TSA Plans for Next Generation CAPPS: "Secure Flight"
 

Article from today's (Friday 8/27/04) Los Angeles Times by Ricardo Alonso-Zaldivar.

http://www.latimes.com/news/nationwo...adlines-nation

Registration required. Try the default "cyberpunk" as both user name and password which works on many news sites that require a login. I decided not to post it here because it's a long story.

Here's the meat of the system as I see it:
* Over the next year, airlines will transmit PNR data to the feds.
* If name info is a close match to a terror/security (not garden variety criminal) database, additional PNR data will be used to decide if the passenger and the name on the list are one and the same.
* Most passengers "flagged" will be selectees, small number will be no-fly and subject to arrest.
* Some passengers will still be random selectees.
* TSA will establish an appeals process for people who believe they have been wrongly flagged.

I have to agree with the ACLU spokesman quoted in the article that this is a "step in the right direction."

Press Release

TSA To Test New Passenger Pre-Screening System

U. S. DEPARTMENT OF HOMELAND SECURITY
Transportation Security Administration

FOR IMMEDIATE RELEASE - August 26, 2004
TSA Press Office: (571) 227-2829

"Secure Flight" to be Tested Before Year's End

WASHINGTON, D.C. – The Transportation Security Administration (TSA) today announced it will move forward to test a new passenger-prescreening program called Secure Flight. The decision follows completion of a thorough review of the computer-assisted passenger prescreening system (CAPPS II) proposal ordered by Department of Homeland Security (DHS) Secretary Tom Ridge in July. Based on the results of this review, TSA modified its earlier passenger prescreening proposal to create the new Secure Flight program.

Under Secure Flight, TSA will take over responsibility for checking airline passengers' names against terrorist watch lists – a function currently administered by each airline individually. The move will help eliminate most of the false alerts caused by the current out-dated system. When in place, Secure Flight will help move passengers through airport screening more quickly and reduce the number of individuals selected for secondary screening – while fully protecting passengers' privacy and civil liberties.

"This new system will allow Homeland Security to implement a key recommendation of the 9/11 Commission – for the government to continue improving the use of ‘no-fly' and ‘automatic selectee' lists by using an expanded watch list," DHS Under Secretary for Border and Transportation Security Asa Hutchinson said. "Secure Flight is a critical part of Homeland Security's overall layered strategy to secure the nation's commercial air transportation system."

"TSA is prepared to begin testing and execution of the next-generation passenger prescreening program," said Rear Admiral David M. Stone USN (Ret.), Assistant Secretary of Homeland Security for Transportation Security Administration. "Secure Flight will enhance security for the nation's travelers while preserving the individual freedoms of each passenger."

Significant progress has already been made by the U.S. Government by providing greatly expanded No-Fly and Selectee lists to airlines to conduct checks on their own computer systems. New names are being added every day as intelligence and law enforcement agencies submit persons for consideration. Under Secure Flight, TSA will take over responsibility for comparing Passenger Name Record (PNR) information of domestic air passengers to a greatly expanded list of known or suspected terrorists in the Terrorist Screening Center (TSC) database. As the program is phased in, TSA will be able to check passenger records against watch list information not previously available to airlines.

Passengers on international flights will continue to be checked against names in the consolidated TSC database by U.S. Customs and Border Protection (CBP), through its Advanced Passenger Information System (APIS). These checks are mandated by U.S. law.

Secure Flight differs from earlier proposed systems by focusing screening efforts on looking for known or suspected terrorists, rather than using it for other law enforcement purposes. In addition, the new program will also include a redress mechanism through which people can resolve questions if they believe they have been unfairly or incorrectly selected for additional screening.

Separately, TSA will also conduct a very limited test to determine whether or not comparing passenger information to commercially available data can help to more accurately verify the identity of individuals.

Results of the testing, both of the TSC database comparisons and the use of commercial data to verify identity, will be as publicly transparent as possible without compromising national security. Testing and eventual implementation will be governed by strict privacy protections including passenger redress procedures, data security mechanisms, and limitations on use.

