Since September 11, 2001, the aviation industry has undergone many
changes to strengthen airport security. The Transportation Security
Administration (TSA) was created and placed in charge of passenger
and baggage screeners, who are now federal employees. It has been
using explosives detection systems on 90 percent of checked baggage
and has substantially expanded the Federal Air Marshal
Service.
However, little has been done to determine whether a person seeking to board an aircraft belongs to a terrorist organization or otherwise poses a threat. To meet this objective, the TSA is developing the Computer Assisted Passenger Prescreening System II (CAPPS II).
Proposals regarding the CAPPS II system have recently been modified to show greater sensitivity to privacy issues. These changes are good, and with further modifications, the CAPPS II system should be deployed as part of the American response to terrorist threats.
A Broken System for Airport Security Most of the changes made in airport security have been focused on looking for potential weapons (e.g., better examination of luggage and more alert screeners) and creating obstacles to the use of a weapon on an aircraft (e.g., reinforced cockpit doors and armed pilots). No improvements have been made in the ability to identify individuals who pose threats to an airplane.
In other words, airport security is still using the same system to identify individual threats that did not work on September 11. A new computer-aided system would improve the TSA's ability to assess the risk a passenger may pose to air safety.
The current, limited system (CAPPS or CAPPS I) was first deployed in 1996 by Northwest Airlines. Other airlines began to use CAPPS in 1998, as recommended by the White House Commission on Aviation Safety and Security (also known as the Gore Commission). In 1999, responding to public criticism, the FAA limited the use of CAPPS: It would no longer be used to screen passengers and their carry-on luggage, but only to determine whether to subject their checked luggage to heightened scrutiny.
In other words, since 1999, CAPPS information has not been used as a basis for subjecting passengers to personal searches and questioning. As a consequence, even if CAPPS flagged a high-risk passenger, that passenger could not be singled out for more intensive searches.
Although CAPPS underwent some major changes after September 11, such as expanding the system to include all passengers and modifying the weighing criteria in the algorithms, it is still flawed. CAPPS returned to its original conception and is now used to screen all passengers: If flagged, a passenger may be subject to heightened scrutiny of both carry-on and checked luggage. However, the "flagging" criteria used to select passengers for more intense screening--things such as last-minute reservations, cash payment, and short trips--are too broad. For example, they can flag up to 50 percent of passengers in some instances, principally in short-haul markets.
Nor does CAPPS attempt to compare passenger lists with government-held information to identify specific passengers who may pose a threat. To put it bluntly, if Osama bin Laden tried to board a plane today, CAPPS would not identify him for arrest or further inspection.
CAPPS II--An Improvement The TSA recognizes that screening what a passenger is carrying is only part of the equation. It is developing CAPPS II as a successor to CAPPS in order to determine more directly whether an individual poses a threat to aviation security. CAPPS II will use government intelligence and law enforcement information to assign risk levels to passengers based on real information, not arbitrary models. The TSA will then be able to devote more of its resources to screening those with a higher score (indicating they pose a greater risk) and less to those deemed to be of little concern (although some degree of randomness will need to be retained).
In January 2003, the TSA released a Privacy Act notice for CAPPS II. Since then, many critics have raised substantial concerns. Some thought that CAPPS II was too broad in scope and could infringe on passengers' privacy. Others were concerned that the government should not rely on potentially flawed commercial data to prevent individuals from traveling by air. Some asserted that the use of knowledge discovery technologies on a wide variety of personal data could violate privacy rights and civil liberties. Finally, many wondered whether individuals would be able to challenge their score.
