Wednesday, 10 December 2003

CAPPS-II will require 3 new directives

Over the past month, I've spent a lot of time -- at the PhoCusWright Executive Conference in Orlando, in interviews in Washington, DC, and by phone and e-mail -- talking with people in various government agencies (in Congressional offices, at the European Commission, and in the TSA and DHS) and all segments of the travel reservations or "travel distribution" industry (travel agencies, CRS's, and travel software companies and consultants) about what it will actually take in time, money, information technology, and business process changes to implement the DHS/TSA CAPPS-II proposal for airline passenger surveillance and monitoring.

A consistent picture emerges from my interviews with all these sources:

While CAPPS 1 (1998) and the first conceptualization of CAPPS-II (2001 - early 2002) were managed by Department of Transportation staff who had longstanding working relationships with the travel industry, CAPPS-II was taken out of their hands with the creation first of the TSA and then the DHS.

Since then, CAPPS-II has become an essentially "black" (secret) program directed by people from the military and "intelligence" (surveillance) backgrounds, and with little familiarity and no ongoing dialogue with the travel reservations industry.

If the DHS Chief Privacy Officer has done poorly at fulfilling her promises of consultation with stakeholders in CAPPS-II privacy issues, the TSA Office of National Risk Assessment (which has primary responsibility for the CAPPS-II project) and other operational divisions of the TSA have done dramatically worse than the Chief Privacy Officer in their failure to consult with stakeholders on CAPPS-II implementation issues.

As I've reported earlier, I eventually did get an interview last month about CAPPS-II with the DHS Chief Privacy Officer, Ms. Nuala O'Connor Kelly. But when we met, Ms. O'Connor Kelly told me (quite properly) that she is a policy officer, not a spokesperson, and that her responsibility or ability to comment on CAPPS-II extends only to its privacy implications -- not its cost or feasibility.

The day before that interview, TSA spokesperson Mr. Nico Melendez had assured me that Ms. O'Connor Kelly "has been the public spokesperson for CAPPS-II, and she will be able to answer all your questions." Mr. Melendez declined to answer any of my questions himself, and when I later contacted him to see if he could provide any information on TSA estimates of CAPPS-II costs he told me that was "an absurd question" and that I was "harassing" him even to ask. To date, the TSA has been unable or unwilling -- despite my repeated requests to a revolving-door succession of staff flacks -- to make anyone available to me who admits any knowledge of CAPPS-II cost or implementation issues.

If the TSA had done their job, the CAPPS-II auditors from the General Accounting Office would have been merely double-checking work the TSA had already done. But in my survey of industry sources, I've found that the GAO seems to have consulted a far wider range of critical industry stakeholders than the TSA has ever bothered to talk to about CAPPS-II.

And in my own interviews, I've repeatedly found that industry sources -- even with some of the organizations and companies without whose active collaboration CAPPS-II can't possibly be implemented -- have been unable to comment on CAPPS-II costs or implementation because they don't yet know what the TSA/DHS will require them to do. I've known much more from my investigatory research than anyone at the TSA or DHS has been willing to tell these key industry players.

Even those who might stand to profit from CAPPS-II, particularly the CRS's (or GDS's, as they often prefer to call themselves), continue to claim -- perhaps truthfully -- that they don't know what changes the TSA will order them to make to their data structures, interfaces, API's, and protocols.

At the PhoCusWright conference, I asked Cendant CEO Sam Katz about the impact of CAPPS-II on Cendant's bottom line: CAPPS-II will require expensive changes to Cendant's Galileo CRS, which costs Cendant might have to absorb. But Galileo and all the other Cendant subsidiaries will be free, under the current CAPPS-II proposal, to retain, use, and sell the additional data travellers will be required to provide.

On balance, will CAPPS-II be a net cost or benefit for Cendant?

"I can't answer that," Katz replied, "Because there is no CAPPS-II business model" and the TSA still hasn't told Cendant its requirements.

