ACLU Comments to Department of Homeland Security on the "Passenger and Aviation Security Screening Records"

Privacy Office
U.S. Department of Homeland Security
Washington, DC 20528

Re: DHS/TSA-2003-1 “”Passenger and Aviation Security Screening Records”” 68 Fed. Reg. 45,265

The American Civil Liberties Union (ACLU) is a nationwide, non-partisan organization of approximately 400,000 members dedicated to protecting the principles of liberty, freedom, and equality set forth in the Bill of Rights in the United States Constitution. For almost 80 years, the ACLU has sought to preserve and strengthen privacy and equality in American life.

The ACLU urges the Department of Transportation Security (TSA) to abandon its plan to construct a passenger “”risk assessment”” system known as Computer Assisted Passenger Prescreening System II (CAPPS II). As described in the August 1, 2003 Federal Register notice announcing TSA’s intention to establish a system of records under the Privacy Act, this system would pose a significant threat to Americans’ privacy and freedom.

The danger in creating a program like CAPPS II was highlighted recently when it was revealed that the airline JetBlue had shared over five million passenger records with an Army subcontractor, Torch Concepts, which then augmented those files by purchasing personal information from a private data aggregator, including income, occupation, family size, and Social Security number. The end result was the creation of an extremely detailed and intrusive dossier on the lives of many JetBlue passengers. That data was then used in a data mining experiment in which Torch tried to figure out a way to detect terrorists using data on the personal lives of ordinary people.

The JetBlue incident shows what happens when giant databases are created and information flows back and forth between the private and public sectors. Like CAPPS II, this misguided JetBlue experiment involved privacy invasion on a massive scale, and a reliance on the premise that the best way to detect terrorists is to sift through the lives of everyone. CAPPS II would actually regularize and routinize government sharing of the same information, PNRs, that caused such an uproar when JetBlue provided it to the military. The JetBlue scandal illustrates that collections of personal information, unless subject to strict controls, inevitably leak out and are inevitably are diverted for other uses. And it illustrates that we are at a pivotal moment. Giant new tracking systems have become technologically possible that combine the law enforcement and intelligence powers of government with the relentless daily data collection of the private sector. And Americans are being pushed to accept their creation in the name of stopping terrorism.

CAPPS II would for the first time put the government in the business of conducting regular background checks on everyday citizens. According to current official descriptions, the heart of the program would consist of four steps.

1. The airlines would transmit to the TSA information about its passengers that included at a minimum name, address, telephone number, and date of birth.
2. This information would be provided to commercial data aggregators – companies in the business of compiling extensive dossiers about Americans personal lives – which would check those four pieces of information for consistency with their own files, and produce an “”authentication score”” intended to indicate “”a confidence level in that passenger’s identity.””
3. The TSA would run the passenger through a “”risk assessment function”” involving unknown secret law enforcement, intelligence, or other government databases.
4. Passengers who present an “”elevated, uncertain or ‘unknown risk'”” will be “”subjected to heightened security screening,”” according to the summary that accompanies the Privacy Act notice. TSA Director James M. Loy has stated that a full three to four percent of passengers will be placed in this category.[1] When a passenger is found to be “”high risk,”” according to the notice, “”law enforcement or other appropriate authorities will be notified for appropriate action.””

CAPPS II would represent an unprecedented role for the government in this country. Although the novelty of this program may be somewhat disguised by the surrounding general increase in the efficiency in the collection, storage, search, and retrieval of individual data, and the growth in credit checks, employee background checks, and other searches into the lives of individuals, deployment of CAPPS II would in reality represent a radical departure from the traditions of freedom and equality in the United States. The consequences of having the government conduct searches and evaluations of individuals’ past history and records and generating “”risk scores”” for each person would be far-reaching.

