Letter to the Department of Transportation on ""Aviation Security Screening Records"" 68 Fed. Reg. 2,101 (January 15, 2003).

February 24, 2003

Documentary Services Division
Attention: Docket Section, Room PL-101
Docket No. OST-1996-1437
Department of Transportation, SVC-124
Washington, DC 20590

Make a Difference

Your support helps the ACLU defend privacy rights and a broad range of civil liberties.

Give Now

Re: ""Aviation Security Screening Records"" 68 Fed. Reg. 2,101 (January 15, 2003).

The American Civil Liberties Union (ACLU) is a nationwide, non-partisan organization of over 300,000 members dedicated to protecting the principles of liberty, freedom, and equality set forth in the Bill of Rights in the United States Constitution.  For almost 80 years, the ACLU has sought to preserve and strengthen privacy in all aspects of American life.

Long concerned about the diminution of privacy in the electronic age and the increased use of surveillance technologies by the government, the ACLU urges the Department of Transportation (DOT) to abandon its plan to establish a system of records known as ""Aviation Security Screening Records"" (ASSR).  The Federal Register notice announcing DOT's intent to establish a system of records under the Privacy Act (DOT notice) describes a database that would include digital dossiers on airline passengers who are not suspected of a crime or in any way shown to be linked to terrorism.[1]  

The ASSR database would include sensitive personal information about financial data (e.g. credit card transactions), transactional data (e.g. any electronic purchase or service), and the full range of ""proprietary"" and ""public source"" information available in government and private industry databases about an untold number of airline passengers traveling inside the United States.  Individuals would be denied the meaningful opportunity to determine whether their personal information is held inside the database, to correct mistakes in the record, or to challenge unfair decisions, including limitations on constitutional rights to travel, equality, and privacy, made on the basis of ASSR information.  

The ASSR database would be used for purposes far beyond air travel, allowing access to individuals' personal information for government functions at the local, state, federal, and even international level and even allowing access for certain employment decisions.  The ASSR database could limit individuals' ability to travel freely; engage in her chosen profession; obtain a student loan; drive a car; obtain government benefits for food and shelter; and provide the basis for arrest and detention abroad.

Such a regime is a departure from the longstanding principle that individuals have the right to be let alone from their government without a high level of suspicion of wrongdoing.  The DOT notice violates both the letter and spirit of the Privacy Act of 1974 (5 U.S.C. § 552a) by failing to establish meaningful public accountability for this government database of sensitive personal information.  

In addition, the scope of both the content and uses of the ASSR database suggests it is in some way related to the Transportation Security Agency's (TSA) plan to institute a controversial surveillance system commonly known as ""CAPPS-II"" (the ""Computer Assisted Passenger Pre-Screening"" program).  The DOT appears to be sidestepping a debate on the effectiveness and civil liberties' implications of this and other large-scale public surveillance systems.

The ASSR database would contain a massive amount of personal information about an untold number of airline passengers traveling inside the United States.

The ASSR database would contain ""Passenger Name Records (PNRs), associated data,"" and reservation and manifest information about every individual ""traveling to, from or within the United States (U.S.) by passenger air transportation.""  

PNR information goes far beyond passenger name and seat assignment.  PNR data may include date of birth, address, phone number, reservation number, date(s) of travel, travel agency/agent, ticket information, traveling companions, form of payment for ticket such as credit card number, itinerary information, carrier information for the flight such as the flight number and date of intended travel and  PNR history.[2]  ""PNR history"" can include very sensitive information about religious or ethnic origin (through choice of meals), data relating to place of residence or contact information (including phone numbers and addresses of friends and family), and medical data relevant to disability accommodations (oxygen, sight, hearing, or mobility).[3]  This information would be held until ""after completion of the individual's air travel to which the record relates.""

The ASSR database would also contain ""risk assessment reports; financial and transactional data; public source information; proprietary data, and information from law enforcement and intelligence sources"" about individuals ""who are deemed to pose a possible risk"" to transportation or national security.  

These ""categories of records"" are so broad that they sweep in just about every conceivable piece of information in public or private databases about an individual (from ""proprietary"" to ""public source"").  The ""category of individuals"" covered could be just as sweeping.  First, the DOT notice fails to define exactly who would pose a ""possible risk"" to transportation or national security and thus the category is open to broad interpretation.  Currently, each and every airline passenger is deemed to pose enough of a risk that every passenger, carry on bag, and piece of luggage is carefully screened through security at the airport.  Second, the DOT notice does not even specify who in the government would make the determination that an individual poses a risk.  A DOT employee?  A CIA analyst?  A computer?   Finally, any of the information gathered about individuals pursuant to this determination could be retained in the ASSR database for up to 50 years.  Once an individual is enrolled in the system, ASSR information could follow her for a lifetime.

