Jill Rhodes is an attorney and Senior Advisor for Homeland Security Programs with SRA International, Inc. She has focused on national security issues in the areas of critical infrastructure protection and biological defense, as well as legal matters impacting national security. She is a former Foreign Service Officer and international democratic development expert, previously stationed in Russia and Bolivia. She has lived and worked in France and throughout eastern and southern Africa. She is studying for a master's degree in national security law at George Washington University.
CAPPS II will operate under a stringent privacy protection protocol being developed through discussions with privacy groups, both in the U.S. and internationally, with Congress, and with the public. Strict firewalls and access rules will protect a traveler's information from inappropriate use, sharing or disclosure.
Admiral James M. Loy, head of the Homeland Security Department's Transportation Security Administration, testimony before the House Government Reform Committee, Subcommittee on Technology and Information Policy, 6 May 2003
I might have been a gold-fish in a glass bowl for all the privacy I got.
Saki, pseudonym of H. H. Munro, The Innocence of Reginald, 1904
Overview
A transparent system that protects national security interests while maintaining privacy standards would be welcomed with open arms by many. It is not the system itself that is at issue, but rather an overall lack of trust between passengers and authorities with respect to how the information will be collected as well as the type of personal data that will be reviewed, who will access the data, how risk codes can be modified and appealed, and, overall, whether the system will really accomplish what it is set up to achieve. Only through open dialogue can trust in the system be built. This dialogue is not occurring with the second Computer-Assisted Passenger Prescreening System (CAPPS II).
CAPPS II is scheduled to be activated in August or September 2004. It will provide airline passengers with a red, yellow, or green risk code, based upon a rapid database search, and will determine the level of security scrutiny a passenger will receive prior to boarding the plane. Green-coded passengers are not considered a threat and will follow normal security procedures, including electronic screening; yellow-coded passengers are either an unknown or possible threat and will be subjected to heightened screening, such as a bag search and search of their person; red-coded passengers are deemed a high risk and will not be allowed to travel, and law enforcement authorities will be contacted.1 While the Transportation Security Administration (TSA) sees this as a breakthrough system that will improve air travel security, the controversy surrounding CAPPS I has brought together organizations from both sides of the issue to challenge its validity and constitutionality. The American Conservative Union and the American Civil Liberties Union have held joint press conferences expressing concern about privacy violations and the potential for abuse and mission creep (gradual expansion of a mission) within this program.2 The European Commission initially expressed outrage and refused to supply certain information.3 On the other hand, TSA officials have commented that much is being done to protect privacy and prevent system abuse.4 The challenge is to find a balance between security and privacy interests and then to explain to all interested parties how this was reached.
The problem is not necessarily the system, but rather the lack of transparency and information available about how the system will operate, the type of information reviewed, and the inability to challenge the validity of the system's outputs. In addition, since this program is still in its developmental stages, there are weaknesses and gaps that have yet to be filled. The most disconcerting of these weaknesses is the lack of an effective review process if a passenger is wrongly given a yellow or red risk code. Since the system holds no actual data, but rather numeric codes, it is nearly impossible to trace back the passenger score to determine the source of the mistaken or misleading information. As with the current CAPPS, this lack of review can cause significant problems, frustrations, and delays for law-abiding passengers, making it nearly impossible for them to fly.
Background Leading to the Development of CAPPS II
Airport security has seen significant changes during past decades. In the early 1980s, when a passenger flew, there was minimum security, with only a quick scan, and passengers were not even required, unless flying internationally, to produce identification. As security concerns continued to emerge, passengers became subjected to more screening, including identification requirements. After the deployment of CAPPS I in 1999, security continued to increase, but visitors and non-travelers could wait for their friends' and relatives' arrivals at the gate, and a passenger could arrive 30 minutes before a flight and still reach the gate in time to board. Since 11 September 2001, security has been tightened, and now only passengers may approach the gates, and this only after a full search in which they often must remove shoes, belts, and jewelry. Even with this security, additional searches may occur at the gate prior to boarding. This creates numerous delays, and passengers now must prepare for an extra one to two hours at the airport if they hope to fly. While CAPPS II is supposed to lead to greater security, it will not reduce the time it takes to get through the security process. The same types of security measures will continue, with a hope to isolate passengers who may be a greater risk to security.
On 17 July 1996, TWA Flight 800, flying from New York to Paris, exploded over the Atlantic Ocean, killing all 230 people on board. While the government concluded that aged wiring ignited the center fuel tank, many other potentially valid theories have been advanced, including a bomb and a possible surface-to-air missile.5 As a result, President Clinton initiated a White House commission, led by Vice President Gore, to study aviation security. At the same time, Congress passed and President Clinton signed the Federal Aviation Reauthorization Act of 1996,6 which mandated airport security measures, including passenger profiling. As part of the act, the Federal Aviation Administration (FAA) was required to prioritize development of automated surveillance targeting systems and work with airlines to develop passenger profiling systems.7 Two years later, the Gore Commission concluded its analysis and recommended the deployment of CAPPS I, which was quickly initiated for all international flights.8 On 19 April 1999, the FAA issued a Notice of Proposed Rulemaking, which mandated the implementation of CAPPS I.
CAPPS I, in use at airports globally, was developed and is managed by the airline industry. It conducts risk assessments by using 8 to 23 (unidentified) generic rules to assign risk scores. The program is linked through the airline computer reservation system and is based solely on information provided by the passenger to the airlines, including payment information.9
CAPPS I is extremely limited in scope. It doesn't aggregate data or expand much beyond checking bags and matching baggage to passengers; therefore, it is easily compromised.10 In fact, two students at the Massachusetts Institute of Technology developed an algorithm for defeating CAPPS I.11 As part of their discussion, they argued that the system is easy to bypass: a terrorist organization would need only three factors: a diverse membership; money, patience, and planning skill; and an understanding of the MIT algorithm.12 Simply stated, a terrorist organization could send members without any harmful materials to board planes to determine whether they will be flagged by CAPPS I. One who is flagged will not be a part of the actual terrorist mission. This would continue until there was an adequate number of terrorists who had not been flagged after several flights and would likely not be flagged in the future.13 This model may have been tested on 11 September 2001. Newsweek reported that in the weeks before September 11, Atta and his conspirators practiced their attack by boarding the exact same target flights they intended to later hijack (same planes, same times, same origins and destinations).14
Despite this, CAPPS I targeted 9 of the 19 hijackers on 11 September, but only their baggage was searched, not their carry-on luggage or their persons.15 Perhaps the failure was not necessarily in the computer system itself, but in the lack of procedures to properly follow up once a passenger has been flagged. One other weakness of CAPPS is the large black S placed on boarding passes, which gives passengers notice that they've been specially selected and will be pulled aside. This warning gives ample opportunity for terrorists to abandon flight plans and leave the airport. With these weaknesses, even before 11 September 2001, security specialists had expressed reservations about the effectiveness of CAPPS I. They commented that there had been too many disclosures about its passenger risk-assessment mechanisms, which, for example, look at factors such as the date of purchase, payment method, and type of ticket (one-way versus roundtrip).16 The attack of 11 September launched the United States into a new era of protectionism and security awareness, including the call for development of a new CAPPS with additional protection mechanisms. This system, if not used appropriately, may unduly restrict law-abiding citizens yet still not protect the country from terrorists in the air.