Effectiveness: This System Will Not Make Americans Any Safer

Potentially intrusive new systems and technologies should not be developed or deployed until they have been subjected to a two-part test. The first part of this test asks whether the technology is effective, and significantly increases our safety and security. If the answer is no, then the matter should be closed. Only if a program like CAPPS II will actually work need the second part of the test be applied, in which the program’s likely benefits are balanced against their risks to privacy and other civil liberties.

In fact, CAPPS II fails the first test: it will not make Americans any safer. Proponents say that there is no harm in testing it, but testing is only valuable in cases where simple conceptual analysis of a program does not make the outcome clear. With CAPPS II, gaping holes in the system’s logic make it clear that the system is not worth pursuing. And testing is expensive, diverting money from the many basic security measures that have still not been funded in the U.S.

Even the Bush Administration’s own budget officials have expressed skepticism about CAPPS II. “”I have a huge spotlight on that project,”” Mark Forman, associate director of the Office of Management and Budget, told Congress on March 25, 2003. “”If we can’t prove it lowers risk, it’s not a good investment for government.””[2]

There are several problems with CAPPS II from a purely functional point of view.

1. Identity theft leaves a gaping hole in the system

For example, even a known, wanted terrorist could sail right through this system simply by committing identity theft (which is all too easy today) and obtaining a false driver’s license or passport (which is even easier). For example, such a terrorist might present a driver’s license with his own photograph, but the name, address, phone number and DOB of an innocent person. Nothing in the CAPPS II program would stop such a terrorist. This system is like a Maginot line – the heavily fortified defensive frontier constructed by the French before World War II, which was rendered useless when Hitler’s army simply went around it.

A Federal Trade Commission report issued Sept. 3, 2003 reported that nearly 10 million Americans, or nearly 5 percent of U.S. adults, had been victimized by identity theft in 2002. The ACLU conducted its own inquiry and discovered that in less than an hour it was able to purchase online the name, address, phone number, and DOB of volunteers on our staff for less than $50. Similar information was available on well-known public officials (even TSA director James M. Loy himself).

And once such information was obtained, it would not be hard for a terrorist to put it on a driver’s license – even a “”real”” one – with their own photo. An undercover investigation by the General Accounting Office (made public Sept. 9, 2003) found that it was exceedingly easy to obtain a real driver’s license by presenting birth certificates and other documents that were intentionally made to be obviously counterfeit.[3]

2. Computers can’t make human judgments

More fundamentally, the core notion behind CAPPS II – that an automated process like a computer algorithm can sift through trillions of pieces of information covering billions of passenger flights and hundreds of millions of individuals, and accurately direct the attention of security screeners toward the tiny handful who harbor evil intentions – is almost certainly flawed. According to the Association for Computing Machinery, a professional association for computer scientists, such data mining approaches to stopping terrorism “”suffer from fundamental flaws that are based in exceedingly complex and intractable issues of human nature, economics and law.””[4]

3. False positives will swamp the system

Another problem with CAPPS II is that even a tiny error rate with the system would create huge problems. Each year, 100 million Americans fly, many more than once. Total passenger transactions each year have been estimated to be as high as one billion. CAPPS II would check every one of those transactions. The TSA’s estimate that three to four percent of travelers will be flagged would mean three to four million separate individuals and up to 30 to 40 million transactions. The result will inevitably be not only that many innocent people will come under suspicion – or worse – but that it will become extremely hard to find the handful of real terrorists amid the ocean of false positives.

The error rate will likely be worsened if TSA carries out its announced plan to begin checking passengers for outstanding criminal warrants. The source for that information will most likely be the FBI’s giant criminal database known as NCIC (for National Crime Information Center). Normally, the Privacy Act of 1974 would require that such a database be maintained with “”such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness”” to individuals affected by it.[5] Unfortunately, however, the accuracy of the information in the NCIC is apparently so poor that the Justice Department in April 2003 specifically exempted the NCIC from the accuracy requirement. And yet this same database would become the basis for curbing the 5th amendment right to travel for thousands of Americans – and diverting limited security resources.

