Chief among the program's reported shortcomings are its inability to safeguard against abuse of passenger information, or provide "due process" for passengers wrongly flagged as risks. The program also fails to address the key issues of data accuracy, stress testing, unauthorized access prevention, policies in place for operation and use, and privacy concerns. The one area where TSA has met Congress's mandate is in forming an internal oversight board to review the development of CAPPS II.
The GAO concluded in its report that the most troubling aspect of CAPPS II is concern over the security of both the system and passenger data contained in the system. Without proper security policy oversight, there's limited assurance that the system and its data will be adequately protected against misuse, and that the system will work as intended.
In a Feb. 4 letter to the GAO, Homeland Security Department Under Secretary for Management Janet Hale commented that the department generally concurred with the GAO's report. However, Hale pointed out that the report doesn't accurately describe the department's progress in developing CAPPS II, in particular that it's too early in the development of CAPPS II for the program to fully address all eight of the issues Congress mandated.
Former Georgia Congressman Bob Barr at a press conference on Thursday suggested an approach that deviates from the CAPPS II philosophy of collecting data on all passengers. "Two and a half years [after 9/11], we still do not have a comprehensive, governmentwide database containing information on known terrorists and associates of terrorists," says Barr, chairman of the American Conservative Union Foundation's 21st Century Center for Privacy and Freedom.
The Air Transport Association and other organizations estimate it could cost the airline industry $1 billion to make the necessary changes to their reservation systems to provide the kind of data required by CAPPS II, Barry Steinhardt, director of the ACLU Technology and Liberty program, said at the press conference to discuss the GAO report. These systems aren't all set up to provide the name, home address, phone number, and date of birth data that the CAPPS II system will use, particularly when the international community is factored in.
Inconsistent data would likely create a number of "false positives," passengers targeted by airport security although they don't pose a risk, Steinhardt said. "[CAPPS II] builds a huge haystack and expects to be able to find needles in it."