The TSA has recently made available an Interim Final Notice for CAPPS II, which substantially modifies the initial proposal in response to many of the concerns voiced in comments about the first Privacy Notice.1 The Interim Notice allows for a 60-day period for further comments. The following are some of the more significant changes that the TSA made to ensure privacy:
Under the terms of use proposed in the Interim Notice, the "TSA will not retain significant amounts of personal information after completion of a passenger's itinerary."2 In other words, the TSA will delete all travel records of U.S. citizens and lawful permanent residents within a fixed number of days after the safe completion of the passenger's travels. The proposed CAPPS II system will access only a "passenger name record" (PNR), which will include information (such as the passenger's name, address, and flight plans) that is collected at the time the passenger makes the reservations. Selected PNR information will then be transmitted to commercial data providers for the sole purpose of authenticating the passenger's identity. This process is similar to the credit card application procedure used to check for fraudulent information. Commercial data providers will then transmit back to the TSA a numeric score indicating the degree of match between commercial data and TSA data. In other words, they will indicate whether commercially available data confirm that the person is who he or she claims to be.3 Furthermore, the CAPPS II system has addressed privacy concerns by severely limiting the types of private commercial data that will be examined. No commercial data will be retained by the TSA, and the commercial companies will retain no travel data. The TSA has also committed to developing a mechanism by which passengers targeted for more thorough screening can seek to set the record straight if they think that they have been mistakenly identified. After the identity authentication phase, the CAPPS II system will conduct a risk assessment by comparing that identification information to intelligence and law enforcement data. Passengers whose identity is confirmed with a high degree of confidence and who have no matches with intelligence or law enforcement data will be less likely to receive additional scrutiny, whereas those on the opposite end of the spectrum will be searched more thoroughly or, if appropriate, arrested. By attempting to match identities to existing intelligence information, CAPPS II will allow the TSA to focus its resources on those passengers who, through a qualitative analysis, are determined to be more dangerous--either because their identity cannot be verified or because they are identified as a potential threat to air safety.
CAPPS II is now being field-tested to resolve logistical details such as the potential inaccuracies of commercial data, the system's speed of response, and identifying the data necessary for the effective operation of CAPPS II. The testing period is expected to last as long as 180 days, after which the TSA will release the Final Notice with more specific language on the capabilities and the actual and imposed limitations of CAPPS II.
The Need for CAPPS II September 11 proved that CAPPS is insufficient for combating terrorism. Despite the fact that four hijackers had been placed on federal watch lists and three faced charges of immigration violations, none was targeted. CAPPS II is a tool that will make screening more effective because it has the capacity to analyze a broad range of data in real time. The combination of commercial sources, national security sources, and dynamic intelligence data will allow for a timely and appropriate response to security threats.
Anyone who doubts the need for such a system need only look to a recent event--two individuals who were on the terrorist watch list and flew under their own names were arrested attempting to board an airplane in Seattle after apparently having just entered the country from Canada.4 Plainly, the air travel system remains at risk.
The fundamental conclusion is clear: The Transportation Security Administration should continue to develop CAPPS II with an eye toward deploying it as soon as practicable. The TSA should work closely with the Department of Homeland Security's Privacy Office to ensure that the Final Notice addresses the public's concerns about the system without compromising the security function of CAPPS II.
Concurrently, Congress needs to provide strong oversight to guide the development of CAPPS II so that the system does not infringe on citizens' privacy and civil liberties. However, Congress also needs to recognize the necessity for this technological tool in combating the threat of terrorism and should resist calls to restrict the development of CAPPS II.
Section 615(a) of the current version of the Department of Homeland Security appropriations bill, which the Senate passed at the end of July, states that "None of the funds provided by this or previous appropriations Acts may be obligated for testing (other than simulations)"5 until the U.S. General Accounting Office reports to Congress that "the TSA has stress-tested and demonstrated the efficacy and accuracy of all search tools in CAPPS II and has demonstrated that CAPPS II can make an accurate predictive assessment of those passengers who may constitute a threat to aviation."6 It is unreasonable and contradictory to expect that the TSA will be able to demonstrate the capacities of CAPPS II when funding cannot be allocated for testing.
This is a premature rejection of a promising new technology and is no answer to the asymmetric threat of terrorism. It is a Luddite response to fear.7
Congress should remove the restriction on CAPPS II testing in the upcoming conference session and fully fund CAPPS II through the appropriations process. Indeed, resistance to new technology poses practical dangers. As the congressional joint inquiry into the events of September 11 pointed out in noting systemic failures that played a role in the inability to prevent the terrorist attacks:
Finding: While technology remains one of this nation's greatest advantages, it has not been fully and most effectively applied in support of U.S. counter-terrorism efforts. Persistent problems in this area included a lack of collaboration between Intelligence Community agencies [and] a reluctance to develop and implement new technical capabilities aggressively.8 It is important not to repeat that mistake. CAPPS II is a necessary tool for protecting America from terrorist threats. The TSA has taken significant steps to keep CAPPS II from unnecessarily infringing on people's privacy--steps that highlight the TSA's commitment to safeguarding Americans' civil liberties while ensuring aviation security.
Paul Rosenzweig is Senior Legal Research Fellow in the Center for Legal and Judicial Studies at The Heritage Foundation and Adjunct Professor of Law at George Mason University. Ha Nguyen is Research Assistant for Homeland Security in the Kathryn and Shelby Cullom Davis Institute for International Studies at The Heritage Foundation.
