[Politech] Questions for the Dept of Homeland Security on CAPPS II [priv]

From: Declan McCullagh (declan@private)
Date: Sun Feb 29 2004 - 20:41:54 PST

  • Next message: Declan McCullagh: "[Politech] Greenspan on the Internet, intellectual property rights [ip]"

    	
    
    COMMENTARY: CAPPS II: QUESTIONS THAT NEED TO BE ANSWERED
    
    Should CAPPS II be cleared for takeoff?
    
    The new, new thing developed by the TSA that they claim will enhance
    aviation security has encountered plenty of turbulence even before it's
    taken off.
    
    Certainly, privacy advocates are concerned about the new system with its
    color-coded risk assessment. Who gets a cautionary yellow? Who gets a red
    which means you will be forbidden to board? What factors will determine the
    rating system? What recourse do passengers who think they have been stopped
    unfairly have?  For that matter, just how accurate will this color-coded
    system be?
    
    The TSA admits that they have not been able to fully plan and test the
    system yet. Clearly, a very important stumbling block has been the failure
    of the airlines to provide on time needed passenger data to the TSA.
    Airlines may very well fear that cooperating with TSA will lead to boycotts
    or bad publicity. Perhaps a more important issue that may be lurking but so
    far has been largely undiscussed by the airlines and the travel industry is
    that the CAPPS II system will saddle them with added costs as they will have
    to revamp their reservation systems to collect the passenger authentication
    data required by CAPPS II.  It's an unfounded mandate by the Federal
    government on the travel and airline industry. (see Business Travel News
    Online.com article)
    
    But the concerns expressed about the system have also been expressed by a
    recent report issued by the Government Accounting Office called: "Computer
    Assisted Prescreening System Faces Significant Implementation Challenges."
    
    Here are some excerpts:
    
    "TSA program officials said that testing government databases for overall
    accuracy will be challenging. For example, TSA does not know exactly what
    type of information the government databases contain, such as whether a
    database will contain a person's name and full address, a partial address,
    or no address at all. Furthermore, a senior program official said that TSA
    has no indication of the accuracy of information contained in government
    databases. The official stated that using data without assessing accuracy
    and mitigating data errors could result in erroneous passenger assessments,
    and that government database accuracy and mitigation measures will be
    completed before the system is placed in operation.
    
    "Although TSA plans to take measures to mitigate errors in commercial and
    government databases used by CAPPS II, TSA officials and commercial data
    providers stated that databases determined to have an acceptable level of
    accuracy will likely still contain errors. Consequently, in addition to
    using multiple databases and a process to identify misspellings to correct
    errors in commercial databases, TSA is also developing a redress process
    whereby passengers can attempt to get erroneous data corrected. However, it
    is unclear what access passengers will have to information found in either
    government or commercial databases, or who is ultimately responsible for
    making corrections. Additionally, if errors are identified during the
    redress process, TSA does not have the authority to correct erroneous data
    in commercial or government databases. TSA officials said they plan to
    address this issue by establishing protocols with commercial data providers
    and other federal agencies to assist in the process of getting erroneous
    data corrected."
    
    But will these protocols ensure effective followup? To get others to
    "assist" in making corrections makes it sound as if the commercial or
    government agencies keeping the data bases are doing aggrieved passengers a
    favor, not fulfilling what should be an iron-clad responsibility to maintain
    the accuracy of their databases. How much teeth will these protocols have?
    How effective will the monitoring process be?
    
    The GAO report credits the TSA for issuing plans that "appear to address
    many of the requirements of the Privacy Act, the primary legislation that
    regulates the government's use of personal information."
    
    However, the GAO report goes on to say: "In January 2003, TSA published a
    proposed rule to exempt the system from seven Privacy Act provisions but has
    not yet provided the reasons for these exemptions, stating that this
    information will be provided in a final rule to be published before the
    system becomes operational. As a result, TSA's justification for these
    exemptions remains unclear. Until TSA finalizes its privacy plans for CAPPS
    II and addresses such concerns, we lack assurance that the system will fully
    comply with the Privacy Act."
    
    The Department of Homeland Security, in which TSA is housed, has a Chief
    Privacy Officer who, among other things, is supposed to ensure DHS agencies
    are in compliance with Privacy Act measures. However, how effective can the
    CPO be in ensuring privacy act protection under CAPPS II when the TSA is
    seeking a number of exemptions? Consider what is stated below by GAO.
    
