Heavily redacted records released by the Transportation Security Administration (TSA) last month, more than six years after they were requested by the Electronic Privacy Information Center (EPIC), give fragmentary clues to the answer to an important question: Just how many air travel blacklists does the US government have?
Only 57 of 604 pages of records found by the TSA to be responsive to EPIC’s request have been released, and only in redacted form. During the years the request was pending, 104 pages of responsive pages were destroyed “due to the records disposition schedule.”
The records released to EPIC include portions of agreements between the TSA and US Customs and Border Protection for operational interfaces and procedures, sharing of blacklist (“watchlist”) data, and sharing of costs related to the TSA’s Secure Flight pre-crime profiling and travel control system.
Included in one of those TSA-CBP agreements is the table at the top of this article, showing the various blacklists used by the Secure Flight system (along with other pre-crime prediction algorithms that are rule-based rather than list-based) to determine who to allow to fly, who not to allow to fly, and who to subject to more intrusive searches.
The red boxes show redacted cells in the table, including the number of entries on the No-Fly, “Selectee” (more intrusive search), and “Expanded Selectee” lists.
The table reveals, for the first time, the numbers of people on two other more obscure air travel blacklists. As of 2012, there were 19,000 entries on the TSA Pre-Check® Passenger Disqualifying Protocol (PDP) list, and 80 entries on the “Do Not Board List” (DNBL) provided to the TSA by the US Centers for Disease Control (CDC).
The PDP list was mentioned in a TSA Privacy Impact Assessment in 2016, but we’ve been unable to find any information about the “protocol” that by 2012 had already been used to put 19,000 names on this TSA blacklist.
The CDC travel blacklist was proposed in a CDC Notice of Proposed Rulemaking in 2016. That notice didn’t mention that the DNBL had already been in existence since at least 2012, as we’ve now learned from the TSA files released to EPIC.
The Identity Project and more than 15,000 other individuals and organizations filed comments overwhelmingly opposing the CDC proposal.
The CDC brushed off most of the objections and issued a final rule giving administrative approval to its proposal in January 2017. But nobody except those who actually read the Federal Register every day learned about the final rule, because it was posted online in the wrong docket on the Regulations.gov Federal rulemaking website. The CDC travel rule still showed as open pending consideration of the public comments until last week, when the final rule was moved to the correct docket on Regulations.gov on October 11, 2018.
In the analysis of public comments accompanying its final rule in January 2017, “CDC notes that historically, the issuance of Federal orders is rare (i.e., one to two orders issued per year).”
Unless there was some drastic change in CDC practices, which seems unlikely, it’s hard to reconcile that claim with the TSA List Overview showing that there were already 80 names on the CDC Do Not Board List by June 2012. The absolute numbers are small compared to some of the other TSA blacklists, but there’s a big difference between “one or two orders issued per year” and 80 entries on the CDC air travel blacklist.
Finally, the TSA “List Overview” has an entirely redacted last row for some other air travel blacklist we can only guess at. Feel free to add your speculation or insider information about this additional air travel blacklist in the comments.