CAPPS II: What Is It and How Does It Work?
On 11 September, the apparent weaknesses in the airport security systems were exposed and exploited. Just over two months later, on 19 November 2001, President Bush signed the Aviation and Transportation Security Act,17 which federalized the airport security function and created TSA, under the Department of Transportation. TSA's duties include screening of all passengers18 and developing procedures for screening and inspecting all individuals, goods, vehicles, and other equipment before it is allowed to enter the secured area of an airport.19 The Aviation and Transportation Security Act expanded the 2001 Aviation Security Act to include all passengers and not just those with checked bags.
The Homeland Security Act of 2002 [20] created the Department of Homeland Security (DHS), which consolidated 22 agencies into one umbrella organization. The mission of DHS is to prevent domestic terrorist attacks, reduce the overall terrorist threat, reduce U.S. vulnerability to the threat, and provide emergency management and response support after an attack occurs. The Homeland Security Act also established an Under Secretary for Border and Transportation Security who is responsible for securing all ports of entry and preventing terrorists from accessing all modes of transportation: airplanes, ships, trains, and others.21 The legislation also provided for a TSA transfer to DHS. But before this occurred in 2003, TSA received $45 million to begin the expansion of CAPPS I into CAPPS II.22
On 15 January 2003, the Office of the Secretary of Transportation23 posted a Federal Register announcement24 describing a new system called the Aviation Security Screening Records.25 This was the new CAPPS II program, which would facilitate the conduct of an aviation security-screening program, including risk assessments to ensure aviation security.26 As described in the announcement, the records would apply to individuals traveling to, from, or within the United States by passenger air transportation; individuals who are deemed to pose a possible risk to transportation or national security, a possible risk of air piracy or terrorism, or a potential threat to airline or passenger safety, aviation safety, civil aviation, or national security.27 All types of data would be used, including Passenger Name Records,28 financial and transactional data, public-source information, and law enforcement and intelligence information.29
In addition, the announcement set out 11 routine uses30 of records maintained in the system, along with their purposes. These uses were broad and vague and included granting access to
- National and international law enforcement agencies to search for potential civil or criminal violations
- Contractors, grantees, or anyone working with TSA, to assist TSA in any function relevant to the purpose of the system
- The news media as the information relates to criminal or civil proceedings
- Federal, state, or local agencies as part of a pre-hiring process
- International and foreign governmental authorities in accordance with law and formal or informal international agreements
- Justice departments for use in relevant court proceedings
- Aircraft operators
Under the announcement, data on those who may pose a risk to transportation security would be stored for 50 years and be retrievable by passenger name or other flight information. In addition, national security restrictions prevent access to the information in the database, except for the information originally provided by the passenger.31 TSA will develop a separate process solely for correcting information originally provided by the passenger. Nothing is planned for correcting false information that is in the system but not provided by the passenger.
In the six weeks provided, significant comments were received, including concerns about privacy issues, mission creep, and overall data mining.32 On 1 August 2003, TSA, through the new Department of Homeland Security, issued a second Federal Register announcement. This one was much more detailed than the announcement in January, and it limited the scope of CAPPS II. The announcement began to address many of the concerns expressed about CAPPS II, and, as a result, it established a somewhat new vision for CAPPS II while still leaving many questions unanswered and discrepancies in available information. This has led to more confusion than clarification about the workings of CAPPS II.
The August 2003 announcement established the latest framework for CAPPS II. The 2003 announcements alone do not provide a clear understanding of the system, but when they are combined with additional research and interviews, a broader picture of CAPPS II emerges.
