[Senate Hearing 109-461]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 109-461

 
                      THE TRANSPORTATION SECURITY 
   ADMINISTRATION'S AVIATION PASSENGER PRESCREENING PROGRAMS: SECURE 
                     FLIGHT AND REGISTERED TRAVELER

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                               __________

                            FEBRUARY 9, 2006

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation



                    U.S. GOVERNMENT PRINTING OFFICE
27-562                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001


       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                       ONE HUNDRED NINTH CONGRESS

                             SECOND SESSION

                     TED STEVENS, Alaska, Chairman
JOHN McCAIN, Arizona                 DANIEL K. INOUYE, Hawaii, Co-
CONRAD BURNS, Montana                    Chairman
TRENT LOTT, Mississippi              JOHN D. ROCKEFELLER IV, West 
KAY BAILEY HUTCHISON, Texas              Virginia
OLYMPIA J. SNOWE, Maine              JOHN F. KERRY, Massachusetts
GORDON H. SMITH, Oregon              BYRON L. DORGAN, North Dakota
JOHN ENSIGN, Nevada                  BARBARA BOXER, California
GEORGE ALLEN, Virginia               BILL NELSON, Florida
JOHN E. SUNUNU, New Hampshire        MARIA CANTWELL, Washington
JIM DeMINT, South Carolina           FRANK R. LAUTENBERG, New Jersey
DAVID VITTER, Louisiana              E. BENJAMIN NELSON, Nebraska
                                     MARK PRYOR, Arkansas
             Lisa J. Sutherland, Republican Staff Director
        Christine Drager Kurth, Republican Deputy Staff Director
             Kenneth R. Nahigian, Republican Chief Counsel
   Margaret L. Cummisky, Democratic Staff Director and Chief Counsel
   Samuel E. Whitehorn, Democratic Deputy Staff Director and General 
                                Counsel
             Lila Harper Helms, Democratic Policy Director


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on February 9, 2006.................................     1
Statement of Senator Burns.......................................    41
Statement of Senator Inouye......................................     1
Statement of Senator Lautenberg..................................     3
Statement of Senator Lott........................................     2
Statement of Senator E. Benjamin Nelson..........................     4
Statement of Senator Stevens.....................................     5
    Prepared statement...........................................     5

                               Witnesses

Barclay, Charles, President, American Association of Airport 
  Executives.....................................................    47
    Prepared statement...........................................    49
Berrick, Cathleen A., Director, Homeland Security and Justice 
  Issues, U.S. Government Accountability Office..................    11
    Prepared statement...........................................    12
Connors, Bill, Executive Director and Chief Operating Officer, 
  National Business Travel Association...........................    71
    Prepared statement...........................................    72
Hawley, Hon. Edmund ``Kip'', Assistant Secretary, Transportation 
  Security Administration........................................     6
    Prepared statement...........................................     7
May, James C., President and CEO, Air Transport Association of 
  America, Inc...................................................    43
    Prepared statement...........................................    44
Sparapani, Timothy D., Legislative Counsel, American Civil 
  Liberties Union................................................    58
    Prepared statement...........................................    59

                                Appendix

Mitchell, Kevin P., Chairman, Business Travel Coalition, prepared 
  statement......................................................    87
Response to Written Questions Submitted by Hon. Ted Stevens to:
    Cathleen A. Berrick..........................................    92
    Hon. Edmund ``Kip'' Hawley...................................    92
Smith, Hon. Gordon H., U.S. Senator from Oregon, prepared 
  statement......................................................    87
Sudeikis, CTC, Kathryn W., President, American Society of Travel 
  Agents, letter, dated February 21, 2006, to Hon. Ted Stevens...    91


                      THE TRANSPORTATION SECURITY 
   ADMINISTRATION'S AVIATION PASSENGER PRESCREENING PROGRAMS: SECURE 
                     FLIGHT AND REGISTERED TRAVELER

                              ----------                              


                       THURSDAY, FEBRUARY 9, 2006

                                       U.S. Senate,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:05 a.m. in 
room SD-562, Dirksen Senate Office Building, Hon. Ted Stevens, 
Chairman of the Committee, presiding.

          OPENING STATEMENT OF HON. DANIEL K. INOUYE, 
                    U.S. SENATOR FROM HAWAII

    Senator Inouye. The Chairman of this Committee is presently 
presiding at the U.S. Senate in his capacity as President pro 
tempore, so he sends his regrets he cannot be with you.
    The TSA has spent hundreds of millions of dollars on Secure 
Flight, Registered Traveler, and other airline passenger 
prescreening programs, yet we have been told that there are few 
tangible improvements in security to show for this investment.
    With respect to Secure Flight, Congress outlined specific 
privacy, security, and spending requirements for the agency to 
meet before moving forward with the program. Despite the TSA's 
assurances that it would be operational within the year, Secure 
Flight has yet to be implemented.
    The Registered Traveler Program has experienced similar 
setbacks. The Nation's air carriers have begun to call into 
question the necessity of the program. Others have raised 
concerns about the impact of the program on existing airport 
screening systems, and have questioned whether or not the 
program will produce an equitable and more secure program.
    To date, no one at the TSA has taken responsibility for 
this, and the lapses have squandered scarce public resources 
and delayed important security improvements. These programs 
make sense, in theory, and we know that related technology is 
available. But will the traveling public ever realize the 
stated benefits? So, we need a far more candid and honest 
assessment than we have received thus far, and I look forward 
to hearing from Mr. Hawley about his next course of action.
    But before I call upon you, sir, Senator Lott?

                 STATEMENT OF HON. TRENT LOTT, 
                 U.S. SENATOR FROM MISSISSIPPI

    Senator Lott. Thank you, Senator Inouye--``Co-Chairman,'' I 
believe is the way we describe your title on this Committee. 
It's a real pleasure to see the way you and Senator Stevens 
work together. I think it's in the best interest of the Senate, 
and I wish more people would follow your example.
    Thank you for being here this morning. I'm looking forward 
to hearing the witnesses' testimony we have before us now, and 
hopefully even the next panel, even though I do have an 
Intelligence Committee hearing I must attend. And so, I thank 
all of you for being here, and I will review your statements 
that you have.
    You know, I'm quite often quick to be critical, and I have 
certainly been critical many, many times, and with lots of 
justification, of the TSA. But I think, Mr. Hawley, that you're 
trying to get it turned around. I see some small signs of a 
little common sense kicking in. Not a lot. But that's the way 
it works in the Federal Government. Even if you get good, 
strong leadership at the top, it doesn't seem to always get all 
the way down to the people on the ground, or to the gate, in 
the case of the airlines. But you've taken some criticism for 
the new screening procedures and changes to the prohibited-
items list, and I want to make it clear, I think you did the 
right thing. I think you still haven't done enough. I don't 
know how many of my little pen knives I'm going to have 
confiscated, but I lost another one this past weekend. So, I 
just buy 'em by the dozen now.
    [Laughter.]
    Senator Lott. I do realize this is a serious threat to 
airlines, but I've gone from the black ones to the white ones, 
so I've got plenty of them.
    But you made some little small change. I mean, you've got 
all my little scissors. If you could just send them in a big 
box, I could probably use them. But you're trying to do the 
right thing, and I want you to know that I appreciate it. I 
appreciate your attitude. And I appreciate the fact that you 
did something to begin to bring some modicum of common sense to 
the gates.
    Let me make just a couple of more points, then go to your 
testimony.
    I do want to make it clear that I'm absolutely opposed to 
the Administration's suggestion to increase passenger security 
fees again. Congress rejected it last year. We're going to 
reject it this year. Why waste your time, your breath, to 
suggest such a thing? Because the airlines have got enough 
problems without that being added to it. Plus, I don't think 
you need more money. I don't think TSA needs more money. You 
need to do a better job with what you have. The budget request 
for 2007 is 4.607 billion. So, I think you need to find ways to 
do a better job with less money.
    And part of it is to quit fumbling around with things and 
make a decision, make it happen. How long do you--look, I could 
come over with a pencil and a napkin and design a program for 
the Registered Traveler Program. At least you're trying to make 
it work, but--I think--but now you've got milestones you've got 
to meet, and we may be able to get it in place by June. You get 
no awards for that. What's wrong with April? What's wrong with 
next week? Get on with it. Because it's--it wastes time and 
energy and money, and I don't understand why it should be so 
hard to do that.
    Now, I guess the argument is going to be, from you and some 
people, ``Well, we're getting pushback because of privacy 
advocation concerns.'' Forget that. If people don't want to 
divulge their private information for this voluntary program, 
fine, they don't get in it. I don't understand what people are 
trying to hide. Get on with this.
    And that's part of the problem, overall. I mean, you--the 
Secure Flight thing, we've been messing around with the CAPPS 
II and Secure Flight for 4 years, 200--between 200 and 300 
million. Do something, even if it's wrong. And part of the 
problem, for instance, with regard to this--the registered 
flyer program is, industry officials really don't think you're 
dedicated to moving the program forward; you really don't want 
to do it, for some reason. I don't know what it is. I don't 
know if they know what it is. But enough money spent, let's get 
some action. And we want to help you every way we can, and not 
be an impediment and a pain in your neck. I only call you and 
scream at you from BWI once a year.
    [Laughter.]
    Senator Lott. So--but it could increase.
    But we want you to succeed, because it's very important 
work you do. We want secure flights, but we want some common 
sense applied in how people are screened and what the 
conditions are for flying. Let's do some of these programs, or 
forget them, but quit fumbling around with them.
    Thank you for the opportunity to ventilate a little bit, 
Mr. Co-Chairman, and I'll look forward to hearing the 
testimony.
    Senator Inouye. Thank you very much.
    Senator Lautenberg?

            STATEMENT OF HON. FRANK R. LAUTENBERG, 
                  U.S. SENATOR FROM NEW JERSEY

    Senator Lautenberg. Yes, thanks very much, Mr. Chairman.
    And I guess that's wishful thinking. But to Senator Lott, 
talking about the confiscation of that weapon he's carrying 
there, the fact of the matter is that I think this was 
originally a scheme by the scissor manufacturers to make sure 
that there was always an opportunity to replace them. But in 
any event, the nuisance side of things is really just a plain 
pain in the neck, and we've seen that, now, scissors aren't the 
weapon that they were intended to be. I'd trade in your knife 
for a pair of scissors. I think that's probably the best way. 
But the fact is that we've got to get on with securing our 
aviation system and to make it more secure for passengers.
    My state lost 700 people in 9/11. Many people in New Jersey 
could see the flames and smoke at the World Trade Center from 
their homes and offices. And I was a Commissioner of the Port 
Authority before I came here; we had offices in the Trade 
Center. My home in New Jersey is right across the river from 
where the World Trade Center was. The absence of those two 
towers is obvious. The towers can be replaced, but the pain 
felt by the families can never be dealt with appropriately.
    After 9/11, we realized that our aviation system was not as 
safe and secure as it needs to be. We learned that some of the 
hijackers were known terrorists who never should have been 
allowed to board a commercial flight. And that's why this 
Committee created the Transportation Security Administration, 
and why we continue to oversee its activities.
    We must be certain that the American people, neighbors and 
our families, can travel safely. Considering the importance of 
this mission, I share the words of Senator Inouye, and say that 
I'm disappointed by the Administration's lack of progress in 
securing our transportation systems. Most of TSA's resources 
have been directed toward aviation security. And when it comes 
to aviation, it would seem that TSA's top priority should be to 
know when a suspected terrorist, or at least someone on the 
list, is attempting to board an airplane. And this fact was 
highlighted a few months ago when a man at Newark Airport got 
on a plane without even holding a valid ticket. He had taken a 
printed fare estimate that he got at the airline ticket 
counter, and used it, along with his ID, to board an airplane. 
If he had been a terrorist, we might not have known until it 
was too late. This lapse by both the airline and TSA highlights 
the importance of prescreening passengers, weeding out the few 
suspected threats from the millions of travelers that move each 
day.
    Now, I'd like to see a working passenger prescreening 
program that properly and efficiently matches passenger names 
with the suspected terrorist list. But this seems to be more of 
a challenge for TSA than anticipated.
    And as for the Registered Traveler Program, those of us who 
fly frequently would very much like a way to speed the process 
up for the kind of frequent flyers, as we call them. I don't 
mean to say that those who spend the most money ought to get 
the best attention, but the fact is that those who travel 
frequently by air are easier to identify, and we ought to get 
on with doing that.
    So, Mr. Chairman, this is a timely hearing. I look forward 
to hearing from our witnesses and hope that we can see some 
progress pretty soon.
    The Chairman. [presiding] Senator Nelson, do you have an 
opening comment?

             STATEMENT OF HON. E. BENJAMIN NELSON, 
                   U.S. SENATOR FROM NEBRASKA

    Senator Ben Nelson. Mr. Chairman, thank you very much.
    Just one observation. Going through an airport recently, I 
found that there were two lines. There was a line for those who 
flew first class and those who flew non-first class. Two 
different lines going through the same security screening 
process. Since I think we all pay the same amount for the 
screening process, I couldn't understand the distinction 
between first-class lines to get through and the others. I can 
understand getting--riding in the--flying in the front of the 
plane, but I couldn't understand that. And so, I'd like Mr. 
Hawley to be thinking about that before we get to the 
questions.
    Thank you very much. And I appreciate also having this 
opportunity for this hearing.
    The Chairman. Thank you very much.

            OPENING STATEMENT OF HON. TED STEVENS, 
                    U.S. SENATOR FROM ALASKA

    The Chairman. I apologize for being late. I was in the 
Chair of the Senate. My relief was a little tied up in traffic.
    I think we should all recognize this is a first in a series 
of hearings on aviation security. The next hearing will be on 
March 9th, when we continue the evaluation of the airline 
passenger screening programs and examine the physical screening 
of airline passengers and their baggage.
    The purpose of today's hearing is to examine two of TSA's 
commercial aviation passenger screening programs, Secure Flight 
and Registered Traveler. The emphasis on today's discussion I 
hope will be to review the policy and management issues that 
have prevented TSA from launching these programs, to determine 
the future of the programs.
    I do support the Administration's efforts to secure all 
modes of transportation, as well as any program that yields a 
significant security benefit to Americans, comparative to the 
cost of developing and operating the program. The programs at 
issue today have been in development now for 4 years, and, for 
various reasons, have not yet come to fruition.
    The Committee is going to seek answers from the witnesses 
here today regarding the cost of Secure Flight and the 
Registered Traveler Program and the necessity and viability of 
the programs, and the timetables related to them.
    I'm going to print the rest of my statement in the record.
    [The prepared statement of Senator Stevens follows:]

    Prepared Statement of Hon. Ted Stevens, U.S. Senator from Alaska
    We welcome the witnesses who will appear before the Committee 
today, and thank them for their willingness to participate in this 
hearing.
    Today represents the first in a series of hearings that the 
Committee will hold on aviation security. On March 9th, the Committee 
will continue its evaluation of TSA airline passenger screening 
programs, and examine the physical screening of airline passengers and 
their baggage. That hearing also will deal with screening technology, 
screener workforce issues, and TSA procurement processes.
    The purpose of today's hearing, however, is to examine two of TSA's 
commercial aviation passenger pre-screening programs, Secure Flight and 
Registered Traveler. The emphasis of today's discussion will be to 
review policy and management issues that have prevented TSA from 
launching these programs, and to determine the future of the programs.
    I support the Administration's efforts to secure all modes of 
transportation, as well as any program that yields a significant 
security benefit to Americans comparative to the cost of developing and 
operating the program. But the programs at issue today have been in 
development for four years and, for various reasons, have yet to come 
to fruition.
    The Committee will seek answers from the witnesses regarding the 
costs associated with Secure Flight and Registered Traveler, the 
necessity and viability of the programs, and the timetables for their 
launch. The Committee also will examine the impediments that have 
caused delays, including privacy concerns, and even Congressionally 
imposed hurdles.
    I look forward to a constructive dialogue with the witnesses.

    The Chairman. We're pleased to recognize the first panel: 
Edmund ``Kip'' Hawley, the Assistant Secretary for 
Transportation Security, and Cathleen Berrick, who's the 
Director of Homeland Security and Justice for GAO.
    We'll call on you first, Kip. Thank you for your statement.
    Your statements will be printed in the record in full. We 
appreciate the extent to which you can really reduce them down 
to approximately 5 minutes.

STATEMENT OF HON. EDMUND `` KIP '' HAWLEY, ASSISTANT SECRETARY, 
             TRANSPORTATION SECURITY ADMINISTRATION

    Mr. Hawley. Good morning, Mr. Chairman, Co-Chairman Inouye, 
Members of the Committee. Thank you for the opportunity to 
discuss Secure Flight and the Registered Traveler Programs.
    In December's hearing, we discussed the 14 layers of 
protection now in place for cockpits and passenger cabins, and 
our view of the current risk environment. These layers range 
from measures the government takes overseas to preempt attacks 
to the security measures in place on the aircraft itself. 
Today, I'm here to assist the Committee in considering 
activities toward the middle of the 14 layers, passenger 
prescreening.
    Passenger prescreening can be broken down into three parts:
    One, identify known terrorists and prevent them from 
getting near the aircraft. This is the role of watch-list-
matching, which is now done by airlines and will be transferred 
to the Government under Secure Flight.
    Second is to identify behaviors common to terrorists whose 
names we don't know, and give them additional screening. This 
is the role of the computer-assisted passenger prescreening, or 
CAPPS, process.
    Third is to identify people who do not pose a threat to 
aviation security, so that we do not expend valuable security 
resources unnecessarily. This is the role of Registered 
Traveler.
    Secure Flight is the most important of these, and also the 
one requiring the most management attention. I'll focus my 
opening remarks on Secure Flight.
    The effort to improve terrorist watch-list screening, first 
through CAPPS II and subsequently under Secure Flight, was, and 
is, a complicated task. Despite sincere and dedicated efforts 
by TSA, there has been an undercurrent of concern from outside 
stakeholders really from the beginning. Over the past 4 years, 
many concerns have been raised and addressed, but Secure Flight 
continues to be a source of frustration.
    Congress recognized these issues when it included special 
certification requirements for the Secure Flight Program in 
recent appropriations acts, and we appreciate GAO's efforts to 
provide a comprehensive review of the Secure Flight Program.
    We are in the process of making changes to how TSA 
operates, aligned with Secretary Chertoff 's risk-based 
strategy for the Department. I've previously shared with you 
our overall strategy, organization changes that support that 
strategy, and in December we reviewed some of the operational 
steps that are now in action.
    As part of this continuing review, I asked TSA's 
Information Technology Office to conduct IT system security 
audits of all TSA credentialing and vetting programs. This 
review, which includes Secure Flight, is ongoing, but I believe 
it is safe to say that many of the same issues identified by 
GAO are also highlighted by this more detailed review.
    Rather than address any identified weakness on its own, I 
have directed that the Secure Flight IT systems go through the 
comprehensive recertification process pursuant to the Federal 
Information Security Management Act, FISMA, requirements. This 
action and the others we're taking, I believe, is compatible 
with GAO's suggestions that we rebaseline the program and 
ensure that we use technology-development best practices in 
management, security, and operations. While the Secure Flight 
regulation is being developed, this is the time to ensure that 
Secure Flight's security, operational, and privacy foundation 
is solid.
    We will move forward with the Secure Flight Program as 
expeditiously as possible, but in view of our need to establish 
trust with all of our stakeholders on the security and privacy 
of our systems and data, my priority is to ensure that we do it 
right, and not just do it quickly.
    When I appeared before the Committee during the 
confirmation process, I said that I believe programs like 
Secure Flight should be built from a strong privacy foundation 
as a starting point, as opposed to building it and then adding 
privacy. The approach I just outlined will accomplish that. 
Security and privacy are necessary ingredients of each other, 
and not opposite ends of the spectrum. TSA will approach all of 
its programs with that in mind.
    On Registered Traveler, I will just say that it will be 
market-driven and offered by the private sector. TSA's 
principal requirements are that, one, it pays its own way, and, 
two, does not diminish security. We are fully aware that 
terrorists may attempt to exploit Registered Traveler Program 
benefits, and the program is designed to thwart those efforts.
    On November 3, 2005, I outlined the path forward for 
Registered Traveler. We are on track, having met the milestones 
established for January 20th. Depending on the pace of our 
market-driven private-industry partners, TSA expects to be 
ready to begin screening Registered Traveler Program applicants 
by mid-June.
    Mr. Chairman, I look forward to working with you and the 
Committee.
    Thank you.
    [The prepared statement of Mr. Hawley follows:]

Prepared Statement of Hon. Edmund ``Kip'' Hawley, Assistant Secretary, 
                 Transportation Security Administration

    Good morning Mr. Chairman, Co-Chairman Inouye, and Members of the 
Committee. I am pleased to have the opportunity to appear before you 
today on behalf of the Transportation Security Administration (TSA) to 
discuss non-physical security screening programs. As requested, my 
testimony will focus on the Secure Flight and Registered Traveler 
programs, two promising programs that can play an important role in our 
comprehensive, multi-layered aviation security network.
    Last fall, before this Committee, I shared the key principles that 
are guiding the work and priorities of TSA. Secure Flight and 
Registered Traveler are rooted in two of these principles: using risk/
value analysis to make investment and operational decisions, and making 
the best possible use of coordinated interagency intelligence and 
information.
    Secure Flight will enhance our ability to identify known or 
suspected terrorists before they attempt to pass through the airport 
security checkpoint. It builds upon the work of the law enforcement and 
intelligence agencies who provide the information necessary to 
prescreen passengers, and recognizes that our strongest defense against 
terrorism is to detect terrorists before an attempt to attack.
    Registered Traveler focuses on people at the other end of the 
threat spectrum. It is intended to enable people who are not considered 
threats to aviation security to move more quickly through the security 
process. The program is expected to reduce the time and resources that 
must be devoted to screening such individuals at the airport screening 
checkpoint, allowing TSA to focus more attention and resources on 
people we know less about and who may pose a greater threat to aviation 
security.

