
Spotlight on Surveillance

August 2007:
Secure Flight Should Remain Grounded Until Security and Privacy Problems Are Resolved

EPIC’s “Spotlight on Surveillance” project scrutinizes federal government programs that affect individual privacy. For more information, see previous Spotlights on Surveillance. Spotlight shines this month on the Secure Flight traveler screening system, run by the Department of Homeland Security’s Transportation Security Administration.[1]

The Department of Homeland Security’s Fiscal Year 2008 budget request is an 8 percent increase over last year’s request.[2] Included in the $46.4 billion proposed budget for the agency is $38 million designated for Secure Flight, on top of the $144 million that has been spent on the program.[3] Introduced in 2004, Secure Flight has been roundly criticized, and the system was suspended in 2006 because it contained massive security and privacy vulnerabilities. Though Secure Flight has been revamped, it remains fundamentally flawed.

The Original Secure Flight Program

Source: Department of Justice Inspector General

The number of records on the watch lists has grown substantially since April 2004. A review of the Terrorist Screening Center by the Justice Department’s Inspector General found that the government’s watch lists of known or suspected terrorists remain filled with errors that the Inspector General said could obstruct the capture of terrorists.

Under the Aviation and Transportation Security Act of 2002, the Transportation Security Administration was authorized to maintain watch lists of names of individuals suspected of posing “a risk of air piracy or terrorism or a threat to airline or passenger safety.”[4] Documents obtained in 2002 by EPIC from TSA under the Freedom of Information Act established that the agency administers two lists: a “no fly” list and a “selectee” list.[5] The airlines run passenger names against the watch lists.

When a passenger checks in for a flight, he may be labeled a threat if his name matches an entry on one of the watch lists, even if he is not the person actually on the list. A match to the “no fly” list requires the airline to notify TSA and to call a law enforcement officer to detain and question the passenger. In the case of a Selectee, an “S” or special mark is printed on the individual’s boarding pass and the person receives additional security screening. U.S. Customs and Border Protection also uses the lists to screen travelers. Many travelers have reported problems with being mistakenly matched to names on watch lists.

TSA introduced Secure Flight in August 2004, shortly after the agency abandoned plans for its predecessor, the second generation Computer Assisted Passenger Prescreening System (“CAPPS II”). Secure Flight was intended to compare passenger information from Passenger Name Records (“PNRs”), which contain data given by passengers when they book their flights, against watch lists maintained by the federal government. However, Secure Flight morphed from a simple system of comparing names to watch lists to a complex system where profiles are created on passengers in order to assess the threat that they pose.[6] TSA sought to identify “suspicious indicators associated with travel behavior” in passengers’ itinerary PNR data.[7] TSA began testing Secure Flight in early 2005.

Critical Reviews Lead to Suspension of Secure Flight

Officials claimed Secure Flight would solve the numerous problems of innocent travelers being mistakenly matched to names on the watch lists. However, a Government Accountability Office (“GAO”) report and testimony found that TSA approved Secure Flight to become operational in September 2005 despite inconclusive risk assessments and 144 known security vulnerabilities.[8]

“TSA may not have proper controls in place to protect sensitive information,” according to GAO.[9] In addition to criticizing Secure Flight’s lack of privacy and security safeguards, GAO noted that the documents underlying the program “contained contradictory and missing information.”[10] In February 2006, the head of the Transportation Security Administration told a congressional committee that Secure Flight was suspended for a comprehensive review of the program’s information security measures following the critical GAO report.[11]

Revamped Secure Flight Could Restrict Individuals’ Right to Travel

Source: Department of Justice Inspector General

The Department of Justice Inspector General was highly critical of the watch list database system, detailing a number of errors in the watch lists and saying that the data collection and dissemination structure helped cause “inaccurate and incomplete watchlist records.”

In August, TSA detailed a revised Secure Flight program in which “TSA would receive passenger and certain non-traveler information, conduct watch list matching against the No Fly and Selectee portions of the Federal Government’s consolidated terrorist watch list, and transmit boarding pass printing instructions back to aircraft operators.”[12] TSA said Secure Flight would return to its original purpose and be used to conduct watch-list matching.

The Supreme Court has long recognized that citizens enjoy a constitutional right to travel. In Saenz v. Roe, the Court noted that the “‘constitutional right to travel from one State to another’ is firmly embedded in our jurisprudence.”[13] Indeed, in 2003, then-DHS Deputy Secretary Admiral James Loy observed that “the founding fathers . . . had mobility as one of the inalienable rights they were talking about.”[14] For that reason, any government initiative that conditions the ability to travel upon the surrender of privacy rights requires particular scrutiny.

