CAPPS II Progress Raises Privacy Concerns

The Computer Assisted Passenger Pre-Screening program, designed to help identify air passenger security risks, has a long way to go to meet Congressional mandates to protect privacy and ensure data accuracy, the GAO says.
The General Accounting Office will flash a yellow light of caution Friday when it releases a report assessing the second iteration of the Homeland Security Department's Computer Assisted Passenger Pre-Screening program. CAPPS II, currently in development, is designed to gather information from public and private databases and assign every airline passenger a threat level. The GAO, however, reports that the Transportation Security Administration hasn't met seven of the eight requirements Congress mandated before providing the CAPPS II program with additional funding.

Chief among the program's reported shortcomings are its inability to safeguard against abuse of passenger information, or provide "due process" for passengers wrongly flagged as risks. The program also fails to address the key issues of data accuracy, stress testing, unauthorized access prevention, policies in place for operation and use, and privacy concerns. The one area where TSA has met Congress's mandate is in forming an internal oversight board to review the development of CAPPS II.

The GAO concluded in its report that the most troubling aspect of CAPPS II is concern over the security of both the system and passenger data contained in the system. Without proper security policy oversight, there's limited assurance that the system and its data will be adequately protected against misuse, and that the system will work as intended.

In a Feb. 4 letter to the GAO, Homeland Security Department Under Secretary for Management Janet Hale commented that the department generally concurred with the GAO's report. However, Hale pointed out that the report doesn't accurately describe the department's progress in developing CAPPS II, in particular that it's too early in the development of CAPPS II for the program to fully address all eight of the issues Congress mandated.

Former Georgia Congressman Bob Barr at a press conference on Thursday suggested an approach that deviates from the CAPPS II philosophy of collecting data on all passengers. "Two and a half years [after 9/11], we still do not have a comprehensive, governmentwide database containing information on known terrorists and associates of terrorists," says Barr, chairman of the American Conservative Union Foundation's 21st Century Center for Privacy and Freedom.

The Air Transport Association and other organizations estimate it could cost the airline industry $1 billion to make the necessary changes to their reservation systems to provide the kind of data required by CAPPS II, Barry Steinhardt, director of the ACLU Technology and Liberty program, said at the press conference to discuss the GAO report. These systems aren't all set up to provide the name, home address, phone number, and date of birth data that the CAPPS II system will use, particularly when the international community is factored in.

Inconsistent data would likely create a number of "false positives," passengers targeted by airport security although they don't pose a risk, Steinhardt said. "[CAPPS II] builds a huge haystack and expects to be able to find needles in it."

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing