The Practical Nomad

Subscribe to my free travel newsletter

Your e-mail address:

I will never rent or share your address. (More info)

Prev | Next | Index of Articles | Practical Nomad Home Page


What's wrong with CAPPS-II?

(and what should be done about it?)

by Edward Hasbrouck, "The Practical Nomad"

[Note: In August 2004, CAPPS-II was officially succeeded by the Secure Flight and Registered Traveler programs. These "new" programs, however, would incorporate most of the features previously included in CAPPS-II. Public comments on the Secure Flight proposal are being accepted through 25 October 2004. See the Privacy and Travel section of my blog for more recent updates on these programs.]

CAPPS-II (the "Computer-Assisted Passenger Pre-Screening System", version 2) is the USA government's name for a proposed new system for identification, profiling, monitoring, surveillance, and enforcement of a "no-fly list" and other "watch lists". At first, CAPPS-II would be applied to airline passengers on flights to, from, or within the USA. Eventually it would be expanded to other modes of transportation such as trains, busses, and ferries.

The USA Transportation Security Administration (a division of the Department of Homeland Security) has published two Privacy Act notices describing what CAPPS-II would do. The first version, "CAPPS 2.0", was published in the Federal Register on 15 January 2003. It prompted hundreds of unanimously critical comments from members of the public, privacy and consumer advocates (including myself), legislators and law enforcement officials, and other individuals and organizations.

A revised proposal, "CAPPS 2.1", was first outlined in a TSA briefing of privacy advocates in March, repeated in subsequent TSA press statements and testimony to Congress, and finally published in the Federal Register on 1 August 2003. It was open for public comments from then through 30 September 2003, and the DHS promised to publish the comments received. The DHS has admitted to receiving more public comments on the second CAPPS-II Privacy Act notice than on any other Privacy Act notice in the government's history. But the DHS and TSA still have neither published all the comments, nor responded to them. In March 2004, the Acting Administrator in charge of the TSA told a Congressional hearing that he would soon issue a secret "security directive" ordering airlines to start turning over reservations for use in CAPPS-II testing. Since such an order would be secret, we can't tell whether it has already been issued, or whether CAPPS-II testing has resumed.

CAPPS-II would be the largest domestic surveillance system ever deployed in the USA. I've discussed the history, context, evolution, and details of CAPPS-II in much more detail in my white paper on travel data and privacy, "Total Travel Information Awareness". But if that's more than you wanted to know, here's a summary of the most important problems with the latest version of the program, as most recently defined in the latest version of the CAPPS-II (CAPPS 2.1) Privacy Act notice, and what I think should be done to protect your privacy and your right to travel.

As part of the fiscal year 2004 appropriation bill for the Department of Homeland security, signed into law by the President on 1 October 2004, Congress ordered the General Accounting Office to investigate and prepare a report on CAPPS-II, and ordered TSA not to deploy CAPPS-II until that report is complete, and even then only if the GAO reports that CAPPS-II has met certain standards of effectiveness and privacy protection. The GAO reported that only one of the eight criteria set by Congress had been met. But under that law, there's no restriction at all on ongoing CAPPS-II testing, including CAPPS-II tests with real data on real passengers. And the law places no restrictions at all on the contractors -- like those who got an misused the jetBlue Airways data -- who have conducted most of the CAPPS-II tests to date (in each case with real passenger data).

What's wrong with CAPPS-II?

