The DHS Office of the Inspector General (OIG) has released a redacted version of a report (OIG-09-103) that was provided to Congress in August, evaluating the TSA’s “Traveler Redress Inquiry Program” (TRIP). The TRIP name may be corny, but it’s also oddly accurate: it’s a system for inquiries, not answers, and as the OIG concludes it advertises more than it delivers and and often doesn’t result in real redress.

We commend Rep. Bennie Thompson, Chair of the House Homeland Security Committee, for requesting this report. It’s worth reading for giving one of the most detailed public descriptions to date as to the actual process by which a constellation of Federal agencies decide what entries to put on (and off) their “watch lists”, and who to allow to fly.

The OIG doesn’t consider the statutory, Constitutional, and international treaty-law right to travel, referring at one point to “the privilege of boarding an aircraft” (p. 68). But even within this perspective of travel as a privilege, not a right, the OIG concludes that the current redress and review procedure “is not fair” (p. 59):

This approach provides no guarantee that an impartial review of the redress complaint will occur. Instead, it ensures that the offices that initially acted on the TECS lookout and were the source of the redress-seeker’s travel difficulties will also be the final arbiters of whether the basis for the traveler’s secondary inspection is overridden…

DHS is required to offer aggrieved travelers a “fair” redress process. Impartial and objective review and adjudication of redress petitions is an essential part of any fair redress process. A process that relies exclusively on the review and consideration of redress claims by the office that was the source of the traveler’s grievance is not fair. CBP should modify its redress process in this area to provide for independent review.

Despite the redactions, the report also gives some interesting clues about the timeline for implementation of the DHS’s systems for transmitting per-passenger, per-flight permission to travel (”cleared”) messages to airlines. We were intrigued to read (p.56, 58) that:

CBP is now in the process of assuming responsibility for communicating watch list vetting results for all international passengers bound for the United States to air carriers through its interactive Advance Passenger Information System (APIS)….

DHS described CBP’s screening of travelers arriving in and departing from the United States using APIS and TECS as temporary.  DHS described CBP’s screening of travelers arriving in and departing from the United States using APIS and TECS as temporary. Secure Flight will assume all No Fly and Selectee watch list matching for international flights by the 1st quarter of FY 2011.

The revised APIS rules for international flights were effective February 18, 2008. The statement that CBP “is now in the process” of implementing the “cleared/ inhibited/not cleared” message back-channel to airlines, 20 months later, and sees it only as a stopgap, suggests that in reality the CBP not only hasn’t implemented the APIS permission scheme but may not be serious about implementing it at all. Why bother, when with only a little more delay they can hand the cost, infrastructure, and business-process problems over to the TSA to deal with next year as part of the Secure Flight rollout?

This passing comment in the OIG report implies that we haven’t yet seen the practical problems that will result when the DHS flips the air travel default from “yes” to “no”, from a “no-fly” blacklist to a “cleared” whitelist. It also implies that there is still time for the Obama Administration and the Congress to head off this train wreck (and its multi-billion dollar expense) by withdrawing the APIS and Secure Flight regulations before their central feature — the requirement for affirmative, individualized permission to travel — is put into effect.

The OIG also concludes (pp. 77-78) that TRIP data constitutes a “system of records” within the meaning of the Privacy Act, for which a “System of Records Notice” (SORN) is required to have been published in the Federal Register, but has not been:

CBP redress staff enter redress case information from TRIP’s RMS into CBP’s system on all TRIP cases that CBP processes. This case information includes addresses; dates of birth; drivers’ license and passport numbers; travel information; heights; weights; hair and eye colors; and copies of identifying documents. CBP staff can electronically retrieve this information from its case management system using identifying information such as a redress case number or date of birth. CBP’s redress case management system is therefore a system of records under the Privacy Act, and an IT system covered by the E-Government Act.

The redress case management system that CBP uses to monitor TRIP cases is not compliant with requirements of the Privacy Act or E-Government Act. CBP is required to issue both a notice and an impact assessment for its redress case management system, but has not done so.

Maintaining a system of records without a valid published SORN is a criminal violation of the Privacy Act on the part of the responsible CBP official(s). Despite identifying such a crime, the OIG report makes no mention of criminal investigation or enforcement, saying meekly that, “Because CBP has operated and maintained this system for more than two years, we believe that CBP should issue the proper notices as soon as possible.”

That not enough. Violations of the criminal provisions of the Privacy Act against maintenance of unnoticed systems of records can only be committed by Federal officials, and by their nature these violations are likely to be invisible to the public. Only an independent but internal oversight and enforcement body has the ability to investigate and prosecute these criminals. If the OIG won’t take action when they identify clear violations of the criminal provisions of the Privacy Act by officials within their within their agency jurisdiction, do those penalties really have any meaning or deterrent value?