Oct 22 2008

TSA won’t give up on “Secure Flight” travel permission and surveillance scheme

The DHS and TSA announced their final rule for the Secure Flight program for the control and surveillance of airline passengers during a photo op today at Reagan National Airport.

We aren’t among the journalists to whom the TSA’s anonymous spin doctors chose to leak their plans.  We’ll have more comments after we have reviewed the complete 195-page regulatory notice in more detail.

But our first reading of the “final rule” released today, as well as recent TSA and DHS comments about Secure Flight, including their press release today and testimony at a Congressional hearing we attended last month, suggest that their plans remain essentially unchanged from the Secure Flight proposal announced last year, and which we urged the TSA to withdraw as illegal in our testimony at the TSA’s public hearing and our more detailed written comments.

The DHS’s current spin on why we should love Big Brother and welcome Secure Flight is that it would reduce the number of people who are improperly prevented from flying or improperly subjected to more intrusive “secondary” search and/or interrogation, by “transferring watchlist matching from the airlines to the government”.

But the solution to the problems with “watchlists” is not to tighten their enforcement, but to replace secret administrative “no-fly” and “selectee” determinations with judicial determinations of dangerousness, made by judges in response to government motions for injunctions or restraining orders, and presentation of evidence sufficient to show that they pose a danger to aviation so great as to warrant restriction of their Constitutional and human rights to freedom of travel, assembly, and movement.  We don’t need to establish a new system of (secret) administrative pseudo-justice.  That’s what the courts are for, and they already have an established system of due process and review, including procedures for dealing safely with classified evidence related to national security.

Bloomberg reports that “Passengers will be reviewed against 16,000 people required to get additional scrutiny and 2,500 barred from flying, the Transportation Security Administration said in disclosing the list totals for the first time today.”  If those numbers are true, they are small compared to the numbers of restraining orders and injunctions issued every year against people found to pose a danger in domestic violence cases.  A few thousand court proceedings to determine if these people really pose a danger to aviation would cost far less than the billions of dollars to be spent on Secure Flight systems for secret administrative determinations of dangerousness in the cases of millions of travelers. (Update: Transcript of press conference with Secretary of Homeland Security Chertoff and TSA Administrator Hawley.)

The TSA and DHS description of Secure Flight as a “watchlist matching” program is deeply misleading.  None of the requirements in the rules are actually limited to watchlist matching.  In this respect, there are major discrepancies between the (nonbinding) description at the start of the regulatory notice issued today, and the actual regulations that follow it (the last 20 pages of the notice).  The TSA claims that Secure Flight will not use data mining or commercial data or assign risk scores to passengers.  In fact, the whole point of the Secure Flight program is to mine commercial data about each prospective passenger obtained in advance from airlines, in order to assign each would-be passenger a binary risk score: “cleared” or “not cleared” (with the default, in the absence of any decision by or message from the TSA, being “not cleared”).

The essence of the Secure Flight final rule would be to (1) impose a new, two-stage, requirement for all would-be air travelers to obtain government permisison to fly, first in the form of a discretionary government decision to issue an acceptable form of identification credential and second in the form of a discretionary decision to send the airline a “cleared” message authorizing a specific person to board a specific flight, and (2) require all would-be air travelers to provide identifying information to the airline and the government prior to each flight.

The permission requirement is obviously a general scheme of travel control, directed at everyone and not just at those on watchlists. Nothing in the proposed regulations would (1) set any standards for how the government’s decision to issue travel credentials or clearance messages (or not to do so) would be made or what these decisions would be based on, (2) limit adverse decisions to those on “watchlists”, (3) permit travelers to know what decisions had been made about them (except to the extent that they could guess from whether they were permitted to board a flight, which wouldn’t guarantee that they would be permitted to board their next flight, even a connecting or return flight), or (4) provide for any form of due process or judicial review of these decisions.

In this respect, Secure Flight is not the watchlist matching program that the government claims: it is a program for enforcing a secret, standardless, nonreviewable administrative “black box” of total control of all air travel within the USA, much as the DHS already controls international air travel to, from, or via the USA under the APIS rules.

The current default of “yes” would change to “no”: Instead of their current obligation as common carriers to transport all passengers willing to pay the fare and comply with the general conditions in their published tariff, airlines would be prohibited from transporting anyone except with the express prior per-flight, per-person permisison of the government, in the form of a “cleared” message.

The ID requirement is being proposed as a necessary a prerequisite to the travel control scheme, but it is also the essential prerequisite for travel surveillance through the identity-based logging and compilation of “travel history” records both by unregulated commerical entities (airlines and computerized reservation systems) and the government.  The Secure Flight ID requirement will allow the government to construct (or to obtain from airlines or CRSs, through the secret use of National Security Letters, thus evading restictions on the government compiling and maintaining these records itself), logs of our domestic flights and travel reservations similar to the tens of million of illegal dossiers on US citizens’ international journeys that the DHS has already admitted to compiling through the Automated Targeting System, APIS, and related data collection, mining, and aggregation systems.

