• CAPPS II will likely be ineffective at stopping terrorists.
• CAPPS II and the secrecy surrounding its risk assessment procedures will threaten travelers' constitutional rights, including the right to travel, to speak and associate freely, and to be free from unreasonable searches and seizures.
• CAPPS II, by failing to satisfy the statutory requirements of the Privacy Act of 1974 or to comply with Fair Information Practices, will violate travelers' privacy.
• CAPPS II, if implemented, will soon be used for purposes other than preventing terrorism.

The 2004 Department of Homeland Security Appropriations Act, presented to the President for his signature last week, shows that Congress shares our concerns.  Congress has sensibly chosen not to fund the deployment or implementation of CAPPS II until the General Accounting Office (GAO) reports that:

(1)  a system of due process exists whereby aviation passengers determined to pose a threat and either delayed or prohibited from boarding their scheduled flights by the TSA may appeal such decision and correct erroneous information contained in CAPPS II;

(2)  the underlying error rate of the government and private data bases that will be used both to establish identity and assign a risk level to a passenger will not produce a large number of false positives that will result in a significant number of passengers being treated mistakenly or security resources being diverted;

(3)  the TSA has stress-tested and demonstrated the efficacy and accuracy of all search tools in CAPPS II and has demonstrated that CAPPS II can make an accurate predictive assessment of those passengers who may constitute a threat to aviation;

(4)  the Secretary of Homeland Security has established an internal oversight board to monitor the manner in which CAPPS II is being developed and prepared;

(5)  the TSA has built in sufficient operational safeguards to reduce the opportunities for abuse;

(6)  substantial security measures are in place to protect CAPPS II from unauthorized access by hackers or other intruders;

(7)  the TSA has adopted policies establishing effective oversight of the use and operation of the system; and

(8)  there are no specific privacy concerns with the technological architecture of the system.[2]

Congress' skepticism regarding CAPPS II reflects growing public concern over travel privacy, as demonstrated by the recent controversy surrounding JetBlue Airways' release of passenger records to a military contractor researching airline passenger screening.  In September 2002, at the request of TSA, JetBlue violated its own privacy policy by directly providing 5 million Passenger Name Records (PNRs), representing the personal information and itineraries of over one  million individuals, to Defense Department contractor Torch Concepts.[3]  As described in a February 25, 2003 Torch Concepts presentation, "Homeland Security: Airline Passenger Risk Assessment," those records were then combined with matching personal records purchased from commercial data-aggregation company Acxiom, including social security number, income, occupation, and number of children, in order to analyze patterns in passenger data and attempt to identify passengers posing a risk to aviation security.[4]

Although TSA has denied any direct involvement, the Torch Concepts screening program bears more than a passing resemblance to CAPPS II, and the negative public reaction to JetBlue's release of personal records foreshadows the reaction that TSA may expect when attempting to implement CAPPS II.  Recognizing that any individual airline that assists in the testing of CAPPS II would be jumping into the "middle of the bonfire" of the public's privacy concerns, as JetBlue (and previously Delta Airlines[5]) have experienced, TSA Administrator James Loy is now asking the Air Transport Association, which represents the major airlines, to reach a consensus on the provision of passenger data for use by CAPPS II.[6]  By doing so, TSA clearly hopes to bypass public outrage about CAPPS II that might be directed at any particular airline by enlisting the help of all airlines as a group, thereby preventing those Americans who must fly from objecting to the program by choosing not to patronize airlines that support it.

Rather than avoiding such criticism of CAPPS II, TSA should welcome public input on how to provide effective security to air passengers in a manner that preserves those passengers' fundamental rights to travel freely and maintain their personal privacy.  In that spirit, we offer these comments.

II.             BACKGROUND

As described in TSA's Privacy Act Notice as published in the Federal Register on August 1, 2003, the CAPPS II system will be used in the following manner:

1)    INFORMATION COLLECTION: TSA will obtain electronically, either from airlines or from Global Distribution Systems, every air passenger's Passenger Name Record (PNR), which will include "routine information" collected from the passenger.  This information, in addition to "some information" about the passenger's itinerary, will include the passenger's full name, home address, home telephone number, and date of birth  (despite the Notice's claim, collection of these last three types of information is not currently "routine").  Although not directly addressed in the Notice, passengers will presumably also be required to show ID when first providing their information or upon check-in with their airline.

2)    IDENTITY AUTHENTICATION: The collected information will then be transmitted to commercial data providers.  These data providers will use the collected information to "authenticate" the passenger's identity, by checking its accuracy against unidentified commercial databases.  The data provider will then transmit a numeric score indicating the accuracy of the provided information.

3)    RISK ASSESSMENT: Once CAPPS II has authenticated the passenger's identity, that passenger will then be subjected to CAPPS II's "risk assessment" function, which will be "conducted internally within the U.S. government and will determine the likelihood that a passenger is a known terrorist, or has identifiable links to known terrorists or terrorist organizations"  (the internal sources used for this assessment not identified by the Notice).  Then, "based upon the combination of information derived from commercial sources, national security sources, and dynamic intelligence data," passengers will be assigned a "risk score" indicating whether they present a low, high, or unknown risk of terrorism (presumably, passengers whose identities cannot be authenticated will be treated as posing an unknown risk).  Those representing a high or unknown risk will be subjected to "heightened security screening."  If a passenger is identified as a high risk, "law enforcement or other appropriate authorities will be notified for appropriate action."  The notice does not explain what authorities or actions would be "appropriate."

In this manner, CAPPS II is intended to effectively screen the traveling population for those persons who would pose a risk to aviation security, and in particular, prevent acts of terrorism.  Unfortunately, CAPPS II will likely be ineffective at stopping terrorists, and instead make air travel even less secure, while substantially burdening passengers' rights -- their right to travel, their right to speak, associate, and worship freely, and their right to be free from unreasonable searches.  As a result, the CAPPS II system as proposed should not proceed.