CAPPS II is fast and complex, intended to complete each passenger data search within five seconds of receiving the initial information. All information will be gathered prior to the departure of the passenger's flight, so all screening may also occur prior to the plane's departure. First, approximately 39 data points will be collected from Passenger Name Records data,33 either from airlines or from the airline-fed Global Distribution System.34 This information will be brought together with the passenger's name, address, home phone number, and date of birth and placed into a standard format. It then will be submitted into a risk-assessment engine to determine whether a person is rooted in the community.35 The risk-assessment engine will link, initially, to two commercial databases: Lexis/Nexis and Acxiom.36 Both databases aggregate data and maintain information about people and their commercial habits. By applying algorithms, the risk engine will ask the databases for information about each passenger. Information considered cannot include medical data or bank or credit history reports, but it may include37 data about or from
- Businesses frequented
- How often a passenger has moved
- Outstanding arrest warrants
- How long the passenger has owned a car
- Where family members live38
- Phonebooks or magazine subscriptions
- Credit header information, that is, information at the top of a credit report that could confirm a person's address and state whether the passenger holds credit cards with certain companies39
The risk-assessment engine will seek information from the two databases, but the algorithms weight the data. Rather than submit written questions, the risk-assessment engine will submit a series of codes to Lexis/Nexis and Acxiom; in return, the databases will send the risk-assessment engine a confidence score and reason code, rather than specific passenger information. At no point in the process will actual passenger information, outside the Passenger Name Records and four information points,40 be revealed or reviewed: only a set of numbers that include a confidence score and reason codes.41 The August 2003 TSA announcement states that authentication will not be by a permanent co-mingling of data, but merely by the commercial data providers transmitting back to TSA a numeric score, which is an indication of the percentage of accuracy of the match between the commercial data and the data held by TSA. This will enable TSA to have a reasonable degree of confidence that each passenger is who he or she claims to be.42 The commercial data providers will be limited in their continued access to the data. In fact, they will not be permitted to
- Retain the data in any commercially usable form
- Retain information about the response provided to TSA in any record they maintain about the individual
- Create a persistent link between the individual's record in the private sector and that person's records within CAPPS II43
Once a confidence score is returned to the risk-assessment engine, that information will be screened by a classified black box system44 that contains intelligence and other watch list-type databases. This may include law enforcement as well as U.S. and foreign intelligence databases.45 The August 2003 TSA announcement stated that while the CAPPS II system is designed to determine the likelihood that a passenger is a known terrorist, or has identifiable links to terrorist organizations, information regarding persons with outstanding state or Federal arrest warrants for crimes of violence may also be analyzed and applied in the context of the system where there is an indication of a serious violation of criminal law.46 The black box will review the data and translate it into a combined passenger risk score. The score may be low, unknown, or high, better understood as green, yellow, or red. Green-coded passengers will be able to pass directly through the normal security procedures, while yellow-coded passengers will be given heightened screening, and red-coded passengers will be referred to law enforcement and counterterrorism authorities.47 Officials estimate that fewer than 100 cases would be referred to law enforcement authorities each year,48 while an estimated 8% of passengers will receive yellow ratings. With an average of 2.5 million people flying daily, approximately 73 million people will be yellow-coded each year.49
TSA is in the testing phase of this program; this phase will continue until mid to late 2004.50 As part of the test, TSA is using and retaining Passenger Name Records data.51 At the same time, a persistent link to law enforcement databases will not be established for the tests, but if potential terrorist data is revealed during the testing, appropriate action will be taken.52 The testing phase will focus on the accuracy, efficiency, and effectiveness of the system in order to manage possible inaccuracies.53
As a result of over 200 comments received by TSA in response to the January 2003 announcement, the August announcement modified several aspects of routine uses of data. First, the January announcement stated that categories of records would include Passenger Name Records and associated data. This phrase was removed to limit the data available.54 As mentioned, health records and measures of creditworthiness previously included will not be included in the assessment.55 The 11 routine uses were reduced and modified:
Routine Uses of CAPPS II Data

| January 2003 Announcement | August 2003 Announcement |
| --- | --- |
| To national and international law enforcement agencies for potential civil or criminal violations. | For an outstanding state or federal arrest warrant for a crime of violence. |
| To contractors, grantees, or anyone working with TSA in order to assist TSA in any function relevant to the purpose of the system. | Not substantively modified: when necessary to perform a function or service related to the CAPPS II system. |
| To the news media as the information relates to criminal or civil proceedings. | Deleted. |
| To a federal, state or local agency as part of a pre-hiring process. | Deleted. |
| To international and foreign governmental authorities in accordance with law and formal or informal international agreements. | Removed "formal or informal." |
| In court proceedings. | No substantive changes. Records may be used as TSA determines that the records are both relevant and necessary to the litigation and as the use of such records is compatible with the purpose for which TSA collected the records. |
| To aircraft operators. | Limited to the extent that disclosure is deemed required for counterterrorism or passenger and aviation security purposes. |

Table 1. Comparative Changes Between the 15 Jan. and 1 Aug. 2003 Federal Register Announcements
While some changes in the August 2003 announcement were significant, other changes did not occur. The January announcement stated that all data would be held for 50 years. The August announcement suggests that, for U.S. persons, records will be deleted within a set number of days after the safe completion of the travel to which the record relates. The duration of data retention for other persons is still under consideration.56 This has created significant backlash and problems with international counterparts, especially the European Union. At the same time, TSA plans to retain existing records obtained from other government agencies, including intelligence information and other data that will be retained for three years, or until superseded.57
Unfortunately, lack of access to information still permeates the August announcement. As stated in the January announcement, passengers may request access only to information that they specifically provided to the airlines, not to information that has placed them on a yellow or red risk list. Even this information provided by the passenger may be denied if providing it is inconsistent with national security requirements.58 In addition, TSA claims several privacy exemptions based upon national security concerns, as set out in the Privacy Act of 1974. These exemptions significantly restrict the understanding of CAPPS II, the information gathered, and possible benefits and restrictions as a result.
Issues With the Current CAPPS II Process and Possible Resolutions
Implementation of CAPPS II may be the first time a collection process, working through a computer system, provides the basis for trust between the government and the private sector in establishing a mechanism to enhance national security.59 While CAPPS II could prove revolutionary, unless it is properly executed, the program could prove more harmful than beneficial. Several significant concerns should be addressed before its implementation.
Lack of Information Available About CAPPS II
TSA has restricted access to information about CAPPS II predominantly through two methods: first, through exemptions pursuant to the U.S. Privacy Act of 1974; second, through exemptions that deny public access to the privacy impact assessment. Resulting Congressional action may slow or deter CAPPS II development.
In the August 2003 announcement, TSA claimed several information access exemptions under the U.S. Privacy Act of 1974.60 The exemptions relate directly to one's ability to access information about oneself and amend those records if information is inaccurate or incorrect.61 The claim also exempts TSA from publishing in the Federal Register agency procedures for a passenger to be notified about any records pertaining to him or her,62 information about how a passenger can gain access to any record pertaining to him or her,63 and the sources of the information within the records.64 Moreover, TSA claims exemption from maintaining in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required.65 Essentially, through these exemptions, passengers have no recourse if they are flagged yellow or red, nor do they have a mechanism to review or challenge the information used to determine their risk score. In addition, despite the TSA claim that records will be deleted within a set number of days after the completion of a passenger's safe travel, with these exemptions, TSA may retain the information for as long as possible, even if the information is not relevant or necessary to the antiterrorism mission.
TSA is claiming these exemptions pursuant to 5 U.S.C. 552(b)(c)(1) and 5 U.S.C. 552a(k)(2), the U.S. Privacy Act of 1974.66 The first section provides that the exemptions may occur if the matter is specifically authorized under criteria established by an Executive order to be kept secret in the interests of national defense or foreign policy and are in fact properly classified pursuant to such Executive order.67 An Executive Order may have been signed making this information secret, but information about the order is not readily available.
