Secure Flight Is Set to Take Off, But Will our Data Be Secure? :
By ANITA RAMASASTRY
|Tuesday, Jul. 26, 2005|
In mid-July, the Government Accountability Office (GAO), Congress' investigative body, reported that the federal Transportation Security Administration (TSA) used personal consumer information to test a controversial passenger-screening program, without informing the public it was doing so.
According to the GAO, a private TSA contractor obtained more than 100 million records from commercial data brokers, and combined them with passenger name records (PNRs) obtained from commercial airlines. (PNRs contain information provided by passengers as they book their flights).
The information was collected as part of a test of a new but controversial passenger screening program known as "Secure Flight." The program will conduct computerized checks of airline passengers against terrorist watch lists.
This latest snafu is symbolic of problems that TSA has encountered as it attempts to unveil new methods of passenger screening programs that match a PNR against data collected from both government watch lists and commercial data brokers.
We need such screening mechanisms in place. But they need to be carefully designed and implemented so they can both ensure security, and honor privacy.
So far, the TSA has failed at these tasks. Secure Flight is the follow-up to the Computer Assisted Passenger Pre-Screening System II (CAPPS II), which was scrapped by TSA last year after growing bipartisan concerns that it would not protect Americans' privacy or security. As I noted in an earlier column, those concerns were well-founded.
Unfortunately, there is good reason to believe that Secure Flight, too, will fail to protect either privacy or security. It should not be rolled out until we have better measures as to whether the system will correctly identify potential terrorist threats, while minimizing the chances of error or so-called "false positives".
The TSA Privacy Breach that Occurred This Summer
TSA's Secure Flight-related error this summer hardly inspires confidence. According to a GAO report, the TSA violated the federal Privacy Act when it "collected and stored commercial data records even though TSA stated in its privacy notices that it would not do so."
The Privacy Act requires the government to notify the public when it collects information about people: It must say who it is collecting information about, what type of information is being collected and why, and how the information is stored.
According to the GAO, the TSA's privacy notices relating to the Secure Flight how it what data failed to accurately reveal these things. The TSA also failed to inform the public could gain access to, and if necessary correct, its data.
At first glance, it may appear to have been a harmless error for the TSA to share data with a private contractor. Not so.
TSA had promised it would only use the limited PNR information it had already obtained from airlines. Instead, the agency and its contractors compiled files on other people, using data from commercial brokers, and then compared those files with various watch lists.
Before it began testing Secure Flight, the TSA published notices in September and November 2004, saying that it would collect data from commercial airlines, information about people who flew in June 2004.
In fact, the agency did utilize 43,000 names of passengers as well as approximately 200,000 variations of those names -- and many of the variations turned out to be the names of real people who may not have flown that month, the GAO reported. Those additional 200,000 persons had no idea this data collection could or would take place.
A TSA contractor collected 100 million records on those names from commercial data brokers and the like. It then supplemented PNRs with personal information contained in the commercial data, though - GAO noted -- TSA "did not identify . . . its plans to supplement PNR data with commercial data."
The GAO report said that the TSA also stated originally that it would not use and store commercial data about airline passengers (as opposed to government data and PNRs). In fact, it not only did that, it collect and stored information about the people with similar names. "As a result, an unknown number of individuals whose personal information was collected were not notified as to how they might access or amend their personal data," the GAO report found.
To protect people from having incorrect data bout them in federal files, the government must also disclose how they can access and correct the data it has collected. The people whose names were among TSA's variations not only had no notice their data might be used, but they also were not told of any way to correct the information -- which, having been gathered from commercial sources, may be rife with error.
It was only after meeting with the GAO, that the TSA published a revised notice indicating that it would, in fact, do the things it had earlier promised not to do. When it was revealed in June that TSA had collected these personal records, the agency took steps to amend retroactively its privacy notices, to inform the public of what happened. But this is too little, too late.
Troublingly, TSA seems to be a repeat violator when it comes to its obligation to either keep data private, or give notice of disclosure. As I noted in a prior column, In November 2003, a TSA contractor, Torch Concepts, was said to have received passenger data from Jet Blue Airlines without notifying passengers - another possible Privacy Act violation.
As the GAO said - citing the passenger-profiling project's "unfortunate history," "Careless missteps such as this jeopardize the public trust and DHS' ability to deploy a much-needed, new system."
What is Secure Flight?
That new system is Secure Flight. It is the latest incarnation of a government-sponsored passenger-profiling system designed to identify potential security threats.
Shortly after the 9/11 attacks, in November 2001, Congress passed the Transportation Security Act, which established the TSA. The Act also required that TSA use a computer-assisted passenger screening system to evaluate all airline passengers. (The current system operates not through TSA, but rather through each airline's reservation system.)
As noted above, TSA's first, failed effort was CAPPS II - which I discussed in detail in a prior column. Its new effort, Secure Flight, is designed to compare passenger information from PNRs against terrorist and other watch lists maintained by the federal government.
TSA had initially hoped to launch the program with two airlines in August 2005, but it seems very unlikely that will actually happen. Until the GAO certifies Secure Flight, it cannot be launched - and it has not yet done so.