Secure Flight
    Computerized screening of airline passengers predates the creation 
of TSA. The Computer-Assisted Passenger Prescreening System (CAPPS), a 
joint effort by airlines and the Federal Government, has been used to 
screen passengers since the mid-1990s. The CAPPS program uses an 
algorithm that draws upon information in passenger name records (PNRs) 
to determine whether a passenger and his or her property should receive 
a higher level of security screening prior to boarding an aircraft.
    The Aviation and Transportation Security Act (ATSA) (Pub. L. 107-
71), which created TSA, mandated that computerized passenger 
prescreening continue on an expanded basis. Since 9/11, we have added 
more comprehensive computerized pre-screening measures and enhanced 
CAPPS processing rules. Today, airlines must also compare passenger 
names to the names on two consolidated Federal Government watch lists 
known as the No-Fly and Selectee lists. These watch lists are the 
product of an on-going interagency effort, and are maintained by the 
Terrorist Screening Center, a multi-agency center administered by the 
Federal Bureau of Investigation (FBI). TSA continues to work closely 
with the Terrorist Screening Center to ensure that the watch lists are 
accurate and comprehensive. In addition, TSA maintains a list of 
individuals who have a similar name to someone on the watch list, but 
who have already been distinguished from that person through TSA's 
redress process. These lists are made available to air carriers on a 
daily basis for use in carrying out the watch list matching function.
    When an air carrier finds a passenger with a name on the Selectee 
list, the carrier must identify that passenger to TSA for enhanced 
screening at the checkpoint. When an air carrier finds a passenger has 
a name identical or similar to a name on the No-Fly list, the carrier 
must contact TSA in order to verify whether the passenger is actually 
the individual of interest to the government. If it is determined that 
the passenger is in fact the individual named on the No-Fly list, the 
carrier is prohibited from transporting that passenger and may contact 
law enforcement. As there are no children on the watch list, TSA 
permits airlines to deselect children under 12 without contacting TSA. 
TSA runs a 24-hour/7-day watch center to coordinate the resolution of 
issues related to watch list matches and other operational matters.
    As recommended by the 9/11 Commission and mandated by the 
Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) (Pub. 
L. 108-458), TSA is taking steps to assume the passenger watch list 
matching function from the airlines through the Secure Flight program. 
The CAPPS screening function will remain with the airlines.
    Under Secure Flight, the watch list screening process will 
generally occur prior to an individual's arrival at the airport, unless 
he or she makes a reservation or changes a flight upon arrival at the 
airport. Rather than transmitting watch lists to air carriers, under 
Secure Flight, air carriers will transmit passenger names and a limited 
amount of additional identifying data for flights within the United 
States to a central data processing unit. Passenger names will be 
compared to names on the consolidated watch lists, as well as a list of 
individuals who have already been distinguished from persons on the 
watch lists through the redress process.
    Similar to current practice, if an individual is confirmed as a 
match to the Selectee list, TSA will notify the appropriate air 
carrier, who is then required to take steps to identify the individual 
as a selectee so that TSA Transportation Security Officers can apply 
enhanced screening to the individual and his or her property at the 
checkpoint. If TSC confirms a match to the No-Fly list, TSA will notify 
the air carrier to refuse to issue the passenger a boarding pass. The 
Terrorist Screening Center will assist in the match confirmation 
process and may notify other agencies to initiate an operational 
response to the match, if appropriate.
    We expect that watch list screening under Secure Flight will offer 
significant improvements in security, efficiency and the passenger 
experience. It should be noted that any individual who is identified as 
``No-Fly'' by a government agency is not allowed to board an aircraft 
under the system in operation today. Nevertheless, security will be 
enhanced by vetting passengers against the expanded watch lists 
produced by the TSC, instead of the more limited lists TSA currently 
transmits to carriers. Further, by moving the watch list screening 
process within the Federal Government, comparisons will be made using a 
single system, rather than the multiple matching programs now utilized 
by individual airlines.
    Additionally, we believe the Secure Flight system will reduce the 
number of passengers who are misidentified as an individual on the 
watch list. By incorporating a limited amount of additional passenger 
information in the comparison process and by offering tighter 
integration with TSA's redress process, we expect Secure Flight to more 
easily and accurately distinguish passengers with similar names from 
those on the watch list. TSA fully appreciates the frustration of 
passengers facing this false positive match issue, and we are working 
diligently to reduce the inconvenience these passengers experience. As 
part of this effort, TSA's Office of Transportation Security Redress 
will implement a redress process that will permit passengers who are 
delayed or prohibited from boarding a flight to appeal and correct 
erroneous information. The Office will work in consultation with 
stakeholders and companion offices including the TSA Office of Civil 
Rights and the DHS Officer for Civil Rights and Civil Liberties in 
implementing this process.
    I also want to assure the Committee that we are fully committed to 
protecting passenger privacy with the deployment of Secure Flight by 
incorporating privacy protection features into the system design. We 
will follow both the letter and intent of the Privacy Act, and we will 
continue to design, develop, and deploy Secure Flight in consultation 
with TSA and DHS Privacy Officers and privacy advocates.
    TSA is pursuing a phased development and deployment approach to 
Secure Flight. Initial development and testing of the Secure Flight 
matching application is nearing completion. In September and November 
of 2004, we published a number of documents necessary to begin testing 
the Secure Flight matching application, including a Privacy Act System 
of Records Notice (SORN) and a Privacy Impact Assessment (PIA). Testing 
of the matching application using historical Passenger Name Records was 
successful. Development and testing of TSA communication links to the 
Terrorist Screening Center and Customs and Border Protection (CBP), 
through which we intend to connect to the airlines, as well as fine-
tuning of the matching application, will continue through the next 
phase of Secure Flight's development.
    In addition to application testing, TSA conducted a separate test 
to determine whether the use of additional data sources produced by 
commercial data aggregators could be used to identify potentially 
inaccurate or incomplete passenger data and add an additional layer of 
security in passenger prescreening. As a result of those tests, 
commercial data analysis will not be included in the operational 
deployment of Secure Flight.
    During the next phase, we will undertake operational testing of 
Secure Flight by connecting with several airline partners and vetting 
passenger information in real time. During this phase, participating 
air carriers will be required to continue screening passenger names 
against the watch lists that are provided to them. We are currently in 
the process of drafting the necessary regulatory documents to implement 
operational testing, including the System of Records Notice (SORN) and 
Privacy Impact Assessment (PIA) for Secure Flight. Once this regulatory 
process is concluded, operational testing will begin.
    Based on the operational tests, TSA will make adjustments to the 
systems and operations as necessary, and prepare for the phased 
deployment of Secure Flight. As you may be aware, the Department of 
Homeland Security Appropriations Act, 2006 (Pub. L. 109-90), prohibits 
TSA from expending funds to deploy Secure Flight until the Secretary of 
Homeland Security certifies, and the Government Accountability Office 
(GAO) reports, that all ten of the elements contained in Section 522 of 
the Department of Homeland Security Appropriations Act, 2005 (Pub. L. 
108-334), have been met.
    We appreciate GAO's efforts to provide a comprehensive review of 
the Secure Flight program, especially in light of the difficulties in 
reviewing a complex program that is still under development. TSA 
intends to make the required certification after completion of 
operational testing, and will fully cooperate with GAO as it completes 
its review of Secure Flight within the 90-day post-certification 
reporting deadline. We are confident that Secure Flight will meet all 
Congressional requirements for implementation.

Registered Traveler
    The Aviation and Transportation Security Act (ATSA) also directed 
TSA to explore options for expedited travel at airports for people who 
do not pose, and are not suspected of posing, a security threat.
    Registered Traveler Pilot programs were initiated in five airports 
on a staggered basis during the summer of 2004. In partnership with 
Northwest Airlines, United Airlines, Continental, and American 
Airlines, TSA established pilot programs at Minneapolis-St. Paul (MSP), 
Los Angeles (LAX), Houston Intercontinental (IAH), Boston (BOS), and 
Ronald Reagan Washington National (DCA). Each of the five pilot 
programs enrolled approximately 2,000 people, who were invited to 
participate by the airlines from among their very frequent fliers. 
Participation was limited to U.S. citizens, nationals, and lawful 
permanent residents, and was entirely voluntary. Participants in these 
TSA run pilot programs were not charged a fee. The five initial pilots 
ended in September 2005.
    In June 2005, TSA initiated a sub-pilot program at Orlando 
International Airport (MCO) to test the feasibility of using a public-
private partnership model for the program. The sub-pilot also tests the 
willingness of the public to pay a fee to participate in a Registered 
Traveler Program. In the Orlando sub-pilot, participants pay an annual 
fee of $80. Approximately 13,000 passengers have enrolled in the sub-
pilot, which is still in operation.
    The results of the pilot programs were positive. Tests of biometric 
identity verification and smart card technology demonstrated that the 
technology performs accurately and rapidly under airport operational 
conditions. Furthermore, based upon the results of the Orlando sub-
pilot, we concluded that the public will accept the participation of 
private companies in the Registered Traveler program and that a fee-
based program can attract participants.
    In keeping with Congressional direction and consistent with the 
results of the pilot and sub-pilot programs, Registered Traveler 
programs will be market-driven, and offered by the private sector. 
Individual participation in a Registered Traveler program will be 
entirely voluntary, with prices established by the private sector 
providers.
    On November 3, 2005, I shared with Congress an aggressive schedule 
for the development and implementation of interoperable Registered 
Traveler programs nationwide. On December 15, TSA issued a Request for 
Information to assist in the identification of one or more business 
models for the program that will meet the requirements for nationwide 
interoperability, sustainability through user fees, and scalable 
operations. Responses were due to TSA on January 20, 2006. Based on 
initial responses, TSA sought additional comments and extended the 
response deadline to January 30.
    Also on January 20, TSA provided guidance to the industry regarding 
the collection of biometrics and their storage on Registered Traveler 
smart cards, as well as information regarding the process for seeking 
redress of an unfavorable eligibility or revocation decision.
    Biometrics will be collected and stored in accordance with already 
existing standards, including Federal Technical Implementation Guidance 
on smart cards and the American National Standards Institute/
International Committee for Information Technology Standards (ANSI/
INCITS) standards for biometrics. Participants will be expected to 
provide images of all ten fingerprints at enrollment, with necessary 
accommodations for physical limitations. Templates of two or more 
fingerprints will be stored on smart cards for identity verification at 
security checkpoint kiosks. Registered Traveler program requirements 
will be harmonized with the DHS-State Department P.A.S.S. System 
(People, Access, Security, Service), the credentialing effort recently 
announced by Secretaries Chertoff and Rice, and other government-
sponsored travel facilitation programs, as they are developed.
    Redress matters will be handled by TSA's Office of Transportation 
Security Redress until the consolidated traveler screening redress 
process envisioned by the Rice-Chertoff initiative is developed and 
implemented. As part of the redress process, applicants pursuing an 
appeal may be asked to provide additional information and documents for 
necessary processing. Applicants will receive the results of their 
appeal in writing. All Registered Traveler data will be handled in 
compliance with the Privacy Act.
    Finally, we announced that TSA intends to mandate a core security 
assessment for each applicant to a Registered Traveler program. If 
providers undertake more in-depth security background checks, TSA will 
authorize a variety of enhanced or time-saving participant benefits at 
passenger screening checkpoints. Participants may receive significant 
efficiency benefits over what exists today, if additional security is 
added by a more thorough threat assessment. Registered Traveler will 
also include ongoing checks of participants to ensure that TSA is 
notified of potentially disqualifying information available after the 
initial threat assessment. Furthermore, if Registered Traveler 
providers wish to make investments in approved screening equipment, 
fund additional screeners, and/or obtain space for separate Registered 
Traveler screening, then TSA is prepared to authorize the use of 
dedicated screening lanes or alternative screening locations for 
participants.
    We are fully aware and expect that terrorists may seek to exploit 
Registered Traveler program benefits, and we are working to design a 
program to thwart those efforts. Therefore, program benefits can be 
expected to change from time to time in order to make it difficult for 
terrorists to anticipate our security activities. In addition, TSA will 
not exempt Registered Traveler participants entirely from random 
selection for secondary screening.
    By late April, TSA expects to select an entity to certify service 
providers and manage compliance, and will begin issuing necessary 
amendments to Airport Security Plans to establish requirements for 
identity verification providers. The period for parties to submit plans 
for achieving interoperability of Registered Traveler programs will 
also close at that time. TSA plans to be ready to begin screening 
Registered Traveler program applicants in mid-June, provided that our 
private industry partners have successfully enrolled applicants by that 
time.

Conclusion
    TSA's mission is to protect the Nation's transportation systems 
while facilitating the movement of people and commerce. Both Secure 
Flight and Registered Traveler can enhance our aviation security 
network, and we look forward to working with the Committee to implement 
these promising programs.
    Thank you again for the opportunity to testify today. I will be 
pleased to respond to questions.

    The Chairman. Thank you very much.
    Our next witness is Ms. Berrick.

          STATEMENT OF CATHLEEN A. BERRICK, DIRECTOR, 
          HOMELAND SECURITY AND JUSTICE ISSUES, U.S. 
                GOVERNMENT ACCOUNTABILITY OFFICE

    Ms. Berrick. Thank you, Mr. Chairman, Co-Chairman Inouye, 
and Members of the Committee, for inviting me to discuss the 
development of Secure Flight, a program designed to identify 
domestic passengers who should be denied boarding or who should 
undergo additional security scrutiny prior to boarding a 
flight.
    My testimony today focuses on the development and oversight 
of Secure Flight, TSA's coordination with key stakeholders that 
are critical to the program's success, and TSA's efforts to 
protect passenger rights and privacy.
    Overall, our work has found that TSA faces significant 
challenges in implementing Secure Flight, that the system is at 
risk of not meeting program goals. We've found that TSA has not 
conducted critical activities consistent with best practices 
for large-scale IT systems. TSA has also not followed their own 
established systems development process for Secure Flight. For 
example, officials declared the design phase of Secure Flight 
complete before fully defining system requirements. As a 
result, it's not clear what Secure Flight capabilities will be 
delivered when, and at what cost, and it has been difficult to 
measure the extent of progress on this program.
    We also found that TSA has collaborated with key 
stakeholders whose participation is essential to support Secure 
Flight, and we are encouraged by these efforts. However, these 
stakeholders have stated that they need more definitive 
information from TSA about Secure Flight requirements in order 
to be able to support the program.
    TSA has also begun coordinating with other DHS people-
screening programs in order to achieve efficiencies and 
commonality; however, it remains unknown what changes, if any, 
will be made to Secure Flight or the prescreening process as a 
result of these efforts.
    We also found that TSA must still make key policy decisions 
that will significantly influence program effectiveness, 
including what passenger data TSA will require air carriers to 
provide.
    Finally, Secure Flight's requirements documentation does 
not fully explain how passenger privacy protections will be 
met, and TSA has not yet issued privacy notices that describe 
how it will protect passenger data for an operational system. 
As a result, it's not possible for us to fully assess how TSA 
is addressing privacy concerns.
    Since we last reported on Secure Flight, in March of 2005, 
TSA has made some progress in all of these areas, including 
conducting further system testing and working to establish 
connectivity needed to make the system operate. As Assistant 
Secretary Hawley just mentioned, TSA has also recently taken 
additional steps to instill more discipline into the 
development of Secure Flight, including hiring a program 
manager with information-systems credentials and rebaselining 
the program to more fully defined requirements and establish 
milestones and cost estimates. We believe that these activities 
are critical, and must be completed before Secure Flight is 
positioned, so that informed investment decisions can be made 
about this program.
    Mr. Chairman, this concludes my opening statement. I would 
be happy to respond to any questions at the appropriate time.
    [The prepared statement of Ms. Berrick follows:]

Prepared Statement of Cathleen A. Berrick, Director, Homeland Security 
       and Justice Issues, U.S. Government Accountability Office
    Mr. Chairman and Members of the Committee:

    Thank you for inviting me to participate in today's hearing on the 
Transportation Security Administration's (TSA) Secure Flight program. 
The purpose of Secure Flight is to enable our government to protect the 
public and strengthen aviation security by identifying and scrutinizing 
individuals suspected of having ties to terrorism, or who may otherwise 
pose a threat to aviation, in order to prevent them from boarding 
commercial aircraft in the United States, if warranted, or by 
subjecting them to additional security scrutiny prior to boarding an 
aircraft. The program also aims to reduce the number of individuals 
unnecessarily selected for secondary screening while protecting 
passengers' privacy and civil liberties. My testimony today presents 
information on the progress TSA has made and the challenges it faces in 
(1) developing, managing, and overseeing the Secure Flight program; (2) 
coordinating with Federal and private sector stakeholders who will play 
critical roles in Secure Flight operations; (3) addressing key factors 
that will impact system effectiveness; and (4) minimizing program 
impacts on passenger privacy and protecting passenger rights.
    My testimony is based on our past reviews of the Secure Flight 
program, and on preliminary results from our ongoing review of 10 
issues related to the development and implementation of Secure Flight, 
as mandated by Public Law 109-90, and as requested by eight 
congressional committees. \1\ (See app. 1 for a description of the 10 
issues.) My testimony today updates information presented in our March 
2005 report on the status of Secure Flight's development and 
implementation, \2\ including 9 of the 10 areas of congressional 
interest. \3\ In March 2005, we reported that TSA had made progress in 
developing and testing Secure Flight, but had not completed key system 
testing, had not finalized system requirements or determined how 
certain aspects of the program would operate (such as the basis on 
which passengers would be selected for preflight scrutiny), and had not 
clearly defined the privacy impacts of the program. At the time, we 
recommended that TSA take several actions to manage the risks 
associated with developing and implementing Secure Flight, including 
finalizing system requirements and test plans, privacy and redress 
requirements, and program cost estimates.
    Today, I present information that suggests that, 3 years after TSA 
began developing a program to provide passenger prescreening, 
significant challenges remain in developing and implementing the Secure 
Flight program. The results I am presenting are based on our review of 
available documentation on Secure Flight's systems development and 
oversight, policies governing program operations, and our past reports 
on the program, and interviews with Department of Homeland Security 
(DHS) officials, TSA program officials and their contractors, and other 
Federal officials who are key stakeholders in the Secure Flight 
program. We reviewed TSA's System Development Life Cycle Guidance for 
developing information technology systems, and other Federal reports 
describing best practices in developing and acquiring these systems. We 
also reviewed draft TSA documents containing information on the 
development and testing of Secure Flight, including concept of 
operations, requirements, test plans, and test results. My testimony is 
based on TSA documents received, but does not necessarily reflect all 
documentation that was only recently made available. In addition to the 
TSA documents we have reviewed, we also reviewed reports from the U.S. 
Department of Justice Office of the Inspector General (DOJ-OIG), which 
reviewed the Secure Flight program, and reports from two oversight 
groups that provided advisory recommendations for Secure Flight: DHS's 
Privacy and Data Integrity Advisory Committee and TSA's Aviation 
Security Advisory Committee Secure Flight Working Group. We interviewed 
senior-level TSA officials, including representatives from the Office 
of Transportation Threat Analysis and Credentialing, which is 
responsible for Secure Flight, and the Office of Transportation 
Security Redress (OTSR), to obtain information on Secure Flight's 
planning, development, testing, and policy decisions. We also 
interviewed representatives from the U.S. Customs and Border Protection 
(CBP) and Terrorist Screening Center (TSC) \4\ to obtain information 
about stakeholder coordination. We also interviewed officials from an 
air carrier and representatives from aviation trade organizations 
regarding issues related to Secure Flight's development and 
implementation. In addition, we attended conferences on name-matching 
technologies sponsored by MITRE (a federally funded research and 
development corporation) and the Office of the Director of National 
Intelligence. Our work was conducted from April 2005 to February 2006 
in accordance with generally accepted government auditing standards.

Summary
    In developing and managing the Secure Flight program, TSA has not 
conducted critical activities in accordance with best practices for 
large-scale information technology programs. Specifically, TSA has not 
followed a disciplined life cycle approach in developing Secure Flight, 
in which all phases of the project are defined by a series of orderly 
phases and the development of related documentation. Program officials 
stated that they have instead used a rapid development method that was 
intended to enable them to develop the program more quickly. However, 
as a result of this approach, the development process has been ad hoc, 
with project activities conducted out of sequence. For example, program 
officials declared the design phase complete before requirements for 
designing Secure Flight had been detailed. Our evaluations of major 
Federal information technology programs, and research by others, has 
shown that following a disciplined life cycle management process 
decreases the risks associated with acquiring systems. As part of the 
life cycle process, TSA must define and document Secure Flight's 
requirements--including how Secure Flight is to function and perform, 
the data needed for the system to function, how various systems 
interconnect, and how system security is achieved. We found that Secure 
Flight's requirements documentation contained contradictory and missing 
information. TSA officials have acknowledged that they have not 
followed a disciplined life cycle approach in developing Secure Flight, 
and stated that they are currently rebaselining the program to follow 
their standard Systems Development Life cycle process, including 
defining system requirements. We also found that while TSA has taken 
steps to implement an information security management program for 
protecting Secure Flight information and assets, its efforts are 
incomplete, based on Federal standards and industry best practices. 
Without a completed system security program, Secure Flight may not be 
adequately protected against unauthorized access and use or disruption, 
once the program becomes operational. Finally, TSA is proceeding with 
Secure Flight development without an effective program management plan 
that contains current program schedules and cost estimates. TSA 
officials stated they have not maintained an updated schedule in part 
because the agency has not yet promulgated a necessary regulation 
requiring commercial air carriers to submit certain passenger data 
needed to operate Secure Flight, and air carrier responses to this 
regulation can impact when Secure Flight will be operational and at 
what cost. While we recognize that program unknowns introduce 
uncertainty into the program-planning process, uncertainty is a 
practical reality in planning all programs and is not a reason for not 
developing plans, including cost and schedule estimates that reflect 
known and unknown aspects of the program. Further, several oversight 
reviews of the program have been conducted and raise questions about 
program management, including the lack of fully defined requirements. 
TSA has recently taken actions that recognize the need to instill more 
rigor and discipline into the development and management of Secure 
Flight, including hiring a program manager with information systems 
program management credentials, and more completely defining system 
requirements and a program management plan, including the development 
of schedules and cost estimates.
    TSA has taken steps to collaborate with Secure Flight stakeholders 
whose participation is essential to ensuring that passenger and 
terrorist watch list data are collected and transmitted for Secure 
Flight operations, but additional information and testing are needed to 
enable stakeholders to provide the necessary support for the program. 
TSA has, for example, drafted policy and technical guidance to help 
inform air carriers of their Secure Flight responsibilities, and has 
begun receiving feedback from the air carriers on this information. TSA 
is also in the early stages of coordinating with U.S. Customs and 
Border Protection and the Federal Terrorist Screening Center on broader 
issues of integration and interoperability related to other people-
screening programs used by the government to combat terrorism. In 
addition, TSA has conducted preliminary network connectivity testing 
between TSA and Federal stakeholders to determine, for example, how 
information will be transmitted from CBP to TSA and back. However, 
these tests used only dummy data, and were conducted in a controlled 
environment, rather than in a real-world operational environment. 
According to CBP, without real data, it is not possible to conduct 
stress testing to determine if the system can handle the volume of data 
traffic that will be required by Secure Flight. TSA acknowledged it has 
not determined what the real data volume requirements will be, and 
cannot do so until the regulation for air carriers has been issued and 
their data management role has been finalized. All key program 
stakeholders also stated that additional information is needed before 
they can finalize their plans to support Secure Flight operations. A 
TSC official stated, for example, that until TSA provides estimates of 
the volume of potential name matches that TSC will be required to 
screen, TSC cannot make decisions about required resources. Also, 
ongoing coordination of prescreening and name-matching initiatives with 
CBP and TSC can impact how Secure Flight is implemented.
    In addition to collaborating with stakeholders, TSA has, over the 
past 11 months, made some progress in evaluating factors that could 
influence system effectiveness. However, several activities are under 
way, or are to be decided, that will also affect Secure Flight's 
effectiveness, including operational testing to provide information 
about Secure Flight's ability to function. TSA has been testing name-
matching technologies to determine what type of passenger data will be 
needed to match against terrorist watch list data. These tests have 
been conducted thus far in a controlled, rather than real-world 
environment, using historical data, but additional testing is needed to 
learn more about how these technologies will perform in an operational 
environment. In addition, due to program delays, TSA has not yet 
conducted comprehensive end-to-end testing to verify that the entire 
system functions as intended, although it had planned to do so last 
summer. TSA also has not yet conducted stress testing to determine how 
the system will handle peak data volumes. In addition, TSA has not made 
key policy decisions for determining the passenger information that air 
carriers will be required to collect, the name-matching technologies 
that will be used to vet passenger names against terrorist watch list 
data; and thresholds that will be set to determine the relative volume 
of passengers who are to be identified as potential matches against the 
database. TSA plans to finalize decisions on these factors as system 
development progresses. However, until these decisions are made, data 
requirements will remain unsettled and key stakeholders--in particular, 
air carriers--will not have the information they need to assess and 
plan for needed changes to their systems to interface with Secure 
Flight. On the issue of data quality and accuracy, while the 
completeness and accuracy of data contained in the government's 
terrorist screening database can never be certain--given the varying 
quality of intelligence information gathered, and changes in this 
information over time--TSC has established some processes to help 
ensure the quality of these data. However, in a review of the TSC's 
role in Secure Flight, the Department of Justice Office of Inspector 
General found that TSC could not ensure that the information contained 
in its databases was complete or accurate. According to a TSC official, 
TSA and TSC plan to enter into a letter of agreement that will describe 
the data elements from the terrorist-screening database, among other 
things, to be used for Secure Flight. To address accuracy, TSA and TSC 
plan to work together to identify false positives--passengers 
inappropriately matched against data contained in the terrorist-
screening database--by using intelligence analysts to monitor the 
accuracy of data matches. An additional factor that could impact the 
effectiveness of Secure Flight in identifying known or suspected 
terrorists is the system's inability to identify passengers who assume 
the identity of another individual by committing identity theft, or who 
use false identifying information. Secure Flight is neither intended to 
nor designed to address these vulnerabilities.
    Because Secure Flight's system development documentation does not 
fully address how passenger privacy protections are to be met, it is 
not possible to assess potential system impacts on individual privacy 
protections. The Privacy Act and the Fair Information Practices--a set 
of internationally recognized privacy principles that underlie the 
Privacy Act--limit the collection, use, and disclosure of personal 
information by Federal agencies. TSA officials have stated that they 
are committed to meeting the requirements of the Privacy Act and the 
Fair Information Practices. However, it is not yet evident how this 
will be accomplished because TSA has not decided what passenger data 
elements it plans to collect, or how such data will be provided by 
stakeholders. Further, TSA is in the process of developing but has not 
issued the systems of records notice, which is required by the Privacy 
Act, or the privacy impact assessment, which is required by the E-
Government Act, that would describe how TSA will protect passenger data 
once Secure Flight becomes operational. Moreover, privacy requirements 
were not incorporated into the Secure Flight system development process 
in a manner that would explain whether personal information will be 
collected and maintained in the system in a manner that complies with 
privacy and security requirements. In our review of Secure Flight's 
system requirements, we found that privacy concerns were broadly 
defined in functional requirements documentation, which states that the 
Privacy Act must be considered in developing the system. However, these 
broad functional requirements have not been translated into specific 
system requirements. TSA officials stated that they are completing work 
on integrating privacy and requirements into the Secure Flight system 
as the program is being developed, and that new privacy notices will be 
issued in conjunction with a forthcoming regulation prior to proceeding 
with the system's initial operating capability. Until TSA finalizes 
these requirements and notices, however, privacy protections and 
impacts cannot be assessed. TSA is also determining how it will meet a 
congressional mandate that the Secure Flight program include a process 
whereby aviation passengers determined to pose a threat to aviation 
security may appeal that determination and correct erroneous 
information contained within the prescreening system. According to TSA 
officials, no final decisions have been made regarding how TSA will 
address the redress requirements, but information on the process will 
be contained within the privacy notices released in conjunction with 
the forthcoming regulation.