III.           DISCUSSION

Air passengers are being asked to surrender their privacy and accept burdens on their right to travel in exchange for unsupported promises regarding CAPPS II's potential security benefits.  TSA has not produced any empirical evidence or objective study showing that CAPPS II or any similar profiling system would increase aviation security.  On the other hand, the implementation in other countries of national ID systems, similar in scope and purpose to CAPPS II, has failed to reduce terrorism.[7]  Indeed, relying on CAPPS II may make us less safe.  MIT Professor Arnold Barnett, a noted expert on the statistics of airline safety, writes that CAPPS II as planned "will do us more harm than good,"[8] and former Israeli Airlines ("El Al") Security Chief Isaac Yeffet -- who undoubtedly has substantial experience in such matters -- characterizes CAPPS II as "nonsense" that "is not aviation security."[9]  Due to unavoidable problems of inaccuracy and the adaptive behavior of terrorists, CAPPS II will likely be a very costly security failure.

As proposed, the CAPPS II program would mine commercial and government databases for patterns that might indicate a particular person poses a high risk to aviation security -- is indicated by the fact that, rather than merely checking government watch lists to determine whether a passenger is a known terrorist or has identifiable links to same, CAPPS II will instead attempt to determine "the likelihood" that the passenger is a terrorist or is linked to terrorists.  Such "data-mining," however, suffers from a surplus of data and a dearth of known patterns indicating terrorist behavior. 

Although the Notice fails to identify exactly what commercial and government databases will be mined, it is probable that their number and size will be substantial.  However, as the number of data sources increases, so do the problems.  Integrating data from multiple data sources brings with it the problem of different meanings for the same terms, different terms for the same person or entity, and differing units and measures.  These problems of  "semantic heterogeneity" when trying to integrate multiple data sources necessarily lead to inaccuracies when searching for patterns in the data.

Furthermore, data-mining for patterns generated by terrorists is made more difficult by the fact that there are few examples of terrorist behavior to use as the basis for identifying such patterns.  Attempting to determine, e.g., which "soccer moms" may buy a particular SUV or which "NASCAR dads" will vote for a particular presidential candidate is relatively simple, considering that there are many people who fit into those demographic categories and engage in those behaviors, and the more examples you have of what you are looking for, the easier it is to find a data pattern.  However, the number of persons who would qualify as terrorists is (thankfully) a very small one, and the number of terrorist incidents from which to deduce their typical behaviors is (thankfully) very low.  To make matters even more complex, terrorist behavior is adaptive -- terrorists will vary targets, attempt to hide their identities, and otherwise change their behaviors in order to avoid detection. 

In fact, reliance on computerized profiling may make air travel even less secure.  As two MIT researchers have demonstrated in their article "Carnival Booth: An Algorithm for Defeating the Computer-Assisted Passenger Screening System," [10] a determined terrorist cell could easily overcome the CAPPS I system now in use, and the paper's conclusions logically extend to the currently proposed CAPPS II system.  Passengers will necessarily discover their risk-profile under CAPPS II each time they fly -- those who do not receive additional screening will know that they were found to pose a low risk, while those receiving additional screening will know that they were found to pose an unknown or high risk.  This transparency would be the system's Achilles' Heel, making it possible for a terrorist cell to learn, prior to attempting an attack, whether or not its members are at risk for being stopped.

A terrorist cell could successfully bypass CAPPS II in the following manner: (1) probe the system by sending an operative on a flight, without any intent to harm, and without any explosives or weapons, and note whether or not the operative is flagged;  (2)  If the operative is flagged, the cell could send another in the same manner;  (3) Repeat this probing process until cell members are found who consistently receives "low-risk" treatment; (4) send those operatives out on their terrorist mission, knowing that they will likely not be stopped.  After only a few successful probes by a terrorist, the chances of CAPPS II correctly flagging him for extra scrutiny quickly approaches, and then drops below, the chances of catching him through random screening.  Alternatively, a terrorist could merely adopt the identity of a non-terrorist via identity theft, or create a new identity lacking any of the risk indicators likely to trigger heightened scrutiny.

Therefore, even assuming that the databases being mined are completely accurate, identifying individual terrorists amongst the hundreds of millions of passengers who travel by air each year would be a task even more difficult than finding the proverbial needle in the haystack.  However, there will of course be a gross number of inaccuracies in the databases used by CAPPS II. 

The Notice does not identify what commercial databases will be consulted during the identity authentication phase, but it bears noting that in general, commercial data aggregators are subject to little regulation regarding the quality of their data.  And even the credit reporting industry, which is highly regulated, regularly provides woefully inaccurate data.  According to a recent Public Interest Research Group study, up to 41% of credit reports contain "personal demographic identifying information that was misspelled, long-outdated, belonged to a stranger, or was otherwise incorrect." [11]  This same data will presumably be used during the identity authentication phase of CAPPS II, and the results of that authentication will likely be just as inaccurate.

In addition to the likelihood of inaccuracies in data supplied by aggregators, critical information in government databases may also be incorrect. One database that will probably be checked during the risk assessment phase is the National Criminal Information Center (NCIC) database, yet last March Attorney General John Ashcroft administratively released the FBI from its statutory duty under the Privacy Act of 1974 of ensuring the accuracy and completeness of the more than 39 million criminal records it maintains in the NCIC.

Internal government watch lists of known and suspected terrorists, to be checked during the risk assessment phase, will also contain errors.  For example, current watch lists contain a name identical or similar to "David Nelson," and as a result, multiple innocent David Nelsons around the country have been repeatedly subjected to heightened scrutiny when trying to fly.  Such repeated mistakes are to be expected when, as is the case currently and will be under the CAPPS II system, citizens that are misidentified as threats once have no meaningful way to ensure that they will not be misidentified as threats in the future.  Conversely, many actual terrorists will remain unlisted.  For example, several suspected terrorists with proven links to al-Qa'ida, although known by the government to have entered the country, were not on the relevant watch lists when they boarded the planes that would be used in the attacks of September 11, 2001. 