Secure Flight would affect “more than 2.4 million passengers per day,” or more than 876 million individuals per year.[15] Secure Flight could bar an individual from air travel completely if the person does not present a “verifying identity document,” as defined by TSA, even if the person does not pose a definable security threat.

Under the Secure Flight proposal, there are circumstances in which, if a passenger does not present a “verifying identity document,” then “the covered aircraft operator must not issue a boarding pass or give authorization to enter a sterile area to that individual and must not allow that individual to board an aircraft or enter a sterile area, unless otherwise authorized by TSA.”[16] A “verifying identity document” is defined by TSA as “an unexpired passport issued by a foreign government or an unexpired document issued by a government (Federal, State, or tribal) that includes the following information for the individual: (1) Full name. (2) Date of birth. (3) Photograph of the individual.”[17]

Currently, if a person does not present valid identification such as a state driver’s license because the identification document was lost, forgotten or stolen, then the person can choose to submit to “secondary screening” in order to gain admittance to the flight.[18] “Secondary screening” is a more extensive search of a person and the person’s belongings.

There are questions as to whether travelers will be able to present what DHS defines as a valid “verifying identity document.” Travelers may not be able to afford such a document, which would be either a REAL ID compliant identity card or an expensive passport.

REAL ID is a national identification system in which DHS imposes federal technological standards and verification procedures on state driver’s licenses and identification cards, many of which are beyond the current capacity of the federal government, and mandates state compliance by May 2008.[19] In May, EPIC and 24 experts in privacy and technology submitted comments on DHS’s draft regulations for the REAL ID Act warning the federal agency not to go forward with the national identification system.[20] The group said that the ill-conceived plan would create new security risks for the American public, such as increasing the risk of and the damage caused by identity theft.

In a speech to the National Conference of State Legislatures in August, DHS Secretary Michael Chertoff said that although REAL ID “is not a mandate,” states would be punished for non-compliance.[21] He said that citizens in states that do not implement REAL ID would have to use passports for federal purposes, such as entering courthouses or flying domestically.[22] Passports currently cost $97 each, and the State Department admitted in July that there is a significant backlog in processing passports because of, among other things, “inept planning, underfunded preparations, and popular misunderstanding of poorly crafted government advertising.”[23]

TSA Could Surreptitiously Gather Traveler Data Through Secure Flight

Source: Department of Justice Inspector General

TSA allows individuals to petition through the Traveler Redress Inquiry Program or through Privacy Act requests to access any passenger name record (“PNR”) data that the individual himself gave to an air carrier or travel agent, but no other information in Secure Flight files. EPIC and others have detailed problems in the redress processes. The Justice Department Inspector General found that “it took the TSC, on average, 67 days to close its review of a redress inquiry.”

The required and “voluntary” data gathered and retained by TSA under Secure Flight could lead to traveler dossiers. TSA will require the passenger and airlines to submit the traveler’s full name, “reservation control number, the record sequence number, the record type, the passenger update indicator, the traveler reference number, and the itinerary information” at least 72 hours before the flight.[24] TSA will also require aircraft operators to request from the individual “date of birth, gender, redress number (if available), known traveler number (if implemented and available), and passport information (if available).”[25]

It is doubtful that submission of this personal data would truly be “voluntary.” The “privacy notice” required by TSA includes the ominous statement that if an individual does not “volunteer” this information, “you may be subject to additional screening or denied transport or authorization to enter a sterile area.”[26] That hardly seems voluntary; it is more as if TSA is stating, “Give us your data or else.” Indeed, if the traveler has submitted such data to the airline in another capacity, such as through the airline’s frequent flier program, the data would be transmitted to TSA without the traveler’s knowledge.[27] It is questionable for a government agency to surreptitiously gather data on an individual that resides in commercial data files, especially when the agency has told the individual that she has a right to refuse to submit this data.