The second section provides an exemption for investigatory material compiled for law enforcement purposes.68 This section has a caveat, though, which states that if any individual is denied any right, privilege, or benefit that he would otherwise be entitled by Federal law, the material should be provided to the individual unless it reveals its originating source and the Government has made an express promise that the information would not be revealed.69
For CAPPS II, as it has been explained, neither section applies. First, if an Executive Order has been signed classifying this system, information about this Executive Order is not available. Executive Order 12958 [70] sets out the framework for national security classified information, but classification levels are limited to Confidential, Secret, and Top Secret.71 The August 2003 announcement classifies CAPPS II as sensitive,72 and it therefore does not fall under this Executive Order. Next, even if we agree that it is investigatory, CAPPS II, by denying all passengers the right to see what information has been used to determine their risk code score and not providing an opportunity for inaccurate information to be corrected, has a chilling effect and will violate due process.
Freedom to travel throughout the United States has long been recognized as a basic right under the Constitution.73 In Pettit v. Penn, the court held that due process means
that no person shall be deprived of life, liberty, property or of any right granted him by statute, unless matter involved first shall have been adjudicated against him upon trial conducted according to established rules regulating judicial proceedings, and it forbids condemnation without a hearing.74
By not providing any opportunity for modification of inaccurate or misleading information, CAPPS II, as currently planned, violates due process and the overall fundamental right to travel.75 The August 2003 announcement states that TSA is developing a robust review and appeals process that will include the Department of Homeland Security Privacy Office.76 That said, since the only information available to a passenger is the information she or he initially provides prior to the flight, there is still no process to appeal a risk code score based on inaccurate commercial data.
Several examples in the implementation of CAPPS I demonstrate the need for such an appeals process at the airport. Through a Freedom of Information Act lawsuit, the Electronic Privacy Information Center obtained a series of government documents, some of which described extensive harassment and abuse under CAPPS I.77 In one case, a man with a Top Secret security clearance, who travels frequently from Syracuse to Washington, DC, to conduct business at the Pentagon, shares the same last name and birth year as someone on a watch list. Every time he flies, security flags and detains him until an FBI agent can come to the holding area to verify his identity.78 Another example is an airline pilot who is an American citizen with a common Pakistani last name. He sent a letter to Rep. Jack Quinn (R-NY) after the extensive screening he received at an airport almost caused the airline to cancel his flight.79 Still others include a 71-year-old retired English teacher and a 62-year-old grandmother.80
In January 2004, a college student, Alexandra Hay, through the Pennsylvania Chapter of the American Civil Liberties Union, filed a lawsuit against the Department of Homeland Security after learning that her name was on the no-fly list. During a trip home over Thanksgiving break, while she was at the airport, the airline informed her that, due to this, she might not be permitted to fly overseas for her school program of study abroad. The suit claimed that she had no criminal record, had never done anything that would qualify her as a threat, and belonged to no groups that threatened the United States. While the suit requested the removal of her name from the no-fly list, instead, a TSA attorney hand-delivered a letter declaring that her identity had been verified and that it was safe to allow her to fly overseas.81 Under CAPPS II, Ms. Hay would have been immediately detained, rather than informed about her status by the airline.
As CAPPS II continues its development, the developers should include some type of direct appeals process initiated at the airport. Passengers who are red or yellow coded and believe that this is a result of inaccurate information should be able to file an immediate appeal, similar to a lost luggage claim. These claims could be electronically sent to a central operations office where the data is being stored. Since the majority of the initial risk assessment is derived from an understanding of passenger information through commercially available data, appeals should focus on the risk engine rather than the black box. Representatives in the central operations office would review the data and adjudicate each case, providing an initial response within a few minutes. Specific security-cleared central operations office employees should be tasked only to work on these appeals, providing the quick response time for passengers coded yellow and red.82 Through these proceedings, passengers should be able to either review their accounts to search for discrepancies or, at minimum, be entitled to clarify information through a personal interview at a local federal office within 24 hours. Interviews may prove labor intensive, but if, through such a methodology, fewer false positives emerge and passengers have a right to modify inaccurate information, greater trust and confidence in the system will be established. While there are valid concerns about security for the types of data assessed through the risk engine, without recourse, CAPPS II could negatively impact 73 million people who would receive yellow risk scores and up to 500 passengers receiving red risk scores.83
Another possible solution to the lack of trust based upon limited information sharing is the development and publication of a privacy impact assessment. Under the E-Government Act of 2002, agencies are required to conduct privacy impact assessments for electronic information systems and collections and, in general, make them publicly available.84 The privacy impact assessment must be conducted before developing or procuring IT systems or projects that collect, maintain or disseminate information in identifiable form from or about members of the public.85
The privacy impact assessment must analyze and describe
- What information will be collected
- Why the information is being collected
- The intended use of the information
- With whom the information will be shared
- What opportunities individuals have to decline to provide information or to consent to particular uses of information, and how individuals can grant consent
- How the information will be secured
- Whether a system of records is being created86
While TSA should have completed a privacy impact assessment for CAPPS II as of 1 February 2004, the assessment had not been finalized.87 To an outsider, it appears that TSA has not fully considered the privacy impact of CAPPS II and will continue to build the system regardless. This is even more worrisome because TSA has classified the system Sensitive.88 While this should have no impact on the Privacy Act exemptions, it does exempt TSA from making the privacy impact assessment publicly available.89
Despite a right to not publish the privacy impact assessment, TSA should consider publishing those aspects of it that are less sensitive or would not compromise national security. The sources of the information are a key national security aspect, but TSA could still publicly answer each of the other points covered by the E-Government Act of 2002 without compromising the first. In addition, TSA could talk about the types of information not being collected, so as to allay some concerns and silence many of the rumors permeating the Internet and the press.90 The more information provided, the greater the trust passengers will have that CAPPS II will protect them and not hinder their travel and privacy rights.
On 22 January 2004, airlines met to develop privacy disclosure policies in response to government demands with respect to CAPPS II as well as suits filed by passengers against JetBlue and Northwest Airlines for revealing passenger information without informing passengers.91 Through discussions and rapid policy writing, the industry hopes to develop procedures that protect both security interests and passenger privacy.92 This discussion comes on the heels of an announcement that the government is planning to compel airlines and airline reservations companies to hand over all passenger records for scrutiny.93 The airlines are working with DHS to develop these measures and should involve the public. By involving public organizations at this phase, both the airlines and DHS could prevent future backlash after the policy is implemented.
