Wednesday, 22 October 2008
Secure Flight, "Watch-List Service Providers", and more
Today the TSA and DHS released their final rule for the so-called Secure Flight program to require each would-be airline passenger, even on domestic fligths within the USA, to get individualized per-person, per-flight prior permission from the TSA before they would be "allowed" to board a plane.
The final Secure Flight rule isn't significantly different from the proposal I testified against at the TSA public hearing a year ago, and analyzed in comments submitted on behalf of the Identity Project.
Meanwhile, the TSA is proposing a permisison and surveillance scheme modeled on Secure Flight -- but with the addition to the operational mix of third-party commercial "Watch-List Service Providers" -- for all but the smallest private and all-cargo aircraft, under the somewhat misleading name of the "Large Aircraft Security Program" (LASP).
The TSA claims that Secure Flight will not use data mining or commercial data or assign risk scores to passengers. In fact, the whole point of the Secure Flight program is to mine commercial data about each prospective passenger obtained in advance from airlines, in order to assign each would-be passenger a binary risk score: "cleared" or "not cleared" (with the default, in the absence of any decision by or message from the TSA, being "not cleared").
The essence of the Secure Flight final rule would be to (1) impose a new, two-stage, requirement for all would-be air travelers to obtain government permisison to fly, first in the form of a discretionary government decision to issue an acceptable form of identification credential and second in the form of a discretionary decision to send the airline a "cleared" message authorizing a specific person to board a specific flight, and (2) require all would-be air travelers to provide identifying information to the airline and the government prior to each flight.
In this respect, Secure Flight is not the watchlist matching program that the government claims: it is a program for enforcing a secret, standardless, nonreviewable administrative "black box" of total control of all air travel within the USA, much as the DHS already controls international air travel to, from, or via the USA under the APIS rules.
The current default of "yes" would change to "no": Instead of their current obligation as common carriers to transport all passengers willing to pay the fare and comply with the general conditions in their published tariff, airlines would be prohibited from transporting anyone except with the express prior per-flight, per-person permisison of the government, in the form of a "cleared" message.
The ID requirement is being proposed as a necessary a prerequisite to the travel control scheme, but it is also the essential prerequisite for travel surveillance through the identity-based logging and compilation of "travel history" records both by unregulated commerical entities (airlines and computerized reservation systems or CRS's) and the government. The Secure Flight ID requirement will allow the government to construct (or to obtain from airlines or CRSs, through the secret use of National Security Letters, thus evading restictions on the government compiling and maintaining these records itself), logs of our domestic flights and travel reservations similar to the tens of million of illegal dossiers on US citizens' international journeys that the DHS has already admitted to compiling through the Automated Targeting System , APIS, and related data collection, mining, and aggregation systems.
The Secure Flight "final rule" doesn't specify when the permission and information-collection rules will go into effect, making it impossible for travellers to know what they are actually required to do, or when. Effective dates of the rules for each airline will be communicated to the airlines by the TSA in secret "Security Directives".
Five years ago, when I first predicted that CAPPS-II (the program which was eventually reflagged "Secure Flight") would cost a billion dollars , the government ignored me, and many people outside the travel IT industry were skeptical.
Today, after adding more than US$800 million dollars to its previous estimate in response to airline, travel agency, and CRS comments about costs it had overlooked, the TSA predicts a price tag for Secure Flight of at least US$2 billion. That's in addition to several billion dollars that the government has already estimated travel companies have had to spend to comply with mandates to remake their reservation systems into instruments of surveillance and control. The total cost of Secure Flight and its predecessors -- most of which involved systemic changes that would have been required for Secure Flight if they hadn't already been required by the APIS and PNR access rules -- thus appears likely to exceed US$5 billion.
All of which, of course, ultimately has to be passed on to travellers in higher ticket prices, taxes, and/or "fees". So the next time you're being subjected to "secondary screening", or have to wait to see if you will be "cleared" to board, remember: "Your tax dollars at work."
[Update: Where is Secure Flight headed next? (from the Identity Project)]
[Further update: Secure Flight and the right to travel ]Link | Posted by Edward on Wednesday, 22 October 2008, 15:54 ( 3:54 PM) | TrackBack (0)