Also, it is strange that TSA would force such data from travelers, as the data itself is not crucial to Secure Flight. As TSA explains in the Secure Flight proposal, “[f]or the vast majority of individuals, a decision to forgo providing these data elements should have no effect on their watch list matching results and will result in less information being held by TSA.”[28]

Government Reports Find Watch Lists Used by Secure Flight Are Riddled With Errors

According to the DHS Privacy Office’s Privacy Impact Assessment for Secure Flight, TSA will gather “Secure Flight Passenger Data (SFPD) from certain U.S. aircraft operators and foreign air carriers for the purpose of passenger watch list matching against the No Fly and Selectee list components of the Terrorist Screening Database.”[29] EPIC and others have repeatedly explained that the Terrorist Screening Database and its watch lists are filled with errors and with inaccurate and incomplete data.

Earlier this month, the Justice Department’s Inspector General’s review of the Terrorist Screening Center found that the government’s watch lists of known or suspected terrorists remain filled with errors that the Inspector General said could obstruct the capture of terrorists.[30] The Inspector General was highly critical of the system, detailing a number of errors in the watch lists and saying that the data collection and dissemination structure helped cause “inaccurate and incomplete watchlist records.”[31] In fact, problems at the Center meant that “several known or suspected terrorists” were not on the lists, though they should have been.[32]

The Inspector General said, “The results of our testing of watchlist records, as well as the TSC finding that many records involved in its redress reviews required modification or removal, indicate a deficiency in the integrity of watchlist information” (emphasis added).[33] He explained this deficiency significantly affects travelers because “inaccurate, incomplete, and obsolete watchlist information increases the chances of innocent persons being stopped or detained during an encounter because of being misidentified as a watchlist identity.”[34]

Revamped Secure Flight Offers Inadequate Redress Process

Adherence to Privacy Act requirements is critical for a system such as Secure Flight, which seeks to allow or deny the ability to travel for all air travelers (domestic at this time, though TSA expects to phase in the international portion at a later date). TSA proposes to exempt Secure Flight from key fair information practices, such as the requirements that an individual be permitted access to personal information, that an individual be permitted to correct and amend personal information, and that an agency assure the reliability of personal information for its intended use.[35]

TSA allows individuals to petition through the Traveler Redress Inquiry Program or through Privacy Act requests to access any passenger name record (“PNR”) data that the individual himself gave to an air carrier or travel agent, but no other information in Secure Flight files.[36] Allowing a person to access and correct data she directly gave to TSA, but not other data in profiling files, provides neither adequate access nor the ability to amend or correct inaccurate, irrelevant, untimely and incomplete records.

In February comments to the Department of Homeland Security, EPIC detailed the many privacy and security problems in TRIP, and urged DHS to fully apply Privacy Act requirements of notice, access, correction, and judicially enforceable redress to TRIP and the underlying system of watch lists.[37] It is especially important for individuals to have judicially enforceable rights of access and correction, because government reviews have found that there is “a high rate of error in watchlist records” and the Terrorist Screening Center’s redress procedure is inadequate.[38] In the Justice Department Inspector General’s review of the watch lists, the Center’s redress procedures were criticized. The Inspector General found that “it took the TSC, on average, 67 days to close its review of a redress inquiry.”[39]

Secure Flight Needs To Remain Grounded

Multiple government assessments state that the watch lists remain filled with errors. The Justice Department Inspector General has said this indicates “a deficiency in the integrity of watchlist information.”[40] These watch lists are used to screen “approximately 270 million individuals . . . each month.”[41] The accuracy and reliability problems need to be resolved before the lists are used in yet another passenger profiling system to restrict the movement of U.S. citizens. Full application of the Privacy Act requirements to government record systems is the only way to ensure that data is accurate and complete, which is especially important in the context of watch lists and Secure Flight, where mistakes and misidentifications are costly. Secure Flight should remain suspended until these problems are resolved.



[1] See EPIC’s page on Secure Flight, http://www.epic.org/privacy/airtravel/secureflight.html.

[2] Press Release, Dep’t of Homeland Sec., Fact Sheet: U.S. Department of Homeland Security Announces Eight Percent Increase in Fiscal Year 2008 Budget Request (Feb. 5, 2007), available at http://www.dhs.gov/xnews/releases/pr_1170702193412.shtm.

[3] Id.; Edmund S. “Kip” Hawley, Nominee for Assistant Sec’y of Homeland Sec., Transp. Sec. Admin., Dep’t of Homeland Sec., Testimony at Hearing on TSA’s Secure Flight and Registered Travelers Programs Before the S. Comm. on Commerce, Science & Transp., 109th Cong. (Feb. 9, 2006) [hereinafter “Hawley Testimony on Secure Flight”], available at http://www.tsa.gov/press/speeches/speech_1002.shtm.

