Computer-Assisted Passenger Prescreening System

Overview
The Computer-Assisted Passenger Prescreening System (CAPPS II) project represented a direct response to the 9/11 terrorist attacks. After the attacks, air travel was widely viewed not only as a critically vulnerable terrorist target, but also as a weapon for inflicting larger harm. The CAPPS II initiative was intended to replace the original CAPPS, currently being used.

Spurred, in part, by the growing number of airplane bombings, the existing CAPPS (originally called CAPS) was developed through a grant provided by the Federal Aviation Administration (FAA) to Northwest Airlines, with a prototype system tested in 1996. In 1997, other major carriers also began work on screening systems, and, by 1998, most of the U.S.-based airlines had voluntarily implemented CAPS, with the remaining few working toward implementation. Also, during this time, the White House Commission on Aviation Safety and Security (sometimes referred to as the Gore Commission) released its final report in February 1997. Included in the commission’s report was a recommendation that the United States implement automated passenger profiling for its airports. On April 19, 1999, the FAA issued a notice of proposed rulemaking (NPRM) regarding the security of checked baggage on flights within the United States (Docket No. FAA-1999-5536). As part of this still-pending rule, domestic flights would be required to utilize “the FAA-approved computer-assisted passenger screening (CAPS) system to select passengers whose checked baggage must be subjected to additional security measures.”

CAPPS II was described by the Transportation Security Administration (TSA) as “an enhanced system to confirm the identities of passengers and to identify foreign terrorists or persons with terrorist connections before they can board U.S. aircraft.” CAPPS II would have sent information provided by the passenger in the passenger’s name record (PNR), including full name, address, phone number, and date of birth, to commercial data providers for comparison to authenticate the identity of the passenger. The commercial data provider would have then transmitted a numerical score back to TSA indicating a particular risk level. Passengers with a “green” score would have undergone “normal screening,” while passengers with a “yellow” score would have undergone additional screening. Passengers with a “red” score would not have been allowed to board the flight, and would have received “the attention of law enforcement.”

While drawing on information from commercial databases, TSA had stated that it would not see the actual information used to calculate the scores, and that it would not retain the traveler’s information. TSA had planned to test the system at selected airports during spring 2004. However, CAPPS II encountered a number of obstacles to implementation. One obstacle involved obtaining the required data to test the system. Several high-profile debacles resulting in class action lawsuits made the U.S.-based airlines wary of voluntarily providing passenger information. In early 2003, Delta Airlines was to begin testing CAPPS II using its customers’ passenger data at three airports across the country. However, Delta became the target of a vociferous boycott campaign, raising further concerns about CAPPS II generally.

In September 2003, it was revealed that JetBlue shared private passenger information in September 2002 with Torch Concepts, a defense contractor, which was testing a data mining application for the U.S. Army. The information shared reportedly included itineraries, names, addresses, and phone numbers for 1.5 million passengers. In January 2004, it was reported that Northwest Airlines provided personal information on millions of its passengers to the National Aeronautics and Space Administration (NASA) from October to December 2001 for an airline security-related data mining experiment.

In April 2004, it was revealed that American Airlines agreed to provide private passenger data on 1.2 million of its customers to TSA in June 2002, although the information was sent instead to four companies competing to win a contract with TSA. Further instances of data being provided for the purpose of testing CAPPS II were brought to light during a Senate Committee on Government Affairs confirmation hearing on June 23, 2004. In his answers to the committee, the acting director of TSA, David M. Stone, stated that during 2002 and 2003 four airlines (Delta, Continental, America West, and Frontier) and two travel reservation companies (Galileo International and Sabre Holdings) provided passenger records to TSA and/or its contractors.

Concerns about privacy protections had also dissuaded the European Union (EU) from providing any data to TSA to test CAPPS II. However, in May 2004, the EU signed an agreement with the United States that would have allowed PNR data for flights originating from the EU to be used in testing CAPPS II, but only after TSA was authorized to use domestic data as well. As part of the agreement, the EU data was to be retained for only three-and-a-half years (unless it is part of a law enforcement action), only 34 of the 39 elements of the PNR were to be accessed by authorities, and there were to be yearly joint DHS-EU reviews of the implementation of the agreement.

Another obstacle was the perception of mission creep. CAPPS II was originally intended to just screen for high-risk passengers who may pose a threat to safe air travel. However, in an August 1, 2003, Federal Register notice, TSA stated that CAPPS II could also be used to identify individuals with outstanding state or federal arrest warrants, as well as identify both foreign and domestic terrorists (not just foreign terrorists). The notice also states that CAPPS II could be “linked with the U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program” to identify individuals who are in the country illegally (e.g., individuals with expired visas, illegal aliens, etc.).

Several other concerns had also been raised, including the length of time passenger information is to be retained, who would have access to the information, the accuracy of the commercial data being used to authenticate a passenger’s identity, the creation of procedures to allow passengers the opportunity to correct data errors in their records, and the ability of the system to detect attempts by individuals to use identity theft to board a plane undetected.