However, even assuming that CAPPS II could, in spite of inaccuracy in its source data and adaptive behavior by terrorists, achieve 99% accuracy in distinguishing innocents from terrorists (a highly unlikely feat), it would still likely be ineffective.  Assume that there are approximately 600 million air passengers each year, and one thousand of those are terrorists.  Based on those numbers, six million people would be flagged as terrorists, and all but 990 of those people would be "false positives," i.e., not terrorists.  That means that each time an individual was flagged by CAPPS II, there would be a 99.99% chance that the individual was wrongfully targeted.

TSA has yet to provide any evidence or empirical support for its assertion that CAPPS II would provide greater aviation security than current measures.  Nor has it explained why the money intended for CAPPS II would not be better spent on traditional, proven security measures that focus on identifying high-risk items such as bombs and weapons as opposed to high-risk individuals.  TSA has, in fact, refused to provide any information bearing on cost or effectiveness.  In response to a Freedom of Information Act request, TSA declined to provide the Capital Asset Plan and Business case materials it has submitted to the White House's Office of Management and Budget.[12]

The cost of CAPPS II will, however, presumably be very high.  Sophisticated computer profiling systems do not come cheap, and existing systems used by airlines and travel agents will have to be extensively reconfigured to allow for the collection, maintenance and transmission of data that CAPPS II requires.  The estimated cost of much more limited modifications to existing airline and travel agency computer systems, made necessary by proposed U.S. Immigration and Naturalization Service requirements regarding the collection of passenger manifest data, would be at least $164 million and likely would "rise significantly higher," according to the International Air Transport Association.[13]  The much more ambitious CAPPS II program can be expected to cost several times that amount.

There is no evidence that TSA has even considered the true cost of the CAPPS II program, particularly in relation to the marginal security benefit it would add to existing or potential security measures that do not involve the mass surveillance of all air passengers and would likely cost much less -- measures such as x-ray/magnetometer searches of all passengers and baggage, positive bag-matching to ensure that all bags placed on a plane are accompanied by their owners, hardened cockpit doors, or air marshals on every flight.

In fact, the only known test of the risk assessment process was cancelled before it even began.  In 2002, TSA planned to test a CAPPS II prototype in Salt Lake City during the Winter Olympics.  During that test, private companies were going to analyze data from commercial and government databases to generate risk scores for each passenger in the same manner as the proposed CAPPS II system.  However, the plan was scuttled when TSA officials lost confidence that it could be implemented effectively.  As one official said, "We weren't satisfied we were going to get the most bang for the buck,"[14] and in regards to the proposed CAPPS II system, we share that official's concern. 

The cost of CAPPS II will not only be measured in dollars, however.  The supposed security benefits of the proposed system must also be measured against the cost to citizens' constitutional rights, and in this respect, CAPPS II -- in particular, its secret risk assessment phase -- will be costly indeed.

(1)  The Secrecy Surrounding the Risk Assessment Phase Unacceptably Increases the Risk of Error, Abuse, and Discrimination in its Application

The Notice offers no real notice at all when it comes to describing the internal risk assessment process whereby travelers will be flagged as likely terrorists or as persons with links terrorism.  Such secrecy would enable the violation of travelers' constitutional rights, through error, abuse, or discrimination in its application, while offering no redress for those whose rights are violated.

 According to the Notice, "The risk assessment function is conducted internally within the U.S. government and will determine the likelihood that a passenger is a known terrorist, or has identifiable links to known terrorists or terrorist organizations."  The Notice continues, "Based upon the combination of information derived from commercial sources, national security sources, and dynamic intelligence data, each traveling passenger will be identified with a ‘risk score'" indicating whether that person poses "a risk to passenger and aviation security."

The Notice does not identify any of the databases that will be referenced in making this determination.  Based on the mention of "commercial sources", it is unclear whether data used during the identity authentication stage (which the Notice earlier stated would be used "for the sole purpose of authenticating passenger identity") will also be used during risk assessment, or whether additional commercial data will be collected during risk assessment.  The Notice states that "TSA will not use measures of creditworthiness, such as FICO scores, and individual health records in the CAPPS II traveler risk determination," but this leaves the treatment of a great deal of equally sensitive personal information unaddressed.

 It is also unclear what internal government data will be examined during risk assessment.  Certainly, classified intelligence data on known terrorists and terrorist organization will be referenced.  However, it also appears that federal and state databases will be used to determine whether passengers have outstanding arrest warrants, while additional government databases will be used to discover passengers' immigration status.

Considering that citizens may be subjected to questioning, detention, or physical search based on this risk assessment, or may even be prevented from traveling, it is unreasonable not reveal whatever non-classified data sources will be consulted during risk assessment.  Without this information, passengers can neither evaluate whether and to what extent the details of their private lives are being examined nor act to correct erroneous information in those databases over which they may exert some control.  The American public deserves to know to what extent its government is examining citizens' private lives.

Based on these secret information sources, CAPPS II will then use equally secret criteria to determine whether passengers are likely to be terrorists or have terrorist links.  Notably, what constitutes a terrorist, links to terrorism, or a foreign or domestic terrorist organization, is left undefined.  It is also unclear whether passengers who are not on any existing government watch list of known or suspected terrorists may, based on other criteria, nevertheless generate risk scores high enough to bar them from flying.  Without any indication as to what the relevant criteria may be, there is no way to verify that they are reasonable and non-discriminatory. 

Such lack of transparency in a system that so directly affects citizens' rights poses an unacceptable threat to essential liberties, by enabling and encouraging errors and abuse of discretion in the risk assessment phase.  The level of secrecy apparent in the Notice would allow the government essentially unbridled authority to prevent any passenger from traveling, search any passenger regardless of probable cause, or punish passengers based on their constitutionally-protected speech activities, including their political and religious affiliations.