[4] Pub. L. No. 107-71, 115 Stat. 597 (2002).

[5] EPIC, Documents Show Errors in TSA’s “No-Fly” Watchlist, http://www.epic.org/privacy/airtravel/foia/watchlist_foia_analysis.html.

[6] Dep’t of Homeland Sec., Notice to Establish System of Records, Secure Flight Test Records, 69 Fed. Reg. 57,345 (Sept. 24, 2004), available at http://edocket.access.gpo.gov/2004/04-21479.htm.

[7] Id. at 57,346.

[8] Cathleen Berrick, Dir., Homeland Sec. & Justice, Gov’t Accountability Office, Statement at a Hearing on TSA’s Secure Flight and Registered Travelers Programs Before the S. Comm. on Commerce, Science & Transportation, 109th Cong. (Feb. 9, 2006), available at http://www.gao.gov/new.items/d06374t.pdf.

[9] Id.

[10] Id.

[11] See Hawley Testimony on Secure Flight, supra note 3.

[12] Dep’t of Homeland Sec., Secure Flight Plan; Proposed Rule, 72 Fed. Reg. 48,355, 48,356 (Aug. 23, 2007) [hereinafter “Secure Flight Proposed Rule”], available at http://edocket.access.gpo.gov/2007/E7-15960.htm.

[13] 526 U.S. 489 (1999), quoting United States v. Guest, 383 U.S. 745 (1966).

[14] Admiral James L. Loy, Deputy Sec’y, Dep’t of Homeland Sec., Testimony before H. Gov. Reform Subcom. on Tech., Info. Policy, Intergovernmental Relations and the Census, 106th Cong. (May 6, 2003).

[15] Secure Flight Proposed Rule at 48,360, supra note 12.

[16] Id. at 48,390.

[17] Id. at 48,388.

[18] Gilmore v. Gonzales, 435 F.3d 1125 (9th Cir. 2006).

[19] See generally, EPIC, Spotlight on Surveillance, Federal REAL ID Proposal Threatens Privacy and Security (Mar. 2007), http://www.epic.org/privacy/surveillance/spotlight/0307/.

[20] EPIC and 24 Experts in Privacy and Technology, Comments on Docket No. DHS 2006-0030: Notice of Proposed Rulemaking: Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes (May 8, 2007), available at http://www.epic.org/privacy/id_cards/epic_realid_comments.pdf.

[21] Eliott C. McLaughlin, Federal ID plan raises privacy concerns, CNN, Aug. 16, 2007.

[22] Id.

[23] Official takes blame for passport mess, Associated Press, July 23, 2007.

[24] Secure Flight Proposed Rule at 48,371, supra note 12.

[25] Privacy Office, Dep’t of Homeland Sec., Privacy Impact Assessment for the Automated Targeting System, Aug. 9, 2007 [hereinafter “Secure Flight Revised Privacy Impact Assessment”], available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_secureflight.pdf.

[26] Secure Flight Proposed Rule at 48,372, supra note 12.

[27] Id. at 48,364.

[28] Id. at 48,363, supra note 1.

[29] Secure Flight Revised Privacy Impact Assessment at 2, supra note 25.

[30] Office of Inspector General, Dep’t of Justice, Follow-Up Audit of the Terrorist Screening Center, Audit Report 07-41 (Redacted for Public Release) (Sept. 2007) [hereinafter “Justice Dept. Report on Watch Lists”], available at http://www.usdoj.gov/oig/reports/FBI/a0741/final.pdf.

[31] Id. at ii-iii, 61.

[32] Id. at ii.

[33] Id. at xxii.

[34] Id. at iii.

[35] Dep’t of Homeland Sec., Notice of proposed rulemaking: Implementation of Exemptions; Secure Flight Records, 72 Fed. Reg. 48,397, 48,399 (Aug. 23, 2007), available at http://edocket.access.gpo.gov/2007/E7-15963.htm.

[36] Secure Flight Revised Privacy Impact Assessment at 23-24, supra note 25.

[37] EPIC, Comments on Docket Nos. DHS-2007-0003: Implementation of Exemptions; Redress and Response Records System (Feb. 20, 2007), available at http://www.epic.org/privacy/airtravel/profiling/trip_022007.pdf.

[38] Justice Dept. Report on Watch Lists at xix, supra note 30.

[39] Id.

[40] Id. at xxii.

[41] Id. at v.

