CAPPS II: Government Surveillance via Passenger Profiling

Why EFF Is Concerned About CAPPS II

The Computer Assisted Passenger Prescreening System (CAPPS II) would force you to surrender more of your privacy in order to travel by air -- with little, if any, increase in security.  If the Transportation Security Administration (TSA) succeeds in implementing CAPPS II, the many personal details about you that have been collected in both government and commercial databases would be an open book to travel authorities.  How much of your private life should the government be allowed to examine before you can exercise your right to travel freely?

CAPPS II could also misidentify you as a terrorist, criminal, or other security threat requiring heightened government scrutiny.  Personal details about you, correct or not, could repeatedly trip the security wire, yet there would be no effective way for you to access your own CAPPS II file to correct the mistake.  Meanwhile, airport personnel would squander valuable time and resources on you and other CAPPS II "false positives" rather than on real terrorists. 

Worst of all, CAPPS II could come to serve as an all-purpose dragnet.  Originally, CAPPS II was meant to serve as a tool to prevent foreign terrorists from boarding flights.  Then the government decided that it would also be used to profile "domestic terrorists," employing a fuzzy definition that could apply to legitimate political activists.  Then CAPPS II was once again expanded, this time to include screening for people wanted for violent crimes or for flouting immigration laws. 

All of this "mission creep" has taken place before CAPPS II has even been implemented.  How many more classes of people will CAPPS II target once it is installed and operational at airports across the country?  And how many other modes of travel will eventually fall under the CAPPS II purview?

How CAPPS II Would Work

• Step One:  Collecting Personal Information About You

Under CAPPS II, airlines and travel agencies would be forced to collect personal information that they currently do not require:  each traveler\'s name, birth date, home address and home phone number.  No matter how young or old, no matter how law-abiding, every single person who chooses to fly would be required to submit to a CAPPS II background check.

This extra personal information, your "name plus three," would be added to your Passenger Name Record (PNR).  Your PNR is the electronic file that your airline or travel agency creates about you every time you travel.  PNRs include your travel itinerary and credit card information, as well as other private details such as who you are traveling with, what hotel you are staying at and whether or not you are sharing a hotel room with someone else.  If you\'ve ordered a special meal for the flight, your PNR could also be interpreted to indicate what religion you practice.

• Step Two:  Checking Your Identity Against Government and Commercial Databases

After you make a reservation, your PNR will sent to the government, and then, through the CAPPS II system, to commercial database companies.  These companies will check your "name plus three" against personal information they have mined from your credit report, voter registration card, real estate transactions, driving records, marketing profiles and more -- the average adult American is in at least 50 commercial databases that can be shared with the federal government.  After comparing your PNR data with this information, the companies will generate a numeric score indicating whether they think you are who you say you are. 

There are, of course, plenty of reasons that innocent people would fail this I.D. check.  For example, if a credit agency has your address wrong, or if you\'ve recently moved and haven\'t yet applied for a new license, you would likely be tagged.  CAPPS II would also discriminate against those who haven\'t generated enough data to verify their identities -- i.e., those who don\'t have driving or credit records, or who don\'t own a home.  As a result, the poor and working classes would unfairly be targeted for extra scrutiny, as well as would younger travelers who haven\'t yet "shed" enough data for commercial mining.

• Step Three:  Secret Profiling & Color Coding

After your identity is verified using the methods described above, travel authorities will feed personal details from your PNR into the CAPPS II system, and then will use secret criteria for a "threat assessment" process to determine whether or not you are a danger to aviation security.  First, they\'ll check your name against terrorist watch lists.  But that\'s not all -- they plan to check criminal and immigration records, too. 

The government won\'t say exactly what types of personal information they will use to classify you.  Responding to pressure from privacy advocates, TSA indicated in a 2003 Privacy Act notice that it will not use sensitive medical or financial information.  However, this assurance appears in the supplementary section, not the main text of the notice.  As final regulations will be drafted from the main text, this is a disturbing omission.

After assessing your threat level based on secret criteria, the government will assign you a color.  GREEN means you are not considered a threat and are free to board your flight.  YELLOW means you may be a threat; law enforcement will be called, you will be detained, searched and questioned and you may not be allowed to fly.  RED means that you cannot fly at all.  You may also be arrested. 

Your Right to Privacy

CAPPS II would profoundly violate your right to privacy:  first, by demanding that you hand private information over to the government every time you fly; second, by sifting through the personal details about you contained in commercial and government databases; and finally, by applying secret criteria to your data profile to determine your relative "fitness" for air travel.

CAPPS II won\'t only invade your privacy by accessing the information in existing databases -- it could also lead to the creation of new databases that could be used to track your movements.  For example, the extra personal details that CAPPS II would require you to hand over would enable the airlines and reservation companies easily to index all of your reservations into a lifetime travel dossier, which they would then be free to use for marketing purposes or to sell without your permission.  This dossier could also be made available to any government agency upon request.