(2)  CAPPS II Will Unduly Burden the Constitutional Right to Travel

Fundamental to a democratic society is the ability to wander freely and anonymously without being compelled to divulge information to the government about who we are or what we are doing.[15]  "Free movement by the citizen is of course as dangerous to a tyrant as free expression of ideas or the right of assembly and it is therefore controlled in most countries in the interests of security….  That is why the ticketing of people and the use of identification papers are routine matters under totalitarian regimes, yet abhorrent in the United States."[16]  The CAPPS II system clearly affects several aspects of the right to travel -- the right to pass through a state;[17] the right to visit another state;[18] and the right to free movement[19] -- and it does so in a vague and open-ended way that raises grave constitutional concerns.[20]

The Notice is unclear as to whether passengers who will not or cannot provide the information required by CAPPS II will be allowed to fly at all.  The Notice does not indicate whether passengers without home telephone numbers -- a common occurrence in the age of the cell phone -- will be allowed to fly.  It is silent on whether passengers who have no permanent residence and cannot provide a home address will be allowed to fly.  And it is equally silent on whether passengers do not possess identification, or who refuse to provide personal information such as their date of birth, will be allowed to fly.

These unanswered questions lead to others.  We are concerned that travelers will be deemed to pose high or unknown risks simply because they have not generated a long and storied data trail for CAPPS II to evaluate. Will people who don't own houses, don't drive cars, work in low-paying jobs, or lack credit histories be detained more frequently because they are "unknown" to the system? Will low-income people be more likely to be "unknown" because they don't engage in many "trackable" activities? Will recent immigrants, who have not lived in the U.S. for long, be deemed "unknown risks"?

Additionally, will those who are mistakenly deemed to pose high or unknown risks be singled out for heightened scrutiny every single time they travel?  The Notice fails to establish a system of records for tracking mistaken risk assessments in order to prevent such repeat incidents, which will waste precious security resources while unreasonably burdening passenger rights.

Forcing air travelers to choose between traveling by air or having to surrender their privacy by providing personal information, allowing the government to rifle through the personal details of their lives, and submitting to searches based on secret criteria that offer the government unlimited discretion, is a Hobson's choice not allowed by the Constitution.  It is "often a necessity to fly on a commercial airliner, and to force one to choose between that necessity and the exercise of a constitutional right is coercion in the constitutional sense."[21] 

(3)  CAPPS II Will Unduly Burden the First Amendment Rights to Speak, Associate and Worship Freely

The Supreme Court has said that the First Amendment represents "a profound national commitment to the principle that debate on public issues should be uninhibited, robust, and wide-open."[22]  State action that punishes citizens for engaging in protected speech is unconstitutional.  Yet CAPPS II's secret risk assessment will have a chilling effect on citizen's willingness to express politically marginalized viewpoints and associate with disfavored political or religious groups.

There is already evidence that political activists have been stopped because their political speech placed them on the current "no-fly" list.[23]  People who are from left-leaning or activist groups have found themselves increasingly pulled out of line at the airports to go through expanded security measures.  For example, Virgine Lawinger, a nun and peace activist from Milwaukee, was questioned by police before being allowed to board her flight.  In addition, two other journalists who were also peace activists catching a flight in San Francisco were stopped and questioned by the FBI before being allowed to board their plane.  An airline even kicked a passenger off the plane because he wore a button that said "suspected terrorist."[24]

Freedom of speech supports our political democracy, the need for human self-realization, and the search for truth.  As such, CAPPS II will deservedly be subject to strict scrutiny in the courts. Because there are other, non-restrictive ways of increasing security, CAPPS II is an unnecessary curtailment of the First Amendment right of free speech.  Both of these examples also violate the Equal Protection clause of the 14^th Amendment. The Fourteenth Amendment protects individuals from arbitrary discrimination perpetrated by the government.[25]  This protection extends both to express and as applied discrimination.[26]

The Notice makes no assurance that the secret risk assessment will not include protected characteristics such as race or national origin.  Furthermore, the Notice does not include procedures for minimizing discriminatory treatment by security personnel.  For example, will "unknown" risk individuals be detained longer and subject to more invasive searches if they are Muslim or of Arab descent?  Racial discrimination has already occurred in the name of national security,[27] and the TSA claims CAPPS II will solve problems like this.  Yet the secretive risk assessment and sparse regulations do little to allay these serious constitutional concerns.

There have been examples that this type of discrimination is going on right now.  Hussein Ibish, communications director of the American Arab Anti-Discrimination Committee has stated has stated that there have been at least 80 cases involving more than 200 people where passengers who have Arabic names have been delayed for their flights or barred from flying altogether.[28]

To the extent that secret risk assessments based on examination of extensive private information enable monitoring of travelers' social, religious and political activities, deter them from traveling in order to engage in such activities, or target them based on their political or religious affiliations, those travelers' First Amendment rights to associate and worship freely are threatened. Where state action causes people to decide not to join political groups or to end their memberships to such groups, their right of association has been violated and the state action is subject to strict scrutiny.[29]  To pass muster, the state action must be narrowly tailored using the least restrictive means to further the purported state interests.[30]  Security procedures that target members of certain political or religious groups may severely curb innocent citizens' desire to join those groups and to express their views.  As mentioned, there is evidence that political targeting is already happening with the TSA's no-fly lists.  Because the risk assessment is hidden from the public, citizens may fear being detained or prevented from traveling because of their political associations. CAPPS II will unconstitutionally pose to them the choice between not traveling and not participating in social, religious and political groups.

