"Secure Flight" succeeds CAPPS-II

On 26 August 2004, the USA Transportation Security Administration (TSA) announced that the latest version of its airline passenger “screening” (identification, profiling, surveillance, and control) scheme will henceforth be referred to by the TSA as “Secure Flight”, rather than as CAPPS-II .

Few details about “Secure Flight” were provided in the TSA press release announcing the new name, or in conference calls the same day by TSA administrator David M. Stone with reporters and by TSA privacy officer Lisa Dean with privacy and civil liberties organizations. (I wasn’t invited to either phone conference, although I’ve gotten accounts of both from participants.)

The initial reaction of ACLU legislative counsel LaShawn Warren was that, “We remain puzzled over how the program will work and believe that several of the most basic problems with the original [CAPPS-II] proposal remain.” A few days later, EFF published a more detailed analysis of what little the TSA has revealed about “Secure Flight”, concluding that “Secure Flight is CAPPS II by another name.”

From what little the TSA has said about its plans, I concur completely with both the ACLU and EFF, although to be more precise I would say that Registered Traveler and “Secure Flight” are, taken together, CAPPS-II by a new pair of names.

The only major difference between “Secure Flight”, as initially described, and CAPPS-II, is that under “Secure Flight” the TSA would make less use than under CAPPS-II of commercial data other than travel reservation data in real-time screening of airline passengers. But applicants for traveller registrations would, apparently, be required to provide even more information and be subjected to even more extensive mining of commercial databases than passengers would have been subjected to under CAPPS-II. The combination of “Secure Flight” and “Registered Traveler” would, it appears, be substantially more intrusive and invasive of civil liberties, including the right to travel, than CAPPS-II would have been.

The main difference between CAPPS-II and “Secure Flight” seems to be in which aspects of the programs are emphasized by the TSA as being significant.

While CAPPS-II would have relied on mandatory collection and transmission to the government through passenger name records (PNRs) of additional identifying information about passengers, the emphasis in the TSA’s public initial public statements about CAPPS-II was on the mining of (non-travel) commercial databases to profile would-be passengers. While the TSA won’t rule out, and will continue to consider, the mining of (non-travel) commercial databases for “Secure Flight”, the TSA’s emphasis in the initial press release about “Secure Flight” has been on government review of PNRs (implicitly requiring that PNRs be provided to the government, although the TSA won’t explicitly confirm that “Secure Flight” will include such a mandate ).

According to the TSA press release:

Under Secure Flight, TSA will take over responsibility for checking airline passengers’ names against terrorist watch lists — a function currently administered by each airline individually…. Under Secure Flight, TSA will take over responsibility for comparing Passenger Name Record (PNR) information of domestic air passengers to a greatly expanded list of known or suspected terrorists in the Terrorist Screening Center (TSC) database.

I’ve heard a rumor that the TSA plans to issue a new “System of Records Notice” (SORN) under the Privacy Act for “Secure Flight”. But there is nothing the TSA has said it intends to do as part of “Secure Flight” that wouldn’t be covered under the SORN for the “Passenger Aviation Security and Screening Records” database which was to have been used for CAPPS-II. So the only apparent reason for a new Privacy Act notice would be to attempt to dissociate “Secure Flight” from CAPPS-II in the eyes of Congress and the public.

More significantly, a Privacy Act notice merely describes a system of government records. In itself, as Privacy Act notice can’t create an obligation to provide information to the government, or to collect it on the government’s behalf (much less to deny transportation otherwise qualified would-be passengers on a common carrier). That leaves unanswered the question of what legal mechanism — administrative “Notice of Proposed Rulemaking” (NPRM), TSA/DHS “Security Directive” under authority of current laws, or new legislation — the TSA intends to use to implement “Secure Flight”, or how it will justify its directives or regulations under the law and the Constitution.

In the USA, there are essentially no legal restrictions on the ability of the government to mine commercial databases, as long as the practice is announced in a Privacy Act notice. But there are substantial statutory and Constitutional restrictions on the ability of the government to order an airline not to transport an otherwise-qualified would-be passenger.

By shifting its emphasis from mining of non-travel commercial databases (legal in the USA, if objectionable) to denial of transportation on the basis of “watch lists” not based on judicial orders (unsupported by any statute), the TSA has focused attention on those aspects of its plans that go furthest beyond what is authorized by current law (and beyond what could be authorized by any law consistent with the Constitutional protection for “the right of the people… peaceably to assemble”).

