The Transportation Security Administration last month mandated domestic carriers relinquish passenger name record data to test its Secure Flight program. The revamped version of the scrapped second-generation computer assisted passenger prescreening system revives industry concerns about privacy, cost, logistics and security.
TSA expects U.S.-based airlines by late-October to begin passing along such data, upon which the government will start testing the Secure Flight system "at full load and full speed," TSA said.
"On Oct. 29, the aircraft operator must submit to its principal security inspector all PNRs with flight segments flown during the month of June 2004 that reflect itineraries of passengers for transport by the aircraft operator on a scheduled flight within the United States," the U.S. Department of Homeland Security said in its notice to the airlines. TSA on Sept. 23 also began a 30-day period of soliciting comments from the public on the Secure Flight proposal.
TSA is delivering on its August promise that within the following 30 to 60 days it would begin checking up to 2 million daily airline passenger names against terrorist watch lists
(BTN, Aug. 27). TSA will compare airline PNR data—which varies from carrier to carrier but could include passenger names, flight information, addresses, phone numbers and meal orders—to a database controlled by the Terrorist Screening Center, which was launched last year.
TSA said it "envisions that carriers may be required to collect full passenger name and possibly one other element of information under a fully implemented operational Secure Flight program." TSA, however, will determine which components of the PNRs are necessary for prescreening crosschecks once it completes testing.
While privacy and operational concerns were crucial to the capsizing of CAPPS II, TSA is adamant about the new system's sensitivity to such issues. "The system is designed around a core of privacy statutes, regulations and DHS policy," TSA said. However, the Business Travel Coalition and the American Civil Liberties Union said the new system renews the problems of CAPPS II, as others note many questions remain unanswered.
"To me, this is CAPPS III," said BTC chairman Kevin Mitchell. "You can call this whatever you want, but it's still a replacement for the original CAPPS."
While some in the industry assumed the Registered Traveler program would supplant CAPPS II, TSA is moving forward Secure Flight as the government's domestic passenger prescreening program as tests of the Registered Traveler option continues to make progress. "The biggest question is whether it will run into such opposition that it will implode like CAPPS II," said Caldwell Associates president John Caldwell.
TSA asserted Secure Flight is different from CAPPS II. As the beleaguered program moved forward earlier this year, privacy groups noted the problem of "mission creep." What began as a passenger prescreening system emerged to encompass other areas of law enforcement. TSA, however, contends Secure Flight will maintain a singular focus of keeping terrorists off planes. Secondly, Secure Flight proposes TSA—not airlines—carry the responsibility of comparing PNRs with watch lists, which takes a cost burden off the continually struggling airlines.
Critics and travel associations are calling for the program to meet the same criteria that CAPPS II failed.
ACLU and the National Business Travel Association are urging Congress to push the General Accountability Office for an evaluation similar to the conditions GAO outlined for the deployment of CAPPS II in a report released in March. Mitchell also urged the government to apply those standards.
In the GAO report, the agency said the only issue fully addressed by TSA was the establishment of an "internal oversight board" to review CAPPS II. "Other issues, including ensuring the accuracy of data used by CAPPS II, stress testing, preventing unauthorized access to the system and resolving privacy concerns have not been completely addressed, due partly to the early stage of the system's development," the GAO report noted
(BTN, March 15)."Congress needs to step in and require GAO to perform the same objective evaluation of this program—looking at both its effectiveness and its impact on privacy—that it did for CAPPS II," said Barry Steinhardt, director of ACLU's technology and liberty project.
GAO said TSA prolonged testing and developing CAPPS II, "due in large part to delays in obtaining needed passenger data for testing from air carriers because of privacy concerns." Yet, the mandate to domestic airlines should speed tests and propel Secure Flight beyond its predecessor, which never made it to the testing phase.
Attempting to quell the concerns highlighted in the GAO report, a TSA spokesperson said those conditions "addressed CAPPS II specifically, and Secure Flight is a different program." TSA still is making efforts to comply with those standards.
NBTA said TSA already takes into account such concerns highlighted in the GAO report as enabling an outlet to clear misidentified passengers and "stress testing," among others. "The concerns that were raised throughout the CAPPS II program seem to have been heard and are being addressed," an NBTA spokesperson said. "They're going about this in a much more productive way."
Others are less sanguine.
"If they're going to get off on the right foot, they're going to have to be transparent and upfront from the get-go or people are going to have a jaundiced view almost immediately," BTC's Mitchell said, noting he will submit comments to TSA.
NBTA said its data protection committee and the Legislative Advisory Council are reviewing the details of Secure Flight and also "will provide comments to TSA," while the Association of Corporate Travel Executives last week said its traveler security task force will "pursue TSA for details" on Secure Flight.
"We want to know about the reconciliation process, the restitution process and the likely cost-impact to businesses, in comparison with the level of protection this new program is expected to provide," said ACTE executive director Nancy Holtzman. "TSA would be wise to come out of the gate with all of the proposed processes intact and ready to go."
Tanya Pope, Viacom vice president of travel technology and operations, expressed concern about how TSA will collect the data. "We have to expect they have the data anyway, but the big thing is notification," she said, noting she is troubled by the government taking travelers' PNR data from airlines without notification. "Every credit card vendor in your agreement states that he's going to give your information to the credit bureau," she said. "You need to agree to that. They'd never get away with that in Europe."
American Airlines
(BTN, April 12) and JetBlue Airways
(BTN, Oct. 6, 2003) previously acknowledged sending data to government contractors, and Northwest Airlines early this year admitted it transmitted passenger information to NASA in September 2001
(BTN, Feb. 9). While these actions have spurred lawsuits, other major carriers in the past said they would not relinquish PNR data unless mandated by the government, which is expected to shield airlines from lawsuits.
Southwest Airlines said, "Private customer information is something that Southwest has long held extremely close and reviews any request for information with that same filter. We're going to have to see the final order if it gets to that point."
American Airlines noted that it is within policy "to turn over any documents to TSA when ordered to do so by law or court order." Continental Airlines said it was too early to comment, and Northwest said it is "reviewing the matter with TSA." Other major domestic carriers relinquished comment to the Air Transport Association, which as of press time did not return calls to BTN.