Why CAPPS-II would cost a billion dollars

Several people have asked for the basis of my cost estimate for CAPPS-II, quoted today in Business Travel News online and elsewhere.

My estimate of US$1 billion or more in in infrastructure and implementation costs to airlines, computerized reservations systems (CRS’s), travel agencies and agents, other intermediaries, and software and information technology service providers, in order to be able to provide the additional data about each prospective passenger in each PNR demanded for CAPPS-II (“full name”, “home address”, “home phone number”, and date of birth) is an extrapolation from the IATA comments to the INS (see page 11) on the cost of the additional data collection required for the enahnced Advance Passenger Information System(APIS) system, based on the the relatively greater complexity and number of databases, intermediaries, interfaces, protocols, and API’s required for CAPPS-II, as compared with APIS.

I’ve previously published my estimate in an article on my Web site, Total Travel Information Awareness , and in my comments to the DOT and DHS (see pp. 9-10, 50-52) last year, as excerpted below.

From my article, “Total Travel Information Awareness”:

Personal data about travellers passes through a long “food chain” of people and information systems, in many cases, before it gets to the airline. In a typical case, it might go like this: You give your travel information to a travel arranger (travelling companion, family member, business associate, assistant, etc.). They provide your information, perhaps through a Web site (user interface, Web server, and booking engine) to an offline or online travel agency. They enter it (through a GUI, command-line interface, booking engine API, or third-party CRS interface) into a computerized reservations system (CRS), also known as a global distribution system (GDS). (The USA Department of Transportation regulations governing their operations refer to them as “CRS’s”, and that’s the term usually used by travel agents. The companies themselves prefer to describe themselves as “GDS’s”.) The travel agent’s CRS sends the relevant portions of the information (using bilaterally agreed inter-CRS data protocols, or the standard AIRIMP protocol) to the CRS of the airline on whose flight you are booked. If your trip involves travel on multiple airlines, or a “codeshare” flight actually operated by a different airline, your information is passed on again, perhaps to yet another CRS (again using bilaterally agreed protocols or the AIRIMP ).

None of these systems, interfaces, or protocols provide any way, much less any standard way, that the data the TSA plans to require under CAPPS 2.1 could be entered. Each of these systems and interfaces will have to be modified — all in consistent and compatible way, and while continuing to handle millions of reservations every day — to support the TSA’s plans for CAPPS 2.1. There is no evidence that the TSA has even considered the cost (or who would pay it) or time required for these changes.

Airlines have put the cost of even much smaller IT infrastructure changes, limited to airlines’ own internal systems, in the hundreds of millions of dollars. The best clue of likely CAPPS-II costs are the estimates, and commentary on them, in the comments of IATA, the international airline trade association, on the BCIS proposals to require airlines to collect passenger manifest data at check-in:

“IATA advised that the figures it was providing were estimates only and likely to be extremely conservative. The figures … indicate that the estimated cost of the program’s implementation will be approximately $164 million dollars. We believe now, based on a sampling of additional estimates now being reported by various airlines, that the actual costs for both initial implementation and data collection / airport operations will rise significantly higher.”

Because data collection for the BCIS scheme would only occur at check-in, and would be done directly by the airlines, there would be no impact on travel agents, and no need to modify the interfaces between airlines. CAPPS 2.1 would implicate many more systems, interfaces, and protocols, and be much costlier.

IT implementation costs of CAPPS 2.1 would likely exceed a billion dollars, and even with funds in hand the work would likely take several times longer than the TSA has budgeted. Since the TSA’s budget for CAPPS-II is only US$35 million in fiscal 2004, during which CAPPS-II is supposed to be put into full operation, it appears that the TSA expects the travel industry — airlines, CRS’s, and travel agencies — to foot the bill themselves. That’s unlikely to be possible, given the state of their cash reserves in the current travel climate. In effect, CAPPS 2.1 will conscript travel agents, airlines, and other travel data intermediaries into service as involuntary, unpaid servants of the government’s surveillance, monitoring, and data collection agenda.

Collecting the additional data the TSA wants for CAPPS 2.1 will also require changes to business procedures, and require additional labor, especially for travel agents and airline reservations and ticketing staff. Travel agents will bear most of the burden of collecting and entering information about travellers, as well as complying with requirements to provide notice and obtain consent for disclosure of passenger data to the government (and keeping records that this has been done). CAPPS-II, in any of its variants, will also invade the confidentiality of travel agents’ relationships with their clients: travel agents would be required to provide specified passenger data to the government, even if that information is subject to a contractual non-disclosure agreement and wasn’t previously entered in PNRs.

