[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]


 
                  IMPROVING PRE-SCREENING OF AVIATION
                    PASSENGERS AGAINST TERRORIST AND
                           OTHER WATCH LISTS

=======================================================================

                                HEARING

                               before the

                        SUBCOMMITTEE ON ECONOMIC
                        SECURITY, INFRASTRUCTURE
                     PROTECTION, AND CYBERSECURITY

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 29, 2005

                               __________

                           Serial No. 109-27

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html




                    U.S. GOVERNMENT PRINTING OFFICE
26-959                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                               __________



                     COMMITTEE ON HOMELAND SECURITY

                 Christopher Cox, California, Chairman

Don Young, Alaska                    Bennie G. Thompson, Mississippi
Lamar S. Smith, Texas                Loretta Sanchez, California
Curt Weldon, Pennsylvania            Edward J. Markey, Massachusetts
Christopher Shays, Connecticut       Norman D. Dicks, Washington
Peter T. King, New York              Jane Harman, California
John Linder, Georgia                 Peter A. DeFazio, Oregon
Mark E. Souder, Indiana              Nita M. Lowey, New York
Tom Davis, Virginia                  Eleanor Holmes Norton, District of 
Daniel E. Lungren, California        Columbia
Jim Gibbons, Nevada                  Zoe Lofgren, California
Rob Simmons, Connecticut             Sheila Jackson-Lee, Texas
Mike Rogers, Alabama                 Bill Pascrell, Jr., New Jersey
Stevan Pearce, New Mexico            Donna M. Christensen, U.S. Virgin 
Katherine Harris, Florida            Islands
Bobby Jindal, Louisiana              Bob Etheridge, North Carolina
Dave G. Reichert, Washington         James R. Langevin, Rhode Island
Michael McCaul, Texas                Kendrick B. Meek, Florida
Charlie Dent, Pennsylvania

                                 ______

   Subcommittee on Economic Security, Infrastructure Protection, and 
                             Cybersecurity

                Daniel E. Lungren, California, Chairman

Don Young, Alaska                    Loretta Sanchez, California
Lamar S. Smith, Texas                Edward J. Markey, Massachusetts
John Linder, Georgia                 Norman D. Dicks, Washington
Mark E. Souder, Indiana              Peter A. DeFazio, Oregon
Tom Davis, Virginia                  Zoe Lofgren, California
Mike Rogers, Alabama                 Sheila Jackson-Lee, Texas
Stevan Pearce, New Mexico            Bill Pascrell, Jr., New Jersey
Katherine Harris, Florida            James R. Langevin, Rhode Island
Bobby Jindal, Louisiana              Bennie G. Thompson, Mississippi 
Christopher Cox, California (Ex      (Ex Officio)
Officio)



                            C O N T E N T S

                              ----------

                               STATEMENTS

The Honorable Daniel E. Lungren, a Representative in Congress 
  From the State of California, and Chairman, Subcommittee on 
  Economic Security, Infrastructure Protection, and Cybersecurity
The Honorable Loretta Sanchez, a Representative in Congress From 
  the State of California, and Ranking Member, Subcommittee on 
  Economic Security, Infrastructure Protection, and Cybersecurity
The Honorable Christopher Cox, a Representative in Congress From 
  the State of California, Chairman, Committee on Homeland 
  Security:
  Oral Statement
  Prepared Opening Statement
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security
The Honorable Peter A. DeFazio, a Representative in Congress From 
  the State of Oregon
The Honorable Norman D. Dicks, a Representative in Congress From 
  the State of Washington
The Honorable Sheila Jackson-Lee, a Representative in Congress 
  From the State of Texas
The Honorable John Linder, a Representative in Congress From the 
  State of Georgia
The Honorable Zoe Lofgren, a Representative in Congress From the 
  State of California
The Honorable Edward J. Markey, a Representative in Congress From 
  the State of Massachusetts

                               WITNESSES
                                Panel I

The Honorable John B. Anderson, Former U.S. Representative to 
  Congress from the State of Illinois:
  Oral Statement
  Prepared Statement
Mr. James X. Dempsey, Executive Director, Center for Democracy 
  and Technology:
  Oral Statement
  Prepared Statement
Mr. James C. May, President and Chief Executive Officer, Air 
  Transport Association:
  Oral Statement
  Prepared Statement
Mr. Paul Rosenzweig, Senior Legal Research Fellow, Center for 
  Legal and Judicial Studies, The Heritage Foundation:
  Oral Statement
  Prepared Statement

                                Panel II

Mr. Justin Oberman, Assistant Administrator, Secure Flight and 
  Registered Traveler, U.S. Department of Homeland Security:
  Oral Statement
  Prepared Statement


                       IMPROVING PRE-SCREENING OF
                      AVIATION PASSENGERS AGAINST
                    TERRORIST AND OTHER WATCH LISTS

                              ----------                              


                        Wednesday, June 29, 2005

                          House of Representatives,
                    Committee on Homeland Security,
                 Subcommittee on Economic Security,
               Infrastructure Protection, and Cybersecurity
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:07 a.m., in 
Room 210, Cannon House Office Building, Hon. Dan Lungren 
[chairman of the subcommittee] presiding.
    Present: Representatives Lungren, Cox, Linder, Pearce, 
Jindal, Thompson, Sanchez, Markey, Dicks, DeFazio, Lofgren, 
Jackson-Lee, and Pascrell.
    Mr. Lungren. [Presiding.] The Committee on Homeland 
Security's Subcommittee on Economic Security, Infrastructure 
Protection, and Cybersecurity will come to order.
    The subcommittee is meeting today to assess the 
effectiveness of the systems and policies employed by the 
Transportation Security Administration for pre-screening air 
travelers.
    I would like to welcome everybody to today's hearing. This 
morning, we will continue our oversight of the TSA by examining 
its aviation passenger pre-screening initiatives. By now, 
everyone should be acquainted with the current systems being 
used by the airlines to pre-screen passengers: The Computer-
Assisted Passenger Pre-screening System, or CAPPS, and the no-
fly list.
    CAPPS is a rule-based system which flags air travelers for 
additional screening based on travel and ticket purchase 
habits. The specific elements of the program are classified, 
but many of the criteria are widely known and discussed.
    Since the federal government mandated the use of CAPPS for 
airline passengers in 2001, we estimate that over 150 million 
passengers have been tagged by the system's overly broad system 
and unnecessarily subjected to the inconvenience and indignity 
of intrusive pat-downs and additional wandings.
    We have all personally learned of many instances where TSA 
has aggressively searched grandmothers, disabled veterans, 
small children, and others who appear to pose minimal risk to 
the homeland security of this country as a result of CAPPS.
    The watch lists, which are the focus of today's hearing, 
also have their own problems. By some estimates, 2 out of every 
100 flyers have been misidentified as persons on these lists. 
If true, that is a lot when we are dealing with 1.8 million 
passengers every day. The system of watch lists currently in 
use does not have an adequate redress process for those who 
have been misidentified time and time again. None of the watch 
lists used by TSA utilizes the complete set of databases 
available within the federal government.
    To some of us, the current regime seems to make little 
sense. It appears to hassle travelers, waste resources and has 
no measurable benefit to aviation security, at least not a 
benefit that TSA has demonstrated to us yet. TSA has been 
working for some time to replace CAPPS and improve watch list 
matching with some progress, but TSA's latest effort to secure 
flights seems to be running into difficulties that will delay 
its implementation.
    This is not good because the longer we delay, the longer we 
have the current system, which is certainly not as good for our 
security, our privacy or our pocketbooks.
    I am also concerned that TSA has no plans to make CAPPS 
more effective and less of an imposition on the traveling 
public even after a Secure Flight is in place, when it is in 
place.
    TSA must continue its development of an effective targeted 
passenger pre-screening system to improve its aviation security 
operations and reduce costs. It must also integrate all pre-
screening initiatives to minimize redundancy and enhance 
efficiency. Congress must do the oversight along the way as 
well. We must make sure we are not standing in the way of 
getting this new system in place as quickly as possible.
    Today, we will hear from two distinguished panels of 
witnesses to gain the insight of passengers, airlines, other 
stakeholders and the Department itself about the problems with 
the current system of passenger pre-screening and how we can 
improve it.
    I thank all of our witnesses for appearing before us 
today, and I recognize the ranking member of the full 
committee, Mr. Thompson, from Mississippi, for any statement he 
wishes to make.
    Mr. Thompson. Thank you very much, Mr. Chairman. I look 
forward to the testimony of the witnesses today on this very 
important subject.
    Millions of Americans flying this summer continue to be 
screened under CAPPS I, the behavior-based terrorist screening 
system run by the airlines that is designed to root out 
terrorists before they board commercial aircraft. The airlines 
will likewise continue to use TSA's no-fly and selectee list as 
an additional tool to keep passengers safe.
    But change is supposedly coming to improve and perhaps 
replace these systems. TSA has set a deadline to begin a test 
run of the new Secure Flight Program this August. Secure Flight 
will check all passengers against TSA's consolidated watch 
list, a watch list that fuses together numerous federal 
terrorist watch lists.
    The TSC watch list is supposed to represent the most up-to-
date listing of known and suspected terrorists, but a recent 
report by the Department of Justice's IG's Office raises 
significant concerns as to how accurate and complete the TSC's 
watch list actually is. If the TSC's list cannot be trusted, 
then Secure Flight may not work either.
    Another concern in recent weeks has been a possible 
violation of the Privacy Act by TSA. In September, TSA said 
that it would, on a very limited basis, test the use of 
commercial data against a secure flight record system. TSA also 
indicated that it would not store the commercially available 
data that it would use for testing. Several weeks ago, we 
learned that neither of these representations were true.
    Finally, we recently learned that even if the Secure Flight 
issues are addressed, TSA may require the airlines to continue 
running CAPPS I Program, a burden the airlines I believe should 
not have.
    I hope that Mr. Oberman will address these issues. 
Furthermore, I hope that he can discuss whether money is going 
in Secure Flight and what we have gotten in past funds spent. 
For example, $71.5 million was paid to a contractor for the pay 
of CAPPS II Program, and another $8.2 million was paid for its 
work on Secure Flight before it stopped working on the program. 
If the Department had only listened to Congress and built 
privacy into CAPPS II, it probably could have saved a lot of 
this money.
    In short, I am very concerned, Mr. Chairman, that Secure 
Flight may be off track. According to the GAO, Secure Flight 
was supposed to have a final concept of operation and 
definition of requirements, including whether it was going to 
use commercial data, by March and April, respectively. The date 
by which Secure Flight was supposed to be fully operational on 
two carriers has already slipped by 4 months. We need serious 
answers where this program is going. If we do not get answers, 
Secure Flight may suffer the same fate similar to CAPPS II. It 
may never leave the gate.
    Mr. Chairman, I yield back.
    Mr. Lungren. I thank the gentleman.
    Other members of the committee are reminded that opening 
statements may be submitted for the record.

    Prepared Opening Statement of the Honorable Christopher Cox, a 
Representative in Congress, From the State of California, and Chairman, 
                     Committee on Homeland Security

    Thank you, Mr. Chairman.
    Screening passenger manifests for potential terrorists is one of 
the most important and potentially most effective aspects of our 
aviation security system--because instead of focusing on knives, nail 
clippers, and other countless potential weapons, or children and 
grandmothers, we are focusing on the more finite universe of known and 
suspected terrorists. The problem is not with the concept--but with its 
execution to date, which is carried out not by TSA, but by the airlines 
under difficult circumstances.
    According to TSA, roughly two percent of all travelers have names 
that are on or closely resemble names on the Terrorist Screening Center 
watchlists. In other words, more than 13 million passengers annually--
or some 36,000 per day--are misidentified by the current system, and 
are inconvenienced by costly and time-consuming extra security 
procedures or completely prevented from flying. That does not even 
count the millions more who are flagged for secondary screening not 
because of their name, but because they purchased a ticket in a manner 
that TSA has determined raises a suspicion of terrorism--the system 
known as CAPPS.
    The poor souls who wish to have their good names cleared from the 
watchlists have to navigate mountains of TSA red tape and bureaucracy 
to get on a ``cleared'' list that may or may not prevent them from 
being flagged as terrorists by the airlines on future flights--
depending on the particular airline's particular procedures. One of our 
witnesses, former Congressman and Presidential candidate John Anderson 
understands this problem all too well--since he is one of those unlucky 
passengers whose name matches or closely resembles a name on the 
terrorist watchlist. With a name like that, I assume there are 
thousands of other John Andersons facing this problem on a daily 
basis.
    While these facts alone should be enough to question the efficacy 
of the current system, further examination shows that the airlines are 
not provided the most comprehensive terrorist watchlist due to security 
concerns. They also do not receive certain related information on these 
suspected terrorists that could help reduce misidentifications and more 
promptly resolve close matches.
    As a result, we have a system that flags millions of innocent 
people for extra screening or security procedures without cause, and we 
may actually be missing some people with terrorist affiliations.
    Over the past year, TSA has been attempting to address these 
inadequacies through the development of the Secure Flight program, as 
mandated by Congress in an overwhelmingly bipartisan fashion last year. 
Under this system, TSA will assume from the airlines the responsibility 
for managing the terrorist watchlist matching function.
    From what we can tell, TSA is mostly on the right track. Secure 
Flight will rely on expanded passenger name records, improved name-
matching software, and the TSC's full database of known or suspected 
terrorists. It will also have improved passenger redress capabilities, 
making this function more expedited and more uniform. These steps 
should significantly minimize the ambiguities that have resulted in the 
thousands of daily false positives, while also improving our ability to 
find real terrorists.
    While there remain a host of important issues involving Secure 
Flight to be worked out, Congress must be mindful not to let the 
perfect be the enemy of the good--or the enemy of the worse. The 
current system is a terrible waste of resources, is an unjustified 
imposition upon passengers' privacy rights and freedoms, and is of 
questionable security benefit. Secure Flight must be implemented as 
quickly as possible, with appropriate safeguards, so we can move beyond 
what is in place today.
    I would like to thank the witnesses for appearing today and for 
providing their insight on this important issue.

    Mr. Lungren. We are pleased to have two expert panels of 
witnesses here today to give testimony on this important topic. 
Let me please remind the witnesses that your entire written 
testimony will appear in the record, and we ask you to limit 
your oral testimony to the 5-minute period allotted.
    The Chair now with pleasure recognizes the Honorable John 
Anderson, the distinguished former member of the House of 
Representatives, candidate for the presidency in 1980, may I 
just say that during my first tour of duty here in Congress, he 
was one of the first members of the leadership that I met. It 
seems like it was just yesterday, although it was 1979.
    Congressman Anderson, it is our pleasure to have you speak 
now.

      STATEMENT OF THE HONORABLE JOHN ANDERSON, A FORMER 
     REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS

    Mr. Anderson. Thank you very much. And I also appreciated 
very much the statement read just a moment ago by the chairman 
of the full committee with respect to the importance of the 
hearing that you are holding this morning.
    I am here to present some anecdotal evidence of a personal 
experience that is relevant I think to the scope of your 
inquiry.
    Earlier this year, I made two trips abroad on the 23rd of 
March without any trouble. I boarded a flight in Fort 
Lauderdale, Florida and flew to Amsterdam on a personal family 
visit with a daughter who resides there and then returned after 
10 days to begin preparations for a trip that was organized by 
former Members of Congress and coordinated by the Council on 
Excellence in Government, designed to bring former members like 
myself to universities in other countries, in this case 
Germany. And they had scheduled a flight from Washington to JFK 
and from JFK to Frankfurt Am Rhein and then a schedule that 
would bring us to about five different German cities to 
converse with members of the faculty and the student body of 
those institutions.
    Shortly before the second flight was about ready to go, I 
was told, ``You will have to go to the airport personally some 
days in advance because you are on the watch list. You are one 
of those suspected of possible terrorist activity and of 
interest to the government, a person of interest.'' Well, 
flattering as it is to be a person of interest, I was a little 
bit shocked to find myself included in that group.
    So my first thought was for the first time in 25 years, I 
will seek the aid of my congressman who now happens to be Clay 
Shaw. I am a legal resident, registered independent voter in 
the State of Florida. I went to Clay's office and he promptly 
undertook an investigation and very shortly produced a 
satisfactory result.
    But I was encouraged to appear this morning to--well, I 
should tell you what I had to do. It was not quite just as 
simple as talking to Clay Shaw and his staff, although they 
were most helpful.
    I supplied, with the assistance of the staff, four items of 
identification, including my registered voter's card from the 
State of Florida, my driver's license, issued by that state, my 
U.S. passport, which was in good order, and then hopefully also 
my former Member of Congress card would throw some weight into 
the balance, and some days later received a communication from 
the Office of the Ombudsman saying that following the receipt 
of my passenger identity verification form, PIV, and their 
subsequent investigation, the TSA has verified your identity, 
and, accordingly, we have provided sufficient personal 
information to the airlines to distinguish you from other 
individuals in the system in issuing your boarding pass more 
efficiently.
    Then there was a paragraph that followed that said, 
``Notwithstanding, you should have certain documents, one or 
more, to help expedite receipt of a boarding pass,'' and that 
the airline ``might require a brief period of time to verify 
your information. The process should not result in extensive 
delay.''
    On the day the flight was scheduled to leave, I very 
pessimistically arrived 3 hours ahead of time at Delta 
Airlines. Fortunately, since I was a business class traveler, I 
could luxuriate in the surroundings of a nice lounge but 
finally boarded.
    My concern today is for less fortunate travelers without a 
congressman and his staff to get through quickly to the right 
person in TSA. Suppose it was someone who was booking a last-
minute flight in response to a family emergency. You wanted to 
be at the bedside of a dying mother or other family member. How 
well could that hypothetical traveler cope with the kind of 
requirements that apparently now are sufficient to put you on 
this list?
    I raise these questions, and this is not in high judgment 
and high designation. I appreciate what the chairman said, it 
is important to identify terrorists before they board an 
aircraft, and there have to be some procedures in place, but 
should not the TSA have procedures in place that anticipate the 
difficulty that I have only cursorily outlined, and have they 
kept this committee and others who have a valid interest 
properly informed as to what criteria they employ to put a 
person's name on a list of a possible suspect of terrorist 
activity?
    All kinds of lists in this country, best dressed people, 
most highly compensated chief executives, but when the 
government starts preparing lists, they ought to be very 
careful, it seems to me, any government agency, who it is they 
include.
    And, believe me, this is the first time I have ever done 
this. Last night, I just had the idle thought cross my mind, I 
wonder, oh, what Google would say about me. So I said to my 
wife sitting there at the home desktop computer, ``Google in 
John B. Anderson and see what comes up.'' Well, I have sheet of 
papers here, I think there are 16 pages in all, about John B. 
Anderson, me--the books that I have written, the articles that 
I have written, the places I have visited, et cetera, et 
cetera, more than you would ever want to know.
    So if I could find that out that quickly, why should not 
some simple Googling of it--and I appreciate the fact that I 
have a common surname. This has bothered my son who has had to 
suffer some of the indignity because he is John B. Anderson, 
Jr. But if we can that easily acquire a load of information 
about who we are and distinguish us from other John Andersons 
and when I have closed a real estate deal in Washington from 
time to time, I have had to endure the fact that there are few 
John Andersons with judgments against them that I had to 
explain.
    So I can see that there is a problem with people with a 
fairly common surname, but I think the ease with which I was 
able to produce the kind of information that ought to help the 
Agency decide whether or not to include that name along with a 
lot of other people on the no-fly list probably needs some 
reexamination.
    Thank you, Mr. Chairman.
    [The statement of Mr. Anderson follows:]

              Prepared Statement of Hon. John B. Anderson

    Mr. Chairman, Ranking Member Thompson and members of the 
Subcommittee, I am pleased the Committee has undertaken this review of 
the Transportation Security Agency's establishment of a no-fly list in 
its regulation of air transportation.
    Earlier this year, I accepted the invitation of the Former Members 
of Congress Association, a group of which I am a member, to travel to 
the Federal Republic of Germany under a program which they were 
conducting with the aid of the German American Marshall Fund and 
coordinated with the assistance also of the Council on Excellence in 
Government.
    Our itinerary embraced cities like Frankfurt Am Rhein, Cologne, 
Bonn, Frankfurt Am Oder and Berlin. It involved visits to German 
Universities and contacts with both their students and faculty.
    Some days before our departure on April 23, 2005, the group 
arranging my ticketing notified me and travel arrangements that I was 
on a no-fly list and Delta Airlines would not issue the ticket prior to 
the departure date until my status was clarified.
    As a registered voter for some years now in Florida, I contacted 
Congressman Clay Shaw's office, went to his office on Capitol Hill and 
with the help of his staff, submitted four items of identification 
including, voters card, drivers license, passport, former Members of 
Congress identification card and some days later received a 
communication from the Office of the Ombudsman saying that following 
the receipt of my Passenger Identity Verification (PIV) Form and their 
subsequent investigation ``the TSA has verified your identity.
    Accordingly, we have provided sufficient personal information to 
the airlines to distinguish you from other individuals and assist them 
in issuing your boarding pass more efficiently.''
    The following paragraph said that notwithstanding this you should 
have certain documents, one or more, to ``help expedite receipt of a 
boarding pass'' and that the airline ``might require a brief period of 
time to verify your information but the process should not result in 
extensive delay.''
    My concern today is for less fortunate travelers without a 
Congressman and his staff to get through quickly to the right person at 
TSA. If the flight booking was in response to a family emergency or for 
some other reason where delay would be serious, how well can that 
hypothetical traveler cope? If the person with a common surname arrives 
at the airport ticket counter without the availability of the 
expeditious advance work of someone like my friend Congressman Shaw, 
how well would they fare? Should TSA have procedures in place that 
anticipate the difficulty I have only cursorily outlined? Why should 
not persons identified by TSA as being ``of interest'' and possible 
connections with terrorist activities be forewarned? Has TSA kept this 
committee and others who have a valid interest properly informed as to 
the standards they employ in describing someone as a person of interest 
to law enforcement authorities, and therefore a candidate for the ``no-
fly list''?
    Mr. Chairman, I again appreciate this opportunity to provide 
written testimony.

    Mr. Lungren. I thank the gentleman for his testimony.
    I might just mention to the gentleman for the record that 
we were contacted by the congressional office in your 
particular case, and the lady sitting directly behind me, Ms. 
Winsome Packer, handled that, but I might say she worked on it 
for about a week with TSA to go through all the steps. And as 
you suggest, I doubt most Americans would have that ability or 
time to do that sort of thing, particularly under the 
circumstances you mentioned.
    Mr. Dicks. Would the chairman yield just for a comment?
    Mr. Lungren. Yes, I will.
    Mr. Dicks. As I understand it, even after you do all that--
I have had three of four constituents of mine with very similar 
names, Thompson, for example, and even once you have gone 
through all it, which you have done, you still have to go in 
early and report to the desk because they have got to go 
through this and check you out again the next time you fly.
    Mr. Anderson. I think that is true. The letter from TSA 
suggests as much, that you should be prepared with one or more 
forms of identification, which to me indicates that I probably 
would still have some delay, but hopefully they say it is not 
going to be extraordinary.
    Mr. Lungren. Well, the good news, John, is you are not 
forgotten.
    [Laughter.]
    Mr. Anderson. That I appreciate.
    Mr. Lungren. I thank you for your testimony.
    The Chair now recognizes Mr. James May, president and chief 
executive officer of the Air Transport Association, to testify 
in his statement for 5 minutes.

STATEMENT OF JAMES MAY, PRESIDENT AND CHIEF EXECUTIVE OFFICER, 
                   AIR TRANSPORT ASSOCIATION

    Mr. May. Thank you, Mr. Chairman.
    In 2001, the Air Transport Association pledged its support 
of appropriate government efforts to utilize available 
information to improve the effectiveness and the efficiency of 
passenger pre-screening. As we said then, we believe that a 
security system premised on looking at people, not at things, 
is most likely to produce the results that we all need.
    Four years later, things have not progressed as far as any 
of us would have hoped. The list of programs that never quite 
came to fruition goes on as we keep circling the same issues: 
CAPPS I, CAPPS II, Registered Traveler, Secure Flight. We could 
go on with a long list of those programs that have not yet 
quite come to fruition.
    And so I think it is time for this committee to push TSA to 
either fish or cut bait and make the changes that are necessary 
to these programs.
    We are cautiously optimistic that TSA reports of progress 
in the development of Secure Flight, however. We see Secure 
Flight as improving both the quality of security and the 
passenger experience, and I think it has the potential, at 
least, to reduce the number of times that Mr. Anderson would 
have to go through an unfortunate experience, as he did.
    There remain some very challenging implementation issues 
ahead, but I think the picture does hold promise. This can only 
be made to work, however, if there is real leadership from this 
committee, the Congress and the administration as to what it 
will take. Let me give you a couple of thoughts on the 
challenges.
    First, I think we need agreement on data collection, not 
just for Secure Flight, but across the entire spectrum of 
Department of Homeland Security agencies. We need consistent, 
not duplicative or competing requirements. If CBP, the Customs 
and Border Patrol people, are going to collect information for 
one program, then TSA ought to have a very consistent 
collection format for their programs.
    Secondly, I think it needs to be understood that this is a 
massive undertaking and that sufficient time and resources need 
to be made available to resolve any of an array of technology, 
operational, economic and policy questions which are presented, 
not the least of which is privacy.
    And third, action has to be taken by government to 
eliminate the unnecessary selection of passengers due to poorly 
maintained and poorly vetted lists. That is exactly what Mr. 
Anderson talked about.
    Finally, in order for Secure Flight to succeed, TSA must 
negotiate some extremely challenging privacy issues, as it 
looks to developing information management as a tool against 
the threat of aviation terrorism. To assist the process, 
Congress should be clear as to precisely what privacy issues 
need to be addressed, and there must be a clear and effective 
resolution of international privacy concerns.
    As I said, we are optimistic about the potential for Secure 
Flight. We think it warrants real support, but there are many 
challenges ahead.
    Having said that, while we believe there could also be 
merit in a voluntary traveler identification program, we are 
not persuaded of the merits of what has become the Registered 
Traveler, or RT Program. And I think the problem is that TSA 
has never been able to provide a definition of program 
participation benefits. They remain ambivalent as to whether or 
not this should be a true security program or some type of 
passenger perk program. In our judgment, to be successful, we 
need to know what exactly the program will provide 
participants, and it must be a true security program as well. 
Without that information, I think RT is going to be a non-
starter.
    And, finally, I would like to address the issues presented 
by the concept that has come to be known as APIS-60. Under this 
program, passenger passport data is batched and transmitted to 
the government within 15 minutes of departure of U.S.-bound 
international flights. Now, that information is used to vet 
passengers prior to arrival.
    In the post-9/11 world, DHS and others have expressed a 
strong interest in receiving APIS data 60 minutes prior to the 
flight's departure. We have been engaged with CBP and others to 
improve that process.
    I will not go into the complexities, but the bottom line is 
that if we are required to present information 60 minutes in 
advance of departure when we frequently only get it a half hour 
in advance of departure for many connecting passengers, it is a 
program that is doomed to fail.
    We have looked for alternatives that will address both 
security and operational concerns, the most desirable approach 
in our view would be to develop a real-time interactive ``go/
no-go process.'' There is a program that the Australians and 
the New Zealanders have had in effect, the Canadians are about 
to adopt it, that we think provides the model.
    In conclusion, Mr. Chairman, I would like to emphasize 
three critical points. First, the airline industry's commitment 
to security is absolute. Second, we applaud and endorse 
Congress' recognition that aviation security is national 
security and ought to be funded accordingly.
    Third, and finally, we urge this committee to push 
aggressively to streamline, simplify and consolidate the 
multiple, diverse but heretofore uncoordinated programs 
requiring collection of passenger information. These programs 
must be harmonized in order to best leverage the available 
information and investment. We would also encourage a review of 
the Privacy Act restrictions to be certain they provide an 
appropriate framework for dealing with post-9/11 and security 
concerns.
    Thank you.
    [The statement of Mr. May follows:]