    "...TSA plans to exempt CAPPS II from the Privacy Act's requirements to
    maintain only that information about an individual that is relevant and
    necessary to accomplish a proper agency purpose. These plans reflect the
    subordination of the use limitation  practice and data quality  practice
    (personal information should be relevant to the purpose for which it is
    collected) to other goals and raises concerns that TSA may collect and
    maintain more information than is needed for the purpose of CAPPS II, and
    perhaps use this information for new purposes in the future. Further, TSA
    plans to limit the application of the individual participation practice --
    which states that individuals should have the right to know about the
    collection of personal information, to access that information, and request
    correction -- by prohibiting passenger access to all personal information
    about them accessed by CAPPS II. This raises concerns that inaccurate
    personal information will remain uncorrected in and continue to be accessed
    by CAPPS II."
    
    
    The GAO report does admit that the actions to restrain the use of Fair
    Application
    Policies -- international principles reflected in the Privacy Act -- are not
    violating federal requirements. In GAO's view, TSA is attempting a balance
    between privacy and concerns regarding enforcement and administration.
    
    The conclusion of the GAO report states: "Without proper oversight, there is
    limited assurance that the system and its data will be adequately protected
    against misuse, and that the system is operating as intended...Lastly, given
    the concerns regarding the protection of passenger data, the system cannot
    be fully accepted if it lacks a comprehensive redress process for those who
    believe they are erroneously labeled as an unknown or unacceptable risk."
    
    The DHS differs with key conclusions of the GAO report. They stress that
    CAPPS II is still a system that is "under development" but overarching
    privacy policies and redress mechanism have been established."
    
    The selective quoting in this commentary reflect the entire range of
    concerns covered in the extensive 50 page GAO report and the Department of
    Homeland Security's side, expressed in a letter over two pages that was
    signed by Undersecretary for Management Janet Hale,  is clearly treated in
    passing in this commentary.  The report in its entirety and the DHS letter
    is available on the GAO webpage:
    <http://www.gao.gov/cgi-bin/getrpt?GAO-04-385>
    
    It's worth noting that even The Heritage Foundation in a recent webmemo
    called "Passenger Screening Program is Vital -- and Vital to Get Right" by
    James Carafano, Paul Rosenzweig, Ha Nguyen asserts that "Several privacy and
    data protection issues...should be addressed before CAPPS II is deployed"
    and that congressional guidance is needed to "set criteria for data
    accuracy, prevention of unauthorized use, privacy protection, and redress
    procedures and should require guidelines and risk mitigation strategies to
    prevent costs from spiraling out of control."
    
    If you travel frequently or have experienced problems with government or
    commercial databases or both then you have every reason to want to learn
    more about CAPPS II because this system and its color coded risk assessment
    will determine whether you will be able to board a plane and takeoff to your
    destination. The use of government and commercial databases and their
    accuracy and the effectiveness of the privacy protections that will be in
    place and the procedures for effective recourse for passengers who feel they
    have been misrated by CAPPS II  are also significant concerns and certainly
    invite questions.
    
    The Senate Commerce Committee or one of its subcommittees is expected to
    hold a hearing on CAPPS II in March. There's no better time to let the
    senators and staff who serve on that committee know what questions you want
    answered about this system.
    
    Steve Lilienthal is Director of the Center for Privacy and Technology Policy
    at the Free Congress Foundation.
    
    Address:
    
    Senate Commerce Committee
    United States Senate
    Washington, D.C. 20510
    
    <http://commerce.senate.gov>
    
    
    In fairness, the Department of Homeland Security's own view of CAPPS II:
    Myths & Facts can be found at:
    
    <http://www.dhs.gov/dhspublic/display?content=3163>
    
    2/13/04 BTNonline.com (Business Travel Newsonline.com) Story: "Industry:
    CAPPS II Faces Massive Technical Challenges"
    
    
    <http://www.btnmag.com/businesstravelnews/headlines/article_display.jsp?vnu_
    content_id=2091182>
    
    2/18/04 The Heritage Foundation WebMemo #428: "Passenger Screening Program
    is Vital -- and Vital to Get Right"
    
    <http://www.heritage.org/Research/HomelandDefense/wm428.cfm?renderforprint=1
     >
    
    
    
    _______________________________________________
    Politech mailing list
    Archived at http://www.politechbot.com/
    Moderated by Declan McCullagh (http://www.mccullagh.org/)
    



    This archive was generated by hypermail 2b30 : Sun Feb 29 2004 - 21:11:33 PST