Mission Creep
Mission creep is also a potential problem. While CAPPS II still has not come into effect, TSA has stated that it intends to extend its use to screen truckers, railroad conductors, subway workers and others whose transportation jobs involve the public trust.94 As the system expands, it could reach a point where, whenever a person travels, by whatever means, a data system will screen the personal information. CAPPS II will continuously evolve, ensuring that up-to-date information is assessed for each passenger.95 One concern with this is that the expansion into other avenues may prove limitless. The system could expand beyond railroad conductors to passengers, then to subway riders. It ultimately could become a tracking device for people who use any type of public transportation. As a result, this may lead to a chilling effect and an unlawful restriction on travel.
Another concern about CAPPS II is its provision of data to law enforcement agencies. In the January 2003 announcement, the original intent of CAPPS II included providing the data to national and international agencies for potential civil or criminal violations.96 The August 2003 announcement limited this to persons with an outstanding federal warrant for a crime of violence.97 At the same time, violence is never defined. To provide clearer and more accurate information, TSA should define violence and specify the types of crimes that will cause the risk engine to red-flag a passenger.
TSA should provide information about its full intentions with respect to CAPPS II. It should place specific limits on the system's level of growth and explain how it expects the system will evolve. Once again, by reducing public skepticism and building a level of trust with the public, TSA could make CAPPS II an effective and successful system that the public is willing to support.
The System May not Achieve Its Intended Goals
Despite the tremendous efforts, both technical and financial, the system may not achieve its intended goals. It may actually prove easy to bypass. First, someone can easily steal an identity and then use that to access a flight.98 A 2003 survey sponsored by the Federal Trade Commission estimated that almost 10 million Americans (4.7% of American adults) were victims of or discovered they were victims of identity theft in the past year (27 million in the past five years).99 For approximately 33% of the victims, it took less than one week to discover that criminals were using their information, mostly through misuse of noncredit card (that is, ATM) accounts.100 Almost 25% of identity theft victims took almost six months to discover the theft when new accounts were opened in the victim's name.101 The quickest discovery method was through billing cycle statements for credit cards and other accounts.102 This means that if identity theft occurs at the end of or immediately after a billing cycle, the victim would likely not discover it until the following billing cycle.
Given these statistics, it may prove easy for a terrorist to steal an identity and then use that information to both purchase a ticket via credit card and board a flight. One source stated that CAPPS II is fluid in that it is constantly gathering up-to-date information, which means that as soon as the theft is discovered and reported,103 it would become part of the responses returned to the risk engine.104 This may have an opposite effect. First, the thief will likely use the identity as quickly as possible, thereby avoiding heightened airport scrutiny. Second, once identity theft is discovered, the victim may actually be risk-coded yellow or red because the identity theft will be noted in the person's record. Without an effective appeals process, the victim will likely be flagged for every flight thereafter.
Next, as with CAPPS I, the algorithm developed by MIT may still prove effective for bypassing CAPPS II. It would be limited only to a question of probabilities. If a passenger risk score is green for several flights, what likelihood is there that the next flight will also be green? One source said that just because a person is risk-coded green on one flight will not mean the person will continue to be risk-coded green. The system looks for behavior patterns, and behavior that may seem too normal might be flagged.105 This is especially disconcerting and provides no true basis for flagging passengers.
In addition, the system may not address the root of two problems with current aviation security: poor screener performance and lack of screener training.106 Until this is addressed, no system is impenetrable. In September 2003, the General Accounting Office issued its preliminary findings on progress in passenger security.107 Some of the initial findings are these:
- TSA has not fully developed or deployed recurrent or supervisory training programs
- TSA collects little information about screener performance in detecting threat objects
- While TSA has implemented test programs using contract screeners in lieu of government screeners, it has not developed an evaluation mechanism to measure the difference in airport security108
The report mentions several positive steps that TSA has taken to improve the skills of screeners, but TSA concluded that four key factors contributed to the identified deficiencies: (1) lack of skills, knowledge, or information; (2) low motivation; (3) ineffective work environment; and (4) incorrect or missing incentives.109 TSA is developing solutions for each of these areas, but, overall, to ensure aviation security, both the technology and the screeners will need to function effectively.110
International Ramifications
Finally, there are significant international ramifications with respect to the current proposed system. The European Commission has already expressed outrage about providing the U.S. government with the 39 required data points that would then be held for seven years.111 At a May 2003 DHS briefing to the European Parliament, European leaders emphasized a need for equal treatment for U.S. citizens and non-citizens.112 In October 2003, the European Parliament passed a resolution with respect to the current negotiations with the United States on this matter.113 The resolution calls on the European Commission to, among other things,
- Determine what data may legitimately be transferred to the United States
- Ensure in any negotiation that passengers will have full and accurate information as well as provide informed consent (to be defined)
- Ensure that passengers have access to a swift and efficient appeals process
- Deny airlines and computerized information systems any access to and/or transfer of data that is not in accordance with the European Parliament Directive on the protection of personal data114
The United States continued its negotiations with the European Commission and, on 15 December 2003, reached a tentative agreement,115 which changed the limit on the time the United States plans to store the data from 50 years to 3.5 and reduced the number of pieces of information on passengers from 39 to 34. The United States also agreed that the information gathered would be used only to combat terrorism and terrorist finance.116
Despite this, on 21 January 2004, the Belgian Privacy Committee published a decision that US airline companies that have transferred passengers' personal data have violated the Belgian law of implementation of EU privacy acts.117 Even with EU agreement, the international debate is still not over.
This political fire is slowly diminishing, although not without ramifications. The United States needs to continue its negotiations with the European Commission, possibly linking European intelligence agencies to the system so that they, too, can increase security within their aviation transportation systems.118 Additionally, as the United States places restrictions on its international counterparts, the restrictions may become reciprocal, but perhaps through other means, such as trade.
Maintaining the Balance: The Congressional Role
For CAPPS II to be effective, it needs not only to function, but also to receive user buy-in and support. Passengers need to have confidence in the system as well as in the people managing it, and this will come only through interchange that is more extensive. In response to the secrecy and lack of information surrounding CAPPS II and other database systems, Congress has paved the way for oversight in several areas.