                   Prepared Statement of James C. May

    In November of 2001, the Air Transport Association pledged its 
support of appropriate government efforts to utilize passenger 
information and available government and public data to improve both 
the effectiveness and the efficiency of passenger pre-screening. As we 
said then, and have heard echoed repeatedly since, we believe that a 
security system premised on ``looking at people and not things'' is 
most likely to produce the results we all need. At that same time, we 
called for the establishment of a voluntary traveler-identification 
program to further expedite security processing for those opting to 
participate. We remain convinced that both programs have significant 
potential in terms of further improving the level of security, 
maximizing the utility of Transportation Security Administration (TSA) 
resources and enhancing passenger convenience.
    Now, however, almost four years later, while we remain committed to 
these goals, it is no secret that things have not progressed as far as 
any of us would have hoped. CAPPS II, Secure Flight, Known Traveler, 
Registered Traveler--the list of programs that never quite come to 
fruition goes on, as we keep circling the same issues. In our view, it 
is time as they say ``to fish or cut bait.''
    We are cautiously optimistic at TSA reports of real progress in the 
development of Secure Flight. We see Secure Flight as a very valuable 
addition--improving both the quality of security and the passenger 
experience. There remain, by universal acknowledgement, some very 
challenging implementation issues ahead but the picture right now holds 
promise. This can only be made to work, however--to come to a different 
end than its multiple predecessors--if there is real leadership from 
this committee, the Congress and the administration. We are committed 
to a successful Secure Flight program--but we must have the leadership 
commitment to get this done.
    As to what it will take to make this work, let me provide you with 
a few thoughts on the challenges:
    First, we need agreement on data collection--not just for Secure 
Flight, but across the spectrum of Department of Homeland Security 
(DHS) agencies. We need consistent, not duplicative or competing, 
requirements and it must be clear that all participants in the 
reservation process share data-collection obligations, including travel 
agents and Global Distribution Systems;
    Second, it must be clearly understood that this is a massive, very 
challenging undertaking and that sufficient time and resources must be 
available to bring a successful outcome; this includes a complete and 
cooperative analysis and implementation agreement treating an array of 
technological, operational, economic and policy questions that must be 
resolved by both government and industry before any final decisions are 
made. This cannot work with unreasonable timelines or mandates;
    Third, whether we are dealing with names of interest under an 
eventual Secure Flight program, or the current Watch List system, 
action must be taken by the government to eliminate the unnecessary 
selection of passengers due to poorly maintained and poorly vetted 
lists. Names on any list should only be there with good and sufficient 
reason. Steps in this direction are currently underway, however, this 
process must be completed and institutionalized going forward; and 
finally, in order for Secure Flight to succeed, TSA must negotiate some 
extremely challenging privacy issues as it looks to developing 
information management as a tool against the threat of aviation 
terrorism: To assist the process, Congress should be clear as to 
precisely what privacy issues need to be addressed to fully protect 
legitimate passenger interests and yet still permit appropriate uses of 
data. On a related front, there must be a clear and effective 
resolution of international privacy concerns before implementation.
    As I said, we are cautiously optimistic about the potential for 
Secure Flight and see it as a vast improvement over the current Watch 
List protocols--from a security perspective, from a service perspective 
and from a privacy perspective. In our judgment, it warrants real 
support.
    Having said that, while we believe there could also be merit in a 
voluntary traveler identification program, we are not persuaded at this 
point of the merits of what has come to be called ``Registered Traveler 
(RT).'' The problem is fundamental--the TSA has never been able to 
provide a definition of program participation benefits. TSA remains 
ambivalent as to whether this should be a true security program or some 
type of passenger ``perk.'' In our judgment, to be successful, we need 
to know exactly what the program will provide participants. Those 
benefits must be interoperably available at all airports and it must be 
a true security program. Until it is known exactly what is intended, 
with specificity, it is not possible to quantify the value of an RT 
program--or, as a result, get any real understanding of the appropriate 
size of any investment in its development. Without this information, RT 
is a non-starter and warrants no further attention until these 
fundamental questions are answered.
    Finally, I would like to address the issues presented by the 
concept that has come to be known as APIS-60. For those not acquainted 
with this issue, it arises from a long-established legacy Customs and 
Immigration Advanced Passenger Information System program. Under that 
program, passenger passport data is batched and transmitted to the 
government within fifteen minutes of departure of U.S.-bound 
international flights, for vetting prior to arrival.
    In the post-9/11 world, DHS and others have expressed strong 
interest in receiving this data--which would be cross-checked with 
various watch lists--sixty minutes prior to a flight's departure. Since 
we first learned of the government's interest in such a program in 
March of 2004, we have been engaged in extended discussions, testing 
and exploration of the issue with DHS and its Customs and Border 
Protection experts.
    While in the interest of time, I will not detail the complexities 
of this issue, at an elementary level the problem is that the airlines 
typically do not have reliable passenger passport data until the 
passenger presents his or her documents at check-in. Uninformed or 
unrealistic demands for this information prior to departure could be 
exceptionally destructive.
    While many international travelers do arrive two hours or more in 
advance of a flight, late-arriving passengers, particularly connecting 
passengers, may not present themselves until minutes before departure. 
As a result an APIS-60 requirement would significantly impact industry 
operations and economics on a global scale, either through massive 
schedule inefficiencies or, more likely, by ``disconnecting'' 
passengers on a wholesale basis.
    Because of these functional realities we have looked for 
alternatives that will address both security and operational concerns. 
The most desirable approach, in our view, would be to develop a real-
time, interactive, ``go/no-go'' process that would permit passport data 
to be swiped and transmitted, and an answer provided on the spot--not 
unlike approval of a credit-card transaction. The Australian government 
utilizes a process along these lines for pre-approving passengers 
traveling to Australia from anywhere in the world. While, without 
question, the scale of travel to and from the United States is orders 
of magnitude larger, and a U.S. system would be significantly more 
complex, we believe this real-time approach would be infinitely more 
practical than any alternative. Should that prove unworkable, however, 
we believe that other alternatives should be explored including 
``rolling'' transmissions of APIS data as a flight builds to 
departure--leaving only a modest percentage of passengers for last-
minute clearance or, conceivably, an earlier collection of APIS data. 
We recently advised Secretary Chertoff of our commitment to working 
with the department to develop a practicable solution and, we remain 
committed to this goal.
    In conclusion, I would like to emphasize three critical points:
    First, the airline industry's commitment to security is absolute--
we fully recognize that the security and safety of our operations must 
be unquestionable; at the same time, we are committed to the protection 
of our customers' legitimate privacy interests.
    Second, we recognize that, particularly with regard to security, 
Congress's recognition that aviation security is national security 
necessitates the government's integral involvement in our business. 
This in turn, necessitates our common reliance on strong professional 
leadership that understands the imperative for fully integrating 
security into the complex, but essential, provision of air 
transportation. Fortunately, with the leadership team in place at the 
Department of Homeland Security and the anticipated return of Mr. 
Hawley to direct TSA, we have the administration's leadership team 
uniquely well-positioned and;
    Third and finally, we urge this committee, working with the full 
Congress and the administration, to push aggressively to streamline, 
simplify and consolidate the multiple, diverse--but heretofore 
uncoordinated--programs requiring collection of passenger information 
to facilitate one or another security goal. These programs must be 
harmonized in order to best leverage the available information and 
investment, and they may also warrant consideration of a review of 
Privacy Act restrictions to be certain they provide an appropriate 
framework for dealing with post-9/11 privacy and security issues.
    Thank you for the opportunity to appear before you today. I will be 
happy to respond to questions.

    Mr. Lungren. Thank you, Mr. May.
    The Chair would now recognize Mr. Paul Rosenzweig, the 
senior legal research fellow at the Heritage Foundation, for 
his testimony.

  STATEMENT OF PAUL ROSENZWEIG, SENIOR LEGAL RESEARCH FELLOW, 
             CENTER FOR LEGAL AND JUDICIAL STUDIES

    Mr. Rosenzweig. Thank you very much, Mr. Chairman, and 
thank you for the invitation to appear.
    As a lookout, I should note at the beginning that I also 
serve on the Department of Homeland Security's Data Privacy and 
Integrity Advisory Committee, but nothing I say here is that 
Committee's view. I speak for myself only.
    I would like to step back a minute and reflect where we 
were 20 years ago. Twenty years ago, you could get on a shuttle 
flight to New York from Washington and fly without showing any 
identification and pay cash. You could fly anonymously, 
essentially. I think it is impossible to imagine returning to 
that system for obvious national security reasons, and aviation 
is, as Mr. May said, part of national security.
    So the bottom line is we need to identify people who fly, 
and we do that today. The question is whether or not we are 
doing it the right way and whether or not we can do it better. 
Today, I would submit we are doing it in a way that is no 
longer terribly effective. We have a CAPPS I system that uses 
behavioral rules that, as the chairman said in his opening, are 
fairly well known outside of TSA and thus fairly ineffective 
and fairly easy to avoid. And we have a no-fly list watch 
matching system that, as Mr. Anderson's experience shows, is 
ineffective and catches the wrong people.
    Why does the current system not work? Well, first, because 
of national security concerns, we cannot share the full TSC 
watch list with the airlines who are currently responsible for 
doing the matching. Second, each airline administers the watch 
list differently, and so there is no single common standard for 
defining what is in fact a watch list match.
    Third, each airline uses different automated matching 
programs, they use different computer programs and different 
systems. So there is actually a high variability in who gets 
matched. Who gets matched at Delta may indeed be different than 
who gets matched at American, and certainly amongst the smaller 
airlines.
    And, finally, because the lists are administered in the end 
by the airlines, there is no single system or standard list of 
cleared passengers so that they cannot propagate the list of 
clearances--like the clearance for Mr. Anderson--cannot 
propagate out to the airlines effectively.
    The current system that we have in place of the no-fly list 
is inefficient, both because it inconveniences innocent 
travelers like Mr. Anderson but also because it is a waste of 
resources. Every time we spend time clearing Mr. Anderson again 
or subjecting someone in his situation to additional secondary 
screening, we are wasting time and money of TSA screeners that 
ought to be directed at those who are truly ambiguous on 
potential threats.
    Thus, I think that the testing program that we are 
undertaking now to see whether or not a more refined watch list 
can be used is the right way to go. Preliminary results are at 
least suggestive of success. With the addition of a simple date 
of birth field, it is estimated that we can reduce the number 
of matches on the watch list by roughly 60 percent. If that is 
true, if that actually proves to be the case, that would be 
a huge success. It would reduce from roughly 35,000 to 14,000 a 
day the number of people who are in this close match list, not 
secondary screenings but for people who are really people of 
interest. And if we can do that, that would be a great thing.
    Now, the system is obviously undergoing testing. We have 
not determined yet whether or not this proof of concept can be 
implemented in a broader range, addressing 1.8 million 
passengers per day, and we also need to get right issues like 
Privacy Act notice disclosures, like Mr. Thompson mentioned, 
and a fully integrated redress procedure so that when Mr. 
Anderson goes through the process once and gets cleared, that 
should be the end of it.
    We need to develop the technological system of tethering 
information back to its original source so that when the 
correction is entered, Mr. Anderson, with the addition of his 
date of birth or some other uniquely identifying number, 
becomes a cleared person who can sail through without any 
additional clearing.
    That is technologically possible, I believe, and it is 
ahead of us. Are we there yet? I do not think so. But is the 
Secure Flight Program a promising alternative to our current 
system, which I think everyone agrees is only somewhat 
functional? Absolutely.
    So I commend the committee for its attention to the 
program, and I commend it for staying on top of TSA in 
monitoring its implementation of the program as we go through 
testing.
    Thank you very much, Mr. Chairman.
    [The statement of Mr. Rosenzweig follows:]

                  Prepared Statement of Paul Rosenzweig

                        The Heritage Foundation

    Good morning Mr. Chairman and Members of the Subcommittee. Thank 
you for the opportunity to testify before you today on the challenge of 
maintaining the balance between security and constitutionally protected 
freedoms inherent in responding to the threat of terror, in the 
particular context of the Transportation Security Administration's 
(TSA's) proposed Secure Flight system.
    For the record, I am a Senior Legal Research Fellow in the Center 
for Legal and Judicial Studies at The Heritage Foundation, a 
nonpartisan research and educational organization. I am also an Adjunct 
Professor of Law at George Mason University where I teach Criminal 
Procedure and an advanced seminar on White Collar and Corporate Crime 
and I serve on the Editorial Board of the Journal of National Security 
Law and Policy.
    I am a graduate of the University of Chicago Law School and a 
former law clerk to Judge R. Lanier Anderson of the U.S. Court of 
Appeals for the Eleventh Circuit. For much of the first 13 years of my 
career I served as a prosecutor in the Department of Justice and 
elsewhere, prosecuting white-collar offenses. During the two years 
immediately prior to joining The Heritage Foundation, I was in private 
practice representing principally white-collar criminal defendants. I 
have been a Senior Fellow at The Heritage Foundation since April 2002.
    I should also note that I serve as Chairman of the Department of 
Homeland Security's Data Privacy and Integrity Advisory Committee. This 
group is constituted to advise the Secretary and the DHS Chief Privacy 
Officer on programmatic, policy, operational, administrative, and 
technological issues within DHS that affect individual privacy, as well 
as data integrity, data interoperability and other privacy-related 
issues.
    Nothing in my testimony, oral or written, reflects the views of the 
Privacy Advisory Committee or any other member of the Committee. My own 
views, however, are certainly informed by my service on that Committee 
and the information I learn there. We heard testimony earlier this 
month, for example, at a hearing in Boston, about many of the 
Department's screening programs, including Secure Flight.
    More broadly, my perspective on the question before you is that of 
a lawyer and a prosecutor with a law enforcement background, not that 
of a technologist or an intelligence officer/analyst. I should hasten to 
add that much of my testimony today is based upon a series of papers I 
have written (or co-authored) on various aspects of this topic and 
testimony I have given before other bodies in Congress, all of which 
are available at The Heritage Foundation website (www.heritage.org). 
For any who might have read portions of my earlier work, I apologize 
for the familiarity that will attend this testimony. Repeating myself 
does have the virtue of maintaining consistency--I can only hope that 
any familiarity with my earlier work on the subject does not breed 
contempt.
    In this testimony, I want to do four things: summarize the history 
of the Secure Flight program; discuss the anticipated utility of Secure 
Flight and the most controversial aspect of its architecture, the 
possible use of commercial data to verify identity; discuss privacy 
impact compliance as a necessary condition for implementation; and 
finally, discuss the question of redress.

I. A Bit of History
    One common critique offered by skeptics of new initiatives to 
combat terrorism is the concern that advances in information technology 
will unreasonably erode the privacy and anonymity to which American 
citizens are entitled. They fear, in effect, the creation of an 
``electronic dossier'' on every American. Attention to this issue has 
particularly focused on TSA's proposal to use an enhanced information 
technology program to screen airplane passengers. That program, known 
as Secure Flight, is intended to identify every passenger to determine 
his or her presence on a watch list for screening or to be denied 
access to the plane.
    Since September 11th the aviation industry has undergone many 
changes to strengthen airport security. The TSA was created and placed 
in charge of passenger and baggage screeners (who are now federal 
employees). It has been using explosives detection systems on 90 
percent of checked baggage and substantially expanded the Federal Air 
Marshal Service. However, little has been done to determine whether a 
person seeking to board an aircraft belongs to a terrorist organization 
or otherwise poses a threat. In order to meet this objective, the 
Transportation Security Administration is developing the Secure Flight.
    Most of the changes made in airport security have focused on 
looking for potential weapons (better examination of luggage, more 
alert screeners) and creating obstacles to the use of a weapon on an 
aircraft (reinforced cockpit doors, armed pilots, etc). A computer-
aided system would improve the TSA's ability to assess the risk a 
passenger may pose to air safety.
    CAPPS I: The original, limited CAPPS I system was first deployed in 
1996 by Northwest Airlines. Other airlines began to use CAPPS I in 
1998, as recommended by the White House Commission on Aviation Safety 
and Security (also known as the Gore Commission).\1\ In 1999, 
responding to public criticism, the FAA limited the use of CAPPS I--
using it only to determine risk assessments for checked luggage 
screening. In other words, between 1999 and September 2001 CAPPS I 
information was not used as a basis for subjecting passengers to 
personal searches and questioning--only for screening checked bags. As 
a consequence even if CAPPS I flagged a high-risk passenger he could 
not be singled out for more intensive searches.
---------------------------------------------------------------------------
    \1\ See White House Commission on Aviation Safety and Security 
(Feb. 12, 1997) (available at http://www.airportnet.org/depts/regulatory/
gorefinal.htm).
---------------------------------------------------------------------------
    After September 11 CAPPS I returned to its original conception and 
is now again used to screen all passengers along with their carry-on 
and checked luggage. However, the criteria used to select passengers, 
such as last-minute reservations, cash payment, and short trips are 
over inclusive. This is a very crude form of pattern-recognition 
analysis. So crude that it can flag up to 50% of passengers in some 
instances, mainly in short haul markets.\2\ These criteria are also 
widely known and thus readily avoided by any concerted terrorist 
effort. Nor does CAPPS I attempt to determine whether or not the 
federal government has information that may connect a specific 
prospective passenger with terrorism or criminal activity that may 
indicate they are a threat to the flight. And it is costly--I've heard 
informal estimates as high as $150 million per year for domestic 
airlines to operate the system. As a result, we are wasting resources: 
it's likely that if Osama bin Laden tried to board a plane today CAPPS 
I would not identify him for arrest or further inspection.\3\
---------------------------------------------------------------------------
    \2\ See Robert W. Poole, Jr. & George Passantino, ``A Risk-Based 
Airport Security Policy'' Reason Public Policy Institute at 11 (May 
2003).
    \3\ It has been reported that the CAPPS I system was partially 
effective, flagging nine of the 19 September 11 terrorists for 
additional screening. See National Commission on Terrorist Attacks Upon 
the United States, ``The Aviation Security System and the 9/11 Attacks: 
Staff Statement No. 3'' (Jan. 27, 2004) (available at 
http://www.9-11commission.gov/hearings/hearing7/staff_statement_3.pdf); 
see also Sara Goo and Dan Eggen, ``9/11 Hijackers Used Mace and Knives, 
Panel Reports,'' Wash. Post at A1 (Jan. 28, 2004) (summarizing report). To the 
extent that is true it emphasizes both that some form of screening can 
be effective, that the limitation to bag-only screening was unwise, and 
that however effective electronic screening might be, the human element 
will always be a factor in insuring the success of any system.
---------------------------------------------------------------------------
    The Current System: In the immediate aftermath of September 11 it 
quickly became obvious that the failure to make any matching effort was 
problematic. The existing watch lists were disjointed and inconsistent 
and could not be effectively shared with airlines (for fear of 
disclosing sensitive or confidential national security information). 
But some watch list matching was, rightly, deemed necessary.
    To meet that perceived need the Administration took two steps. 
First, it created the Terrorist Screening Center in an effort to 
consolidate and coordinate the multiple government-wide watch lists. 
Second, the Administration created a system whereby watch list names 
were shared with individual airlines for them to match against their 
own customer lists.
    This current system is problematic for several reasons:
         Most saliently, because of the national security 
        sensitivity of the watch lists only a portion of the lists can 
        be shared;
         Because each airline administers the watch list 
        matching differently, there is no single common standard for 
        defining a watch list ``match'';
         Because each airline uses different automated matching 
        programs, there is a high variability in the matching 
        operational methodology; and
         Because of differing programs and standards a list of 
        ``cleared'' passengers who are on the watch list cannot be 
        readily propagated throughout the system (no doubt the cause, 
        for example, of Senator Kennedy's persistent screening).
    Recognizing the inadequacy of the system and the waste of resources 
that attends the disutility of screening those who do not need to be 
screened, TSA began developing potential replacement systems. In the 
post-9/11 world the question is not really whether we will watch list 
match, but how best to do it.
    CAPPS II Proposed: The TSA reasonably believes that screening what 
a passenger is carrying is only part of the equation and began 
developing CAPPS II as a successor to CAPPS I in order to determine 
whether the individual poses a threat to aviation security. CAPPS II 
was intended to use government intelligence and law enforcement 
information in order to assign risk levels to passengers based on real 
information not arbitrary models. The TSA would then be able to devote 
more of its resources to those with a higher score (indicating they 
pose a greater risk), than those deemed to be a lesser concern 
(although some degree of randomness will need to be retained).
    In January 2003, TSA released a Privacy Act notice for CAPPS II, 
the successor to CAPPS I.\4\ Many critics raised substantial concerns. 
Some thought that CAPPS II, as originally proposed, was too broad in 
scope and could infringe on passengers' privacy. Others were concerned 
that the government should not rely on potentially flawed commercial 
data to prevent individuals from traveling by air. Some asserted that 
the use of knowledge discovery technologies on a wide variety of 
personal data could pose privacy and civil liberty violations. Finally, 
many wondered if individuals would be able to challenge their score.
---------------------------------------------------------------------------
    \4\ See 68 Fed. Reg. 2101 (Jan. 15, 2003).
---------------------------------------------------------------------------
    In August 2003, TSA made available an Interim Final Privacy Notice 
on CAPPS II, which included substantial modifications to the initial 
proposal based on many of the concerns voiced in response to the first 
Privacy Notice.\5\
---------------------------------------------------------------------------
    \5\ See 68 Fed. Reg. 45265 (Aug. 1, 2003).
---------------------------------------------------------------------------
    Under the Interim Notice, TSA would not keep any significant amount 
of information after the completion of a passenger's itinerary. 
Furthermore, TSA promised to delete all records of travel for U.S. 
citizens and lawful permanent residents a certain number of days after 
the safe completion of the passenger's travels (7 days is the current 
anticipation). TSA also committed to developing a mechanism by which a 
passenger targeted for more thorough screening can seek to set the 
record straight if they think they have been identified in error.
    More importantly, the CAPPS II system addressed privacy concerns by 
severely limiting the types of private information collected and the 
way in which commercial data will be examined. The proposed CAPPS II 
system would have accessed only a ``passenger name record'' (PNR), 
which includes information collected at the time the passenger makes 
the reservations, prior to the flight. Selected PNR information 
(including name, address, date of birth, and telephone number) was to 
be transmitted to commercial data providers for the sole purpose of 
authenticating the passenger's identity. This process would be similar 
to the credit card application procedure used to check for fraudulent 
information.
    Secure Flight--In 2004, TSA again modified its pre-screening 
program, now renaming it Secure Flight. According to a Privacy Impact 
Assessment and Systems of Records Notice published in September 2004, 
the principal difference between Secure Flight and CAPPS II was to 
further tighten the privacy protections and to split into two distinct 
pieces the operational components of the system.\6\ One part of the 
system would match PNR data to existing Terrorist (and other ``no-
fly'') watch lists. The second part would test whether the fidelity of 
PNR data (that is the clarity with which the data unambiguously 
identifies a single unique individual) could be enhanced through the 
use of commercial data bases.\7\ Consistent with those notices, and 
with the Congressional mandate to do so,\8\ Secure Flight began a test 
of its system using historical data from June 2004 provided under order 
by the airlines.
---------------------------------------------------------------------------
    \6\ 69 Fed. Reg. 57345 (SORN, 57352) (PIA) (Sept. 24, 2004).
    \7\ A more detailed summary of the differences between CAPPS II and 
Secure Flight can be found in GAO, Secure Flight Development and 
Testing Under Way but Risks Should Be Managed as System is Further 
Developed, at Table 3 (GAO-05-356, March 2005).
    \8\ In the Intelligence Reform and Terrorism Prevention Act of 
2004, Congress mandated testing of a passenger pre-screening program. 
See IRTPA, Pub. L. No. 108-458, Sec. 4012, 118 Stat. 3638, 3714-19 
(2004) (TSA directed to ``commence testing of an advanced 
passenger prescreening system. . .utilizing all appropriate records in 
the consolidated and integrated terrorist watchlist maintained by the 
Federal Government'').
---------------------------------------------------------------------------
    The results of this testing have not yet been fully disclosed. In 
public remarks, however, TSA representatives have stated that the watch 
list matching portion of the project appears to have worked well, both 
in effectively matching PNR data with watch list information and in 
stress testing to demonstrate that the system is capable of handling 
the volume of inquiries anticipated.
    The best estimate is that after automated clearances, carriers 
operating independently have approximately a 2% ``close'' match rate--
that is a rate that requires further inquiry and human intervention. 
This means that, on average there are 35,000 matches per day (assuming 
an average of 1.8 million travelers each day). Preliminary results 
suggest that with an ``in-house'' matching system run by TSA and with 
the addition of only the date of birth of an individual, this close 
match rate can be reduced by 60% to 0.8% of the travelling public--an 
average of 14,000 matches each day. If so, this will be a substantial 
improvement--and the use of commercial data has the potential to drive 
the number even lower, though testing is still ongoing.
    Controversy has arisen regarding the program in the past few weeks, 
however, concerning its compliance with the original System of Records 
Notice (SORN) published in the Federal Register. The deviation was 
sufficiently great that TSA recently amended the notice of the scope of 
the system of records. In the original SORN \9\ the system included 
only PNRs; information from the Terrorist Screening Center (TSC); 
authentication scores and codes from commercial data providers; and the 
results of comparisons between individuals identified in PNRs and the 
TSC watch list. The revised SORN,\10\ issued last week, adds two new 
categories of information held in the system of records:
---------------------------------------------------------------------------
    \9\ 69 Fed. Reg. 57345 (Sept. 24, 2004).
    \10\ 70 Fed. Reg. 36319 (June 22, 2005).
---------------------------------------------------------------------------
        PNRs that were enhanced with certain information obtained from 
        commercial data--full name, address, date of birth, gender--and 
        that were provided to TSA for purposes of testing the Secure 
        Flight program; [and]
    Commercial data purchased and held by a TSA contractor for purpose 
of comparing such data with June 2004 PNRs and testing the Secure Flight 
program.
    The Privacy Officer has announced an investigation of Secure Flight 
to examine whether the actions which necessitated the modification of 
the SORN constituted a violation of Departmental privacy policies or 
law.

