"Secure Flight" comments due by Monday, 25 October 2004

Public comments are open through Monday, 25 October 2004, on the Secure Flight airline passenger identification, selection, and surveillance system proposed by the USA Transportation Security Administration (TSA) and its Office of National Risk Assessment (ONRA).

Together, the Secure Flight and Registered Traveler programs are intended to replace, and considerably expand, the infringements of travellers’ freedoms which were to have been part of the supposedly-abandoned CAPPS-II passenger profiling scheme. (Traveller registration with the TSA is currently “voluntary”, but will eventually be mandatory for anyone who wants to travel by air.)

The complete TSA docket of notices and comments on Secure Flight testing (TSA-2004-19160) includes those comments filed to date with the TSA (there is sometimes a delay of a couple of days in docketing and posting comments), as well as well as the three rulemaking notices and requests for comments:

1. The Office of Management and Budget (OMB) Information Collection Request notice under the Paperwork Reduction Act and request for comments on the proposed order (the full text of the order itself is included in the notice) requiring USA-based airlines to turn over all data in all PNRs , including cancelled PNRs, that ever included flights that were to have been taken in June 2004; docket TSA-2004-19160-2
   
   
2. The TSA Privacy Act notice or “System Of Records Notice” (SORN) for the Secure Flight testing database; docket TSA-2004-19160-3
   
   
3. The TSA Privacy Impact Assessment for Secure flight testing; docket TSA-2004-19160-4

The purported Privacy Act “notice” fails to give notice of most of the categories of people about whom personal data is contained in PNRs, and comes well more than a year after PNRs for June 2004 travel began to be created (in June 2003 or earlier), making a mockery of any concept of “notice”. By this, and by including cancelled PNRs, it ensures that even those who wish to withhold consent, or tried to do so by cancelling their reservations and not travelling, will be unable to opt out.

The purported Privacy Impact Assessment is a real piece of work, failing entirely to acknowledge, much less to assess, most of the privacy impacts of the proposals.

The most significant portion of the rulemaking, however, may be that of the OMB. The TSA notices concern only what the TSA will do with the data, after it is commandeered from the airlines and, indirectly, from the people whose data is contained in PNRs: travellers, people in whose names reservations were made but who did not travel, people who made reservations for other people or paid for other people’s tickets, and travel agents and airline staff, among others. Under the Paperwork Reduction Act, the OMB must also consider the actual demand for archived PNR data from the airlines (and, implicitly, from the CRS’s that host airline data, and without whose active collaboration it would be impossible for airlines to comply with the demand).

TSA is soliciting comments [to the OMB, which must evaluate them] to —

1. Evaluate whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;
   
   
2. Evaluate the accuracy of the agency’s estimate of the burden [imposed by the information collection requirement];
   
   
3. Enhance the quality, utility, and clarity of the information to be collected; and
   
   
4. Minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

There’s plenty of room for comment on these issues. Among other things, there is no evidence whatsoever that information about people whose reservations were cancelled, and who made no attempt to travel, would have any relevance to determining which of the people who did attempt to travel were terrorists. Nor is there any evidence that most of the data in PNRs, especially the information about people other than passengers (people making reservations for other people or paying for other people’s tickets, travel agents and airline staff, etc.) has any potential utility in identifying terrorists — its only utility would be for surveillance, not security.

The test data set is peculiarly ill-chosen to “have practical utility”. Since no airline passengers in the USA in June of 2004 committed any acts of terrorism, any identifications of suspects in the proposed tests as people who would, if allowed to fly, attempt to commit acts of air terrorism would, by definition, be “false positives”. Since there are no air terrorists in the proposed June 2004 test data set , the test would be useless to measure the rates of “true positive” identifications of the non-existent (in the test data set) terrorists, or of “false negative” failures to identify real terrorists.

Note that the OMB standard is whether the proposed information collection is “necessary for the proper performance of the functions of the agency”, not the lesser standard of whether it is or might be merely useful.

The burden on those who are to respond — the airlines and the CRS’s who host their databases — would be extreme, measured in billions or tens of billions or dollars rather than the hundreds of thousands disingenuously estimated by the TSA. Because the retroactive request for archived data precludes any advance notice or consent, it is unambiguously and directly counter to the unqualified requirement for notice and consent in the European Union Code of Conduct for CRS’s .