Background
    TSA is responsible for securing all modes of transportation while 
facilitating commerce and the freedom of movement for the traveling 
public. Passenger prescreening is one program among many that TSA uses 
to secure the domestic aviation sector. The process of prescreening 
passengers--that is, determining whether airline passengers might pose 
a security risk before they reach the passenger-screening checkpoint--
is used to focus security efforts on those passengers that represent 
the greatest potential threat. Currently, U.S. air carriers conduct 
passenger prescreening by comparing passenger names against government-
supplied terrorist watch lists and applying the Computer-Assisted 
Passenger Prescreening System rules, known as CAPPS rules. \5\

Development of Legacy Passenger Prescreening Systems
    Following the events of September 11, and in accordance with the 
requirement set forth in the Aviation and Transportation Security Act 
that a computer-assisted passenger prescreening system be used to 
evaluate all passengers before they board an aircraft, \6\ TSA 
established the Office of National Risk Assessment to develop and 
maintain a capability to prescreen passengers in an effort to protect 
U.S. transportation systems and the public against potential 
terrorists. In March 2003, this office began developing the second-
generation computer-assisted passenger prescreening system, known as 
CAPPS II, to provide improvements over the current prescreening 
process, and to screen all passengers flying into, out of, and within 
the United States.
    Based in part on concerns about privacy and other issues expressed 
by us and others, DHS canceled the development of CAPPS II in August 
2004 and shortly thereafter announced that it planned to develop a new 
passenger prescreening program called Secure Flight. In contrast to 
CAPPS II, Secure Flight, among other changes, will only prescreen 
passengers flying domestically within the United States, rather than 
passengers flying into and out of the United States. Also, the CAPPS 
rules will not be implemented as part of Secure Flight, but rather the 
rules will continue to be applied by commercial air carriers. Secure 
Flight will operate on the Transportation Vetting Platform (TVP) \7\--
the underlying infrastructure (hardware and software) to support the 
Secure Flight application, including security, commonality, and data 
management; and, is to perform the functions associated with receiving, 
vetting, and returning requests related to the determination of whether 
passengers are on government watch lists. This application is also to 
be configurable--meaning that it can be quickly adjusted to reflect 
changes to workflow parameters. Aspects of Secure Flight are currently 
undergoing development and testing, and policy decisions regarding the 
operations of the program have not been finalized. \8\

Overview of Secure Flight Operations
    As currently envisioned, under Secure Flight, when a passenger 
makes flight arrangements, the organization accepting the reservation, 
such as the air carrier's reservation office or a travel agent, will 
enter passenger name record (PNR) information obtained from the 
passenger, which will then be stored in the air carrier's reservation 
system. \9\ While the government will be asking for only portions of 
the PNR, the PNR data can include the passenger's name, phone number, 
number of bags, seat number, and form of payment, among other 
information. Approximately 72 hours prior to the flight, portions of 
the passenger data contained in the PNR will be sent to Secure Flight 
through a network connection provided by DHS's CBP. Reservations or 
changes to reservations that are made less than 72 hours prior to 
flight time will be sent immediately to TSA through CBP.
    Upon receipt of passenger data, TSA plans to process the passenger 
data through the Secure Flight application running on the TVP. During 
this process, Secure Flight is to determine if the passenger data match 
the data extracted daily from TSC's Terrorist Screening Database 
(TSDB)--the information consolidated by TSC from terrorist watch lists 
to provide government screeners with a unified set of terrorist-related 
information. In addition, TSA will screen against its own watch list 
composed of individuals who do not have a nexus to terrorism but who 
may pose a threat to aviation security. \10\
    In order to match passenger data to information contained in the 
TSDB, TSC plans to provide TSA with an extract of the TSDB for use in 
Secure Flight, and provide updates as they occur. This TSDB subset will 
include all individuals classified as either selectees (individuals who 
are selected for additional security measures prior to boarding an 
aircraft) or no-flys (individuals who will be denied boarding unless 
they are cleared by law enforcement personnel). \11\ To perform the 
match, Secure Flight is to compare the passenger, TSDB, and other watch 
list data using automated name-matching technologies. When a possible 
match is generated, TSA and potentially TSC analysts will conduct a 
manual review comparing additional law enforcement and other government 
information with passenger data to determine if the person can be ruled 
out as a possible match. TSA is to return the matching results to the 
air carriers through CBP. Figure 1 illustrates how Secure Flight is 
intended to operate.



   a. Information about confirmed no-flies and certain selectees are 
     shared with appropriate Federal agencies which coordinate the 
                 appropriate law enforcement response.

    As shown in figure 1, when the passenger checks in for the flight 
at the airport, the passenger is to receive a level of screening based 
on his or her designated category. A cleared passenger is to be 
provided a boarding pass and allowed to proceed to the screening 
checkpoint in the normal manner. A selectee passenger is to receive 
additional security scrutiny at the screening checkpoint. \12\ A no-fly 
passenger will not be issued a boarding pass. Instead, appropriate law 
enforcement agencies will be notified. Law enforcement officials will 
determine whether the individual will be allowed to proceed through the 
screening checkpoint or if other actions are warranted, such as 
additional questioning of the passenger or taking the passenger into 
custody.

TSA Has Not Followed a Disciplined Life Cycle Approach or Fully Defined 
        System Requirements, Schedule, and Costs
    TSA has not followed a disciplined life cycle approach in 
developing Secure Flight, in accordance with best practices for large-
scale information technology programs. Following a disciplined life 
cycle, activities and related documentation are to be developed in a 
logical sequence. TSA also has not finalized and documented functional 
and system requirements that fully link to each other and to source 
documents. Without adequately defined requirements, TSA cannot finalize 
a system security plan or develop a reliable program schedule or life 
cycle cost estimates. In addition to these concerns, other reviews that 
have been conducted of Secure Flight have raised questions about the 
management of the program.

TSA Has Not Followed a Disciplined Life Cycle Process or Fully Defined 
        System 
        Requirements but Plans to Address These Issues
    Based on evaluations of major Federal information technology 
programs like Secure Flight, and research by others, following a 
disciplined life cycle management process in which key activities and 
phases of the project are conducted in a logical and orderly process 
and are fully documented, helps ensure that programs achieve intended 
goals within acceptable levels of cost and risk. Such a life cycle 
process begins with initial concept definition and continues through 
requirements determination to final testing, implementation, and 
maintenance. TSA has established a System Development Life Cycle (SDLC) 
that defines a series of orderly phases and associated steps and 
documentation. The SDLC serves as the mechanism to ensure that systems 
are effectively managed and overseen. Figure 2 provides a description 
of TSA's SDLC phases and related documentation.



    TSA has not followed its SDLC in developing and managing Secure 
Flight. Rather, program officials stated that they have used a rapid 
development method that was intended to enable them to develop the 
program more quickly. However, these officials could not provide us 
with details on how this approach was implemented. As a result, our 
analysis of steps performed and documentation developed indicates that 
Secure Flight has not been pursued within the context of a logical, 
disciplined, system development methodology. Rather the process has 
been ad hoc, with project activities conducted out of sequence. For 
example, program officials declared that the program's design phase was 
completed before system requirements had been adequately detailed, and 
key activities have yet to be adequately performed, such as program 
planning and defining system requirements. TSA officials acknowledged 
that problems arose with Secure Flight as a result of using this 
approach. As a result, it is currently unclear what Secure Flight 
capabilities are to be developed, by when, at what cost, and what 
benefits are to accrue from the program. Without clarification on these 
decision points, the program is at risk of failure.
    Defining and documenting system requirements is integral to life 
cycle development. Based on best practices and our prior work in this 
area, the expected capabilities of a system such as Secure Flight 
should be defined in terms of requirements for functionality (what the 
system is to do), performance (how well the system is to execute 
functions), data (what data are needed by what functions, when, and in 
what form), interface (what interactions with related and dependent 
systems are needed), and security. Further, system requirements should 
be unambiguous, consistent with one another, linked (that is, traceable 
from one source level to another), \13\ verifiable, understood by 
stakeholders, and fully documented.
    TSA has prepared certain Secure Flight requirements documents, and 
officials stated that they are now reviewing those requirements 
documents. \14\ We support these review efforts because we found, in 
the requirements documents we reviewed, inconsistencies and ambiguities 
in requirements documentation for system functions, performance, data, 
and security--and that these documents were not always complete. For 
example, according to TSA's SDLC guidance and best practices for 
developing information technology systems, systems like Secure Flight 
should have a comprehensive concept of operations covering all aspects 
of the program during the planning phase (see fig. 2). We reported in 
our March 2005 report that TSA had not yet finalized a concept of 
operations, which would describe conceptually the full range of Secure 
Flight operations and interfaces with other systems, and we recommended 
that it develop one. Since March 2005, TSA documents refer to numerous 
concept of operations, such as a long concept of operations, a short 
concept of operations, and an initial operational capability concept of 
operations. TSA provided a June 2005 concept of operations for our 
review, but this document does not contain key system requirements, 
such as the high-level requirements for security and privacy.
    In addition, we found that Secure Flight requirements were unclear 
or missing. For example, while the requirements that we reviewed state 
that the system be available 99 percent of the time, this only covers 
the TVP and Secure Flight application. It does not include requirements 
for the interfacing systems critical for Secure Flight operations. 
Thus, the availability requirements for all of the components of the 
Secure Flight system are not yet known. Some data requirements are also 
vague or incomplete; for example, one data requirement is that the data 
is current, but the meaning of current is not defined. In addition, 
only some system security requirements are identified in the security 
document provided to us for the TVP, and sections in TSA's Systems 
Requirements Specification contain only placeholder notes--``to be 
finalized''--for security and privacy requirements.
    TSA officials acknowledged that it is important that requirements 
be traceable to ensure that they are consistently, completely, and 
correctly defined, implemented, and tested. To help accomplish this, 
TSA officials stated that they use a requirements tracking tool for 
Secure Flight that can align related requirements to different 
documents, and thus establish traceability (e.g., it can map the 
Systems Requirements Specification to a functional requirements 
document). According to program officials, this tool can also be used 
for aligning and tracing requirements to test cases (i.e., scenarios 
used to determine that the system is working as intended). We found, 
however, that requirements for Secure Flight have not been fully 
traced. For example, we were not able to trace system capabilities in 
contractual documents to the concept of operations and then to the 
various requirement documents, to design phase use cases, and to test 
cases. In addition, contractor staff we interviewed stated that they 
were unable to use this tool to align or trace necessary requirements 
without the aid of supplemental information. Without internal alignment 
among system documentation relating to requirements, there is not 
adequate assurance that the system produced will perform as intended.
    In addition, we found that available Secure Flight requirements 
documents did not define the system's boundaries, including interfaces, 
for each of the stakeholders--that is, the scope of the system from end 
to end, from an air carrier to CBP, to TSA, to TSC, and back to TSA, 
then again to CBP and air carriers (refer to fig. 1 for an overview of 
this process). Defining a system's boundaries is important in ensuring 
that system requirements reflect all of the processes that must be 
executed to achieve a system's intended purpose. According to TSA's 
SDLC guidance, a System Boundary Document is to be developed early in 
the system life cycle. However, in its third year of developing a 
passenger prescreening system, TSA has not yet prepared such a 
document. Although the System Boundary Document was not available, the 
program's Systems Security Document does refer to an ``accreditation 
boundary,'' which defines the Secure Flight system from the standpoint 
of system security accreditation and certification. According to this 
definition of what Secure Flight includes, those systems that are 
needed to accomplish Secure Flight program goals (e.g., those of 
commercial air carriers, CBP, and TSC) are not part of Secure Flight. 
If the boundary documents, and thus the requirements, do not reflect 
all system processes and connections that need to be performed, the 
risk is increased that the system will not achieve Secure Flight's 
intended purpose. Moreover, until all system requirements have been 
defined, TSA will not be able to stress-test Secure Flight in an 
operational, end-to-end mode. In our March 2005 report, we recommended 
that TSA finalize its system requirements documents and ensure that 
these documents address all system functionality. Although TSA agreed 
with our recommendations, the requirements documentation that we 
reviewed showed that the agency has not yet completed these activities.
    Our evaluations of major Federal information technology programs, 
and research by others, has shown that following a disciplined life 
cycle management process decreases the risks associated with acquiring 
systems. The steps and products in the life cycle process each have 
important purposes, and they have inherent dependencies among 
themselves. Thus, if earlier steps and products are omitted or 
deficient, later steps and products will be affected, resulting in 
costly and time-consuming rework. For example, a system can be 
effectively tested to determine whether it meets requirements only if 
these requirements have already been fully defined. Concurrent, 
incomplete, and omitted activities in life cycle management exacerbate 
the program risks. Life cycle management weaknesses become even more 
critical as the program continues, because the size and complexity of 
the program will likely only increase, and the later problems are 
found, the harder and more costly they will likely be to fix.
    In October 2005, Secure Flight's director of development stated in 
a memorandum to the assistant TSA administrator responsible for Secure 
Flight that by not following a disciplined life cycle approach, in 
order to expedite the delivery of Secure Flight, the government had 
taken a calculated risk during the requirements definition, design, and 
development phases of the program's life cycle development. The 
director stated that by prioritizing delivery of the system by a 
specified date in lieu of delivering complete documentation, TSA had to 
lower its standards of what constituted acceptable engineering 
processes and documentation. Since then, TSA officials stated that the 
required system documentation associated with each phase of the TSA 
life cycle is now being developed to catch up with development efforts. 
In addition, TSA recognized that it faces challenges preparing required 
systems documentation, and to help in this regard it has recently hired 
a certified systems program manager to manage systems development. In 
January 2006, this program manager stated that as Secure Flight moves 
forward, TSA's SDLC would be followed in order to instill greater rigor 
and discipline into the system's development. In addition, TSA plans to 
hire a dedicated program director for Secure Flight to manage program 
activities, schedules, milestones, costs, and program contractors, 
among other things.

Comprehensive System Security Management Program Has Not Yet Been 
        Established in Accordance with Federal Guidance
    TSA has taken steps to implement an information system security 
management program for protecting Secure Flight information and assets. 
Secure Flight's security plans and the related security review, which 
TSA developed and conducted to establish authority to operate, are 
important steps in the system's development. However, the steps related 
to system security TSA has taken to date are individually incomplete, 
and collectively fall short of a comprehensive system security 
management program. Federal guidance and industry best practices 
describe critical elements of a comprehensive information system 
security management program. Without effective system security 
management, it is unlikely that Secure Flight will, for example, be 
adequately protected against unauthorized access and use, disruption, 
modification, and destruction.
    According to National Institute of Standards and Technology (NIST) 
\15\ and Office of Management and Budget (OMB) guidance under the 
Federal Information Security Management Act, as well as industry best 
practices, a comprehensive system security management program includes 
(1) conducting a system wide risk assessment that is based on system 
threats and vulnerabilities, (2) developing system security 
requirements and related policies and procedures that govern the 
operation and use of the system and address identified risks, (3) 
certifying that the system is secure based on sufficient review and 
testing to demonstrate that the system meets security requirements, and 
(4) accrediting the system as secure in an operational setting.
    TSA has developed two system security plans--one for the TVP and 
one for the Secure Flight application. However, neither of these plans 
nor the security activities that TSA has conducted to date are 
complete. For example, while security threats and vulnerabilities were 
assessed in the documentation and risks were identified in risk 
assessments, requirements to address these risks were only partially 
defined in the security plan for the TVP, and they were not included at 
all in the plan for the Secure Flight application. In addition, the 
sections on security requirements and privacy requirements in the 
System Requirements Specification document read ``to be finalized'' 
with no further description.
    Moreover, we also found that the security systems plans did not 
reflect the current level of risk designated for the program. For 
example, although the July 15, 2005, System Security Plan for the TVP 
arrived at an overall assessment of its exposure to risks as being 
``medium,'' an August 23, 2005, requirements document found that the 
security risk level for the TVP was ``high.'' As a system moves from a 
medium to a high level of risk, the security requirements become more 
stringent. TSA has not provided us with an updated System Security Plan 
for the TVP that addressed this greater level of risk by including 
additional NIST requirements for a high-risk system. In addition, this 
TVP System Security Plan included only about 40 percent of the NIST 
requirements associated with a medium-risk system. Without addressing 
all NIST requirements, in addition to those required for a high-risk 
system, TSA may not have proper controls in place to protect sensitive 
information.
    According to Federal guidance and requirements, the determination 
and approval of the readiness of a system to securely operate is 
accomplished via a certification and accreditation process. On 
September 30, 2005, the TSA assistant administrator responsible for 
Secure Flight formally granted authority, based on certification and 
accreditation results, for the TVP and the Secure Flight application to 
operate. \16\ However, the team performing the certification found that 
TSA was unsure whether they tested all components of the security 
system for the TVP and the Secure Flight application, because TSA 
lacked an effective and comprehensive inventory system. Therefore the 
certification team could not determine whether its risk assessments 
were complete or accurate. This team also documented 62 security 
vulnerabilities for the Secure Flight application and 82 security 
vulnerabilities for the TVP. The certification team recommended 
authority to operate on the condition that corrective action or 
obtaining an exemption for the identified vulnerabilities would be 
taken within 90 days or the authority to operate would expire. TSA 
officials stated that these vulnerabilities had been addressed except 
for three that are being reviewed in a current security audit.

Program Management Plan and Supporting Schedules and Cost Estimates for 
        Secure Flight Have Not Been Maintained
    TSA has proceeded with Secure Flight development over the past year 
without a complete and up-to-date program management plan, and without 
associated cost and schedule estimates showing what work will be done 
by whom, at what cost, and when. A program management plan can be 
viewed as a central instrument for guiding program development. Among 
other things, the plan should include a breakout of the work activities 
and products that are to be conducted in order to deliver a mission 
capability to satisfy stated requirements and produce promised mission 
results. This information, in turn, provides the basis for determining 
the time frames and resources needed for accomplishing this work, 
including the basis for milestones, schedules, and cost estimates. TSA 
has not provided us with either the complete and up-to-date program 
management plan, or an estimated schedule and costs for Secure Flight. 
According to a TSA official, an updated program management plan is 
currently being developed and is about 90 percent complete.
    In lieu of a program management plan with a schedule and 
milestones, TSA has periodically disclosed program milestones. However, 
the basis for and meaning of these milestones have not been made clear, 
and TSA's progress in meeting these milestones has not been measured 
and disclosed. TSA's SDLC and OMB \17\ guidance require that programs 
like Secure Flight provide risk-adjusted schedule goals, including key 
milestones, and that programs demonstrate satisfactory progress toward 
achieving their stated performance goals. In March 2005, we reported 
that the milestone that TSA set for achieving initial operating 
capability for Secure Flight had slipped from April 2005 to August 
2005. TSA officials stated that TSA revised this milestone to state 
that instead of achieving initial operating capability, it would begin 
operational testing. This new milestone subsequently slipped first to 
September 2005, then to November 2005. Since that time, the program has 
not yet begun operational testing or initial operations, and TSA has 
not yet produced an updated schedule identifying when program 
operations will begin or when other key milestones are to be achieved 
to guide program development and implementation. Further, while agency 
officials stated that they are now planning for operational testing of 
an unspecified capability, no milestone date has been set for doing so.
    TSA officials stated that they have not maintained an updated 
program schedule for Secure Flight in part because the agency has not 
yet determined the rulemaking approach it will pursue for requiring 
commercial air carriers to submit certain passenger data needed to 
operate Secure Flight, among other things. Specifically, TSA officials 
stated that a schedule with key milestones, such as operational 
testing, cannot be set until after air carriers have responded to the 
rulemaking and provided their plans and schedules for participating in 
Secure Flight. The rulemaking has been pending since the spring of 
2005, and the rule remains in draft form and is under review, according 
to TSA officials. Once the rule has been issued, TSA officials stated 
that air carriers will be given time to respond with their plans and 
schedules. TSA officials further stated that until this occurs, and a 
decision is made as to how many air carriers will participate in a yet-
to-be-defined initial phase of the program (they are expected to begin 
incrementally), a program schedule cannot be set.
    Further, TSA has not yet established cost estimates for developing 
and deploying either an initial or a full operating capability for 
Secure Flight, and it has not developed a life-cycle cost estimate 
(estimated costs over the expected life of a program, including direct 
and indirect costs and costs of operation and maintenance). TSA also 
has not updated its expenditure plan--plans that generally identify 
near-term program expenditures--to reflect the cost impact of program 
delays, estimated costs associated with obtaining system connectivity 
with CBP, or estimated costs expected to be borne by air carriers. 
Program and life cycle cost estimates are critical components of sound 
program management for the development of any major investment. 
Developing cost estimates is also required by OMB guidance and can be 
important in making realistic decisions about developing a system. 
Expenditure plans are designed to provide lawmakers and other officials 
overseeing a program's development with a sufficient understanding of 
the system acquisition to permit effective oversight, and to allow for 
informed decision making about the use of appropriated funds.
    In our March 2005 report, we recommended that TSA develop reliable 
life cycle cost estimates and expenditure plans for the Secure Flight 
program, in accordance with guidance issued by OMB, in order to provide 
program managers and oversight officials with the information needed to 
make informed decisions about program development and resource 
allocations. Although TSA agreed with our recommendation, it has not 
yet provided this information. TSA officials stated that developing 
program and life cycle cost estimates for Secure Flight is challenging 
because no similar programs exist from which to base cost estimates and 
because of the uncertainties surrounding Secure Flight requirements. 
Further, they stated that cost estimates cannot be accurately developed 
until after system testing is completed and policy decisions have been 
made regarding Secure Flight requirements and operations. 
Notwithstanding these statements, TSA officials stated that they are 
currently assessing program and life cycle costs as part of their 
rebaselining and that this new baseline will reflect updated cost, 
funding, scheduling, and other aspects of the program's development.
    While we recognize that program unknowns introduce uncertainty into 
the program-planning process, including estimating tasks, time frames, 
and costs, uncertainty is a practical reality in planning all programs 
and is not a reason for not developing plans, including cost and 
schedule estimates, that reflect known and unknown aspects of the 
program. In program planning, assumptions need to be made and disclosed 
in the plans, along with the impact of the associated uncertainty on 
the plans and estimates. As more information becomes known over the 
life of the program, these plans should be updated to recognize and 
reflect the greater confidence in activities that can be expressed with 
estimates.
    Program management plans and related schedules and cost estimates--
based on well-defined requirements--are important in making realistic 
decisions about a system's development, and can alert an agency to 
growing schedule or cost problems and the need for mitigating actions. 
Moreover, best practices and related Federal guidance emphasize the 
need to ensure that programs and projects are implemented at acceptable 
costs and within reasonable and expected time frames. Investments such 
as Secure Flight are approved on the expectation that programs and 
projects will meet certain commitments to produce certain capabilities 
and benefits (mission value) within the defined schedule and cost. 
Until an updated program management plan and related schedules and cost 
estimates and expenditure plans, are prepared for Secure Flight--which 
should be developed despite program uncertainties, and updated as more 
information is gained--TSA and Congress will not be able to provide 
complete oversight over the program's progress in meeting established 
commitments.