  1. CAPPS 2.1 would create a new, unconstitutional requirement for a "domestic passport". By requiring all travellers -- even those within the USA, or even within a single state -- to carry and display, on request, government-issued identity documents, it would create a de facto national ID card system -- something that the public, and the Congress, has strongly resisted for many years. Travel is an act of assembly, and such restrictions on domestic travel would violate the First Amendment to the Constitution of the USA, which prohibits the government from restricting "the right of the people peaceably to assemble".
  2. CAPPS 2.1 would require air travellers to provide additional information -- the date of birth, home phone number, and home address of each traveller -- to the airline, travel agent, or travel arranger, and would require this information to be entered into a computerized reservation system (CRS). It's not clear if people without telephones -- or with only a mobile phone, not a "landline" phone at their home address -- would even be allowed to fly! (This is one of the ways that CAPPS 2.1 is significantly worse than CAPPS 2.0: CAPPS 2.0 would have relied on information already entered in reservations.) None of this information is currently required or collected, and airlines and CRS's don't even have fields in their databases to record it. CAPPS 2.1 would require hundreds of millions of dollars (not yet included in the TSA budget) in modifications to the data storage and interchange standards and information technology infrastructure of tens of thousands of travel companies.
  3. CAPPS 2.1 would conscript travel agents, airline employees, corporate travel mangers, and anyone who makes reservations for friends or family into working as (unpaid) surveillance agents, collecting and recording information to be passed on to the government.
  4. CAPPS 2.1 would cost the travel industry US$1 billion or more (airlines themselves have reported that it could be as much as US$2 billion) in modifications to their information technology and systems to collect, store, and forward to the government, in a standardized format, the additional information about each prospective passenger that would be required for CAPPS-II. That cost would have to be passed on either to taxpayers through government reimbursement of travel industry costs, or to travellers through higher airfares and reservation service fees.
  5. CAPPS 2.1 would require travelers to provide additional information, which would be recorded in their reservations, passed on to the government, and retained by travel companies. The TSA would (it claims) purge this data on most travelers after their flights. But since the USA has no general data privacy law, and since neither CAPPS 2.1 nor any other Federal law or regulation restricts use of travel data by private companies, travel companies would be free to retain this additional information -- which travelers would be required by government regulation to provide -- and to use it, rent it, or sell it without travelers' knowledge or permission. CAPPS-II would require travelers to provide information to travel companies under government order, but then treat the information as though it were a "gift" that the travel companies, not travelers, would own and control. Such an expropriation of travellers' personal information for private travel companies' use and profit, under government coercion, would constitute an improper and unconstitutional taking of personal informational property without compensation.
  6. The additional information required by CAPPS 2.1 could be used to correlate each travel reservation (currently indexed only by flight number or reservation record locator) with a specific person, and to index separate reservations for individual trips into databases easily searchable by name, birthday, address, or phone number. CAPPS-II would thus enable the government and private travel companies (especially the four main CRS's which host almost all airline reservations worldwide) to create comprehensive lifelong dossiers of everywhere each person has travelled, when, how, with whom, whether (behind the closed doors of their hotel room) they asked for one bed or two, and many other intimate details of their lives as revealed by their travel histories. These travel databases would be vulnerable to theft and/or abuse.
  7. The additional identifying and indexing information required by CAPPS 2.1, and provided under government order, would make it as easy for the government to investigate and obtain the details of your travel history as to obtain your criminal history from NCIC. (Even though travel isn't a crime.) Even if travel records aren't stored by the government, the current lack of travel privacy or data privacy law in the USA makes travel records available to the government from travel companies for the asking, without notice to the traveller. Simply by asking the big four CRS's and a few other airlines, the government could obtain a comprehensive report of your past travels.
  8. CAPPS-II violates the international norms of data privacy and fair information practices, as incorporated into the laws of Canada, the European Union, and many other countries. CAPPS-II would require airlines to do things that are forbidden by law in those countries. As a result, it would be impossible for airlines to operate flights between the USA and Canada, or the USA and the EU, without breaking the law in one or the other country. Airlines would have to operate illegally (precipitating a legal and diplomatic crisis between the USA, EU, and Canada), or cease international flights (precipitating a personal and business crisis for travellers).
  9. CAPPS 2.1 would allow information known to be inaccurate to be used as the basis for denial of air transportation (in violation of Federal law requiring common carriers to transport all qualified passengers), and would result in many false arrests. Under the expanded CAPPS 2.1 regulations, airline reservations could be used by CAPPS-II for "detection of outstanding warrants for crimes of violence". The only plausible source of information on outstanding warrants is the FBI's National Criminal Information Center (NCIC database). And in the FBI's Privacy Act notice for NCIC, the FBI has renounced any obligation to ensure that NCIC data is accurate. With hundreds of thousands of airline passengers being checked each day against a warrant database known to be inaccurate, CAPPS 2.1 would produce many false arrests every day.

What's wrong with the way the CAPPS-II regulations have been put into effect?

  1. The TSA and DHS intend to impose the new requirements through secret "security directives" to the airlines, making it impossible for travellers to know what is required, or to challenge illegal or unconstitutional orders.
  2. The CAPPS-II Privacy Act "notice" fails to provide notice to all of the categories of individuals about whom personally identifiable information in included in airline reservations, which would be passed to the government under CAPPS-II. The Privacy Act "notice" falsely claims that the only categories of individuals about whom CAPPS-II would use personal information would be airline passengers. Specifically, the Privacy Act "notice" fails to provide notice that airline reservations, and CAPPS-II, would also include personal information on:
    1. Individuals who make reservations for air travel, but who do not actually travel, and who never purchase tickets and/or cancel their reservations. (Cancelled and unticketed reservations cannot actually be deleted from airline databases.)
    2. Travel arrangers, personal assistants and administrative staff, travel managers, group coordinators, event organizers, and family members and friends assisting with travel arrangements, as identified by the "received from" field in the "history" (audit trail) for each reservation entry that records the person who requested the reservation or change.
    3. People who pay for tickets for others, or who hold joint credit or debit cards with people who purchase travel for themselves or others -- again, whether or not they travel themselves -- as identified from the "form of payment" fields in ticketing records.
    4. Travel industry personnel, including travel agents and airline reservation, check-in, and ticketing staff, as identified by the unique "agent sine" or log-in ID in the reservation "history" for each entry or change.
    5. Clients, customers, and employers of travellers, even if they aren't travelling, as identified by billing and accounting codes for travel by others undertaken on their behalf or at their expense.
  3. The CAPPS 2.1 Privacy Act "notice" fails to provide notice of the items required by the Privacy Act (which is supposed to be the central purpose of a Privacy Act notice), specifically:
    1. What items of information and documents will airline passengers be required to provide? (What types of ID documents are and aren't sufficient? Is a hotel address a sufficient "home address"? Is a cell phone a sufficient "home" phone number?)
    2. What is the specific statutory legal basis for the requirement for travellers to provide each of these items of information and these documents both to the airline and/or other travel company and to the TSA?
    3. What will the penalty be for failing to provide each of the requested items? (If I don't have, or don't choose to provide, a "home address", does that mean I will be subject to a more intrusive search, refused passage, reported to the FBI and/or local police, or immediately detained?)
  4. The CAPPS 2.1 Privacy Act notice, like the CAPPS 2.0 Privacy Act notice, entire ignores and fails to carry out the statutorily required analysis of its economic impact.
  5. The TSA/DHS analysis of the comments made by the public on the CAPPS 2.0 proposal entirely ignores, and fails to respond to, all of the many comments concerning whether CAPPS-II would actually accomplish any legitimate purpose; whether it would be constitutional (as a restriction on the right to assemble); whether it is authorized by any law; whether it would be compatible with European Union or other countries data privacy laws or international privacy norms; and whether airlines, CRS's/GDS's, and travel agencies could legally be conscripted into carrying out its data collection and surveillance requirements.