II. Secure Flight and Commercial Data
    Why Secure Flight?--The Secure Flight program poses some 
interesting and challenging problems in adapting the law to new 
technology and the realities of new technology to the law. First, if 
Secure Flight is to be effective its hallmark will be the idea that 
some form of ``result'' will necessarily be immediately available to 
TSA screeners on a ``real-time'' basis so that they can make near-
instantaneous decisions regarding whom to screen or not screen prior to 
allowing passengers to board the aircraft. If Secure Flight were 
designed so that detailed personal information on each passenger were 
transmitted to every TSA screener, all would agree that the 
architecture of the system did not adequately protect individual 
privacy. The analysis passed by the Secure Flight system to TSA 
employees at the airport must be (and under current testing plans, will 
be) limited to a reported color code--red, yellow or green--and should 
not generally identify the basis for the assignment of the code.
    Thus, Secure Flight proposes to precisely reverse the privacy 
protection equation being developed in other contexts. To protect 
privacy, other information technology programs disaggregate analysis 
from identity by making the data available to the analyst while 
concealing the identity of the subject of the inquiry unless and until 
disclosure is warranted. In the reverse of this paradigm, Secure Flight 
will disclose the identity of the potential threat (through a red/
yellow/green system displayed to the screener, warning of a particular 
individual) but will conceal from the screener the data underlying the 
analysis--at least until such time as a determination is made that the 
two pieces of information should be combined. The privacy protection 
built into Secure Flight is therefore the mirror image of the more 
common system. It is by no means clear which method of protecting 
privacy is ex ante preferable--but it is clear that the two systems 
operate differently and if we are to have any sort of Secure Flight 
system at all, it can only have privacy protections of the second kind.
    Nor is Secure Flight necessarily a decrease in privacy. Rather, it 
requires trade-offs in different types of privacy. It substitutes one 
privacy intrusion (into electronic data) for another privacy intrusion 
(the physical intrusiveness of body searches at airports). It will 
allow us to target screening resources, while actually reducing the 
number of intrusive searches: Currently 14% of the traveling public are 
subject to some form of secondary screening. Secure Flight may reduce 
that to as low as 4% selected for additional screening.\11\ More 
importantly, Secure Flight will also have the salutary effect of 
reducing the need for random searches and eliminate the temptation for 
screeners to use objectionable characteristics of race, religion, or 
national origin as a proxy for threat indicators.\12\ For many 
Americans, the price of a little less electronic privacy might not be 
too great if it resulted in a little more physical privacy, fewer 
random searches, and a reduction in invidious racial profiling.
---------------------------------------------------------------------------
    \11\ See Transcript of Media Roundtable with DHS Under Secretary 
Asa Hutchinson (Feb. 12, 2004) (available at www.tsa.gov).
    \12\ Some purely random searches will need to be retained in order 
to maintain the integrity of the inspection system and defeat so-called 
``Carnival Booth'' attacks (named after a student algorithm proposing a 
method of defeating CAPPS). Adding a random factor to the inspection 
regime answers the problem. See Samidh Chakrabarti & Aaron Strauss, 
``Carnival Booth: An Algorithm for Defeating the Computer-assisted 
Passenger Screening,'' (available at http://www.swiss.ai.mit.edu/6805/
student-papers/spring02-papers/caps.htm) (describing program); K.A. 
Taipale, ``Data Mining and Domestic Security,'' 5 Colum. Sci. & Tech. 
L. Rev. 2, at n.285 (2003) (explaining how addition of random screening 
guards against such attacks).
---------------------------------------------------------------------------
    Finally, and perhaps most saliently, Secure Flight is a useful idea 
because it will allow us to focus scarce resources. One of the truly 
significant improvements in homeland security has come from the use of 
risk assessment and risk management techniques to identify salient 
threats and vulnerabilities and target resources (like inspectors) at 
those situations where the threats and vulnerability are greatest. 
Thus, rather than attempt fruitlessly to search every container 
entering the United States, we use information about the shipper, place 
of origin and other factors to select for inspection containers about 
which there is some ambiguity or concern. So, too, with Secure Flight--
we can envision the day when TSA inspectors (and other resources such 
as Air Marshals), are allocated in the way we think best addresses 
actual risks of harm, increasing the chances of catching terrorists and 
minimizing the unnecessary intrusion into people's lives at times and 
places where there is no risk at all. Should Congress have any concerns 
at all about the intrusiveness of individual screening it should, at a 
minimum, recognize the utility of enhanced risk assessment 
technology.\13\ To fail to do so would be even worse than our current 
system.
---------------------------------------------------------------------------
    \13\ Risk assessment need not be used only to identify particular 
individual activity. We could also imagine a world in which Secure 
Flight were used only to identify resource allocation methods--surging 
TSA resources, for example, to at-risk flights or airports without 
particularly singling out an individual for distinct scrutiny.
---------------------------------------------------------------------------
    Which brings us to the final question of effectiveness. Of course, 
before full deployment, Secure Flight needs to demonstrate that it can 
work. It holds great promise--but promise is far different from 
reality. Thus, the ultimate efficacy of the technology developed is a 
vital antecedent question. If the technology proves not to work--if, for 
example, it produces 95 percent false positives in a test environment--
then all questions of implementation may be moot. For no one favors 
deploying a new technology--especially one that impinges on liberty--if 
it is ineffective. Thus, Congress is right to insist that Secure Flight 
be thoroughly tested. Conversely, we are unwise to reject it before 
knowing whether the effectiveness problem can be solved.
    Some critics are skeptical that Secure Flight can ever work, 
characterizing it as the search for a ``silver bullet'' that cannot 
function because of Bayesian probability problems.\14\ That broad 
statistical criticism is rejected by researchers in the field who 
believe that because of the high correlation of data variables that are 
indicative of terrorist activity, a sufficient number of variables can 
be used in any model to create relational inferences and substantially 
reduce the incidence of false positives.\15\ And, in other environments, 
enhanced 
technology allowing the correlation of disparate databases and 
information has proven to have potentially significant positive uses. 
American troops in Iraq, for example, use the same sorts of link and 
pattern analysis, prediction algorithms and enhanced database 
technology that would form a part of Secure Flight to successfully 
track the guerrilla insurgency.\16\
---------------------------------------------------------------------------
    \14\ E.g. Jeffrey Rosen, The Naked Crowd 105-06 (Random House 
2004).
    \15\ See Remarks, David Jensen, ``Data Mining in the Private 
Sector,'' Center for Strategic and International Studies, July 23, 2003; 
David Jensen, Matthew Rattigan, Hannah Blau, ``Information Awareness: A 
Prospective Technical Assessment,'' SIGKDD '03 (August 2003) (ACM 1-
58113-737-0/03/0008).
    \16\ See AP, ``Computer-sleuthing aids troops in Iraq,'' (Dec. 
23, 2003). Any who doubt that, in some form, enhanced information search 
technology can work need only contemplate the recent arrest of LaShawn 
Pettus-Brown, whose date identified him as a fugitive when she 
``Googled'' him. See Dan Horn, ``Fugitive Done in by Savvy Date and 
Google,'' USA Today (Jan. 29, 2004) (available at http://
www.usatoday.com/tech/news/2004-01-29-google-bustx.htm). Compare that 
with the pre-September 11 prohibition (eliminated by the new FBI 
guidelines) on the FBI's use of Google. See L. Gordon Crovitz, 
``Info@FBI.gov,'' Wall St. J. (June 5, 2002). At some fundamental level 
the ultimate question is how to reconcile readily available technology 
in commercial and public use, with the broad governmental monopoly on 
the authorized use of force. Whatever the proper resolution, we cannot 
achieve it by hiding our heads in the sand and pretending that data 
integration technology does not exist.
---------------------------------------------------------------------------
    It is also important to realize that there may be potentially 
divergent definitions of ``effectiveness.'' Such a definition requires 
both an evaluation of the consequences of a false positive and an 
evaluation of the consequences of failing to implement the technology. 
If the consequences of a false positive are relatively modest (e.g. 
enhanced screening), and if the mechanisms to correct false positives 
are robust (as recommended below), then we might accept a higher false 
positive rate precisely because the consequences of failing to use 
Secure Flight technology (if it proves effective) could be so 
catastrophic. In other words, we might accept 1,000 false positives if 
the only consequence is heightened surveillance and the benefit gained 
is a 50 percent chance of preventing the next terrorist flight attack. 
The vital research question, as yet unanswered, is the actual utility 
of the system and the precise probabilities of its error rates.\17\
---------------------------------------------------------------------------
    \17\ One final note--though privacy advocates are concerned about 
the false positives, the existence of an available system also may 
create civil tort liability for the failure to deploy. It is not 
fanciful to imagine tort suits against airlines that either do not 
implement Secure Flight or refuse to cooperate with TSA if by doing so 
they give rise to a false negative.
---------------------------------------------------------------------------
    Commercial Data--One part of the efficacy answer lies in the 
question of the use of commercial data to disambiguate and resolve 
identities. Clearly, it is plausible to believe that the incidence of 
false positives can be reduced by the use of commercial data. Credit 
granting institutions do it all the time. Thus, in theory, there ought 
to be no reason why reliance on commercial data to enhance efficacy 
should be ruled out of bounds.
    Indeed, if using commercial data works to reduce the unnecessary 
screening of correctly identified individuals it will have the salutary 
effect of enhancing privacy. We need, of course, to test this aspect of 
Secure Flight as well to insure that it works, but if it does and if it 
can be implemented in privacy-protective ways, then identity 
verification should be welcomed, not opposed.
    The question then, is whether it can be done in a manner that is 
sufficiently privacy protective. The outlines for such a privacy-
protective system can be seen in the original SORN issued for the 
Secure Flight testing phase. Most notably, that SORN limited the Secure 
Flight system of records to authentication scores and codes provided by 
commercial data providers--in other words, the actual data that forms 
the basis for the authentication score would remain with the commercial 
database and not be transmitted to TSA.
    In my judgment, that system architecture strikes the right balance. 
It allows Secure Flight to take advantage of the commercial 
authentication methodology while minimizing the risk of governmental 
misuse of commercial data. It should be the cornerstone of a broader 
oversight structure to guard against abuse, which would include 
additional components along the following lines:
    Though the details would need, of course, to be further developed, 
the outline of such an oversight system might include some or all of 
the following components:
         Secure Flight should be constructed to include an 
        audit trail so that its use and/or abuse can be reviewed;
         It should not be expanded beyond its current use in 
        identifying suspected terrorists and threats to national 
        security--it should not be used as a means, for example, of 
        identifying drug couriers or deadbeat dads; \18\
---------------------------------------------------------------------------
    \18\ Cf. William Stuntz, ``Local Policing After the Terror,'' 111 
Yale L. J. 2137, 2183-84 (2002) (use of expanded surveillance authority 
to prosecute only terrorists and other serious offenses).
---------------------------------------------------------------------------
         The program should sunset after a fixed period of 
        time, thereby ensuring adequate Congressional review;
         Secure Flight authorization should have significant 
        civil and criminal penalties for abuse;
         The ``algorithms'' used to screen for potential danger 
        must, necessarily, be maintained in secret, as their disclosure 
        would frustrate the purpose of Secure Flight. They must, 
        however, also be subject to appropriate congressional scrutiny 
        in a classified setting and, if necessary, independent 
        (possibly classified) technical scrutiny;
         As outlined below, there must be an adequate redress 
        procedure in place;
         Because commercial databases may contain errors, no 
        American should be totally denied a right to travel (i.e. red-
        carded) and subject to likely arrest as a suspected terrorist 
        solely on the basis of public, commercial data. An indication 
        of ambiguous identification and lack of authentication should 
        form the basis only for enhanced screening. Adverse 
        consequences of arrest or detention should only be based on 
        intelligence from non-commercial sources.
         The No-Fly/Red Card designation, though initially made 
        as the product of a computer algorithm, should never be 
        transmitted to the ``retail'' TSA screening system until it has 
        been reviewed and approved by an official of sufficiently high 
        authority within TSA to insure accountability for the 
        system.\19\
---------------------------------------------------------------------------
    \19\ This would mirror the view of the European Union which styles 
it as a ``right'' to have human checking of adverse automated 
decisions. The EU Directives may be found at http://www.dataprivacy.ie/
6aii-2.htm#15.
---------------------------------------------------------------------------
    In my view, the recent controversy over commercial data provides an 
important lens through which to view the Secure Flight program. 
Evidently (though, of course, the facts are not yet known) TSA needed 
to enhance PNR data with commercial data in order to resolve residual 
identification ambiguities. This suggests, albeit indirectly, that the 
thesis of Secure Flight--that PNR data alone is sufficient to allow it 
to function--may be untenable. For the enhanced PNRs would probably not 
have been sought had they not been necessary. It also raises the 
question of whether the system's chosen architecture is the best--or 
whether in light of the necessity for enhancing PNRs we might not 
prefer a decentralized system.
    But those questions are relatively technical in nature and, it 
seems, capable of resolution. The most significant aspect of the recent 
controversy is one of public perception. To that I now turn.

III. Compliance and the Privacy Act
    Most Americans recognize the need for enhanced aviation security. 
They are even willing to accept certain governmental intrusions as a 
necessary response to the new threats.
    But what they insist upon--and rightly so--is the development of 
systemic checks and balances to ensure that new authorities and powers 
given the government are not abused. And to achieve a suitable system 
of oversight, we need adequate transparency. We do not seek 
transparency of government functions for its own sake. Without need, 
transparency is little more than voyeurism. Rather, its ground is 
oversight--it enables us to limit the executive exercise of authority. 
Paradoxically, however, it also allows us to empower the executive; if 
we enhance transparency appropriately, we can also comfortably expand 
governmental authority, confident that our review of the use of that 
authority can prevent abuse. While accommodating the necessity of 
granting greater authority to the Executive branch, we must also demand 
that the executive accept greater review of its activities.
    In that spirit, the Privacy Impact Assessments and Systems of 
Records Notices published by institutional actors like TSA serve 
several important functions. They define the program, they provide the 
opportunity for notice and comment on the program by the public and, 
most significantly, they provide a metric against which to measure the 
program's implementation. Prior notice of governmental activity is the 
hallmark of accountability--it fixes in time and place the ground for 
decision making and prevents ex post justifications from being 
developed.
    Thus, we should be at least somewhat concerned by the recent 
revision of Secure Flight's notice regarding the system of records being 
maintained. As I said earlier, the original SORN developed the right 
theoretical methodology for accessing commercial data for identity 
verification--maintaining the data in private hands and reporting to the 
government only an authentication score. The most notable change 
identified in the new SORN issued last week is the breakdown in this 
screening methodology paradigm. To be sure, that change may prove to be 
a technical necessity--but if so, it is a change that ought to be 
publicly disclosed and debated before it is made. The fundamental 
premise of my analysis of Secure Flight (and indeed the analysis of all 
supporters and opponents) is that what is described in the TSA's 
privacy act notices is an accurate description of what is planned and 
what has happened. It undermines the transparency of the program and 
public confidence when that premise is proven wrong.

IV. Redress
    Finally, the subject matter of the Secure Flight system calls for 
heightened sensitivity to the potential for an infringement on 
protected constitutional liberties. While Secure Flight will not 
directly affect personal physical liberty which lies at the core of 
constitutional protections, it does implicate at least one fundamental 
liberty interest guaranteed by the Constitution. Since the 1960s the 
Supreme Court has recognized a fundamental right to travel \20\--
indeed, one might reasonably say that one purpose of the Federal union 
was to insure the freedom of commerce and travel within the United 
States.
---------------------------------------------------------------------------
    \20\ Shapiro v. Thompson, 398 U.S. 618 (1969).
---------------------------------------------------------------------------
    Thus, there is a risk that a poorly designed system will 
unreasonably impinge upon a liberty. The risk of such impingement 
should not result in fundamental constitutional abandonment of the 
program--especially not in light of the potentially disastrous 
consequences of Type II error if there is another terrorist attack in 
the United States. However, we will need stringent oversight to provide 
the requisite safeguards for minimizing infringements of civil liberty 
in the first instance and correcting them as expeditiously as possible.
    Any appropriate redress mechanism will need to solve two inter-
related yet distinct problems. First, it will need to accurately and 
effectively identify false positives without creating false negatives 
in the process. For though we know that any watch list system will make 
mistakes by wrongly singling out an individual for adverse 
consequences, we also know that a watch list system may err by failing 
to correctly identify those against whom adverse consequences are 
warranted. And we also know that any redress mechanism must be as 
tamper-proof and spoof-proof as possible, for it is likely that those 
who are correctly placed on a terrorist watch list will use any redress 
process available to falsely establish that they should not be subject 
to enhanced scrutiny.
    Second, any redress mechanism must effectively implement the 
requisite corrective measures. Already we have seen situations in which 
acknowledged ``wrongly matched'' errors in watch list systems cannot be 
readily corrected because of the technologically unwieldy nature of the 
information systems at issue. Even when TSA has recognized that a given 
person (for example, Senator Edward Kennedy) is repeatedly wrongly 
matched to a ``no fly'' list entry, correction proves challenging as 
one cannot just remove the more ambiguous watch list entry.\21\ Thus, 
the legal, policy, and technological mechanisms must be built in to the 
watch listing system to allow for the effective handling of redress.
---------------------------------------------------------------------------
    \21\ See Sara Goo, ``Sen. Kennedy Flagged by No-Fly List,'' The 
Washington Post, August 20, 2004, p. A1. Others on the list, like 
Representative John Lewis, avoided secondary screening by including 
their middle initial. See Jeffrey McMurray, ``Rep. Lewis says his name 
is on terrorist watch list,'' Associated Press, August 20, 2004.
---------------------------------------------------------------------------
    Sadly, the limitations of this forum prevent me from providing you 
a detailed description of exactly what a system answering these questions would 
look like. But my colleague Jeff Jonas and I have written in detail 
about this question.\22\ In short, we envision a system of third-party 
ombudsman-like review; initial administrative review; limitations on 
disclosure if necessary to accommodate national security concerns; a 
private cause of action to correct any permanent deprivation of 
liberty; and a system design requirement tethering and attributing 
information so that corrections propagate through the system rapidly. 
Our conclusion is that these questions are soluble--and that prior to 
full-scale implementation TSA must solve them.
---------------------------------------------------------------------------
    \22\ See Rosenzweig & Jonas, Correcting False Positives: Redress 
and the Watch List Conundrum, Legal Memorandum No. 17 (The Heritage 
Foundation, June 2005) (available at http://www.heritage.org/Research/
HomelandDefense/lm17.cfm).
---------------------------------------------------------------------------
    In short, Secure Flight continues to have some significant issues 
that need to be addressed. But it also is a system of great promise. 
Failing to make the effort to use new technology wisely poses grave 
risks and is an irresponsible abdication of responsibility.
    As six former top-ranking professionals in America's security 
services recently observed, we face two problems--both a need for better 
analysis and, more critically, ``improved espionage, to provide the 
essential missing intelligence.'' In their view, while there was 
``certainly a lack of dot-connecting before September 11,'' the more 
critical failure was that ``[t]here were too few useful dots.'' \23\ 
Secure Flight technology can help to answer both of these needs. 
Indeed, resistance to new technology poses practical dangers. As the 
Congressional Joint Inquiry into the events of September 11 pointed out 
in noting systemic failures that played a role in the inability to 
prevent the terrorist attacks:
---------------------------------------------------------------------------
    \23\ Robert Bryant, John Hamre, John Lawn, John MacGaffin, Howard 
Shapiro & Jeffrey Smith, ``America Needs More Spies,'' The Economist, 
July 12, 2003, p. 30.
---------------------------------------------------------------------------
        4. Finding: While technology remains one of this nation's 
        greatest advantages, it has not been fully and most effectively 
        applied in support of U.S. counterterrorism efforts. Persistent 
        problems in this area included a lack of collaboration between 
        Intelligence Community agencies [and] a reluctance to develop 
        and implement new technical capabilities aggressively. . . .\24\
---------------------------------------------------------------------------
    \24\ Report of the Joint Inquiry Into the Terrorist Attacks of 
September 11, 2001, House Permanent Select Committee on Intelligence 
and Senate Select Committee on Intelligence, 107th Cong., 2nd Sess., S. 
Rept. No. 107-351 and H. Rept. No. 107-792, Dec. 2002, p. xvi 
(available at http://www.fas.org/irp/congress/2002_rpt/911rept.pdf) 
(emphasis supplied). The Joint Inquiry also critiqued the lack of 
adequate analytical tools, id. Findings 5, and the lack of a single 
means of coordinating disparate counterterrorism databases, id. Findings 
9 & 10. Again, aspects of the CAPPS II program are intended to address 
these inadequacies and limitations on the research program are 
inconsistent with the Joint Inquiry's findings.
---------------------------------------------------------------------------
    Or, as one commentator has noted, the reflexive opposition to 
speculative research by some is ``downright un-American.'' \25\ Though 
Secure Flight technology might prove unavailing, the only certainty at 
this point is that no one knows. It would be particularly unfortunate 
if Congress opposed basic research without recognizing that in doing so 
it was demonstrating a ``lack [of] the essential American willingness to 
take risks, to propose outlandish ideas and, on occasion, to fail.'' 
\26\ That flaw is the way to stifle bold and creative ideas--a ``play 
it safe'' mindset that, in the end, is a disservice to American 
interests.
---------------------------------------------------------------------------
    \25\ See David Ignatius, ``Back in the Safe Zone,'' The Washington 
Post, August 1, 2003, p. A19.
    \26\ Id.
---------------------------------------------------------------------------
    Mr. Chairman, thank you for the opportunity to testify before the 
Subcommittee. I look forward to answering any questions you might have.

    Mr. Lungren. Thank you for your testimony, Mr. Rosenzweig.
    The Chair would now recognize Mr. James Dempsey, the 
executive director of the Center for Democracy and Technology, 
for his testimony.

  STATEMENT OF JAMES DEMPSEY, EXECUTIVE DIRECTOR, CENTER FOR 
                    DEMOCRACY AND TECHNOLOGY

    Mr. Dempsey. Chairman Lungren, Chairman Cox, Mr. Thompson, 
members of the subcommittee, good morning. Thank you for the 
opportunity to testify today.
    Let me start, Mr. Chairman, with two basic points. First of 
all, in my view, we need a passenger pre-screening system. 
Passenger airlines remain a target of terrorists. Every day, 
1.5 to 1.8 million passengers board airplanes in the United 
States for domestic flights. It is infeasible to intensively 
scrutinize each of those passengers. To focus resources, it is 
necessary to make judgments about them before they reach the 
security checkpoint. Therefore, one element of the layered 
security system for air transport should be the pre-screening 
of passengers.
    Second, in developing a passenger screening system, privacy 
is not a luxury. By privacy, I really mean fair information 
practices. How much information is collected? Is it accurate? 
How is it used? With whom is it shared? How long is it kept? 
Answering these privacy questions is not a distraction from the 
task of preventing terrorist attacks.
    To the contrary, addressing these information collection 
and use issues is part of the process for designing an 
effective system, from a security standpoint, as well as from a 
privacy and public trust standpoint, because as Mr. Rosenzweig 
said, every minute airport screeners spend inconveniencing an 
innocent person is an opportunity for the terrorist to slip by 
undetected.
    Here is how I would do it. First, I would preserve the 
CAPPS I behavioral rules. I have changed my own opinion on 
this. I now no longer believe that CAPPS I is broken. CAPPS I, 
after all, correctly flagged 9 of the 19 September 11 
hijackers. At the time, that only meant that their luggage had 
to be checked and the individuals themselves were not subject 
to more scrutiny. But the behavioral rules of CAPPS, even 
though to some extent they have been publicly discussed, are 
flexible, they are useful enough and they should be continued.
    Moreover, I believe that CAPPS rules should continue to be 
administered by the airlines. While Section 4012 of the Intel 
Reform Act requires the government to bring in-house the 
process of matching passenger data with watch lists, TSA seemed 
to be suggesting in its latest Secure Flight notice that it 
might also assume full responsibility for administering the 
behavioral rules of CAPPS. If so, that would be a big change 
with major implications for privacy since the application of 
CAPPS rules requires a lot more data, even more data than is in 
the passenger name record, and I just do not see either 
technically or from a public policy standpoint how the 
government could possibly take in that kind of data. So leave 
that with the airlines.
    Second, put on top of it the screening of passengers 
against the watch list, and that should be done by the 
government, not the airlines. That is what the 9/11 Commission 
recommended, and that is what Congress mandated last December 
in the Intel Reform Act.
    We have many data quality issues to resolve with those 
watch lists and with the matching process, but if we have that 
list of suspected terrorists, we should use it to decide who 
deserves closer scrutiny.
    In my view, however, the passenger name record is not a 
good source of information for matching. It does not have what 
is needed, full name and date of birth, and it has too much 
irrelevant information. I believe, currently, in my view, the 
airlines should be required to collect and provide to the 
government only what is necessary to make a reliable match.
    The problem with watch list matching is that the categories 
of information in the watch list do not match the categories of 
information in the PNR record, the passenger name record. So 
you are trying to match apples and oranges, and name alone of 
course is worse than worthless; it is harmful trying to match 
on name alone because you get far too many hits.
    So now the third question and the possible third element of 
a passenger pre-screening system is the use of commercial data. 
It may be useful, but so far we have not seen the evidence. I 
do wonder why TSA has been looking at using commercial data to 
augment PNR on millions of passengers a day when I think there 
may be better value from using commercial data at the TSC to 
augment the watch list data on the 200,000 or so people in the 
watch list to try to figure out can we figure out better 
identifying information on them.
    There is a lot of commendable work that TSA has done, and 
we clearly rely upon the screeners for our safety, and they 
have an extremely difficult job. TSA stumbled badly when its 
testing procedures departed from its privacy notices, but we 
must not let this controversy detract from the more important 
issues that remain, still unanswered, about how Secure Flight 
will work.
    It is on those questions of data collection and use that 
this committee and TSA and my organization should focus.
    I am committed to working with you, Mr. Chairman, and this 
subcommittee as well as with TSA to resolve those questions to 
develop a more effective passenger screening system.
    Thank you.
    [The statement of Mr. Dempsey follows:]

                 Prepared Statement of James X. Dempsey

    Chairman Lungren, Ranking Member Sanchez, Members of the 
Subcommittee, thank you for the opportunity to testify today.
    I am Executive Director of the Center for Democracy and Technology. 
CDT is a non-profit, public interest organization dedicated to 
promoting civil liberties and democratic values for the digital age. I 
am also privileged to serve as an associate member of the Markle 
Foundation Task Force on National Security in the Information Age. The 
Markle Task Force, co-chaired by Zoe Baird and Jim Barksdale, is 
comprised of leading experts from the fields of national security, 
technology, and privacy, including CDT's President Jerry Berman. Its 
members have extensive experience in and out of government at the 
federal and state level, in both the legislative and executive 
branches, from the administrations of Presidents Carter, Reagan, George 
H.W. Bush, Clinton, and George W. Bush. The Task Force has published 
two reports, ``Protecting America's Freedom in the Information Age'' 
(2002) and ``Creating a Trusted Information Network for Homeland 
Security'' (2003), available at http://www.markletaskforce.org. The 
Task Force, which is continuing its work, has offered concrete 
recommendations for strengthening national security while protecting 
civil liberties by creating a decentralized network for sharing and 
analyzing information within a framework of accountability and 
oversight. This testimony is based in large part on recommendations the 
Task Force submitted to the Transportation Security Administration in 
February of this year.