First, in the fiscal year 2003 Department of Homeland Security Appropriations Act, all funding for CAPPS II was limited to testing until completion of the General Accounting Office February 2004 report on CAPPS II. Congress directed the General Accounting Office to assess and confirm that, among other things:
- A due process appeals system exists
- The underlying false positive/error rate is minimized
- An internal oversight board exists
- There are sufficient safeguards to prevent abuse
- Sufficient security measures will reduce system hackers and intruders
- Sufficient policies for oversight exist
- No specific privacy concerns with the technological architecture of the system exist119
The General Accounting Office found that TSA120
has not completely addressed seven of the eight issues identified by the Congress as key areas of interest related to the development, operation, and public acceptance of CAPPS II. Although TSA is in various stages of progress on addressing each of these eight issues, as of January 1, 2004, only one, the establishment of an internal oversight board to review the development of CAPPS II, has been fully addressed. However, concerns exist regarding the timeliness of the board's future reviews. Other issues, including ensuring the accuracy of data used by CAPPS II, stress testing, preventing unauthorized access to the system, and resolving privacy concerns have not been completely addressed, due in part to the early stage of the system's development.
Because of CAPPS II and other database information systems,121 several Senate bills are expected to be brought before the full Senate and presented to Congress within the next year. For example, the Citizens' Protection in Federal Databases Act would require a report on Federal Government use of commercial and other databases for national security, intelligence, and law enforcement purposes, and for other purposes.122 The legislation also states: "Notwithstanding any other provision of law, no department, agency, or other element of the Federal Government, or officer or employee of the Federal Government, may conduct a search or other analysis for national security, intelligence, or law enforcement purposes of a database based solely on a hypothetical scenario or hypothetical supposition of who may commit a crime or pose a threat to national security."123 If passed, this legislation would directly impact CAPPS II, since all testing of the system to determine risk levels involves working with hypothetical scenarios. In addition, this legislation would cover active systems as well as those developed after the law's enactment.124 The more TSA can allay the concerns of passengers and Congress early in the development of CAPPS II, the easier it will be to implement the system.
Final Thoughts and Conclusions
CAPPS II has great potential for increasing security at airports globally. The sources interviewed who understood the technological working of the system were enthusiastic about its value and effectiveness. A system in which no specific passenger data is available, only coded numeric information, may remove some concern about who has access to passenger information. At the same time, according to sources interviewed, inaccurate and misleading information from third parties cannot be identified or rectified.
Secrecy and privacy surrounding the design and development of CAPPS II have created public suspicion that the system will not be limited in scope and may secretly violate privacy rights. There are concerns about TSA's use of exemptions pursuant to the U.S. Privacy Act of 1974. Many of these issues and complications can be avoided or at least minimized through appropriate TSA action. To effectively launch CAPPS II, TSA should initiate a national public awareness campaign, though it may also have international reach, especially to the European Union.
TSA should determine what information must remain classified and what could be made available to reduce public and Congressional anxiety about CAPPS II and publicly explain how it made this determination. Rather than focus on what the system does, TSA can emphasize what the system does not do and avert misleading information. TSA should meet regularly with the organizations that support CAPPS II and those that oppose it to determine their primary concerns and identify potential mechanisms to mitigate those concerns. TSA should also form an appeals committee with membership from government, private-sector, and nongovernmental organizations, as well as IT specialists and attorneys. This group's sole responsibility would be to design and develop an effective appeals process. This type of collaborative effort will reduce some of the current antagonistic sentiment. The more ways in which TSA can actively involve the public in the design and development of CAPPS II, the greater likelihood that the system will receive public support upon its activation.
Balancing national security interests with privacy and liberty interests remains a difficult challenge. Supplying information to the public while attempting to withhold it from terrorists places a significant burden on TSA. But, rather than withhold most, if not all information, as is the case with the privacy impact assessment, TSA should determine which information could be declassified and made available to the general public. No law-abiding passenger wants to be a victim of a terrorist attack, and TSA can leverage passenger willingness to compromise some liberties in order to prevent this. Overall, though, the more TSA can do to limit the level of compromise a passenger must undertake, the more passengers will be willing to support and accept CAPPS II.
CAPPS II can be a viable system if it is developed appropriately. TSA needs to be more transparent with the system and its functioning in order to build the citizen trust that is needed for it to not only be effective, but supported by Congress and the general public. Until this occurs, skepticism will underlie any discussion about its effectiveness in balancing the protection from terrorism with respect for individual liberties.
References
1. See Lane County (OR) Bill of Rights Defense Committee, CAPPS II.
2. See Ryan Singel, CAPPS Navigates Unfriendly Skies, Wired News, 26 Aug. 2003. Besides the two organizations mentioned, this press conference included representatives from the National Association for the Advancement of Colored People and Americans for Tax Reform.
3. J. Kirwin, Privacy EU Commissioner Takes Firm Public Stance Against U.S. Demands for Air Passenger Data, Bureau of National Affairs, Daily Report for Executives, no. 207, 27 Oct. 2003, p. A-6.
4. Steven Thayer, Deputy Director, Office of National Risk Assessment, testimony before the Senate Advisory Committee on Technology and Privacy, 110th Congress (2003). Thayer commented that the Office of National Risk Assessment is very concerned about privacy interests, but that technology can protect individual rights and privacy rights as never before.
5. Paul Stephen Dempsey, Aviation Security: The Role of Law in the War Against Terrorism, Columbia Journal of Transnational Law, vol. 41, no. 3.
6. Federal Aviation Reauthorization Act, Public Law no. 104-264, 110 Stat. 3213 (1996).
7. See Paul Stephen Dempsey, p. 710.
8. Electronic Privacy Information Center, Passenger Profiling.
9. Ibid. p. 4.
10. The author spoke with two anonymous sources who have worked with CAPPS II. The fact that CAPPS I can easily be compromised is drawn from an interview with Source I in Washington, DC, on 20 Nov. 2003.
11. Samidh Chakrabarti and Aaron Strauss, Carnival Booth: An Algorithm for Defeating the Computer-Assisted Passenger Screening System, Law and Ethics on the Electronic Frontier, 6.806, 16 May 2002.
