In August 2004, TSA announced that the CAPPS II program was being canceled and would be replaced with a new system called Secure Flight. Secure Flight, a program run by DHS's Transportation Security Administration, would match information about passengers provided by the airlines against government watch lists to detect individuals on the No Fly List and prevent them from boarding aircraft and to identify individuals for additional screening.
In the Department of Homeland Security Appropriations Act of 2005, Congress included a provision (Sec. 522) prohibiting the use of appropriated funds for "deployment or implementation, on other than a test basis," of CAPPS II, Secure Flight, "or other follow on/successor programs," until the GAO has certified that such a system has met all of the privacy requirements enumerated in a February 2004 GAO report, can accommodate any unique air transportation needs as it relates to interstate transportation, and that "appropriate life-cycle cost estimates, and expenditure and program plans exist."
The GAO's certification report was delivered to Congress in March 2005. In its report, GAO found that while "TSA is making progress in addressing key areas of congressional interest . . . TSA has not yet completed these efforts or fully addressed these areas, due largely to the current stage of the program's development." In follow-up reports in February 2006 and June 2006, the GAO reiterated that while TSA continued to make progress, the Secure Flight program still suffered from system development and program management problems, preventing it from meeting its congressionally-mandated privacy requirements. In early 2006 TSA suspended development of Secure Flight in order to "rebaseline" or reassess the program.
In December 2006, the DHS Privacy Office released a report comparing TSA's published privacy notices with its actual practices regarding Secure Flight. The DHS Privacy Office found that there were discrepancies related to data testing and retention, in part because the privacy notices "were drafted before the testing program had been designed fully." However, the report also points out that
“material changes in a federal program's design that have an impact on the collection, use, and maintenance of personally identifiable information of American citizens are required to be announced in Privacy Act system notices and privacy impact assessments.”
In a February 2007 interview, it was reported that TSA Administrator Kip Hawley stated that while TSA has developed a means to improve the accuracy, privacy, and reliability of Secure Flight, it would take approximately one-and-a-half years to complete. This would be followed by an additional year of testing, leading to an anticipated implementation in 2010.
Notice of Proposed Rulemaking
On August 23, 2007, TSA published a notice of proposed rulemaking (NPRM) for implementing Secure Flight, as well as an NPRM proposing Privacy Act exemptions for Secure Flight, in the Federal Register. A Privacy Act System of Records Notice (SORN) was also published in the same edition of the Federal Register. In addition, a Privacy Impact Assessment (PIA) for Secure Flight was posted on the TSA website.
Along with the Secure Flight NPRM, on August 23, 2007, TSA published a related but separate final rule regarding the Advanced Passenger Information System (APIS) administered by U.S. Customs and Border Protection (CBP) for screening passengers of international flights departing from or arriving in the United States. TSA states:
“We propose that, when the Secure Flight rule becomes final, aircraft operators would submit passenger information to DHS through a single DHS portal for both the Secure Flight and APIS programs. This would allow DHS to integrate the watch list matching component of APIS into Secure Flight, resulting in one DHS system responsible for watch list matching for all aviation passengers.”
According to the August 23, 2007 Secure Flight NPRM, in accordance with the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), “TSA would receive passenger and certain non-traveler information, conduct watch list matching against the No Fly and Selectee portions of the Federal Government’s consolidated terrorist watch list, and transmit boarding pass printing instructions back to aircraft operators.” Currently, air carriers are responsible for comparing passenger information to that on government watch lists.
The NPRM states that TSA would collect Secure Flight Passenger Data that includes a combination of required and optional information. Passengers would be required to provide their full names, “as it appears on a verifying identity document held by that individual.” In addition, passengers would be asked, but not required, to provide their date of birth, gender, Redress Number or known traveler number. However, the NPRM does propose circumstances in which aircraft operators would be required to provide the optional information to TSA if they have already obtained that information “in the ordinary course of business.” The NPRM states:
“If a covered aircraft operator were to input data required to be requested from individuals into the system where it stores SFPD — such as data from a passenger profile stored by the aircraft operator in the ordinary course of business — the aircraft operator would be required to include that data as part of the SFPD transmitted to TSA, even though the individual did not provide that information at the time of reservation.”
In addition, aircraft operators would be required to provide TSA, if available, a passenger’s passport information, and “certain non-personally identifiable data fields” including itinerary information, reservation control number, record sequence number, record type, passenger update indicator, and traveler reference number. Secure Flight would not utilize commercial data to verify identities, nor would it use algorithms to assign risk scores to individuals.
In the NPRM TSA proposes a tiered data retention schedule. The purpose for retaining the records would be to facilitate a redress process, expedite future travel, and investigate and document terrorist events. Under this schedule, the records for “individuals not identified as potential matches by the automated matching tool would be retained for seven days” after the completion of directional travel. The records for individuals identified as “potential matches” would be retained for seven years following the completion of directional travel. The records of individuals identified as “confirmed matches” would be retained for 99 years.