Secure Flight
In August 2004, TSA announced that the CAPPS II program was being canceled and would be replaced with a new system called Secure Flight. In the Department of Homeland Security Appropriations Act, 2005, Congress included a provision (Sec. 522) prohibiting the use of appropriated funds for “deployment or implementation, on other than a test basis,” of CAPPS II, Secure Flight, “or other follow on/successor programs,” until GAO has certified that such a system has met all of the privacy requirements enumerated in a February 2004 GAO report, can accommodate any unique air transportation needs as it relates to interstate transportation, and that “appropriate life-cycle cost estimates, and expenditure and program plans exist.” GAO’s certification report was delivered to Congress in March 2005.

In its report, GAO found that while “TSA is making progress in addressing key areas of congressional interest. . . TSA has not yet completed these efforts or fully addressed these areas, due largely to the current stage of the program’s development.” In follow-up reports in February 2006 and June 2006, GAO reiterated that while TSA continued to make progress, the Secure Flight program still suffered from system development and program management problems, preventing it from meeting its congressionally-mandated privacy requirements. In early 2006 TSA suspended development of Secure Flight in order to “rebaseline” or reassess the program.

In December 2006, the DHS Privacy Office released a report comparing TSA’s published privacy notices with its actual practices regarding Secure Flight. The DHS Privacy Office found that there were discrepancies related to data testing and retention, in part because the privacy notices “were drafted before the testing program had been designed fully.” However, the report also points out that


 * material changes in a federal program’s design that have an impact on the collection, use, and maintenance of personally identifiable information of American citizens are required to be announced in Privacy Act system notices and privacy impact assessments.

In a February 2007 interview, it was reported that TSA Administrator Kip Hawley stated that while TSA has developed a means to improve the accuracy, privacy, and reliability of Secure Flight, it would take approximately one-and-a-half years to complete. This would be followed by an additional year of testing, leading to an anticipated implementation in 2010.

On August 23, 2007, TSA published a notice of proposed rulemaking (NPRM) for implementing Secure Flight, as well as an NPRM proposing Privacy Act exemptions for Secure Flight, in the Federal Register. A Privacy Act System of Records Notice (SORN) was also published in the same edition of the Federal Register. In addition, a Privacy Impact Assessment (PIA) for Secure Flight was posted on the TSA website.

Along with the Secure Flight NPRM, on August 23, 2007, TSA published a related but separate final rule regarding the Advance Passenger Information System (APIS) administered by U.S. Customs and Border Protection (CBP) for screening passengers of international flights departing from or arriving to the United States. TSA states:


 * We propose that, when the Secure Flight rule becomes final, aircraft operators would submit passenger information to DHS through a single DHS portal for both the Secure Flight and APIS programs. This would allow DHS to integrate the watch list matching component of APIS into Secure Flight, resulting in one DHS system responsible for watch list matching for all aviation passengers.

According to the August 23, 2007 Secure Flight NPRM, in accordance with the Intelligence Reform and Terrorism Prevention Act (IRTPA), “TSA would receive passenger and certain non-traveler information, conduct watch list matching against the No Fly and Selectee portions of the Federal Government’s consolidated terrorist watch list, and transmit boarding pass printing instructions back to aircraft operators.” Currently, air carriers are responsible for comparing passenger information to that on government watch lists.

The NPRM states that TSA would collect Secure Flight Passenger Data (SFPD) that includes a combination of required and optional information. Passengers would be required to provide their full names, “as it appears on a verifying identity document held by that individual.” In addition, passengers would be asked, but not required, to provide their date of birth, gender, Redress Number or known traveler number. However, the NPRM does propose circumstances in which aircraft operators would be required to provide the optional information to TSA if they have already obtained that information “in the ordinary course of business.” The NPRM states:


 * If a covered aircraft operator were to input data required to be requested from individuals into the system where it stores SFPD — such as data from a passenger profile stored by the aircraft operator in the ordinary course of business — the aircraft operator would be required to include that data as part of the SFPD transmitted to TSA, even though the individual did not provide that information at the time of reservation.

In addition, aircraft operators would be required to provide TSA, if available, a passenger’s passport information, and “certain non-personally identifiable data fields” including itinerary information, reservation control number, record sequence number, record type, passenger update indicator, and traveler reference number. Secure Flight would not utilize commercial data to verify identities, nor would it use algorithms to assign risk scores to individuals.

In the NPRM, TSA proposes a tiered data retention schedule. The purpose for retaining the records would be to facilitate a redress process, expedite future travel, and investigate and document terrorist events. Under this schedule, the records for “individuals not identified as potential matches by the automated matching tool would be retained for seven days” after the completion of directional travel. The records for individuals identified as “potential matches” would be retained for seven years following the completion of directional travel. The records of individuals identified as “confirmed matches” would be retained for 99 years.

This original NPRM included a 60-day comment period, ending on October 22, 2007. However, in response to deadline extension requests received, on October 24, 2007, TSA published a notice in the Federal Register extending the public comment period an additional 30 days, ending November 21, 2007. On November 9, 2007, TSA published a final SORN and a final rule regarding Privacy Act exemptions for Secure Flight.