12. Ibid., p. 10.
13. Ibid., p. 8.
14. Ibid., p. 11, citing several October 2001 issues of Newsweek.
15. Think Tank Backs Profiling to Go After Bad People, World Airport Week, vol. 10, issue 12, 18 June 2003, 2003 WL 9793336.
16. Robert O'Harrow, Jr., Air Security Focusing on Flier Screening: Complex Profiling Network Months Behind Schedule, Washington Post, 4 Sept. 2002.
17. Aviation and Transportation Security Act, Public Law no. 107-71 (2001).
18. 49 U.S.C. 44901 (2003).
19. See Paul Stephen Dempsey, p. 717.
20. Homeland Security Act of 2002, Public Law no. 107-296.
21. 6 U.S.C. 301-303, as cited by Paul Stephen Dempsey, p. 718.
22. Zeichner Risk Analytics, Zeichner Risk Assessment Weekly Overview, no. 78, 30 June 2003, p. 5. In February 2004, TSA awarded Lockheed Martin and numerous subcontractors a five-year contract to develop and run CAPPS II. The initial phase of the contract totals $12.8 million.
23. TSA did not transfer to DHS until March 2003.
24. Department of Homeland Security, Transportation Security Administration, Federal Register, vol. 68, no. 10, 15 Jan. 2003, pp. 2101-2103. Under the U.S. Privacy Act of 1974 (5 U.S.C. 552a), an agency must report a new government system of records, which is a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual (section 552a(a)(5)).
25. This is the system being used to develop CAPPS II.
26. See Federal Register, vol. 68, no. 10, 15 Jan. 2003, p. 2102.
27. Ibid.
28. Passenger name records generally include about 39 data points, such as name, itinerary, payment method, seat selection, and special meal selection.
29. Federal Register, vol. 68, no. 10, 15 Jan. 2003, p. 2102.
30. Routine uses are ways in which the records can be used; they often expand the availability of these records to other private- and public-sector agencies.
31. Federal Register, vol. 68, no. 10, 15 Jan. 2003, p. 2103.
32. Department of Homeland Security, Transportation Security Administration, Federal Register, vol. 68, no. 148, 1 Aug. 2003, pp. 45265-45269. The system is now called the Passenger and Aviation Security Screening Records system; it primarily supports the new CAPPS II program.
33. The exact number and type of data points are not available to the public.
34. The Global Distribution System consists of four passenger check-in and database systems managed independently by the airlines (interview with Source I).
35. Interview with Source II, Washington, DC, 21 Nov. 2003.
36. CAPPS II will continue to evolve, expanding the number of databases in the future (interview with Source I).
37. This information is classified, and TSA has published only small amounts.
38. Greg Griffin, Air of Anxiety, Denver Post, 16 Nov. 2003.
39. Leslie Miller, Associated Press, U.S. to Check Background of Each Airline Passenger; Privacy Advocates See Move as Positive, But Are Wary of Abuse, Charleston (SC) Gazette, 1 Aug. 2003, 2003 WL 5485454.
40. Name, address, phone number, and birth date.
41. Interview with Source II.
42. Federal Register, vol. 68, no. 148, 1 Aug. 2003, p. 45266. This is confusing, but it appears that data mining will occur at the commercial level, but not at the government level. This may subject CAPPS II to additional data-mining reporting requirements.
43. Ibid. It is important to note the use of the word "persistent," which implies that a temporary link will be established, but it is still uncertain for what period of time that link will remain.
44. Robert O'Harrow, Jr., TSA Modifies Screening Plan: Computerized Analysis Changed in Response to Criticism That It's Intrusive, Washington Post, 14 June 2003.
45. Interview with Source II.
46. Federal Register, vol. 68, no. 148, 1 Aug. 2003, p. 45266. Despite this part of the announcement, Admiral Loy, head of the DHS Border and Transportation Security Directorate, testified to Congress that aviation security remains the top priority: At the moment we are charged with finding in the aviation sector foreign terrorists or those associated with foreign terrorists and keeping them off airplanes. even as heinous as it sounds, the axe murderer that gets on the airplane with a clean record in New Orleans and goes to Los Angeles and commits his or her crime, that is not the person we are trying to keep off that airplane at the moment (comments of the Electronic Privacy Information Center to the Department of Homeland Security, Transportation Security Administration, interim Final Privacy Act Notice, p. 16, citing Admiral Loy's 6 May 2003 testimony).
47. Lane County Bill of Rights Defense Committee.
48. Robert O'Harrow, Jr., TSA Modifies Screening Plan. In Christopher Smith, [Salt Lake] Airport Watches, Waits on New Security, the estimate is higher, with 400 to 500 people red flagged annually (Salt Lake Tribune, 28 Aug. 2003, 2003 WL 3691522).
49. Christopher Smith, p. 3.
50. Interview with Source II.
51. Federal Register, vol. 68, no. 148, 1 Aug. 2003, p. 45266. While Darrin Keyser, Director of Public Affairs for TSA, denied that any valid passenger data would be in use during the testing phase and stated that TSA is not working with any airlines (interview, Washington, DC, 13 Nov. 2003), Source II would neither confirm nor deny these statements.
52. Federal Register, vol. 68, no. 148, 1 Aug. 2003, p. 45267.
53. Ibid., p. 45266.
54. Ibid., p. 45267.
55. Ibid.
56. Ibid., p. 45269.
57. Ibid. No explanation for "other data" or "superseded" has been provided, leaving significant room for discrepancy as to what type of data TSA will maintain and for how long.
58. Ibid.
59. Interview with Source II.
60. Federal Register, vol. 68, no. 148, 1 Aug. 2003.
61. 5 U.S.C. § 552a(d) and 5 U.S.C. § 552a(f).
62. 5 U.S.C. § 552a(e)(4)(G).
63. 5 U.S.C. § 552a(e)(4)(H).
64. 5 U.S.C. § 552a(e)(4)(I).
65. 5 U.S.C. § 552a(e)(1), emphasis added.
66. Federal Register, vol. 68, no. 148, 1 Aug. 2003, p. 45269.
67. 5 U.S.C. § 552(b)(c)(1).
68. 5 U.S.C. § 552a(k)(2), emphasis added.