TSA will collect passenger data and begin testing Secure Flight within the next 30-60 days. TSA will likely move forward with implementation of the system nationally after testing is completed and the agency publishes a final Notice of Proposed Rulemaking (NPRM).

# # #

So what will this do to passengers who book at the last minute? Will there be time for the checks for them? Or is that suspicious enough to warrant automatic checking?

If there is time for "quiick checks" than there will likely be a lot of false positives. I hope the system set up to allow passengers to "clear their names" is done correctly.

CAPPS II is not dead. It's engine is included. ;)

"Daddy, tell me where you were when freedom, liberty and privacy died"?

Uh, that sounds just like CAPPS-II. Like, exactly like it. Why does calling CAPPS-II "Secure Flight" make it more acceptable?

If I take this press release at face value, it sure sounds like they're going to appropriate people's travel data, compare it to commercial databases to verify address or phone or credit card, and all without asking permission or even notifying the individuals involved that they're being investigated. How can they test Secure Flight without publishing a Privacy Act notice? Do they think something that's wrong, that's unacceptable to the public, magically becomes okay because they are only doing "a very limited test"? That's like saying it's not stealing because the thing they took only costs a few dollars.

I told you it wasn't dead :D :D :D

The government does not and has never had to notify people that they're being investigated. "Excuse me, may we investigate you?"

They're not testing it yet. The notice for the Registered Traveler pilot program hit the Federal Register about 30 days before that program began...so I would imagine this will hit the FR in the next week or two.

My question to those that abhor all the screening programs - what would, in your mind, be acceptable? Do we need any such program? If not, why not? If so, what is sufficient?

A clarification of what you mean by "all the screening programs" would be helpful since right now I don't know who abhors "all the screening programs". People abhor all the ineffective our counterproductive screening programs.

A better checkpoint screening for weapons and weapons components, including explosives, on persons or in carry-ons and in cargo would be sufficient for passengers and is my recommendation.

This is nothing more than another profiling system, and on aggregate, such programs fail miserably and create hostile parties over time (short or long) while lulling the security apparatus to sleep/false confidence.

Do a search. I'm not re-typing 3 years' worth of info just for you.

You are correct - I should have clarified. MAny people on this board dislike TSA. What is the alternative? Back to private, and if so, what standards should they be held to? Is everyone screened and, if not, why not (thinking of the old person thread)? Kids too? If not, what are the cut off ages? Do we need any "ckecklist" for non-flyers? A no-fly list?

To you specifically GU, what is a "better checkpoint" for screening weapons? How does it work? Staffed by whom? What kind of technology? Is TSA sufficient today and, if not, where are they lacking?

This is the process BEFORE boarding. Maybe we can discuss there needs to be any security AFTER boarding later.....:)

Wrong. There is travel data contained in the systems of many airlines that was collected in the E.U. Nothing distinguishes E.U. data from the rest of the records, and E.U. law says that people have to be notified of all uses to which their travel data will be put. The EU-US "agreement" you've heard so much about is directly contradictory to E.U. law, and hopefully will soon be invalidated by the EC which is hearing the matter.

There are other legal precedents which might be used and have been used to argue that CAPPS-II/Secure Flight is illegal. Since this program is identical to CAPPS-II, I'm sure that the many activists on this issue won't waste any time in bringing the arguments before a judge.

You guys are arguing different things.

Why do you feel that you are so special that you should be exempt from using the fine search features of this UBB and that everyone should have to re-type all their thoughts on this very subject just for you?

Since we have a discussion on the subject it seems appropriate to ask. If you do not feel like answering then don't.

Anyone (except Spiff) who wishes to answer I would be interested.

MAYBE it will be invalidated. Don't forget the European Commission AUTHORIZED the test of CAPPS-II.