4. “”Trusted Traveler”” provision creates security hole

In addition, according to the Privacy Act notice, CAPPS II will contain a special registry of government officials, holders of security clearances, those in “”positions of trust and confidence,”” and those “”otherwise deemed not to require heightened scrutiny.”” Aside from its potential to evolve into a privileged class of Americans who receive special treatment at our airports, this registry opens up yet another security hole in the CAPPS II system. Notorious spies like the Robert Hanssen of the FBI and Aldrich Ames of the CIA had security clearances. Just this month, the government has arrested a Navy chaplain and an Air Force translator who were serving in Guantanamo and accused them of espionage; would they have been “”trusted travelers”” under CAPPS? And a similar “”trusted person”” security exemption cost lives July 23, 2003 in New York City after a gunman opened fire inside City Hall after being escorted past security by a city council member.

5. Our allies value privacy and aren’t cooperating

The privacy problems with the proposal, which are discussed below, can also translate into practical problems. An example is the fact that foreign governments, especially the European Union, are proving to be reluctant to allow the details of their citizens’ lives to be shared with the U.S. government. European privacy law prevents the transfer of European citizens’ data to countries whose privacy laws are deemed to be inadequate – a group that, because of our weak privacy laws, unfortunately includes the U.S. Negotiations are underway but have hung up on several issues, including the fact that the US wants 39 pieces of information about each incoming traveler, many of which are unnecessary, the fact that the US wants to use the information for purposes beyond just preventing terrorism, the fact that the US wants to retain the data for an unnecessarily long period of time, and the fact that European citizens would have no means of redress if they were to be affected by false information.

The European Commission commissioner in charge of customs issues, Frits Bolkestein, wrote in a letter to U.S. authorities that the issues involve “”fundamental rights and liberties which are constitutionally protected in the law of several [EU] member states.””[6] The fact that CAPPS II appears to conflict with the entirely reasonable privacy protections in place in Europe – and that the US is fighting so hard over these issues – speaks volumes. It is sadly ironic that the privacy principles upon which the Europeans’ objections are based were developed in the U.S., and then adopted in Europe but not here (see below).

Such obvious shortcomings of CAPPS II are being ignored by proponents now, but once this system is installed, we will inevitably start hearing a lot more about these security holes and how they necessitate an airtight, biometric national identity and tracking system that would change what it means to live in America (but in all likelihood still fail to thwart terrorism). Americans must grasp the full implications of CAPPS II now, lest they be led step by step down a path they would soundly reject were it presented all at once.

Mission Creep: Build It And It Will Grow

Once CAPPS II is put in place, it will inevitably be expanded. In fact, the program has already expanded significantly, and it hasn’t even been launched yet (see below). History has shown repeatedly that this is typical: surveillance programs, once initiated, always grow in scope. There are three main ways that this program is likely to expand:

1. The system will draw on more and more sources of data.

Initially, CAPPS II may just plug into a few terrorist watch lists. But inevitably, pressure will build to expand the sources of information in order to enrich the process by which both passengers’ “”authentication scores”” and their “”risk scores”” are generated. That process will likely be driven by a vain attempt to overcome, through the sheer accumulation of data, the inherent limitations of using computer algorithms to make what are in essence human judgments.

The Aug. 1 Privacy Act notice states, under “”Categories of Records in the System,”” that CAPPS II will collect government databases “”containing information on known terrorists and terrorist associates,”” as well as “”other information pertinent to the detection of terrorists and their associates.”” This broad language would permit the addition of all manner of new data sources into the program. Virtually any record can be regarded as information pertinent to the detection of terrorists. The Patriot Act, for example, already indicates that the government regards financial and student records as “”pertinent,”” so presumably such records maintained by the government would be included.

Over time, it is entirely predictable that the government will seek to add more and more data sources to its background checks – and any actual terrorist attacks will only accelerate the process to a frenzied pace.