This original NPRM included a 60-day comment period, ending on October 22, 2007. However, in response to deadline extension requests received, on October 24, 2007, TSA published a notice in the Federal Register extending the public comment period an additional 30 days, ending November 21, 2007. On November 9, 2007, TSA published a final SORN and a final rule regarding Privacy Act exemptions for Secure Flight.
Section 522(a) of the Department of Homeland Security Appropriations Act, 2005, set forth 10 conditions related to the development and implementation of the Secure Flight program that the Secretary of Homeland Security must certify have been successfully met before the program may be implemented or deployed on other than a test basis.
Secure Flight has made progress towards maturing its understanding and implementation of a robust privacy program that supports the program mission while mitigating risks to individual privacy. To this end, Secure Flight employs a privacy officer for the program and has contracted for an integrated team of privacy professionals consisting of policy, operations, and technical experts deployed throughout the program. Working in concert with the new privacy officer for Secure Flight, the TSA Privacy Officer, and officials from the DHS Privacy Office, the Secure Flight privacy team identified risks and appropriate mitigation strategies.
The team also published privacy notices including a PIA, SORN, Privacy Act Exemption NPRM, and PRA notice, which were released in conjunction with the Secure Flight NPRM. Since the NPRM publication, the privacy team has published the Privacy Act Exemption Final Rule and submitted the NARA Notice, which outlines the data retention schedule, for approval. These documents will be updated and re-published with the Secure Flight Final Rule as appropriate. The team also works to ensure that the program continues to operate within the structure of currently published notices during its on-going development.
- Pub. L. No. 108-334.
- The eight issues included establishing an oversight board, ensuring the accuracy of the data used, conducting stress testing, instituting abuse prevention practices, preventing unauthorized access, establishing clear policies for the operation and use of the system, satisfying privacy concerns, and creating a redress process. GAO, Aviation Security: Computer-Assisted Passenger Prescreening System Faces Significant Implementation Challenges (GAO-04-385) (Feb. 2004).
- GAO, Aviation Security: Secure Flight Development and Testing Under Way, But Risks Should Be Managed as System is Further Developed (GAO-05-356) (Mar. 2005).
- Id. at 4; for a more detailed analysis of the Secure Flight program, see Bart Elias and William Krouse, Homeland Security: Air Passenger Screening and Counterterrorism (CRS Report RL32802).
- GAO, Aviation Security: Significant Management Challenges May Adversely Affect the Implementation of the Transportation Security Administration's Secure Flight Program (GAO-06-374T) (Feb. 2006).
- GAO, Aviation Security: Management Challenges Remain for the Transportation Security Administration's Secure Flight Program (GAO-06-864T) (June 2006).
- U.S. Department of Homeland Security, DHS Privacy Office, Report to the Public on the Transportation Security Administration's Secure Flight Program and Privacy Recommendations 13 (Dec. 2006) (full-text).
- Eric Lipton, "U.S. Official Admits to Big Delay in Revamping No-Fly Program," N.Y. Times, at A17 (Feb. 21, 2007).
- Department of Homeland Security, Transportation Security Administration, “Privacy Act of 1974: Implementation of Exemptions; Secure Flight Records,” 72 Fed. Reg. 48397 (Aug. 23, 2007).
- Department of Homeland Security, Transportation Security Administration, “Privacy Act of 1974: System of Records; Secure Flight Records,” 72 Fed. Reg. 48392 (Aug. 23, 2007).
- Department of Homeland Security, Bureau of Customs and Border Protection, “Advance Electronic Transmission of Passenger and Crew Member Manifests for Commercial Aircraft and Vessels,” 72 Fed. Reg. 48320 (Aug. 23, 2007).
- Department of Homeland Security, Transportation Security Administration, “Secure Flight Program,” 72 Fed. Reg. 48356 (Aug. 23, 2007).
- Id. at 48369.
- Id. at 48364.
- Id. at 48359.
- Id. at 48363.
- Id. at 48356.
- Department of Homeland Security, Transportation Security Administration, “Secure Flight Program,” 72 Fed. Reg. 60307 (Oct. 24, 2007).
- Dept. of Homeland Security, Transportation Security Administration, “Privacy Act of 1974: System of Records; Secure Flight Records,” 72 Fed. Reg. 63711 (Nov. 9, 2007).
- Department of Homeland Security, Transportation Security Administration, “Privacy Act of 1974: Implementation of Exemptions; Secure Flight Records,” 72 Fed. Reg. 63706 (Nov. 9, 2007).
- See Pub. L. No. 108-334, §522, 118 Stat. 1298, 1319-20 (2004).
- Privacy Impact Assessment for the Secure Flight Program, October 21, 2008.