The DOT notice fails to inform the public the source of the personal information contained in the database.  The Privacy Act makes plain that federal agencies should ""collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs"" and, if personal information is not directly collected from an individual, notify the public as to the ""source"" of the information. § 552a(e)(2) and (4).   

The DOT notice does not comply with either of these requirements.  The information about air passengers would likely come from a range of private industry sources, not the individual.  At a minimum, the government would have to collect PNR and manifest information from the airlines and travel industry.  The other categories of information could come from financial institutions, state and local governments, the Internet, any private entity that holds proprietary information, any public entity that holds publicly available data, or any entity at all that holds transactional data about an individual.  

The DOT errantly relies on two inapplicable exceptions under the Privacy Act in refusing to notify the public as to the source material for the ASSR database.  If the system of records is ""investigatory material compiled for law enforcement purposes"" or classified information, the agency does not have to comply with certain parts of the notice requirement.  § 552a(k)(1) and (2).  The stated purpose of the ASSR database, however, is for an ""aviation security screening"" program.  The purpose is not to conduct intelligence or law enforcement investigations of air passengers and the notice makes clear that lots of unclassified information would be contained in the database.  Therefore, DOT appears to be in error when it relies on these exceptions.

If the DOT, however, is in fact planning to compile law enforcement and intelligence files on airline passengers, then the agency concedes the agency's true intent is to store dossiers on air passenger when there is no direct link to terrorism or crime.  This would ignore longstanding principles that the government have some high level of suspicion before creating electronic dossiers on individuals.  Instead, the agency relies on an unnamed bureaucrat at DOT (or even perhaps a computer program) to make that determination pursuant to a loosely defined determination that an individual may pose a possible risk.  The result would be a database of personal information about a range of innocent people that would be compiled in a database for up to 50 years without any independent review or public accountability.  This is exactly the scenario of secret databases the Privacy Act was intended to prevent.

The ASSR database would serve as a platform for a myriad of other government and private industry functions and go well beyond the ""routine use"" exception in the Privacy Act.

The Privacy Act's general rule is that information collected for one purpose should not be used or disclosed for another purpose.  As the Act made clear, individuals should be able ""to prevent records pertaining to him obtained by such agencies for a particular purpose from being used or made available for another purpose without consent.""

The Privacy Act provides limited exceptions to this rule for specific government functions.  The ""routine use"" exception allows for ""the use of such record for a purpose which is compatible with the purpose for which it is collected.""  § 552a(a)(7).  

The DOT notice includes eleven broadly worded ""routine use"" exceptions that would transform the ASSR database from an air security system to an all-purpose surveillance tool, accessible to agencies at every level of government and even private industry.  In Britt v. Naval Investigative Service, the Third Circuit explained the definition of routine use:  ""[T]he statutory requirement of compatibility ? requires ? a dual inquiry into the purpose of the collection of the record in the specific case and the purpose of the disclosure.""[4]   The stated purpose of the ASSR database is ""to facilitate the conduct of an aviation security-screening program, including risk assessments to ensure aviation security.""  The purposes of the disclosures in the eleven routine use exceptions, however, go far beyond air security and reach into criminal and civil law enforcement, agency hiring and firing decisions, and numerous other unrelated purposes. For example:

  • TSA may disclose ASSR information to any Federal state territorial, tribal, local, international or foreign agencies responsible for investigating or enforcing any statute, rule, regulation, order or license.  Under this exception, the ASSR database could be used as a surveillance tool to track individuals' for tax collection, gun registration, immigration enforcement, or even outstanding parking tickets and even deny them the privilege of gun ownership, a driver's license, or some other benefit that depends on ASSR database ""approval."" 
  • TSA may disclose ASSR information to contractors, grantees, experts, consultants, agents and other non-Federal employees working under contract, grant or agreement with the Federal government for consulting, data processing, clerical, or ""other functions to assist TSA in any function relevant to the purpose of the system.""   Under this exception, the TSA could implement the ""registered traveler"" system by allowing companies to screen frequent business travelers through the ASSR database in advance.  This would be a function ""relevant"" to assisting TSA with air security screening.  (If in fact the intent of the DOT is to permit a ""registered traveler"" program, the issue should be described explicitly in the DOT notice and debated up front -- not implemented through the back door of a routine use exception.)  
  • TSA may disclose ASSR information contained in the database to Federal, State, territorial, tribal, and local law enforcement and regulatory agencies - foreign and domestic - in response to queries regarding persons who may pose a risk to transportation or national security.  Under this exception, sensitive personal information about innocent airline passengers could end up in an FBI file or even the local sheriff's office without any showing of suspicion.  This exception could also permit foreign governments access to sensitive personal information (such as financial data) about Americans. 
  • TSA may disclose ASSR information to a federal, state, or local agency where such agency has requested information relevant or necessary for hiring, firing, or issuance of a security clearance, license, contract, grant, or other benefit.  Under this exception, the ASSR database would transform from an air security screen into a background check, allowing agencies at all levels of government to make employment decisions based on the information included in the ASSR database.  Applications for positions ranging from city truck driver and public defender to public health nurse and legislative staff could be screened through the ASSR database as a pseudo-security clearance. And, private jobs would be affected as well.  Government grants could be accepted or rejected based on the accurate or inaccurate information contained in the ASSR.