Oversight Reviews of Secure Flight Have Been Conducted and Raised 
        Questions about Program Management
    DHS and TSA have executive and advisory oversight mechanisms in 
place to oversee Secure Flight. As we reported in March 2005, the DHS 
Investment Review Board (IRB)--designed to review certain programs at 
key phases of development to help ensure they meet mission needs at 
expected levels of costs and risks--reviewed the TVP from which Secure 
Flight will operate, in January 2005. \18\ As a result of this review, 
the board withheld approval for the TVP to proceed from development and 
testing into production and deployment until a formal acquisition plan, 
a plan for integrating and coordinating Secure Flight with other DHS 
people-screening programs, and a revised acquisition program baseline 
(cost, schedule, and performance parameters) had been completed. Since 
that time, TSA has not yet addressed these conditions and has not 
obtained approval from the IRB to proceed into production. DHS 
officials stated that an IRB review is scheduled to be held in March 
2006--14 months after the IRB last met to examine Secure Flight--to 
review Secure Flight and other people-screening programs, including 
international prescreening conducted by CBP. Specifically, the board 
will review the acquisition strategy and progress for each program, 
focusing, in part, on areas of potential duplication. According to TSA 
officials, the agency intends to establish a new program cost, 
schedule, and capability baseline for Secure Flight, which will be 
provided to the IRB for review.
    DHS's Data Privacy and Integrity Advisory Committee also reviewed 
Secure Flight during the last year. \19\ Committee Members have diverse 
expertise in privacy, security, and emerging technology, and come from 
large and small companies, the academic community, and the nonprofit 
sector. In December 2005, the committee issued five recommendations on 
key aspects of the program, including recommendations designed to 
minimize data collection and provide an effective redress mechanism to 
passengers who believe they have been incorrectly identified for 
additional security scrutiny. TSA officials stated that they are 
considering the advisory committees' findings and recommendations as 
part of their rebaselining efforts.
    In September 2004, TSA appointed an independent working group 
within the Aviation Security Advisory Committee, \20\ composed of 
government privacy and security experts, to review Secure Flight. The 
working group issued a report in September 2005 that concluded, among 
other things, that TSA had not produced a comprehensive policy document 
for Secure Flight that could define oversight or governance 
responsibilities, nor had it provided an accountability structure for 
the program. The group attributed this omission to the lack of a 
program-level policy document issued by a senior executive, which would 
clearly state program goals. The working group also questioned Secure 
Flight's oversight structure and stated that it should focus on the 
effectiveness of privacy aspects of the program and, in doing so, 
consider oversight regimes for Federal law enforcement and U.S. 
intelligence activities.
    In addition to oversight reviews initiated by DHS and TSA, the DOJ-
OIG issued a report in August 2005 reviewing TSC's role in supporting 
Secure Flight. \21\ In its report, the DOJ-OIG reported that TSC faced 
several key factors that were unknown with respect to supporting Secure 
Flight, including when the program will begin, the volume of inquiries 
it will receive, the number of TSC resources required to respond to 
these inquiries, and the quality of the data it will have to analyze. 
In light of these findings, the DOJ-OIG report recommended that, among 
other things, TSC better prepare itself for future needs related to 
Secure Flight by strengthening its budgeting and staffing processes and 
by improving coordination with TSA on data exchange standards. In June 
2005, a DOJ-OIG report recommended that TSC conduct a record-by-record 
review of the TSDB to improve overall data quality and integrity. TSC 
agreed with all recommendations made. \22\

TSA Has Made Progress in Coordinating With Critical Stakeholders but 
        More Work Remains
    TSA has drafted policy and technical guidance to help inform air 
carriers of their Secure Flight responsibilities, and has begun 
coordinating with CBP and TSC on Secure Flight requirements and broader 
issues of integration and interoperability between Secure Flight and 
other people-screening programs. However, TSA has not yet provided 
information and technical requirements that all stakeholders need to 
finalize their plans to support the program's operations, and to 
adequately plan for the resources needed to do so.

TSA Has Begun Collaborating With Key Stakeholders, but Their 
        Participation Will Be Limited Until System Requirements Have 
        Been Finalized
    As we reported in March 2005, key Federal and commercial 
stakeholders--CBP, TSC, and commercial air carriers--will play a 
critical role in the collection and transmission of data needed for 
Secure Flight to operate successfully. Accordingly, TSA will need to 
ensure that requirements for each stakeholder are determined. For 
instance, TSA will need to define how air carriers are to connect to 
CBP and what passenger data formats and structures will be used. 
Although more remains to be done, TSA has worked to communicate and 
coordinate requirements with stakeholders. For example, TSA has 
maintained weekly communications with CBP and TSC regarding their roles 
and responsibilities related to Secure Flight operations.
    TSA has also begun to address air carriers' questions about 
forthcoming Secure Flight requirements. For example, TSA Officials have 
produced draft air carrier guidance, known as the Secure Flight Data 
Transmission Plan Guidance (DTPG). \23\ The final DTPG is to include 
guidance to air carriers addressing the following areas: Secure 
Flight's mission overview and objectives, project planning phases, 
aircraft operator operations and airport procedures, technical data 
requirements, aircraft operator application development, Secure Flight 
operations, and system maintenance and support. According to TSA 
officials, air carriers have received copies of a partial draft DTPG, 
and some air carriers have submitted feedback to Secure Flight's 
Airline Implementation and Operations Team that TSA says it is working 
to address.
    In addition to drafting guidance, TSA has conducted preliminary 
network connectivity testing between TSA and Federal stakeholders. For 
example, messages have been transmitted from CBP to TSA and back. 
However, such tests included only dummy data. According to CBP 
officials, no real-time passenger data have been used in this testing, 
and system stress testing has not yet been conducted. \24\ Without 
real-time passenger data, the official said, CBP cannot estimate total 
capacity or conduct stress testing to ensure the system operates 
effectively. Further, according to a TSC official, testing has been 
conducted to show that a data exchange between the TSC and TSA is 
functioning, but the system has not been stress-tested to determine if 
it can handle the volume of data traffic that will be required to 
operate Secure Flight. According to this official, TSA has not 
specified what these data volume requirements will be. TSA officials 
acknowledged that they have not yet made this determination and stated 
that they will not be able to do so until they (1) issue the rule, and 
(2) have received the air carrier plans for participating in Secure 
Flight based on requirements identified in the rule.
    Although CBP, TSC, and air carrier officials we interviewed 
acknowledged TSA's outreach efforts, they cited several areas where 
additional information was needed from TSA before they could fully 
support Secure Flight. Several CBP officials stated, for example, that 
they cannot proceed with establishing connectivity with all air 
carriers until DHS publishes the rule--the regulation that will specify 
what type of information is to be provided for Secure Flight--and the 
air carriers provide their plans for providing this information. 
Similarly, a TSC official stated that TSC cannot make key decisions on 
how to support Secure Flight until TSA provides estimates of the volume 
of potential name matches that TSC will be required to screen, as 
identified above. The TSC official stated that without this 
information, TSC cannot make decisions about required resources, such 
as personnel needed to operate its call center. \25\ As we reported in 
March 2005, air carriers also expressed concerns regarding the 
uncertainty of the Secure Flight system and data requirements, and the 
impact these requirements may have on the airline industry and 
traveling public. Air carriers will not be able to begin to modify 
their passenger data systems to record the data attributes--such as 
full name and date of birth, which Secure Flight will use to conduct 
name matching--until TSA determines and communicates which specific 
data attributes are to be used.
    Oversight groups that have reviewed Secure Flight agreed that 
additional work was needed to improve the flow of information to, and 
coordination with, program stakeholders. In its December 2005 report on 
Secure Flight, the DHS Data Privacy and Integrity Advisory Committee 
stated that TSA needs to be clear with air carriers about what 
information it needs now and what information it may consider 
requesting in the future, to enable air carriers to avoid sequential 
revisions of data-handling systems. Also, in September 2005, the 
Aviation Security Advisory Committee working group expressed concerns 
about the lack of clarity regarding how Secure Flight will interact 
with other screening programs.
    Further, in its August 2005 audit of TSC's support of Secure 
Flight, the DOJ-OIG reported that TSC officials believed that their 
ability to prepare for the implementation of Secure Flight has been 
hampered by TSA's failure to make, communicate, and comply with key 
program and policy decisions in a timely manner, such as the launch 
date and volume of screening to be conducted during initial 
implementation. In addition, the report noted that because TSA is 
unsure about how many air carriers will participate in the initial 
phase of the program, neither TSA nor TSC can know how many passenger 
records will be screened, and cannot project the number of watch list 
hits that will be forwarded to the TSC for action. Finally, the DOJ-OIG 
report concluded that the shifting of critical milestones--including 
TSA's schedule slippages over the past year--has affected TSC's ability 
to adequately plan for its role in Secure Flight.
    Despite TSA's outreach efforts, stakeholder participation in Secure 
Flight is dependent on TSA's effort to complete its definition of 
requirements and describe these in the rule. Because TSA has not fully 
defined system requirements, key stakeholders have not been able to 
fully plan for or make needed adjustments to their systems. In our 
March 2005 report, we recommended that TSA develop a plan for 
establishing connectivity among the air carriers, CBP, and TSC to help 
ensure the secure, effective, and timely transmission of data for use 
in Secure Flight operations. Although TSA has continued to coordinate 
with these key stakeholders, at present the agency has still not 
completed the plans and agreements necessary to ensure the effective 
support of Secure Flight.

Ongoing Coordination of Prescreening and Name-Matching Initiatives Can 
        Impact How Secure Flight Is Implemented
    In January 2006, TSA officials stated that they are in the early 
stages of coordinating with CBP on broader issues of integration and 
interoperability related to other people-screening programs. These 
broader coordination efforts, which are focused on minimizing 
duplicative efforts that may exist between the agencies that screen 
individuals using watch list data and achieving synergies and 
efficiencies, are important because they may affect how Secure Flight 
will operate initially and in the future. Specifically, TSA Officials 
stated that they are coordinating more closely with CBP's international 
prescreening initiatives for passengers on flights bound for the United 
States. The Air Transport Association and the Association of European 
Airlines--organizations representing air carriers--had requested, among 
other things, that both domestic and international prescreening 
function through coordinated information connections and avoid 
unnecessary duplication of communications, programming, and information 
requirements. \26\
    In response to air carrier concerns, and the initiatives of DHS to 
minimize duplicative efforts, officials from both CBP and TSA explained 
that they are beginning to work together to ensure that air carriers 
have a single interface with the government for prescreening both 
domestic and international passengers. TSA and CBP officials further 
stated that they will try to use CBP's network to transmit domestic and 
international passenger data to and from the air carriers, thus 
providing the air carriers with a single interface for sending and 
receiving information. \27\ TSA and CBP officials also stated that air 
carriers should receive a common notification about whether a 
passenger--domestic or international--requires normal processing, 
additional screening, or is not permitted to board a plane. However, 
according to these officials, TSA and CBP have not yet resolved other 
system differences--such as the fact that their prescreening systems 
use different passenger data elements, documentation, \28\ and name 
matching technologies--that could lead to conflicting notifications 
that would instruct air carriers to handle a passenger differently for 
an international than for a domestic flight. Both TSA and CBP officials 
agreed that additional coordination efforts are needed to resolve these 
differences, and stated that they plan to work closely together in 
developing a prescreening capability for both domestic and 
international passengers. \29\ Decisions made as a result of further 
coordination could result in changes to the way that Secure Flight is 
implemented.
    In addition to coordinating with CBP on international prescreening, 
TSA faces additional coordination challenges working with TSC. 
Specifically, according to TSC officials, TSC has an initiative under 
way to, among other things, better safeguard watch list data. 
Currently, TSC exports watch list data to other Federal agencies, such 
as TSA and the State Department, for use in these agencies' screening 
efforts or processes for examining documents and records related to 
terrorism. However, TSC is currently developing a new system whereby 
watch list data would not be exported, but rather would be maintained 
by TSC. This system, called Query, is to serve as a common shared 
service that will allow agencies to directly search the TSDB using 
TSC's name matching technology for their own purposes. TSC has 
conducted limited testing of the system. If TSC chooses to use Query, 
TSA will be required to modify the system architecture for Secure 
Flight in order to accommodate the new system. According to a TSC 
official, this effort could be costly. While TSA acknowledged in its 
draft concept of operations plan in June 2005 that Secure Flight would 
need to be modified to accommodate TSC's Query ``as necessary,'' the 
agency has not made adjustments to its system requirements or conducted 
a cost analysis of expected impacts on the Secure Flight program. 
Rather, TSA has decided that it will continue developing the Secure 
Flight application, which includes TSA's name-matching technologies. 
Thus, TSC will need to export watch list data to TSA to support Secure 
Flight, once it becomes operational.

Key Factors That Will Influence the Effectiveness of Secure Flight Have 
        Not Been Finalized or Resolved
    Several activities are under way, or are to be decided, that will 
affect Secure Flight's effectiveness, including how operational testing 
is conducted, and how data requirements and data accuracy are 
determined. TSA has been testing and evaluating name-matching 
technologies for determining what type of passenger data will be needed 
to match against the TSDB. These tests have been conducted thus far in 
a controlled, rather than real-world environment, using historical 
data, and additional testing is needed. In addition, TSA has not made 
key decisions regarding how the name-matching technologies to be used 
by Secure Flight will operate or which data will be used to conduct 
name matching. While TSA is not responsible for ensuring the accuracy 
of passenger data, the agency must nonetheless advise stakeholders on 
data accuracy and quality requirements. Another factor that could 
impact the effectiveness of Secure Flight in identifying known or 
suspected terrorists is the system's inability to identify passengers 
who assume the identity of another individual by committing identity 
theft, or passengers who use false identifying information. Secure 
Flight is neither intended to nor designed to address these 
vulnerabilities.

Tests of Name-Matching Capability Are Under Way, but Full System 
        Testing Has Not Yet Been Conducted
    TSA has tested--and continues to test--the effectiveness of one 
aspect of the Secure Flight system, namely name-matching technologies. 
These name-matching tests will help TSA determine what passenger data 
will be needed for the system to match most effectively passenger 
records with information contained in the TSDB. These tests are 
critical to defining data requirements and making decisions about how 
to configure the name-matching technologies. Additional tests will need 
to be conducted in an operational, real-world environment to fully 
understand how to configure the system effectively. This is because the 
name-matching tests conducted to date were conducted in a controlled, 
rather than real-world, environment--that is, under controlled, or 
simulated, conditions. For example, TSA used historic air carrier 
passenger data from June 2004 and historic and simulated watch list 
data to test the functionality and effectiveness of Secure Flight's 
name-matching technologies that match air carrier passenger records 
with potential terrorists in the TSDB.
    Additional testing beyond name-matching also needs to be conducted, 
after TSA rebaselines its program, defines system requirements, and 
begins adhering to its SDLC. For example, stress and operational 
testing \30\ would help determine whether Secure Flight can process the 
volume of data expected and operate as intended in an operational 
environment. As we reported in March 2005, TSA had planned to conduct a 
series of operational tests consisting of increasingly larger 
increments of the system's functionality until the complete system was 
tested. These tests were to begin in June 2005. However, due to program 
delays, TSA has not yet conducted this end-to-end testing needed to 
verify that the entire system, including any interfaces with external 
systems, functions as intended in an operational environment. TSA also 
has not yet conducted the stress testing needed to measure the system's 
performance and availability in times of particularly heavy (i.e., 
peak) loads. Recently, TSA documented its overall strategy for 
conducting these tests and developed draft test plans. TSA officials 
stated that information about its plans for future testing will be 
included in its rebaselined program plan. Until this testing is 
complete, it will not be possible to determine whether Secure Flight 
will function as intended in an operational environment.

Key Policy Decisions That Will Impact System Effectiveness Have Not 
        Been Made
    Key policy decisions that will influence the effectiveness of 
Secure Flight in identifying passengers who should undergo additional 
security scrutiny have not yet been made. These policy decisions 
include (1) determining the passenger information that air carriers 
will be required to collect and provide for vetting, (2) the name-
matching technologies that will be used to vet passenger data against 
data contained in the TSDB, and (3) the thresholds that will be set to 
determine when a passenger will be identified as a potential match 
against the TSDB. These three decisions, discussed below, are all 
critical to ensuring that Secure Flight identifies potential terrorist 
threats as effectively as possible while minimizing the number of 
potential matches that will require further review by TSA and TSC 
analysts.
    (1) Determining the passenger information that air carriers will be 
required to collect and provide for vetting: TSA needs to decide which 
data attributes air carriers will be required to provide in passenger 
data to be used to match against data contained in the TSDB, such as 
full first, middle, and last name plus other discrete identifiers, such 
as date of birth.
    Using too many data attributes can increase the difficulty of 
matching, since the risk of errors or mismatches increases. Using too 
few attributes can create an unnecessarily high number of incorrect 
matches due to, among other things, the difficulty of differentiating 
among similar common names without using further information. Initial 
TSA test results have shown that the use of name and date of birth 
alone might not be sufficient for decreasing the number of false 
positives--that is, passengers inappropriately matched against data 
contained in the TSDB.
    (2) Selecting name-matching technologies used to vet passenger 
names against the TSDB: TSA must determine what type or combination of 
name-matching technologies to acquire and implement for Secure Flight, 
as these different technologies have different capabilities. For 
example, TSA's PNR testing showed that some name-matching technologies 
are more capable than others at detecting significant name 
modifications, which allows for the matching of two names that contain 
some variation. Detecting variation is important because passengers may 
intentionally make alterations to their names in an attempt to conceal 
their identity. Also, unintentional variations can result from 
different translations of nonnative names or data entry errors. For 
example, some name-matching technologies might correctly discriminate 
between ``John Smith'' and ``John Smythe,'' others may not. However, 
name matching technologies that are best at detecting name variations 
may also increase the number of potential matches that will have to be 
further reviewed, which could be offset using a combination of name 
matching technologies. TSA officials stated in November 2005 that it 
planned to continuously evaluate the best name-matching technologies or 
combination of technologies to enhance the system in future iterations. 
TSA officials recently stated that they had made, but not yet 
documented, an initial determination regarding the name-matching 
technologies that will be used for Secure Flight and that they plan to 
conduct continuous reviews of the name-matching technologies to address 
circumstances as they arise.
    (3) Selecting thresholds for determining when a possible name match 
has occurred: TSA has discretion to determine what constitutes a 
possible match between a passenger's data and a TSDB record. \31\ For 
each name that is matched, the name-matching tool will assign a numeric 
score that indicates the strength of the potential match. \32\ For 
example, a score of 95 out of 100 would indicate a more likely match 
than a score of 85. If TSA were to set the threshold too high, many 
names may be cleared and relatively few flagged as possible matches--
that is, there is a possibility that terrorists' names may not be 
matched. Conversely, if the threshold were set too low, passengers may 
be flagged unnecessarily, and relatively few cleared through the 
automated process. As an example of the importance of setting 
thresholds, during one of the PNR tests conducted, TSA set the name-
matching threshold at 80, which resulted in over 60 percent of 
passengers requiring manual review. Alternatively, when TSA set the 
threshold at 95, less than 5 percent of the same group of passenger 
records were identified as requiring further review. With about 1.8 
million passengers traveling domestically per day, having a threshold 
that is too low could produce an unmanageable number of matches--
possibly leading to passenger delays--while setting the threshold too 
high could result in the system missing potential terrorists. Although 
TSA will not decide how the thresholds should be set until it conducts 
additional evaluations, it has indicated that the threshold might be 
adjusted to reflect changes in the terrorist threat level. This would 
result in Secure Flight flagging more names for potential manual review 
in order to ensure greater scrutiny in response to changing conditions.
    TSA plans to finalize decisions on these factors as system 
development progresses. However, until these decisions are made, 
requirements will remain unsettled and key stakeholders--in particular 
air carriers--will not have the information they need to assess and 
plan for changes to their systems necessary for interfacing with Secure 
Flight. Air carriers and reservation companies will also not know which 
additional data attributes they may be required to collect from 
passengers, to support Secure Flight operations, as reservations are 
made. These decisions will also directly influence the number of 
analysts that TSA and TSC will need to manually review potential 
matches to the TSDB. Accordingly, stakeholders have expressed concern 
that they have not been provided information about what these decisions 
are. They stated that they are awaiting additional information from TSA 
in order to move forward with their plans to interface with and support 
Secure Flight.

Efforts to Improve Data Quality and Accuracy Are Under Way, but 
        Additional Work Remains
    Two additional factors that will impact the effectiveness of Secure 
Flight are (1) the accuracy and completeness of data contained in TSC's 
TSDB and in passenger data submitted by air carriers, and (2) the 
ability of TSA and TSC to identify false positives and resolve possible 
mistakes during the data matching process, in order to minimize 
inconveniencing passengers. According to TSA and TSC officials, the 
data attributes that Secure Flight will require for name matching need 
to be included in both the passenger data and the TSDB in order for the 
automated system to effectively match names between the two lists. As 
we reported in March 2005, while the completeness and accuracy of data 
contained in the TSDB can never be certain--given the varying quality 
of intelligence information gathered, and changes in this information 
over time--TSC has established some processes to help ensure the 
quality of these data. However, the DOJ-OIG, in its June 2005 review of 
TSC, \33\ found that the TSC could not ensure that the information 
contained in its databases was complete or accurate. \34\ According to 
a TSC official, since the time of the DOJ-OIG review, TSC has taken 
several steps to improve the quality of TSDB records, including 
conducting a record-by-record review, updating procedures for a daily 
review of each new or modified record, and using automated rules to 
check the completeness of records received from other agencies. \35\ 
According to this official, TSA and TSC plan to enter into a letter of 
agreement that will describe the TSDB data elements that TSC will 
produce for TSA, among other things, to be used for Secure Flight. 
However, these data requirements have not yet been determined.
    In order to obtain accurate and complete passenger data from air 
carriers, TSA plans to describe the required data attributes that must 
be contained in passenger data provided to TSA in the forthcoming rule. 
TSA also plans to issue a final and complete DTPG to specify the data 
formats and other transmission requirements. However, the accuracy and 
completeness of the information contained in the passenger data record 
will still be dependent on the air carriers' reservations systems and 
passengers, and the air carriers' modifications of their systems for 
transmitting the data in the proper format. These steps are not 
trivial, as indicated by the June 2004 historical passenger data 
provided by the air carriers for TSA's name-matching tests. For these 
tests, many passenger data records submitted by air carriers were found 
to be inaccurate or incomplete, creating problems during the automated 
name-matching process. For example, some passenger data included 
invalid characters or prefixes, such as ``Mr.'' and ``Mrs.,'' in the 
name fields. Other inaccuracies included invalid characters or 
prefixes, spelling errors, and inverted birth date information. 
Additionally, some of the records had omitted or incomplete data 
elements necessary for performing the automated match or were in an 
unusable format.
    In a related effort to address accuracy, TSA and TSC plan to work 
together to identify false positives as passenger data are matched 
against data in the TSDB and to resolve mistakes to the extent possible 
before inconveniencing passengers. The agencies will use intelligence 
analysts during the actual matching of passenger data to data contained 
in the TSDB to increase the accuracy of data matches. As indicated in 
figure 1, when TSA's name-matching technologies indicate a possible 
match, TSA analysts are to manually review all of the passenger data 
and other information to determine if the passenger can be ruled out as 
a match to the TSDB. If a TSA analyst cannot rule out a possible match, 
the record will be forwarded to a TSC analyst to conduct a further 
review using additional information. According to a TSC official, TSA 
and TSC analysts participated in a tabletop exercises to test the 
consistency of their respective manual reviews, and found that the 
matching logic used by both groups of analysts was consistent. This 
official stated that TSA and TSC also tested their operational 
procedures, and found gaps in their procedures that are now being 
addressed. According to this official, TSA and TSC plan to conduct 
additional joint exercises. Completing these exercises will be 
important to further understanding the effectiveness of using 
intelligence analysts to clear misidentified passengers during Secure 
Flight operations.

False Identifying Information and Identity Theft Could Impact the 
        Security Benefits of Secure Flight
    Another factor that could affect Secure Flight's effectiveness in 
identifying known or suspected terrorists is the system's inability to 
identify passengers who falsify their identifying information or who 
commit identity theft. \36\ TSA Officials stated that the program is 
not intended to or designed to protect against the use of falsified 
identities or to detect identity theft. However, TSA officials stated 
that the use of commercial data during the name-matching process may 
help identify situations in which a passenger submits fictitious 
information such as a false address. In the spring of 2005, a TSA 
contractor tested the use of commercial data composed of personally 
identifiable information (such as name and address) to determine, among 
other things, if such data could be used to increase Secure Flight's 
effectiveness in identifying false or stolen identities. However, 
according to the DHS Data Privacy and Integrity Advisory Committee 
report, testing performed to date does not provide a reasonable case 
for utilizing commercial data as part of Secure Flight. TSA officials 
are not currently pursuing the use of commercial data to support Secure 
Flight because the Fiscal Year 2006 DHS Appropriations Act prohibits 
TSA from using data or databases obtained from or that remain under the 
control of a non-federal entity, \37\ effectively terminating this type 
of testing for the duration of Fiscal Year 2006. \38\ Further, TSA 
officials stated that incorporating biometrics--technologies that can 
automate the identification of people by one or more of their distinct 
physical or behavioral characteristics--is not currently envisioned for 
Secure Flight. As noted in our previous work, biometric technologies, 
such as fingerprint recognition, are being used in other TSA screening 
programs. \39\ Moreover, the current prescreening process of matching 
passenger names against no-fly and selectee lists implemented by air 
carriers also does not protect against identity theft or the use of 
fictitious identities.

