Thursday, 22 September 2005

Whither "Secure Flight"?

As of today, there's still been no official announcement from the USA Transportation Security Administration (TSA) or its parent the Department of Homeland Security (DHS) concerning their plans for the Secure Flight airline passenger screening and surveillance system.

Earlier reports had suggested that the TSA/DHS would publish a Privacy Act notice in the Federal Register by early this month for the next phase of deployment (which they have to call "testing" if they want to evade the Congressional restrictions on non-test deployment) of Secure Flight.

That hasn't happened, but today the Wall Street Journal reports:

The agency has decided to launch the program without using commercial data, said TSA chief Kip Hawley.... Secure Flight is now expected to launch by early next year, according to one person interested in the program who was briefed by a top TSA official.

According to this account, regulations governing it will be issued in the next few weeks, with the program set to begin with at least a handful of airlines as early as November -- or if it can't get off the ground before Thanksgiving, then in early 2006.

Assuming (as I do) that this report is true, it's hard to know how to interpret Hawley's remark. On its face, it's absurd: the whole point of Secure Flight and its predecessors CAPPS-II and CAPPS 1 was to make determinations about prospective airline passengers on the basis of information about them in passenger name records (PNR's) in commercial databases of airline reservations.

I think what TSA administrator Hawley really means is that the TSA won't use commercial data except PNR's in Secure Flight, and that the only way the TSA can evade the restrictions placed by Congress on the use of commercial data for secure Flight is to pretend, nonsensically, that PNR's are sui generis and not "commercial data" (when of course that's exactly what they are).

It remains to be seen whether the TSA/DHS will also repeat, in its next revised Privacy Act notice, their equally absurd claim that PNR's -- with their details of when, where, and with whom we travel -- don't contain any information about how we exercise our right to assemble (a claim they have to make if they want to evade the restrictions in the Privacy Act on Federal government collection of data about the exercise of rights protected by the First Amendment to the Constitution of the USA).

Meanwhile:

  • Last month the Inspector General of the USA Department of Justice (DOJ) released a redacted version of their report to Congress on DOJ activities (as the operator of the FBI's "Terrorist Screening Center" that provides TSA/DHS with "watch lists") in support of Secure Flight. Even in its redacted form, the DOJ auditors' report is the most detailed official account to date of how the TSA imagines that Secure Flight would work. But the gist of the report is that the TSA hasn't yet decided enough about the program to be able to tell whether it would work, how much it would cost, what it would require from other agencies, or how long it would take to implement.

  • The DHS Privacy Office held a Public Workshop: Privacy and Technology: Government Use of Commercial Data for Homeland Security on 8-9 September 2005 in Washington, DC. Oddly, although airline reservations have clearly been the category of commercial data of greatest interest to the DHS, none of the invited presenters appears to have been an expert on airline reservations.

  • The TSA's Aviation Security Advisory Committee (ASAC) met today and received the report and presentation of its "Secure Flight Privacy/IT Working Group". The working group report itself has not (yet) been released, but reportedly says more information about the scheme should be made public before it is put into effect. Unfortunately, while the Working Group is composed primarily of bona fide privacy and IT experts, it doesn't include any experts on airline reservations. In any event, as I've noted previously, the ASAC is purely advisory, and has no authority.

  • The DHS Data Privacy and Integrity Advisory Committee will meet next Wednesday, 28 September 2005, in Bellingham, WA. The Committee's ongoing review of Secure Flight is on the agenda, and I wouldn't be surprised if the official unveiling of the TSA's latest revised version of Secure Flight (should we call it, "CAPPS-4"?) takes place at this meeting.

If any of my readers was, or is, at any of these events, please let me know how they went.

[Addendum, 23 September 2005: The report of the ASAC Secure Flight Working Group, as well as the report of the consultant who facilitated the preparation of the group's report, were posted on the TSA Web site sometime last night or early this morning.]

Link | Posted by Edward on Thursday, 22 September 2005, 22:55 (10:55 PM) | TrackBack (6)
Comments

Thanks for your post. I was at the Public Workshop: Privacy and Technology: Government Use of Commercial Data for Homeland Security and PNRs are not commercial data in the mind of DHS. It is the product delivered by the data aggregators that DHS addressed at this meeting. The contents of PNRs was not addressed but should have been. Addressed were three uses of "commercial data" : (1) to run background checks on known threats (2) to crawl data using algorithms designed to identify potential threats (3) to better identify an individual traveling so as to compare them to the no fly and watch lists resulting in a lower number of false positives. It is the third that concerns secure flight.

Now, the center of attention will shift away from commercial data to the date of birth requirement when making the reservation. (focus back on PNRs) With this new required field TSA will attempt to bring the number of false positives down.

What is the airline industry status of the date of birth requirement?

Jim Harrison

Posted by: Jim Harrison, 23 September 2005, 06:53 ( 6:53 AM)
Post a comment









Save personal info as cookie?