Government To Require Airline Customer Data

The Transportation Security Administration is moving forward with plans to test its new Secure Flight passenger screening system. By the end of October, all domestic airlines must submit to TSA passenger data for flights that took place during the month of June 2004. TSA will compare this data, which includes information such as passenger name, reservation date, travel itinerary, and form of payment, against watch lists held in the Terrorist Screening Database.

TSA, which operates within the Homeland Security Department, will use the data to test the load capacity and accuracy of Secure Flight's underlying technology. The administration has issued a legal order to compel airlines to provide passenger name record data because it wants realistic data to compare against the Terrorist Screening Database, which contains information contributed by the Homeland Security, Justice, and State departments, and by the intelligence community. The Terrorist Screening Center, established in December 2003, administers the database to help law enforcement identify known or suspected terrorists.

TSA's plans to firm up its airline passenger-screening initiative came only a day ahead of a high-profile case of the international terrorist watch list in action. Reuters reported Wednesday that a plane carrying Muslim Yusuf Islam, the pop singer formerly known as Cat Stevens, was denied landing permission in Washington, D.C., and re-routed to Maine for security purposes. Islam, who has been accused of supporting the militant Islamic group Hamas, is reportedly being sent back to England.

Secure Flight is intended to keep suspicious passengers from boarding domestic flights. The differences between Secure Flight and its failed predecessor, the Computer Assisted Passenger Prescreening System (CAPPS II), are sufficient to ensure that TSA is giving strong consideration to privacy issues, says Nuala O'Connor Kelly, Homeland Security's chief privacy officer.

Unlike CAPPS II, Secure Flight proposes to use passenger name data solely to combat terrorism and not for other law-enforcement purposes, TSA Privacy Officer Lisa Dean wrote in a memo describing Secure Flight. The proposed program also lets TSA take sole responsibility for running passenger name comparisons against the Terrorist Screening Database, rather than relying on airlines to do it themselves. Secure Flight also is limited to domestic flights. International terrorist screening will continue to be conducted by Customs and Border Protection .

"The difference between Secure Flight and some of the other [proposed] programs is that privacy concerns were infused from the beginning," Kelly says. "This is exactly how it should be because it's not something that can be added later." Kelly will review TSA's efforts before a final program is designed. "I'm glad to see they're going forward with the test phase first before a complete rollout to make sure the technology is affective," she adds.

Though airlines are being ordered to comply with TSA's testing plans, Kelly says, "Folks in the airline community are generally in favor of anything that makes their business safer."

The airline industry has generally tried to accommodate TSA's security initiatives, even though it's gotten them into hot water with privacy advocates. In late February, both Kelly and the Senate Governmental Affairs Committee criticized TSA for its role in getting JetBlue Airways in 2002 to transfer passenger records to government contractor Torch Concepts, in violation of JetBlue's privacy policy.

"We like the idea of a faster, smarter way of screening people before they set foot in an airport," says Doug Wills, VP of communications for the Air Transport Association, an airline lobbyist organization. "On the other hand, the airlines have voiced concern that the privacy part is done right."

The association, during the October open-comment time frame, will submit to TSA a paper outlining the airlines' concerns about the lack of detail included in the Secure Flight proposal to date. Airlines would prefer that TSA accept their passenger-name record data as-is rather than making the airlines adhere to any special data format that would cost time and money to implement, Wills says. "Airlines and passengers pay $4 billion in unreimbursed security costs per year," Wills says. "We hope the government will be sensitive to this."

The association is also hoping TSA will allow for the expansion of the Registered Traveler program, through which certain airlines have collected passenger pre-screening data and implemented biometric security for frequent travelers.

TSA also contends that Secure Flight is consistent with the 9/11 Commission recommendations that the federal government take over the responsibility for checking airline passengers' names against expanded "no-fly" and "automatic selectee" lists from the individual airlines and that airlines be required to supply data to test and implement this new system.

To comply with the program, each airline must by next week submit a plan for meeting the TSA requirements and submit the actual data by Oct. 29. Uncompressed data must be submitted on optical media in XML or some other structured data format.

The information to be collected as part of the Secure Flight test will be shared with TSA employees and contractors who, Dean states in her memo, have a "need to know" to conduct the required test comparisons. TSA will maintain the data to be collected for this test in a secure facility on electronic media and in hard-copy format, the memo states.