Thursday, 18 August 2005
Update on "Secure Flight"
This summer there's been both a public sideshow about (relatively) minor privacy and legal violations by the USA Transportation Security Administration (TSA) in its ongoing testing of the "Secure Flight" airline passenger screening and surveillance scheme, and a larger unreported story of much more fundamental illegality and privacy invasion.
In June 2005, the USA Government Accountability Office (GAO) reported that "TSA did not fully disclose to the public its use of personal information [in "Secure Flight" testing] in its fall 2004 privacy notices as required by the Privacy Act."
In response, the TSA published an amended Privacy Act notice admitting to some of the things the GAO had complained about, and giving (retroactive) "notice" to people identified in reservations for June 2004 flights as to some of the ways that information about them had already been used.
When some of those people made formal requests under the Privacy Act for the TSA records about them from June 2004 flights, the TSA said that many of those records, and the records of how they had been used and with whom they had been shared, had already been destroyed before their existence was disclosed, and before they could be reviewed by the data subjects or the GAO.
Although the knowing and willful creation of a new Federal government database of personal information without proper notice is a criminal violation of the Privacy Act, the DHS and TSA made no mention of any referral of the episode for criminal investigation or possible prosecution. It remains unclear -- although I asked in my comments on the original draft Privacy Act notice for Secure Flight testing -- who is responsible for policing criminal violations of the Privacy Act by the TSA and/or DHS. It certainly appears that the TSA and DHS "Privacy Officers" are not taking on this responsibility. Scarcely surprising since, as those responsible for issuing the knowingly erroneous, incomplete, and misleading Privacy Act statements, they are among the criminals.
Both the GAO report and the revised Privacy Act disclosures focus solely on the ways that commercial data from other sources was used in conjunction with airlines' commercial reservation records in the Secure Flight "tests". But the unexamined core use of commercial data in the Secure Flight program remains the use of passenger name record (PNR) data from airlines' commercial databases.
There's still been no real scrutiny of the fundamental legal problems with Secure Flight and its testing (it violates the First Amendment right of assembly, the Privacy Act restrictions on collection and use of records related to activities protected by the First Amendment, and the requirement of the Airline Deregulation Act that airlines operate as "common carriers"), and the fundamental deficiencies in the Privacy Act notice (it's based on false claims -- which I believe the TSA and DHS Privacy Officers must have known to be false -- that "TSA does not agree that PNR's contain information related to First Amendment rights, including the right of assembly," and that "inclusion in PNR's of names other than passengers is rare").
Nor have the international obstacles to Secure Flight been resolved: Since there is still no agreement with the European Union that could even arguably permit the use of PNR data collected in the EU for Secure Flight, and since even the DHS and the TSA have admitted that it is impossible to identify or filter out which reservations were made in the EU, each and every demand by the USA government for reservation data for Secure Flight -- even for "testing" -- has required, and will continue to require, airlines and the computerized reservation systems (CRS's) that host their reservation data to violate EU data protection law and the EU Code of Conduct for CRS's.
Just from the first round of Secure Flight testing, each passenger who made a reservation, while in the EU, for a flight within the USA in June 2004, already has grounds for a complaint and request for sanctions against the airline with their national data protection authorities, and against the airline's host CRS with the European Commission (as the agency responsible for enforcing the Code of Conduct for CRS's).
Under an oversight law enacted last year, the GAO must certify that specific criteria have been met before "CAPPS II or Secure Flight or other follow on/successor programs" can be deployed or implemented "on other than a test basis".
As it has been publicly described, the first Secure Flight "test" was inherently incapable of generating any evidence that could satisfy the criteria in the law. In particular, the GAO must certify that, "the underlying error rate of the government and private data bases that will be used both to establish identity and assign a risk level to a passenger will not produce a large number of false positives that will result in a significant number of passengers being treated mistakenly."
In order to measure the rate of errors in the identification of passengers on the basis of data in reservations, or the number of passengers identified "mistakenly", one would have to compare the identifications by the Secure Flight "black box" matching system (based on inputs of databases of PNR's, watch lists, etc.) with some other method of identification of the actual passengers. But the test was based on flights in June 2004, and no attempt has been reported to track down people who travelled on those dates or determine to what extent the data in their reservations corresponded to their "real" identities (rather than being e.g. the identifying information of a victim of identity theft, as would likely be the case for a real terrorist traveller).