Amadeus, the one major CRS based in the EU, could not legally comply with the proposed order, or provide its airline hosting customers with the data they would need to comply.

The other three major CRS’s (Sabre, Worldspan, and Galileo) are based in the USA, and could be forced by the USA to give airlines data dumps even if the CRS’s know that they will be turned over to the TSA without the data subjects’ consent. But if they do so, those CRS’s would have to stop doing business in the EU, including ceasing to provide hosting services to EU airlines or reservation connectivity to EU travel agencies.

The result would be billions of dollars in lost airline business and disruption to airlines’ and travel agencies’ business.

The proposed order would also impose mandates on airlines and travel agencies contrary to their obligations under the EU Data Protection Directive and EU national data protection laws. The USA negotiated an agreement with the European Commission (currently under challenge by the European Parliament in the European Court of Justice) to permit use of data about passengers for testing of CAPPS-II, but it doesn’t extend to Secure Flight or to data subjects other than passengers.

Unless a new USA-EU agreement is concluded before the effective data of the proposed order, airlines in the USA that comply with the order will be unable legally to operate in, or accept reservations from, the EU. That consequence — cessation of USA-EU flights by USA-based airlines — would increase the cost burden of the proposed information collection requirement into the tens of billions of dollars.

As for minimizing the burden of collecting the information — assuming that there is a Constitutional and statutory basis for its collection, which I doubt — the way for the government to collect it which would least burden the airlines or the subjects of the data would be for TSA personnel to collect any required data directly from passengers at the TSA security checkpoints. That would eliminate any collection of data on people other than passengers, and any burden on airlines, CRS’s, or travel agencies and agents. But the TSA doesn’t want that because it would give the TSA less data to retain or pass on in “travel history” surveillance records for future use, and because it would force the government to bear more of the cost itself, instead of foisting the cost of data collection onto the travel industry.

Comments to the OMB (it’s probably best to copy all comments to both the TSA and OMB) can be submitted to the Office of Information and Regulatory Affairs, Office of Management and Budget, Attn: DHS-TSA Desk Officer, only by fax to +1-202-395-5806. Be sure your fax is addressed “Attn: DHS-TSA Desk Officer” and refers to “Docket No. TSA-2004-19160”.

Comments to the TSA can be submitted through the comment submission form on the TSA Web site. Be sure to enter “TSA-2004-19160” in the “Docket ID” field. You can type your comments into the form on the Web page, or attach them as a text, PDF, word processor, or other document file.

It’s not necessary to be a citizen or resident of the USA to submit your comments or have them entered into the official record of the USA government rulemaking proceedings.

EFF and the ACLU built Web-bots for submitting comments on the second of the two CAPPS-II Privacy Act notices. If they do so again for Secure Flight, I’ll link them here.

[Update: There’s now a form to submit brief text comments to the TSA at UnSecureFlight.com . You’ll still need to fax your comments separately to the OMB. If you want to submit lengthier comments, or to attach document files, go directly to the TSA (DOT) docket system — again, be sure to enter “TSA-2004-19160” in the “Docket ID” field.]

The last CAPPS-II notice prompted the largest volume of public comments ever in response to a Privacy Act notice, almost universally critical of the scheme, and many of them still not posted on the DHS Privacy Officer’s Web site . (For some reason the previous round of CAPPS-II comments weren’t processed through the relatively accessible Web-based DOT docket management system. And the OMB comments won’t be, either.) It’s important that the alphabet soup of Federal agencies involved (DHS, TSA, ONRA, and OMB), as well as Congressional and European observers, not get the false impression that travellers think the latest version of The Program Formerly Known As CAPPS-II is an acceptable replacement, rather than another egregious affront to our Constitutional, civil, and human rights to travel.

[Addendum, 26 October 2004: Comments filed by myself and others.]

[Addendum, 31 March 2005: In the original version of this article, I mistakenly reported that Contintal Airlines PNRs are hosted in the EU by the Amadeus CRS . Neither Continental nor Amadeus would confirm, deny, or respond to my queries about this, but I have since learned that Continental uses Amadeus to host its fares database but not its database of reservations. “Continental’s”: http://www.eds.com/about/history/timeline.aspx PNR database is hosted in the SHARES system run by EDS .]