Secure Flight will include the following steps - each of which raises unique problems:
First, commercial airlines will be required to collect additional information from every passenger in PNRs- reportedly, including date of birth.
Here's the problem: The cost of overhauling the PNR data collection system to allow inputting of birthdates and other information may be huge, and the airlines are receiving an unfunded mandate to do so.
Second, the TSA proposes to conduct authentication of PNRs by using commercial data brokers. TSA will send passengers' names and dates of birth (and/or whatever other personal information is collected) to commercial data brokers or aggregators. These are for profit companies that compile extensive digital dossiers about the activities of the majority of Americans.
These commercial data companies will report back to the TSA whether the information provided by the passenger via the airline, matches the information in the company's own records.
Here's the problem: These records may not be very reliable; credit reports and other privately-held data are often replete with mistakes. Credit card theft may lead to serious misinformation about credit patterns and traveling habits. A thief might buy numerous one-way tickets over the Internet, thus arousing suspicion, even if you never would. And identity theft, combined with driver's license forgery, may leave an even more misleading and hard-to-correct trail - suggesting you fly to destinations you've never actually visited.
Another problem is that discrimination may result from the use of commercial databases. Minority populations tend, on average, to have lower credit scores. Some persons may have no credit record at all; disadvantage may be misinterpreted by the TSA as shiftiness. Certain populations - such as lower- income individuals, students, and homeless persons - may also move more frequently than others, so their data may be missing, inaccurate, or subject to suspicious gaps.
Third, the TSA will run the passenger through watch lists maintained by the government's Terrorist Screening Center (TSC). This government entity is supposed to aggregate the many dispersed watch lists that the government was maintaining after 9/11.
But there's a problem here too: The evidence indicates that in the years since 9/11, these watch lists have not been properly consolidated or culled of erroneous names.An August 2004 report by the DHS's own Inspector General found continued problems with attempts to create a unified watch list.
Meanwhile, hundreds -- if not thousands --of innocent passengers have been routinely stopped, questioned and searched while trying to fly because they erroneously appeared on a TSA "no fly" list. These lists have even included U.S. Senator Edward Kennedy and the famous singer Yusuf Islam (formerly known as Cat Stevens).
Worst of all, many innocent Americans have been unable, in many cases, to get themselves removed from these secret lists - or even to figure out why they are there in the first place, to see if discrimination is the culprit.
Secure Flight does provide a set of redress procedures so that a person who is wrongly targeted can appeal and have his or her name removed. This is an important step. But it is important to keep as many innocent people off watch lists rather than to provided an appeals process after they have been tainted as security risks.
Fourth, law enforcement must make a decision about how to proceed with a person identified as a possible risk.
How Must Secure Flight Change to Protect Privacy and Ensure Security?
What changes must be made to Secure Flight to ensure our security and privacy? Two recent GAO reports provide guidance.
This February, the GAO issued a report on the use of commercial data as part of the Secure Flight process. The February GAO report focused solely on Secure Flight's use of commercial databases such as Choice Point. It found that the TSA had not developed successful measures by which to judge the performance of those commercial databases.
Then, this March, the GAO issued a second report. (In October 2004, Congress had asked the GAO to evaluate Secure Flight in 10 different areas.) This second report was entitled "Initial Secure Flight Test Results Show Improvements over Current Passenger Prescreening, but Key Issues Regarding How Data Will Be Obtained and Transmitted Have Not Yet Been Resolved."
The title says a great deal - and the report says more "[T]he ability of Secure Flight to make accurate matches between PNR data and data contained in the terrorist screening database is dependent on the type and quality of data contained in the database as well as in PNRs. While TSC and TSA have taken, or plan to take, a number of actions to improve the quality of the data in the terrorist screening database, the accuracy of the database has not been determined. The effectiveness of data matches will also be dependent on the accuracy of commercial data used to augment the matching, should TSA decide to use commercial data for Secure Flight. However, the accuracy of commercial data is undetermined because there are no industry standards for processes or requirements to ensure accuracy." (Emphases added).
GAO also notes before Secure Flight goes forward, there must be a procedure for correcting erroneous data in the hands of data brokers: the TSA "will need to reach specific agreements with commercial data aggregators on a process for correcting erroneous information."
The report has many other findings and recommendations but its emphasis on accuracy and error correction are essential to a well functioning screening system.
Accuracy Is Needed to Protect Both Privacy And Security
GAO is correct. In my view, Secure Flight should not go forward until the public and Congress can be assured that the program has been tested and that the data against which our names will be compared is valid, useful and capable of being corrected.
It is also vital for the public to have a means of access to, and a right to challenge, the data on which inclusion on a list is based. It means that the TSA and other sister agencies should have stringent criteria for adding persons to watch lists, and clear procedures for removing the names of innocent people who appeal their status.
Bloated databases are bad not only because they cast many innocent travelers as suspected terrorists, but also because they dissipate the focus that those screeners should be keeping on true terrorists.
Errors and false positives divert security resources. A terrorist watch list that is discrete and focused has a greater chance of being productive, and a lesser chance of being harmful to society.