You are assuming that DHS is going to start using the SF system tomorrow. The information given is that it could take up to 60 days to get the system running for a TEST. I would not be surprised if the test began on airlines that did not serve EU destinations. (YX, B6, WN, etc.) A negative ruling from an EU court would have virtually zero impact on a company that did not do business in the EU. Either that, or airlines will start giving an EU privacy notice in the fine print within the next 2 months. That's all that's required.

If it's more privacy protection in the U.S. that you want--and I'm not arguing that that's bad policy--that's a matter for Congress to take up. (I doubt a GOP-controlled Congress will make any headway on the matter.)

On a slightly different point...are you a member of a frequent flyer program? (Is there anyone on this board who isn't?) I see as somewhat disingenuous the stinkification over "travel privacy" when your voluntary FF participation puts your entire travel history and other demographic information in the hands of virtually EVERY business partner with the airline. Saying that the government checking my name against a terrorist database to see if I am a threat to other passengers is WRONG but Avis Rent-A-Car checking my name against my travel history to send me valuable coupons is OK just doesn't sit right with me.

Why not? I want Avis coupons, but I don't want a background check. Also, my participation in a FF program is not required as a condition of flight, government terrorist database checking soon will be. Also, I can opt out of many airline partners' marketing databases. I cannot opt-out of government harassment if I want to fly.

It is only a violation of civil rights if the person has an inherent right to privacy and it is violated without 1) probable cause, 2) warrant (essentially same thing) or 3) national security.

Do you have a right to fly? And is it in the national security interest of the country to check names against a watch-list?

My opinion (and this will be fought in the courts for years to come, IMO) is no and yes, respectively.

Do you have a right to take a taxi? No, you take a taxi as a contract between you and the taxi driver. If the taxi driver doesn't want to take you then he doesn't have to.

If the Air Carriers doesn't want to sell a ticket or doesn't want you to fly it is up to them. In order to get to your perferred destination you contracted with the carrier to rent a seat on their vehicle and will use the airport services to get to the plane. To use these services you must be screened through a security checkpoint.

You do have a right not to be screened by not using the services of the air carriers and airport.

Touche'. That was a clean shot.

I hate phone marketing, junk mail and spam email.

From the LA times:

The government hasn't yet said if in this version they will store a database of travel dossiers like they planned to in CAPPS II. One of the first things that will be needed is a Privacy Act request to see if they still want to keep travel dossiers on all of us for 50 years (like CAPPS II wanted to).

It's a good sign though that they no longer seem to be talking about making the airlines put date-of-birth into PNRs.

That is no different from CAPPS II color codes, just minus the colors. Hopefully the media will be smart enough to see through this spin.

Better. Looking for terrorists instead of bank robbers, deadbeat dads, and parking tickets. But I believe they still will want to expand the program to do these things once established.

Somehow TSA still believes that commercial databases are a wealth of accurate information; maybe they are lucky enough to not receive badly mistargeted junk mail (based on those databases) at their homes, but most of us are not.

That is a substantial improvement, as such predictive systems are bound to use information the government has no business using (travel patterns, address history, travel companions, credit history, books checked out at library, etc.) and bound to create orders of magnitude more false positives than actual positives.

From TSA press release:
Yes, the public has seen the results of your "greatly expanded no-fly and selectee lists" as you have added names like Edward Kennedy (senator) and John Lewis (congressman) to the lists that already included David Nelson (actor) and Jack Baldwin (MD and WWII veteran). We are not inspired with confidence.

The only substantitive differences I see from CAPPS II are:

1) claim they will not be a full-up "papers please" checkpoint looking for law-enforcement violations

2) claim they will no longer try to predict who might be a terrorist

3) no more talk (yet) of requiring pax DOB, address, and phone on PNRs.

All are important, but the key metric is elimination of harassment due to false alarms and a quick, effective process with independent judicial appeal to clear your name. Lip service is given, but details are short.

I wonder, does Bill Scannell plan to fire up his website again? It would be great to hear from him on this new proposal.

Ownership of certain security processes does not concern me as long as they meet a certain standard and have measurable efficacy. Today, the measurability is not there and the efficacy is certainly in question as plenty of people can engineer ways around the current dog and pony show of security (especially in the key area of explosives).

