A Briefing On Public Policy Issues Affecting Civil Liberties Online
from
The Center For Democracy and Technology
(1) TSA Issues Second Privacy Act Notice Expanding and Narrowing CAPPS II
(2) Mission Creep Begins: Scope of CAPPS II Expanded
(3) TSA Exempts CAPPS II Program from Important Privacy Act Protections
The Transportation Security Administration released today an interim Privacy Act Notice on its Computer Assisted Passenger Prescreening System, or CAPPS II, announcing that testing of elements of the controversial airline security program is beginning. While TSA has imposed some important privacy protections on CAPPS II, it expanded the system's mission to include catching ordinary criminals who pose no special risk to airlines and it exempted the system from a number of Privacy Act protections.
The new notice is far clearer than the one originally published in January. TSA and the Department of Homeland Security's new Privacy Officer, Nuala O'Connor Kelly, should be commended for providing significant details about the plans for CAPPS II, and for seeking further public comment. CAPPS II will not be used to actually screen passengers until further comments are considered. The Notice also acknowledges the importance of evaluating the effectiveness of the system during the testing period to decide whether to go forward with active implementation.
The Interim Notice also puts into writing some important privacy protections that TSA has been promising Congress and privacy advocates for the last several months. It confirms that TSA would rely on commercial data providers only to authenticate the identity of passengers, and that it would not use health information or credit worthiness as part of that authentication process. It also clarified that commercial data providers would not be permitted to retain any data provided to them by the government for purposes of CAPPS II.
The new Notice states that the government would retain data about a U.S. person (a citizen or permanent resident alien) only for a "certain number of days" after the person's travel has been completed -- not the 50 years indicated by the first notice. We note, however, that until recently TSA had been saying that passenger data would be purged immediately after the completion of a flight.
The new Interim Privacy Act Notice for CAPPS II is at http://www.cdt.org/security/usapatriot/030731cappsii.pdf
For background on CAPPS II and other initiatives: http://www.cdt.org/security/usapatriot/datamining.shtml.
Despite these important protections, CDT is concerned about the expansion of the scope of CAPPS II. According to the Interim Notice, CAPPS II would be used not only to identify individuals (including U.S. citizens) with ties to international terrorist organizations, which TSA repeatedly stated in recent months was the sole goal of CAPPS II, but also: (1) individuals with ties to domestic terrorist organizations (a category left undefined); (2) individuals with outstanding federal or state arrest warrants for crimes of violence; and (3) potentially, visa and immigration violators. Each of these expansions creates a significant danger.
The question of who is considered a domestic terrorist is not a simple one. Certainly if the Intelligence Community has specific intelligence about a threat to aviation security from a particular domestic organization, TSA should coordinate with the FBI to prevent an attack. But in the absence of such a threat, how does TSA decide who is a domestic terrorist who should be flagged by CAPPS II? Does it include anti-abortion activists who break the law by blocking access to abortion clinics or who may be organizationally or ideologically related to those who have killed doctors or committed arson at clinics? Does it include members of Earth First or other radical environmental groups that have engaged in illegal acts and have been investigated by the FBI as terrorists? By expanding CAPPS II to the realm of purely domestic terrorism, TSA will find itself having to evaluate the political activities of Americans, which is not a role it should relish.
Similarly, it is not clear that individuals with outstanding warrants for crimes of violence are a threat to other airline passengers. To the degree they are a threat to individuals after they get off the plane, that goes far beyond the scope of TSA's mission of aviation security.
In terms of immigrants, the otherwise informative Notice is unclear. One sentence states: "It is further anticipated that CAPPS II will be linked to the U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program at such time as both programs become fully operational, in order that the processes at both border and airport points of entry and exit are consistent."
These additional uses of the program, no matter how compelling they might seem, would divert resources from the core mission of aviation security, thereby reducing TSA's ability to keep airline transportation safe from terrorists. The broader the mission, the higher the likelihood of mistake.
The Interim Notice exempts the CAPPS II program (and its associated "system of records") from key provisions of the Privacy Act. For example, CAPPS II would be exempt from the Privacy Act's requirement that agencies maintain only records "relevant and necessary" to accomplish their statutory purpose.
Other exemptions eliminate the possibility of judicial review of TSA's response to citizen requests for access to or correction of data used by CAPPS II. The Interim Notice exempts CAPPS II from the provisions of the Privacy Act that require agencies to provide individuals with access to certain government records and the opportunity to correct them. TSA instead proposes substituting its own procedure for individuals to request access to CAPPS II records. But that procedure offers no opportunity for judicial review of any TSA decision to deny access to particular records.
Comments are due to TSA within 60 days. CDT will be submitting comments and urges interested citizens to do so as well.
Detailed information about online civil liberties issues may be found at http://www.cdt.org/.
This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_9.16.shtml.
Excerpts may be re-posted with prior permission of ari@cdt.org
Policy Post 9.16 Copyright 2003 Center for Democracy and Technology