Secure Flight Privacy Notices and Passenger Redress Process Cannot Be 
        Finalized Until Program Requirements Are More Fully Defined
    TSA is aware of, and plans to address, the potential for Secure 
Flight to adversely affect travelers' privacy and impact their rights. 
However, TSA, as part of its requirements development process, has not 
yet clearly identified the privacy impacts of the planned system or the 
full actions it plans to take to mitigate them. Nor has the agency 
completed its assessment of the potential impact on passenger privacy 
of the system in an operational environment or defined its redress 
process for Secure Flight because, in part, the operational plans and 
system requirements for Secure Flight have not been finalized. TSA 
officials stated that they are in the process of reviewing new privacy 
notices that will be issued in conjunction with a forthcoming rule 
making prior to proceeding with its initial operating capability, and 
that these notices will also address certain aspects of Secure Flight's 
redress process. Until TSA finalizes system requirements and notices, 
however, privacy protections and impacts cannot be assessed.

Privacy Cannot Be Fully Assessed Because System Development 
        Documentation Does Not Fully Address Privacy Requirements
    The Privacy Act and the Fair Information Practices--a set of 
internationally recognized privacy principles that underlie the Privacy 
Act--limit the collection, use, and disclosure of personal information 
by Federal agencies. \40\ While TSA has reiterated its commitment to 
meet the requirements of the Privacy Act and the Fair Information 
Practices, it is not yet evident how this will be accomplished. \41\ To 
begin with, TSA has not decided what data attributes from the PNR it 
plans to collect, or how such data will be provided by airlines, 
through CBP, to TSA. Further, according to TSA officials, the agency is 
in the process of developing but has not issued the system of records 
notice, which is required by the Privacy Act, \42\ or the privacy 
impact assessment, which is required by the E-Government Act, \43\ that 
would describe how TSA considered privacy in the development of the 
system and how it will protect passenger data once the system becomes 
operational.
    Moreover, privacy requirements were not incorporated into the 
Secure Flight system development process in such a way that would 
explain whether personal information will be collected and maintained 
in the system in a manner that complies with statutory requirements and 
TSA's SDLC guidance. One requirement of the privacy impact assessment 
is that privacy be addressed in the systems development documentation. 
In addition, TSA's SDLC guidance acknowledges that privacy protections 
should be planned for and carried out as part of the system development 
process. In our review of Secure Flight's system requirements, we found 
that privacy concerns were broadly addressed in Secure Flight's 
functional requirements, but had not been translated into specific 
system requirements. For example, the functional requirements stated 
that the Privacy Act must be considered in the development of the 
system, but the system requirements documents do not reflect how 
privacy protections will be supported by the system. Rather, system 
requirements documents state that privacy requirements are ``yet to be 
finalized.'' TSA's Privacy Officer stated that she has been 
collaborating with the system development team, but this is not evident 
in the documents we reviewed.
    Without taking steps to ensure that privacy protections are built 
into the system requirements, TSA cannot be assured that it will be in 
compliance with the Privacy Act once operational, and it runs the risk 
of repeating problems it experienced last spring. We reported in July 
2005 that TSA's initially issued privacy notices for the Secure Flight 
data-processing tests did not meet Privacy Act requirements because 
personal information was used in testing in ways that the agency had 
not disclosed to the public. \44\ We explained that in its fall 2004 
notices, TSA had informed the public of its plans to use personal 
information during Secure Flight testing, including the use of 
commercial data in a limited manner. However, these initial notices did 
not fully describe how personal information would be collected, used, 
and stored for commercial data testing as it was carried out. As a 
result, individuals were not fully informed that their personal 
information was being collected and used, nor did they have the 
opportunity to comment on this or become informed on how they might 
exercise their rights of access to their information. Although TSA did 
not fully disclose its use of personal information prior to beginning 
Secure Flight commercial data testing, the agency issued revised 
privacy notices in June 2005 to more fully disclose the nature of the 
commercial tests and address the issues disclosed by us.
    As we reported in March 2005, until TSA fully defines its 
operational plans for Secure Flight and addresses international privacy 
concerns, it will remain difficult to determine whether the planned 
system will offer reasonable privacy protections to passengers who are 
subject to prescreening or mitigate potential impacts on passengers' 
privacy. At that time, we recommended that TSA finalize privacy 
policies and issue associated documentation prior to Secure Flight 
achieving initial operating capability. TSA acknowledged that it needs 
to publish new privacy notices to cover the collection, use, and 
storage of personal data for Secure Flight's initial and full operating 
capability, before beginning operational testing. TSA officials stated 
that these privacy notices are currently being reviewed by TSA and DHS 
and will be released in conjunction with the forthcoming rulemaking.

TSA Has Not Determined Secure Flight's Redress Process
    Congress mandates that Secure Flight include a process whereby 
aviation passengers determined to pose a threat to aviation security 
may appeal that determination and correct erroneous information 
contained within the prescreening system. \45\ TSA currently has a 
process in place that allows passengers who experience delays, under 
the current process run by air carriers, to submit a passenger identity 
verification form to TSA and request that the agency place their names 
on a cleared list. If, upon review, TSA determines that the passenger's 
identity is distinct from the person on a watch list, TSA will add the 
passenger's name to its cleared list, and will forward the updated list 
to the air carriers. TSA will also notify the passenger of his or her 
cleared status and explain that in the future the passenger may still 
experience delays. \46\ Recently, TSA has automated the cleared list 
process, enabling the agency to further mitigate inconvenience to 
travelers on the cleared list.
    The Intelligence Reform and Terrorism Prevention Act, enacted in 
December 2004, directs TSA to include certain elements in its Secure 
Flight redress policy. \47\ Specifically, it requires the establishment 
of a timely and fair process for individuals identified as a threat to 
appeal the determination to TSA and correct any erroneous information. 
\48\ It further requires that TSA establish a method for maintaining a 
record of air passengers who have been misidentified and have corrected 
erroneous information. To prevent repeated delays of misidentified 
passengers, this record must contain information determined by TSA to 
authenticate the identity of such a passenger. In January 2006, TSA 
officials stated that no final decisions have been made regarding how 
TSA will address the relevant requirements for redress found in the 
Intelligence Reform and Terrorism Prevention Act requirements. However, 
OTSR officials stated that a cleared list will be part of the process. 
The June 2005 concept of operations describes a process where 
individuals that are frequently misidentified as being on the TSDB and 
TSA selectee list can request to be placed on a list of individuals who 
have been cleared.
    In our March 2005 report, we recommended that TSA finalize its 
Secure Flight redress policies and procedures prior to achieving its 
initial operating capability. Information concerning aspects of the 
redress process will be published before operational tests or full 
implementation of the Secure Flight process, and will be contained 
within the privacy notices that TSA officials stated will be released 
in conjunction with the forthcoming rulemaking. Moving forward, TSA has 
assigned a manager to serve as liaison with DHS on privacy and redress 
issues.

Concluding Observations
    TSA has continued its development and testing of Secure Flight, but 
has made limited progress in addressing longstanding issues related to 
system development and testing, program management, and privacy and 
redress protections. To make and demonstrate progress on any large-
scale information technology program, such as Secure Flight, an agency 
must first adequately define what program capabilities, such as 
requirements related to performance, security, privacy, and data 
content and accuracy, are to be provided. These requirements can then 
in turn be used to produce reliable estimates of what these 
capabilities will cost, when they will be delivered, and what mission 
value or benefits will accrue as a result. For Secure Flight, well-
defined requirements would provide a guide for developing the system 
and a baseline to test the developed system to ensure that it delivers 
necessary capabilities, and would help to ensure that key program 
areas--such as security, system connectivity, privacy and redress 
protections--are appropriately managed.
    When we reported on Secure Flight in March 2005, TSA had committed 
to take action on our recommendations to manage the risks associated 
with developing and implementing Secure Flight, including finalizing 
the concept of operations, system requirements and test plans; 
completing formal agreements with CBP and air carriers to obtain 
passenger data; developing life cycle cost estimates and a 
comprehensive set of critical performance measures; issuing new privacy 
notices; and putting a redress process in place. Over the past 11 
months, TSA has made some progress on all of these areas, including 
conducting further testing of factors that could influence system 
effectiveness and corroborating with key stakeholders. However, TSA has 
not completed any of the actions it had scheduled to accomplish. In 
particular, TSA has not yet developed complete system requirements or 
conducted important system testing (including stress testing), fully 
established security measures, made key decisions that will determine 
system effectiveness, developed a program management plan and a 
schedule for accomplishing program goals, or published updated privacy 
and redress notices. Taken as a whole, this lack of progress indicates 
that the program has not been effectively managed and is at risk of 
failure.
    While we recognize that TSA faces program uncertainties that can 
directly impact Secure Flight's development and progress, uncertainty 
is a component of most programs, and should not be used as a reason for 
not defining requirements and developing plans and cost estimates, to 
manage risk. We believe that Secure Flight, like all programs, can 
utilize best practices to develop such plans to manage program 
uncertainties.
    To its credit, TSA has recently taken actions that recognize the 
need to instill more rigor and discipline into the development and 
management of Secure Flight, including hiring a program manager with 
information systems program management credentials. We also support 
TSA's efforts to rebaseline the program, including defining system 
requirements and finalizing a program management plan, including the 
development of schedules and cost estimates, before proceeding with 
program development. In fact, proceeding with operational testing and 
completing other key program activities should not be pursued until TSA 
puts in place a more disciplined life cycle process and defines system 
requirements. In the absence of this and other program information, 
such as requirements, capabilities, and benefits, further investment in 
this program would be difficult to justify.
    We are also encouraged that DHS's IRB--the executive decision 
making authorities--has scheduled a review of Secure Flight and other 
people-screening programs. Given the potential duplication with CBP's 
new initiatives for international prescreening, DHS, TSA, and CBP need 
to assess alternative system solutions that should be factored into 
Secure Flight's rebaselined program and be the basis for IRB decisions 
regarding Secure Flight's future. Notwithstanding these efforts, 
however, much work remains to be accomplished before Secure Flight is 
positioned to be properly executed so that informed and prudent 
investment decisions can be made.
    Mr. Chairman, this concludes my prepared statement. I will be 
pleased to respond to any questions that you or other Members of the 
Committee have at the appropriate time.
GAO Contacts and Staff Acknowledgments
    For further information about this testimony, please contact 
Cathleen Berrick, at 202-512-3404 or at [email protected] or Randolph C. 
Hite at 202-512-6256 or at [email protected].
    Other key contributors to this statement were David Alexander, Amy 
Bernstein, Mona Nichols Blake, John de Ferrari, Christine Fossett, 
Brent Helt, Richard Hung, Thomas Lombardi, C. James Madar, Matthew 
Mohning, David Plocher, Karl Seifert, and William Wadsworth.
                               Appendix I

 Legislatively Mandated Secure Flight Issues to be Certified by the DHS
                           and Reviewed by GAO
------------------------------------------------------------------------
Legislative mandated issue (number
         and short title)               Description of mandated issue
------------------------------------------------------------------------
1. Redress process                  A system of due process exists
                                     whereby aviation passengers
                                     determined to pose a threat are
                                     either delayed or prohibited from
                                     boarding their scheduled flights by
                                     TSA may appeal such decisions and
                                     correct erroneous information
                                     contained in CAPPS II or Secure
                                     Flight or other follow-on/successor
                                     programs.
2. Accuracy of databases and        The underlying error rate of the
 effectiveness of Secure Flight      government and private databases
                                     that will be used to both establish
                                     identity and assign a risk level to
                                     a passenger will not produce a
                                     large number of false positives
                                     that will result in a significant
                                     number of passengers being treated
                                     mistakenly or security resources
                                     being diverted.
3. Stress testing                   TSA has stress-tested and
                                     demonstrated the efficacy and
                                     accuracy of all search technologies
                                     in CAPPS II or Secure Flight or
                                     other follow-on/successor programs
                                     and has demonstrated that CAPPS II
                                     or Secure Flight or other follow-on/
                                     successor programs can make an
                                     accurate predictive assessment of
                                     those passengers who may constitute
                                     a threat to aviation.
4. Internal oversight               The Secretary of Homeland Security
                                     has established an internal
                                     oversight board to monitor the
                                     manner in which CAPPS II or Secure
                                     Flight or other follow-on/successor
                                     programs are being developed and
                                     prepared.
5. Operational safeguards           TSA has built in sufficient
                                     operational safeguards to reduce
                                     the opportunities for abuse.
6. Security measures                Substantial security measures are in
                                     place to protect CAPPS II or Secure
                                     Flight or other follow-on/successor
                                     programs from unauthorized access
                                     by hackers or other intruders.
7. Oversight of system use and      TSA has adopted policies
 operation                           establishing effective oversight of
                                     the use and operation of the
                                     system.
8. Privacy concerns                 There are no specific privacy
                                     concerns with the technological
                                     architecture of the system.
9. Modifications with respect to    TSA has, in accordance with the
 intrastate travel to accommodate    requirements of section 44903
 states with unique air              (j)(2)(B) of title 49, United
 transportation needs                States Code, modified CAPPS II or
                                     Secure Flight or other follow-on/
                                     successor programs with respect to
                                     intrastate transportation to
                                     accommodate states with unique air
                                     transportation needs and passengers
                                     who might otherwise regularly
                                     trigger primary selectee status.
10. Life-cycle cost estimates and   Appropriate life-cycle cost
 expenditure plans                   estimates, and expenditure and
                                     program plans exist.
------------------------------------------------------------------------
Source: GAO.

ENDNOTES
    \1\ Section 518 of the Department of Homeland Security 
Appropriations Act, 2006 (Pub. L. 109-90) requires GAO to report to the 
Committees on Appropriations of the Senate and House of Representatives 
on the 10 issues listed in Sec. 522(a) the Department of Homeland 
Security Appropriations Act, 2005 (Pub. L. 108-334), not later than 90 
days after the Secretary of the Department of Homeland Security 
certifies to the above-named committees that Secure Flight has 
satisfied the 10 issues. These 10 issues relate to system development 
and implementation, effectiveness, program management and oversight, 
and privacy and redress. We are also conducting our ongoing review in 
response to requests from the United States Senate: the Committee on 
Commerce, Science, and Transportation, and its Subcommittee on 
Aviation; Committee on Appropriations, Subcommittee on Homeland 
Security; Committee on Homeland Security and Governmental Affairs; 
Committee on Judiciary; also the House of Representatives: Committee on 
Transportation and Infrastructure, Committee on Homeland Security; and 
the Chairman of the Committee on Government Reform.
    \2\ GAO, Aviation Security: Secure Flight Development and Testing 
Under Way, but Risks Should Be Managed as System Is Further Developed, 
GAO-05-356 (Washington, D.C.: March 2005).
    \3\ This statement does not provide information on the area of 
congressional interest related to modifications with respect to 
intrastate travel to accommodate states with unique air transportation 
needs because data were not yet available to us on the effect of these 
modifications on air carriers.
    \4\ TSC was established in accordance with Homeland Security 
Presidential Directive-6 to consolidate the government's approach to 
terrorism screening, including the use of terrorist information for 
screening purposes. TSC is an interagency effort involving DHS, 
Department of Justice, Department of State, and intelligence community 
representatives and is administered by the Federal Bureau of 
Investigation.
    \5\ CAPPS rules are characteristics that are used to select 
passengers who require additional security scrutiny. CAPPS rules are 
Sensitive Security Information.
    \6\ Aviation and Transportation Security Act, Pub. L. 107-71, 
Sec. 136, 115 Stat. 597, 637 (2001).
    \7\ TSA plans to use this centralized vetting capability to 
identify terrorist threats in support of various DHS and TSA programs. 
In addition to Secure Flight, TSA plans to use the platform to ensure 
that persons working at sensitive locations; serving in trusted 
positions with respect to the transportation infrastructure; or 
traveling as cockpit and cabin crew into, within, and out of the United 
States are properly screened depending on their activity within the 
transportation system. In addition to supporting the Secure Flight and 
Crew Vetting programs, TSA expects to leverage the platform with other 
applications such as TSA screeners and screener applicants, commercial 
truck drivers with hazardous materials endorsements, aviation workers 
with access to secure areas of the airports, alien flight school 
candidates, and applicants for TSA's domestic Registered Traveler 
program.
    \8\ The Intelligence Reform and Terrorism Prevention Act of 2004 
requires that TSA begin to assume responsibility for the passenger 
prescreening function within 180 days after the completion of testing. 
Pub. L. 108-458 Sec. 4012, 118 Stat. 3638, 3714-19 (codified as amended 
at 49 U.S.C. Sec. 44903(j)(2)).
    \9\ This description of the Secure Flight system, as well as the 
graphic illustrating the system in figure1, is based on TSA's draft 
June 9, 2005, concept of operations, a document that gives a high-level 
overview of the Secure Flight system.
    \10\ TSA also plans to utilize a cleared list as part of the watch 
list matching process; the cleared list is composed of individuals who 
are frequently misidentified as being on the TSDB and who have applied, 
and been approved, to be on the list.
    \11\ These measures may include additional screening or other law 
enforcement actions.
    \12\ Some selectees will receive a boarding pass from air carriers, 
but be required to undergo secondary screening prior to boarding the 
aircraft, while other selectees will first be met by law enforcement 
personnel, who will determine if the individual should receive a 
boarding pass. In addition, air carriers, through their application of 
the CAPPS rules, may also designate a passenger as a selectee.
    \13\ Examples of higher-order sources include legislation, which 
may dictate certain requirements, and other system documentation, such 
as the operational concept. When requirements are managed well, 
traceability can be established from the source requirements to lower-
level requirements and from the lower level back to their source. Such 
bidirectional traceability helps determine that all source requirements 
have been addressed completely and that all lower-level requirements 
can be verified as derived from a valid source.
    \14\ Key requirements documentation we reviewed included the 
Transportation Vetting Platform/Secure Flight System Requirements 
Specification (May 13, 2005), the Secure Flight System Security Plan 
(July 15, 2005), the Transportation Vetting Platform System Security 
Plan (July 15, 2005), Transportation Vetting Platform and Secure Flight 
Security Risk Assessment (July 15, 2005), and documentation called for 
under Federal Information Processing Standard (FIPS) 199 (August 23, 
2005).
    \15\ The NIST requirements provide guidelines for selecting and 
specifying security controls for information systems supporting the 
executive agencies of the Federal Governments. The guidelines apply to 
all components of an information system that processes, stores, or 
transmits Federal information.
    \16\ An authorization to operate is issued for the information 
system, if, after assessing the results of the security certification, 
the authorizing official deems that the risk to agency operations, 
agency assets, or individuals is acceptable.
    \17\ OMB, Circular No. A-11, Part 7, Sec. 300. Planning, Budgeting, 
Acquisition, and Management of Capital Assets.
    \18\ The DHS Investment Review Board also reviewed the CAPPS II 
program in October 2003 and authorized the program to proceed with the 
system's development.
    \19\ The Committee was established under the authority of the 
Homeland Security Act, Pub. L. 107-296, in accordance with the 
provisions of the Federal Advisory Committee Act (5 U.S.C. App.2). At 
the first meeting of the Committee, in April 2005, Secure Flight was 
recommended as a program for examination for numerous reasons, 
including the number of citizens affected by the program, weaknesses in 
the program's redress system identified by us in our March 2005 report, 
and the program's potential use as a model for other related DHS 
efforts.
    \20\ The Aviation Security Advisory Committee, now within DHS, was 
formed in 1989 to provide advice on a variety of aviation security 
issues.
    \21\ Department of Justice Office of the Inspector General, Review 
of the Terrorist Screening Center's Efforts to Support the Secure 
Flight Program, August 2005. Congress requested that the DOJ-OIG 
evaluate TSC's plans to support Secure Flight to report these findings 
to the House and Senate Appropriations Committees.
    \22\ Department of Justice Office of the Inspector General, Review 
of the Terrorist Screening Center, June 2005.
    \23\ The current draft of the DTPG also includes several appendices 
that provide additional, detailed program information to airlines, 
including an Interface Control Document containing detailed technical 
information such as message content and screen layout, a high-level 
technical plan for implementing various components of Secure Flight, 
detailed programming specifications for message timing and instructions 
for various passenger vetting scenarios, a recommendation that the 
airline industry develop an industry standard method for communicating 
Full Name (FN) and Date of Birth (DOB), and the system operational test 
plans.
    \24\ Stress testing refers to measuring a system's performance and 
availability in times of particularly heavy (i.e., peak) load.
    \25\ According to the DOJ-OIG, when Secure Flight becomes 
operational, TSC anticipates a significantly greater operational 
workload as a result of the program and an increased need for staff, 
space, and funding.
    \26\ Correspondence to the Honorable Michael Chertoff, Secretary, 
Department of Homeland Security, October 27, 2005.
    \27\ CBP and TSA officials stated they will use this same network 
to transmit data for their respective international and domestic 
prescreening efforts. Different addresses on the passenger information 
will ensure that TSA and CBP data are routed to the appropriate 
handling agencies for screening.
    \28\ For international prescreening, name-matching is conducted 
using data elements from a passport, whereas passports are not required 
for domestic flights.
    \29\ We currently have an on-going review of CBP's international 
prescreening process, including assessing the current process for 
conducting international passenger prescreening and reviewing the 
benefits and challenges of implementing additional or enhanced 
international prescreening strategies.
    \30\ Whereas stress testing is used to determine the maximum 
capacity of the system, operational testing is used to ensure that the 
system operates as intended, including the people and the information 
technology systems operating together in their expected environments.
    \31\ The name matching process depends on the level of false 
positive and false negative matches deemed acceptable. False negatives 
are passengers incorrectly not matched to a watch list.
    \32\ The score is based, in part, on how much weight is given to, 
say, name or date of birth relative to each other.
    \33\ Department of Justice Office of the Inspector General, Review 
of the Terrorist Screening Center, June 2005. According to the DOJ 
Office of the Inspector General's report, some errors in the TSDB might 
be corrected by a manual review conducted by intelligence analysts and 
a redress process.
    \34\ We have an ongoing review of the reasons misidentifications 
occur using TSDB data, and the efforts by the TSC and other agencies to 
reduce these errors.
    \35\ Department of Justice Office of the Inspector General, Review 
of the Terrorist Screening Center's Efforts to Support the Secure 
Flight Program, August 2005.
    \36\ Falsifying identifying information involves passengers 
attempting to hide their true identities by submitting fictitious 
identifying information, such as false addresses, when purchasing 
tickets. Identity theft would involve a passenger ``stealing'' another 
person's identifying information, such as name and date of birth, and 
then using that identifying information to create fraudulent documents 
associated with the identity (such as a driver's license containing the 
stolen identifiers with the thief's picture). This is sometimes 
referred to as identity fraud.
    \37\ The Department of Homeland Security Appropriations Act, 2006, 
Pub. L. 109-90, Sec. 518 (e), 119 Stat. 2064, 2085 (2005).
    \38\ This prohibition on the use of appropriated funds does not 
apply to passenger name record data obtained from air carriers.
    \39\ GAO, Aviation Security: Challenges in Using Biometric 
Technologies, GAO-04-785T (Washington, D.C.: May 19, 2004).
    \40\ Privacy Act of 1974, Pub. L. 93-579, 88 Stat. 1896 (codified 
as amended at 5 U.S.C. Sec. 552a).
    \41\ Also, in its mandate regarding Secure Flight, Congress asked 
that GAO review whether there are any specific privacy concerns with 
the technological architecture of the Secure Flight system.
    \42\ The Privacy Act requires that an agency publish a system of 
records notice in the Federal Register upon establishment or revision 
of the existence and character of any system of records. See 
Sec. 552a(e)(4).
    \43\ The E-Government Act of 2002 requires agencies to conduct a 
privacy impact assessment before developing systems that collect, 
maintain, or disseminate information in an identifiable form. Pub. L. 
107-347, 116 Stat. 2899.
    \44\ GAO, Aviation Security: Transportation Security Administration 
Did Not Fully Disclose Uses of Personal Information during Secure 
Flight Program Testing in Initial Privacy Notices, but Has Recently 
Taken Steps to More Fully Inform the Public, GAO-05-864R (Washington, 
D.C.: July 22, 2005).
    \45\ See Pub. L. Nos. 108-334, Sec. 522(a)(1); and 109-90, 
Sec. 518(a).
    \46\ TSA's Office of Transportation Security Redress manages 
redress for the current watch list matching process conducted by the 
air carriers. Currently OTSR is developing an agency-wide policy for 
redress and has interviewed TSA Officials as part of this effort, but 
found that Secure Flight requirements were not sufficiently defined for 
use in drafting the new policy. TSA officials stated that they are 
continuing to discuss the Secure Flight redress process with OSTR.
    \47\ See Pub. L. 108-458, Sec. 4012(a) (codified at 49 U.S.C. 
Sec. 44903(j)(2)(C), (G)).
    \48\ This requirement generally addresses principles from both the 
Privacy Act--that individuals be able to access and correct their 
personal information--and the Fair Information Practice of individual 
participation--that individuals be able to know about the collection of 
personal information, to access that information, to request 
correction, and to challenge the denial of such requests. However, 
Secure Flight's redress system will be challenging for two significant 
reasons. First, much of the information underlying decisions to add 
individuals to the TSDB is likely to be classified, and as such will 
not be accessible to passengers. Second, TSA does not control the 
content of the TSDB that it intends to use as the primary input in 
making screening decisions.