False Positives and Illusory Security

The quality of the data that TSA will use for CAPPS II screening is very much in question.

TSA claims that the commercial databases with which it contracts would have to meet a "very high" standard before being used for CAPPS II.  Unfortunately, TSA hasn\'t explained how it would ensure that these databases are accurate.  And whether or not the information in these databases turns out to be correct, TSA will also use government databases, which are notoriously unreliable.  Indeed, a senior program official told the General Accounting Office (GAO) that TSA has no indication of the accuracy of information contained in government databases.

The result is that you could be grounded, placed on a government watch list, or made subject to repeated security checks due to information that is false, old, or incomplete (such as an arrest that never led to a conviction).  You could also be forced to endure "second class" travel because true facts about you -- for example, that you\'re of Arab descent, or Muslim -- might serve as the grounds for unjustified inferences.  Worse, you won\'t be able to review the database records upon which your security score is based.

And what happens if you find yourself misidentified as a terrorist or criminal, repeatedly barred from flying or flagged for further scrutiny?  Your only avenue for redress is to write to the CAPPS II Passenger Advocate with a complaint.  Not only is this method slow and inefficient, there is no deadline by which travel authorities must abide to correct any errors they have made.

These kinds of "false positives" aren\'t only unfortunate for those who are misidentified; they are bad for our overall security.  If CAPPS II uses faulty data in screening passengers, the number of false positives goes up.  With a sufficiently high ratio of false to true positives, security personnel might become conditioned to false positives and as a consequence, more lax.  

The "security" offered by CAPPS II is illusory because using identity for threat assessment is a deeply flawed approach.  Such profiling can fail in two very dangerous ways.  First, as previously discussed, it can misidentify innocents as evildoers and divert important security resources away from the real threats.  Second, and even worse, it could misidentify evildoers as innocents, mistakenly tagging armed terrorists as "greens" who do not require additional screening.  The more practical and effective approach to enhancing our aviation security would be to scrap CAPPS II in favor of random but thorough searches for bombs and weapons.

CAPPS II as All-Purpose Dragnet

Mission creep is an all-too-common problem with government agencies.  Despite the fact CAPPS II was designed specifically to identify terrorists, TSA has already admitted that it will use the program to screen for violent criminals and illegal immigrants.   There is no guarantee that once in place, CAPPS II won\'t continue incrementally to expand its mission in ways that threaten the basic civil liberties of air travelers -- especially those deemed "suspicious."

Already, an envoy of Moroccan lawmakers on a goodwill tour to the U.S. was detained at Portland International Airport after travel officials mistook them for possible terrorists.  The incident made headlines, but under CAPPS II, this sort of discrimination in the name of security could very well become commonplace.  If today there is a problem with "driving while black," tomorrow the problem could be "flying while Arab/Muslim."

Congress Gives CAPPS II a Failing Grade

Congress\'s investigatory arm, the General Accounting Office (GAO), reports that as of January 2004 the TSA has failed to meet seven out of eight Congressional requirements for CAPPS II.  Specifically, TSA has failed to:

• adequately assess the accuracy of information in the databases that will be used for CAPPS II;
• stress test the CAPPS II system and demonstrate its efficacy and accuracy;
• install safeguards to protect CAPPS II from abuse;
• install security measures to protect unauthorized access to travelers\' personal data;
• establish effective oversight of the system\'s use and operation;
• address privacy concerns regarding CAPPS II; and
• create redress procedures for passengers to correct erroneous information.

Thankfully, Congress does not intend to release funds for the system\'s implementation until TSA has satisfied the above criteria.  However, President Bush has made it clear that he believes these requirements to be merely advisory and, as such, will not serve to prevent TSA from proceeding with implementation as scheduled.  Hence, the fight over implementing CAPPS II is far from over. 

Coming Soon: The "Trusted Traveler" Program

In addition to CAPPS II, TSA is working on a "Trusted Traveler" program that would allow some people to opt out of airport security screening.  Under the program, travelers who submit to an extensive background check would, after paying a fee, receive an ID card allowing them to skip extra airport screenings. 

The danger here is obvious: if a terrorist discovers how to game the system and successfully register as a "trusted traveler," he can bypass otherwise unavoidable searches for bombs and weapons.  This leaves every passenger more, not less, vulnerable to a stealth attack. 

Apart from the problem of trading real security for the illusion thereof, "trusted traveler" ID cards could have a number of unsavory unintended consequences.  These include opening up a new market for identity theft, creating a de facto national ID card, and establishing a form of "class structure" based on the level of trust that the government affords a cardholder.  

The bottom line is that by treating each of us as a suspected criminal or terrorist, CAPPS II would rob us of our most fundamental rights as U.S. citizens without proof that it will make any of us any safer.  TSA should abandon CAPPS II and put our valuable security resources into programs that strike an appropriate balance between providing enhanced safety and protecting the freedoms central to American life.