TSA, 2 Airlines To Test Secure Flight
With little fanfare, the Transportation Security Administration late last month announced plans to roll out in August its highly contentious Secure Flight program. Considered by some travel industry experts a foray into operational testing, rather than a viable implementation, the program will begin, in limited release, with two airlines not yet named by TSA.
"We are in the process of wrapping up the initial testing phase and we're looking ahead to begin a test using commercial data. That has not yet begun. We're in coordination with the General Accountability Office before we commence testing on that," said TSA spokesperson Amy Von Walter.
TSA, which in late February completed its controversial comparison testing of static, historical passenger name record data from June 2004 and existing watch lists, now is analyzing the results of that trial and working toward getting the congressional green light to proceed in testing more comprehensive commercial data. TSA, however, is still working to meet Government Accountability Office recommendations on "concept testing" to determine the value of using such information.
According to the 2005 Homeland Security Appropriations Act, Congress mandated that prior to testing the use of commercial data for Secure Flight, TSA develop measures to assess the impacts of using commercial data on aviation security and that GAO review those measures.
Operational Secure Flight testing, pending TSA's successful completion of commercial data concept testing, may be "a ways off," said Cathleen Berrick, GAO director of homeland security and justice issues, citing GAO's most recent report to Congress on Feb. 23. "The message with that was that the measures TSA developed to test commercial data didn't assess impacts on aviation security given where they are in their stage of development, but they're planning on that."
Still, said Berrick, TSA is forging ahead with commercial data concept testing and anticipates seeing initial results in April 2005. "They haven't even decided if they want to use commercial data. Nothing we're doing is holding them up at all when it comes to that right now," she said. "The next point at which we've been asked to brief Congress is after TSA has developed test plans and refined these measures. They haven't done that, so there's absolutely nothing we can do. We're waiting for them to do that."
GAO plans to report again to Congress on March 28 regarding issues more fundamental to Secure Flight's operational viability and, perhaps, of greater concern to the travel management community. "In the appropriations law, there were 10 specific areas related to Secure Fight that Congress mandated GAO to review," said Berrick. One was to assess whether Secure Flight has adequate measures to protect people's privacy. Another thing: Have they adequately stress-tested the system? Do they have oversight boards? We're reporting on those 10 specific questions at the end of the month."
Bill Connors, executive director and chief operating officer of the National Business Travel Association, said that TSA's public discussions of commercial data concept testing are a step in the right direction. "The way that they're using this new data, we think, is positive, although, we're monitoring it," he said. "At least they're talking about that and they're open about it. In the past, we wouldn't know what the heck was going on. That's a good sign in itself."
Still, Connors said, "We haven't shifted in our overall belief that any system, whether it was the old CAPPS II or the new Secure Flight system, addresses some of the operational and privacy concerns that GAO pointed out last year. To that end, we think—and I don't want to give carte blanche, saying everything's peachy—that the approach TSA's taking now is much more open. They're concerned about privacy issues and they're particularly concerned about getting people wrong on that watch list. We're particularly concerned about that too, as well as easy redress for people who are incorrectly on that list. The news is getting better, but we'll continue to monitor things."
Some, however, are not so optimistic. Bruce McIndoe, CEO of iJet Travel Risk Management, said that TSA is "playing with fire again" when it comes to the potential use of commercial data—in his view, one of "the big things that blew up CAPPS II."
"The government is forcing the airlines to provide unfettered access to all data in the PNR. Corporate America should be protecting their employees and their own data, because in there would be their corporate card numbers and other proprietary information that's now being released to the federal government for no clear disclosure of purpose," said McIndoe. Corporate travel managers, he said, "should be jumping up and down, working with NBTA and ACTE to force the government to itemize specific elements of the PNR that they need and why."
In the wake of several widespread, high-profile corporate data privacy debacles last month, the Department of Homeland Security appointed 20 members of the private sector to a newly established data privacy and integrity advisory committee, including representatives from Cendant and Oracle. That group's impact has yet to be felt, and neither TSA nor GAO was able to comment on the relationships they would have with the committee.
Kevin Mitchell, chairman of the Business Travel Coalition, was skeptical. "They just put together a panel of privacy experts. The panel is not titled, 'Privacy Experts for a Sound Secure Flight Program,' it's an advisory panel. There is not a single person on that panel representing the end user, which troubled me," he said. "Somebody who can represent the passenger perspective should be on the panel. It's symptomatic of this overarching problem of lack of transparency, lack of outreach."
Some travel managers, however, are offering that end user perspective, weighing the issue of data privacy against the day-to-day security of their road warriors, and coming out in favor of protecting the latter.
"TSA has take measures to make sure that the data is secure and that it's being handled in the proper fashion," said Leslie Bernauer, senior vice president of corporate travel at Lehman Brothers. "With that said, do they handle in the proper way? Do they have the right security around the data? I don't know, but if they did, and unless there's proof that there's been mishandling along the way, I don't think you could give them enough information."
Bernauer understands the privacy concerns associated with TSAs potential use of commercial data, but said she has to look at the issue from her travelers' perspectives. "As somebody who travels and as somebody who was right across from the World Trade Center when the planes hit, I must also comment as a concerned flyer," she said. "I don't think that there's enough information out there that you can give them. I have nothing to hide, so you can have all my information ten times over."