I. Background and Summary of Conclusions
     Terrorists continue to target passenger airplanes. One element of 
a layered security system for air transport is the screening of 
passengers. Every day, over 1.5 million passengers board airplanes in 
the United States for domestic flights. It is infeasible to intensively 
scrutinize each of those passengers. To focus resources, it is 
necessary to make judgments about passengers before they reach the 
security checkpoint.
    The Transportation Security Administration (TSA) is testing a 
proposed passenger screening system named Secure Flight. The system is 
mandated by Section 4012 of the Intelligence Reform and Terrorism 
Prevention Act of 2004 (Pub. L. No. 108-458). It would implement a 
recommendation of the 9/11 Commission.
    Section 4012 of the Intelligence Reform Act requires TSA to 
``assume the performance of the passenger screening function of 
comparing passenger information to the automatic selectee and no fly 
lists and utilize all appropriate records in the consolidated and 
integrated terrorist watch list maintained by the Federal Government in 
performing that function.'' Section 4012 specifies that DHS must:
         include a procedure to enable airline passengers who 
        are delayed or prohibited from boarding a flight because of the 
        system to appeal such determination and correct information in 
        the system;
         ensure that databases that will be used to establish 
        identity of passengers will not produce a large number of false 
        positives;
         establish an internal oversight board;
         establish sufficient operational safeguards to reduce 
        the opportunities for abuse;
         implement substantial security measures to protect 
        against unauthorized access;
         adopt policies establishing effective oversight of the 
        use and operation of the system; and
         ensure that there are no specific privacy concerns 
        with the technological architecture of the system.
    Section 4012 also requires the Secretary of Homeland Security, in 
consultation with the Terrorist Screening Center, to ``design and 
review, as necessary, guidelines, policies, and operating procedures 
for the collection, removal, and updating of data maintained, or to be 
maintained, in the no fly and automatic selectee lists.''
    In addition, section 522 of the fiscal year 2005 DHS Appropriations 
Act (Pub. L. No. 108-334), required the Government Accountability 
Office to assess 10 aspects of Secure Flight development and report to 
Congress, which GAO did in March of this year.\1\
---------------------------------------------------------------------------
    \1\ U.S. Government Accountability Office, ``Aviation Security: 
Secure Flight Development and Testing Under Way, but Risks Should Be 
Managed as System Is Further Developed,'' March 2005, GAO-05-356.
---------------------------------------------------------------------------
    On September 24, 2004, even before the Intelligence Reform Act was 
adopted, but after the report of the 9/11 Commission was widely 
endorsed, the TSA released three documents that outlined plans for 
testing Secure Flight. As detailed in a Privacy Act Notice, Privacy 
Impact Assessment, and Emergency Clearance Request (collectively, the 
``September 2004 Notices''),\2\ Secure Flight would have three 
components:
---------------------------------------------------------------------------
    \2\ Notice to Establish System of Records, Docket No. TSA-2004-
19160, 69 Fed. Reg. 57345 (Sept. 24, 2004); Notice of Privacy Impact 
Assessment, Docket No. TSA-2004-19160, 69 Fed. Reg. 57352 (Sept. 24, 
2004); Notice of Emergency Clearance Request, Docket No. TSA-2004-
19160, 69 Fed. Reg. 57342 (Sept. 24, 2004).
---------------------------------------------------------------------------
         collection from the airlines of identifying 
        information contained in the Passenger Name Records (PNRs) for 
        matching against the consolidated watch list of the FBI's 
        Terrorism Screening Center (TSC);
         possible use of commercial databases of personally 
        identifiable information to verify the information provided in 
        the PNR; and
         use of ``streamlined'' behavior rules drawn from the 
        current Computer Assisted Passenger Prescreening System (CAPPS 
        I), which uses behavioral factors such as purchase of a one-way 
        ticket to select passengers for enhanced scrutiny.
    While use of commercial data and continued use of CAPPS I rules 
were not required in Section 4012, they have remained part of the 
Secure Flight plan and test. Moreover, in regards to the use of 
commercial data, it is now clear that TSA is examining not merely its 
value to verify identity but also its value in augmenting PNR 
information to make a better watch list match. Furthermore, while 
Section 4012 requires the government to bring ``in-house'' the process 
of matching passenger data with watch lists, TSA seems to be saying in 
its latest Secure Flight notice that it will also assume full 
responsibility for administering the behavioral rules of CAPPS. If so, 
this is a big change, with major implications for privacy, since 
application of the CAPPS behavioral rules would require the government 
to access much more personal information than required for watch list 
matching.
    To test Secure Flight, TSA required airlines to turn over all 
Passenger Name Records (PNRs) from June 2004. TSA has been using this 
historical data to test the efficacy of its proposed system, including 
the possible use of commercial data, and to compare results under 
Secure Flight with results under the old CAPPS system. In general, 
passengers face no adverse consequences in the test phase, unless the 
search turns up a name on the watch list as having been on a flight 
last June, in which case the FBI will be notified. According to TSA, no 
such notification has been justified.
    There are several commendable elements of TSA's process in 
developing Secure Flight:
         In response to congressional oversight and public 
        criticism, TSA fundamentally re-examined the previous proposal 
        for a new airline passenger security program, the second-
        generation Computer Assisted Passenger Prescreening System 
        (``CAPPS II'').
         After issuing an opaque Privacy Act notice on CAPPS II 
        in January 2003, TSA took a more transparent approach, with 
        both the CAPPS II notice of August 2003 and the Secure Flight 
        notices of September 2004. This included the publication of a 
        Secure Flight Privacy Impact Assessment (PIA) before going 
        forward with the test phase, an important precedent within DHS 
        and for other agencies.
         Before implementing a new passenger screening system, 
        TSA is conducting testing to determine what is most effective. 
        From the September 2004 Notices, it would appear that TSA has 
        not prejudged the outcome of the testing.
         In its Secure Flight proposal, TSA appears to have 
        dropped some of the most troublesome aspects of CAPPS II, 
        including the probability-based review of all passengers based 
        on unidentified government data to determine each passenger's 
        ``risk'' score and the notion of using Secure Flight for 
        purposes other than enhancing the security of domestic flights 
        by identifying passengers who warrant further scrutiny prior to 
        boarding an aircraft based on possible terrorist connections.
    However, TSA stumbled badly when its testing procedures departed 
from the assurances it provided to Congress and the public in the 
September 2004 Notices. In particular, contrary to indications in the 
Notices, TSA and its contractors acquired and retained personal 
information from commercial databases, as TSA admitted in a revised 
notice issued earlier this month.\3\ This misstep has once again cast 
doubt on the credibility of the government.
---------------------------------------------------------------------------
    \3\ Notice to Supplement and Amend Existing System of Records and 
Privacy Impact Assessment, Docket No. TSA-2004-19166, ---- Fed. Reg. --
----(June 20, 2005).
---------------------------------------------------------------------------
    However, we must not let this controversy detract attention from 
much more important issues that remain unanswered about Secure Flight. 
Important efficacy, privacy and due process issues remain to be 
resolved before full implementation can begin. As the GAO found in its 
March 2005 report:
         ``the effectiveness of Secure Flight in identifying 
        passengers who should undergo additional security scrutiny has 
        not yet been determined'' (p. 27);
         ``the accuracy of commercial data is uncertain'' (p. 
        32);
         ``key issues regarding how [PNR] data will be obtained 
        and transmitted have not yet been resolved'' (p. 29);
         ``the ability of Secure Flight to make accurate 
        matches between passenger data and data contained in the 
        terrorist screening database is dependent on the quality of the 
        data [in the screening database]. . . .the accuracy of this 
        data has not been fully determined'' (p. 6).
    In particular, because expanded watch lists are the core of the 
proposed program, the fidelity, data quality and overall reliability of 
those watch lists will be very important. In June of this year, the 
Department of Justice Inspector General found that the Terrorist 
Screening Center could not ensure that the information in the watch 
list database was complete and accurate. The IG's report identifies a 
number of types of errors in TSC data.\4\ While TSA has begun to 
develop its own redress procedures, it should work with other agencies 
to develop standards for watch listing and redress mechanisms so 
passengers will have the ability to challenge a watch list entry or an 
erroneous watch list match. Proper resolution of those issues will be 
critical to the success of any air passenger screening system, in terms 
of both enhanced security and protection of civil liberties. The 
Intelligence Reform Act required the Executive branch to develop 
criteria and minimum standards for watch listing. As far as we know, 
those criteria and standards have not been developed.
---------------------------------------------------------------------------
    \4\ U.S. Department of Justice, Inspector General, ``Review of the 
Terrorist Screening Center,'' June 2005, Audit Report 05-27, at p. xi.
---------------------------------------------------------------------------
    Moreover, the controversy over collection of commercial data in the 
test phase of Secure Flight must not obscure more important questions: 
Where are the results of the test of matching June 2004 PNR data 
against the watch list and how will the lessons learned from the test 
affect implementation of Secure Flight? What has TSA learned from its 
test of commercial data, and what does it intend to do with commercial 
data if Secure Flight is permanently implemented? What has TSA 
determined is the best method for matching names? What is the quality 
of PNR data and what is the best way for the government to get the 
minimum amount of data to make reliable matches? These and other key 
questions should be the focus of Congressional and public oversight.

II. Watch Lists
    TSA has accepted--and Congress has mandated--the recommendation of 
the 9/11 Commission that airline passengers should be screened against 
terrorist watch lists and the government, not the airlines, should 
perform such screening. Secure Flight should be an improvement 
over the current CAPPS, because the watch lists should offer a 
particularity of suspicion that behavioral rules cannot, and because it 
is not desirable to disclose the watch list to airlines. Despite these 
advantages, however, Secure Flight will only be as good as the watch 
lists on which it is based and the way in which they are searched. The 
watch list to be used by TSA is a subset of the consolidated watch list 
(known as the Terrorist Screening Database (TSDB)) managed by the FBI's 
Terrorist Screening Center (TSC).
    Watch list fidelity and data quality are critical to Secure 
Flight's success. ``Fidelity'' speaks to the robustness of entries: Do 
they contain enough information to resolve identity? ``Data quality'' 
refers to the accuracy, completeness and currency of the data. Related 
questions include: Are entries reviewed periodically for data quality? 
Has there been an evaluation of the reliability of criteria for 
designating individuals to the TSC watch list?
    There should be a focus across the intelligence community on 
improving the quality of watch list entries. We appreciate that TSA 
does not create terrorist watch lists, but rather is a consumer of 
them. Nonetheless, Secure Flight will be the first time that the TSDB 
is used regularly to screen a significant portion of the U.S. public, 
and TSA will receive the brunt of the criticism if the watch list 
produces a significant number of false positives. Accordingly, TSA 
should play a lead role in developing and refining watch list 
standards.
    Thus far, it is not clear whether there are adequate rules for 
watch list entries. While we understand the national security concerns 
associated with making public certain information about watch lists, we 
believe that, considering the critical importance of the watch listing 
process, the process and accountability measures associated with it 
should be publicly discussed.
    Section 4012(c) of the Intelligence Reform Act requires the 
Director of National Intelligence, in consultation with the Secretary 
of Homeland Security, the Attorney General and the Secretary of State, 
to report to Congress in June 2005 on the criteria for placing names on 
the watch list, the minimum standards for reliability and accuracy of 
identifying information, the degree of information certainty and the 
range of threat levels to be associated with an individual on the watch 
list, and the range of consequences that are to apply to an individual, 
if located. As far as we know, that report has not been submitted.
    It is clearly preferable that watch listing standards be 
government-wide. In the absence of government-wide standards, TSA has 
adopted its own internal standards as to what constitutes an 
``adequate'' watch list entry for purposes of Secure Flight. Such 
standards might include requirements like:
         There should be minimum fidelity standards before a 
        watch list entry can be used. Each watch list entry used by TSA 
        should contain enough identifying information so that the 
        record can meaningfully be used for its intended purpose of 
        identifying an individual. For example, TSA may require 
        multiple data points, such as a first and last name as well as 
        another piece of identifying information, such as date of 
        birth. Name plus nationality or name plus gender is not enough.
         Each watch list entry used by TSA should be reviewed 
        at least once a year by the agency that was responsible for its 
        nomination to the list, to ensure that the record still 
        meets watch listing criteria and fidelity and data quality 
        standards.
         To promote data quality and redress, each watch list 
        entry should be traceable to a specific transaction (i.e., 
        record) within the source agency, using an internal reference 
        number or some other means of ``tethering'' the data, so that 
        questions can be resolved and source system records can be 
        reconciled with watch listing system records.
    In addition, the use of any watch list for screening purposes 
depends on reliable match criteria. TSA should establish reliable 
matching criteria and should periodically reevaluate them.
    Finally, as indicated in Section 4012(c) of the Intelligence Reform 
Act, another aspect of watch listing concerns the seriousness of the 
threat posed by a watch-listed individual and the different types of 
consequences that a person may face as a result of being placed on a 
watch list. An individual on a watch list should face consequences 
appropriate to the threat that individual is believed to pose. More 
than 200,000 people are listed in the TSDB--ranging from those known 
with certainty to be members of a terrorist organization to those 
suspected of having some tie to terrorism. The current situation is 
very confusing. Each of the international terrorist names included in 
the TSC database is assigned one of 25 different codes that describe 
how a specific individual is associated with international terrorism. 
Each of the domestic terrorist records is assigned one of three codes, 
which the DOJ IG concluded do not provide an adequate description. In 
addition, all entries are marked with one of four levels of ``handling 
instructions,'' advising users what action to take when they encounter 
a watch listed person. On top of that, however, TSA draws a two-tiered 
distinction between ``no fly'' and ``selectee.'' As a matter of policy, 
these distinctions and their basis need to be clarified.

III. Collection of Passenger Name Records
    The Passenger Name Record (PNR) generated by airlines and 
reservation systems contains numerous pieces of information beyond the 
identifying information necessary to make a match for screening 
purposes, but, on the other hand, may not contain the data needed to 
make a reliable identification (e.g., the address and phone number on 
the PNR quite often is that of a travel agency, and date of birth is 
not included in the PNR). We understand that it would have been quite 
expensive for airlines to provide only certain PNR fields for the 
testing phase. Based, however, on the results of the test phase, TSA 
should determine exactly what data it needs to achieve the aviation 
security goal of Secure Flight. Then, if feasible, when Secure Flight 
is implemented permanently, TSA should collect from the airlines and 
reservations systems only those data elements that are necessary. One 
of the goals of the test phase should be to explore with the airlines 
and the reservations systems the feasibility of isolating and 
delivering to the government only those items of information for which 
the government has a justified need.
    If TSA requires airlines to collect any additional information that 
they do not currently collect, such as date of birth, TSA should ensure 
that passengers are given notice about the reasons for the new 
collection of information. Alerting passengers to the purpose for which 
their information will be gathered--telling them that it is for 
security purposes as opposed to, say, marketing uses--should give law-
abiding travelers an incentive to provide accurate information when 
booking air travel, enhancing privacy and effectiveness.
    Also, if TSA requires airlines and reservation agents to collect 
information they do not currently collect, the airlines and other 
ticketing agents should be prohibited from retaining and using that 
data for any other purpose. While TSA has promised that it will not be 
compiling travel dossiers on passengers, neither should the travel 
industry be able to turn a TSA security order into an opportunity to 
compile new categories of information on air travelers for the 
airlines' or travel agents' own use.
    TSA has announced that it intends to limit its retention of PNR 
data, but has not yet set specific retention periods. Once Secure 
Flight is implemented, TSA should not keep passenger data after a 
flight has safely completed its flight without incident, except that 
TSA may retain and disclose to the FBI and other relevant agencies the 
records of ``reds'' or no-flies who are not allowed to board and of 
``yellows'' or selectees who are identified based on a watch list match 
but allowed to board after a more intensive search. Also, TSA should be 
able to retain data with the consent of any passenger who has invoked 
the redress process. These retentions and disclosures, which would have 
a sound predicate in the form of the match to the watch list, should be 
documented and auditable. Of necessity, given the verification process 
that should occur for every red and yellow, the TSC would receive (and 
should be able to retain) a record of the hit.

IV. Use of Commercial Data
    Databases held by commercial entities contain a vast amount of data 
possibly relevant to screening activities, but they also pose 
challenges in terms of relevance and reliability. TSA and other 
policymakers, through a process with some transparency and outside 
input, need to make an assessment of what commercial data would be 
relevant to passenger screening. In the test phase, TSA has been 
exploring two potential uses of commercial data: (1) to augment PNR 
data with additional identifying information; and (2) to verify the 
identity of passengers. TSA should take a skeptical approach to the use 
of commercial data in the Secure Flight program, particularly regarding 
whether the identity scores provided by searching commercial data will 
significantly enhance TSA's certainty about passengers' identities.
    If TSA decides to use commercial data in connection with Secure 
Flight, it should be on the basis of a finding that the use of 
commercial data would give additional certainty about the identities of 
a substantial number of passengers or a more reliable watch list match. 
Some questions to be considered during testing include:
         What minimum amount of information is required to even 
        test a person for a true identity likelihood score using 
        commercial databases?
         How many people, when providing true identifying 
        information, fail to correlate with commercial databases? For 
        example, what percentage of people flying to, from or within 
        the United States will not have adequate information about them 
        in commercial databases to do identity verification?
         How much reliability does the identity verification 
        process add?
         Will identity verification work with individuals who 
        have privacy concerns and use a different address (e.g., PO 
        Box) than what appears on their driver's licenses, who 
        legitimately have multiple addresses and phone numbers or whose 
        addresses do not match because they use a different billing 
        address for their credit cards?
         What consequences can flow from a poor ``identity'' 
        score (as opposed to a watch list match)? Will a poor identity 
        score in and of itself suggest a threat to aviation and trigger 
        secondary inspection?
    If TSA decides to use commercial data in Secure Flight, then a 
number of additional privacy protections will need to be implemented. 
First, TSA should clarify what passenger-provided information will be 
disclosed to commercial data aggregators. As explained above, passenger 
PNRs often provide sensitive and/or irrelevant information. TSA should 
not pass information on to commercial vendors without justification, 
and it should specify in advance which items of information it will be 
disclosing to the commercial aggregators.
    Second, TSA should, to the maximum extent possible, specify what 
commercial information its vendors will rely on for the passenger 
identity verification process. TSA has made clear that neither it nor 
its commercial vendors will use credit scores, but it has been silent 
on what information they would rely on. While there are national 
security concerns at stake, it may be possible to reveal what 
commercial data is being used. One approach to these kinds of issues is 
to require the commercial data aggregators who are government 
contractors to make available for free upon request (maybe just once a 
year) all data they have on an individual for review and correction, 
the same way they are required to under the Fair Credit Reporting Act. 
This is in keeping with the commercial data aggregator's interest in 
having accurate information. Alternatively, the TSA could be required 
to use aggregators that can guarantee reconciliation accuracy with 
their data source providers. The transparency into what is used would 
reveal sources such as public records, credit headers, phone books, 
driver's licenses, etc. In any case, the consumer should be able to 
request what information the TSA uses and its source, with instructions 
on how to remedy inaccuracies (at the source system). In this regard, 
providing travelers with notice and access to their data may increase 
the reliability and accuracy of the sources that TSA employs. TSA could 
include language in its contracts with commercial data vendors that 
provides for passenger access to and correction of that data directly 
or through the Passenger Advocate Office that TSA will establish.
    Third, TSA should make clear that commercial vendors will, by 
contract, be prohibited from retaining any airline passenger data other 
than minimum amounts of data for audit and accountability controls or 
using it for any purpose other than testing for Secure Flight.
    Finally, TSA should develop standards for assessing and verifying 
the accuracy of the commercial data on which it relies. TSA might base 
such standards on the answers to the following types of questions: (1) 
How often are the data updated? (2) How complete is the information? 
(3) How accurate is it? (4) How do the data sources protect against 
and/or mitigate the possibility of identity theft?

V. Redress and Oversight
    Redress and oversight are important aspects of any decision making 
process based on personally identifiable information. As TSA implements 
Secure Flight, redress will be a major issue.
    Major federal privacy laws offer sound models for Secure Flight 
redress procedures. As reflected in the Privacy Act, the Fair Credit 
Reporting Act, and other privacy laws, redress typically includes the 
following elements:
         Notice of the fact of an adverse decision and of the 
        procedure for challenging it;
         Access to the information on which the decision is 
        based;
         An opportunity to correct erroneous information and an 
        obligation by the decision-maker to correct or delete 
        information that is erroneous, which is premised on the ability 
        to trace information to its source for verification;
         Procedures for ensuring that erroneous information 
        does not re-enter the system;
         Obligations on data furnishers to respond to requests 
        for reconsideration of data and to take corrective action when 
        justified; and
         Independent administrative or judicial review and 
        enforcement.
    TSA has already committed to developing a ``robust review and 
appeals process'' to protect passengers' ability to seek redress where 
incorrect information or inferences cause them to be subjected to 
heightened scrutiny. As part of that process, TSA has indicated that it 
will create a Passenger Advocate Office, which will act on behalf of 
passengers and investigate complaints. The proposed Passenger Advocate 
is a desirable component of a passenger redress process, but TSA will 
need to flesh out the procedures that will govern the Passenger 
Advocate's review of passengers' complaints. It will be critical to the 
success of any new program that individuals have a meaningful process 
for challenging their ``yellow'' or ``red'' designations.
    As noted above, we believe that TSA should not keep data on cleared 
passengers after a flight is successfully completed. For the relatively 
small number of passengers who may complain due to being selected for 
whatever reason, TSA should be able to preserve data if a passenger 
makes a complaint at the airport at the time of screening.
    The Intelligence Reform Act requires TSA to establish a timely and 
fair process for individuals identified as a threat to appeal to TSA 
that determination and to correct any erroneous information. The 
process must include the establishment of a method by which TSA will be 
able to maintain a record of air passengers and other individuals who 
have been misidentified and have corrected erroneous information. To 
prevent repeated delays of misidentified passengers and other 
individuals, the TSA record shall contain information to authenticate 
the identity of such a passenger or individual.
    Particularly in the context of individuals who appear to be a risk 
because of a watch list match, TSA must work closely with TSC to ensure 
that people are not mistakenly flagged on a repeat basis. As we already 
have seen, there will be innocent individuals with the same or similar 
names as people on the watch list. Such mistakes must be investigated 
and rectified quickly so that the affected individuals are not 
repeatedly flagged and delayed. This will require TSA to work closely 
with TSC and various intelligence agencies.
    Passengers should have the ability to challenge the Passenger 
Advocate's decisions. First, passengers should be able to mount an 
administrative appeal within TSA or the Department of Homeland 
Security, perhaps to the Privacy Officer. Second, given that the right 
to travel is at stake, judicial review should also be available once 
administrative appeals are exhausted. In some cases, judicial review 
might require special ex parte procedures to deal with classified 
information, but such procedures have been successfully implemented in 
other contexts. See, e.g., Classified Information Procedures Act, 
Public Law 96-456.
    In addition to redress, TSA should implement other oversight 
mechanisms. Auditing should be an important part of the Secure Flight 
system. The DHS Inspector General, the Privacy Officer, and the Civil 
Rights and Civil Liberties Officer should jointly conduct an annual 
audit of the system's operations. Of necessity, the auditors should 
have security clearances enabling them to access all relevant 
information, including classified data. The auditors could conduct spot 
checks of actual screenings and retain some passenger records for the 
duration of the audit process as well as examine the aggregators' 
datasets. To the extent an audit report relies on classified 
information, portions of the report may need to remain classified, but 
much of the audit reports could be made public.
    TSA also should implement a real-time auditing function to monitor 
who accesses the system. TSA and TSC both must implement a documented 
information security program (to protect the data) and data governance 
models (to control access to the data and ensure access and 
modification are auditable). Such audit trails are crucial to prevent 
abuse and internal security breaches, ensuring that only authorized 
personnel are accessing the system and that they are using it only for 
authorized purposes.
    Other forms of independent oversight of Secure Flight are also 
essential to an effective privacy protection scheme. TSA should report 
annually and publicly to Congress, including (1) an explanation of the 
Secure Flight privacy policies; (2) a description of how those policies 
have been implemented; (3) a list of the types of passenger complaints 
that have been filed, with descriptions of how they have been resolved; 
(4) changes that TSA is making to minimize any identified problems; and 
(5) the ratio of hits, no hits, and disposition results to allow 
evaluation of the false positive counts. Other oversight mechanisms 
that TSA should consider are independent evaluations of the program by 
outside auditors and periodic consultations with privacy advocates.

VI. Scope
    Over the course of the evolution of CAPPS II and Secure Flight, 
there has been uncertainty about the mission that a passenger screening 
system should serve. In the spring of 2003, then-TSA Administrator 
Admiral James Loy assured Congress and the public that CAPPS II would 
be used only to identify foreign terrorists and prevent them from 
boarding airplanes, because foreign terrorists were the source of the 
threat to aviation security. Subsequently, TSA proposed broadening 
CAPPS II's purposes to include identification of domestic terrorists 
and those associated with domestic terrorist organizations as well as 
certain criminals and possibly immigration law violators.
    In the September 2004 Notices and in the June 2005 Notice, TSA 
refocused on the threat of terrorism. The task of creating an effective 
system to screen passengers against terrorist watch lists is so urgent 
and so challenging that it is preferable at this point for TSA not to 
pursue the additional and separate task of identifying other criminals 
not believed to pose a threat to aviation.
    Like CAPPS II, the proposal for Secure Flight includes not only 
foreign terrorists, but also members of domestic terrorist groups--
i.e., members of radical organizations like the KKK, anti-government 
militias, or certain radical environmental activists. It might be 
sensible to include domestic terrorists in Secure Flight if there is 
evidence that particular individuals or discrete groups pose a threat 
to civil aviation. In the absence of intelligence suggesting that 
particular individuals or groups are a threat, the expansion of Secure 
Flight into the realm of domestic terrorism raises a host of difficult 
issues that TSA appears not to have confronted. It could ultimately 
place TSA in the role of having to evaluate the political activities of 
Americans. The FBI's definition of who is a domestic terrorist has 
often been quite broad. In the absence of a specific threat, does the 
term ``domestic terrorist'' include all members of an environmental 
group, when a few of those members have engaged in illegal acts 
and have been investigated by the FBI as domestic terrorist 
organizations? Does it include an anti-abortion activist who breaks the 
law by blocking access to abortion clinics or who may be 
organizationally or ideologically related to those who have killed 
doctors or committed arson at clinics, which some have called 
terrorism? Does it include protesters against the war in Iraq, whom the 
FBI interviewed in advance of the Republican National Convention?
    Furthermore, each added function puts further pressure on the 
system: more false positives, diversion of screener resources, loss of 
screener confidence in system results, and the risk of public 
disapproval. Accordingly, TSA should limit screening of passengers for 
associations with purely domestic terrorist organizations to those 
situations, if and when they arise, when information indicates that 
specific individuals or discrete groups pose a threat to civil 
aviation.

VII. Privacy Act
    The Privacy Act offers a sound framework for a number of issues 
posed by Secure Flight. In the September 2004 Notices, TSA proposed 
exempting the Secure Flight test data from various Privacy Act 
provisions. Moreover, TSA had indicated that it would invoke blanket 
exemptions for full implementation of CAPPS II.
    In the Notice issued last week, TSA announced that it would not 
pursue its Privacy Act exemptions. We commend this decision, and we 
urge that it be followed in the implementation of Secure Flight as 
well. TSA has always said that it plans to provide access to certain 
unclassified records such as PNR and the ability to correct them, as an 
important element of the integrity of the system. There seems to be, on 
the current record, no valid reason to take an exemption from the 
Privacy Act provisions on access and right to correct. If there are 
specific concerns that TSA has about application of the Privacy Act to 
Secure Flight in the implementation phase, it should identify them so 
they can be addressed based on a public dialogue.

Conclusion
    We firmly believe that a passenger screening system can be designed 
that both enhances security and protects civil liberties. 
Developing sound privacy rules and sticking to them is crucial to the 
success of such a program. To facilitate public trust in the system 
that is eventually implemented, we encourage TSA to make public as much 
as possible about the results of Secure Flight testing and TSA's 
decisionmaking process. We look forward to working with TSA and the 
Congress.

