More from the TSA on its CAPPS-II plans

The Electronic Privacy Information Center has posted the full 100 pages of Admiral David M. Stone’s written responses to questions from the USA Senate Government Affairs Committee in conection with today’s hearing on Stone’s confirmation as head of the Transportation Security Administration (TSA) of the Department of Homeland Security (DHS). And Ryan Singel catalogs some of the discrepancies between Stone’s latest submission to the Senate and prior TSA, airline, and CRS claims in More False Information From TSA today on Wired.com.

Additional testimony on DHS plans for the CAPPS-II airline passenger profiling and monitoring system was given Tuesday by Stone’s boss, DHS Under Secretary for Border and Transportation Security Asa Hutchinson, at a hearing before the Senate Committee on Commerce, Science, and Transportation.

Hutchinson’s testimony strongly suggests that the DHS is developing a two-part fallback position in case cost, logistical difficulties, and/or continued Congressional opposition (particularly re-enactment in next year’s appropriation bill for the DHS of the restrictive criteria for full CAPPS-II deployment enacted in 2003, and which the TSA has yet to meet) prevent the implementation of CAPPS-II in the full form in which it was originally envisioned.

One, as was done with key portions of the Pentagon’s “Total (Terrorism) Information Awareness” program, the DHS is likely to continue the parts of CAPPS-II that it really wants under other names, as parts of other programs, and/or within other budget line items. Already, for example, Stone is describing what had been considered the profiling component of CAPPS-II as a distinct project, the “Risk Assessment Engine (RAE)”. And Hutchinson is now talking about “enhancements to CAPPS”, previously considered part of CAPPS-II, that would instead be labeled as some sort of “CAPPS 1.5” or the like. To prevent this, Congresss needs to describe in functional terms the types of prgrams that will be subject to the CAPPS-II restrictions — regardless of what they are labeled by DHS/TSA. Or, better still, Congress needs to enact a travel privacy law applicable to all travel records, whether in government or commercial hands.

Two, the DHS is beginning to define its priorities within CAPPS-II, in preparation for for the necessity of sacrificing some of the most controversial and least useful (to the DHS/TSA) components of the program in order to preserve and move forward with those portions that are deemed most important.

In this regard, Hutchinson’s testimony suggests that real-time profiling using non-travel data, which at least initially was the element of CAPPS-II that drew the most criticism, is probably not the highest priority — even though it’s the part of CAPPS-II most relevant to its ostensible security purpose. Hutchinson’s testimony and DHS/TSA lobbying, both within the USA and internationally, instead focuses on what I’ve long argued, and what the DHS now seems more and more to admit, is their real priority: mandatory government access to PNR data, mandatory collection and entry of sufficient identifying PNR and API data to ensure that PNRs can be indexed into lifetime travel histories, and mandatory verification of identity credentials at the time of travel.

In essence, DHS/TSA are willing to abandon the security-directed risk assessment components of CAPPS-II, if that’s the price of Congressional funding and public approval (or at least acquiescence) for putting it into place with the necessary mandates to make it effective as a surveillance system.

(Should this happen, instead of being conducted in real time, profiling would be conducted when would-be travellers apply for their registered traveller identification credentials, which are undergoing further tests at several major USA airports beginning in July 2004. The TSA says registered travellers won’t be exempt from the current “security” screening, so the only reason for travellers to register will be if unregistered travellers are subjected to more onerous screening, probably increasingly so as registration becomes the norm.)

Additional testimony on CAPPS-II was provided at that hearing by Jim May of the Air Transport Association (ATA), the trade association and lobbying group for USA-based airlines. May went out of his way to say that ATA member airline still support CAPPS-II and want to see it implemented (contrary to what they have tried to imply in their public professions of concern for passengers’ privacy), instead focusing his criticisms on the unfunded government mandates for airline spending on CAPPS-II and other “security” programs. But he did make clear that the actual costs of CAPPS-II will far exceed the amounts that Stone said were being budgeted for it, and that it would require major changes to airline and reservations industry (CRS/GDS and travel agency) information technology infrastructure and business procedures.