(4)  CAPPS II Will Unduly Burden the Right to be Free from Unreasonable Searches and Seizures

Warrantless searches of air travelers have been allowed in the past as "administrative searches," i.e., "searches conducted as part of a general regulatory scheme in furtherance of an administrative purpose, rather than as part of a criminal investigation to secure evidence of a crime…." [31]  However, "an administrative screening search must be limited in its intrusiveness as is consistent with satisfaction of the administrative need that justifies it,"[32] and the administrative purpose of air passenger screening is to "prevent the carrying of weapons or explosives aboard aircraft, and thereby prevent hijackings."[33]  As a result, x-ray and magnetometer screening of all passengers in order to detect weapons or explosives are constitutional, insofar as they are "confined in good faith to that purpose."[34]

Additionally, administrative searches are only permissible insofar as they do not accord undue discretion to law enforcement that may be abused.  Rather, administrative searches must be "carefully limited in time, place, and scope,"[35] and those subject to such searches cannot be "left to wonder about the purposes of the inspector or the limits of his task."[36]

CAPPS II's attempts to prevent high-risk persons from boarding airplanes instead of focusing on detecting high-risk items such as weapons and explosives are of dubious practicality and constitutionality, and go far beyond the traditional administrative search doctrine as applied to passenger screening.  Even a known terrorist is not a danger to aviation security without weapons or explosives, and passenger screening is constitutionally limited to the purpose of detecting such items.   Furthermore, subjecting passengers to detention, questioning, and physical search based on secret and unproven data-mining procedures that allow the government to scrutinize vast amounts of personal data is a measure of unprecedented intrusiveness.

Additionally, due to the secrecy of the risk assessment process, there are no adequate safeguards to ensure that the resulting searches are in fact confined in good faith to the purpose of weapon and bomb detection, or that they are carefully limited in scope.  Inspectors will be accorded an unconstitutional level of discretion in applying secret criteria to secret data in order to evaluate whether a passenger warrants the undefined label of terrorist or person linked to terrorism, and each targeted passenger will undoubtedly be "left to wonder" about the purpose of and the limits on their inspector's behavior.

There is "an obvious danger…that the screening of passengers and their carry-on luggage for weapons and explosives will be subverted into a general search for evidence of a crime," and therefore, in order to satisfy the Fourth Amendment, the screening process must only seek to discover weapons and explosives and go no further in scope.[37]  However, the Notice indicates that CAPPS II may be used to apprehend passengers with outstanding federal or state criminal warrants to law enforcement, or to detect persons who have violated immigration laws.  Such general law enforcement use of the CAPPS II system would unconstitutionally exceed administrative search authority.  "[A] generalized law enforcement search of all passengers as a condition for boarding a commercial aircraft would be plainly unconstitutional."[38]

The Fourth Amendment guarantees citizens' right to be free from unreasonable searches.  Yet, because the risk assessment is secret, there can be no guarantees of the veracity of the TSA's claim that a traveler is of high or unknown risk, and hence no possibility of assessing its reasonableness.  Both the identity authentication and risk assessment phases will rely to some extent on inaccurate data, as discussed above, yet the greater the inaccuracy of the system, the less reasonable searches based upon it are.  Furthermore, although it may not directly implicate Fourth Amendment rights, combing commercial databases for details regarding passengers' private lives clearly violates the spirit of the Amendment.  The mere decision by a citizen to travel by air should not give the government unfettered access to their personal records.

(1)  The Proposed System of Records Violates the Privacy Act of 1974

In response to a previous notice regarding the system of records to be used in CAPPS II, published in the Federal Register in January 2003, we submitted comments detailing the ways in which that notice does not comply with the Privacy Act of 1974.  The current Notice similarly fails to satisfy statutory requirements.  Briefly, our main concerns about that notice, which equally apply to this Notice, included:

• The Categories of Individuals are too vague. See § 5. U.S.C. 552a(e)(4)(B).
• The Categories of Records are too vague.  See 5 U.S.C. § 552a(e)(4)(C).
• The Safeguards are inadequate.  See 5 U.S.C. § 552a(e)(9) and (e)(10).
• The Routine Uses are too broad.  See 5 U.S.C. § 552a(a)(7).
• The Routine Uses are likely not compatible with the purpose for which the data will be collected.  See 5 U.S.C. § 552a(a)(7).
• Most of the collected data will not to be collected from the data subject, i.e., the passenger.  See 5 U.S.C. § 552a(e)(2).
• Passengers have no right of access that would enable the correction of erroneous information in their record, even if they are denied the right to board a plan.  See 5 U.S.C. § 552a(k)(2).

For a more detailed discussion of CAPPS II's failure to comply with the statutory requirements of the Privacy Act, please see our previous comments.[39]

(2)  The Proposed System of Records and Its Use in CAPPS II Violates Fair Information Principles

In addition to violating the letter of the Privacy Act, CAPPS II also fails to satisfy the guiding principles upon which that law was built.  Almost thirty years ago, the Fair Information Principles were developed in order to allow the benefits of computerization, while at the same time providing safeguards for personal privacy.  The Fair Information Principles are generally accepted to be at least: Notice, Choice, Access, Security, and Enforcement.

First, the CAPPS II system violates the Notice requirement because passengers are largely unaware of the government's data handling practices, including what information is collected and how it is being used.

In the Notice, the TSA claims to have narrowed the kinds of data that will be collected. The TSA changed the description of additional information that would be collected about travelers (besides the PNR) from "associated data" to "some information about the passenger's itinerary."  This change cannot be described as anything more than cosmetic. Contrary to the TSA's claim, the Notice does not narrow the scope of the CAPPS II system. Instead the system is expanded, and with this expansion, notice to the passenger as to the types of information collected about that passenger is obscured.