    Mr. Lungren. Thank you very much, Mr. Dempsey.
    I thank all the witnesses on this panel for their 
testimony.
    At this time, I would yield myself 5 minutes to begin the 
questioning.
    To Mr. May, Mr. Rosenzweig and Mr. Dempsey, there has been 
a suggestion that CAPPS I ought to remain as it is. There seems 
to be some divergence of opinion with the three of you, but I 
will just ask you this question: We have had situations where 
people have been taken out for a secondary search that 
obviously do not belong there, and I keep harkening back to 
children, instances of 10-year-olds, 5-year-olds, 3-year-olds, 
2-year-olds being carried out.
    Every time I have asked the question of TSA, the answer is, 
``That is the airline's responsibility. If they see someone is 
under 12 years of age, they are not supposed to take them out 
of the secondary search.'' But it does not happen. And then it 
goes to the TSA people and they say, ``Well, since CAPPS I is 
not in our bailiwick, we cannot make that decision.'' Obviously 
when you see an infant in diapers, they are obviously under the 
12.
    That is my concern if you keep the CAPPS Program with the 
airlines. Who is on first? Who has got the responsibility? Is 
that a wrong conclusion on my part? How would you respond to 
that?
    Mr. Dempsey first.
    Mr. Dempsey. Well, Mr. Chairman, I would say that your 
facts are right but your conclusion I would probably disagree 
with, in that, yes, it results or appears to result in some 
ridiculous results, but I do not think the answer is to try to 
bring the administration of CAPPS behavioral rules into the 
government. The government sets the rules, it changes them from 
time to time based upon new information, it tries to refine 
them, it provides them to the airlines.
    As I understand it, application of CAPPS behavioral rules 
requires a lot of information--passenger name record 
information, frequent flier information, some historical data--
data that the government really cannot collect easily, cannot 
digest, cannot hold, would have a hard time. I think you might 
by bringing that in government produce a worse result, produce 
a gridlock.
    So I would say refine it, and it clearly needs to be 
refined, work with the airlines on those implementation 
questions, absolutely, but basically keep the current 
structure.
    Mr. Lungren. Mr. Rosenzweig?
    Mr. Rosenzweig. Well, as you will gather, I am somewhat 
more skeptical that the CAPPS I rules have a continued 
vitality. To the extent that they do, though, I would agree, I 
think, with Mr. Dempsey that they are better placed with the 
airlines. They are behavioral rules, and it is classified and 
so on, reading in the public record, but they are buying with 
cash, flying one way, and that is the type of personal behavior 
that is precisely the type of privacy-related material that we 
want to try if we can to keep out of governmental databases.
    So to the extent that we are talking not about factual 
record data, like a date of birth or a name that is a matter of 
public record that is okay, in my judgment, to take into a 
government database but rules about how often you fly, where 
you go frequently, whether you are paying cash or credit, that 
sort of thing. That would seem to me to raise more significant 
privacy concerns, and it would be better to be kept in the 
commercial data space rather than in the governmental data 
space.
    Mr. Lungren. Mr. May?
    Mr. May. Actually, Mr. Chairman, we think that CAPPS I, 
because it looks at behavioral activity, does present some 
opportunities down the road for continued good security. We do 
not think that the CAPPS Program, as it is currently crafted, 
all of the elements are necessarily as well done as they should 
be. At the end of the day, it has to be a government designed 
program we think we can continue to implement.
    But, remember, when we tag somebody for behavioral 
activity, it really then is up to the--what we are doing is we 
are making them a selectee, and they are going to be subject to 
additional scrutiny. I think what we are talking about today, 
Secure Flight, is an equally important part of the process, and 
I think that should, as Congress has said and others have said, 
be a function of TSA.
    I think to the extent it is improved upon and combined with 
some behavioral checks, I think it will be overall a much 
better system.
    Mr. Lungren. Let me just ask the three of you, and I do not 
mean to leave you out, Mr. Anderson, but the question of not 
having the proper information to do these checks, that is, you 
have got two different groups of characteristics, how much 
would it improve the systems that we are talking about here if 
you had in addition to the name the date of birth, and maybe 
even birthplace.
    Mr. Dempsey. It seems to be that the evidence is that 
adding date of birth for the watch list matching most watch 
list entries have at least name and date of birth, and so to 
make a match that is what you need, unless you can augment the 
watch list with additional data.
    Mr. Rosenzweig. There is every reason to think that 
something simple like that will work. The best analogy that I 
can think of that I have seen in the literature is by Dr. 
Latanya Sweeney of Carnegie Mellon who has demonstrated pretty 
effectively that zip code and date of birth uniquely identify 
about 97 percent of the people in the world--or in America, I 
should say, because she applied it in an American database. The 
only exceptions to that turn out to be college campuses where 
there is a very high concentration of people with a very narrow 
birth range, all with the same zip code.
    So that suggests that name and date of birth, name, date of 
birth and zip code would be pretty darn close to effective in 
uniquely identifying each individual.
    Mr. Lungren. My time is up, but, Mr. May, on that, would 
that cause any considerable difficulty to the airlines to 
gather that information?
    Mr. May. I think that is doable, but what I would like to 
point out, Mr. Chairman, two things. One, TSA is not the only 
one that asks to collect information from the airlines. There 
are other parts of DHS that do that. Whatever system we have 
let's make sure it is standardized across the whole board.
    Mr. Lungren. I thank the gentlemen for their comments.
    The Chair now recognizes the Ranking Member of the full 
committee, Mr. Thompson, for 5 minutes.
    Mr. Thompson. Thank you very much, Mr. Chairman.
    Following up on the questions, it is kind of related to Mr. 
Anderson's situation, but if I give those three forms of 
identification, under normal procedure, that would suffice for 
getting me off the list, am I correct?
    Mr. Rosenzweig. Provided that the list itself allows the 
clearance, the fact that you are cleared to propagate to all 
the users, which is one of the reasons to take it in-house at 
TSA, if we have hypothetically Mr. Anderson's name, date of 
birth and zip code, that uniquely identifies him, and if he is 
carrying something that has those three pieces of information 
on it, that should be a simple Google search-like click-through 
methodology. I mean, it is not technologically--
    Mr. Dicks. On what document do you have your zip code?
    Mr. Rosenzweig. Well, name and date of birth you have on 
your driver's license, and it is true that we do not normally 
carry zip codes. I offered that as a hypothetical additional 
one.
    Mr. Thompson. Well, I guess going forward to the next step, 
if I am picked up under Secure Flight, what redress will I have 
to get off the list?
    Mr. Dempsey?
    Mr. Dempsey. Well, that is one of the unanswered questions, 
okay? The TSA has not yet fully spelled out what its redress 
process will look like. It has said it knows it needs one, it 
needs to be robust, it needs to be effective, it needs to be 
user friendly. Getting from here to there requires some more 
work.
    I think there is apparently a John Anderson or somebody 
with a name like John Anderson on the watch list. You are never 
going to take John Anderson off the watch list. Presumably, he 
is on there correctly, although we do need to reverify and 
revet, I believe, on a yearly basis the names on the watch 
list.
    But the question is showing John Anderson but not this John 
Anderson, and that is where the additional forms of 
identification come in and some way to build into the system, 
and I do not think it is quite as easy as people have talked 
about so far, the ability to say, ``Stop all John Andersons 
except this John Anderson,'' and then every other John Anderson 
goes through the process.
    Mr. Thompson. What about the middle initial? I mean, that 
has got to get a few of them out of the list.
    Mr. Dempsey. Then you have to start collecting middle name 
on passengers, and you have to start having middle name or 
middle initial in the watch list.
    Mr. May. The point that was just made is critically 
important, Congressman. It is as important to have fully 
identified individuals on the watch list as it is to be able to 
check with the individual passengers.
    Mr. Dicks. So in other words, if you just have John 
Anderson on the watch list, then every John Anderson is in 
trouble, because they cannot distinguish between that and--
    Mr. May. Right. We need to--
    Mr. Dempsey. Well, and it is worse than that, Congressman, 
because it is possible they have J. Anderson, and when they 
search they are not going to only search for Anderson, S-O-N, 
but they are going to search for Andersen, S-E-N, and they may 
search for John and James and Jack and Johnny, and they may 
search for an Anderson with two As or Ss, et cetera. That is 
the way the searching of names works. That is why name search 
alone is so unreliable.
    Mr. Rosenzweig. Just to add a couple points, Mr. Dicks, I 
just checked, my driver's license actually has my zip code on 
it too.
    Mr. Dicks. It also has your social security number on it.
    Mr. Rosenzweig. Actually, in D.C., it does, yes. So it 
uniquely identifies me in several ways. But the point you 
asked, Mr. Thompson, is actually the hardest question, which is 
what process are we going to allow somebody to get off the 
list, the redress process. It is pretty easy for people like 
Mr. Anderson who are wrongly listed, who are not the John 
Anderson they mean.
    The tough question, the really hard question is, what if he 
is the guy that they meant but he contends he should not be on 
the list? There is a John Anderson that we have some suspicion 
about, presumably. What if that guy shows up and says, ``No, I 
am an innocent bricklayer from Terre Haute''?
    How do we test it to allow--there has to be some 
adversarial process, clearly, but it cannot be a fully 
transparent process, because often the reason that John 
Anderson is on the list is because of some national security 
concern that cannot be fully disclosed. It is a very 
intractable problem.
    Mr. Thompson. I guess the other point is, do you think we 
are ready for the demonstration given what we are hearing here 
today?
    Mr. Dempsey. I do not think so.
    Mr. May. Congressman, I do not know that we are ready for 
the demonstration, but I think it is only when you get to a 
demonstration and it is what it is, it is a demonstration, it 
is a test, that you begin to identify some of the problems that 
you are going to face in putting it out live, if you will. And 
so I think you need to go through that phase of it.
    I do not think TSA is ready right this minute, but I would 
hope they can become ready soon, recognizing that there are 
going to be some problems that show up that will have to be 
resolved. But it is only when you test it that you find that 
out for certain.
    Mr. Lungren. Gentleman's time has expired.
    The Chair would now recognize the chairman of the full 
committee, Mr. Cox, for 5 minutes.
    Mr. Cox. Thank you, Mr. Chairman.
    Thank you once again to all of our witnesses. This is a 
very important hearing, and I want to particularly thank a 
former colleague, Mr. Anderson, for coming and sharing your 
personal experience.
    I take it you have not flown since the Delta experience.
    Mr. Anderson. No, I have not.
    Mr. Cox. So you do not know what would happen if you tried 
to do this again.
    Mr. Anderson. I do not.
    Mr. Dicks. They just told him.
    [Laughter.]
    Mr. Cox. Mr. Rosenzweig, you pointed out in your testimony 
that each airline administers the watch list matching 
differently and that there is a high variability in the 
matching operational methodology and that there is no single 
common standard for defining watch list match, neither is there 
sharing among the carriers on a routine basis of all of this 
information. So isn't it likely that Delta did not take that 
information and spread it all around the industry?
    Mr. Rosenzweig. Well, I think it is quite likely.
    Mr. Cox. So that if John Anderson wants to fly to Germany 
again but takes a different airline, he is going to have to 
call up his congressman and start from scratch and go through 
this whole routine all over again, isn't he?
    Mr. Rosenzweig. Well, I would hope not, and it might have--
    Mr. Cox. Well, I would hope not too, but what reason do we 
have to think that this would not happen again?
    Mr. Dempsey. Congressman, Mr. Chairman, I think that is 
part of the reason for bringing the watch listing process into 
the government, to do the matching on a centralized basis in 
the government, both in order to use the best name-matching 
technology, whatever that might be, and it has not been 
determined yet--
    Mr. Cox. Well, I want to go even further--
    Mr. Dempsey. --and then, secondly--
    Mr. Cox. --and ask why it is that we think that if there 
are people who have been blessed by their parents with names 
like John Anderson in the world that we are going to single 
them out with that kind of a system?
    I mean, we have two objectives here. One is, and it is the 
primary objective, to find out which, if any, of the people 
that are boarding airplanes are terrorists. The other, which is 
ancillary to that primary purpose, is to reduce the size of the 
haystack that we are sifting through so that we can focus our 
energies and our attention on the right people.
    Now, Chairman Lungren pointed out he is concerned about 
infants being sent for secondary screening. There is no reason 
on Earth if we use CAPPS I that we are not going to look at 
infants because infants may well have had their tickets 
purchased with cash or may well have made a last-minute change 
in their reservation and bought a one-way ticket. Those kinds 
of things, dumb criteria, if you will, like that are going to 
focus us on the wrong people. Whereas, what we ought to be 
doing is reducing the size of that haystack.
    We have good information about people like John Anderson. 
Unfortunately, we do not always have good information about the 
terrorists. But what we can do is use the good information we 
have about Mr. Anderson to let him go through the airport 
quickly, reduce the size of the haystack and focus the 
attention on actual terrorists or suspected terrorists.
    Mr. Dempsey. Mr. Chairman--
    Mr. Cox. We will never be able to do that if we are relying 
on such primitive information as John Anderson. We have got a 
lot more information about Mr. Anderson, which he discovered 
himself when he Googled himself.
    Mr. Dempsey. Mr. Chairman, in terms of the infants and the 
grandmothers, I think a huge issue there is training and 
discretion and the judgment of the screeners. After all--
    Mr. Cox. Well, let me ask Mr. May, because it was suggested 
a moment ago by Mr. Dempsey that this is an airline issue 
that--or maybe it was Chairman Lungren that said this--that the 
airlines are the ones that are supposed to be not screening the 
infant. Why does this persist?
    Mr. May. I think it persists because we are using 
behavioral criteria that are established by TSA. We are not in 
the position of making the judgment as to who should or should 
not. We are in the position of enforcing the boarding pass 
identification based on those behavioral characteristics.
    They then go to the screening process, and if they are 
identified as a selectee based on those CAPPS I criteria, then 
it is up to TSA. I think it absolutely should be that if 
somebody has been identified as a selectee because of a 
behavioral characteristic, that TSA can look and see that it is 
an 11-month-old infant and that relieves the responsibility 
right there, as it would a 95-year-old grandmother.
    Mr. Cox. Let me ask my final question, because I have less 
than a minute left.
    Mr. Anderson, you have heard about Registered Traveler, a 
voluntary program that you might sign up for in order to avoid 
all of this hassle. What kind of incentive would you need as a 
traveler in order to want to sign up for such a program?
    Mr. Anderson. Well, I do not think I would ask for frequent 
flyer miles or any compensation of that kind. I think if it 
were available, if such a program were available, I would 
rather willingly cooperate.
    I do not deny there is a huge problem out there of 
eliminating the possibility that we are going to have another 
terrorist hijacking, and I would not want to stand in the way 
of all efforts that are made to try to screen out people, but a 
voluntary sign-up of some kind to eliminate, just as we 
voluntarily engaged in this program to get on the no-call list, 
not to be bothered during dinner hour by people--
    Mr. Cox. A national no wait in line list.
    Mr. Anderson. Exactly, some national list of that kind 
where you could relatively easily say, ``Yes, I subscribe to 
this,'' and then get the clearance you need.
    Mr. Cox. Thank you very much. This has been an excellent 
panel, and I am going to continue to listen intently.
    Thank you, Mr. Chairman.
    Mr. Lungren. I thank you.
    The gentleman from Washington, Mr. Dicks, is recognized for 
5 minutes, in which time that he wants to give to the chairman 
he can.
    Mr. Dicks. That is Mr. Thompson.
    Tell me what Secure Flight is going to be about. Explain 
what Secure Flight is going to be.
    Mr. Dempsey. Secure Flight is the matching of passenger 
names with a list of known or suspected terrorists in order to 
determine who deserves secondary screening in addition to the 
metal detector and luggage x-ray.
    Mr. Dicks. And what list is this passenger list from the 
government--this is a government list, I take it.
    Mr. Dempsey. Yes, sir.
    Mr. Dicks. What list is this?
    Mr. Dempsey. On the next panel is Justin Oberman, who is 
head of the Office of Credentialing and Vetting at TSA, and he 
can answer those, but I will say that the list is the 
consolidated--it is a subset of the consolidated watch list 
managed by the FBI from 11 or 12 watch lists that the 
government had been using prior to 9/11. The Terrorist 
Screening Center was created at the FBI to bring together these 
disparate watch lists.
    Mr. Dicks. They still have not got this done, you know.
    Mr. Dempsey. Well, to some extent--honestly, Congressman, I 
believe they have made progress on this. It is an incomplete 
system, it is better than it was on 9/11, although we read in 
the paper this morning that the State Department has not been 
using it to screen applicants for passports, which is bizarre. 
But, look, we have put a lot of effort into trying to figure 
out who are the terrorists.
    Mr. Dicks. But I am told that even on this list there are 
certain names that are left off.
    Mr. Dempsey. There are both names that are on the list that 
should not be, and there are names that should be on the list 
that are not, that is correct.
    Mr. Dicks. Explain that. Can you explain that?
    Mr. Rosenzweig. I guess the answer is, nothing is perfect. 
I mean, we have as a goal the creation of a unified watch list, 
but to expect, especially in the context of intelligence 
information, which is often indefinite and hazy, that it is a 
perfect list is unrealistic. If your objective is only to 
implement perfect systems, we will never implement any.
    Mr. Dempsey. But some of the flaws here, Congressman, one 
day the employee at the FBI who was responsible for loading the 
names into the list and that person's backup were both out. 
Therefore, that day no new names were loaded into the list and 
when people came to work the next day they did not go back and 
fill. So that is one reason that the Inspector General found as 
to why not all the lists that should be on the list are not 
there.
    Mr. Dicks. So, Jim, what is your major concern here? From 
ATA's perspective, you were kind of gentle, I noticed, in your 
testimony. You said it was not perfect but you hoped it would 
get better. What are you mainly concerned about here?
    Mr. May. Congressman Dicks, I think we want to see, number 
one, the federal Government take over the business of matching 
names on whichever list or combination of lists are going to be 
used. Number two, I think we want to have a simplified data 
collection process that, whether it is CBP or TSA or anybody 
else that is collecting information for the airlines, it is 
consistent fields of information.
    Number three, I think we need to have discussions with TSA, 
CBP and others, it has been discussed here that we have a 
number of different ways to implement the program based on 
different computer systems, carriers, things of that sort. Let 
us have those conversations so that we know how that 
information is going to be managed.
    Number four, do not forget that we are not the sole 
collectors of information. Travel agents, for example, collect 
information, and we may not even be in receipt of a lot of the 
required information on a number of passengers until they check 
in with us immediately prior to their flight on a connecting 
flight from another airline.
    Mr. Dicks. So that is where you say on the flight coming 
into the United States. It does sound ludicrous that we check 
these things 15 minutes after the flight leaves. I mean, if you 
have got the terrorist on there and he is, whatever, that is 
disconcerting. And then we have to land up in Maine or 
somewhere and get the person off.
    Mr. May. That is correct, and that is why we suggest a 
real-time process where you get a board/no board as we get that 
information in.
    Mr. Dicks. But it should be before the plane leaves, 
shouldn't it, I mean, in a perfect world?
    Mr. May. In a perfect world, it should be before the plane 
leaves, but we do not live or operate in a perfect world.
    Mr. Dicks. Would a real-time system allow you to do it 
before the plane leaves?
    Mr. May. A real-time system would allow us to do it better 
than we do it today. Do not forget that if we had it on an hour 
in advance, it still takes them 4 hours to process that 
information. When they have a conflict between John B. 
Anderson, III and John Anderson, it still is a human being that 
sits down and starts to look at other information to try and 
correct that. And in the final analysis, the airlines would far 
prefer to have some planes turned around over the Atlantic than 
have the huge delays that would be required of processing 
information on all of those passengers, all of the time prior 
to departure.
    Mr. Dicks. So in a real-time system, it still would take 4 
hours.
    Mr. May. Right now it is taking--we think it is taking--
    Mr. Dicks. That is why on these 8- or 9-hour flights they 
get it--
    Mr. May. Right. Right. So get a real-time system that 
allows us to put that information in 2 hours in advance, for 
example. When we have it an hour in advance, a half hour in 
advance, there is still probably going to be some passengers 
that are not prescreened prior to getting on. Now, they are 
going to be prescreened according to CAPPS I. They can be run 
against a watch list, et cetera. But in-depth APIS screening 
will not necessarily take place for every single passenger, but 
that is a risk we will take because we think the disruption to 
the system of a mandatory 60 minutes prior to departure is 
going to be far greater.
    Mr. Dicks. Thank you, Mr. Chairman.
    Mr. Lungren. The Chair now recognizes Mr. Linder for 5 
minutes.
    Mr. Linder. Thank you, Mr. Chairman.
    Mr. Dempsey, you said that it is clear that the terrorists 
are still seeking access to airliners. Where do you get that 
information?
    Mr. Dempsey. Well, I am not privy to any intelligence but 
it seems to me that it is one of the most powerful targets that 
they have. They have shown--
    Mr. Linder. Have more people died on airlines or trains?
    Mr. Dempsey. Excuse me, sir?
    Mr. Linder. Have more people died on airlines or trains?
    Mr. Dempsey. I honestly do not know the answer to that, but 
we have had some spectacular losses of life on airplanes.
    Mr. Linder. Do you think another airplane will ever be 
allowed to go into a building?
    Mr. Dempsey. Not if the passengers can help it.
    Mr. Linder. Do you think the passengers will help it?
    Mr. Dempsey. Yes, sir. They may die in the process, but 
they are going to probably rise up and prevent it.
    Mr. Linder. That is correct. And the value of the airliner 
on September 11 was that it was full of fuel and it was come to 
allow to fly into a building because the passengers up to that 
point had believed they were just going to be taken off 
somewhere. And it was spectacular because the jet fuel burned 
down the buildings.
    If it is the case that I think it is that the terrorists 
are looking for spectacular financial events, it does not seem 
much in their interest to just take down one airliner. And they 
can do that today by just putting a bomb in the cargo hold.
    Mr. Dempsey. When I fly on airplanes, I hope people have 
not given up on protecting airplanes.
    Mr. Linder. We had 690 million passenger flights on 
airlines in 2004, and we spent $5 billion on that. We have 9 
billion passenger rides on trains, we spend one-half of 1 
percent of the budget on that. Do you think that is fair?
    Mr. Dempsey. Well, I do think that you raise the question 
of risk assessment and prioritization, which is absolutely part 
of this. We obviously had a terrorist train bombing or subway 
bombing, commuter train bombing in Madrid. So our security 
system must look at and evaluate all of those risks. Whether 
too much money has been spent on air transport to that 
exclusion of other forms of transport is something that I am 
not going to offer an opinion on.
    I do stand by my position that terrorists see airplanes as 
potent targets, and if they can, they will take one and they 
will either blow it up or crash it. And we need to keep 
terrorists off of airplanes, which means we need to screen 
passengers, and we need to do so in a cost-effective way, I 
agree with you entirely.
    Mr. Linder. I do not think it really matters just who is on 
an airplane, because fake IDs are so easy to get in this day 
and age that anybody--no terrorists are going to get on there 
and identify themselves correctly and tell you where he is 
from.
    Mr. Dempsey. Most of the 9/11 hijackers flew under their 
true names.
    Mr. Linder. That was pre-9/11. That was pre-9/11.
    Mr. Dempsey. It is an excellent point, Congressman. The GAO 
noted in its report that identity theft does pose a serious 
challenge to screening. We have efforts underway, separate 
efforts, to improve the quality of identification documents. 
Identity theft and fake IDs pose a risk in a number of 
contexts. If we were to vet train passengers, the same problem 
would be posed there.
    So the fact that we do not have a perfect ID system, to me, 
does not say that we should not try to figure out who is 
getting on an airplane.
    Mr. Linder. If we take this system and move it to the train 
system, we would make a huge mistake, because this one does not 
work, for starters.
    Mr. May, let me ask you something.
    Mr. Dempsey. Congressman, just let me say I agree that this 
is not working yet and it should not be extended to any other 
forms of transportation until we can prove that it works in the 
air transport context.
    Mr. Linder. It appears to be a wholly owned subsidiary, the 
airline industry.
    Mr. May, nobody has mentioned biometrics here. In your 
judgment, if we had a background screening and I had a 
fingernail print, shouldn't I be able to just walk on that 
plane?
    Mr. May. Mr. Linder, we have long supported the concept of 
Registered Traveler because we think if you have a robust 
Registered Traveler database using biometrics and they use iris 
and fingerprint, that it removes the number of people or a 
number of people that would otherwise be potential selectees.
    Mr. Linder. But the ones we have right now they go through 
and identify themselves with a fingerprint at Reagan National, 
still go through the magnetometer, still take off their shoes--
    Mr. May. That was exactly the point of my testimony. We 
have to have TSA identify the benefits for belonging to that 
program, for providing the biometric information so that you do 
not have to take your computer out, you do not have to take 
your shoes off, you do not have to take your outer garment off, 
et cetera, so you can quickly move through the process. And 
then you have to have those six test programs learn how to talk 
to one another as just one other additional step in the 
process.
    Mr. Linder. Thank you, Mr. Chairman.
    Mr. Lungren. The Chair now recognizes the gentlelady from 
California, Ms. Sanchez, for 5 minutes.
    Ms. Sanchez. Thank you, Mr. Chairman, and I am sorry for 
having arrived late. I was caught in another committee meeting. 
And I did not get to hear the testimony of all of our gentlemen 
before us, but I do have one question.
    I have a constituent, Bob Lewis, has a regular sounding 
name, a businessman, he goes to the airport quite a bit. And 
every single time he gets stopped because there is a Bob Lewis 
on the list. Now, he is not that Bob Lewis.
    So with respect to that, he has talked to all of the 
agencies, he has finally gotten a letter that says he is not 
that Bob Lewis, so now he shows up to LAX and it can be normal 
procedure of showing them the letter and that is fine and goes 
through and takes off his shoes like everybody else or 
sometimes he is set aside for 4 hours, missing his flight 
because somebody is not trained or somebody does not believe 
the letter or something is going on. I mean, this is an 
occurrence that happens over and over to this gentleman.
    So my question is, what is the process to stop that from 
happening currently, because it is very aggravating. And he is 
not the only I have but this is not a--I mean, believe me, I 
have plenty of Middle Easterners and Muslims. I have the 
largest mosque in California in my district. But I am talking 
about just a regular Anglo-Saxon community leader type of 
person.
    Mr. Rosenzweig. Actually, ma'am, I think that that is 
probably the best argument for Secure Flight that you could 
make. The reason he keeps getting stopped is because the 
current distributed network system is not just distributed but 
disconnected. So they cannot disambiguate him from the other 
Bob Lewis, was it?
    Ms. Sanchez. Bob Lewis.
    Mr. Rosenzweig. They cannot disambiguate him from the other 
Bob Lewis. He is not that Bob Lewis. That Bob Lewis may be 42 
and Hispanic from El Toro and he is Anglo-Saxon and 37 from El 
Centro.
    Ms. Sanchez. He wishes he was 37.
    Mr. Rosenzweig. Okay. But the point is that in the 
disconnected system we have now, I mean, it is absurd.
    Ms. Sanchez. But he has been corrected. He has been 
corrected with the letter, so we are going back to this 
training issue.
    Mr. Rosenzweig. Well, it is a training issue, but it is 
absurd that we have a system where the correction has to be a 
hard copy that he has to carry with him, right?
    Ms. Sanchez. But even when he carries it with him the 
problem is still whoever has not been trained correctly.
    Mr. Rosenzweig. That is true. That is true. And obviously 
training and implementation issues need to be addressed as we 
transition. I guess the point of what I would take away from 
your experience is that if we actually transition to a better 
system, the training problems diminish substantially. I mean, 
let's be honest, there are 43,000 TSA people. You are never 
going to have all of them trained perfectly. There is a lot of 
turnover. We cannot expect human systems to be error free, much 
as we would like it to. We can expect better of automated 
systems that use additional data about the good Bob Lewis to 
distinguish him.
    Ms. Sanchez. So the Secure Flight would have the real 
information on the good Bob Lewis in there, ``Do not stop this 
guy, he looks like this.''
    Mr. Rosenzweig. If properly implemented, I believe that 
the--and you should ask Mr. Oberman back there when he comes--
    Ms. Sanchez. Well, I will when he comes up.
    Mr. Rosenzweig. --but if properly implemented the good 
Secure Flight system should have identification about the good 
Bob Lewis, maybe his biometrics, probably more likely simply 
his date of birth, which I am sure is different from whoever 
the bad Bob Lewis is, that he carries with him already on his 
driver's license. And if that is all that it takes to 
distinguish the two, then the good Bob Lewis will be carrying 
with him not a letter but a driver's license that just type it 
in, bam, he is the good John B. Anderson, not the bad John B. 
Anderson.
    It can work. It does not yet, to be sure.
    Ms. Sanchez. Any of the rest of you have a comment?
    Mr. May. I would simply note, as we said with Mr. Linder a 
minute ago, if you have got biometrics attached to a Registered 
Traveler Program that has absolute positive benefits for the 
traveler, Bob Lewis could become a registered traveler with 
biometrics and breeze through the system on a regular basis. 
And I think that needs to be a component of the overall 
process.
    Ms. Sanchez. Well, just to mention that so far it is only 
one airline at LAX at a certain terminal, in a certain way, and 
so, you know.
    Mr. May. We agree with you. And that program does not talk 
to the one in Minneapolis, it does not talk to the one at 
Washington National and so forth.
    Ms. Sanchez. Exactly. A lot of work to be done.
    Thank you, Mr. Chairman.
    Mr. Lungren. The Chair recognizes the gentlelady from 
California, Ms. Lofgren, for 5 minutes.
    Ms. Lofgren. Thank you, Mr. Chairman. And I appreciate this 
hearing because I think we need to examine what we are doing 
here from really the very beginning. We are spending a lot of 
money, not only in terms of expenditures, but the public is 
spending a lot of money in terms of their time, and the 
question is, what are we getting for that investment? I guess 
my current operating belief is not too much.
    How many names are on the watch list, do you know, Mr. May? 
Anyone?
    Mr. Dempsey. About 200,000.
    Ms. Lofgren. Now, do we believe that there are 200,000 
people who want to either blow up a plane or hijack a plane?
    Mr. Dempsey. No.
    Ms. Lofgren. So we have got a lot of data there that we are 
checking the bad John Andersons or the bad Bob Lewis's, but 
there is no reason at all to believe they are going to hijack a 
plane or blow it up.
    Mr. Dempsey. Congresswoman, let me just also clarify that a 
little bit further. The consolidated terrorist screening 
database has, according to the DOJ Inspector General's report, 
I think currently about 260,000 names.
    Ms. Lofgren. Well, reclaiming--
    Mr. Dempsey. But then only a subset of that is used as the 
no-fly and selectee lists.
    Ms. Lofgren. And that is about 37,000?
    Mr. Dempsey. Right.
    Ms. Lofgren. And we do not believe there are 30,000 people 
on that list that intend to blow themselves up.
    Mr. Dempsey. No, but what we are talking here about, I 
believe, Congresswoman, and your point is 100 percent, as Mr. 
Linder's point, is 100 percent correct, we do need to do a 
little baseline questioning here. But these are people who are 
being referred for secondary screening.
    Ms. Lofgren. Well, it is worse than that. I will just give 
you a little personal story. My husband and I were in Los 
Angeles and we were going to fly back to San Jose on Southwest 
Airlines. It was a nightmare. I mean, it was like a two and 
half hour security line. I went fine. We found a line to the 
kiosk, got my little boarding pass, and then we could not get 
John's boarding pass. And finally we found--we are in another 
hour-long line and it is a J. Collins is on the list.
    I will tell you to get cleared by the Southwest people took 
like--they said, ``Oh, well, you are not him,'' and gave a 
boarding pass. But there is no way to get off the list, and it 
is not him, and I do not know who the J. Collins is, whether 
this is somebody who really would blow themselves up, but 
Senator Kennedy went through it, Mr. Lewis went through it, Mr. 
Anderson went through it, my husband is going through it, and 
it bears no relationship to keeping the nation safe. So that is 
a stupid system, and we are spending a lot of money on it, and 
it does not make us any safer at all.
    So I think we need to start from the very beginning. What 
is this list and how does it inform us about who is really 
going to be a threat to the nation? And if we have a small 
group of people who we have reason to believe are going to blow 
themselves up or hijack an airplane, it is not going to be 
37,000 people, it is going to be a much smaller group, and then 
we should look at those people pretty carefully when they try 
and board an airplane. But the system we have now, and I cannot 
believe and I heard it took 4 hours to do a database search. I 
mean, who is doing our software here? I mean, that is 
astonishing.
    So I just think this system is--you know, we always look at 
the last problem not the next problem. We are throwing 
resources at this system foolishly. We are not providing value, 
we are not providing safety, and we are completely ignoring the 
exposure we have in other transportation modes that is likely 
to be the next target.
    So we can do biometrics. I mean, the chairman and I had all 
of our fingerprints taken when we were sworn into the state bar. The 
government has my fingerprints. But until we know what we are 
sorting for, I think we are just causing a lot of problems 
here.
    Mr. Rosenzweig. Can I just gently disagree with you 
slightly?
    Ms. Lofgren. Certainly.
    Mr. Rosenzweig. And, certainly, the person you should talk 
to is Donna Bucella who runs the Terrorist Screening Center who 
we heard from in the Privacy Committee that I am on a couple 
weeks ago, and she can do much better at this. But it strikes 
me that 37,000 is not as big a number as you think it is, 
because it is not 37,000 Americans. It is 37,000 people out of 
3 billion worldwide, which is--I was trying to do the math 
while you were talking, but I think it is one one-hundredth of 
1 percent.
    And if you ask the question, do we think that there are 
37,000 people worldwide who are bent on terrorist impulses, I 
have no personal knowledge. I do not get any classified 
briefings, but I am going to guess that there probably is that 
many that we know about.
    Ms. Lofgren. I see that my time has expired, but, Mr. 
Chairman, I think at a future hearing and maybe even in a 
classified session it would be of value to explore what this 
list is and what it is made up of and what kind of information 
is provided, just as a baseline for the beginning of the 
discussion.
    I yield back and thank the chairman for his recognition.
    Mr. Lungren. I thank the gentlelady, and that is something 
I think we ought to do. And I would just say that that list 
changes from day to day. And without revealing any classified 
information, in investigations we know from Judiciary Committee 
experience in the intelligence area sometimes someone is put on 
a list of suspicion based on the fact that they had lunch with 
someone that we know is a known suspected terrorist. And until 
further investigation reveals them not to be someone, they 
would probably be on that list. So it is an expanding and 
contracting target.
    And I think our real question is, how do we get people such 
as your husband and Mr. Anderson who are clearly not the person 
that is meant to be on that list, how do we clear them, and do 
we utilize, for instance, commercial information? Do we use 
commercial databases? And if that is the case, does the 
government have that or do we query those as opposed to having 
the government set up their own systems, which brings up 
questions of privacy? And until we create that context for 
discussion, you will have criticism of the government ever 
looking at commercial databases.
    And I think that is part of our inquiry here. We have tried 
in this hearing to set up the dimensions of the problem, and 
how do you get out of that problem I think is the next inquiry, 
and that goes into the question of databases and who utilizes 
the databases, for what purpose, and who keeps them? And in 
which way do we protect privacy to a greater extent? So I 
appreciate--
    Ms. Lofgren. Would the gentleman yield for--
    Mr. Lungren. Yes.
    Ms. Lofgren. --for a comment, because I think what is 
missing here is the connection of information to risk. There 
are people on that list, I will use an Ireland example, people 
who donate to the widows and orphans but it might actually be 
the IRA and they could end up on that list and it has nothing 
to do with whether they are going to blow themselves up on an 
airplane. And so the information does not match to the risk, 
and we are spending a huge amount of money, consequently.
    Mr. Lungren. That is part of our inquiry, but the other 
part is, as I suggest, if you do have a defined number of 
people on a list, and yet we know John B. Anderson is not that 
person, how do we create a system that is more efficient in 
removing this John B. Anderson, his progeny and so forth, from 
that? And I think those two areas of inquiry, and then on top 
of that how do we protect appropriate privacy concerns?
    Mr. Dempsey. Mr. Chairman, if I could just comment upon 
that for one second because everything that Congresswoman 
Lofgren has said I agree with. Last December, Congress required 
the administration to report by the end of this month on what 
are the criteria, how do you get on, how do you get off? As far 
as I know, that report has not yet been submitted. I certainly 
have not seen any reports about it. But we have been over this 
ground once before, but we have to go over it again.
    The Intel Reform Act also said that that watch list should 
have better information about how you got there and why you are 
there and what level of risk you pose, because I agree with you 
entirely. Whether it is 260,000 or 37,000, there are different 
levels of suspicion there, and, clearly, when that consolidated 
watch list was first created, and the TSC admits this, it was 
overbroad. They dumped a lot of stuff in there because they 
were in a hurry and they did not want to miss something.
    But now we are seeing the consequences of that, and it is 
time to go back and reconsider who is in there, why, what is 
the validity of the information, and then what is the quality 
of that identifying information so we can begin to tell one 
person from another.
    Mr. Lungren. The gentlelady from Texas wish to inquire? 
Okay. The gentlelady is recognized for 5 minutes.
    Ms. Jackson-Lee. I thank the chairman for this hearing, and 
I guess I just want to pursue the line of questioning that my 
colleagues have been, and I will ask a broad question to all of 
you.
    We are a team dealing with homeland security, and the more 
precise we can be, the more effective that we will be, in 
addition to the watch list and the backlog that I understand in 
terms of refining the watch list. Many of us have had 
constituents raise questions about that. Are you in need of 
more resources, more technology, more training? And out of the 
watch list, can you account for me any arrests or any terrorist 
that was deterred or any act that was deterred because we have 
the existence of a watch list?
    Why don't I let whoever--
    Mr. Dempsey. I am sorry, Congresswoman, none of us 
represent the watch list, none of us work for the government, 
so I do not know that any of us are in a position to answer 
that question. The next panel does have a witness from the 
government.
    Ms. Jackson-Lee. Do you have any comment about the 
existence of a watch list?
    Mr. Dempsey. Well, I will say that part of the effort to 
prevent and combat terrorism is to identify terrorists, and we 
have an effort to identify them. There are various screening 
points in life, in society where individuals are seeking a 
government benefit or in this case to travel, and there is an 
interesting question there, where we have to determine is the 
person entitled to enter this country? And terrorists are not 
entitled to enter this country. Is the person entitled to a 
visa? Terrorists are prohibited from acquiring visas. So we try 
to figure out who the terrorists are and are they entitled to 
certain benefits or rights.
    Ms. Jackson-Lee. But we need to be right in doing so, and I 
appreciate you trying to take a stab at a question that you 
think you might not be prepared for.
    Let me just go right to Mr. Anderson, and I am sure you 
have been probed extensively, Congressman. I am delighted to 
see you.
    Mr. Anderson. Thank you.
    Ms. Jackson-Lee. And we all owe you a debt of gratitude for 
your service. But you have lived in different periods of our 
country's history, and we all know how we had to change our 
thought processes after 9/11, but as the constitutionalist that 
you are, a person who obviously applauded and utilized the 
freedom that this country represents, tell us the stress, the 
strain and the enormous difficulty that you had in clearing 
your name.
    And when we talk about insurance issues, we talk about 
risks. Insurers will say, ``I am willing to give this certain 
amount or even products based upon we are willing to accept 
this amount of loss on this product.'' Is it equal to what 
safety we are getting by what you had to go through or the 
existence of lists like this?
    Mr. Anderson. Well, I think the general consensus, and I 
would not presume to speak for the other members of the panel 
this morning who have far more expertise than I, really, on a 
day-to-day basis of dealing with this problem, but I think 
there has been a consensus that there is definitely overbreadth 
in the list and that there are serious questions as to whether 
or not the methods that are employed to compile that list 
comport with recognition, as it should have for standards of 
privacy and indeed whether or not the standards that are 
employed to compile the list are even very sensible and 
reasonable and that the system is broken and that it needs to 
be reworked.
    No one challenges, as I think is also implicit in your 
question, the need to protect ourselves against terrorists 
boarding airplanes and all the rest, but we cannot tolerate a 
system that involves your fellow congresswoman testified to the 
difficulty that she and her husband have had.
    Ms. Jackson-Lee. Well, it cries out for action.
    Mr. Anderson. I am only one, I think, of literally many, 
many people who feel that this system is very badly flawed, and 
this committee has the responsibility, and I am happy that they 
see it the same way, of undertaking to find out what can be 
done to correct the present system.
    Ms. Jackson-Lee. Thank you very much.
    Mr. Lungren. Thank you.
    Ms. Jackson-Lee. Thank you very much.
    Mr. Lungren. I again thank all the witnesses for their 
testimony. It has been a very interesting hearing. You are 
helping us in our inquiry as to where we are and where we wish 
to go. The witnesses are excused, and I would call up our 
second panel for testimony.
    The Chair now recognizes Mr. Justin Oberman, the Assistant 
Administrator for Secure Flight and Registered Traveler Program 
at the Department of Homeland Security to testify.
    And I would say, Mr. Oberman, that your written testimony 
will be put in the record in its entirety, and we would ask you 
to make your oral presentation in 5 minutes, and then we will 
have some questions for you.
    Thank you for being here.