1. 68 Fed. Reg. 45265 (August 1, 2003).
2. U.S. Department of Homeland Security, Transportation Security Administration, "Notice of Status of System of Records; Interim Final Notice; Request for Further Comments," DHS/TSA-2003-1, July 22, 2003, p. 10, at www.dhs.gov/interweb/assetlibrary/CAPPSII_PRIVACY_ACT.doc. Clearly, the Interim Notice uses some indefinite language that is vulnerable to abuse. To assuage civil libertarian concerns, the TSA will need to clarify its definitions and procedures in the Final Notice.
3. The technical name of this identification process is "resolving" an identity (i.e., ensuring that the data all identify a single, unique individual). According to at least one expert in the field, achieving the technical expertise to accomplish this objective is a "solved problem." See Jeff Jonas, "Data Mining in the Private Sector," remarks, Center for Strategic and International Studies, July 23, 2003.
4. Blaine Harden, "Two on `No-Fly' List Arrested at Airport," The Washington Post, August 14, 2003, p. A2.
5. U.S. Senate, Department of Homeland Security Appropriations Act, H.R. 2555 EAS, Sect. 615(a), 108th Cong., 1st Sess.
6. Ibid., Section 615(a)(3).
7. The Terrorism Information Awareness program from the Department of Defense encountered similar appropriations problems. See Paul Rosenzweig, Michael Scardaville, and Ha Nguyen, "Senate Should Restore TIA Funding," Heritage Foundation Web Memo No. 315, July 17, 2003, at www.heritage.org/Research/HomelandDefense/wm315.cfm.
8. Permanent Select Committee on Intelligence, U.S. House of Representatives, and Select Committee on Intelligence, U.S. Senate, Report of the Joint Inquiry into the Terrorist Attacks of September 11, 2001, 107th Cong., 2nd Sess., S. Rept. No. 107-351 and H. Rept. No. 107-792, December 2002, p. xvi, at www.fas.org/irp/congress/2002_rpt/911rept.pdf (emphasis added). The joint inquiry also critiqued the lack of adequate analytical tools (idem, Finding 5) and the lack of a single means of coordinating disparate counter-terrorism databases (idem, Findings 9 and 10). Aspects of the CAPPS II program are intended to address these inadequacies.
However, little has been done to determine whether a person seeking to board an aircraft belongs to a terrorist organization or otherwise poses a threat. To meet this objective, the TSA is developing the Computer Assisted Passenger Prescreening System II (CAPPS II).
Proposals regarding the CAPPS II system have recently been modified to show greater sensitivity to privacy issues. These changes are good, and with further modifications, the CAPPS II system should be deployed as part of the American response to terrorist threats.
A Broken System for Airport Security Most of the changes made in airport security have been focused on looking for potential weapons (e.g., better examination of luggage and more alert screeners) and creating obstacles to the use of a weapon on an aircraft (e.g., reinforced cockpit doors and armed pilots). No improvements have been made in the ability to identify individuals who pose threats to an airplane.
In other words, airport security is still using the same system to identify individual threats that did not work on September 11. A new computer-aided system would improve the TSA's ability to assess the risk a passenger may pose to air safety.
The current, limited system (CAPPS or CAPPS I) was first deployed in 1996 by Northwest Airlines. Other airlines began to use CAPPS in 1998, as recommended by the White House Commission on Aviation Safety and Security (also known as the Gore Commission). In 1999, responding to public criticism, the FAA limited the use of CAPPS: It would no longer be used to screen passengers and their carry-on luggage, but only to determine whether to subject their checked luggage to heightened scrutiny.
In other words, since 1999, CAPPS information has not been used as a basis for subjecting passengers to personal searches and questioning. As a consequence, even if CAPPS flagged a high-risk passenger, that passenger could not be singled out for more intensive searches.
Although CAPPS underwent some major changes after September 11, such as expanding the system to include all passengers and modifying the weighing criteria in the algorithms, it is still flawed. CAPPS returned to its original conception and is now used to screen all passengers: If flagged, a passenger may be subject to heightened scrutiny of both carry-on and checked luggage. However, the "flagging" criteria used to select passengers for more intense screening--things such as last-minute reservations, cash payment, and short trips--are too broad. For example, they can flag up to 50 percent of passengers in some instances, principally in short-haul markets.