All of these purposes go well beyond the definition of ""routine use.""  And there are seven more ""routine uses"" listed in the DOT's notice.  The DOT should narrow the routine use exceptions to those that are actually related to air security and spell out in more detail exactly what is being contemplated by the agency (i.e. registered traveler).

Individuals would have no meaningful ability to access the ASSR database to find out if the government holds their names and personal information in the database, to determine if the information is accurate, or to challenge errors in the record.  

As a general rule, the Privacy Act requires federal agencies to provide any individual notice that the individual is listed in the database. § 552a(f).  The opportunity ""to gain access to his record or any information pertaining to him contained in the system?."" § 552a(d)(1).  And, the opportunity to both request an amendment to his record and challenge the refusal of an agency to amend the record upon request.  § 552a(d)(2)-(4).  

Once again, however, the DOT errantly attempts to apply the same exceptions for ""investigatory material compiled for law enforcement purposes"" and classified information to avoid the Privacy Act's full public accountability requirements.  §552a(k)(1) and (2).  The ASSR database ""may not be accessed for purposes of determining if the system contains a record pertaining to a particular individual.""  In addition, an individual may ""request"" access in writing for a limited set of information contained in the database or send a letter challenging the accuracy of information contained in the record.  But, because the DOT relies on the (k)(1) and (2) exceptions, there is no guarantee an individual will ever get a response from the government.  And, it is difficult for individuals to write ""clear and concise"" requests for information when it is unclear what information is being stored in the database in the first place.

Like the ""routine use"" exception, the DOT stretches these exceptions too far.  Even under the exception for ""investigatory material"" in (k)(2), the Privacy Act requires that ""if any individual is denied any right, privilege, or benefit that he would otherwise be entitled to under Federal law, or for which he would otherwise be eligible, as a result of the maintenance of such material, such material shall be provided to such individual ?""  (The provision is limited to the extent such a disclosure would identify a source who was promised confidentiality.)  At a minimum, the ASSR database could result in the denial of the right to travel, equality, and privacy and that does not even account for the numerous privileges and benefits that could be affected through the routine use exceptions. The DOT should provide a meaningful procedure to remedy a right or privilege denied based on ASSR information.

The ASSR database lacks adequate security and privacy safeguards.

The DOT notice provides ""safeguards"" for the ASSR database, including access controls and audit requirement.  These measures are important tools but do not replace the overall good government policies in the Privacy Act that allow the public to hold the government accountable for accurate information and fair implementation of the database.  

In addition, the broadly defined ""routine uses"" of the ASSR data open up a host of security and privacy concerns.  Once information is sent outside federal agencies, it is difficult to control its accuracy or how the information gets used.  For example, the Wall Street Journal reported that in the fall of 2001, the FBI circulated the names of hundreds of people it wanted to question in relationship to September 11 to a range of private companies, including car rental companies, banks, travel reservation systems, and data collection firms.[5]  ""A year later, the list has taken on a life of its own, with multiplying - and error-filled - versions being passed around like bootleg music.  Some companies fed a version of the list into their own databases and now use it to screen job applicants and customers.  A water-utilities trade association used the list ""in lieu of"" standard background checks ?."" [6] The list was even posted on the Internet via Venezuela.  In the Wall Street Journal article, the head of the FBI's strategic analysis and warning section acknowledged, ""We have now lost control of that list.""  

And, the consequences of being on such a list in error are real.  The Wall Street Journal documented a case where an individual was on the FBI list in error and, as result, experienced such serious delays that he curtailed his air travel.  This could be devastating for someone whose employment depends on frequent travel.  In addition, several companies continued to screen customer lists and job applicants based on the list.  

Just last week a United States national team rower was stopped at Newark Airport on his way back from training camp at Princeton. ""Aquil Abdullah"" is a common Muslim name and according to the police ""anyone with a common Muslim name has to be checked out."" [7]   In this instance, Mr. Abdullah missed his flight.  And, for him every flight will be a challenge.  There is no way for people to find out how they got on the ""No Fly"" list or more importantly how to get off (and the same would be true under the ASSR). 

Finally, the DOT notice avoids a controversial debate about the effectiveness of data surveillance tools and their impact on civil liberties, including privacy, equality, and free expression.  