    The Chairman. Thank you very much.
    Mr. Hawley, since September 11th the Congress mandated 
multiple layers of security benefits to secure commercial 
aviation, including explosive devices--the explosive-device 
systems for baggage and hand screening procedures for 
passengers, expansion of the prohibited-items list, and 
hardened cockpit doors. New technologies, such as full-body 
imaging and explosive detectors for passengers, are also being 
deployed at airports by your agency to be used as secondary 
screening tools. With all of that, what really is the necessity 
for the Secure Flight Program?
    Mr. Hawley. The Secure Flight Program is, I believe, an 
essential layer to that, which is to take known terrorists, who 
could be threats to the aircraft, and not let them get near the 
aircraft. And it's the requirement of the Intelligence Reform 
bill and the recommendation of the 9/11 Commission. So, it is a 
system that is essential and has continued to improve. And I'd 
like to just stress that every known terrorist, known to the 
U.S. Government, is, today, denied boarding. In the real world 
of today, that is in place. And it will become better when 
Secure Flight is implemented, but we're not waiting on Secure 
Flight for that.
    The Chairman. How much has your agency spent to launch this 
and finish the Secure Flight Program? And what about the 
predecessor program, CAPPS II? I think we're interested in what 
we can do to assist, but it does seem that that program's taken 
a lot of money, and there are others coming.
    Mr. Hawley. Yes, sir. $144 million, I believe, is the money 
for Secure Flight. CAPPS II was a program that started off as a 
program to evaluate the security risk of the passenger. It was 
discontinued toward the end of 2004, and Secure Flight went 
forward at that point, just for the terror watch-list matching. 
I think you put your finger on one of the key problems here is 
that the architecture of CAPPS II, which was the original 
system, was used as the base for building Secure Flight on out, 
and the review that we're doing now says, ``Let's just 
rebaseline it and say we're going to do just the terror watch-
list matching, and go from there.''
    The Chairman. I don't want to embarrass anybody, and I 
don't want to get in any trouble at home, but we have people 
like Ted Kennedy being stopped, my wife, Catherine Stevens, 
being questioned whether she's ``Cat Stevens.''
    [Laughter.]
    The Chairman. How do people get off these lists? How do 
they prevent from being approached in a redundant way once 
that's been established?
    Mr. Hawley. There is a process called the Redress Office, 
where we have a phone number and website, that the people who 
have familiar names--or names that are close to those of 
terrorists. They provide additional data. We give them a 
special number that then goes into their passenger record, and 
that list is actually kept, so that if they show up, they are 
removed from that confusion. And when it comes into Secure 
Flight, into the government, the system will run a little bit 
better, because it'll be totally automated, whereas, now it's 
part of the airline process.
    The Chairman. OK.
    I'm going to shift to you, Ms. Berrick. I think that the 
Congress mandated the GAO study ten elements of this program, 
Secure Flight, and it seems to me that TSA has an impossible 
task to move forward because of the criticism it's received 
from your agency on complying with those ten points. Aren't you 
really holding up moving on to further actions by the detail of 
the criticism you've given for so long on Secure Flight?
    Ms. Berrick. Thank you, Mr. Chairman.
    We are mandated to look at those ten issues, and we have 
been working with TSA to be clear on the criteria that we're 
using to assess the program. But I think the real reason for 
the program delays hasn't been the review; it's been, first of 
all, I think, a lack of key policy decisions made by DHS and 
TSA regarding some critical aspects of the program that haven't 
yet been decided. The big decision that hasn't yet been made is 
what data TSA and DHS will require air carriers to provide. The 
air carriers are waiting for a rule to be issued. That rule has 
been pending for quite some time and hasn't been issued.
    I think another reason for the delay is DHS's oversight 
over Secure Flight. DHS has a mechanism in place called the 
Investment Review Board, where they look periodically at major 
IT investments at every major milestone, and at any time they 
feel the program needs to be reviewed, to make sure it's 
progressing. DHS hasn't reviewed Secure Flight in over a year 
through that Investment Review Board process.
    And in addition to the development process of Secure 
Flight, the requirements haven't been fully defined. TSA isn't 
following their own established development process of major IT 
systems.
    The Chairman. Well, how can they finish it if you 
constantly are asking them questions about what they haven't 
done? I'd like you both to give us a timeframe. Mr. Hawley, how 
much time and how much money have you spent on Secure Flight? 
And you tell us how much money--how much time you've spent. But 
I'm interested in how many people you've got holding up the 
total number of people he's got. OK? Just for the record. *
---------------------------------------------------------------------------
    * The information referred to is printed in the Appendix.
---------------------------------------------------------------------------
    The Chairman. Senator Inouye?
    Senator Inouye. We've been concerned about privacy. I'm 
certain you realize that. Yesterday, we had a hearing on cell-
phone privacy. You've spent some time on security and privacy. 
How do you expect to approach this privacy problem?
    Mr. Hawley. Senator, I think the ``privacy problem,'' will 
not go away unless the system is designed from the bottom up, 
with every process done from the start with privacy in mind, 
that is the way that a system will be built that can go forward 
and give people in the public confidence that there's not going 
to be a privacy problem. And that is what we're doing in what I 
said today, recertifying the program will, in fact, do what I 
just suggested. And I believe that is the only way to do it. 
And, as we have known, we have tried very hard over 4 years to 
be perfect on privacy, and that is very hard, unless the system 
is built specifically with that in mind.
    Senator Inouye. Is it true that your agency is considering 
using private vendors to access information, personal 
information, instead of the Government?
    Mr. Hawley. For Secure Flight, no. For Registered Traveler, 
which would be a voluntary program, private-sector program, 
there is a possibility that they would use private-sector 
operations for that.
    Senator Inouye. The GAO has suggested that they have some 
difficulty determining how much has been spent. Do you have any 
idea?
    Mr. Hawley. Yes, I think that we've got a good handle on 
how much is being spent. So, 144 million, I think, is the 
number. The issue that I hear from the GAO is, ``Your 
management controls, which go to being able to see whether 
you're on target or off target, are not as specific as they 
need to be.'' And I think that's a fair criticism.
    Senator Inouye. Do you agree?
    Ms. Berrick. We've been unable to identify specifically how 
much has been spent on Secure Flight and its predecessor. We're 
estimating about 132 million, which is pretty consistent. One 
of the problems we've identified, though, as they're moving 
forward, the need for TSA to develop life-cycle cost estimates, 
and how much they think this program will cost in the out 
years. And that's one of the areas that we think that TSA needs 
to focus on.
    Senator Inouye. Mr. Hawley, I've been told that you're 
considering using private screeners to run your Registered 
Traveler Program. Is that authorized under the law?
    Mr. Hawley. Yes. It is simply the same program that exists 
for every other aspect of TSA screening, that if the airport 
requests some combination of public and private, or all 
private, or all public, it's my understanding that is allowed 
under the law. And so, our attitude is, we exist only in 
airports, as far as aviation is concerned, and we take very 
seriously the request of the local airport.
    Senator Inouye. What about fraudulent or stolen identities? 
Are you being able to cope with that?
    Mr. Hawley. That is one of the major problems, I think, in 
security, is why you spend a lot of time understanding who the 
known terrorist is when that person doesn't use their name. 
That is a challenge. And it is something that has to require 
the different layers of detection, which include--that was 
where I mentioned CAPPS and the behavior aspect. And it's 
something that we're working very hard. And I think, as you 
know, we've done some pilots in the last couple of months that 
would add further layers directed at the unknown terrorist.
    Senator Inouye. Ms. Berrick, my final question, do you 
think that the Secure Flight concept is sound and worth the 
effort?
    Ms. Berrick. I think the program has the potential to 
provide some significant security benefits. The problem is, it 
hasn't yet been proven whether or not it will do so. Some of 
these policy decisions I mentioned that haven't yet been made 
have the ability to significantly influence how effective this 
program is, including how many additional people will be 
selected for screening. So, until these decisions are made and 
TSA follows this process that we've talked about to identify 
what capabilities they're going to deliver, it's difficult to 
determine what impact the system will have on aviation 
security. But I think the potential is there that it could 
strengthen aviation security.
    Senator Inouye. So, it's worthwhile proceeding?
    Ms. Berrick. I think so. I think it's important that TSA 
stop and rebaseline their program, as they're doing, define 
their requirements, and that DHS hold TSA accountable for 
making progress on meeting those requirements, within 
acceptable levels of cost.
    Senator Inouye. Thank you very much.
    Ms. Berrick. Thank you.
    Senator Inouye. Thank you, Mr. Chairman.
    The Chairman. Senator Nelson?
    Senator Ben Nelson. Thank you, Mr. Chairman.
    Mr. Hawley, I've had constituents from Nebraska whose names 
were put on a terror watch list. We've eventually gotten them 
removed by going through the process that you've outlined. Can 
you, without revealing anything that shouldn't be revealed, 
give us some idea about how that could happen?
    Mr. Hawley. Sure.
    Senator Ben Nelson. It wasn't like ``Cat Stevens,'' or it 
wasn't something that was specific. These were fairly generic 
names. For the life of me, I could not understand how their 
names got on there. And we did have, initially, some 
significant difficulties in getting them removed--much, much 
more so than I would have expected.
    Mr. Hawley. That part of the program, the so-called 
``redress,'' has improved as we've gone along, and just like 
the rest of the program, needs further improvement. But the way 
it works----
    Senator Ben Nelson. Well, I can understand that. But how--I 
mean, I--I'm glad it's being improved. But how could it have 
been so flawed at the beginning? That's my question.
    Mr. Hawley. It's that a terrorist is identified, and that 
individual has a name and other identifying characteristics. 
And, unfortunately, there are a lot of people who have similar 
names; and, in many cases, the same name; and, in some cases, 
the same ``other identifying information.'' So, what's happened 
is, there is a terrorist that's using your name, and, once we 
figure out that the Nebraska person--what their identity is, 
and then we get their identifying information, we put that in 
the system, and then they are not confused as the terrorist, at 
that point. But it is possible that when somebody's added to 
the terror watch list, that everybody that flies with that 
identical name is going to have the first-time problem.
    Senator Ben Nelson. OK. But it is being corrected. Do you 
have any indication, in terms of numbers, of how many people 
have had to go through that redress process?
    Mr. Hawley. I know we have it. I don't have it, off the top 
of my head. But we can----
    Senator Ben Nelson. Could you give me that?
    Mr. Hawley. Certainly.
    Senator Ben Nelson. Because it seems like it might be 
disproportionate. I didn't know there were a lot of people with 
the last name ``Moore'' that would have necessarily been on 
that list, so maybe you need to know more about that.
    And then I did mention the two-tiered system, which I can 
understand for air fares, but I don't understand for security 
purposes.
    Mr. Hawley. Yes, sir. The rules are, you enter TSA's 
checkpoint at the point that you present yourself to the 
screener, essentially, and that the airline has the 
responsibility of line management. So, it is at the discretion 
of----
    Senator Ben Nelson. The airline or the airport?
    Mr. Hawley. The airline, I believe.
    Senator Ben Nelson. What if there are multiple airlines 
using----
    Mr. Hawley. Yes. Well----
    Senator Ben Nelson.--the same security?
    Mr. Hawley. There is an agreement that's worked out, of 
actually fairly longstanding practice, of how to work that out.
    Senator Ben Nelson. Well, I----
    Mr. Hawley. In other words, it's not a TSA decision that 
says there should be X number of lines.
    Senator Ben Nelson. OK. You think that's OK? We pay--we all 
pay the two-fifty for each segment of the flight, but we get 
different treatment at the airport prior to security.
    Mr. Hawley. Well, when you show up to a TSA employee, we 
treat people the same, unless there is a security reason not 
to.
    Senator Ben Nelson. All right.
    With respect to the Registered Traveler program, you said 
that it's going to be paid for by the people who voluntarily 
submit themselves to that program. What about recovering 
developmental costs?
    Mr. Hawley. Our plan is to cover the costs of the total 
program by those who use it. And I have just been provided the 
answer to your question about how many, and the answer is 
30,000 total, or about 1500 a week.
    Senator Ben Nelson. That end up on that----
    Mr. Hawley. Redress list.
    Senator Ben Nelson.--redress list.
    What about--do we know what the costs have been for 
development of the Registered Traveler program? And do we have 
an indication of how many people are going to use it, so that 
we get a quantifier of what it's going to cost per person, so 
that there is a recovery of the costs?
    Mr. Hawley. It's a market-based program, and we've worked 
very hard to get the lines for everybody down to a very 
manageable length of time. And that effort continues to be 
successful, which may lessen the market for a Registered 
Traveler Program. That's why we left it to the private sector, 
that says if there is, in fact, a market, they will make 
themselves known, they'll figure it out. But, from the TSA 
point of view, we did not feel it was essential for us to 
invest taxpayer money to go figure out the answer to that 
question.
    Senator Ben Nelson. Well, I would agree, if--except for the 
fact that there's also a risk analysis going along with it, and 
if you have the Registered Traveler program in place, you would 
theoretically, and hope in actual practice, be the case that 
you would have less risk associated with those registered 
travelers; therefore, you could spend less time on them, more 
time where the risk could be greater, because the unknown and 
the uncertainty factors are there. So, they're really--I mean, 
I don't mind going to the outside to pay for it, but I think 
there is a cost savings associated with your agency not having 
to have personnel spend time on registered travelers, not 
because they've got priority treatment, but because they 
represent less of a risk.
    Mr. Hawley. Yes, sir, we agree with that logic.
    Senator Ben Nelson. So, I guess I'm not objecting to your 
going to the outside; I don't see the logic for going to the 
outside.
    Mr. Hawley. It's that we have other priorities that are 
more important; and sometimes in making priorities the Secure 
Flight is a bigger priority for us than Registered Traveler. 
And these other layers of security, we feel, are critical. And 
it's a question of bandwidth, it's a question of money.
    Senator Ben Nelson. In terms of any kind of a cost-benefit 
analysis for Secure Flight or Registered Traveler, do you feel 
that you've been able to--you said that trying to get the costs 
are hard to determine, but have you developed a cost-benefit 
analysis that might help us shed some--might shed some light on 
whether we're improving security or we're just keeping people 
busier going through the airports?
    Ms. Berrick. Yes, Senator. One of the things we looked at 
for Secure Flight--and we didn't look at Registered Traveler--
but with Secure Flight, we looked at: To what extent did TSA 
develop, first of all, a cost-benefit analysis and then define 
requirements and then pursue development of this program? We 
found that TSA didn't develop a cost-benefit analysis for 
Secure Flight, specifically, so that there was nothing for us 
to review.
    I wanted to make one comment about GAO's review of Secure 
Flight. The legislation requires that after TSA certifies that 
they have met these ten issues, then GAO has to assess their 
certification. So, the really--the next point in this process 
is TSA certifying that they've satisfied all these issues 
related to privacy and development. And it's not pending a GAO 
review; they can move forward and do that at any time. But 
we'll continue to look at their development and privacy as they 
move forward with the program.
    Senator Ben Nelson. Thank you.
    And thank you, Mr. Chairman.
    The Chairman. Yes, sir.
    Senator Burns?

                STATEMENT OF HON. CONRAD BURNS, 
                   U.S. SENATOR FROM MONTANA

    Senator Burns. I keep looking at TSA, screening and airport 
security. I wish we'd have stayed with my amendment on the 
floor and put airport security in the Department of Justice and 
let the marshals do it. Then we wouldn't be meeting here today. 
We'd probably have these programs already in place. But we lost 
that fight, and now we've got to deal with this.
    I had the same problem with a couple of my constituents in 
Montana that Senator Nelson had. And it took us a year and a 
half on one, and I've still got one in there. And the only 
place that this guy is dangerous is on a golf course.
    [Laughter.]
    Senator Burns. And I just fail to see, whenever you've got 
affidavits and everything else identifying this guy, why--and 
if he's traveling with someone, Mr. Hawley--they take his wife 
or the couple they may be traveling with and question them? 
They make a lot of trips back and forth between Montana and 
Arizona, and every time, they go to the room, and everybody 
that's traveling with him goes too. So, I just wish that 
somebody down there would respond to those things. I understand 
the need for security. We're not complaining about that. And so 
does he. But he has to put another 30 minutes on his airport 
time, knowing that he's going to go to the little room. And 
that's very unhandy.
    Let me just ask a couple of questions on this particular 
program. Say that I have a card for this program. I've paid for 
it, I've complied with all the information. Does your 
department keep a database to keep track of my travel, or is 
that information cleared from the record at a certain point? I 
mean, how long do you keep the records of my travel and travel 
movements, or do you keep a database on it?
    Mr. Hawley. Well, we don't get it for Secure Flight. It's a 
bouncing mechanism that says, Is this person on the watch list, 
or not--yes or no? And that's the end of it.
    Senator Burns. That doesn't record the amount of times that 
I have walked through security to board an airplane?
    Mr. Hawley. No.
    Senator Burns. It's not.
    Mr. Hawley. Not to my knowledge. Yes, 72 hours after the 
trip, we delete the record.
    Senator Burns. You clean the----
    Mr. Hawley. Delete it.
    Senator Burns. You clean the records.
    Mr. Hawley. Yes.
    Senator Burns. Now, if a person is rejected, what is the 
process or the protocol for explaining why they were rejected? 
Is there a protocol? Do you give them the reasons why they were 
rejected?
    Mr. Hawley. In most cases, no. Now, if the person is a 
mistake, then clearly yes. That's a mistake, you shouldn't be 
on the list, there's a number you call, there's a way you get 
yourself off the list. But if someone is on the list and is a 
terrorist, we do not feel the obligation to share with them 
everything that the Government knows.
    Senator Burns. OK. Now, I walked through a new machine at 
National the other day. They call it ``the puffer,'' or 
something.
    Mr. Hawley. Yes, sir.
    Senator Burns. Tell me the difference between that 
particular piece of equipment and the ones we've been using in 
the last year or so.
    Mr. Hawley. The puffer technology dislodges explosive 
particles that permeate you or your clothing or your 
belongings. And so, the puff of air dislodges some of that 
chemistry, it's brought up into the top of the machine, where 
it goes through an analysis that is essentially the same one 
that happens when they do the swab of your material. It's the 
same technology, to compare that with the known explosive. So, 
that's what the technology is. It's a different way. Instead of 
rubbing the surface, it dislodges some of the small particles.
    Senator Burns. I just thought of something. Are they going 
to ask you to survey on what kind of aftershave we're using, or 
anything like that?
    Mr. Hawley. As long as it's not explosive, you'll be fine.
    Senator Burns. OK, just explosives. That's a good thing.
    [Laughter.]
    Senator Burns. That's a good thing.
    And that's all I have, Mr. Chairman. I just wanted to ask 
about those particular items of concern for some of my 
constituents that travel quite a lot. And I find more people 
are willing to join the Registered Traveler program, just 
because they like to go get on the airplane. And so, that's it. 
But thank you very much.
    Ms. Berrick. Senator, if I could add, quickly, the redress 
process that Mr. Hawley just explained was for the current 
prescreening process that the air carriers maintain. The 
redress process for Secure Flight hasn't yet been fully 
defined, and that could also impact how long data is kept after 
the process, so that TSA could go back and make any 
corrections.
    Senator Burns. Yes, we have a tendency to run both of the 
programs together, and I'm sorry about that. I didn't make that 
clear.
    Thank you very much, Mr. Chairman.
    The Chairman. Thank you very much.
    Mr. Hawley, I wanted to arrange a classified briefing with 
you--I want to arrange a classified briefing with you on how 
this intersects with our information systems that will lead to 
intelligence-sharing. So, if we keep that in mind----
    Mr. Hawley. Yes, sir.
    The Chairman. I don't know what your timeframe is, but I do 
want the Committee to have a further briefing on the 
interlocking between this system and the intelligence systems 
that are further designed to assure the traveling public has 
the security it needs.
    We thank you both for being with us today. Thank you very 
much.
    Ms. Berrick. Thank you, Mr. Chairman.
    The Chairman. Did you have any further questions, Senator?
    Our next panel is Jim May, the Chief Executive Officer of 
the Air Transportation Association; Charles Barclay, President 
of the American Association of Airport Executives; Tim 
Sparapani, Legislative Counsel for Privacy Rights at American 
Civil Liberties Union; and Bill Connors, the Executive 
Director, Chief Executive Officer of the National Business 
Travel Association.
    Ms. Snowe is here, and I failed to recognize her to put her 
statement in the record if she wishes. I know she had another 
commitment at Finance.
    We're pleased to have you with us this morning, gentlemen. 
As I indicated before, your statements automatically go in the 
record as though read, and we'll be pleased with your 
summaries.
    Mr. May, we'll call on you first.

  STATEMENT OF JAMES C. MAY, PRESIDENT AND CEO, AIR TRANSPORT 
                  ASSOCIATION OF AMERICA, INC.

    Mr. May. Thank you, Mr. Chairman. In the interest of time, 
I'd like to summarize even my oral statement and make a couple 
of fundamental observations.
    First, I'd like to thank the Committee for again taking a 
principled stand that aviation security is a function of 
national security, and should be paid for as such. Regrettably, 
not everyone agrees with that. And as a result, we have more 
proposals from the Administration, trying to increase the 
security fees that we pay today.
    I think it's important to put that in context as we begin 
this debate on Registered Traveler and Secure Flight, because 
when TSA was started up, it had a budget of roughly $4 billion; 
today it has roughly the same budget. We started paying fees, 
back in 2002 to TSA, that aggregated somewhere a little over 
$1.2 billion, just strictly to TSA. We have three other fees 
that we pay to other elements of the Department of Homeland 
Security. I think we're the only transportation mode that pays 
those. And those fees have now grown, in aggregate to DHS, to 
about $4 billion a year from that initial beginning of $1.25 
billion or $2.6 billion. And we now have proposals for an 
additional billion-four on top of what we're already paying.
    So, we not only care about the business of security from 
the perspective of trying to have our passengers, your 
constituents, move through airports as quickly and efficiently 
as possible, but we care from the perspective of the amount of 
money that we're being charged, and our passengers are being 
charged, every single year by the Department of Homeland 
Security and TSA. And I hope that provides some perspective.
    Now, when it comes to the Registered Traveler program, you 
know, there's an old line in song about ``being country before 
country was cool.'' ATA was one of the original supporters of a 
registered-traveler program, but let me ask you to think back 
to that time. That time was when we had not only people going 
through security, but, once you got to the gate, you had to go 
through the gauntlet one more time. And the likelihood is, if 
you were the third person to go through, everybody knew you 
were going to get pulled aside, and you'd get searched and 
wanded, and you'd have to dump all your materials out onto a 
folding table and so forth. And so, we, at that point, said, 
look, let's try and expedite this process a little bit, and 
maybe we can have a registered-traveler program.
    I hate to think about how much money has been wasted on the 
RT and the Secure Flight programs since that time, but the good 
news is that the process has improved dramatically. We got rid 
of the gate check, we're doing other measured improvements to 
security. People are acustomed to going through the process. 
And instead of having those 2-hour waits, we now have, believe 
it or not, about a 10-minute wait, on average, throughout the 
system. So, the need for that Registered Traveler program that 
we first envisioned, I don't think is there.
    What we really need to do today is get the TSA to focus on 
improving the process for all passengers, not a select few 
passengers. We need to get the better technology, the puffer 
technology that Senator Burns, I think, talked about. We need 
to make sure that we move through crews and pilots in a quicker 
way, because they are already certified to go through the 
process. We need to have more technology, as I said, and we 
need to get the TSA to start putting their part-time workers on 
during peak periods. I think if those changes are made, we're 
going to see the process for everybody improve dramatically.
    Now, as to the RT program itself--or, I'm sorry, the Secure 
Flight program itself, I'd like to point out to the Committee 
that it's not just the Secure Flight program. We, as airlines, 
have had to deal with CAPPS, with CAPPS II, with Secure Flight, 
with Registered Traveler, with APIS, with APIS Plus 60, APIS 
AQQ, the CBP's PNR access program, and, most recently, we're 
being asked to comply with a bunch of requirements on data 
collection by CDC as it relates to avian flu. So, we are facing 
seven different government programs, all of which are intended 
and directed at passenger prescreening. There are some 34 
different data elements that we're being asked for. And there 
are at least 20 countries around the world that have similar 
kinds of programs. In my written testimony, I've suggested a 
series of things that can be done to simplify that process, but 
we are being inundated with data requests.
    So, our real request to this Committee is, please force 
TSA, force DHS, force CBP, force all of these different 
agencies to come up with a single simple template that can be 
used against the watch list, that can be used against other 
programs, and go forward with that, put your energies there, 
along with technology increases, so that we move everybody 
through the process more quickly than we are today, not just a 
special few who are willing to pay a great deal of money to 
become registered travelers for what I, personally, believe are 
going to be very limited benefits.
    Thanks for your time. I'm happy to answer any questions.
    [The prepared statement of Mr. May follows:]

 Prepared Statement of James C. May, President and CEO, Air Transport 
                      Association of America, Inc.