The fact that the CAPPS II Privacy Act notice would permit the addition of so many new data sources into the program with no public notification or oversight over those sources raises the possibility that it could evolve into a true Big Brother program, akin to the Pentagon’s “”Total Information Awareness”” concept, in which the government monitors all available data sources about us (sources that increasingly cover everything we do) in order to search for “”suspicious”” patterns of activity.

A key distinction for the CAPPS II program is the difference between attempting to identify known terrorist suspects, and attempting to identify bad intentions in those who are not otherwise suspected. The CAPPS II Privacy Act notice indicates that the system as currently conceived is not confined to the former goal, but is based on the far more ambitious and civil liberties-threatening task of identifying bad intentions. The notice states that the purpose of the system will be “”to determine the likelihood that a passenger is a known terrorist, or has identifiable links to known terrorists or terrorist organizations, or otherwise poses a threat to passenger or aviation security”” (emphasis added). While making it sound like known terrorists are the target, the open-ended final clause of this sentence leaves the government total leeway. Under “”Categories of Records in the System,”” the Privacy Act notice lists databases “”pertinent to the detection of terrorists”” – not known terrorists – “”and their associates.””

The quest to detect terroristic intentions would permit the most sweeping attempts at trying to divine potentially dangerous intentions by sifting through the lives of individuals. It is inevitable that this impossible goal will drive the government to attempt to collect more and more detailed information about individuals.

2. The system will be used for an ever-widening set of purposes.

Only a few months ago TSA officials were issuing public assurances that CAPPS II would remain confined to searching for foreign terrorists. But the current Privacy Act notice states that among those covered by the system will be “”persons with outstanding federal or state warrants for crimes of violence,”” as well as those linked to “”both foreign and domestic terrorist organizations.”” It also suggests that it may be used to enforce the immigration laws.

When the ACLU met with TSA officials in January 2003, they were adamant that the program would not be expanded beyond its then-strict focus on foreign terrorists. No doubt, those officials were being sincere at that time – which only serves to highlight how quickly government policy can change.

The expansion of CAPPS II’s goals to include the apprehension of domestic criminals and immigration violators – all before the program is even officially launched – heralds what will inevitably be a steady expansion in the purposes for which it is used. And it is predictable that before long the system will be expanded to search for con artists, drug dealers, deadbeat dads, and so on down the scale of wrongdoing until it becomes a comprehensive net for enforcing even the most obscure rules and regulations.

3. CAPPS II will expand beyond airports to more and more locations.

TSA director Admiral James Loy has explicitly indicated that the agency envisions expansion of CAPPS II beyond airports to other forms of transportation such as trains and boats.[7] It is inevitable that the next time there is a shooting on board a bus, pressure will build to expand CAPPS II to bus terminals, and so on in train stations, office buildings, concerts, and every other venue where people gather together in public and thus form a target for terrorism or crime. Once this system is put in place for airports, where the need for security is highest, it will be easily scalable to other locations, and the net result will be an un-American system of internal government checkpoints.

Due Process: No Notification, No Correction, No Appeal

The TSA’s Federal Register notice is a Privacy Act notice, but the program it describes fails to incorporate the key principles that were behind the drafting of the Privacy Act – principles that were first set out in a report for the Department of Health, Education and Welfare in 1973 and have since become widely recognized around the world, having formed the basis for privacy laws in most industrialized nations (including the European Union, which is now objecting to CAPPS II based on those principles). Among the core privacy principles are Access (“”There must be a way for an individual to find out what information about him is in a record and how it is used””) and Correction (“”There must be a way for an individual to correct or amend a record of identifiable information about him””).[8] Neither of these principles would be honored by CAPPS II.