It's self-explanatory (almost) -- i.e., better than today in terms of efficacy and cost-efficiency with more measurable results and a measured calculation of costs and benefits. [I believe some people will die and some property will be damaged; the only way to prevent all death and destruction is to ban/encumber life and/or wholly restrict property ownership (rights). In other words, I am ready to let myself be one of the casualties because I don't believe in draining the public coffers of tens of millions of dollars from others for my personal self-interest and don't believe in health, safety and security regardless of the price.] A better checkpoint screening for weapons and weapons components, including explosives -- on persons or in carry-ons and in cargo -- is one that is better than the current dog and pony show we have today. Today's dog and pony show I label a dog and pony show because it has done little to stop the more intelligent and more dangerous sociopaths around. It is merely rewarding them to adapt faster. Unfortunately, systems are reactive (more often than not) and individuals proactive; so in the cat and mouse game, we know who will be ahead of the curve first. And our sorry excuse for "pro-active" security is little more than a wild goose chase and a lot of jumping the gun long before an incident and all its accessories are anywhere close to being netted properly and in total.

Unlinke many here, I like the FAM program but have some reservations about it. First, the weapons need to be personalized so no one else can use them. ;)

In my book, national security has a strict and limited definition. It's also more effective then. ;)

Bad argument. In many jurisdictions, a cab driver can only refuse you under certain, pre-defined bases.

Your being from NYC-metro area, you should know that taxis cannot refuse most passsengers so easily. Cab drivers cannot refuse people based on ethnicity and not picking up the first passenger "just because" or for any reason not mentioned explicitly in either applicable legal, regulatory or voluntary compliance systems results (at least occassionally) in prosecution and/or penalties.

Perhaps you need a bit more insight on what exactly they authorized, under what conditions and why? ;)

Well, people volunteer to have certain information conveyed for certain limited purposes. It's not a blank check (and many companies find that out the hard way). ;)

I don't profess to be an expert in the matter. It is, though, a foreboding sign when the best hope American citizens have in regards to their privacy rights is EU law.


I don't disagree in principle, except that the "limited purpose" of marketing so frequently becomes so broad. My argument is that the limited purpose of checking to see whether government intelligence (is that an oxymoron?) indicates a terrorist threat is a far more compelling interest than an individual interest in a corporate marketing scheme--and, as such, it seems silly to support one but decry the other.

I'm not saying I'm not concerned about misuse of data, or of people being wrongly flagged--those should always be concerns. I don't think that threat is presently greater than the necessity of stopping known terrorist threats.

Sad but too often true. A backdoor channel to get a lot of info about yourself (for amusement purposes) is to transfer your mailing address for a given account to the EU and then use EU laws and regulations to extract information that a certain entity would never care to give you. :)


Understandable and reasonable, even if I disagree with portions. Government "intelligence" is increasingly questionable (as it has become increasingly politicized or become a political football) and I would rather have the government allocate resources for truly dangerous items than on trying to gamble on "identity-as-security" approaches.

He was just asking for some opinions..jeez. Would it kill you to type a sentence or two? If you don't want to answer...then don't answer. You don't have to respond with snide remarks. :rolleyes:
FAMIAM

check your PMs.

Come on, the only yellow cabs are in Manhattan. They are too yellow :D to go anywhere else. OK maybe bad example but the principle was right.

ROTFLOL :D

Technology by itself is not the solution. Technology can fail and people can use it improperly or not use it at all (amongst a whole series of other issues). It's the combination of the people, processes and technology/tools that must be looked at in an integrated manner. Right now, the process is broken, regardless of the technology that currently exists (and in some cases is already paid for).

Technology improvements, process rationalization and people overhaul. In fits and starts we are moving in that direction but with the current people in charge, we will get little bang for the buck and a lot of nothing and a little of something.

You have just described every governmental process in the history of this country....;)

"Nothing to see here folks, move along." ;)

:D True too often. ;)