    No consumer service industry is affected by security requirements 
like the U.S. airline industry. That central fact significantly shapes 
the economics of providing air transportation. Yet the airline does not 
control this situation because civil aviation security in the United 
States is a Federal responsibility. This is as it should be but does 
not diminish the airline industry's very legitimate interest in seeing 
that security-related measures are effectively conceived and properly 
and economically implemented.
    In the last several years, the Transportation Security 
Administration has clearly improved its screening of passengers and 
their baggage. Anyone who regularly travels by air has witnessed that 
improvement. And TSA has emphasized its commitment to using risk 
analysis to establish security priorities. These developments are 
encouraging and should be recognized.
    Nevertheless, important elements of the government's aviation 
security programs are not nearly as cohesive or well founded as they 
could be. There is no justification for this. Aviation security is 
obviously dynamic but in these matters, to mix a metaphor, we should 
have gotten our sea legs by now. We need to do so quickly.
    Today's hearing is thus exceptionally important and timely. It is 
an opportunity for us to focus attention not only on the Secure Flight 
Program and the Registered Traveler Program but, equally important, 
also on other existing and emerging aviation security programs that 
will impose substantial new information demands on passengers and 
airlines. The characteristic that is common to these programs is their 
dependence on passenger information. That is where the commonality 
ends. These programs are uncoordinated, which is inexplicable and 
should attract close attention. Intuitively, most of us would assume 
that considerations of efficiency would have produced far more 
commonality among Federal programs that are both security oriented and 
data dependent. The fact that this has not happened should prompt an 
examination of their efficacy--how well they achieve their stated 
aviation security objectives; their efficiency--how economically they 
accomplish those objectives and whether less costly alternatives exist; 
and their protection of privacy--how thoroughly they preserve 
passengers' expectations of privacy, and how adequately and 
transparently they delimit governmental agencies' use of personal 
information.
    TSA's Secure Flight Program and its Registered Traveler Program 
illustrate the complexities of data-based security programs and, in the 
case of Registered Traveler, the need to return to first principles 
when evaluating them.
    Secure Flight is intended to pre-screen airline passengers. As 
envisioned, an airline would submit to TSA certain passenger 
information whenever a reservation is made for a domestic flight. It 
would enable TSA to compare reservation information with the Federal 
Government's no-fly and selectee lists. TSA expects that this 
arrangement will enhance security, improve pre-screening efficiency and 
reduce the number of passengers subjected to secondary screening. Each 
of these outcomes would be very desirable.
    Airlines and ATA have worked with TSA at several points in its 
development of Secure Flight. We have also worked with CBP and CDC on 
their passenger information needs. This experience has left two 
important impressions. First, coordination between government agencies 
and airlines is essential. Any program that involves government access 
to reservation information generates substantial data content, format 
and transmission issues. You cannot simply push a button to get 
passenger data that would be useful to TSA or any other Federal agency. 
Second, privacy issues are of the utmost significance in any government 
program to access passenger data. Privacy issues are an immutable part 
of the landscape.
    The nature of Secure Flight is such that the airline industry's 
involvement with TSA about it, necessarily, has been limited. 
Nevertheless, we are hopeful that its benefits can be soon realized.
    In contrast to our hopes about the Secure Flight Program, the 
Registered Traveler Program has turned into a shifting and dispiriting 
exercise. It compels you to ask, ``Where's the beef ?''
    The airlines were early and ardent advocates of the registered 
traveler concept. Four years ago we urged the development of a 
government system that would speed the screening of those passengers 
who did not present security concerns and thereby facilitate the 
processing of the vast majority of travelers. Today's Registered 
Traveler Program promises no such benefits to our customers. Indeed, 
the Registered Traveler Program as currently constituted has become 
even less attractive because it has been morphed into an orphan 
program; TSA has largely lateraled it to the private sector. Finally, 
the systemwide improvement in passenger screening that TSA has 
accomplished in the last few years begs the question of why this sorry 
state of affairs should continue.
    We are unaware of any evidence that Registered Traveler will 
produce the tangible and widely available benefits to passengers that 
we had envisioned in 2002; or that it will attract significant numbers 
of registrants; or that it will generate a pronounced improvement in 
overall security; or that vendor interoperability issues will be 
overcome; or that systemwide passenger wait times will diminish; or 
that passenger privacy issues have been confronted and satisfactorily 
resolved. We, however, do know that what was originally conceived as a 
straightforward governmental program to benefit the vast majority of 
passengers has been transformed into a commercial enterprise for what 
increasingly looks like the few.
    Registered Traveler neither offers the benefits to passengers nor 
the breadth of use that justify its introduction as a permanent 
program. It should be eliminated.
    As I observed at the beginning of my testimony, other existing and 
contemplated aviation security programs rely or will rely on government 
access to passenger information. Expanding passenger information 
requirements create substantial new demands on governmental agencies, 
airlines, and travelers. The problem is that government passenger 
information requirements thus far have only produced a mosaic. It 
remains to be seen if a coherent a picture will emerge.
    This is a serious situation. Given the security threats confronting 
civil aviation, there is no reason to believe that the government's 
passenger information needs will abate. Passenger data will be required 
for the Secure Flight program and the Registered Traveler program. In 
addition, passenger information is currently required for CBP's Advance 
Passenger Information System and CBP's passenger reservation 
information access program. Moreover, foreign governments are imposing 
similar demands on airlines flying to their countries, including U.S. 
air carriers. This unmistakable international trend is most evident 
with the ever-increasing number of countries that require APIS 
information but also is reflected in the Canadian requirement for 
access to passenger reservation information for international flights 
bound for Canada, including flights from the United States. Finally, 
the Centers for Disease Control has proposed a rule that would require 
that airlines collect and store broad new categories of passenger 
contact information.
    Information management is precisely where the government should be 
able to achieve a coherent policy. We appreciate the ongoing efforts of 
CBP and TSA to more closely align APIS and Secure Flight data 
requirements. However, the continued absence of a comprehensive, 
government-wide passenger information access policy is a matter of real 
concern to us. Nor is there any indication that any element of the 
Federal Government is inclined to assume the responsibility to develop 
and oversee such a comprehensive policy.
    This needs to change quickly. The U.S. Government must produce a 
uniform passenger information collection policy that applies to all of 
its civil aviation security and facilitation programs. Our government 
should also lead an effort to create such a policy for worldwide 
application.
    A workable government-wide passenger information policy should be 
predicated on four fundamental considerations.
    The first consideration is the recognition that a uniform policy is 
indispensable to the efficient collection, retention and use of 
passenger information. Multiple, uncoordinated information demands do 
not advance aviation security. Instead, they create unneeded 
complexity, wasteful duplication, and unjustifiable costs to the 
government, customers and airlines.
    The second consideration is that a uniform policy must be based on 
a single passenger information template that contains the only 
authorized categories of data that a Federal agency can require 
collection of or access to. Agencies should be prohibited from imposing 
unilateral data requirements that go beyond the template. A uniform 
policy means no ad hoc data requirements.
    Similarly, uncoordinated methods of data transmission are 
unnecessarily complex and costly. This is not the forum to explore how 
best to resolve this issue. But I want to highlight the importance of 
working as best we can to develop a single ``pipeline'' to transmit 
passenger data to Federal agencies. Independent transmission channels 
to multiple Federal agencies mean duplicative work for both airlines 
and the government, and the unnecessary cost and drain on scarce 
resources that inevitably result from such inefficiency.
    The third consideration is that the justification for every 
passenger information collection program should be evaluated under 
uniform criteria. The needs of individual agencies may vary but the 
conditions under which any agency is permitted to collect or access 
passenger information should not vary. Six basic criteria should be 
relied upon:

   Demonstrate civil aviation security or facilitation need. A 
        clear, direct relationship between the security threat or 
        facilitation need and the information sought should be 
        demonstrated. Presumably, this will be tied to the agency's 
        risk assessment. Data needs not associated with security or 
        facilitation should not be part of any passenger information 
        program.

   Minimize data demand. Data required should be the minimum 
        necessary to fulfill an agency's needs. This will reduce 
        impositions on passenger privacy and diminish airline 
        compliance costs.

   Use existing information sources. To the extent feasible, 
        agencies should rely on existing government passenger 
        information programs to fulfill their data needs.

   Avoid adverse effects on passenger processing. Information 
        collection requirements must avoid adversely affecting 
        passenger processing, whether during the reservations process, 
        airport check-in, security screening, or arrival in the United 
        States from overseas.

   Conduct thorough cost evaluation. Passenger information 
        collection, storage and transmission costs, as well as 
        individual passenger compliance costs must be recognized and 
        carefully evaluated. A cost-benefit analysis based on these 
        factors should be undertaken for each information collection or 
        access program.

   Minimize false hits. If passenger information is used to 
        evaluate a passenger for security purposes, the program must 
        contain measures that minimize false hits and enable the agency 
        to evaluate its false hit experience.

    The fourth consideration is that the privacy implications of any 
proposed passenger information requirement must be rigorously examined 
before the implementation of such a program. This is a matter of both 
accountability and legitimacy. It is a matter of accountability because 
the government should not demand personal information without 
performing such a careful analysis. It is a matter of legitimacy 
because the traveling program will not long support a government-
imposed information program that it believes does not scrupulously 
protect an individual's privacy.
    At the very least, this means that government programs must adhere 
to privacy principles that focus on information collection purpose, 
content, retention and onward transmission limitations. In addition, a 
prompt and effective redress mechanism must be available to those 
customers who believe that they have been adversely treated.
    Foreign governments' data privacy principles must also be taken 
into account because U.S. airlines that operate overseas are subject to 
them. Compliance in other nations is often enforced through both civil 
and criminal penalties. No U.S. airline should be subject to the 
conflicting requirements of the U.S. Government and a foreign 
government. This concern is very concrete. U.S. airlines operating to 
Europe confronted that prospect several years ago when European 
governments expressed skepticism about the adequacy of CBP's protection 
and use of passenger reservation information that it accesses. That 
situation has been resolved for the time being. It, however, left us 
with the clear realization that the U.S. Government--and not the U.S. 
airline industry--has the responsibility for resolving conflicts 
between its information requirements and the data privacy regulations 
of other nations.
    My experience over the last several years with security issues has 
convinced me of several things. First, coordination between the 
government and industry at the outset of the development of any 
aviation security program is critical and is plainly in the interest of 
the government, customers, and airlines. Second, we know how to measure 
the effectiveness of these programs; we should not be afraid to apply 
to them appropriate metrics--including risk and cost-benefit analyses. 
Third, we need to formulate, in very short order, a coherent 
government-wide policy about passenger information collection 
requirements. Fourth, resolution of privacy issues is crucial to the 
success of these programs and that resolution is the government's 
responsibility.
    Aviation security needs will change over time but the 
considerations that I have described in my testimony should facilitate 
prompt and effective responses to them, no matter how they may evolve.

    The Chairman. Thank you very much.
    The President of the American Association of Airport 
Executives, Chip Barclay.
    Chip?

 STATEMENT OF CHARLES BARCLAY, PRESIDENT, AMERICAN ASSOCIATION 
                     OF AIRPORT EXECUTIVES

    Mr. Barclay. Thank you, Mr. Chairman, Mr. Co-Chairman, 
Members of the Committee. It's always a privilege to appear 
before the Commerce Committee.
    I'd like to make three points in summarizing our testimony.
    The first is that airports continue to believe that the key 
lesson of 9/11 is that dangerous people pose the greatest 
threat to our system. On 9/11, the powerful weapon used against 
us was the terrorists' knowledge and manipulation of our 
hijacking policies of that day. And, while those policies have 
changed, what hasn't is that deliberate, smart terrorists will 
seek to exploit any system that we have or put in place in the 
future. So, in addition to other security efforts, we need to 
develop better tools that look for dangerous people.
    That job has two components. One is identifying the people 
that don't pose a threat to the system, which is the great 
majority. And the second is identifying those few that present 
either unknown or potentially dangerous factors. Secure Flight 
appropriately seeks to go after that second goal, while 
Registered Traveler, or RT, offers a voluntary effective path 
to go after the first.
    Registered Traveler provides an option for individuals to 
volunteer information on themselves, permit TSA to determine 
they don't present a risk to the system, verify their identity 
each time they travel, and those individuals will pay for all 
the costs of that program.
    The privacy issues about both these programs raised by TSA 
and others during the hearing need careful attention and 
transparency in their resolution. But it is equally important 
to recognize that the constitutional protection to the right of 
privacy is not a right to anonymity. Accurate, verifiable 
identification is a reasonable request of each airline 
passenger as a tool for maintaining a safe public-
transportation system for all airline passengers.
    My second point is to let the Committee know that a 
significant group of airports and technology companies, some 70 
airports and 40 companies, have collaborated, through an 
organization called the Registered Traveler Interoperability 
Consortium, to come up with a secure, nationwide, and 
interoperable Registered Traveler program. The recommendations 
leave key security standards and the approval of individuals as 
qualified for Registered Traveler to TSA, but accomplishes much 
of the remaining work through local airports in whose terminals 
the programs must operate, and TSA-certified technology 
companies that can enable the highly accurate and consistent 
operating process required.
    My third point is that industry, local government, and 
Federal Government can work effectively as partners in security 
credentialing programs. One program the Committee has heard 
little about, because it's effective, efficient, and has 
operated without controversy, is the aviation-worker Criminal 
History Record Check for employees with access to secure areas 
at commercial airports. Prior to 9/11, fewer than 10 percent of 
aviation workers were required to obtain the CHRC checks 
through a Federally operated process. Those checks averaged, at 
that time, almost 2 months to complete, even though the FBI 
computer check of fingerprints usually takes only minutes. The 
system was fraught with black holes, poor communication, and no 
reconciliation of the process for end users.
    Post-9/11 reviews brought a new requirement to have these 
criminal history record checks for all workers with access to 
secure areas at airports, which was about a million in the year 
2002, as well as a new organization, the Transportation 
Security Clearinghouse, that's operated by AAAE. The background 
checks that it does there, it does in partnership with 
airports, airlines, and TSA. (Initially, that was with FAA).
    Four years later, the average criminal history record check 
takes 4 hours, instead of 52 days. The price per transaction 
has been reduced from $31 to $29, while an identical check for 
HAZMAT truckers costs $100. And the TSA has processed just shy 
of 2 million background checks, making it the largest such 
clearinghouse outside the Department of Defense in the last 4 
years.
    The most important of those facts is the time savings, from 
months to hours, of these checks. It represents personnel cost 
savings in our industry of hundreds of millions of dollars 
annually. This successful credentialing program works in a 24/7 
realtime industry. Because it's an effective partnership of 
DHS, TSA, airports, airlines, and the Clearinghouse, each with 
well-defined roles, it's a model, we believe, for other 
programs and industries. And I've got some further information 
on that I'd like to add to the record, if I could.
    Finally, Mr. Chairman, while not on point for this hearing, 
I do not want this opportunity to pass without a brief mention 
of another program over which the Committee has jurisdiction, 
the Aviation Trust Fund.
    The Administration's budget request of earlier this week is 
seriously flawed from the perspective of the Nation's airports. 
As this Committee knows, as the author of the Aviation Trust 
Fund, it was originally designed to collect taxes from 
passengers for capital developments of the system, not for 
operations. The recent budget request turns that fundamental 
priority of the Trust Fund on its head, requesting large-
operations budget increases while slashing the capital-
improvement programs almost $1 billion from the AIP program 
from the level authorized by this Committee. We think such cuts 
are unwise and shortsighted, and we hope that the Committee 
will agree and fight to fully fund the capital programs.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Barclay follows:]

Prepared Statement of Charles Barclay, President, American Association 
                         of Airport Executives

    Thank you for the opportunity to share with the Committee the views 
of the airport community on Transportation Security Administration 
aviation passenger pre-screening programs, including the Registered 
Traveler and Secure Flight programs. I am testifying today on behalf of 
the American Association of Airport Executives (AAAE), Airports Council 
International--North America (ACI-NA), and our Airport Legislative 
Alliance, a joint legislative advocacy organization. AAAE represents 
the men and women who manage primary, commercial service, reliever, and 
general aviation airports. ACI-NA represents local, regional and state 
governing bodies that own and operate commercial airports in the United 
States and Canada.

Registered Traveler, Secure Flight Effectively Focus Limited Resources 
        on Greatest Risk
    Let me begin, Chairman Stevens and Co-Chairman Inouye, by thanking 
you for your continued focus on the operations and priorities of the 
TSA. The programs the Committee has selected to examine today in the 
area of passenger pre-screening hold enormous potential in improving 
the effectiveness and efficiency of security screening operations at 
airports across the country. With aviation traffic returning to record 
levels and with Federal resources becoming ever scarcer, it is 
imperative that we get the most out of every dollar we devote to 
security. Utilizing better technology--such as Registered Traveler and 
Secure Flight--to effectively manage risk results in better security 
and a more efficient use of Federal and industry investments.
    In our view, one of the key components to improving passenger 
screening is shifting the focus from finding dangerous ``things'' to 
finding dangerous ``people.'' The most important weapon that the 19 
terrorists had on September 11 wasn't box cutters; it was knowledge--
knowledge of our aviation system and existing security protocols, which 
they used to their advantage. We simply must do more to identify 
potential threats. Secure Flight offers opportunity in that regard, 
although we recognize that it must be pursued with careful 
consideration provided to a full range of individual privacy issues.
    Additionally, we must quickly take advantage of the opportunity 
that exists through deployment of a Registered Traveler program to more 
effectively calibrate the resource allocation at airport screening 
checkpoints. With more than 700 million passengers traveling through 
the U.S. aviation system each year--a number that is anticipated to 
grow to more than one billion annually within the next decade--we 
simply must take a better approach to security screening. Relatively 
few passengers make up the overwhelming majority of all travel, and we 
should make every effort to provide a different screening protocol for 
this group of travelers. Doing so will help expedite the screening 
process for all travelers and allow screeners to focus more intensely 
on unknown and potential threats.
    Our challenge with regard to passenger screening remains to find 
the proverbial needle in the haystack. Registered Traveler can help 
reduce the size of the haystack, and Secure Flight can help ensure that 
more resources are devoted to finding the needle. Both goals are 
important, and both programs deserve the continued support of Congress 
and the TSA.
    Along those lines, we are extremely encouraged by the leadership 
that Department of Homeland Security Assistant Secretary Kip Hawley has 
provided since taking over the helm of TSA and believe that he deserves 
a great deal of credit for recognizing the promise of these programs 
and for working to expedite their implementation. On Registered 
Traveler, in particular, Administrator Hawley has moved the program 
past the ``pilot'' program phase and announced a timeline for making a 
nationwide, interoperable program a reality by this summer. It is our 
sincere hope and expectation that the announced timelines will be met, 
and we look forward to continuing our work with TSA and the Congress to 
ensure that is the case.

Public/Private Partnerships Have Proven Effective and Should Be Further 
        Utilized
    While the Federal Government obviously plays a leading role with 
regard to passenger pre-screening and other areas of aviation security, 
airports and the aviation industry can and should play an active role 
in partnering with the Federal Government to design and implement 
meaningful solutions to security challenges. The establishment of 
effective public/private partnerships has already proven extremely 
successful, for example, in building a system for processing 
fingerprint-based background checks and additional background screening 
for more than 1.9 million airport and airline employees through the 
Transportation Security Clearinghouse. We believe that the public/
private model offers one possible solution in the areas under 
discussion today.
    On the Registered Traveler front as I will discuss in more detail, 
the representatives of the airport community and its aviation partners 
have proposed a public/private model that will be both interoperable 
and innovative. Undoubtedly, the best path forward is one in which 
Federal resources and standards are combined with the knowledge, 
expertise and creativity of airports, airlines and aviation-oriented 
businesses.

Secure Flight Is Critical Tool in Identifying Dangerous People
    While the majority of my comments today are focused on Registered 
Traveler, I would like to highlight the critical nature of the Secure 
Flight program and to urge the Committee's continued support. While 
there are critical privacy issues that must be addressed, it is 
indisputable that the more we know about individuals traveling through 
the aviation system, the more secure it will be. In today's high-threat 
world, we must all recognize that the Constitutional right to privacy 
that we enjoy as Americans does not provide a right to anonymity.
    Knowledge is power and the more we know about potential threats 
before they have a chance to proceed to a security checkpoint or board 
a plane, the better off we all will be. Secure Flight adds yet another 
critical layer of security to the system and ensures that we don't rely 
solely on physical screening to identify those who seek to do us harm. 
Once privacy protections are ensured, the Federal Government can and 
should move forward with Secure Flight as soon as possible.

Registered Traveler Program Will Improve Security and Efficiency at 
        Airports
    Before discussing some of the specific efforts of airports to 
partner with TSA in making Registered Traveler a reality, it is 
important to highlight again the value of a nationwide program and to 
remind the Committee of the strong endorsement the concept received 
from the 9/11 Commission and numerous others. In an era of risk 
management, limited Federal resources must be focused on known and 
unknown risks to the aviation system. Registered Traveler accomplishes 
that goal by helping TSA to better align screeners and resources with 
potential risks.
    Given existing traffic levels and anticipated system growth over 
the next decade, we simply must take a smarter approach to passenger 
screening. Today's personnel-dependent screening system is already 
being pushed to the brink. One can only imagine what the situation will 
become as 300 million or more additional passengers are added to the 
system.
    While a nationwide Registered Traveler Program will be open to all 
whom are eligible, there is no doubt that the frequent fliers who make 
up the overwhelming majority of all travel will be the ones most likely 
to enroll. By providing a different screening protocol for this group 
of registered and scrutinized travelers--which we believe is a critical 
component of the program moving forward--TSA will be able to better 
target security resources, expedite processing for all passengers and 
reduce the passenger ``hassle factor.''
    We have learned a great deal from the recently concluded Registered 
Traveler pilot programs that involved five airports partnering with a 
single air carrier at each airport. Although the original TSA pilot 
programs were popular with participants, they were not interoperable by 
design, which limited benefits to only one air carrier at each of the 
five original airports. Additionally, participants largely were 
subjected to the exact same security protocol--the removal of laptops, 
shoes, and coats were still required, for example--as non-participants, 
meaning that the only real benefit was being moved to a shorter 
screening line with limited secondary screening.
    Moving forward, it is clear that in order to realize the true 
potential of Registered Traveler, the program must be nationwide and 
interoperable. Participants who sign up in Phoenix, in other words, 
must be recognized and accepted as they travel to other airports that 
have chosen to participate in the program, be it Denver, Atlanta, 
Washington or other airports throughout the aviation system. 
Additionally, security screening protocols should be adjusted for 
program participants in recognition of the extensive background vetting 
they have received. Passengers who are willing to provide substantial 
background information and undergo government security threat 
assessments should be accommodated with tangible screening benefits, 
such as non-divestiture of shoes, outer garments and laptops.
    As TSA proceeds with implementation of the Registered Traveler 
program, it is also important to note several potential pitfalls that 
the Federal Government must work to avoid. First, Registered Traveler 
cannot be viewed within DHS and the Federal Government as simply a way 
to save money or to compensate for insufficient screening resources. At 
its core, Registered Traveler is a security-based program that will 
augment other screening efforts and better focus resources. It cannot 
be used as an excuse to shortchange other screening needs. To that end, 
we again call on TSA to issue and publish performance standards for 
security screening that apply to all screening locations.
    Additionally, the Federal Government must ensure that all data 
collected in conjunction with Registered Traveler is fully secure. TSA 
needs robust safeguards to protect proprietary data it will collect 
through the program's implementation. Such assurances are critical to 
ensure participation by the traveling public. Potential Registered 
Traveler program participants have a right to expect that these issues 
will be addressed before implementation just as all individuals have a 
right to expect that privacy issues will be addressed before Secure 
Flight becomes operational.
    Finally, all fees associated with program participation must be 
transparent, cost-based, and kept to a minimum. The cost component is 
critical if we expect this voluntary program to work as promised.
Airport Registered Traveler Interoperability Consortium (RTIC)
    As I now turn to the Registered Traveler Interoperability 
Consortium (RTIC), I would note that ACI-NA is not a party to the RTIC 
process. As such, the following comments on the consortium reflect only 
those of AAAE and are specific to the 70 airports and 40 service 
providers that participated in the RTIC process.
    Airports, in light of their public nature and responsibilities to 
the communities they serve, remain eager to partner with the TSA to 
improve the effectiveness and efficiency of the security screening 
process. In recognition of the promise that Registered Traveler in 
particular holds in achieving these goals, airport professionals have 
been working diligently to move forward operationally with the program. 
The RTIC represents one voluntary initiative focused on that goal.
    The RTIC is a group of more than 70 airports and 40 service 
providers that have worked for the past six months to define and 
establish the mutual and common business practices and technical 
standards that will complement Federal standards and help push forward 
a national program. RTIC represents a significant attempt by a large 
group in the airport community to partner with TSA in making the 
promise of RT a reality as quickly as possible.
    The goal of the RTIC has been to develop a common set of business 
processes and technical rules on an open, secure and industry-driven 
network among airports that will create a fair and seamless platform 
for airports, airlines and vendors to interface with DHS and each 
other. Rather than pre-ordaining any one proprietary system, this open-
architecture approach ensures that airports have an opportunity to work 
with any number of technologies or vendors to design a system that 
works best at their facility. This approach also ensures that the 
creativity and competition of the private sector is unleashed to better 
serve local needs and to keep program costs in check.