 STATEMENT OF JUSTIN OBERMAN, ASSISTANT ADMINISTRATOR, SECURE 
  FLIGHT AND REGISTERED TRAVELER, U.S. DEPARTMENT OF HOMELAND 
                            SECURITY

    Mr. Oberman. Thank you, Chairman Lungren, for calling this 
hearing. Chairman Cox, Congresswoman Sanchez, Congressman 
Thompson, pleasure to be here to discuss one of the most 
important programs we are trying to launch at the Department of 
Homeland Security.
    As you know, the issue of protecting security on domestic 
aviation is one of the nearest and dearest threats to 9/11 and 
one of our most important missions, not only at TSA but also at 
the Department.
    As you also know, the 9/11 Commission recommended that the 
government assume the responsibility for checking domestic 
passengers against terrorist watch lists, and of course the 
Congress built on that recommendation in the Intel Reform Act 
last December and also required us to stand up this system, and 
of course that is exactly what we are doing.
    We have been in a testing and planning phase since we 
launched the program last September and have done quite a bit 
of work to define our capabilities as well as areas where 
additional progress is needed. Our testing, for example, has 
shown that our existing technology does have the ability to vet 
the names of 1.8 million people who fly in the United States 
every day and to do so far more accurately than the air 
carriers do today, particularly if we have every passenger's 
full name and date of birth.
    As you also know, we are conducting a test to determine 
whether the use of commercially available information can 
assist us in carrying out our pre-screening function, 
particularly with respect to making our watch list matching 
capability even more accurate and also to see if we can get at 
the critical issue mentioned by several members today regarding 
verifying the identities of people who fly.
    In addition to that, the test also looked at our ability to 
assume the responsibility for CAPPS I from the airlines, and it 
was a very useful test because it showed that it was in fact 
very difficult for us to take that over for the reasons that I 
think Mr. Dempsey alluded to, that information far beyond what 
is in the passenger record is required to run CAPPS I.
    Partly in response to that, the Department amended the 
CAPPS I rules in January and gave the carriers 90 days to make 
those changes. That 90 days, of course, has come and gone, and 
we have seen selectee rates due to CAPPS I drop significantly 
across the industry. The major carriers have a CAPPS I selectee 
rate of under 10 percent, and the regional and low-cost 
airlines who are disproportionately impacted by criteria that 
are publicly known, such as paying for tickets in cash and 
flying one way, have seen their selectee rates drop in some 
cases by half or more as a result of the changes that TSA 
authorized in January. That is a big improvement.
    I do want to address, though, several other key issues 
right now and hopefully during the course of my testimony that 
I think are very important and of course are on the minds of 
members of the committee and others, and they include the 
following: Number one is our budgetary situation. We are in a 
very difficult situation with respect to funding for Secure 
Flight. The President requested $60 million for fiscal year 
2005 and we were funded at $35 million. That is a 40 percent 
reduction, which required us to significantly curtail our plans 
for the current fiscal year.
    Furthermore, the President's request for 2006 is $81 
million, and the House mark, which is obviously now public, is 
at $66 million. That is about a 20 percent cut. The Senate mark 
is at $56 million, which is about a 30 percent cut.
    And what I can tell you is that if the enacted level is 
less than what the President requested, our ability to meet our 
timelines, which we have set ourselves and as well are required 
by the Intel Reform Act, will be in serious jeopardy. The 
program needs to be funded at the President's requested level 
for us to be successful, and we are in, as I said, serious 
jeopardy at the current amounts marked up, particularly coming 
on the heels of a major reduction for us in fiscal year 2005.
    Another key issue, of course, is the issue of privacy, and, 
as I have said from the moment I assumed responsibility for 
this program, privacy and security are the two goalposts of 
Secure Flight. We have tried to design the system with privacy 
at its very core, and, as you know, we are undergoing very 
close consultations with GAO as well as the Privacy Officer at 
the Department, and we determined several weeks ago that the 
documents that we had issued to govern testing, which of course 
will be scrapped and renewed for the implementation of the 
program, did not adequately and fully reflect everything we had 
done during testing.
    And so we took the initiative on our accord to amend those 
documents publicly, which we published a week ago today, to 
more fully explain what we have been doing. Of course, 
everything that is in those documents we have briefed 
extensively to the committee, others in the Congress and to GAO 
and the public, so it was a matter of making sure that our 
documents were aligned.
    In addition to that, the Deputy Secretary has directed the 
Privacy Officer to conduct a review of all aspects of privacy 
in Secure Flight. We of course welcome that. We are working 
with the Privacy Officer on a daily basis, and so this is just 
more useful support for the program, and we are appreciative of 
that.
    With respect to GAO's overall effort, which I know is of 
great interest to the committee, there are 10 separate criteria 
regarding Secure Flight that the Congress has directed GAO to 
review. GAO issued a preliminary report in March describing our 
progress in all 10 areas, and in that report included 6 
recommendations, all of which we concur with, all of which were 
in progress at the time of publication and all of which we are 
nearing completion on. And we intend to meet all 10 GAO 
criteria before we start the program. That is our objective. 
Those criteria are things that we would normally do anyway, and 
so we are appreciative of that.
    And then the final issue, of course, deals with redress, 
which has been a great topic of conversation today. I think 
Secure Flight offers significant improvements in terms of how 
people who are particularly close matches to the list can 
navigate through the system much more efficiently than they do 
today. And I will be happy to discuss that in more detail.
    So I really do appreciate the opportunity to testify. This 
is a very important program. We need to be talking with the 
American people as often as we can about what we are doing, 
because it is so broad based, and I look forward to your 
questions and questions from other members of the committee.
    [The statement of Mr. Oberman follows:]

                Prepared Statement of Justin P. Oberman

    Good morning Mr. Chairman, Congresswoman Sanchez, and Members of 
the Subcommittee. I am pleased to have this opportunity to appear 
before you today on behalf of the Transportation Security 
Administration (TSA) to discuss our efforts and challenges relating to 
improving pre-screening of aviation passengers against terrorist and 
other watch lists, particularly in the context of our Secure Flight 
Program. The Department of Homeland Security (DHS) and TSA are 
committed to the development of Secure Flight as an essential layer in 
our system of systems approach to aviation security. We envision Secure 
Flight as a unique opportunity to leverage technology and information 
management practices to implement a program that enhances the security 
of the civil aviation system. An additional benefit of Secure Flight is 
the prospect for improving and facilitating travel for the broad 
public. We are working to quickly resolve remaining policy, technical, 
cost, and privacy considerations.

BACKGROUND
    Currently, aircraft operators are required to compare the name of 
each passenger to the names of individuals on two Federal Government 
watch lists known as the No-Fly and Selectee Lists. When an aircraft 
operator has a reservation from a passenger with a name that is the 
same as, or similar to, a name on the No-Fly list, the aircraft 
operator is required to notify law enforcement personnel and TSA to 
verify whether that passenger is in fact the individual whose name is 
on either list. If the passenger is verified as an individual on the 
No-Fly List, the aircraft operator is prohibited from transporting the 
passenger and all accompanying passengers. When an aircraft operator 
has a reservation from a passenger with a name that is on the Selectee 
List, the aircraft operator is required to identify the individual to 
TSA for enhanced screening at security screening checkpoints.
    In addition, domestic air carriers perform passenger pre-screening 
through their use of the Computer-Assisted Passenger Prescreening 
System (CAPPS). CAPPS, which was developed jointly by the airlines and 
the Federal government in the mid-1990s, analyzes information in 
passenger name records (PNRs) using certain evaluation criteria to 
determine whether a passenger and his property should receive a higher 
level of security screening prior to boarding an aircraft.
    As part of the Aviation and Transportation Security Act (ATSA) 
(P.L. 107-71), Congress directed that the Secretary of Transportation 
ensure that ``the Computer-Assisted Passenger Prescreening System, or 
any successor system--is used to evaluate all passengers before they 
board an aircraft; and includes procedures to ensure that individuals 
selected by the system and their carry-on and checked baggage are 
adequately screened.'' This requirement became part of the mission of 
TSA, with overall responsibility transferring with TSA to DHS on March 
1, 2003, as provided for in the Homeland Security Act of 2002 (P.L. 
107-296).
    The need to expedite implementation of an effective passenger pre-
screening system was reinforced and reemphasized in the final report of 
the National Commission on Terrorist Attacks Upon the United States (9/
11 Commission), which states at page 392:
        ``[I]mproved use of ``no-fly'' and ``automatic selectee'' lists 
        should not be delayed while the argument about a successor to 
        CAPPS continues. This screening function should be performed by 
        TSA and it should utilize the larger set of watch lists 
        maintained by the Federal Government. Air carriers should be 
        required to supply the information needed to test and implement 
        this new system.''
    Spurred by the recommendations of the 9/11 Commission, Congress 
enacted in relevant part Section 4012 of the Intelligence Reform and 
Terrorism Prevention Act of 2004 (IRTPA)(P.L. 108-458). The provision 
directs that TSA commence testing of and ultimately assume 
responsibility for ``the passenger prescreening function of comparing 
passenger information to the automatic Selectee and No Fly lists 
[utilizing] all appropriate records in the consolidated and integrated 
terrorist watch lists maintained by the Federal Government in 
performing that function.''
    Secure Flight is TSA's program to move the existing watch list 
vetting process of domestic passengers from the air carriers into the 
Federal Government in order to make the process more effective, 
consistent, and efficient for the traveling public from a security and 
customer service standpoint. Under this program, TSA will assume the 
function of conducting pre-flight comparisons of domestic passenger 
information to Federal Government watch lists, to include expanded 
versions of the No-Fly and Selectee Lists. TSA is also reviewing 
whether the Secure Flight system may be able to incorporate a 
streamlined version of the existing CAPPS system to evaluate 
information in PNRs that passengers otherwise provide to aircraft 
operators in the normal course of business.

BRIEF OVERVIEW OF SECURE FLIGHT'S GOALS
    The importance of an effective Secure Flight program is hard to 
overstate. Because the airlines have varying systems by which they 
implement passenger prescreening, the effectiveness, efficiency, and 
consistency in response for airline passengers of the current system is 
limited. In developing Secure Flight, TSA is seeking that greater 
effectiveness, efficiency and consistency, but doing so requires the 
consolidation of functions that are now being carried out separately by 
65 air carriers, for 1.8 million passengers on 30,000 flights each 
day, at approximately 450 airports where security screening is 
required. Once implemented, however, Secure Flight would enable TSA to 
better focus its resources and security screening efforts on those 
passengers who are identified to be more likely to pose a threat to 
aviation security. In addition to resulting in a more secure system, 
the benefits to legitimate travelers, who comprise the vast majority of 
the traveling public, will be evident. TSA fully appreciates the 
frustration felt by individuals posing no threat to aviation security 
who are selected for additional scrutiny at airports because of a false 
positive report that they match or resemble a name on a watch list. 
Once operational, Secure Flight will result in fewer individuals 
undergoing additional scrutiny, thus reducing one element of the 
``hassle factor.'' Furthermore, by reducing false positives, additional 
passengers will be able to avail themselves of expedited check-in 
procedures on the Internet and at self service ticket kiosks. The 
overall result would be a more secure system that is also more 
efficient and user-friendly to travelers.
    In assuming the watch list checking role from the air carriers, we 
recognize that they are indispensable partners, without whom the Secure 
Flight program will not succeed. The carriers have been extremely 
cooperative, for example, in providing the necessary historic PNR data 
relating to domestic flights in June, 2004 to enable TSA to conduct its 
preliminary testing, and we expect that this cooperation will continue 
as we make preparations for beginning operational testing of Secure 
Flight. We are also partnering with U.S. Customs and Border Protection 
(CBP) on the transmission of passenger data because most domestic 
carriers already have pre-existing information technology connections 
to CBP relating to passenger data.
    TSA also acknowledges that carriers are concerned with not only the 
technical issues relating to connectivity but also with the initial 
start-up costs that they might have to bear. TSA will continue to work 
with the airline industry to develop cost estimates for implementation 
and continued operations and is committed to working with the carriers 
in managing the start-up costs of Secure Flight, including the costs 
associated with aligning the IT systems. However, ultimately, the 
anticipated economies of scale that will be achieved by consolidating 
the watch list vetting function into the government, a function whose 
attendant costs are currently borne by the carriers, will likely lead 
to significant savings to the carriers. An additional benefit of Secure 
Flight is that the increased efficiency that it will afford at 
checkpoints and ticket counters should assist carriers in maintaining 
and improving passenger satisfaction and customer service--objectives 
that we share with the carriers as TSA carries out its primary mission 
of ensuring civil aviation security.

TERRORIST WATCH LISTS AND FUNCTIONALITY OF SECURE FLIGHT
    Before I discuss further our efforts to develop and test Secure 
Flight and the issues that must be resolved prior to its actual 
deployment, please allow me to provide some information regarding the 
underlying terrorist databases on which passenger information will be 
compared. Homeland Security Presidential Directive 6 (HSPD-6) and an 
accompanying Memorandum of Understanding (MOU) dated September 16, 
2003, directed the creation of the Terrorist Screening Center (TSC) and 
reengineered the terrorist watch list process.
    Since its creation on December 1, 2003, TSC has developed and 
maintained the Federal government's Terrorist Screening Database 
(TSDB). TSDB receives international terrorist-related identity data 
from the National Counterterrorism Center (NCTC), also created under 
HSPD-6, and purely domestic terrorist information from the FBI. The 
NCTC receives nominations from U.S. Government agencies, such as CIA 
and FBI, for placement on specific Federal watch lists. The NCTC then 
creates records in its terrorist identities database and forwards the 
originator nomination to the TSC. The TSC then provides unclassified 
identity data to TSA for use in its No-Fly and Selectee lists, based on 
specific No-Fly and Selectee nominations from agencies. TSA personnel 
at the TSC provide quality assurance and monitor the transmission of 
this data.
    Currently, TSA's role is to provide the No Fly and Selectee lists 
to foreign and domestic air carriers that service U.S. airports. TSA 
has provided the air carriers with guidance on how to handle and 
operate the lists via Security Directives and Emergency Amendments, and 
TSA's 24x7 watch centers take air carrier reports and coordinate No-Fly 
and Selectee operational issues. TSA continues to work closely with TSC 
to ensure as much as possible that the watch lists are accurate and 
comprehensive. Additionally, TSA maintains a list of cleared 
individuals whose names are similar to those contained in the watch 
lists. Cleared lists with identifying information are attached to the 
No Fly and Selectee lists to assist carriers in distinguishing between 
watch listed and non-watch listed passengers.
    Secure Flight will involve the comparison of passenger information 
for domestic flights to names in the TSDB maintained by the TSC, 
including the TSA No-Fly and Selectee Lists, to identify individuals 
known or suspected to be engaged in terrorist activity. Secure Flight 
will automate the vast majority of watch list comparisons, will allow 
TSA to apply more consistent procedures where automated resolution of 
potential matches is presently not possible (due to the current 
reliance on separate procedures at each airline), and will allow for 
more consistent response procedures at airports for those passengers 
identified as potential matches.
    Bringing the watch list matching function into the Federal 
government will also permit expansion of these lists to include 
sensitive information that could not be disclosed to the airlines. 
Under the current system, TSA has great concerns over the security 
aspects of providing air carriers and many of their employees with 
information contained on the No-Fly and Selectee Lists. These security 
concerns would be reduced once the Federal government assumes the 
responsibility for administering watch list comparisons, thus 
permitting integration and consolidation by TSC of additional 
information relating to individuals known or suspected to be engaged in 
terrorist activity.