The CAPPS II Privacy Act notice includes a procedure by which “”all persons may request access to records containing information they provided,”” and to “”contest or seek amendment of”” those records. That procedure is largely meaningless, however. First, the information that is held in the hands of private data companies is not covered by the procedure, even though that information may be used to assign passengers their “”risk scores”” too. Second, the procedure would only apply to the non-secret part of CAPPS, the information passed along to the TSA by the airlines: passengers’ names, addresses, telephone numbers, and dates of birth, as well as other information contained in the Passenger Name Records (PNRs). And that information is composed almost entirely of information provided by passengers themselves, which means that access will do nothing but let passengers see whether their own information has been recorded properly. And rendering this right of access even more meaningless is the fact that, according to the Privacy Act notice, the PRN data will be deleted “”within a set number of days”” after the completion of travel. It is good that the data won’t be retained – but it is not good that the right of access will be limited solely to that information.

The information that will be of true concern to travelers – the private and government data used to judge travelers and assign them “”risk scores”” – will not be available for review or correction.

Because the core security evaluations at the heart of CAPPS II are completely secret, individuals singled out by the program will have no way of knowing why they have been targeted. They will not know if they are the victim of the widespread inaccuracies that riddle government and private databases, and will have no way to correct such errors if they are. They will have no way of knowing if they have been falsely accused of wrongdoing by someone, or have been discriminated against because of their religion, race, ethnic origin, or political beliefs. This lack of a meaningful process for redress by those who are unfairly and adversely affected by CAPPS II is at the heart of the European Community’s refusal to sign on to the system, and should be of equal concern to all Americans.

The due process procedure outlined in the notice is an empty shell, because it does not address the underlying purpose of due process procedures: to prevent individuals from being unfairly punished or harmed.

Discriminatory impact: the potential for systematic unequal treatment

While CAPPS II remains shrouded in mystery and its details hidden in black boxes, there is a very real possibility that it will treat Americans unequally based on characteristics such as race, religion, and ethnic origin. CAPPS II will rely on both commercial and government databases. There is ample reason to suspect that both contain biases against particular groups. For example, credit scores – judgments about individual financial reliability made by a handful of private corporations – are notoriously sloppy, and on average minority populations have lower scores and may be more likely to have no credit record at all.[9] And it is likely that government security databases discriminate against ethnic and religious groups such as Arabs and Muslims. The names of legal immigrants selected by the Justice Department in 2001 for interviews by FBI agents solely on the basis of their ethnicity, for example, are lodged in a government database.

One point where the system is open to discriminatory impact is the “”authentication check”” conducted against the commercial databases. Although that check would rely on commercial data services for nothing more than checking name, address, phone number, and DOB, it is possible that the data services possess this data for a smaller proportion of minorities than they do for non-minorities, or contain more inaccuracies for such individuals. This could be true because, for example, African-Americans and Hispanics tend to move more often than non-Hispanic whites.[10] Therefore, the information held about them by the data services is more likely to be out of date, rendering them more likely to “”fail”” the authentication check.

Not only individuals who move more often than average, but also those who change other aspects of their identity may face undue discrimination by this system. Many people each year change their names, whether because they get married, because they change religions (many African-American Muslims adopt Muslim names, for example) or simply to make their name more pleasing or easily pronounced. Others change their sexual identity.

Another point where the system is open to discriminatory impact is in the secret risk-scoring portion of the CAPPS II process. That process could include any number of data sources that have a discriminatory impact on the process. For example, although current TSA officials have denied any intention of drawing on credit scores with their well-documented bias against minorities, nothing in the Privacy Act notice bars the government from doing so as part of the secret risk assessment process at any point in the future.

The bottom line is that there just isn’t enough information about this program to allay well-founded suspicions that its burden would not be shared by all Americans equally. And it contains absolutely no mechanism for taking measurements to make sure that such discriminatory impacts do not emerge.

The Black Box: Americans Judged In Secret

Underlying many of the problems with CAPPS II is the fact that that so much of its operation would take place out of public view. It is secrecy that leaves the public with no way to evaluate the degree to which CAPPS II is expanding beyond its original scope. It is secrecy that makes it difficult or impossible to offer proper due process protections to travel