The TSA's claim that it will no longer "collect and maintain" large amounts of personal information is spurious. There is no more than a technical difference between the TSA "collecting and maintaining" information and the TSA having constant and perpetual access to information that data aggregators (who are not subject to the Privacy Act) collect and maintain. Even the TSA's claim that it will not collect information is vague: "TSA will not retain significant amounts of personal information."  The operative word, "significant," is relative. What may not be significant to the government, may have great significance to an individual. The TSA offers no clarification of the use of that term or how much information is a "significant amount." Furthermore, there is no assurance that any of the data gathered will not be used in discriminatory ways. For example, will food preferences be used to racially or religiously profile travelers? Will political affiliations be used? If so, the First Amendment right of association stands to be violated when people curb their political activities for fear of being searched and questioned. The Notice fails to address these potential rights violations.

Moreover, the Notice do not disclose what governmental or commercial databases will be used. Though the TSA claims that CAPPS II will not use information about creditworthiness or FICO scores, it did not rule out the use of other financial information such as transactional information, including billing information on credit cards. The Notice states that the system will contain information from "governmental databases containing information on, or pertinent to, the detection of terrorists and their associates and the detection of the serious criminal violations detailed in this notice." Who decides what databases are pertinent to the detection of terrorists? This description is so subjective that it is almost meaningless. Given the numerous, uncoordinated databases that are kept about individuals, it is vitally important that citizens have access to them, or at least know about how the information in those databases is used. One example in the vast array of possible databases is the National Databases of New Hires. This is a database that was created to ensure that parents wouldn't renege on child support payments, but has been expanded to facilitate collection on student loans. Will it be used to make risk assessments? As more marginally relevant databases are used, the potential for violations increases. Of concern are violations of privacy and civil liberties, not to mention subjecting individuals to the risk of unlawful conduct by people who have access to the information.

Trying to evade the Privacy Act of 1974 by contracting with commercial aggregators to match passenger identification data supplied by Passenger Name Records (PNRs) also violates the notice requirement. Commercial data aggregators operate under no requirements for fairness and accuracy. In fact, most consumers are already concerned that private companies keep too much personal information about them.[40] Along with being disingenuous, the pretense of having nothing to do with the collection and sorting of data is highly questionable, particularly when this extensive data collection and checking is for a specific government purpose; that is, to fulfill the TSA's mission of ensuring aviation security. When private companies do the government's work, not only is no one accountable for errors or inaccuracies, but consent to collect the information is not required.

There is also no notice to passengers about how long their personal information will be kept in government databases. The TSA maintains that it has decreased the time period for which personal data will be retained.  In fact, the time period for passengers who are U.S. citizens has increased. Under the current Notice, data will be retained for "a certain number of days after the safe completion of [passengers'] travel itinerary."  Under previous notice, data was to be deleted upon completion of passengers' travel.  The problem of vagueness surfaces again: "certain number of days" could mean very different things. Three days and thirty days are both a "certain number."

Data related to non-citizens can be retained for "three years, or until superseded, but again, there is little or no notice to passengers about this."  This essentially allows information to be kept forever. This is an unacceptably long time because it greatly increases the risk that the data will be compromised or misused. Not only that, but differential treatment of citizens and non-citizens is discriminatory.

The question of adequate notice and security is again raised by the TSA's desire to collect even more personal information from passengers, thus raising the specter of identity theft. The Notice describes the information that will be collected by airlines as "routine."  In reality, date of birth (DOB) is never and addresses are rarely collected by airlines. For example, reservations for a group are often made in one person's name. Similarly, full names are not required to make a reservation. Reservation systems currently in use by airlines and the major booking agents do not even contain a field for DOB. In other words, the information the TSA calls "routine" passenger name record (PNR) information is not routine at all. The TSA proposes to make travel agents and airlines collectors of data they do not now collect. Once the PNR information has been collected and turned over to the government, there is no restriction on what these private entities can do with it.

Second, the CAPPS II system violates the Choice requirement because passengers are not given meaningful choice or consent about how their data can be used

Implementation of CAPPS II does not allow for individual choice.  If the individual wishes to purchase an airplane ticket, he or she must be prepared to give their name, address, phone number and DOB.  The Federal Register notices lists the agencies, corporations, and other contractors who will have access to this information. The individual has no opportunity to "opt-out" of any type of data sharing.

As discussed above, The Privacy Act requires consent as a condition of disclosure.[41] There is no provision for any form of consent in this process, other than coerced consent, including consent to the collection of information not ordinarily collected, such as date of birth (DOB) and address. Further, the TSA is attempting to get around the choice requirement by having commercial enterprises do the work, so that the TSA can argue that the Privacy Act does not apply.

Third, the CAPPS II system violates the Access requirement because passengers are given virtually no rights to view, amend, or delete information kept on them.

The principle that people should have access to information about them is almost entirely ignored in the Notice. The Notice states: "DHS has determined that all persons may request access to records containing information they provided . . . To the greatest extent possible and consistent with national security requirements, such access will be granted." This means that passengers can request to see the information that they provided to their travel agent and that their request may be granted. This cannot realistically be called access - passengers can only see a very small portion of the data and none of the data that will be used to determine whether they are members of "terrorist" organizations. Even more peculiar is that the data may not even exist when the traveler requests it. The TSA has somehow determined that "access" is when you can see only data you provided, which is a small portion of the total data, and only if it happens to be in the computer system at the time.

In an interesting logical leap, the Notice states that the system may not be accessed to determine whether someone is in the database.  Section 552a(k) of the Privacy Act is cited as barring such access.  Section 552a(k) bars access only related to law enforcement activity.  Yet earlier in the Notice, the TSA maintains that most passengers will be "low risk" and therefore not subject to screening.  Only in this latest Notice has coordination with law enforcement been mentioned, and vaguely at that.  Characterizing the CAPPS II system as "law enforcement" is therefore disingenuous. Law enforcement deals with people who are suspects under the probable cause requirement.  CAPPS II evades the data access requirements by characterizing everyone as a criminal, even though, by its own account, most passengers are "low risk" (and therefore not criminals). This tactic is reminiscent of totalitarian political regimes that operate using a police state, intimidating the populace into submission. Law enforcement is politically and judicially regulated for good reasons.

