Tuesday, 22 June 2004
TSA names more airlines, CRS's that turned over reservations for CAPPS-II tests
In preparation for today's USA Senate Government Affairs Committee hearing on the nomination of (former?) Admiral David M. Stone as Assistant Secretary of Homeland Security, Transportation Security Administration (i.e. the head of the TSA -- yet another military officer in charge of the nominally-civilian agency), Stone submitted written answers to two sets of questions asked by the Chair and Ranking Minority Member of the Committee in February and April of this year, concerning the TSA's requests for and use of airline reservations or PNR's for testing of the CAPPS-II airline passenger profiling and monitoring scheme, and other purposes.
Last fall, I reported that the spring-summer 2002 CAPPS-II "proof-of-concept" tests by 4 teams of TSA contractors used millions of real PNR's of real travellers hosted in the Sabre computerized reservation system (CRS) and from several major airlines. In April 2004, American Airlines became the first airline to confirm that PNR's of its passengers had been used in these tests.
In his written statement to the Senate released today in excerpted form, Stone named Delta Air Lines, Continental Airlines, America West Airlines, Frontier Airlines, and JetBlue Airways as having turned over PNR's from their archives to CAPPS-II contractors in 2002.
Stone said PNR's of unnamed airlines were also obtained from the Sabre CRS/GDS (which hosts the reservation databases of American Airlines, Alaska Airlines, and ATA Airlines -- formerly American Trans Air -- among others), and from the Galileo CRS/GDS (a division of the Cendant Corp.), whose only major USA-based hosting client is its former owner United Airlines.
(As I also revealed last year, JetBlue Airways also provided its PNR archive to a military subcontractor for the Total Information Awareness program. And Northwest Airlines was exposed earlier this year as having provided PNR's to NASA for airline passenger profiling tests.)
Stone also named several other intermediaries and contractors through which, or to which, PNR's were transmitted. In addition, Stone referred in his statement to "Galileo International ... and possibly Apollo", suggesting a lack of diligence and/or technical competence in his research: anyone with even a cursory familiarity with the big four CRS's would know that Apollo is simply the brand name under which Galileo International markets its CRS/GDS services in North America.
Senator Joe Lieberman, the ranking minority member on the committee, said in a statement released after today's confirmation hearing that, "these new disclosures ... suggest TSA may have violated the Privacy Act in the handling of passenger records."
Stone's written statement also responded to questions about the TSA's plans for CAPPS-II:
Question f: How does TSA plan to obtain PNR data to test CAPPS II? Is it considering promulgating new rules or issuing a security directive?
Answer: TSA plans to use the Notice of Proposed Rulemaking (NPRM) vehicle to seek public comment on the collection of Passenger Name Record (PNR) data for the operation of the CAPPS II program, and would likely issue an order compelling the collection of historical PNR data for testing purposes simultaneously with publication of that NPRM. Each of these documents would require regulated parties to take reasonable steps to ensure that passengers are provided notice of the purpose for which the information is collected, the authority under which it is collected, and any consequences associated with a passenger's failure to provide the information.
Question g: When will CAPPS II testing begin...?
Answer: ... CAPPS II testing will not begin until security systems to ensure protection of the data are fully in place.
Question h: Do you agree with the steps TSA has taken thus far to secure PNR data to develop or test CAPPS II?
Answer: To date, TSA has not secured PNR data to test CAPPS II.... Until we are confident that both the security system and redress procedures meet privacy and security muster, we have no intention of collecting PNR data for any reason.
Depending on how you interpret it, this is some combination of the self-contradictory, the disingenuous, and the surreal.
What does it mean to say that "TSA has not secured PNR data to test CAPPS II" and that "CAPPS II testing will not begin", after listing numerous instances in which PNR data has been provided for, and used in, tests of CAPPS-II systems? It's unresponsive to any question asked by Congress or CAPPS-II critics to say that the TSA has "no intention of collecting PNR data", since neither the TSA nor anyone else has ever suggested that PNR data would be collected directly by the TSA: it would be collected by airlines, travel agents, and other intermediaries. And it's obviously impossible, with respect to historical data that has already been collected, "to ensure that passengers are provided notice of the purpose for which the information is collected ... and any consequences associated with a passenger's failure to provide the information."
Posted by Edward on Tuesday, 22 June 2004, 21:59 (9:59 PM)