In preparing for today’s announcement, TSA Administrator Kip Hawley told Business Travel News earlier this week that, “We’ve had very good input from the people affected through the rule process. We know the concerns that people might have had, and when the rule comes out, those will be well addressed.”  The only way our concerns would would have been “well addressed” would have been if the Secure Flight proposal had been entirely withdrawn or drastically modified to recognize that freedom to travel is a human right, and to allow that right to be restrict only on the basis of valid court orders.  Our concerns have not been addressed at all, so far as we can tell — not that we really expected them to be, since the TSA hasn’t listened to the practical concerns of the travel industry either.  Hawley shouldn’t lie about the extent to which his agency has (or, in this case, hasn’t) acted on our comments.

In the same interview, Hawley was asked about the impact of the new rule on travel agents who would have to collect and enter additional personal information, not supported by their current software, about all travelers:

BTN: In regard to Secure Flight, date of birth is not a data element travel agents currently collect, so they’d likely have to modify some systems. Are there any timeframes for when they’d have to be compatible?

Hawley: … That is principally the issue that the travel community will have to deal with, particularly the airlines, to accommodate the date-of-birth information. But it’s not a huge volume of additional data, and it’s not complex. It’s not so much a technical challenge, but a matter of getting around to it.

This answer from Hawley makes clear that he still doesn’t get it: He was asked about travel agents, who actually create the majority of Passenger Name Records (PNRs) for air travelers.  But he responded with a claim that this is a problem that the airlines particularly will have to deal with, despite having heard to the contrary from representatives of travel agents, face to face with him at the hearing last year where we also testified.  If he knew anything about reservation technology, or had been paying any attention to what the travel industry has been telling his agency, he also wouldn’t have claimed that adding fields to ancient, crufty, mainframe databases is “not complex”.  And if the prerequisites for Secure Flight haven’t yet been implemented in the tens of thousands of databases, user interfaces, scripts,”middleware”, and other software, that’s not because they “haven’t gotten around to it” but because the TSA refused to tell the airlines, until today, what would be required.  As the international airline trade association IATA told GovernmentEexecutive.com last week, “It’s just another regulation … that DHS seems to be impervious from taking feedback on for fixing,” said Ken Dunlap, IATA’s director of security. “This is the perfect storm of DHS regulations.”

(Hawley doesn’t have to worry about how to implement the new rule.  He says he intends to resign after the Presidential election, regardless of its results.  Perhaps he’ll go back through the revolving door to work for a DHS or TSA contractor. Whatever he does, it will be up to his successor and the next Administration — and travelers and the the travel industry — to deal with the mess he’s made.)

TSA and DHS have been repeatedly forbidden by Congress from spending any money to implement Secure Flight or any “successor or follow-on program” unless and until the Government Accountability Office certifies that it has met a set of tests spelled out in a series of DHS Appropriations Acts over the last 4 years.  It’s difficult for us to see how those tests could be met, but there was no mention in today’s DHS press release of any GAO certification.  [Follow-up: Where is “Secure Flight” headed next?] In particular, the GAO must certify that:

(2) the underlying error rate of the government and private data bases that will be used both to establish identity and assign a risk level to a passenger will not produce a large number of false positives that will result in a significant number of passengers being treated mistakenly or security resources being diverted;

In evaluating the Secure Flight proposal against this standard, the GAO must consider not just (1) the system’s performance in matching entries on watch lists (names and other personal information) against similar entries from “Secure Flight Passenger Data” (SFPD), but the accuracy of “assigning risk levels to passengers,” i.e (2) how accurate is the “black box” watchlist process in accurately predicting which people are likely to attempt to engage in air terrorism, and (3) how likely is SFPD to correspond to actual passengers’ identities, given the likelihood of identity theft by would-be air terrorists.  We cannot imgine that, if it actually looks at these issues, the GAO would be able to certify that Secure Flight meets the standards established by the Appropriations Acts.

5 thoughts on “TSA won’t give up on “Secure Flight” travel permission and surveillance scheme

  1. Pingback: "Secure Flight" now part of the Bush Administrations Legacy [Emergent Chaos] | Small Business System

  2. Pingback: What China calls “social credit”, the US calls “risk assessment” | Papers, Please!

  3. Pingback: Canada copies US “Secure Flight” air travel controls – Papers, Please!

  4. Pingback: “Put them on the no-fly list!”

  5. Pingback: “Put them on the no-fly list!” – Papers, Please!

Leave a Reply

Your email address will not be published. Required fields are marked *