PROGRESS AND CHALLENGES
    On September 24, 2004, TSA published in the Federal Register a 
number of documents necessary to allow the agency to begin testing the 
Secure Flight program. These included: (1) a proposed order to U.S. 
aircraft operators directing them to provide a limited set of 
historical passenger name records (PNRs) to TSA for use in testing the 
program (69 FR 57342); (2) a Privacy Act System of Records Notice 
(SORN) for records involved in testing the program (69 FR 57345); and 
(3) a Privacy Impact Assessment (PIA) of program testing (69 FR 57352). 
These documents explained that in addition to testing TSA's ability to 
conduct automated watch list comparisons for purposes of the Secure 
Flight program, TSA intended to conduct a separate test to determine 
whether the use of commercial data would be effective in identifying 
passenger information that is incorrect or inaccurate. TSA updated the 
SORN and PIA on June 22, 2005 (70 FR 36320).
    On November 15, 2004, TSA published in the Federal Register a 
document setting forth, among other things: TSA's response to public 
comments on the September 24, 2004, proposed order; revisions made to 
the proposed order in response to comments; and the text of the final 
order. (69 FR 65619). The final order directed U.S. aircraft operators 
to provide to TSA, by November 23, 2004, a limited set of historical 
PNRs for testing of the Secure Flight program.
    Utilizing the data provided by air carriers, TSA commenced testing 
of the watch list matching function for Secure Flight beginning in 
November, 2004. The testing involved 15 million PNRs relating to 
flights flown domestically on every U.S. carrier in June, 2004. That 
test demonstrated that the system was effective in matching PNR data 
with data contained in terrorist watch lists and that the system can 
handle the expected load of more than 1.8 million passengers per day. 
The preliminary testing also enabled TSA to determine that it must 
obtain, at a minimum, an individual's full name and date of birth in 
order to perform an effective comparison of that individual against 
those individuals identified on the No-Fly and Selectee Lists. Testing 
showed that use of date of birth is helpful in distinguishing a 
passenger from an individual on a Federal watch list with the same or 
similar name and significantly reduced the number of false positive 
watch list matches.
    In addition to the testing to determine TSA's ability to compare 
passenger information with data maintained by TSC, TSA is continuing 
with a separate set of testing involving commercial data. Our purpose 
is to test the Government's ability to verify the identities of 
passengers using commercial data and to improve the efficacy of watch 
list comparisons by making passenger information more complete and 
accurate using commercial data. In conducting commercial data testing, 
procedures have been put in place to ensure strict adherence by 
contractors and their personnel to privacy standards and data security 
protections. No decision has yet been made on whether commercial data 
will ultimately be used in Secure Flight. If TSA decides to use 
commercial data for Secure Flight, it will not do so until the agency 
publishes a new SORN and PIA announcing how commercial data will be 
used and how individuals' privacy will be protected. TSA will not be 
using commercial data upon the initial rollout of Secure Flight.
    Let me say a bit more about the importance TSA gives to 
incorporating privacy rights protections in the design of Secure 
Flight. The protection of privacy is an omnipresent concern as TSA 
tests, develops, and implements Secure Flight. We are resolute in our 
commitment to adhere to the letter and intent of the Privacy Act and 
applicable policies on privacy protection and are endeavoring to 
resolve all of the outstanding issues relating to privacy. Moreover, we 
have continuously consulted with various privacy advocates to seek best 
practices and share details about this important program, and we will 
continue to work with the DHS Privacy Officer on the privacy issues 
relating to Secure Flight.
    As you are probably aware, recently, the Deputy Secretary requested 
the Department's Privacy Officer to assess the handling of PNR 
information and commercial data during the testing phase and to provide 
any recommendations about how to strengthen our focus on privacy 
protection as we continue testing and contemplate deployment of Secure 
Flight. The Deputy Secretary has made the same request of the 
Department's new Data Privacy and Integrity Advisory Committee. I met 
with this group in Boston last week to brief them and to solicit their 
counsel. Throughout our testing of commercial data, Government 
Accountability Office (GAO) and interested committees in Congress have 
been made fully aware of the details surrounding our goals and 
methodology in conducting this testing.
    On June 22, 2005, TSA amended the scope of the SORN and PIA to 
clarify and describe with greater particularity the categories of 
records and categories of individuals covered by the Secure Flight Test 
Records system. The GAO also has conducted extensive assessments of 
Secure Flight, including recently our use of commercial data testing. 
TSA is cooperating fully to ensure that all privacy concerns are 
addressed in an appropriate manner.
    TSA has employed data security controls, developed with the TSA 
Privacy Officer, to protect the data used for Secure Flight testing 
activities. The procedures and policies that are in place are intended 
to ensure that no unauthorized access to records occurs and that 
operational safeguards are firmly in place to prevent system abuses. 
Measures that are in place include the following:
         Access to private information is limited to only those 
        TSA employees and contractors who have a ``need to know'' to 
        perform their duties associated with Secure Flight operations;
         A real-time auditing function is part of this record 
        system to track all who accesses information resident on 
        electronic systems during testing, and all instances when 
        records are transmitted between TSA and contractors are 
        meticulously kept;
         Data is maintained at a secure facility, and the 
        information is protected in accordance with rules and policies 
        established by both TSA and DHS for automated systems and for 
        hard copy storage, including password protection and secure 
        file cabinets;
         Each employee and contractor associated with the 
        Secure Flight program has completed mandatory privacy training 
        prior to beginning work on the program.
    Many technical challenges remain as TSA continues its work on 
testing Secure Flight in preparation for implementation and deployment. 
To ensure that these hurdles are overcome, it is absolutely necessary 
that Congress fully support the request in the President's budget for 
FY06, which proposes that Secure Flight be funded at $81 million. I 
would emphasize that if the program is ultimately funded at levels 
comparable to the $66 million or $56 million in the bills that have 
been approved by the House and reported in the Senate that a delay in 
implementation will be unavoidable.
    TSA recognizes the importance of having in place a redress system 
that is readily available to passengers. TSA has already developed and 
implemented a clearance protocol for persons who are flagged for 
additional screening due to the similarity of their names to those of 
individuals who are appropriately on the watch lists. A passenger may 
initiate the clearance protocol by submitting a completed Passenger 
Identity Verification Form to TSA headquarters. TSA reviews the 
submission and reaches a determination of whether these procedures may 
aid in expediting a passenger's check-in process for a boarding pass. 
It is important to emphasize, however, that this clearance process is 
distinct from the ongoing internal review process to ensure that 
persons do not remain on the watch lists if they are found not to pose 
a security threat. TSA's clearance process distinguishes passengers who 
are not a security concern from persons who are on the watch lists by 
placing their names and identifying information in a cleared portion of 
the lists. This information is transmitted to the airlines. Following 
TSA-required identity verification procedures, airline personnel can 
then quickly determine that these passengers are not the person of 
interest whose name is actually on the watch lists.
    In conjunction with the Secure Flight program, TSA has charged a 
separate Office of Transportation Security Redress to further refine 
the redress process under the Secure Flight program. The redress 
process will be coordinated with other DHS redress processes as 
appropriate. Utilizing current fiscal year funding, resources have been 
committed to this Office to enable it to increase staffing and to move 
forward on this important work. TSA recognizes that additional work 
remains to ensure that there is a fair and accessible redress process 
for persons who are mistakenly correlated with persons on the watch 
lists, as well as for persons who do not in actuality pose a security 
threat but are included on a watch list.
    In addition to the mandates of IRTPA, Section 522 of the Homeland 
Security Appropriations Act, 2005 (P.L. 108-334) requires TSA to 
satisfy and GAO to report that TSA has addressed ten areas of 
Congressional interest relating to the Secure Flight program. On March 
28, 2005, GAO released a report concluding that while ``TSA has not yet 
completed these efforts or fully addressed these areas, due largely to 
the current stage of the system's development'', ``TSA is making 
progress in addressing each of the key areas.'' GAO also issued six 
recommendations to assist TSA in managing the risks associated with the 
implementation of the Secure Flight program:
        1. Finalize the system requirements document and the concept of 
        operations, and develop detailed test plans--establishing 
        measures of performance to be tested--to help ensure that all 
        Secure Flight system functionality is properly tested and 
        evaluated. These system documents should address all system 
        functionality and include system stress test requirements.
        2. Develop a plan for establishing connectivity among the air 
        carriers, CBP, and the TSA to help ensure the secure, 
        effective, and timely transmission of data for use in Secure 
        Flight operations.
        3. Develop reliable life-cycle cost estimates and expenditure 
        plans for Secure Flight--in accordance with guidance issued by 
        the Office of Management and Budget--to provide program 
        managers and oversight officials with information needed to 
        make informed decisions regarding program development and 
        resource allocations.
        4. Develop results-oriented performance goals and measures to 
        evaluate the effectiveness of Secure Flight in achieving 
        intended results in an operational environment--as outlined in 
        the Government Performance and Results Act--including measures 
        to assess associated impacts on aviation security.
        5. Prior to achieving initial operational capability, finalize 
        policies and issue associated documentation specifying how the 
        Secure Flight program will protect personal privacy, including 
        addressing how the program will comply with the requirements of 
        the Privacy Act of 1974 and related legislation.
        6. Prior to achieving initial operational capability, finalize 
        policies and procedures detailing the Secure Flight passenger 
        redress process, including defining the appeal rights of 
        passengers and their ability to access and correct personal 
        data.
    TSA has systematically proceeded within the framework outlined by 
GAO to address the ten areas of Congressional interest identified in 
P.L. 108-334. With regard to the fifth recommendation, TSA is 
absolutely committed to safeguarding personal privacy and to complying 
with the letter and intent of the Privacy Act of 1974. As I previously 
discussed, many safeguards are already in place, and as we learn more 
through our ongoing testing, we will devise and implement the 
appropriate measures and will be updating the associated documentation 
as illustrated by our actions last week in issuing a revised SORN and 
PIA.

CONCLUSION
    The implementation of an improved program for pre-screening of 
passengers against watch lists, as identified by the 9/11 Commission 
and Congress, is a vitally important mission and is a high priority for 
TSA and the Department. We appreciate the support that you have voiced 
for expeditious implementation of Secure Flight and your recognition of 
the program's great potential for further improving aviation security. 
We acknowledge the concerns over our progress in development of the 
program and other related issues and are heavily engaged in resolving 
issues of concern. We will continue to work with you and other 
interested Members and Committees in Congress on Secure Flight and will 
keep you apprised of important developments as they occur.
    Mr. Chairman, Congresswoman Sanchez, and other Members of the 
Subcommittee, this concludes my prepared remarks. I would be pleased at 
this time to answer any questions.

    Mr. Lungren. Thank you, Mr. Oberman, for your testimony.
    I recognize myself for 5 minutes of questions.
    First of all, if you could describe the Secure Flight 
Program and how it would improve, if at all, the question that 
was raised by Mr. Anderson's experience and the one related by 
the Ranking Member of the person in her district, as well as 
Ms. Lofgren's husband. How will the mechanics of the Secure 
Flight Program in any way impact those situations?
    Mr. Oberman. They will positively impact them in several 
different ways, which I would be happy to describe.
    Mr. Lungren. Okay. Maybe you need to sort of describe the 
program and then show how this would specifically affect that.
    Mr. Oberman. Absolutely. Firstly, we are going to require 
passengers to provide us with their full name and their date of 
birth when they travel. The reason for that is twofold: Number 
one, most of the records in the watch list contain name and a 
date of birth, and then the data elements that are there 
significantly drop off. And that is because we do not have 
perfect information on terrorist threats by virtue of the fact 
that they are terrorist threats, not making themselves visible.
    So by having a full name and date of birth, we will be able 
to resolve a significant number of close matches before the 
person ever arrives at the airport at all. And our testing has 
shown that we can reduce that false-positive rate by at least 
60 percent.
    Secondly, we will be the only--
    Mr. Lungren. Is that because you will have the date of 
birth?
    Mr. Oberman. That is right.
    Mr. Lungren. Which is an identifier you do not have now?
    Mr. Oberman. That is correct.
    Mr. Lungren. And when you say, ``full name,'' does that 
include middle initial, middle name?
    Mr. Oberman. Yes, it does. It is the name that you present 
on your travel documents, for example, your driver's license, 
which we also do not have in every passenger record today.
    Mr. Lungren. Thank you.
    Mr. Oberman. The second thing that will be different under 
Secure Flight and also will help mitigate the difficulties that 
people such as Congressman Anderson are having is the fact that 
we will be the only entity responsible for vetting. There are 
65 carriers in the United States, all of whom do this process 
slightly differently from one another, leading to 
inconsistencies like the one that Congresswoman Sanchez 
described with a passenger on a specific airline having trouble 
and then on another carrier, another day not having the same 
kind of difficulty.
    As a result of our being able to be the only vetting entity 
and the fact that this is a core function for TSA, not a core 
function for an airline, we will have state-of-the-art 
technology to do name matching. That is not what the air 
carriers use today. We have the best available, and we are 
continuing to partner with the Terrorist Screening Center and 
others to make sure that we have state-of-the-art technology, 
much greater accuracy in terms of matching.
    The third thing is, we are going to have a team of very 
experienced intelligence analysts looking at all of these close 
matches and making judgments about whether somebody is in fact 
on the list. The carriers do an excellent job of this today by 
necessity so they can keep their system operating, but our 
folks are trained to do this and have been doing it in almost 
every case since before 9/11.
    Finally, we will be the only entity applying these so-
called cleared lists of people who were never on the list in 
the first place, went through our redress process and received 
relief, for example, Congressman Anderson who is now on the 
cleared list. Again, we will not have 65 separate airlines 
running that list differently, and we will also have a new 
redress office, triple the staff that is there today, with new 
procedures. It is going to be far better than--
    Mr. Lungren. So right now, if you clear Mr. Anderson, you 
then give notice to all the airlines of that, correct?
    Mr. Oberman. That is right.
    Mr. Lungren. And then you have to rely on however they 
operate their systems.
    Mr. Oberman. That is correct.
    Mr. Lungren. And under the Secure Flight Program, you will 
no longer put that responsibility on the airlines, it will be 
your responsibility solely.
    Mr. Oberman. That is correct.
    Mr. Lungren. Let me ask you with respect to the question of 
commercial databases, you have said that with the additional 
information of the full name and the date of birth, that will 
eliminate 60 percent of the names, correct?
    Mr. Oberman. Sixty percent of the close matches, that is 
correct.
    Mr. Lungren. Of the close matches, yes. So then you are 
still dealing with 40 percent. Obviously, you have got more 
names on there than there are people that you want to keep off 
the airplane or more people that you are checking against then. 
How do you then go through that second analysis and what bits 
of information or data do you need for that?
    Mr. Oberman. Couple different things that we are going to 
do under Secure Flight. Firstly, as I said, we will have a team 
of very experienced analysts take a look at Bob Lewis flying 
out of LAX on a particular day, which now will be given to us 
as Robert M. Lewis with a date of birth. So it may not be 
flagged in the first place, but if he still is, we will have a 
team of experienced analysts with access to underlying 
classified information, supports the watch list record, to be 
able to make a determination.
    In addition to that, one of the things that we have tested 
over the last 4 or 5 months, which we are still doing the 
testing, it is not conclusive enough yet to be able to make a 
judgment, is looking at whether bringing additional information 
into that passenger's record, for example, their address, their 
phone number, things of that nature would enable us to further 
distinguish it.
    Comments Mr. Rosenzweig made about dates of birth and zip 
codes being very good identifiers is precisely one of the 
things we have been looking at, and we have not been pulling in 
just the street address but also the zip code to make a 
differentiation. And that is one potential benefit of using 
commercial data, which is the subject of a test and ongoing 
work to see if it will be effective.
    Mr. Lungren. My time has expired.
    The Ranking Member of the full committee, Mr. Thompson, is 
recognized for 5 minutes.
    Mr. Thompson. Thank you very much.
    Let me welcome you, Mr. Oberman, to the committee.
    There are a couple of questions I would like to get 
answered in my mind about Secure Flight. Would Secure Flight 
pick up a person with strong community roots but who is in a 
terrorist sleeper cell or would a person have to be a known 
terrorist in order for Secure Flight to pick him up?
    Mr. Oberman. Let me answer that this way: It will identify 
people who are known or suspected terrorists contained in the 
terrorist screening database, and it ought to be able to 
identify people who may not be on the watch list. It ought to 
be able to do that. We are not in a position today to say that 
it does, but we think it is absolutely critical that it be able 
to do that.
    And so we are conducting this test of commercially 
available data to get at that exact issue. Very difficult to 
do, generally. It is particularly difficult to do when you have 
a system that transports 1.8 million people a day on 30,000 
flights at 450 airports. That is a very high bar to get over.
    It is also very difficult to do with a threat described 
just like you described it, which is somebody who has sort of 
burrowed themselves into society and is not readily apparent to 
us when they are walking through the airport. And so I cannot 
stress enough how important we think it is that it be able to 
have that functionality. And that is precisely the reason we 
have been conducting this commercial data test, why we have 
extended the testing period and why we are very hopeful that 
the results will prove fruitful to us so that we can then come 
up here, brief them to you and explain to you why we need to 
include that in the system.
    Mr. Thompson. Well, since we have used Mr. Anderson as our 
person, what happens if a terrorist is traveling on stolen 
identity? How can this system pick that person up?
    Mr. Oberman. Again, it is a critical threat area that we 
are worried about and something that we are hopeful that the 
use of commercial data will be able to address. Right now if we 
take the names of passengers as they are provided to the 
carriers and we compare them to the watch list, we will 
generate matches.
    It happens dozens of times a day across the country in all 
modes of transportation, including aviation, today. That is a 
terrorist giving us an identity that is known to the 
government. But, as I said, it will not be adequate for an 
aviation pre-screening system in the United States if it relies 
only on information provided by the passenger. We do not think 
that is enough.
    And so the purpose of testing the use of commercial data is 
to see if we can attain that functionality. As I said, it is a 
very high bar to get over because of the complexities of our 
system, but we think it is just fundamental to our overall 
mission to secure the aviation system in the United States.
    Mr. Thompson. And I will follow up that line of questions, 
Mr. Chairman, with some additional questions for our witness, 
but I want to go to another point.
    It is my understanding that Carol DiBattiste, formerly of 
TSA, has been hired as ChoicePoint's chief privacy officer. Are 
you aware of that?
    Mr. Oberman. Yes.
    Mr. Thompson. But I am also told that there was a point in 
time that a contract had been offered to ChoicePoint through 
EagleForce Associates. Are you aware of any of this 
information?
    Mr. Oberman. It is not correct, Congressman. EagleForce is 
conducting a commercial data test on behalf of TSA and has 
contracted with three separate commercial data providers.
    Mr. Thompson. Is ChoicePoint one of them?
    Mr. Oberman. ChoicePoint is not one of them.
    Mr. Thompson. So ChoicePoint is not involved in it at all.
    Mr. Oberman. That is correct.
    Mr. Thompson. Well, I am glad to know that. Now, I have a 
letter that I sent to the Department in March of this year 
which has yet to be responded to. I will provide you with 
another copy of that letter in hopes of within the next 10 days 
we can get it responded to.
    Mr. Oberman. We will get it up here quicker than that.
    [Information follows:]