The only information we have about whether any June 2004 passengers posed an actual threat to aviation, if allowed to fly, is that none of them actually committed any detected acts of air terrorism during that month. So Secure Flight, if in place during the test period, would not have prevented any terrorist acts in flight. And any and all identifications on the basis of the test data of passengers who must be prevented from flying must be treated as "false positives".
In a softball interview last week with USA Today, Secretary of Homeland Security Michael Chertoff vowed to implement Secure Flight -- with no mention of whether the statutory prerequisites are, or can ever be, met.
Since Secure Flight is unlikely ever to be certified by the GAO as meeting the statutory criteria without drastic changes, the DHS and TSA appear, undeterred, to be following a two-pronged strategy to deploy and implement it anyway:
Their short-term tactic is to exploit the absence of any definition of "on a test basis" in the oversight law by fully deploying and implementing Secure Flight as fast as they feel like, while publicly describing whatever they do as being "on a test basis".
Their longer-term goal is to repeal the oversight law so that they can openly declare the "test" period over, and continue Secure Flight permanently, without ever having to satisfy the GAO or anyone else that the tests have proven anything, or that the program actually accomplishes any legitimate purpose. Earlier this week Ryan Singel of Wired News reported on a leaked copy of draft legislation to accomplish just that. Singel's report confirms an alert last week by the ACLU to its members that such a bill is being shopped around by the DHS for Congressional sponsors.
The next "phase" of Secure Flight "testing" (i.e. deployment) is planned for next month with at least two unnamed airlines based in the USA -- although airlines say they still haven't been given the necessary details of what's expected of them.
That's typical. As I've been saying for years, aviation "security" initiatives in the USA since 11 September 2001 have largely been devised by people whose background is in "intelligence" (spying), not aviation safety or security, and who have no idea how the air travel industry actually operates or how it might be affected by the new procedures they are trying to impose.
At first, airlines were hesitant to complain, and focused on lobbying for reimbursement of unfunded "security" mandates rather than outright opposition to these schemes. But as the pressure to convert travel industry operational infrastructure into a surveillance infrastructure has mounted, while hopes for full assumption of the huge costs by the government have faded, airlines have become more outspoken.
In the most recent major example, trade associations of airlines both in the USA and Europe sent a joint public letter in May to USA Secretary of Homeland Security Chertoff, protesting his proposal for an agreement with the EU to require airlines to provide a complete passenger list to the USA and EU governments 60 minutes before the departure of each trans-Atlantic flight (rather than 15 minutes at present):
[T]he member airlines of the Air Transport Association of America (ATA) and the Association of European Airlines (AEA) believe that such a rule will result in severe adverse consequences for the airline industry, and indeed, to the world economy....
[S]uch a requirement would have a devastating impact on industry operations and efficiency. We are particularly concerned with the statement attributed to CBP [the DHS division for Customs and Border Protection] in a May 25 Washington Post article that the rule change "will cost the airlines no money." This suggests a complete lack of understanding of the implications of such a requirement.
Airlines operate network systems, both on their own and in conjunction with other airlines. These networks are designed to connect as much traffic as possible to multiple destinations, in as brief a period as practicable.... The APIS-60 rule would disrupt both objectives by requiring either wholesale rescheduling of flights on much less efficient schedules or simply eliminating connecting traffic....
Finally, with regard to the observation attributed to you suggesting that the airlines would surely prefer an APIS-60 rule to the occasional diversion of a flight, we want to be absolutely clear that is not the case. The economic impact of the rule would vastly outweigh the cost of diversions.
[Addendum, 19 August 2005: I neglected to link to Ryan Singel's report on some of the lies and possible criminal violations of the Privacy Act by the TSA.]
[Further addendum, 20 August 2005: The Electronic Privacy Information Center (EPIC) and a group of travellers and travel agents in Alaska are pursuing lawsuits under the Freedom of Information Act (FOIA) to get more information about the use of commercial data from PNR's identifying travellers and travel agents, as well as additional commercial data from other sources, in Secure Flight testing.]
[Further addendum, 26 August 2005: More from USA Today on TSA/DHS lobbying to eliminate GAO oversight of "Secure Flight"]
Posted by Edward on Thursday, 18 August 2005, 08:30 (8:30 AM)