What's wrong with CAPPS-II?
(and what should be done about it?)
by Edward Hasbrouck, "The Practical Nomad"
[Note: In August 2004, CAPPS-II was officially succeeded by the
Secure Flight and
Registered Traveler programs.
These "new" programs, however, would incorporate most of the features
previously included in CAPPS-II.
Comments on the Secure Flight proposal are being accepted through 25 October 2004.
See the Privacy and Travel section of
my blog for more recent updates on these programs.]
CAPPS-II (the "Computer-Assisted Passenger Pre-Screening System", version 2)
is the USA government's name for a proposed new system for identification, profiling,
monitoring, surveillance, and enforcement of a "no-fly list" and other "watch lists".
At first, CAPPS-II would be applied to airline passengers on flights to, from, or
within the USA. Eventually it would be expanded to other modes of transportation
such as trains, busses, and ferries.
The USA Transportation Security Administration (a division of the Department
of Homeland Security) has published two Privacy Act notices
describing what CAPPS-II would do. The first version, "CAPPS 2.0", was published
in the Federal Register on 15 January 2003. It prompted hundreds of unanimously
critical comments from members of the public, privacy and consumer advocates (including myself),
legislators and law enforcement officials, and other individuals and organizations.
A revised proposal, "CAPPS 2.1", was first outlined in a TSA briefing of privacy
advocates in March, repeated in subsequent TSA press statements and testimony to Congress, and
finally published in the Federal Register on 1 August 2003. It was open for
public comments from then through 30 September 2003, and the DHS promised to publish
the comments received. The DHS has admitted to receiving more public comments
on the second CAPPS-II Privacy Act notice than on any other Privacy Act notice
in the government's history. But the DHS and TSA still have neither published all
the comments, nor responded to them. In March 2004, the Acting Administrator in charge
of the TSA told a Congressional hearing that he would soon issue a secret
"security directive" ordering airlines to start turning over reservations
for use in CAPPS-II testing. Since such an order would be secret, we can't tell
whether it has already been issued, or whether CAPPS-II testing has resumed.
CAPPS-II would be the largest domestic surveillance system ever deployed in the USA.
I've discussed the history, context, evolution, and details of CAPPS-II in much
more detail in my white paper on travel data and privacy,
"Total Travel Information Awareness". But if that's more
than you wanted to know, here's a summary of the most important problems with the
latest version of the program, as defined in the most recent
CAPPS-II (CAPPS 2.1) Privacy Act notice, and what I think
should be done to protect your privacy and your right to travel.
As part of the fiscal year 2004 appropriation bill for the Department
of Homeland Security, signed into law by the President on 1 October 2004,
Congress ordered the General Accounting Office to investigate and prepare
a report on CAPPS-II, and ordered TSA not to deploy CAPPS-II
until that report is complete, and even then only if the GAO reports that
CAPPS-II has met certain standards of effectiveness and privacy protection.
The GAO reported that only one of the eight criteria set by Congress had been met.
But under that law, there's no restriction at all on ongoing CAPPS-II
testing, including CAPPS-II tests with real data on real passengers.
And the law places no restrictions at all on the contractors -- like those
who got and misused the jetBlue Airways data -- who have conducted most of the
CAPPS-II tests to date (in each case with real passenger data).
What's wrong with CAPPS-II?
- CAPPS 2.1 would create a new, unconstitutional requirement for a "domestic passport".
By requiring all travellers -- even those within the USA, or even within a single state
-- to carry and display, on request, government-issued identity
documents, it would create a de facto national ID card system -- something
that the public, and the Congress, has strongly resisted for many years. Travel is an act
of assembly, and such restrictions on domestic travel would violate the First Amendment
to the Constitution of the USA, which prohibits the government from restricting
"the right of the people peaceably to assemble".
- CAPPS 2.1 would require air travellers to provide additional information
-- the date of birth, home phone number, and home address of each traveller --
to the airline, travel agent, or travel arranger, and would require this
information to be entered into a
computerized reservation system (CRS).
It's not clear if people without telephones -- or with only a mobile phone,
not a "landline" phone at their home address -- would even be allowed to fly!
(This is one of the ways that CAPPS 2.1 is significantly worse than CAPPS 2.0:
CAPPS 2.0 would have relied on information already entered in reservations.)
None of this information is currently required or collected, and airlines
and CRS's don't even have fields in their databases to record it.
CAPPS 2.1 would require hundreds of millions of dollars (not yet included
in the TSA budget) in modifications to the data storage and interchange
standards and information technology infrastructure of tens of thousands
of travel companies.
- CAPPS 2.1 would conscript travel agents, airline employees, corporate
travel managers, and anyone who makes reservations for friends or family
into working as (unpaid) surveillance agents, collecting and recording information
to be passed on to the government.
- CAPPS 2.1 would cost the travel industry US$1 billion or more
(airlines themselves have reported that it could be as much as US$2 billion) in
modifications to their information technology and systems to collect,
store, and forward to the government, in a standardized format,
the additional information about each prospective passenger that would
be required for CAPPS-II. That cost would have to be passed on either
to taxpayers through government reimbursement of travel industry costs, or
to travellers through higher airfares and reservation service fees.