What can (and should) be done about CAPPS-II?

  1. The TSA and DHS should withdraw their proposed CAPPS-II regulations. At minimum, they should publish a revised an expanded Privacy Act notice, describing the data actually to be required, and the full range of individuals (not just passengers) whose personal information would be included in the system, and allow an opportunity for comment before resuming or continuing CAPPS-II testing or deployment. Any new requirements should be imposed through published rules, not secret "security directives" that evade judicial review.
  2. The DHS Chief Privacy Officer, Ms. Nuala O'Connor Kelly, and the TSA Chief Privacy officer, Ms. Lisa Dean, should order a halt to CAPPS-II testing and deployment as unconstitutional, not authorized by any law, and a violation of the most basic privacy rights and norms of fair information practices.
  3. Congress should:
    1. Investigate and hold public hearings on the privacy and personal information handling and usage practices of the travel industry, including what really happened with the jetBlue Airways, Northwest Airlines, and American Airlines passenger records and the role of government agencies and corporations including the DHS/TSA, DOT, NASA, the military, Torch Concepts, SRS Technologies, Acxiom, LocatePLUS Holdings, other airlines, and the CRS's/GDS's.
    2. Enact a comprehensive consumer privacy law (which I would suggest be modeled on the successful Canadian example, as it was before being amended by Canada's Bill C-7) requiring fair information practices in the handling of personal information -- including travel records -- by both government agencies and private companies. At a minimum, Congress should enact travel data privacy rules (focused on the CRS's/GDS's as the principal repositories of travel records) giving travel data as least as much protection as is currently given to medical and financial data.
  4. Citizens of Canada or the European Union can ask your national data privacy protection authorities to refuse to allow airlines and CRS's/GDS's that transfer data to the USA government and/or commercial entities in the USA in violation of your national and EU privacy laws to continue to operate in your country. If you aren't certain what data is being kept about you, or by whom, you can and should request copies of your travel records -- including archived PNR's from your past air travel -- as well as a report on who has been given access to your data, from each airline or CRS that might have information about you. (I've posted sample request letters you can use or adapt for use in your country.) It's particularly important to make such requests of the four major global CRS's, not just airlines. Ask each of the four major CRS's for complete copies including the "history" (audit trail) of all PNR's in their system, whether in live or archival storage and whether created by travel agencies or airlines, that contain personal information about you. Ask for a complete log of what portions of each of those PNR's was provided to what commercial or governmental entities, under what if any contractual restrictions on its use or further dissemination by them. Make sure your request to the Amadeus CRS includes its Airline Automation, Inc.subsidiary in the USA. (If anyone tries this, please let me know what happens: CRS's have told me that no one has ever made a request like this, so they haven't yet had to figure out how to respond.)
  5. Canadian and EU privacy law enforcement agencies, and enforcers of nondisclosure contracts and the Privacy Act in the USA, can seek appropriate sanctions against airlines and CRS's that turn over passenger data to the TSA and/or commercial entities in the USA in violation of their countries laws or CRS regulations, including revocation of licenses to operate in Canada and the EU.

[My chapter on Travel Privacy in the Privacy and Human Rights 2004 yearbook from Privacy International and the Electronic Privacy Information Center.]

[Updates from the Privacy and Travel category of my blog.]

[Earlier background information on travel data and privacy]

[Disclosure: I am a paid affiliate of Airtreks.com, which subscribes to the Amadeus, Sabre, and Galileo CRS's.]

Prev | Next | Index of Articles | Practical Nomad Home Page


Subscribe to the Practical Nomad's free travel newsletter:

E-mail address:

Copyright © 1991-2007 Edward Hasbrouck, except as noted. Use of any information obtained from this site for the purpose of sending unsolicited bulk e-mail is expressly forbidden, and is a violation of your license to use this copyrighted material.


Around-the-world airline tickets from Airtreks.com