
Homeland Security

Subcommittee on Aviation

Hearing on

The Status Of The Computer-Assisted Passenger Prescreening System (CAPPS II)



PURPOSE

The purpose of this hearing is to determine the status of the Computer Assisted Passenger Prescreening System (CAPPS II), and the progress made in addressing concerns regarding privacy, due process, accuracy, and the effectiveness of the system.

BACKGROUND

In 1998, the Federal Aviation Administration (FAA) implemented the Computer Assisted Passenger Prescreening System (CAPPS) to enable air carriers to separate passengers into two categories: those who require additional security scrutiny ("selectees") and those who do not. CAPPS, which is in use today, uses information from the passenger's itinerary to search for certain behavioral characteristics determined by the FAA (and now by the Transportation Security Administration) to indicate a higher security risk. A passenger's selectee status is then transmitted to the check-in counter, where a code is printed on the boarding pass of any passenger determined to require additional screening. At the screening checkpoint, passengers who are selectees are subject to additional security measures.

The TSA's Office of National Risk Assessment is currently developing what is intended to be an improved version of CAPPS, known as CAPPS II. When fully developed, CAPPS II is envisioned to operate in the following manner:

  1. During the reservation process, the passenger will be required to provide four pieces of information: full name, home address, home phone number, and date of birth. This information will be entered into the Passenger Name Record (PNR), and the PNR plus the four pieces of information will be sent electronically to CAPPS II.
  2. At a specified time prior to the flight, CAPPS II will request an identity authentication from commercial data providers. This means that a passenger's personal information collected under step 1 will be verified by information in commercial databases, such as those operated by Lexis-Nexis. Rather than the commercial data provider sending back any personal information, an identity authentication score will be returned to CAPPS II indicating the probability that the passenger is who he says he is.
  3. After obtaining passengers' authentication scores, CAPPS II will conduct risk assessments using government databases, including classified and intelligence data, to generate a risk score categorizing the passenger as an acceptable risk, unknown risk, or unacceptable risk.
  4. When the passenger checks in for a flight, the passenger's risk category will be transmitted from CAPPS II to the check-in counter. Passengers who are an acceptable or unknown risk will receive a boarding pass encoded with their risk level so that checkpoint screeners will know the level of scrutiny required. If the passenger's risk is determined to be unknown, additional security checks will be required. Passengers whose risk assessment is determined to be unacceptable will not be issued boarding passes. Law enforcement agencies will be notified and will determine whether the individual will be allowed to proceed through the screening checkpoint or if other actions are warranted, such as additional questioning of the passenger, or taking the passenger into custody.

TSA estimates that currently 15 percent of passengers require additional checkpoint screening under CAPPS, compared to an expected one to three percent under CAPPS II.

Issues Identified by Congress Remain Unresolved: Both the FY 2004 Homeland Security Appropriations Act and the Vision 100 - Century of Aviation Reauthorization Act identified eight concerns that must be addressed before CAPPS II may be implemented on other than a test basis. These concerns relate to privacy, due process, accuracy, and the effectiveness of the system. According to GAO, although TSA is in various stages of addressing each of these eight issues, as of January 1, 2004, only one - the establishment of an internal oversight board to review the development of CAPPS II - had been fully addressed. Due to system development delays, uncertainties regarding when needed passenger data will be obtained, and the need to finalize key policy decisions, TSA was unable to identify a time frame for when all remaining issues will be fully addressed.

STATUS OF CAPPS II

CAPPS II Is Behind Schedule: The development of CAPPS II is being delayed because TSA has been unable to obtain passenger data needed for testing from air carriers. Air carriers have thus far refused to provide the data due to privacy concerns. As a result, according to the General Accounting Office (GAO), TSA has delayed the CAPPS II initial operating capability date - the point at which the system will be ready to operate with one airline - from November 2003 to a date unknown.

Due to the lack of passenger data, TSA has not yet stress-tested CAPPS II or conducted other testing to fully demonstrate the effectiveness and accuracy of the system's search tools in correctly assessing passenger risk levels. According to GAO, TSA officials believe they will continue to have difficulty in obtaining data for both stress and other testing until TSA issues a Notice of Proposed Rulemaking (NPRM) to require airlines to provide passenger data to TSA. TSA plans to issue a Security Directive compelling U.S. air carriers to provide historical PNR data for testing purposes, as well as an NPRM proposing to require airlines to provide future passenger data that will be used when CAPPS II is operational. After receiving passenger data, TSA says 90 days will be required to stress-test the system and test the accuracy of the CAPPS II algorithms that produce the identity authentication and risk scores.

Critical CAPPS II Plans Are Not Complete: GAO found that TSA has not yet developed critical elements associated with sound project planning, including a plan for what specific functionality will be delivered, by when, and at what cost throughout the development of the system. According to GAO, failure to complete these key system development planning activities puts CAPPS II at risk of providing decreased functionality at increased cost and behind schedule.

