Op-Ed: ACLU: Congress Must Halt Secure Flight

It is no coincidence that, at the same time the government is seeking to secretly compile ever more information on law-abiding Americans, we see an increase in the frequency and scope of identity theft and data crime. Both are symptomatic of astounding advances in how we now store and manipulate massive quantities of electronic data and the threats to personal privacy that come with it.

Unfortunately, it often feels like the current administration habitually gives short shrift to the danger in the unauthorized disclosure of our private information. The ultimate case in point is the push by the Transportation Security Administration to implement the super airline profiling system known now as "Secure Flight," which will be coming to an airport near you in the next year.

Secure Flight is the latest incarnation of the Computer-Assisted Passenger Prescreening System, the current airline security system that flags passengers for more scrutiny based on such behavioral criteria as paying cash for a ticket.

Shortly after 9/11, the Bush administration proposed CAPPS II, which would have abandoned the specificity of the original CAPPS program for a broad data-mining approach. Under CAPPS II, travelers would have had names, addresses, dates of birth and other indicators checked against credit records, secret intelligence databases and consumer records compiled by "data aggregators" (companies that organize and sell information) like ChoicePoint. (ChoicePoint was tricked this year into handing over records on more than 140,000 customers to identity thieves.) The system would then have "ranked" passenger threat levels—and give each traveler a color-coded threat score.

Unease among the general public, as well as a critical assessment by Congress's investigative wing, the Government Accountability Office (GAO), led lawmakers to halt the development of CAPPS II. The result? TSA reintroduced CAPPS II as Secure Flight with slightly different parameters, including the solemn promise not to cross-reference traveler records with top-secret databases or consumer records, both of which are notoriously inaccurate and consequently pose a serious risk of identifying innocent people as terrorists. Recently, however, TSA broke that promise, and showed Secure Flight to be little different than CAPPS II.

In compliance with the Privacy Act of 1974, which obligates government agencies to publicly announce whenever they create a new set of records containing Americans' personal information, TSA published a revised "Privacy Impact Assessment." The assessment disclosed the agency had fibbed.

Before the assessment, TSA assured air travelers it would only check passenger data against consumer records to verify a potential traveler is a real person. The potential privacy impact of cross-referencing would be minimal as the data involved was not sensitive, nor would it be retained.

The Privacy Impact Assessment disclosed, retroactively, a far more involved data-mining process, in violation of the agency's own articulated, legally binding, privacy policy.

Indeed, in response to a TSA request in November 2004, several airlines released various types of passenger records for June 2004. TSA then transferred this raw data, which contained the reservation information for these passengers, to a private government contractor named "EagleForce," which checked it against consumer records.

Instead of merely verifying that, say, Joe Smith of Pineview Lane actually has a paper trail, EagleForce "enhanced" the airline records with new personal information from consumer records, burned those records to CD-ROMs and sent them to TSA so the agency could compare them to various government watch lists (which, again, are riddled with inaccuracies). Those disks—containing perhaps a highly detailed snapshot of your personal and financial life—are now sitting in a nondescript safe somewhere at TSA.

In short, the Secure Flight described in this new assessment looks an awful lot like CAPPS II, and it suffers from the same two pitfalls.

First, it promises to be imprecise. Minute but pervasive flaws in the underlying data—a misspelled name here, an incorrect street number there—would build up to produce a large number of false positives and negatives. That is, not only would innocent travelers frequently be subjected to the indignities of heightened security checks and lengthy delays or detentions, but actual terrorists would easily be able to sidestep any added security benefit through the use of identity theft.

Second, it creates another honey pot for data thieves. Just as the aggregation of credit and consumer information in the databases of places like ChoicePoint encourages data merchant hackers, the creation of a similar database within a huge and unwieldy government bureaucracy would draw criminal attention like a magnet to metal.

Highlighting these dangers, history repeated itself earlier this year when, just like CAPPS II, the GAO gave Secure Flight a failing grade both in its assessment of the program's progress toward implementation and its privacy protections.

It remains to be seen what sort of fallout TSA's recent disclosure will bring. The privacy officer at the Department of Homeland Security, TSA's parent agency, launched an investigation into these new disclosures. Unfortunately, that post was created with a bare mandate, a lack of independence and few real powers. In truth, the only hope is for Congress to halt Secure Flight before its implementation, just as it did for its big brother (no pun intended), CAPPS II.

Timothy D. Sparapani, a legislative counsel for the American Civil Liberties Union's Washington Legislative Office, focuses on lobbying Congress and the executive branch to protect the right to privacy.