February 18, 2004 | WebMemo on Department of Homeland Security
Following the September 11, 2001, terrorist attacks, the federal government began to greatly expand its role in aviation security. Among these initiatives, the Transportation Security Administration (TSA) is developing the Computer Assisted Passenger Pre-Screening System II (CAPPS II), a program to accurately identify which travelers merit additional security attention. A February 2004 report by the General Accounting Office (GAO) concludes that the program is behind schedule and lacks adequate provisions for privacy and data protection. The GAO report should be taken seriously. Congress and TSA must work together to make CAPPS II a success.
Over the last decade, screening airline passengers to identify potential risks has been increasingly recognized as one important component of a larger air-security regime. CAPPS was first used in 1996 by Northwest Airlines, and in 1997 the White House Commission on Aviation Safety and Security, chaired by then-Vice President Al Gore, recommended that other air carriers adopt it. CAPPS uses flagging criteria (such as whether a passenger made a last-minute reservation or a cash payment) to determine which passengers require more screening.
CAPPS, however, was and
remains deeply flawed. The criteria used to select passengers for
intense screening are too broad. In some instances they can flag up
to 50 percent of passengers. In addition, CAPPS does not marry
passenger information to real world intelligence or other data that
might differentiate potential terrorists from legitimate travelers.
Clearly, TSA needs a better system.
The GAO report casts doubts on the promise of CAPPS II. It finds that CAPPS II testing is behind schedule, mainly because of delays in obtaining sufficient passenger data to evaluate the system. In order to adequately test CAPPS II, TSA will need up to 1.5 million "passenger name records," actual identities and travel itineraries of individuals boarding a flight. According to the GAO, lack of testing so far has led to other setbacks. These include the absence of an adequate management plan, a lack of information about which commercial and government databases will be employed to evaluate passenger data, and insufficient cost estimates.
To fill these gaps, TSA should move expeditiously to complete CAPPS II testing. Without it we won't know what we have and what we need to make the system work right. Congress should not seek to delay testing in order to address other concerns.
The GAO also notes that identity theft could be used to circumvent CAPPS II. Though true, this challenge is one faced by all identity-based security screening programs. The solution here relies not just on CAPPS II, but also on developing national and international strategies to promote the adoption of new technologies to combat identity theft and protect individual privacy. As a recent report by the Markle Foundation rightly points out, there is an urgent need to "harden" identity documentation, as a means of preventing identity theft.
Several privacy and data protection issues, however, should be addressed before CAPPS II is deployed. The House Select Homeland Security Committee proposes authoring an authorization bill for the Department of Homeland Security. This measure should include set criteria for data accuracy, prevention of unauthorized use, privacy protection, and redress procedures and should require guidelines and risk-mitigation strategies to prevent costs from spiraling out of control.
Also, Congress should direct that CAPPS II be used solely to combat terrorism and not for other purposes. Such restraint will help constrain costs and ease fears that the program will impinge upon the civil liberties of American or foreign air travelers.
It is important to get CAPPS II right and not rush to failure. CAPPS II will only become an effective tool if the administration and Congress work closely together to shepherd the program to that end.