When I pressed her, however, Ms. O'Connor Kelly was considerably more forthcoming about what will be required than the TSA has been. She freely conceded that -- as I (and others) had pointed out in comments on the CAPPS-II Privacy Act notices -- those notices could not create any new obligations on the public or private companies (other than government contractors) to provide, collect, store, or forward data or documents. A Privacy Act notice merely describes what the government will do with personal data.

Ms. O'Connor Kelly also freely conceded that for CAPPS-II to be put into effect, the government will have to give 3 new sets of orders to travellers and travel companies:

  1. All airline passengers will be ordered to have reservations (or, equivalently, airlines will be forbidden from transporting anyone who doesn't have reservations).

    This would outlaw unreserved shuttle services, "open" tickets, and use of full-fare freely-changeable tickets on flights other than those originally reserved. And it would invalidate or retroactively impose an advance reservation requirement on tickets already issued. In addition to their cost, both of these changes appear to be in violation of the Airline Deregulation Act of 1978. Ms. O'Connor claimed to be surprised when I raised these issues, in spite of the detailed discussion of them in my prior written comments.

  2. Each reservation (even for a group) will have to contain the following 4 pieces of information about each passenger: "full name", "home address", "home telephone number", and date of birth.

    My interviews and sources suggest that the TSA is only just beginning to figure out how expensive this will be. (The cost would have become apparent sooner, of course, had the TSA been less secretive about its plans, or made any effort to solicit feedback from industry stakeholders.) This also raises a plethora of issues about the definitions of these terms, and the sanctions for those unwilling or unable to provide them (or providing a different name, phone number, and/or address than the TSA considers "correct" for CAPPS-II purposes). For what it's worth, Ms. O'Connor Kelly professed similar surprise at all of these issues, which had also been raised in detail in my written comments.

  3. Each airline passenger will be required to produce and display, to TSA and/or airline staff, documentary evidence of their identity.

    Aside from the definition of what sort of ID documents will be acceptable for air travel, this raises particularly strong Constitutional, legal, and policy issues, especially in light of the history of vehement public and Congressional antipathy to any sort of national ID card or, more precisely in this context, "domestic passport".

Since these are not privacy rules, it wasn't clear what, if any, role the Chief Privacy Officer would have in formulating or promulgating them. Ms. O'Connor Kelly said neither the content nor the form of these 3 orders had yet been finalized. In particular, she said that the DHS and TSA had not yet decided whether to impose these requirements through a regulation promulgated through a public rulemaking process (as is, I suspect, her preference), or through a secret "security directive" to the airlines (as is likely to be the inclination of Admiral Loy, Admiral Stone, the ONRA, and others in the TSA and DHS with military and intelligence backgrounds and outlooks).

Even if the USA enacts privacy protections for travel data sufficient to satisfy European Union standards of adequacy, EU laws will still require consent for use of reservation data for CAPPS-II purposes, including testing. But Ms. O'Connor Kelly said that people whose data would be used in CAPPS-II tests will "almost certainly not be given any opportunity to opt out" of having their data used for those tests.

Unless the USA intends to flout EU law and risk interruption of USA-EU flights, this means that CAPPS-II tests can't legally begin until after travellers start being informed, before they make reservations, that their reservation data will be used for CAPPS-II tests.

So if the TSA/DHS choose to impose these CAPPS-II rules through a secret security directive, the first notice of these rules that we would receive would be either that airlines start demanding dates of birth in reservations, or that airlines start giving notice in the EU that subsequent reservations will only be accepted if consent is given for their use in CAPPS-II testing.

Some might wonder about the costs for the travel industry in the USA of compliance with EU privacy laws. At PhoCusWright, I asked a panel of CEO's of the leading European Internet travel companies -- eBookers.com, Lastminute.com, Opodo.com, Online Travel Corp., and the European divisions of Expedia.com and Travelocity.com -- what lessons they had about privacy protection and regulatory compliance for their counterparts in the USA.

Their response: A collective shrug. That's a great deal more significant than, I suspect, most of the audience realized: respect for privacy isn't difficult, and needn't be costly. It's just good business. Lack of respect for privacy, on the other hand, can be very costly, as Delta, Cendant, and jetBlue have found out.

Posted by Edward on Wednesday, 10 December 2003, 18:12 (6:12 PM)