Wednesday, 9 February 2011
"Airline Passenger Profiling: Back From the Grave?"
There's an excellent article on the latest developments in airline passenger profiling today in the Huffington Post by my friend Jay Stanley, policy analyst for the ACLU.
It includes a link to my FAQ, What's in a Passenger Name Record (PNR)?, which provides some background on the data being used for current and additional proposed passenger profiling, surveillance, and control.
A few further thoughts are in order (but read Jay's article first):
Jay's article is prompted, I presume, by news reports that began last December and made the New York Times last week, floating the idea of what they refer to as "tiered risk-based screening" of airline passengers.
"Screening" in this context is of course a euphemism for searches (including virtual-strip-search machines and hands-on genital groping), interrogation, and no-fly decision-making. "Risk" is a complete misnomer. What's meant, of course, is "profiling," and there's absolutely no evidence whatsoever that the profiles that would be used have any relationship to actual risk.
If one were actually concerned with the "risk" of terrorism on airliners, the first thing one would do would be to prohibit rollaboard carry-on luggage with metal handles. There's no way current screening can detect whether the x-ray-opaque metal tubes that form the frame and handles of a typical rollaboard suitcase contain a pipe bomb, the barrel of a zip gun or more sophisticated firearm (with the mechanism in the top handle), or a stabbing or cutting weapon. As long as metal-frame rollaboards are allowed, it's absurd to be searching under passengers' clothes. I'm not saying rollaboards should be banned, but I am saying that allowing them as carry-on luggage that's impossible to "screen" without tearing it apart makes metal detectors or strip-search machines, or even manual body cavity searches, completely pointless.
It's not as though governments aren't already profiling airline passengers. DHS press releases describe Secure Flight as a "watch list matching" system, but the Secure Flight regulations don't limit Secure Flight decision-making to watch list matching, or exclude the use of commercial data beyond PNR's. It's a black box with many inputs, as is clear from the process diagrams included by the TSA in its bid solicitations for Secure Flight contractors and its presentations to industry stakeholders about the system.
The most important lines on this flow chart are the "Boarding Pass Printing Result" (BPPR) control lines that were installed in Computerized Reservation Systems (CRS's) and airline departure control systems, at the expense of a couple of billion US dollars, to enable DHS to send individualized per-passenger per-flight "permission to come aboard" messages to airlines and to ensure that the default, in the absence of such a message, is that you are denied boarding and prevented from travelling by common carrier.
But Secure Flight isn't just used to determine whether or not to allow you to fly. It can also be used to assign you an intermediate "inhibited" risk score -- communicated to the airline through the same new control channel -- that results in a further, open-ended, computer-assisted but semi-manual "identity verification and clearance" process that can involve interrogation, search, and/or consultation of other government agencies or third-party databases.
And the PNR data used in Secure Flight and APIS decision-making is stored, at least for international flights, in the DHS Customs and Border Protection (CBP) "Automated Targeting System" (ATS) along with, according to the official CBP notice for this system of records, (secret) "risk assessments", (secret) rules used for determining risk assessments, and (secret) pointers to the other (secret) data including commercial data used in making these assessments. I'm currently suing CBP under the Privacy Act and Freedom of Information Act (FOIA) to find out what PNR and other travel data they have about me in the Automated Targeting System and other CBP databases, how it is indexed, and who else they have "shared" it with. There's been no trial or ruling yet on that lawsuit.
While governments persist in using euphemisms like "screening", vendors of the systems used to carry out this process describe it more honestly in terms of "profiling" and "control". SITA, the cooperative established by airlines to carry out shared IT infrastructure development, describes its core PNR and API product as follows (emphasis added):
Get pre-arrival passenger profiling and risk assessment
iBorders API - PNR helps governments obtain the passenger information they need - in the right format, whenever they require it. This enables government control authorities to conduct pre-arrival passenger risk assessment....
Passenger information resides in many places and formats, but border authorities need it in a single, consistent format.
iBorders API - PNR is a post-departure system which collates passenger and flight data from a number of sources (typically airline reservations [PNR] and departure control systems) and provides this data to control authorities in a single format prior to flight arrival.
The point of the latest proposals from governments and the airline industry isn't whether to profile airline passengers -- that's already being done -- or whether to use "risk assessments" based on PNR-based profiling to decide whether to allow you to travel -- that too is already being done. The latest idea is to expand the use of these profiling systems to decide how to treat you when you actually get to the airport, especially at TSA checkpoints.
These proposals originated with airlines, in an unholy alliance of malign interest cemented at meetings that began with a "summit" meeting a year ago, in January 2010, between three of your best friends: the airlines (represented by IATA), the U.S. Department of Homeland Security, and the International Civil Aviation Organization (ICAO).
ICAO is the UN-affiliated standard-setting body that the U.S. used as a front for its policy initiative to add secretly and remotely-readable RFID chips to passports. Since then, ICAO has been the DHS's preferred policy-laundering venue for travel surveillance and control measures, as I've reported in articles for the Identity project here, here, and here. (There's still no civil liberties or human rights NGO observer presence at ICAO's working groups on air travel "facilitation" and on machine-readable travel documents. I'd still love to hear from anyone interested in such a monitoring project, particularly groups willing to commit funding, staff time, or other resources.)
Unfortunately, airlines are mainly interested in business process automation, cost control, and "making the planes run on time" regardless of what impact that may have on travellers' rights and freedoms. And as I've pointed out before, they are more concerned with having potential travellers feel safe, so that they will be willing to travel, than with actually making them more safe (properly a non-issue, since air travel is already the safest mode of travel and safest part of most trips).
Other sectors of the travel industry are also on board, with the U.S. Travel Association having recruited a one-sided panel of advisors and conducting loaded-question surveys to legitimize its endorsement of differential treatment for travellers who are profiled as "trustworthy". Since everyone considers themself trustworthy, most people will support such a plan on the assumption that its burdens will be felt by other "untrustworthy" people.
The question is whether the TSA has succeeded in making the checkpoint experience so intrusive and oppressive with its virtual-strip-search machines and groping policies that the public will acquiesce in even more discriminatory profiling practices in the hope that giving up more informational privacy will enable them to "prove their innocence" or "trustworthiness" and thereby regain some minimal physical privacy at TSA checkpoints.
The TSA has announced that they are beginning to deploy software that will replace the as-though-naked images (which will still be collected) on virtual-strip-search displays with displays that merely show checkpoint staff where on the body the scanner found an "anomaly" that they have to "resolve" with a pat-down. But that should be no reassurance to anyone: the new displays will still show the screeners that they are supposed to feel between the legs of travellers wearing menstrual pads, palpate the breasts of those with mastectomy prostheses, and so forth. The virtual-strip-search machine is merely a targeting mechanism for the TSA's improper groping, and the groping policy hasn't changed.
The problem is in the concept of identity-based profiling, not its implementation. And the solution is to roll back its usage and eliminate requirements for travellers to get permission from the government to move about the country or the world -- not to expand them.
Posted by Edward on Wednesday, 9 February 2011, 09:12 (9:12 AM)