From my comments on the CAPPS 2.0 Privacy Act notice (23 February 2004, pp. 46, 50-52):

The economic impact of the proposals would be immense. If the … system were not exempted from the Privacy Act, and if airlines, CRS’s/GDS’s, airline hosting systems, and travel agencies could comply without violating the EU Data Directive or the Canadian Personal Information Protection and Electronic documents Act (all of which seem extremely unlikely to be possible), compliance would cost the travel industry at least hundreds of millions of dollars, probably billions, and take many months to implement….

Addition of entirely new fields to PNR data models is a slow and expensive process. So far as I know, the last time changes were made to a CRS’s/GDS’s data structure to enhance privacy protection was in April of 2002 when, in response to my criticisms of the disclosure of PNR data over the Internet without a password, Sabre (the largest CRS/GDS), began using the contents of the “passenger e-mail address” field in the Sabre PNR as a pseudo-password for access to Sabre PNR data through Sabre’s Virtually There Web gateway. (See Who’s Who’s watching you while you travel? .)

This process took about two and a half months, even though it involved only adding a new function for the contents of an existing PNR field. Mr. David Houck, Sabre’s Vice President, Industry Affairs, and chief privacy and regulatory compliance officer, told me in an interview that the reason Sabre chose to use the e-mail address as a pseudo-password, rather than a password stored as a separate field in the PNR (which would have been more secure, and standard data security and privacy practice in other industries), was that adding a new field to each PNR would take substantially longer and be prohibitively expensive.

Further indication of the potential cost of compliance with this proposal is contained in the comments of the International Air Transport Association (IATA) on the INS Notice of Proposed Rulemaking on Manifest Requirements , Docket No. INS 2182-01, RIN 1115-AG57, comments dated 3 February 2003.

According to these recent comments by IATA, the direct costs to the airlines alone of implementation of a system to provide the Federal government with post-departure batch access (not real-time or continuous access) to passenger manifest information (limited to a small finite number of specified data fields, not the entire PNR), for international flights only (not all flights), would be “significantly higher” than IATA’s initial “extremely conservative” estimate of US$164 million. The cost of implementation of the ASSR [CAPPS-II] proposals at issue in this rulemaking proceeding would undoubtedly be substantially higher still….

For all these reasons the proposal should be withdrawn at least until the Department has conducted the requisite analysis of its impact as a significant regulatory action, particularly given its likely immense economic impact and its likely critical direct impact on tens of thousands of small travel businesses….

That analysis should include public hearings and expert and public testimony on the potential impact of the proposals, particularly on individual privacy, confidentiality of business information, personal and business data handling by small and large online and offline travel agencies, and related impacts on personal information practices in the travel industry.

From my comments on the CAPPS 2.1 Privacy Act notice (30 September 2003):

“A PNR may include each passenger’s full name, home address, home telephone number, and date of birth.”

This may be the most economically significant of all the misstatements in the Supplementary Information and the Notice.

In reality, most PNRs cannot now contain all this information, because current PNR formats, data structures, and interline data interchange and messaging protocols do not support these additional (currently optional, and some rarely used) data items.

It’s not clear whether the Department has developed the CAPPS-II scheme in isolation from, and in ignorance of, how airline passenger information is handled, or whether the Department is knowingly trying to mislead the public and the Congress about the likely total cost of this proposal.

The Department’s budget of US$35 million in 2004 for completion of development, testing, and deployment of CAPPS-II is ludicrously inadequate for this task. As I discussed in detail in my comments on the original Notice, the International Air Transportation Association (IATA) estimated earlier this year, in comments filed on a parallel but much more limited proposal by the INS (now also part of the Department of Homeland Security), that the cost of providing much more limited access to a smaller subset of PNR data on international flights only would be “significantly higher” then IATA’s initial “extremely conservative” estimate of US$164 million. That proposal would have involved information collected from passengers directly by the airlines at check-in, so it would not have required any changes by travel agencies, CRS’s, or any other intermediaries.

Either the Department is completely clueless about the implications of this proposal, and doesn’t yet realize what sweeping changes in airline industry information technology infrastucture, protocols, and interfaces this proposal would require. Or the Department does know, and intends to impose implementation costs of US$1 billion or more on an airline industry that can ill afford them, and that will be obliged to pass them on to passengers in the form of higher fares.