A Death Knell for Airline Passenger Profiling?
By ANITA RAMASASTRY
Wednesday, Mar. 17, 2004
Since the September 11 terrorist attacks, improving aviation security has been a priority for the federal government. Among the most controversial proposals to address it is the Computer Assisted Passenger Pre-Screening System II (CAPPS II).
CAPPS II is designed to use commercial and government data to verify passenger identity, and to decide whether individual fliers pose security risks. The Transportation Security Administration (TSA) is the agency tasked with implementing this program.
The program was initially intended to detect terrorists and keep them off airplanes. In August 2003, however, TSA announced that CAPPS II would also serve as a law enforcement tool to identify individuals wanted for violent crimes.
Based on privacy concerns that I have discussed in a previous column, Congress voted to block funding for CAPPS II unless the TSA could satisfy eight criteria relating to privacy, security, accuracy and oversight. (TSA may, at this time, move forward in testing CAPPS II, however.) In addition, Congress also asked the General Accounting Office (GAO) to conduct a review of CAPPS II to determine whether it met the relevant criteria.
This February, that report came in. And it concluded that CAPPS II has numerous problems, as I will explain.
Then today, March 17, a second report was released by the DHS. It confirmed that the TSA was involved in the transfer of JetBlue Airways passenger information to a Department of Defense subcontractor, Torch Concepts, for use in a data mining study (which I also discussed in an earlier column). Moreover, the DHS report found that, "The TSA employees involved acted without appropriate regard for individual privacy interests or the spirit of the Privacy Act of 1974."
As these two reports suggest, and as I will argue in this column, CAPPS II should not go forward unless it incorporates comprehensive further measures to protect privacy and to provide security for the data in the government's possession.
How CAPPS II Would Work
In 1998, a passenger risk assessment program was implemented as an additional measure to help prevent a terrorist attack on passenger aircraft. In the wake of September 11, Congress directed the TSA to improve that system. The result was CAPPS II.
After receiving fierce criticism of its first proposal for CAPPS II, the TSA on August 1, 2003 issued a new notice regarding the program. The notice informed the public that TSA intended to begin testing CAPPS II, and attempted to address some of the criticism the agency had received.
According to the notice, CAPPS II will proceed through four steps:
(1) Data Collection. Airlines will be required to collect certain data from every passenger, and pass it along to the TSA. Upon purchasing an airplane ticket, passengers will have to provide four pieces of information: their name, address, telephone number, and date of birth.
(2) Identity Authentication. The TSA will send that information to commercial data services, which will then send back an "authentication score" intended to indicate "a confidence level in that passenger's identity." The idea is that these data services will figure out if we are who we say we are.
But that raises some questions: What if a person's information is incorrect, or his name is similar to that of a criminal? What are tolerable false positive and false negative rates when it comes to verifying identity -- and how can mistakes be corrected? Or, what if a person -- because of her age, or lack of income or credit history -- is not present in these databases to have her identity verified?
(3) Risk Assessment. The TSA will then perform a risk assessment for each passenger, drawing upon law enforcement, intelligence, or other government databases. Each person will be scored as either an "acceptable," "unknown," or "unacceptable" risk.
Again, this is troubling -- the TSA notice does not make clear the criteria for such assessments, and much of the data relied upon may be confidential data, so that a passenger may not ever know why he or she has been deemed an "unacceptable" risk.
And again, what are acceptable false positive and false negative rates -- and how can mistakes be corrected? Also, what kind of data should be collected, and how long should the data be retained? Who will have access to the data and for what purposes?
(4) Enforcement of "Unacceptable" and "Unknown" Risk Assessments. Each passenger's risk score would then be forwarded to airport security personnel. Those who score "unknown" would be subjected to heightened scrutiny. Those who receive an "unacceptable" risk assessment will be denied boarding passes, and law enforcement authorities will interview them to decide whether they can board the plane.
The GAO Report: the TSA Gets a Failing Grade in Seven out of Eight Categories
The GAO report found that as of January 2004, the TSA had not adequately addressed seven of Congress's eight concerns.
Why did TSA fail so spectacularly? In part, the GAO noted, because it failed to test the CAPPS II program in a timely manner. According to the report, the TSA had not effectively managed and monitored CAPPS II's development and operation.
In addition, according to the report, the TSA had also failed to protect passenger privacy; address the accuracy of the data relied upon; create a system to address erroneous labeling of passengers; prevent abuse; or create security procedures. (Such procedures are necessary to prevent hackers from compromising the data used in the screening process.)
According to the report, TSA has also failed to adequately "stress test" CAPPS II to see if it even works. Does it really spot "high risk" passengers? Does it waste resources with false high-risk assessments? We don't know. So even those who would willingly sacrifice some privacy for greater security ought to be very disappointed with the TSA and CAPPS II.
Another reason CAPPS II may not be effective is identity theft. If someone else can steal your identity, then verification of who you actually are may be highly problematic. And as we all know, today, with the Internet, identity theft is all too common.
Errors in Data May Be Rife
As noted above, CAPPS II will incorporate both government and commercial data. Each kind of data has its own flaw: Commercial data is often error-ridden. And government data is secret, and may be error-ridden, for all we know.
Erroneous-but-secret government data probably can't be challenged at all. The CAPPS II Privacy Act notice includes a procedure for passengers to access their records, and to "contest or seek amendment of" those records. And the TSA notes that it will use a TSA Ombudsman and a Passenger Advocate to help passengers to request corrections of their records. But the records it refers to are the airlines' records, not the government's.
In addition, the error rate will likely be worsened if TSA carries out its announced plan to begin checking passengers for outstanding criminal warrants. What if the warrant data is error-ridden?
Even A Small Data Error Rate Will Cause Huge Problems
Readers may object that we can live with a few errors in order to get greater security. But the American Civil Liberties Union (ACLU) has pointed out that even a small error rate would create huge problems.
With CAPPS II checking an estimated billion transactions, the ACLU points out, "[e]ven if we assume an unrealistic accuracy rate of 99.9%, mistakes will be made on approximately one million transactions, and 100,000 separate individuals." (Emphasis added.) So even a tiny error rate will lead to many, many errors.
Not only will a lot of innocent people be flagged, but worse, as the ACLU notes, a high degree of false positives "will make it extremely hard to find the handful of real terrorists amid the ocean of false positives."
Even the government's more limited existing "no-fly" lists have caused many innocent Americans to be subjected to countless searches, interviews and refusals to allow them to board. And after an error has been made, it has proved impossible to correct, due to federal government bureaucracy.
The government's own assessment is the right one: Thus far, CAPPS II has been plagued by problems. If it is not drastically transformed, it ought to be cancelled.