In 1974, Congress enacted the Privacy Act to protect the privacy of individuals' personal information collected by the government.  As the Act articulated in its findings, ""the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information.""  § 552a(a)(2).   Upon passage of the Privacy Act, Senator Percy said, ""I hope that we never see the day when a bureaucrat in Washington, Chicago, or Los Angeles can use his organization's computer facilities to assemble a complete dossier of all known information about an individual.  But, I fear that is the trend.""[8]

As information technology has grown more powerful, the principles of the Privacy Act are even more relevant thirty years later.  Earlier this month, the Pentagon's Total Information Awareness program (TIA) drew increased scrutiny from Congress because of concerns that the program would intrude on individual privacy, subvert the longstanding principle that the government should have cause before it investigates its citizens, and an elementary concern that TIA was being developed in secret without meaningful congressional oversight or specific authorization.  The omnibus appropriations bill for FY 2003 included a provision that requires the Administration to report to Congress with details about the program and congressional approval before TIA or any of its component programs are deployed against United States citizens.[9]

TSA has proposed its own version of TIA in the form of the second-generation passenger profiling system known as ""CAPPS-II.""  Like TIA, CAPPS II would scour individuals' personal information (what TIA calls ""transactional data"") for patterns, associations, and trends that could - at least in theory -- point to terrorist activity.  TSA has disclosed very little about CAPPS II but the Washington Post provided some details about the program in an article last fall.  ""In recent months, the [TSA] hired four teams of technology companies. Their mission was to demonstrate how artificial intelligence and other powerful software can analyze passengers' travel reservations, housing information, family ties, identifying details in credit reports and other personal data to determine if they're ""rooted in the community"" - or have an unusual history that indicates a potential threat.""[10]  

CAPPS II raises many of the same concerns and questions posed by TIA.  In January, a diverse coalition wrote to Congress encouraging Members to ask tough questions about TIA.  In this same letter, the coalition noted ""[s]imilar questions need to be asked about other initiatives that will vastly expand government collection and use of personal information, such as the CAPPS II (Computer Assisted Passenger Profiling System) program of the Transportation Security Administration.""[11]  

The ASSR notice does not state its relationship to CAPPS II (or if it is one in the same program) but the purpose of the system appears to be the same --  ""to facilitate the conduct of an aviation security-screening program, including risk-assessments to ensure aviation security.""   Given the current debate over CAPPS II and other similar data mining and surveillance tools, the DOT should be clear about what program is at issue and disclose the connection between ASSR and the CAPPS II.  To do otherwise is to obscure public debate on a controversial topic that cuts to the core of privacy and freedom and could run afoul of the Privacy Act's notice requirements.  § 552a(e)(4).[12]  

In any case, the scope of the ASSR database - no matter what it is called -- could allow the government to collect massive amounts of personal information about every air passenger in the United States without any meaningful public accountability.  That is the very definition of generalized surveillance.

Conclusion

Like all Americans, the ACLU strongly supports efforts to ensure air travel safety, but we remain convinced that we need not sacrifice our civil liberties to guarantee safety in the air.  The DOT should abandon its plans to implement the ASSR database and use a three-prong analysis to promote safety and to reduce the likelihood that any new security measures would violate civil liberties.  First, any new security proposals must be genuinely effective, rather than creating a false sense of security.  Second, security measures should be implemented in a non-discriminatory manner. Travelers should not be subjected to intrusive searches or questioning based on race, ethnic origin or religion.  Finally, if a security measure is determined to be genuinely effective, the government should work to ensure that implementation of it minimizes its cost to our fundamental freedoms, including the rights to travel, due process, privacy and equality.

At a minimum, the TSA should disclose detailed information about the purpose, scope and efficacy of the program; explain the relationship of the ASSR database to CAPPS II and other risk assessment programs being developed at the TSA; limit the routine uses of the data; and adequately address privacy and civil liberties concerns posed by this massive database of personal information about airline passengers in the United States.  

Neither the public nor the Congress can adequately assess the scope, effectiveness and intrusiveness of the program until the DOT provides meaningful notice of its intent.  

Thank you for your consideration of this matter.  

Sincerely,

Laura W. Murphy
Director, Washington National Office

Katie Corrigan
Legislative Counsel 


ENDNOTES

[1] Fed. Reg. 2,101, Jan. 15, 2003.

[2] Interim Rule, Fed. Reg. June 25, 2002. Passenger Name Record Information Required for Passengers on Flights in Foreign Air Transportation to or From the United States.  p. 4,2710.  

[3] See Article 29 Data Protection Working Party, Opinion 6/2202 on transmission of Passenger Manifest Information and other data from Airlines to United States.  Oct. 24, 2002. 

[4] 886 F.2d 544, 548 (1989).

[5] Ann Davis, FBI Listed People Wanted for Questioning, But Out-of-Date Versions Dog the Innocent, Wall Street Jour., Nov. 11, 2002.

[6] 

Statistics image