- CAPPS 2.1 would require travelers to provide additional information,
which would be recorded in their reservations, passed on to the
government, and retained by travel companies. The TSA would (it claims)
purge this data on most travelers after their flights. But since the USA
has no general data privacy law, and since neither CAPPS 2.1 nor any other
Federal law or regulation restricts use of travel data by private companies,
travel companies would be free to retain this additional information
-- which travelers would be required by government regulation to provide
-- and to use it, rent it, or sell it without travelers' knowledge or permission.
CAPPS-II would require travelers to provide information to travel companies under
government order, but then treat the information as though it were a "gift"
that the travel companies, not travelers, would own and control. Such an
expropriation of travellers' personal information for private travel companies'
use and profit, under government coercion, would constitute an improper and
unconstitutional taking of personal informational property without compensation.
- The additional information required by CAPPS 2.1 could be used to
correlate each travel reservation (currently indexed only by
flight number or reservation record locator) with a specific person,
and to index separate reservations for individual trips into
databases easily searchable by name, birthday, address, or phone
number. CAPPS-II would thus enable the government and private travel companies
(especially the four main CRS's which host
almost all airline reservations worldwide) to create comprehensive
lifelong dossiers of everywhere each person
has travelled, when, how, with whom, whether (behind the closed
doors of their hotel room) they asked for one bed or two, and many other
intimate details of their lives as revealed by their travel histories.
These travel databases would be vulnerable to theft and/or abuse.
- The additional identifying and indexing information required by
CAPPS 2.1, and provided under government order, would make it as
easy for the government to investigate and obtain the details of
your travel history as to obtain your criminal history from NCIC.
(Even though travel isn't a crime.) Even if travel records aren't
stored by the government, the current lack of travel privacy or
data privacy law in the USA makes travel records available to the
government from travel companies for the asking, without notice to the traveller.
Simply by asking the big four CRS's and a few other airlines, the government
could obtain a comprehensive report of your past travels.
- CAPPS-II violates the international norms of data privacy and fair information
practices, as incorporated into the laws of Canada, the European Union,
and many other countries. CAPPS-II would require airlines to do things
that are forbidden by law in those countries. As a result, it would
be impossible for airlines to operate flights between the USA and Canada,
or the USA and the EU, without breaking the law in one or the other country.
Airlines would have to operate illegally (precipitating a legal and diplomatic
crisis between the USA, EU, and Canada), or cease international flights
(precipitating a personal and business crisis for travellers).
- CAPPS 2.1 would allow information known to be inaccurate to be used as the
basis for denial of air transportation (in violation of Federal law requiring
common carriers to transport all qualified passengers), and would result in
many false arrests. Under the expanded CAPPS 2.1 regulations, airline reservations
could be used by CAPPS-II for "detection of outstanding warrants for crimes of
violence". The only plausible source of information on outstanding
warrants is the FBI's National Criminal Information Center (NCIC database). And
in the FBI's Privacy Act notice for NCIC, the FBI has renounced any obligation to
ensure that NCIC data is accurate. With hundreds of thousands of airline passengers
being checked each day against a warrant database known to be inaccurate,
CAPPS 2.1 would produce many false arrests every day.
What's wrong with the way the CAPPS-II regulations have been put into effect?
- The TSA and DHS intend to impose the new requirements
through secret "security directives" to the airlines, making it impossible for travellers
to know what is required, or to
challenge illegal or unconstitutional orders.
- The CAPPS-II Privacy Act "notice" fails to provide notice to all of the
categories of individuals about whom personally identifiable information is
included in airline reservations, which would be passed to the government
under CAPPS-II. The Privacy Act "notice" falsely claims that the only
categories of individuals about whom CAPPS-II would use personal information
would be airline passengers. Specifically, the Privacy Act "notice" fails to
provide notice that airline reservations, and CAPPS-II, would also include personal information on:
  - Individuals who make reservations for air travel, but who do not actually travel,
    and who never purchase tickets and/or cancel their reservations.
    (Cancelled and unticketed reservations cannot actually be deleted from airline databases.)
  - Travel arrangers, personal assistants and administrative staff, travel managers, group
    coordinators, event organizers, and family members and friends assisting with travel arrangements, as
    identified by the "received from" field in the "history" (audit trail) for each reservation entry
    that records the person who requested the reservation or change.
  - People who pay for tickets for others, or who hold joint credit or debit cards with
    people who purchase travel for themselves or others -- again, whether or not
    they travel themselves -- as identified from the "form of payment" fields in ticketing records.
  - Travel industry personnel, including travel agents and airline reservation, check-in, and ticketing staff,
    as identified by the unique "agent sine" or log-in ID in the reservation "history" for each entry or change.
  - Clients, customers, and employers of travellers, even if they aren't travelling, as identified by
    billing and accounting codes for travel by others undertaken on their behalf or at their expense.
- The CAPPS 2.1 Privacy Act "notice" fails to provide notice of the items
required by the Privacy Act (which is supposed to be the central purpose
of a Privacy Act notice), specifically:
  - What items of information and documents will airline passengers be required to provide?