While the TSA hopes to reduce improper identification by using the CAPPS II system, the Notice does not discuss the accuracy of the commercial databases. Identification, based on the 4 data fields (name, address, phone, DOB) may be correct, but the information contained in the commercial databases on which a passenger's risk rating will be based can still be incorrect. There is no requirement or assurance that the commercial databases maintain accuracy. It is even more troubling that passengers mis-labeled under the system have no recourse in the courts because there is no accountable entity subject to liability for inaccuracies.

Fourth, the CAPPS II system violates the Security requirement because there is no meaningful discussion of the types of security measures that will be in place to safeguard personal information while it is in a government database.

The Notice fails to describe the security procedures that will protect the personal information being generated and used by CAPPS II. The TSA states that the records will be maintained at the TSA's headquarters.  Questions that remain unanswered include: 1) Will the TSA contract out the security services? 2) If so, will companies be allowed to submit bids? 3) How will the TSA select the contractor? 4) What procedures and security requirements must the contractor adhere to or develop and implement? The information collected by CAPPS II is extremely valuable and as such, will be the target of many security attacks. Not only that, but databases that are frequently used are also subject to inadvertent leaks and breaches simply because of their size and accessibility.

Of particular concern is the requirement that airlines disclose dates of birth to private corporations and systems of government records. A person's date of birth provides a key to unlocking, aggregating, and tracking the private and sensitive data of every airline passenger for life. The courts have recognized this in numerous cases. Scottsdale Union School District no. 48 v. KPNX Broadcasting Company held that that disclosure of DOBs threaten individual privacy, [42] stating that disclosing a DOB can be "...an unwarranted invasion of privacy..." similar to that of disclosing a person's Social Security Number ("SSN").[43] Aggregation of dates of birth into PNR records held by various entities in various systems is a recipe for identity theft and other crimes on a disastrous scale. Given the clear hypersensitivity of the date of birth, we insist that the notice must be withdrawn and subsequently amended to eliminate collection of passenger dates of birth entirely.

As discussed above in the Notice section, there are security issues associated with data retention. The chances of deliberate or accidental misuse of data increase with the more data you keep and the longer you keep it. CAPPS II would  allow data to be kept for much longer than it is needed, and therefore increases the likelihood of a security breach.

Fifth, the CAPPS II system violates the Enforcement requirement because the appeal process is too burdensome for passengers.

Finally, the procedures for allowing travelers to contest incorrect information are inadequate. Passengers can write to the CAPPS II Passenger Advocate if they wish to contest or amend the records.  If the Passenger Advocate doesn't resolve the issue the passenger can appeal to the DHS Privacy Office. These procedures are inadequate for a number of reasons. There must be judicial recourse for resolving questions that relate to fundamental constitutional rights, including the right to know the identity of your accuser and the evidence that's the basis of the accusation against you—not to mention the right of travel itself. In addition, there are no guidelines regarding how long will it take to resolve issues that may be keeping someone from flying. With the advent of the Coast Guard's port security regulations,[44] it is clear that passengers may be barred from using any form of long-distance (and perhaps eventually short-distance) transportation for an indeterminate amount of time as their claims are handled.

We predicted in our earlier comments the CAPPS II system would expand, and the TSA has fulfilled that prediction. Although originally intended to protect against international terrorists, CAPPS II's purposes have expanded even before the system has been implemented.  No longer limited to detecting international terrorists, CAPPS II will attempt to catch domestic terrorists as well, a category of persons that is left undefined and may well include many innocents targeted solely based on their exercise of First Amendment rights.  Nor will CAPPS II only be limited to ferreting out terrorists, whether foreign or domestic – its purpose has been expanded to include criminal and immigration law enforcement: TSA will share information with law enforcement agencies and the Department of Homeland Security when there is an indication of a "serious criminal violation," and CAPPS II will also be linked to the U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT)," presumably in order to detect violators of immigration law.

CAPPS II is already experiencing "function creep" whereby systems come to be used for purposes that were not contemplated when the systems were created. Damaging and often unconstitutional practices are implemented this way by gradually expanding the scope and use of government programs.  The Social Security number, for example, although originally intended to aid in the administration of Social Security benefits, has in modern times become a de facto national identity number.  CAPPS II and similar passenger-screening technology, if implemented, should similarly be expected to "creep."  Although currently limited to detecting terrorists and certain types of criminals, there is no reason to expect that the CAPPS II system will not be used in the future to detect any and every type of garden-variety crime.  Furthermore, once adopted in airports and grudgingly tolerated by air passengers, CAPPS-like systems can be expected to appear in all travel contexts, including bus stations, train stations, and maritime ports.  It is no exaggeration to say that CAPPS II may represent the first step towards pervasive internal border controls that would subject all citizens to invasive government scrutiny every time they attempted to travel. 

IV.           CONCLUSION

The CAPPS II system as currently proposed is an unacceptable threat to essential liberties that will fail to make the public safer.  CAPPS II will be ineffective at stopping terrorists; it's secret inner workings will grant the government unfettered discretion such that constitutional rights may be violated without recourse; it's thoroughly invasive nature will seriously degrade the privacy of all air travelers; and its purpose and reach will almost certainly expand far beyond the goal of catching terrorists and far outside the airport walls.  The CAPPS II system as currently proposed must not proceed, and the system of records intended to enable its functioning should not be created.

Sincerely,

Beth Givens
Privacy Rights Clearinghouse

Katherine Albrecht
CASPIAN

Richard Sobel
Cyber Privacy Project

Mike Stollenwerk
Advisor to the Privacy Rights Clearinghouse

Kevin Bankston, Attorney & Equal Justice Works Fellow
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110

Lee Tien, Senior Staff Attorney
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110

Deborah Pierce
Executive Director
PrivacyActivism
452 Shotwell Street
San Francisco, CA 94110

[1] See 68 Fed. Reg. 45265 (August 1, 2003).