DATABASE ISSUES

Accuracy of Databases To Be Used by CAPPS II: Commercial data providers maintain certain information on the accuracy of their databases. However, accuracy data for government databases is not systematically collected. According to GAO, TSA does not know exactly what type of information the government databases contain - some may include only partial names or partial addresses - nor does TSA know how accurate the information is. TSA intends to develop and conduct its own tests to assess the overall accuracy of information contained in both commercial and government databases before determining whether a database is acceptable to be used by CAPPS II.

Data Aging: Data aging is another concern related to database accuracy. Two of the four key identity criteria that TSA plans to collect to identify potential travelers and compare them against terrorist watch lists are address and phone number. If the data a passenger provides does not match the information in the database, the result may be lower scores and additional screening. Unfortunately, about 20 percent of Americans move every year. That raises the issue of how often travelers will be subjected to additional screening and other problems based on the fact that they have moved and the database has not kept up with them.

DUE PROCESS

Redress Process: TSA is developing a redress process whereby passengers who are erroneously delayed or prohibited from boarding their scheduled flights ("false positives") can attempt to get inaccurate data corrected. Although the redress process is not fully developed, TSA anticipates it will use its existing complaint procedures - currently used for complaints from passengers denied boarding passes - to document complaints and provide these to the TSA Ombudsman. Complaints relating to CAPPS II will be routed to the Passenger Advocate, a position to be established within TSA for assisting individuals with CAPPS II-related concerns. The Passenger Advocate will represent the passenger and help identify errors in the system that may have caused a person to be identified as a false positive. If the passengers are not satisfied with the response received from TSA with regard to the complaint, they may appeal their case to the DHS Privacy Office. A number of key policy issues associated with the redress process, however, still need to be resolved, including how long the data will be retained, who will have access to it, and how it will be corrected.

Data Retention: TSA has not yet determined how long CAPPS II will retain passenger data. Current plans indicate that data on U.S. travelers and lawful permanent residents will be deleted from the system at a specified time following the completion of the passengers' itinerary (i.e., after completion of the return trip in a roundtrip itinerary). TSA's decision to limit the retention of data was made for privacy reasons, but the short retention period might make it difficult for passengers to seek redress if they do not register complaints quickly.

Data Access: It is unclear what access passengers -- through the Passenger Advocate -- will have to information found in either government or commercial databases, or who is ultimately responsible for making corrections. TSA has stated that passengers will not have access to any government data used to generate a passenger risk score due to national security concerns, so passengers may not be able to challenge data that is causing them to be flagged as a security risk.

Data Correction: If errors are identified during the redress process, TSA does not have the authority to correct erroneous data in commercial or government databases. It will be the responsibility of passengers to correct errors in commercial databases at their source, and TSA will refer the passengers to the original source of the data to seek correction. Regarding government databases, TSA intends to work with the appropriate government agency to correct erroneous data at the source. However, TSA will also have the capability to adjust the CAPPS II algorithms to eliminate the effect of government data that the TSA, through its redress and adjudication process, has determined to be erroneous. TSA officials have told GAO they plan to establish protocols with commercial data providers and other federal agencies to assist in the process of getting erroneous data corrected.

PRIVACY CONCERNS

In January 2003, TSA issued (1) a Privacy Act notice that described the system of records that will reside in CAPPS II and asked for public comment, and (2) a proposed rule to exempt this system of records from seven Privacy Act provisions as permitted under the Act. TSA has not yet provided the reasons for these exemptions, stating that this information will be provided in a final rule to be published before the system becomes operational. In August 2003, TSA issued an interim final notice that describes planned changes to CAPPS II based on the public's comments on the January 2003 notice. The August notice also stated that TSA would issue a further Privacy Act notice before any implementation of CAPPS II.

IDENTITY THEFT

The success of CAPPS II depends on being able to verify that passengers are who they say they are. Unfortunately, the basic information of name, address, telephone number and date of birth could be easily obtained by a terrorist intent on assuming a less risky identity. If coupled with the offering of counterfeit photo ID at the airport ticket counter and the screening checkpoint, CAPPS II appears to be susceptible to circumvention. According to GAO, TSA believes that CAPPS II will be able to detect some instances of identity theft (especially if the identity theft has been reported), but will not detect all instances of identity theft without implementing some type of biometric indicator, such as fingerprinting or retinal scans.

WITNESSES

PANEL I

Admiral David M. Stone
Acting Administrator
Transportation Security Administration

Mr. Norman J. Rabkin
Managing Director
Homeland Security and Justice Division
U.S. General Accounting Office
Accompanied by:
Mr. David Powner
Director
Information Technology Issues
U.S. General Accounting Office


PANEL II

Mr. James C. May
President and Chief Executive Officer
Air Transport Association

Mr. Kevin Mitchell
Chairman
Business Travel Coalition

Mr. Paul Rosenzweig
Senior Legal Research Fellow
The Heritage Foundation

Mr. David Sobel
General Counsel
Electronic Privacy Information Center