    (What types of ID documents are and aren't sufficient? Is a hotel address a
    sufficient "home address"? Is a cell phone a sufficient "home" phone number?)
  - What is the specific statutory legal basis for the requirement for
    travellers to provide each of these items of information and these
    documents both to the airline and/or other travel company and to the TSA?
  - What will the penalty be for failing to provide each of the requested items?
    (If I don't have, or don't choose to provide, a "home address", does that mean I
    will be subject to a more intrusive search, refused passage, reported to the
    FBI and/or local police, or immediately detained?)
- The CAPPS 2.1 Privacy Act notice, like the CAPPS 2.0 Privacy Act notice,
entirely ignores and fails to carry out the statutorily required analysis of
its economic impact.
- The TSA/DHS analysis of the comments made by the public on the CAPPS 2.0
proposal entirely ignores, and fails to respond to, all of the many comments concerning
whether CAPPS-II would actually accomplish any legitimate purpose; whether it would
be constitutional (as a restriction on the right to assemble);
whether it is authorized by any law; whether it would be compatible
with European Union or other countries' data privacy laws or international
privacy norms; and whether airlines, CRS's/GDS's, and travel
agencies could legally be conscripted into carrying out its data collection and
What can (and should) be done about CAPPS-II?
- The TSA and DHS should withdraw their proposed CAPPS-II regulations.
At minimum, they should publish a revised and expanded Privacy Act notice, describing the data
actually to be required, and the full range of individuals (not just passengers)
whose personal information would be included in the system, and allow an opportunity for comment
before resuming or continuing CAPPS-II testing or deployment. Any new requirements should
be imposed through published rules, not secret "security directives" that evade judicial review.
- The DHS Chief Privacy Officer, Ms. Nuala O'Connor Kelly, and the
TSA Chief Privacy officer, Ms. Lisa Dean,
should order a halt to CAPPS-II testing and deployment as unconstitutional, not authorized by any law,
and a violation of the most basic privacy rights and norms of fair information practices.
- Congress should:
  - Investigate and hold public hearings on the privacy and
    personal information handling and usage practices of the travel industry, including
    what really happened with the jetBlue Airways, Northwest Airlines, and American Airlines
    passenger records and the role of government agencies and corporations including the
    DHS/TSA, DOT, NASA, the military, Torch Concepts, SRS Technologies,
    Acxiom, LocatePLUS Holdings,
    other airlines, and the CRS's/GDS's.
  - Enact a comprehensive consumer privacy law (which I would suggest be modeled on the
    successful Canadian example, as it was before being amended by Canada's Bill C-7)
    requiring fair information practices in the handling of
    personal information -- including travel records -- by both government agencies and
    private companies. At a minimum, Congress should enact travel data privacy rules
    (focused on the CRS's/GDS's as the
    principal repositories of travel records) giving travel data at least as much
    protection as is currently given to medical and financial data.
- Citizens of Canada or the European Union can ask your national data privacy
protection authorities to refuse to allow airlines and CRS's/GDS's that transfer data to the USA
government and/or commercial entities in the USA in violation of your national and EU privacy
laws to continue to operate in your country. If you aren't certain what data is being kept
about you, or by whom, you can and should request copies of your travel records
-- including archived PNR's from your past air travel -- as well as
a report on who has been given access to your data, from each airline
or CRS that might have information about you. (I've posted sample request letters you can use or adapt
for use in your country.) It's particularly important to
make such requests of the four major global CRS's, not just airlines.
Ask each of the four major CRS's for complete copies including the "history" (audit trail)
of all PNR's in their system, whether in live or archival storage and whether created by
travel agencies or airlines, that contain personal information about you. Ask for a complete
log of what portions of each of those PNR's was provided to what commercial or governmental
entities, under what if any contractual restrictions on its use or further dissemination by them.
Make sure your request to the Amadeus CRS includes its
Airline Automation, Inc. subsidiary in the USA.
(If anyone tries this, please let me know what happens: CRS's have told me that no one has
ever made a request like this, so they haven't yet had to figure out how to respond.)
- Canadian and EU privacy law enforcement agencies, and enforcers of nondisclosure
contracts and the Privacy Act in the USA, can seek appropriate sanctions against airlines
and CRS's that turn over passenger data to the TSA and/or commercial entities in the USA
in violation of their countries' laws or CRS regulations, including revocation of licenses to operate in Canada
and the EU.
[My chapter on
in the Privacy and Human Rights 2004 yearbook from Privacy International
and the Electronic Privacy Information Center.]
[Updates from the Privacy and Travel category of my blog.]
[Earlier background information on travel data and privacy]
[Disclosure: I am a paid affiliate of Airtreks.com,
which subscribes to the Amadeus, Sabre, and Galileo CRS's.]
Copyright © 1991-2007 Edward Hasbrouck, except as noted.
Use of any information obtained from this site for the purpose of
sending unsolicited bulk e-mail is expressly forbidden, and is a
violation of your license to use this copyrighted material.