    [GRAPHIC] [TIFF OMITTED] T6959.001
    
    [GRAPHIC] [TIFF OMITTED] T6959.002
    
    [GRAPHIC] [TIFF OMITTED] T6959.003
    
    [GRAPHIC] [TIFF OMITTED] T6959.004
    
    Mr. Thompson. Thank you, Mr. Chairman.
    Mr. Lungren. The gentleman from California, Mr. Cox, is 
recognized for 5 minutes.
    Mr. Cox. Thank you, Mr. Chairman.
    I am sure you were here for the first panel and saw all 
that testimony, and everyone has to be very sympathetic with 
the plight of John B. Anderson. At least all of us in Congress 
know who John B. Anderson is and the fact that not only was he 
a member of the House of Representatives but a pretty well 
known at the time candidate for President of the United States.
    Do you believe that what happened to him when he tried to 
fly to Germany with former Members of Congress is likely to 
happen again if he chooses a different carrier next time?
    Mr. Oberman. I do not know, and the reason is every airline 
applies this cleared list in a slightly different manner.
    Mr. Cox. So since you do not know, the answer is it could 
happen again.
    Mr. Oberman. Yes, it could.
    Mr. Cox. What can we do to make sure that it does not or to 
ask the question more broadly, what can we do to make sure that 
this system learns? My understanding is that we have thousands 
of false matches every day and that a lot of John Andersons 
exist and these people then are going to extraordinary lengths 
to educate the system, at least in connection with their 
upcoming trip about why they are not the person that the system 
thinks they are. Having gone to those lengths, doesn't the 
traveler deserve to just do it that once?
    Mr. Oberman. We need to fully fund Secure Flight so that we 
can put in place a system--
    Mr. Cox. Yes, and I am all for Secure Flight, I hope it 
happens, but we have got a system in place right now.
    Mr. Oberman. Yes.
    Mr. Cox. Are you saying that it is absolutely incapable of 
learning?
    Mr. Oberman. I am not saying it is incapable of learning, 
but the issue is that the carriers are not as a matter of their 
first priority in the watch list checking business. And when we 
put someone on a cleared list, it is the same mechanics of 
checking names of people who are flying against names on a 
cleared list. And the problem is--
    Mr. Cox. But why do we have to keep doing it over and over 
and over again the same way so that the system does not learn 
anything? Every time that I show up at the airport, even if I 
have been there many, many times, the system thinks it is my 
first time.
    Mr. Oberman. Yes. The answer is that some carriers are 
working right now before Secure Flight is up and running on 
systems that I do not think remember is necessarily the 
priority, it is more that we can differentiate and know that 
this particular John B. Anderson is the former Member of 
Congress and presidential candidate and not the person that is 
on the watch list. And they are using other identifiers.
    Now, they do not have the date of birth currently, so some 
carriers are working on systems which, for example, would 
use the frequent flyer number. But it is the same premise that 
we are trying to get to under Secure Flight, which is to have 
additional identifiers to distinguish these passengers.
    And the issue is, from a TSA standpoint and I think also 
from a congressional standpoint, it is a matter of coaxing and 
urging and consulting with the air carriers to help them get 
there in what is admittedly a very difficult financial 
environment, while we are also asking them to make changes to 
their system to comply with Secure Flight.
    But I am aware of some carriers now who are trying to make 
their systems smarter so that they can distinguish between the 
John B. Anderson who may or may not have flown the day before 
but is already on the cleared list and the John B. Anderson 
that may in fact be on the terrorist watch list, and other 
identifiers are the way that they are doing it.
    Mr. Cox. So we are just leaving it to every air carrier to 
do their own thing and the TSA is not going to fix this 
problem.
    Mr. Oberman. TSA is not in a position under the current 
system to fix it in the way that you are describing, and that 
is because we issue security directives that require the 
carriers to use these lists. We have some specific requirements 
as to how they are supposed to run those lists, but that 
security directive does not come with a software package.
    Mr. Cox. You know, what happens then as a result is that 
the federal government, TSA included, is spending a whole lot 
of money looking at the wrong people. To the extent that we are 
looking at John B. Anderson as he goes again through the 
airport, definitionally we are wasting resources that should be 
focused on potential terrorists. So the fact that our system is 
incapable of learning is not only diverting our attention away 
from actual counterterrorism but it is wasting resources and 
taking us a step backwards. Those resources should be applied 
to finding real terrorists.
    The main job here since we are dealing with the domestic 
U.S. population has to be to reduce the size of the haystack. 
By and large, we can rest assured that 300 million Americans 
are not a problem and yet our system right now seems intent on 
increasingly drilling down into the population that we know is 
not the problem.
    In my own case, just in this town, with the same zip code, 
there is Chris Cox over at the White House and Legislative 
Affairs responsible for homeland security. There is Chris Cox 
who runs the NRA. My first name is Charles. There is a Charles 
Cox who in the Reagan administration was a Commissioner of the 
Securities and Exchange Commission.
    None of these people is me, but if we have a name-based 
system, we are going to make it very, very difficult on 
ourselves. We are going to make it a big time waster and a 
resource consumer when the real job is to look for terrorists 
who in the main are overseas people.
    The software that we are using of the National Tracking 
Center for international flights, trying to match passengers to 
lists, I was advised, worked an awful lot better with Anglo-
sized names than it does with foreign names. This name approach 
that we have got is not anywhere near to a system of unique 
identifiers that we are going to need. And I do hope that we 
can quickly remember what--get back to first principles and 
remember what this is supposed to be all about, which is 
finding terrorists.
    Let me just ask one final question and that is about the 
problem of screening of infants, which the chairman raised. 
TSA's view is that is not supposed to happen. Indeed, I think 
your guidance is do not automatically shunt to secondary 
screening anyone under 12; is that right?
    Mr. Oberman. Correct.
    Mr. Cox. Right now I cannot get a boarding pass in advance, 
I cannot print it out on my home computer or even at a kiosk, I 
do not believe, if I have been flagged for secondary screening 
according to the behavioral criteria; is that right?
    Mr. Oberman. Right.
    Mr. Cox. So what happens is I have to show up at the 
airport, and if I have got an infant in tow then what should 
happen from TSA's standpoint so that we do not keep having baby 
John Andersons go through this process?
    Mr. Oberman. Let me answer that, and I do want to just pick 
up on the other point you raised before the alarm there.
    You are correct in your understanding of how the procedures 
are supposed to work, and we are making additional changes, 
which are not finalized yet at TSA, some of which are 
classified in nature so I cannot discuss them in detail here, 
to further mitigate that problem, to give us more discretion so 
that we can move people through the airport faster. We can 
brief you about that in a secure setting, but we are making 
changes in response to some of these issues, literally, in the 
imminent future.
    Mr. Cox. I am very happy to hear that.
    Mr. Oberman. Okay. And then just with respect to the other 
issue, let me just make two points. I think, as I have said, 
you are starting to see the air carriers innovate to some 
extent. And, again, it is a very difficult environment for them 
to innovate given all the other challenges they face. And that 
is going to help this problem before we fully roll out Secure 
Flight. I think that is going to hopefully take off across the 
industry.
    The second thing, though, is we are applying state-of-the-
art technology at TSA to this problem, and you need two things. 
You need state-of-the-art technology, and so, you are right, 
CBP has the technology that is excellent, we are going to use 
that at the State Department the same way, the private sector 
as well, and we are going to put all that together and have a 
state-of-the-art matching system.
    The second thing, though, is we need to be able to have 
unique identifiers into the system, and we agree that a name-
based system is not adequate but we have to remember that the 
terrorist watch list starts with names, it goes to dates of 
birth and then the unique identifiers drop off. And so that is 
why Secure Flight will require full name and date of birth to 
mitigate so many of those false matches before the person ever 
gets to the airport.
    Mr. Cox. I am sorry, Mr. Oberman, just if you would answer 
the question about the baby John Anderson.
    Mr. Oberman. That is going to be addressed in the 
procedural changes that we are making.
    Mr. Cox. Oh, you have to address that in the classified 
setting.
    Mr. Oberman. That is correct.
    Mr. Cox. Thank you.
    Mr. Lungren. Mr. Dicks is recognized for 5 minutes.
    Mr. Dicks. Mr. Chairman, our staff put together a Secure 
Flight missed milestones. I just would like to put a copy of 
that in the record if that is possible.
    Mr. Lungren. I do not think there is any problem.
    Mr. Dicks. Let me just go forward. TSA is making progress--
this is a GAO report--in the development and testing of Secure 
Flight and is attempting to build in more rigorous processes 
than those used for CAPPS II. Specifically, TSA has drafted a 
number of key documents to assist in providing program 
oversight, including a draft concept of operations, a draft 
requirements document and a draft project schedule. However, 
TSA has not yet finalized these documents.
    Further, although TSA uses a working milestone chart to 
coordinate its many activities, key milestones for the Secure 
Flight Program have slipped. For example, the date when Secure 
Flight is expected to achieve initial operating capability with 
two air carriers slipped by about 4 months. TSA is also 
completing initial Secure Flight testing to determine data 
needs and system functions, which are basic to defining how 
Secure Flight will operate.
    However, key systems testing, including stress testing to 
verify that the entire system will function as intended in an 
operational environment, has not been completed, and we are now 
July almost.
    Further, although TSA expects to complete stress testing 
prior to initial operational development scheduled for August 
2005, it has not yet designed the procedures that we will use 
to conduct these tests.
    Until TSA finalizes key program documents and completes 
additional system testing, it is uncertain whether Secure 
Flight will perform as intended and whether it will be ready 
for initial operational deployment by August of 2005. What do 
you have to say about that? Is that all true? Is all that 
accurate?
    Mr. Oberman. No. Here is what I have to say, a few things. 
Firstly, several of those documents have subsequently been 
completed since the GAO report was issued in March, and we, as 
you know, have turned over hundreds of thousands of pages of 
documents and continue to do it on a daily basis with GAO. The 
concept of operations is done, for example.
    The second thing is we are in very serious jeopardy of 
missing our planned dates, because we do not have the funding 
we need to turn the program on.
    Mr. Dicks. Okay. Explain that.
    Mr. Oberman. Okay. I would be happy to.
    Mr. Dicks. Congress cut the money?
    Mr. Oberman. Yes.
    Mr. Dicks. How much did they cut?
    Mr. Oberman. In 2005, the President requested $60 million; 
we got $35 million. That is a 40 percent cut. In 2006, the 
President requested $81 million. The House mark is $66 million. 
That is a 20 percent cut. The Senate mark is $56 million. That 
is a 30 percent cut. We cannot make it go at those funding 
levels.
    And the reason for that is several-fold. Firstly, it is 
very costly to test and develop a system of this complexity 
that has to connect to 65 air carriers and run more than 1.8 
million transactions every day with no failure, including the 
day before Thanksgiving, Spring Break and so forth.
    The second thing is the costs associated with connecting to 
each individual carrier--
    Mr. Dicks. Is all that work being done by contractors?
    Mr. Oberman. It is being done by contractors and federal 
employees together.
    Mr. Dicks. Okay. Go ahead.
    Mr. Oberman. Okay. And so it is important that the way we 
spend the money is understood. The costs associated with 
connecting each individual carrier because of the vagaries in 
their systems and the differences in the way that United might 
add the passenger's date of birth compared to how American 
might do it is very costly. Okay? So that is number one.
    The second thing is the way we connect to an airline is a 
process that takes about 5 or 6 months per carrier, because a 
lot of that testing that GAO described has to be done once my 
regulation is issued, and I have got real--
    Mr. Dicks. None of it has been done yet.
    Mr. Oberman. A lot of testing has been done, and a lot of 
testing is still to be done.
    Mr. Dicks. Stress testing?
    Mr. Oberman. Yes, absolutely. We were able to run 2.7 
million records in a 24-hour period. One point eight million 
people fly daily; we beat that stress test. We have to run 31 
records a second. There are 28 records a second. We only run 31 
records a second. All of our stress tests we met those 
thresholds, but that was with test data from June of 2004 that 
was historical and in a lab.
    What GAO is referring to, which we fully concur with, is 
running a live test when I have actual passenger data coming in 
and I am really vetting it. That is considered a test and it 
has not begun yet, and what I cannot do is start the test, turn 
it off because I run out of money and try to turn it on again. 
It is a continuous incline to get every carrier connected. I am 
40 percent sure in 2005, and I need the President's budget 
funded.
    Mr. Dicks. Now, if you have the watch list, if you have the 
responsibility for doing the watch list, which you say you 
want, the Commission says you want, Congress has told you to 
do, you will have a better and more comprehensive list to use; 
isn't that correct?
    Mr. Oberman. That is correct.
    Mr. Dicks. Because one of the problems up to now is the 
lack of willingness of these intelligence agencies to share 
with the airline some of these names; isn't that true?
    Mr. Oberman. Yes. I am not sure it is a lack of 
willingness. I think that there are real legitimate--
    Mr. Dicks. Okay. Well, that means there is a lack of 
willingness.
    Mr. Oberman. We will have a bigger and more comprehensive 
watch list for Secure Flight.
    Mr. Dicks. So we should do better. You saw this story about 
the processing of passports in the New York Times today?
    Mr. Oberman. Yes.
    Mr. Dicks. I mean, that is pretty bad, isn't it? Doesn't 
that undermine your whole ability to do your job if passports 
are not properly issued?
    Mr. Oberman. It does not undermine my ability to do my job 
in the sense that I am focused on domestic passengers, and if 
somebody uses their passport as their travel document and 
submits me their full name and date of birth, as required under 
Secure Flight, I am using the full terrorist screening database 
to flag that person.
    Mr. Dicks. It says here, ``The names of more than 30 
fugitives, including 9 murder suspects and one person on the 
FBI investigations Most Wanted list did not trigger any warning 
in the test of the nation's passport processing system, federal 
auditors have found.''
    Mr. Oberman. I cannot speak to the details of that, because 
I am not responsible for the testing or administration of that. 
I just cannot speak to those specific details about those 
records and the names that were cleared.
    Mr. Dicks. Well, let me just say what they tell you. I 
think it is important for you to know. Maybe you can talk to 
Mr. Moss. We are certainly going to do that, I hope. The lapses 
occurred because passport applications are not routinely 
checked against comprehensive lists of wanted criminals and 
suspected terrorists, according to the report, which was 
provided to the New York Times by an official critical of the 
State Department who has access to it in advance. For example, 
one of the 67 suspects included in the test managed to get a 
passport 17 months after he was first placed on the FBI wanted 
list, the report said. I mean, that is not acceptable.
    Mr. Oberman. All I can say is that--
    Mr. Dicks. And I see people out there at the airport using 
their passport as their document to identify themselves, so 
that has got to be a problem.
    Mr. Oberman. All I can tell you is we have our hands full 
trying to get Secure Flight started. We are going to use the 
terrorist screening database of known or suspected terrorists 
from boarding domestic flights of the United States. I am not 
in a position to speak to those details.
    Mr. Dicks. All right. Thank you.
    Thank you, Mr. Chairman.
    Mr. Lungren. I hope it is not a sting program to bring them 
into the State Department.
    The gentlelady from Texas, Ms. Jackson-Lee, is recognized 
for 5 minutes.
    Ms. Jackson-Lee. I thank you.
    Thank the witness very much for his presence.
    I understand one of my colleagues raised this and raised it 
earlier, but I will raise it with you again with respect to the 
watch list. I believe it would be appropriate to pose it to 
you. What information can you give on the value or the results 
of the utilization of the watch list in terms of deterring a 
tragic terrorist act, arresting a terrorist, getting 
information about terrorism or terrorist cells? What is it that 
we can secure that shows the validity of this watch list as it 
is presently constructed?
    Mr. Oberman. I can discuss some of that. I think some of 
that information is more appropriate for classified setting, 
and I think much of that information is more appropriately 
provided by the Bureau and others.
    What I can tell you is that--
    Ms. Jackson-Lee. And if you would just yield for a moment.
    Mr. Chairman, I would, Ranking Member, appreciate that we 
have an opportunity for a classified briefing on some of these 
questions so that we can be both constructive and probative in our 
decision-making on this issue.
    Mr. Lungren. I thank the gentlelady for her suggestion, and 
Mr. Oberman has suggested that he would be available for that 
in his prior testimony, and I am sure we are going to take him 
up on that.
    Ms. Jackson-Lee. I appreciate it very much. And let me 
just, if you can take this other question so that as you 
answer, you can answer this as well.
    The enormous problem that we have is also a privacy 
question that we are all concerned about. I note on September 
21, 2004, TSA released Privacy Act notices for the Secure 
Flight data. These notices included a privacy impact 
assessment, system of records notice, et cetera. In the notice, 
TSA claimed several exemptions from Privacy Act requirements 
for the test. On June 22, TSA issued a revised privacy notice 
for Secure Flight that amends the scope of the system and 
clarifies and describes with greater particularity the 
categories of records and categories of individuals.
    Can you explain that dilemma or that different step? Can 
you also explain, as you answer this other question, this whole 
issue of behavior that the airlines use, and I consider it 
ineffective and whether it should be under their jurisdiction.
    And my last point is the training, which is off the point, 
but I just simply hope you convey this. We need to work with 
TSA and the training of your airline screeners. I just want to 
go on record on that. You have a deficit in the training and 
the style and the appropriateness. You have hardworking 
individuals there, let me acknowledge that on the record, but 
you have got a deficit, as I travel and many of my constituents 
travel, in the treatment that these individuals provide. We 
would like them to be the first-line defense, but we do not 
like them to attack a grandmother, suggesting that that person 
is a terrorist and their treatment acts accordingly.
    I yield to the gentleman.
    Mr. Oberman. Thank you. Let me try to take all four of 
those in turn if I could.
    Firstly, with respect to watch list effectiveness, what I 
can tell you is that today numerous U.S. government agencies 
are identifying known or suspected terrorist threats in and 
around the transportation system who would mean to do us harm. 
And that is happening in aviation and at border crossings and 
so forth, and it is of great concern to us, but of course we 
are very gratified that our systems are working to deter these 
people. And of course our capabilities under Secure Flight will 
be significantly improved. Of course, we need to be fully 
funded, I need to stress that again, so that we are able to 
stand up the system and be as effective as we need to be to 
secure domestic aviation in the United States.
    Secondly, with respect to privacy, let me reiterate that 
privacy is one of two goalposts for Secure Flight, the other of 
course being security. And that is a critical priority for us. 
This program is going to be as broad as anything the Department 
does. It will screen 1.8 million people flying domestically 
every single day in the United States. We need to be fully open 
and transparent with the American people and have total 
credibility with the American people to be able to effectively 
operate a system that is that broad.
    And so we did issue a series of documents in September, and 
we made some adjustments to those documents a week ago today, 
as you point out, to more fully and clearly reflect exactly 
what we have been doing during our test period so that it would 
be on record exactly the nature of the test.
    However, in addition to what is in the Federal Register, we 
have been up to brief congressional staff, committee staff. 
Numerous times we have given GAO literally hundreds of 
thousands of pages of documents and we have spent a lot of time 
with the media, the air carriers, the privacy groups and so 
forth so that, again, we have transparency and credibility with 
the American people. And the privacy documents, as I said, 
reflect that.
    Finally, let me just say that with respect to the existing 
CAPPS I system that you alluded to, we do think it retains some 
security benefits. We do think it is, at least initially, more 
effectively operated by the air carriers, as I think Mr. May 
alluded to in his testimony, and our focus at the moment is 
standing up the system whereby we are going to check passengers 
against the watch list, as required by the statute.
    Ms. Jackson-Lee. And the professionalism training?
    Mr. Oberman. I am not responsible for screener training at 
TSA--
    Ms. Jackson-Lee. I understand that.
    Mr. Oberman. --but I will take it back, absolutely.
    Ms. Jackson-Lee. I have some further questions on the 
privacy issue, and I hope we will have an opportunity to 
provide you that in writing. Thank you.
    Mr. Lungren. Time of the gentlelady has expired.
    Let me just mention that the document prepared by the 
minority staff of the committee entitled, ``Secure Flight's 
Missed Milestones,'' will be entered into the record in its 
entirety.
    Now the gentleman from Massachusetts is recognized for 5 
minutes.
    Mr. Markey. Thank you, Mr. Chairman. I understand that 
ChoicePoint will not be involved in the Secure Flight Program; 
is that correct?
    Mr. Oberman. Well, ChoicePoint is not involved in the test 
phase of the Secure Flight Program. We have not made any final 
decisions with respect to implementation. That will all be done 
in an open competitive process.
    Mr. Markey. Well, I believe that ChoicePoint's contract 
would represent a poor choice for American taxpayers given the 
company's recent involvement in a massive privacy breach that 
has enabled hundreds of ID thefts, and I think you should know 
that is how that decision would be viewed. The Pentagon 
recently confirmed that it had hired a Massachusetts company to 
protect personal information on potential recruits.
    Beyond the Secure Flight Program, does TSA currently have 
any contracts with ChoicePoint or LexisNexis?
    Mr. Oberman. I am not aware of any existing contracts with 
ChoicePoint. One of my contractors uses LexisNexis as a 
subcontractor but not for the provision of any data. We have 
some technology experts that help us with technology. We do not 
have any LexisNexis data.
    Mr. Markey. Do you have any relationships with any 
companies that have been involved in privacy breaches?
    Mr. Oberman. No.
    Mr. Markey. None. None. Is TSA in negotiation with 
ChoicePoint or LexisNexis or any company that has been involved 
in a privacy breach beyond the Secure Flight Program?
    Mr. Oberman. I am not aware of that, but it is obviously 
outside of my specific jurisdiction. I am not aware of any.
    Mr. Markey. Has TSA always conducted security review of all 
contractors that access personally identifiable information, 
such as passenger name records before entering into contracts 
with third parties?
    Mr. Oberman. Yes.
    Mr. Markey. Has TSA ever terminated a contract with a third 
party contractor because it failed to provide adequate security 
to prevent unauthorized access to passengers' personal 
information?
    Mr. Oberman. Not aware of that.
    Mr. Markey. You are not. As you know, TSA recently admitted 
it collected personally identifiable information, such as 
passenger names, addresses and credit card numbers as part of 
testing for the Secure Flight Program. TSA's admission came 
after it reportedly stated it would not do so.
    Given this retreat from its commitment to passenger 
privacy, why should this committee and the American flying 
public have any confidence that TSA will secure and safeguard 
passengers' private information when the Secure Flight Program 
is fully implemented?
    Mr. Oberman. I respectfully disagree with the 
characterization that we retreated or changed what we have 
done. I want to just take a minute to explain that.
    We developed a methodology for how this commercial data 
test would work in December, and from that point forward we 
have provided every document that we have generated and every 
document that our contractor has provided to GAO and in often 
cases directly to this committee and to other committees in the 
Congress. We have also fully discussed what that test would be 
with the media, the air carriers, privacy groups and so forth.
    What we did in our most recent privacy notice was expand 
and clarify the discussion of commercial data testing that were 
in the documents that were issued in September. The September 
documents discuss our use of commercial data, and the June 
documents are designed to expand what was issued in September 
to reflect everything that was briefed between December and the 
current day.
    And so there was no retreat or change. In fact, we are not 
making any changes to the manner in which the test is being 
conducted, because we do not need to. We just had to expand and 
clarify those existing documents, which is what we have done, 
and also I think it is important to note we have not taken any 
action against any passengers.
    This was all using historical information from June of 2004 
that we used our regulatory authority to collect and it is 
simply a test and it is being used to generate results, by the 
way, which are not yet conclusive, and so we decided to extend 
our test period so we can get better information.
    Mr. Markey. I mean, I will just again for the record make 
it clear that privacy groups in America disagree with your 
assessment of the role that TSA is playing in protecting that 
information.
    On May 20, I sent a letter to Secretary Chertoff along with 
Mr. Thompson and Ms. Sanchez regarding the Department's 
inability to check the names of international passengers 
against terror watch lists prior to departure of the flight to 
the United States. We have not yet received a letter in 
response to our letter.
    Mr. Oberman, I believe our policy should actually be 
called, ``no wheels up until the watch list has been checked 
off.'' What we have had as a policy is, ``fly now and we will 
check the list later when the plane is in mid-air heading for 
the United States.'' When will the Department give us an answer 
to our question?
    Mr. Oberman. I do not know, sir, but I will take that back 
and find out. That is the responsibility of Customs and Border 
Protection, and I will reach out to my colleagues today and 
find out.
    Mr. Markey. So TSA has no role in that?
    Mr. Oberman. That is correct.
    Mr. Markey. Okay. So I would appreciate it if you could get 
us an answer. It is now a month and I think a month is a long 
time in homeland security terms to get an answer to such a 
question. We had two planes coming into Boston that both had to 
be diverted to Maine a month ago with people on board whose 
final security clearance actually had not been completed. And 
you just cannot have a system where potential terrorists are 
already on board and the final checks are now being completed 
back on land. It is just absolutely unacceptable, and TSA has a 
responsibility to get us this answer along with the entire Bush 
administration.
    And, finally, could I ask him one final question? Any 
relation?
    Mr. Oberman. To?
    Mr. Markey. The famous Oberman?
    Mr. Oberman. There are several famous Obermans.
    Mr. Markey. Oh, there are?
    Mr. Oberman. Which are you referring to?
    Mr. Markey. That have television shows on MSNBC.
    Mr. Oberman. Oh, it is spelled a little differently.
    Mr. Markey. Oh, it is?
    Mr. Oberman. Yes.
    Mr. Markey. Oh, okay.
    Mr. Oberman. He has got an L and a couple extra N's, I 
think.
    Mr. Markey. Okay. Who was the famous Oberman that spells 
their name like you?
    Mr. Oberman. My dad is a politician--
    Mr. Markey. He is proud of you. He is very proud of you.
    Mr. Oberman. He is more infamous than famous, but I was not 
sure if that is who you were referring to.
    Mr. Markey. Okay. Thank you. Thank you.
    Mr. Lungren. A Chicago politician.
    Mr. Oberman. That is right.
    Mr. Lungren. The gentleman from Oregon is recognized for 5 
minutes.
    Mr. DeFazio. Thank you, Mr. Chairman. I regret I was unable 
to hear the early questions. I was in the highway conference, 
which may or may not be coming to a conclusion soon.
    If I could revisit the CAPPS I issues. When I was able to 
be here, one person testified CAPPS I had continuing value, 
another witness said it does not since it has all been on the 
front page of the USA Today. We know exactly what the criteria 
are, these terrorists are not casual people or people who may--
they spent a lot of time planning the original attacks. It is 
likely they would have read USA Today, they visit Web sites, 
they would know what the criteria are.
    Do you think that CAPPS I has continuing value, and if so, 
why?
    Mr. Oberman. I do think it has continuing value, and the 
reason is that all of the criteria are not publicly known. So 
there are criteria that are still in use today that we think do 
provide a security benefit to identify passengers for further 
scrutiny, and we have made adjustments to the system directed 
at some of the criteria that are more publicly known that have 
dropped the selectee rates for CAPPS I significantly over the 
last 3 to 6 months.
    Mr. DeFazio. So why wouldn't we just drop all the ones that 
are publicly known then, because some of those are ones that 
trip up business travelers. For instance, you know, you bought 
a ticket within 24 hours. Okay, well, what business traveler 
has not done that how many times this year?
    Mr. Oberman. I would like to answer that question in a 
classified setting because it does not lend itself to a very 
simple yes or no answer with respect to how we would do that.
    Mr. Lungren. If the gentleman would yield, while he was 
gone we talked about having a classified briefing on a number 
of elements that they are changing.
    Mr. DeFazio. Great. Okay. Well, I would look forward to an 
explanation of that.
    Let me ask this: We had another witness question the 
validity of the Trusted Traveler, as it is currently 
envisioned, and what the real benefits would be. Is a potential 
benefit of Trusted Traveler that if one were targeted under one 
of these CAPPS I criteria as a trusted traveler, a previous 
witness from TSA said you would look at the potential for 
waiving certain requirements of people, whether it is shoes or 
overcoats or laptops. Would it also be considered if someone 
was SSS by CAPPS I but they also had the Trusted Traveler card? 
Which one would trump?
    Mr. Oberman. Today, participants for Registered Traveler 
are exempted from selectee screening if they are selected by 
CAPPS I. That is already in place today.
    Mr. DeFazio. Okay. So you would envision that would--you 
have not had a problem or concern about that?
    Mr. Oberman. No.
    Mr. DeFazio. Okay. Well, I think the rest of my questions 
are really going to lend themselves to the classified portion.
    When are we going to do that, Mr. Chairman, sometime soon, 
after the break or something?
    Mr. Lungren. Well, we will do it as soon as we can schedule 
it.
    Mr. DeFazio. Okay. Great.
    Thank you, Mr. Chairman.
    Mr. Lungren. Just a couple questions, Mr. Oberman. I would 
like us to be more explicit on the record as to the need for 
commercial database queries. As I understand what you were 
saying, when you have the watch list, if we have the full name 
and the birth date, that will take us down 60 percent of those 
who would otherwise be checked against the watch list. Then, as 
you say, your personal identifiers drop off rather 
significantly.
    So as I understand it, that is when in addition to other 
sorts of classified data you might have, you would then utilize 
certain commercial databases as a way for determining whether 
the person who is standing there at the airport is in fact a 
person of real interest on the terrorist group; is that 
correct?
    Mr. Oberman. Yes.
    Mr. Lungren. And you are still in the testing phase of 
that?
    Mr. Oberman. That is correct. In fact, we have just 
recently extended the test period, because we do not have 
conclusive results. They are very promising but they are not 
conclusive enough for us to be able to say this is exactly the 
way we would like to proceed, here is what it would cost and so 
forth. We are still testing.
    Mr. Lungren. As I understand it, you would propose if you 
really rolled out the program that you would not own or retain 
the information from the commercial databases but rather you 
would be involved in a contractual situation where you would 
query these to find out positives or negatives in terms of the 
responses that you would wish to get.
    Mr. Oberman. That is correct, and we would go one step 
further than that, which is we would destroy and discard all 
that information after the trip is completed. Do not need to 
retain any of it in our system at all.
    Mr. Lungren. What about information that in fact cleared 
this person, tells you this person should not be on the watch 
list? You would get rid of the information that was utilized to 
do that but somehow you would identify that person thereafter 
as not being on the watch list?
    Mr. Oberman. Yes. The way the system is structured is we 
are going to retain the so-called vetting history, which says 
that Ms. Smith was cleared. What I do not want to retain is any 
commercial available data because I am not going to use it for 
any further purpose. By virtue of having that vetting history, 
when the same Smith comes through the next day, I will know 
that that person was already in fact cleared. Assuming they 
have not been added to the watch list, they will be cleared 
again to fly, and they should not continue to be hassled.
    In addition to that, some people will obviously go through 
the redress process in which they submit identifying documents 
to TSA, we place them on a cleared list, and we will be able to 
administer that cleared list much more effectively than the 
carriers do today because we will be the only entity running 
the cleared list, and it will not matter to us what air carrier 
you are on. So those two features of the system will provide 
significant further reductions in the number of people stopped 
at the airport.
    Mr. Lungren. So you are reducing that haystack we keep 
talking about.
    Mr. Oberman. By a great deal.
    Mr. Lungren. I thank you very much. I thank you for your 
testimony.
    Mr. DeFazio. Could I have one--
    Mr. Lungren. Yes.
    Mr. DeFazio. Thank you, Mr. Chairman.
    Earlier, the issue of the overseas travelers was brought up 
and the potential problems with the diversion of flights and 
that. And there were concerns raised about the logistical 
problems with early check-in or late check-in or whatever. I 
mean, to come to the United States of America or leave the 
United States of America or any other country, as far as I 
know, you have got to have a passport when you show up at the 
airport, right? And the ticket agent is going to look at your 
passport and then let you have the ticket. So they are going to 
see your passport, they are going to see the number, they are 
going to then transmit, I guess, that data to us at the 
airport.
    Why couldn't we simply negotiate or try and negotiate with 
other countries that people when they make--this would get you 
down to a very small universe, which is people who fly 
internationally who book their ticket less than an hour in 
advance. If you said when you book your ticket you are going to 
have to give your passport information and then it will be 
provided to us as much as 6 months in advance, a month in 
advance, whatever, however long in advance that person made the 
reservation. Why wouldn't that work?
    Mr. Oberman. Short answer is, I do not know why it would 
not work. It very well could. We are not responsible at TSA for 
vetting international flights which have unique attributes. All 
I would tell you is that I think that is something that Customs 
and the carriers are working on. I cannot--
    Mr. DeFazio. Right.
    Mr. Oberman. --speak to it beyond that, but of course that 
is the approach and maybe it is easier, although I do not feel 
like I have an easy job right now. That is of course the 
approach we are using for Secure Flight domestically, which is 
you will provide your full name and date of birth at the time 
you book your ticket. We are not going to look at your 
reservation until 3 days before because the watch list can 
change so much. And then between 72 hours and an hour or 
something before departure, that data will stream into TSA, be 
vetted, will provide results to the air carriers, notify the 
Bureau if there is a hit and start it again the next day.
    Mr. DeFazio. Right. Well, I was involved in some of the 
discussions with the Europeans on the current system from the 
Aviation Committee during the last session of Congress. They 
had these huge privacy concerns about the data fields we 
wanted.
    Mr. Oberman. Yes.
    Mr. DeFazio. But there was never, as far as I know, any 
denial on their part that if that person is going to leave, 
say, Belgium or France and fly to the United States they have 
to have a passport to get on the plane. So I do not think that 
would go to their privacy concerns. I do not remember that it 
was raised at the time, because we had a whole other field of 
things that we were arguing over in terms of what disclosure 
would have to be made at the time of booking a ticket or at the 
time of embarkation in Europe.
    But this seems to me fairly simple. I mean, if it is a 
document you have to have to get on the plane, then you have 
probably got it when you book your ticket, and if that 
information is provided then, we would get down to this really 
infinitesimal universe of people who are going to come here, 
buy an international ticket at the counter an hour before the 
plane leaves and that raises other questions about who that 
person is.
    Mr. Oberman. I will be happy to take that back to Customs. 
That is easily done.
    Mr. DeFazio. Okay. Thank you.
    Thank you, Mr. Chairman.
    Mr. Lungren. I thank you.
    I thank you, Mr. Oberman, for your testimony, as I thank 
all the witnesses in the previous panel.
    The members of the committee may have some additional 
questions for you, and we will ask if you would respond to them 
in writing. The hearing record will be held open for 10 days.
    And without objection, the committee stands adjourned.
    [Whereupon, at 12:32 p.m., the subcommittee was adjourned.]