Either shifting analysis of PNRs from the airlines to the government, or expanding “no fly” lists beyond those against whom orders of denial of common carrier transportation have been issued by Federal courts, would require new legislation. Perhaps the most disturbing aspect of “Secure Flight” is that the TSA has made no mention of any intention to seek authorization for it from Congress — instead intending, apparently, to implement it without Congressional authorization, and in contravention of the explicit language of multiple Federal laws.

My comments on the first Privacy Act notice for CAPPS-II, more than a year ago, included a detailed analysis (pp. 36-41) of its lack of statutory authority. In particular, 49 U.S.Code. 114 (h)(3) authorizes the Department of Transportation (now the TSA) to, “in consultation with other appropriate Federal agencies and air carriers, establish policies and procedures requiring air carriers … to use information from government agencies to identify individuals on passenger lists who may be a threat to civil aviation or national security.”

I don’t see any ambiguity: under this law, the source of the data is to be government lists, and the identification of passengers matching those lists is to be done by airlines . If, instead, the source of data is to be airline reservation data (PNRs), and the identification is to be done by the government, that change will require a change in the law.

As for the actual denial of passage, airlines are defined as common carriers under 49 U.S. C 40102, and 49 U.S.C. 40103 recognizes a “public right of transit through the navigable airspace” applicable to travel by commercial air carrier. 49 U.S.C. 40101(c) requires that, in issuing regulations, “the Administrator of the Federal Aviation Administration” (whose obligations have in relevant part been transferred to the DHS and TSA), “shall consider … the public right of freedom of transit through the navigable airspace”, which the TSA and DHS have yet to do.

It makes little legal difference whether the actual decision to deny passage, following a match with a “watch list” of suspects, is made by the airline or the government. In either case, even leaving aside Constitutional questions, it is a violation of the statutory obligation of the airline as a common carrier to transport all passengers satisfying the published conditions of carriage and paying the fare specified in the published tariff — unless ordered to do otherwise by a court of competent jurisdiction (something the government can’t say isn’t workable since, so far as I can tell, it has never tried to use the existing legal mechanisms to seek a protective injunction restricting the travel of someone who can be shown to pose a danger).

Whether or not the requisite laws would withstand Constitutional challenge, expanding “no-fly” lists beyond those subject to such injunctions or other court orders restricting travel would clearly require new legislation covering people who, as security expert Bruce Schneier puts it in a recent op-ed , “so dangerous that we can’t ever let them fly, yet so innocent that we can’t arrest them — even under the draconian provisions of the Patriot Act.”

But according to its initial press release, “TSA will collect passenger data and begin testing Secure Flight within the next 30-60 days,” which seems unlikely to allow time for the requisite changes to Federal laws.

(Confirming its disinterest in the niceties of judicial process, on Friday the TSA and DHS reportedly requested that the Federal Court of Appeals for the 9th Circuit, in San Francisco, hold a secret hearing — closed to the plaintiff and his attorneys — on the appeal of a legal challenge to the secret orders under which otherwise qualified would-be passengers are already being denied airline passage if they decline to display government-issued idnetification credentials. If secret laws are judged only in secret hearings, who watches the watchers?)

Participation of airlines or computerized reservation systems (CRS’s) in “Secure Flight”, particularly with archival or “historical” data (for which it is impossible, after the fact, to obtain the consent of the data subjects) would also violate the European Union’s Code of Conduct for CRS’s and the DHS Undertakings to the European Union on use of PNR data transferred to the USA. Those “Undertakings” provide for use of PNR data from the EU for testing of CAPPS-II, but not for “Secure Flight”. The TSA and DHS can’t have it both ways: If “Secure Flight” isn’t CAPPS-II (and thus is exempt from the Congressional restrictions on CAPPS-II), than it isn’t covered by Undertakings, or the USA-EU agreement based on them, and will require a separate agreement.

Since it remains impossible to determine from a PNR whether it contains data collected in the EU, any attempt to test or deploy “Secure Flight” would violate the DHS Undertakings, void the USA-EU agreement on PNR transfers, and allow EU national data protection authorities to resume enforcement proceedings against airlines and CRS’s collaborating with the tests.

[Addendum, 8 September 2004: Added link to documents on the U.S. Circuit Court appeal of the U.S. District Court decision in Gilmore vs. Ashcroft .]