Nor does CAPPS attempt to compare passenger lists with government-held information to identify specific passengers who may pose a threat. To put it bluntly, if Osama bin Laden tried to board a plane today, CAPPS would not identify him for arrest or further inspection.
CAPPS II--An Improvement The TSA recognizes that screening what a passenger is carrying is only part of the equation. It is developing CAPPS II as a successor to CAPPS in order to determine more directly whether an individual poses a threat to aviation security. CAPPS II will use government intelligence and law enforcement information to assign risk levels to passengers based on real information, not arbitrary models. The TSA will then be able to devote more of its resources to screening those with a higher score (indicating they pose a greater risk) and less to those deemed to be of little concern (although some degree of randomness will need to be retained).
In January 2003, the TSA released a Privacy Act notice for CAPPS II. Since then, many critics have raised substantial concerns. Some thought that CAPPS II was too broad in scope and could infringe on passengers' privacy. Others were concerned that the government should not rely on potentially flawed commercial data to prevent individuals from traveling by air. Some asserted that the use of knowledge discovery technologies on a wide variety of personal data could violate privacy rights and civil liberties. Finally, many wondered whether individuals would be able to challenge their score.
The TSA has recently made available an Interim Final Notice for CAPPS II, which substantially modifies the initial proposal in response to many of the concerns voiced in comments about the first Privacy Notice.1 The Interim Notice allows for a 60-day period for further comments. The following are some of the more significant changes that the TSA made to ensure privacy:
Under the terms of use proposed in the Interim Notice, the "TSA will not retain significant amounts of personal information after completion of a passenger's itinerary."2 In other words, the TSA will delete all travel records of U.S. citizens and lawful permanent residents within a fixed number of days after the safe completion of the passenger's travels. The proposed CAPPS II system will access only a "passenger name record" (PNR), which will include information (such as the passenger's name, address, and flight plans) that is collected at the time the passenger makes the reservations. Selected PNR information will then be transmitted to commercial data providers for the sole purpose of authenticating the passenger's identity. This process is similar to the credit card application procedure used to check for fraudulent information. Commercial data providers will then transmit back to the TSA a numeric score indicating the degree of match between commercial data and TSA data. In other words, they will indicate whether commercially available data confirm that the person is who he or she claims to be.3 Furthermore, the CAPPS II system has addressed privacy concerns by severely limiting the types of private commercial data that will be examined. No commercial data will be retained by the TSA, and the commercial companies will retain no travel data. The TSA has also committed to developing a mechanism by which passengers targeted for more thorough screening can seek to set the record straight if they think that they have been mistakenly identified. After the identity authentication phase, the CAPPS II system will conduct a risk assessment by comparing that identification information to intelligence and law enforcement data. Passengers whose identity is confirmed with a high degree of confidence and who have no matches with intelligence or law enforcement data will be less likely to receive additional scrutiny, whereas those on the opposite end of the spectrum will be searched more thoroughly or, if appropriate, arrested. By attempting to match identities to existing intelligence information, CAPPS II will allow the TSA to focus its resources on those passengers who, through a qualitative analysis, are determined to be more dangerous--either because their identity cannot be verified or because they are identified as a potential threat to air safety.
CAPPS II is now being field-tested to resolve logistical details such as the potential inaccuracies of commercial data, the system's speed of response, and identifying the data necessary for the effective operation of CAPPS II. The testing period is expected to last as long as 180 days, after which the TSA will release the Final Notice with more specific language on the capabilities and the actual and imposed limitations of CAPPS II.
The Need for CAPPS II September 11 proved that CAPPS is insufficient for combating terrorism. Despite the fact that four hijackers had been placed on federal watch lists and three faced charges of immigration violations, none was targeted. CAPPS II is a tool that will make screening more effective because it has the capacity to analyze a broad range of data in real time. The combination of commercial sources, national security sources, and dynamic intelligence data will allow for a timely and appropriate response to security threats.
Anyone who doubts the need for such a system need only look to a recent event--two individuals who were on the terrorist watch list and flew under their own names were arrested attempting to board an airplane in Seattle after apparently having just entered the country from Canada.4 Plainly, the air travel system remains at risk.
The fundamental conclusion is clear: The Transportation Security Administration should continue to develop CAPPS II with an eye toward deploying it as soon as practicable. The TSA should work closely with the Department of Homeland Security's Privacy Office to ensure that the Final Notice addresses the public's concerns about the system without compromising the security function of CAPPS II.