69. Ibid.
70. Executive Order 12958 as amended on 25 March 2003.
71. Ibid., section 1.3.
72. Federal Register, vol. 68, no. 148, 1 Aug. 2003, p. 45268.
73. United States v. Guest, 383 U.S. 745, 758, 86 S. Ct. 1170, 1178, 16 L. Ed. 2d 239, 249 (11th Cir. 1966).
74. Pettit v. Penn, 180 So.2d 66, 69 (La. Ct. App. 1965), as cited in Black's Law Dictionary, fifth edition (Eagan, MN: West Publishing, 1979).
75. See John Gilmore's 29 Sept. 2003 comments in opposition to the Aug. 2003 Federal Register announcement,
76. Federal Register, vol. 68, no. 148, 1 Aug. 2003, p. 45267.
77. Ryan Singel, Due Process Vanishes in Thin Air, Wired News, 8 April 2003.
78. Ibid.
79. Ibid.
80. Ibid.
81. Associated Press and Stroudsburg, PA, Pocono Record stories, 1 Jan. and 3 Jan. 2004.
82. The system is estimated to take less than five seconds to assess a passenger's risk; therefore, a 24-hour response time should not become an issue.
83. See Christopher Smith.
84. Josh Bolten, Director, Office of Management and Budget, Memorandum for Heads of Executive Departments and Agencies, M-03-22, 26 Sept. 2003.
85. Ibid., attachment A, II.B.1.
86. Ibid., attachment A, II.C.1.a.
87. TSA: No Final Privacy Impact Assessment for Controversial Airline Passenger Screening System, Electronic Privacy Information Center press release, 25 Sept. 2003. See also the TSA response to the EPIC Freedom of Information Act request.
88. Federal Register, vol. 68, no. 148, 1 Aug. 2003, p. 45268.
89. Josh Bolten memo, attachment B, section 208.B.1.c.
90. Interview with Source I.
91. Sara Kehaulani Goo, Airlines Hustling on Data Disclosure: Policies Being Drafted Under Pressure, Washington Post, 24 Jan. 2004.
92. Ibid.
93. Sara Kehaulani Goo, U.S. to Push Airlines for Passenger Records: Travel Database to Rate Security Risk Factors, Washington Post, 12 Jan. 2004.
94. Robert O'Harrow, Jr., Aviation ID System Stirs Doubts, Washington Post, 14 March 2003.
95. Interview with Source I.
96. Federal Register, vol. 68, no. 10, 15 Jan. 2003.
97. Federal Register, vol. 68, no. 148, 1 Aug. 2003, p. 45268.
98. This does not even mention the possibility of people consenting to lend their identification.
99. Synovate, Federal Trade Commission - Identity Theft Survey Report, Sept. 2003 (cited in the Committee on Ways and Means, Facts and Figures on Identity Theft, 5 Sept. 2003).
100. Ibid., p. 20.
101. Ibid., p. 21.
102. Ibid.
103. The survey estimated a 62% reporting rate. Ibid., p. 51.
104. Interview with Source II.
105. Ibid.
106. Rep. John Mica (R-FL) made the exact opposite claim on 20 Nov. 2003 at a House Transportation and Infrastructure Committee hearing: "TSA has done a good job of ramping up an army of screeners," he commented. "They have not done a good job in developing technology" (Chris Strohm, House Chair Urges TSA to Spend Less on People, More on Technology, Government Executive, 24 Nov. 2003).
107. GAO-03-1173, Airport Passenger Screening: Preliminary Observations on Progress Made and Challenges Remaining, report to the Chairman, House Subcommittee on Aviation, Committee on Transportation and Infrastructure, Sept. 2003.
108. Ibid.
109. Ibid.
110. With respect to screener training, perhaps TSA could learn from the Israeli experience, even though the El Al fleet is just 30 planes (see Greg Griffin) compared to the U.S. commercial fleet of 6,800. With the El Al security system, screeners are extensively trained to monitor passenger behavior. A passenger entering the airport is asked a series of questions designed to evoke an observable reaction. As the passenger responds, the officer analyzes the tone of voice, body language, and quickness of response. If there is hesitancy, a different screener will ask the passenger other questions (Stacy Perman, The El Al Approach: A Look at the Israeli Airline's Security Procedures, Business 2.0, Nov. 2001, as cited in Samidh Chakrabarti and Aaron Strauss, p. 18). This type of intensive personal screening may prove more effective than questions such as "Did you pack your own bag?"
111. Seven years is the time between the first and second attacks on the World Trade Center (see Daily Report for Executives).
112. European Parliament (Brussels), Committee on Citizens' Freedoms and Rights, Justice and Home Affairs, 6 May 2003.
113. European Parliament Resolution on Transfer of Personal Data by Airlines in the Case of Transatlantic Flights: State of Negotiations With the USA, 9 Oct. 2003.
114. Ibid. Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
115. Commission of the European Communities, Communication from the Commission to the Council and the Parliament: Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach (see also Financial Times, 15 Dec. 2003).
116. Ibid.
117. Transatlantic Flights: Belgian Privacy Committee Supports Marco Cappato by Stating the Illegality of the Transfer of His Personal Data to the US, Transnational Radical Party press release, 21 Jan. 2004.
118. December 2003 developments, such as the requirement of U.S. air marshals on international flights entering the United States and Qantas's implementation of U.S. demands not to congregate around the toilets on its flights to the United States, have further fueled this fire.
119. Paraphrased from Provision of Department of Homeland Security Appropriations Act Relating to the Computer Assisted Passenger Prescreening System (CAPPS II), H.R. 2555.
120. Aviation Security: Computer-Assisted Passenger Prescreening System Faces Significant Implementation Challenges, report GAO-04-385.
121. One database program, the Total Information Awareness system, came under fire due to its secrecy and the type of information it would have gathered. The system's creator, the Defense Advanced Research Projects Agency, renamed it the Terrorist Information Awareness system. It cannot be implemented without Congressional approval (Ryan Singel, Pentagon Defends Data Search Plan, Wired News, 21 May 2003).
122. S.1484, sponsored by Sen. Ron Wyden (D-OR), 21 July 2003.
123. Ibid.
124. Interview with Ruchi Bhommik, Judicial Legislative Aide for Sen. Wyden, Washington, DC, 19 Nov. 2003.