[2] Dept. of Homeland Security Appropriates Act of 2004.  H.R. 2555, § 519.

[3] See Philip Shenon, JetBlue Gave Defense Firm Files on Passengers, New York Times, Sep. 19, 2003 (available at http://www.nytimes.com/2003/09/20/business/20PRIV.html?pagewanted=print&position=).

[4] A copy of the Torch Concepts presentation, "Homeland Security: Airline Passenger Risk Assessment is Included as Appendix I.

[5] See, e.g., www.boycottdelta.com.

[6] Jim Wolf, U.S. Airlines Urged to Agree on Prescreening Tests, Reuters, Sep. 26, 2003 (available at http://reuters.com/newsArticle.jhtml?type=topNews&storyID=3515963).

[7] See Richard Sobel, The Demeaning of Identity and Personhood in National Identification Systems, 15 Harv. J. Law & Tec 319, 367 (2002).

[8] Arnold Barnett, Airline Security's False Hope, MIT Technology Review, Jul. 28, 2003 (available at http://www.technologyreview.com/articles/wo_barnett072803.asp).

[9] Erika Jonietz, Technology Can't Tame Terror, MIT Technology Review, Sep. 2003 (available at http://www.technologyreview.com/articles/impact0903.asp).

[10] See Samidh Chakrabarti, Aaron Strauss, Carnival Booth: An Algorithm for Defeating the Computer-Assisted Passenger Screening System, Law and Ethics on the Electronic Frontier, May 2002 (available at http://www.swiss.ai.mit.edu/6805/student-papers/spring02-papers/caps.htm).

[11] See http://www.pirg.org/reports/consumer/mistakes/page1.htm for more details.

[12]g See http://www.epic.org/privacy/airtravel/pia-foia-response.pdf.

[13] See http://www.epic.org/privacy/airtravel/iata_ins_pax_manifest.pdf.

[14] Robert O'Harrow Jr., Air Security Focusing on Flier Screening,Washington Post, Sept. 4, 2002, Page A01.

[15] See Papachristou v. City of Jacksonville, 405 U.S. 156, 164 (1972); Brown v. Texas, 443 U.S. 47, 52-53 (1979)); Hutchins v. Dist. Of Columbia, 188 F.3d 531, 537 (D.C. Cir. 1999) (right to "interstate travel is a fundamental right subject to a more exacting standard" than ordinary due process scrutiny). 

[16] Aptheker v. Secretary of State, 378 U.S. 500, 519.  (1964) (Douglas, J, concurring). 

[17] United States v. Guest, 383 U.S. 745 (1966).

[18] Baldwin v. Fish & Game Commission, 436 U.S. 371 (1978).

[19] Kent v. Dulles, 357 U.S. 116, 126 (1958).

[20] See, e.g., Kolender v. Lawson, 461 U.S. 352, 361-62 (1983) (California statute requiring an individual who loitered or wandered the streets to produce "credible and reliable" identification to an officer upon request of a police officer was unconstitutional on vagueness grounds); Lawson v. Kolender, 658 F.2d 1362, 1366-67 (9th Cir.1981) ("serious intrusion on personal security outweighs the mere possibility" that identification might lead to arrest), aff'd on other grounds, 461 U.S. 352 (1983).

[22] New York Times v. Sullivan, 376 U.S. 254, 270 (1964).

[23] See Dave Lindorff, Grounding the flying nun, Salon.com, Jul. 25, 2003 (available at http://www.salon.com/news/feature/2003/07/25/no_fly/index.html).

[24] See Justin Jouvenal, Politics doesn't fly on British Airways; British Airways no-fly zone for politics, Alameda Times-Star, Jul. 28, 2003.

[25] Willowbrook v. Olech, 528 U.S. 562, 564 (2000) (citing Sioux City Bridge Co. v. Dakota County, 260 U.S. 441, 67 L. Ed. 340, 43 S. Ct. 190 (1923)).

[26] Id.

[27] See United States Department of Justice Office of the Inspector General, A Review of the Treatment of Aliens Held on Immigration Charges in Connection with the Investigation of the September 11 Attacks (2003) (available at http://www.usdoj.gov/oig/special/03-06/index.htm).

[28] See http://www.alternet.org/story.html?StoryID=14563

[29] NAACP v. Alabama, 357 U.S. 449, 463 (1958).

[30] Roberts v. United States Jaycees, 468 U.S. 609, 623 (1984).

[31] U.S. v. Davis, 482 F.2d 893, 908 (9^th Cir. 1973).

[32] Id. at 910.

[33] Id. at 908.

[34] Torbet v. United Airlines, 289 F.3d 1087, 1089 (9^th Cir. 2002).

[35] NY v Burger, 482 U.S. 691, 703 (1987)

[36] Donovan v. Dewey, 452 U.S. 594, 604 (1981)

[37] U.S. v. Davis, 482 F.2d at 909.

[38] U.S. v. $124,570 U.S. Currency, 873 F.2d 1240, 1243 (9^th Cir. 1989).

[39] Our previous comments are available at http://www.privacyactivism.org/Item/69.

[40] Study: 70% of Consumers Say Companies Know Too Much, DM News, Aug. 21, 2003 (available at http://www.dmnews.com/cgi-bin/artprevbot.cgi?article_id=24820).

[41] 5 U.S.C. § 552a(b).

[42] Scottsdale Union School District no. 48 v. KPNX Broadcasting Company, 955 P. 2d 534 (1998).

[43] Id. at 534 (citing Oliva v. US, 756 F. Supp. 105 (1991)).

[44] Vessel Security, 68 Fed. Reg. 39,292 (proposed Jul. 1, 2003) (to be codified at 33 C.F.R. pt. 104).