Concurrently, Congress needs to provide strong oversight to guide the development of CAPPS II so that the system does not infringe on citizens' privacy and civil liberties. However, Congress also needs to recognize the necessity for this technological tool in combating the threat of terrorism and should resist calls to restrict the development of CAPPS II.
Section 615(a) of the current version of the Department of Homeland Security appropriations bill, which the Senate passed at the end of July, states that "None of the funds provided by this or previous appropriations Acts may be obligated for testing (other than simulations)"5 until the U.S. General Accounting Office reports to Congress that "the TSA has stress-tested and demonstrated the efficacy and accuracy of all search tools in CAPPS II and has demonstrated that CAPPS II can make an accurate predictive assessment of those passengers who may constitute a threat to aviation."6 It is unreasonable and contradictory to expect that the TSA will be able to demonstrate the capacities of CAPPS II when funding cannot be allocated for testing.
This is a premature rejection of a promising new technology and is no answer to the asymmetric threat of terrorism. It is a Luddite response to fear.7
Congress should remove the restriction on CAPPS II testing in the upcoming conference session and fully fund CAPPS II through the appropriations process. Indeed, resistance to new technology poses practical dangers. As the congressional joint inquiry into the events of September 11 pointed out in noting systemic failures that played a role in the inability to prevent the terrorist attacks:
Finding: While technology remains one of this nation's greatest advantages, it has not been fully and most effectively applied in support of U.S. counter-terrorism efforts. Persistent problems in this area included a lack of collaboration between Intelligence Community agencies [and] a reluctance to develop and implement new technical capabilities aggressively.8 It is important not to repeat that mistake. CAPPS II is a necessary tool for protecting America from terrorist threats. The TSA has taken significant steps to keep CAPPS II from unnecessarily infringing on people's privacy--steps that highlight the TSA's commitment to safeguarding Americans' civil liberties while ensuring aviation security.
Paul Rosenzweig is Senior Legal Research Fellow in the Center for Legal and Judicial Studies at The Heritage Foundation and Adjunct Professor of Law at George Mason University. Ha Nguyen is Research Assistant for Homeland Security in the Kathryn and Shelby Cullom Davis Institute for International Studies at The Heritage Foundation.
1. 68 Fed. Reg. 45265 (August 1, 2003).
2. U.S. Department of Homeland Security, Transportation Security Administration, "Notice of Status of System of Records; Interim Final Notice; Request for Further Comments," DHS/TSA-2003-1, July 22, 2003, p. 10, at www.dhs.gov/interweb/assetlibrary/CAPPSII_PRIVACY_ACT.doc. Clearly, the Interim Notice uses some indefinite language that is vulnerable to abuse. To assuage civil libertarian concerns, the TSA will need to clarify its definitions and procedures in the Final Notice.
3. The technical name of this identification process is "resolving" an identity (i.e., ensuring that the data all identify a single, unique individual). According to at least one expert in the field, achieving the technical expertise to accomplish this objective is a "solved problem." See Jeff Jonas, "Data Mining in the Private Sector," remarks, Center for Strategic and International Studies, July 23, 2003.
4. Blaine Harden, "Two on `No-Fly' List Arrested at Airport," The Washington Post, August 14, 2003, p. A2.
5. U.S. Senate, Department of Homeland Security Appropriations Act, H.R. 2555 EAS, Sect. 615(a), 108th Cong., 1st Sess.
6. Ibid., Section 615(a)(3).
7. The Terrorism Information Awareness program from the Department of Defense encountered similar appropriations problems. See Paul Rosenzweig, Michael Scardaville, and Ha Nguyen, "Senate Should Restore TIA Funding," Heritage Foundation Web Memo No. 315, July 17, 2003, at www.heritage.org/Research/HomelandDefense/wm315.cfm.
8. Permanent Select Committee on Intelligence, U.S. House of Representatives, and Select Committee on Intelligence, U.S. Senate, Report of the Joint Inquiry into the Terrorist Attacks of September 11, 2001, 107th Cong., 2nd Sess., S. Rept. No. 107-351 and H. Rept. No. 107-792, December 2002, p. xvi, at www.fas.org/irp/congress/2002_rpt/911rept.pdf (emphasis added). The joint inquiry also critiqued the lack of adequate analytical tools (idem, Finding 5) and the lack of a single means of coordinating disparate counter-terrorism databases (idem, Findings 9 and 10). Aspects of the CAPPS II program are intended to address these inadequacies.