  Current Airport Members of the RTIC Include the Following Arranged by
          Size (Enplanements) Based on Calendar Year 2004 Data
Hartsfield-Jackson Atlanta              Des Moines International Airport
 International Airport
Denver International Airport            McGhee Tyson Airport
Phoenix Sky Harbor International        Wichita Mid-Continent Airport
 Airport
John F. Kennedy International Airport   Palm Springs International
                                         Airport
Minneapolis-St. Paul International      Tallahassee Regional Airport
 Airport
George Bush Intercontinental/Houston    Huntsville International-Carl T.
 Airport                                 Jones Field
Detroit Metropolitan Wayne County       Lexington Blue Grass Airport
 Airport
Newark Liberty International Airport    Atlantic City International
                                         Airport
Orlando International Airport           Northwest Arkansas Regional
                                         Airport
Miami International Airport             Newport News/Williamsburg Int'l
                                         Airport
Seattle-Tacoma International Airport    Santa Barbara Municipal Airport
Philadelphia International              Fort Wayne International Airport
Boston Logan International Airport      Daytona Beach International
                                         Airport
New York La Guardia                     Roanoke Regional/Woodrum Field
Washington Dulles International         Bangor International
 Airport
Baltimore-Washington International      Yeager Airport
 Airport
Fort Lauderdale/Hollywood               Wilmington International
 International Airport
Ronald Reagan Washington National       Chattanooga Lovell Field
 Airport
Pittsburgh International Airport        Kalamazoo/Battle Creek
                                         International Airport
Lambert-St. Louis International         Jackson Hole Airport
 Airport
Memphis International Airport           Cherry Capital Traverse City
                                         Airport
Nashville International Airport         Monterey Peninsula Airport
William P. Hobby Airport                Lafayette Regional Airport
Austin-Bergstrom International Airport  Redmond Roberts Field Airport
Palm Beach International Airport        Grand Forks International
                                         Airport
General Mitchell International Airport  Waco Regional Airport
Port Columbus International Airport     Redding Municipal Airport
T.F. Green State Airport                Greater Rockford Airport
Reno/Tahoe International Airport        St. George Municipal Airport
Ted Stevens Anchorage International     Flagstaff Pulliam Airport
 Airport
Manchester Airport                      Barkley Regional Airport
Tucson International Airport            Tupelo Regional Airport
Louisville International-Standiford     Pullman/Moscow Regional Airport
 Field
Albany International Airport            Mid-Ohio Valley Regional
Lihue Airport                           Shenandoah Valley Regional
                                         Airport
Gerald R. Ford International            Dickinson-Theodore Roosevelt
                                         Regional Airport


    For the past six months, members of the RTIC have been working 
diligently to establish and agree on common core principles that will 
enable technical interoperability across a broad and varied airport 
network. In comments filed with TSA in late January in response to the 
Agency's Request for Information on the Registered Traveler program, 
RTIC and its Service Provider Council provided a detailed series of 
agreed upon financial standards, technical interoperability standards 
and common business processes for the program.
    These recommendations provide a consensus framework for rapid, 
secure, and seamless deployment of a Registered Traveler program at the 
Nation's airports that will result in enhanced security and quicker 
security processing. It is our hope that these consensus 
recommendations will be adopted by TSA as the agency moves forward with 
program implementation.
    While we would be happy to offer the Committee details on the RTIC 
filing with TSA, we wanted to simply summarize those efforts here. With 
regard to common business processes, the RTIC has identified each of 
the key players in a national, interoperable RT program--enrollment 
service providers, verification service providers, the Registered 
Traveler Management System, TSA, applicant and participant--and 
detailed the potential roles and responsibilities of each. On technical 
operability, the RTIC has made specific technical recommendations on 
system messaging, ensuring a chain of trust, optimizing the use of 
biometrics, leveraging appropriate token technologies, ensuring system 
security, protecting privacy, and ensuring cross-provider 
interoperability. In the area of financial standards, RTIC has proposed 
a simplistic and straight-forward approach to enabling the maximum 
flexibility and competition for solutions for both enrollment and 
verification service providers.
    The RTIC is committed to working closely with TSA to meet the 
timeline established by the agency and its pledge to: use a public-
private partnership model, build off of existing security networks 
through utilization of the Transportation Security Clearinghouse, 
establish a sustainable, biometrically enabled and interoperable 
system, and establish a program where travelers will receive screening 
benefits through in-depth background checks.
    By establishing a sustainable and cost-driven approach in 
partnership with TSA, airports can help ensure a Registered Traveler 
program that focuses on enhanced security above all else in addition to 
expediting the travel experience. These two pillars are the primary 
values that the Nation's frequent air travelers want and that each of 
you as policymakers rightly will demand. By bringing efficiency back 
into the Nation's airport screening checkpoints, TSA screeners will be 
able to better focus their limited resources on the critical task of 
providing more rigorous screening to individuals about whom we know 
less than those who have voluntarily submitted their background for 
extensive vetting and clearance.
    As frequent travelers, each Member of this Committee knows that 
every airport is unique. A successful, long-term Registered Traveler 
Program depends on the implementation of a technical, operational and 
business model capable of supporting individual airport needs, while 
providing the common infrastructure that allows passengers to use this 
capability at any airport nationwide. In recognition of that fact, it 
is critical that a permanent Registered Traveler Program be airport-
driven and run largely outside of government with careful and 
consistent government background checks, standards and oversight.
    Mr. Chairman, more than four years after the tragic events of 
September 11, we still have a great deal of work to accomplish in 
transforming the existing personnel-dependent screening system into the 
system of the future. In an era dramatically increasing demands on our 
Nation's air transportation system, it is critical that we move forward 
as quickly as possible with promising technology like Secure Flight and 
Registered Traveler. Airports and the aviation industry have a key role 
to play in working with the Federal Government, and we are pleased to 
report great progress in that regard. It is our sincere hope and 
expectation that the Federal Government will continue to fulfill its 
responsibilities so that these programs can become a reality in the 
very near future.
    Again, we appreciate the leadership of this Committee and the 
opportunity to testify today.
                                 ______
                                 
          Additional Information Submitted by Charles Barclay

                 Airport Magazine, May/June 2005 Issue

                 Inside TSC: Saving Money, Saving Time

                    Compiled From AAAE Staff Reports

    A dramatic reduction in fingerprint processing time from 52 days to 
four hours that saves the aviation community hundreds of millions of 
dollars annually resulted from advances in technology and customer 
service developed by AAAE's Transportation Security Clearinghouse (TSC) 
in its scant three years of existence.
    Lori Beckman, A.A.E., security director at Denver International 
Airport, offered this assessment: ``The TSC has been instrumental in 
decreasing the CHRC (criminal history records check) processing time 
and dramatically improving customer service. Another benefit is the TSC 
stores the fingerprint data submitted, which we will be able to use in 
the future for recurrent checks, thus eliminating the need to re-
fingerprint employees.''
    Brian Thompson, operations director at Yuma (Arizona) International 
Airport, agreed, stating that, `` Turnaround times on fingerprint 
submissions and results have decreased significantly over a short 
period of time, a testament to the success of the TSC.''
    The TSC was born in the aftermath of the September 11, 2001, 
terrorist attacks against the United States when FAA mandated that a 
criminal history records check be initiated on every individual 
employed in or applying for a position in secure areas of U.S. 
airports. Realizing that the Federal system in place at that time for 
conducting records checks--which took 52 days or longer to process 
fingerprint submissions--wouldn't meet the test, FAA signed an 
agreement with AAAE to facilitate fingerprint processing for aviation 
employees.
    AAAE developed the TSC process over the past three years, using 
technical and administrative innovations that would save the aviation 
industry valuable dollars as well as time. Once established, the TSC 
was able to reduce the time it took for the aviation community to 
receive fingerprint results from months to an average of four hours, 
with most reports completed in 40 minutes.
    Regardless of the size of airport, the TSC has enabled airport and 
airline employees to begin a new job or return to work quickly without 
delays caused by obtaining security clearances, thus virtually 
eliminating the problem of lost productivity. As Sgt. Carlos Garcia at 
San Antonio International Airport explained, ``The entire staff at the 
TSC has always been able to provide answers and provide suggestions and 
solutions in a very timely manner to the multiple problems my office 
has encountered while attempting to comply with TSA (Transportation 
Security Administration) fingerprint requirements. The TSC has provided 
the logistics for the airports to comply with the TSA fingerprint 
mandate in a professional and very helpful manner.''
    Airlines as well as airports have been positive in their assessment 
of the TSC.
    Darby James, senior manager-staffing administration for Continental 
Airlines, recalled the TSC's challenge: `` They had the burden of 
bringing a flow to the process and there was very little room for 
error. It seemed the clearinghouse had taken on a responsibility they 
were not equipped to handle. The Air Transport Association held 
numerous conferences to discuss air carrier frustrations. In one 
conference, Continental requested a representative from AAAE attend and 
answer some of our questions and concerns. It was clear from this 
meeting that AAAE understood their responsibility and were working hard 
to make improvements. In 2002, we began seeing marked improvement from 
AAAE. They listened to our concerns, made improvements based on our 
suggestions and the process started to pick up speed. The time it takes 
to receive results has gone from nearly three months to 24 hours and in 
some cases, we receive results within hours. AAAE overcame a seemingly 
insurmountable task. Their efficiencies translate into millions of 
dollars in savings for the air carriers and airport operators.''
    Northwest Airlines said that, due to the TSC, the carrier has 
``significantly reduced our new employee processing costs and decreased 
the time it takes to perform one of our background checks.'' Southwest 
noted the TSC's successful efforts ``to streamline and improve the 
fingerprint based criminal history record checks process.'' The carrier 
added that, `` We have noticed a marked improvement in the turnaround 
time for receipt of CHRC results since the TSC took over as the 
fingerprint submission clearinghouse for airlines and airports.''
    In addition to significant improvements in fingerprint processing 
times, the TSC has one of the lowest per record error rates--2 percent 
compared with the 8 percent average Federal rate. This allows employees 
to keep on working, without the need for repeat trips to the badging 
office. Further, the TSC facilitated the first high-speed secure 
connection to the Federal fingerprint processing system and, through 
other technology improvements, allowed the TSA to lower electronic 
fingerprint processing prices to the aviation community. The TSC 
continues to work with TSA to offer the aviation industry even lower 
processing prices.
    Effective and timely customer service by TSC employees helps to 
resolve mistakes made in fingerprinting at the airport or airline level 
before they turn into delays at the Federal level.
    Laura Hoke, an airport security and public safety official at San 
Diego International Airport, offered the TSC staff praise for a 
``helpful attitude'' and ``prompt resolutions to our problems.'' In 
addition, Hoke stated, ``You always take the time to be patient, help 
figure out what the problems are and get them resolved quickly. Your 
dedication to customer service is admirable.'' 



    While aviation companies have benefited from the TSC's productivity 
advancements, commercial truckers who are applying for endorsements to 
carry hazardous materials (hazmat) are paying steep fees and taking 
weeks or months to obtain CHRC results, according to the American 
Trucking Associations (ATA).
    Daniel England, CEO of C.R. England, Inc. trucking company, 
testified on behalf of the ATA at a May 11 hearing of the House 
Transportation and Infrastructure Subcommittee on Highways, Transit and 
Pipelines. ``At a time when carriers are struggling to attract 
qualified drivers--and I want to emphasize that; it's one of the most 
serious problems we have--and freight volumes are up, TSA has imposed 
upon the industry an unwieldy fingerprint process that discourages 
drivers from obtaining hazardous materials endorsements,'' England told 
panel members.
    England pointed to several failures in the process mandated for 
truckers:

   As of March 4, 2005, a month after the requirement had gone 
        into effect for new applicants for hazmat endorsements, 
        Illinois had submitted 644 fingerprint requests and received no 
        responses from TSA;

   New York had submitted 350 fingerprint requests and received 
        no responses;

   Vermont had submitted 10 fingerprint requests and received 
        no responses;

   Iowa had submitted 138 fingerprint requests and received no 
        responses;

   Mississippi had submitted 100 fingerprint requests and 
        received zero responses;

   Kansas had submitted 150 fingerprint requests and received 
        40 responses;

   Florida had submitted 700 fingerprint requests and received 
        14 responses.

    Several states are implementing the hazmat regulation unevenly, 
highlighting the problem with lack of uniformity, England stated. 
``Although the fingerprint requirement for renewals and transfers does 
not take effect until May 31, 2005, several states were stripping the 
hazmat endorsement from drivers who moved from one state to another, 
thus making them ineligible to haul hazardous materials loads until TSA 
processed the results of their background checks. Since a large number 
of carriers require drivers to have hazardous materials endorsements as 
a condition of work, these workers are eventually unable to work for a 
period of time,'' he said.
    Although some of these problems have since been addressed, ``It is 
unconscionable that these problems were allowed to detrimentally affect 
drivers' livelihoods and carriers' business for months after the 
program went into effect,'' England testified. ``There are problems 
that the trucking industry still faces today that do not appear likely 
to be corrected in advance of May 31. In its analysis of its 
regulation, TSA estimated that there would be a 20 percent reduction in 
the number of drivers with hazardous materials endorsements. If the 
reduction is a result of individuals who are identified as threats 
being excluded from the transport of hazardous materials, then so be 
it. However, ATA cannot stand idly by if the reduction is attributable 
to a poorly designed process that dissuades drivers from seeking or 
renewing their hazardous materials endorsements. At a time of driver 
shortage, I would argue that the Nation's economy cannot afford this 
process to continue.''
    Todd Zinser, DOT deputy inspector general, told lawmakers at the 
same hearing that the TSC has completed more than 1.6 million 
fingerprint-based background checks since it began operations in 
January 2002. ``While initially a concern, the issue of timeliness 
turned out to be a non-factor,'' Zinser said. ``In that case, the 
American Association of Airport Executives served as a clearinghouse to 
facilitate the process of fingerprints for the airports and airlines. 
Since TSA is no longer part of the department, we do not have firsthand 
knowledge of how TSA is implementing the program or whether the 
experience at the airports provide any lessons to the hazmat 
endorsement rule,'' he added. But based on our observations at airports 
and airlines, strong cooperation among all stakeholders is absolutely 
critical to make the process efficient and effective.''
    The establishment of the TSC as the central location for processing 
and tracking fingerprint submissions also has resulted in numerous 
productivity enhancements that have allowed TSA to lower electronic 
fingerprint processing prices to the aviation community.
    While hazmat truckers pay nearly $100 per person for fingerprint 
processing, Rep. Peter DeFazio (D-Ore.) pointed out that aviation 
industry employees using the TSC pay far less for more efficient 
processing. DeFazio told panel members that TSC ``has more integrity 
and it's more efficient and they're apparently somehow either breaking 
even or making money on it at $29. And they're accessing the same 
database, which costs $22 so their processing cost is $7.''
    At another point in the hearing, DeFazio noted that the hazmat 
trucker background check ``is a Federal certification for national 
security purposes.'' He asked, ``Could we not go to a system like is 
being used in aviation, which works very well?''
    For the future, the TSC has outlined plans to offer enhanced 
services to help the aviation industry meet its security challenges. In 
2003, the TSC began offering Enhanced Background Screening Services 
(EBSS). Through EBSS, airports and airlines are able to verify the 
identity of individuals, complete criminal history checks, obtain 
driving records, and validate employment history, professional 
credentials, financial status and immigration status. These services 
have allowed airports and companies to answer questions about an 
individual's criminal history left unresolved by fingerprint checks 
done by the Federal Bureau of Investigation, as well as to examine 
other aspects of an individual's background relevant to assessing a job 
applicant's trustworthiness.
    ``TSC has developed a unique and enviable record of success in 
bridging non-Federal and Federal biometric-based background checks,'' 
said AAAE President Charles Barclay. ``It has the processes, custom 
software and customer service focus needed for today's fast-moving work 
environment. TSC will not only continue to play a key role in CHRC for 
aviation workers, but will also be increasingly important for programs 
like Registered Traveler, TWIC and others that need to move forward and 
value speed,'' he said.
    ``AAAE, its members and its customers have made a significant 
investment to get this right for aviation, because the difference 
between months and hours for these checks has enormous implications for 
personnel costs in aviation,'' Barclay said. ``We are eager to share 
the knowledge and systems we have carefully honed with other biometric 
credentialing programs in aviation and other industries.''
                                 ______
                                 
Transportation Security Clearinghouse
Industry-driven Federal partnership dramatically increases security and 
        saves industry hundreds of millions of dollars
    AAAE has recognized a new milestone in their successful security 
partnership with DHS. The Transportation Security Clearinghouse (TSC), 
a unique public-private partnership charged with strengthening the 
security and efficiency of aviation employee background checks, 
surpassed 1.8 million fingerprint-based background checks successfully 
completed. Since its creation in December 2001, the TSC has processed 
1.8 million criminal history record checks for airport and airline 
employees and has saved the airport and airline industry both time and 
money through its commitment to efficiency and technological 
innovation.
    In fact:

   The TSC process has reduced the time it takes for airports 
        to get fingerprint results from an average of 52 days, pre-
        September 11, when submitting to OPM, to an average of 4 hours, 
        with most reports completed in around 40 minutes. This 
        reduction in time has enabled airports to put their employees 
        on the job where they are needed, without the need to pull 
        another valuable employee from their duties to serve as an 
        escort. The TSC has saved the industry hundreds of millions of 
        dollars in productivity gains and employee retention as a 
        result of reduced fingerprint check processing times.

   Because of innovative in-house technical work, the TSC 
        performs ``real-time'' processing to transmit fingerprints to 
        the Federal system in an average of 16 minutes. The TSC's 
        ``real-time'' processing dramatically increased the efficiency 
        and timeliness of the airport fingerprint submission process.

   Centralization of the fingerprint tracking process allows 
        for accurate fingerprint submission status at any point in the 
        background check process virtually eliminating ``lost 
        fingerprints'' within the Federal system. Ensuring that airport 
        employees can return to work and not have to be called back for 
        repeated fingerprinting due to missing fingerprints. This 
        centralized process has saved airports thousands of wasted 
        employee work hours over the last three years.

   The TSC is paid by and works for the airports and airlines 
        conducting employee checks, not by TSA. This affords the TSC 
        the opportunity to make quick changes on behalf of airports 
        without having to worry about going through burdensome TSA 
        approvals for every change it makes to its process.

   TSC provided an industry first Virtual Private Network (VPN) 
        connectivity for fingerprint submissions. This innovative 
        approach which was provided by the TSC to airports free of 
        charge connects the livescan devices at the airports to the TSC 
        and currently saves some airports over $1,000 a month in long 
        distance telephone charges.

   Because of AAAE's ability to do the technical and 
        administration work ``in-house'' and subsidize labor and other 
        costs for the formation of the clearinghouse, the resulting 
        cost savings allowed TSA to lower fingerprint processing prices 
         from $31 to $29 (for electronic submissions), saving the 
        industry over $3 million dollars. The TSC has been working with 
        TSA to reduce the processing fee to an even lower rate.

   FBI indicates that the submissions of the aviation community 
        done through the TSC had one of the best error rates in the 
        U.S. (2 percent) and that this reduced error rate was directly 
        related to the quality checks and error corrections performed 
        by the TSC. The current Federal average error rate is 8 
        percent. Since the TSC began operations, the error rate has 
        continued to decline, with a significant drop when the TSC 
        brought its ``in-house'' developed software package online. 
        This equates to approximately 32,000 aviation workers that did 
        not have to go through the time consuming process of reprinting 
        due to errors created at the airports' print office with a cost 
        savings of $2.5 million dollars to the industry. The TSC also 
        warehouses submitted fingerprints allowing correction and 
        resubmission when errors occur between the TSA and FBI, saving 
        industry valuable time, effort and more importantly saved labor 
        costs.

    The Transportation Security Clearinghouse (TSC) has been remarkably 
successful in providing one central location where the mandated task of 
checking the backgrounds of hundreds of thousands of airport and 
airline employees can begin. The TSC established a quick and secure 
method to collect employee fingerprints, user payment and offer 
customer service for over 500 airports and multiple airlines across the 
country for further processing by the FBI.
    As demonstrated above, the Clearinghouse has taken a number of 
steps to make the process as easy and efficient as possible for the 
aviation industry. We facilitated the first high speed secure 
connection to the Federal fingerprint processing system, set up and 
brought online over 500 separate submitting entities for fingerprint 
processing and have served over 1.8 million fingerprint records that 
were passed on to the Federal Government for processing at an average 
speed of 16 minutes per record.
    The Clearinghouse is committed to continuous improvement and 
working with airports, airlines and government agencies on all the 
issues that impede a smooth-functioning criminal history record check 
process.

    The Chairman. Thank you very much.
    Our next witness is Tim Sparapani--I hope I'm saying that 
right----
    Mr. Sparapani. That's perfect.
    The Chairman.--legal counsel for privacy rights, American 
Civil Liberties Union. Please.

    STATEMENT OF TIMOTHY D. SPARAPANI, LEGISLATIVE COUNSEL, 
                 AMERICAN CIVIL LIBERTIES UNION

    Mr. Sparapani. Good morning, Chairman Stevens, Co-Chairman 
Inouye, and distinguished Members of the Committee.
    The ACLU, representing its 600,000 members, respectfully 
submits this testimony opposing Secure Flight and Registered 
Traveler.
    It's time for Congress to decide that enough is enough. 
Secure Flight and Registered Traveler will not make us any 
safer, and they will certainly make us less free. Let me start 
with Secure Flight, and then turn to Registered Traveler.
    For 4\1/2\ years, nearly 200 million wasted tax dollars, 
several name changes, and repeated unsuccessful modifications, 
Secure Flight is no closer to implementation today than when it 
was first proposed, shortly after 9/11. TSA's repeated failures 
to launch Secure Flight suggests this program should be 
abandoned.
    While it seemed like a simple commonsense concept at first 
blush, attempts to implement Secure Flight demonstrated it is 
laden with unforeseen complexities, making it impractical, 
technologically difficult, and unlikely to improve our 
security. It also threatened civil liberties, and it's a poor 
use of limited security dollars compared to other options. 
Simply put, it's time to pull the plug.
    Let's take one example: the redress procedure, which we've 
heard a little bit about this morning. No one questions the 
importance of establishing a procedure to help innocent 
Americans wrongly put on the ``No-Fly'' and ``Selectee Lists'' 
to get off, and stay off, the lists, yet, 4 years later, TSA 
still hasn't developed one.
    If TSA cannot provide redress after 4 years, how can 
Congress have any confidence that TSA can build the rest of 
Secure Flight?
    Secure Flight suffers from one critical security weakness. 
No matter how it's redesigned, Secure Flight will not stop a 
single terrorist from boarding an airplane, unless the 
terrorist tries to fly using their own name and documents. 
Unfortunately, as we all know, identity theft is all too 
common.
    Security dollars are, unfortunately, limited, so we must 
spend wisely. Since Secure Flight can't make us safer, Congress 
needs to redirect TSA's energies to programs more likely to 
save lives. The hundreds of millions Secure Flight will cost 
should be redirected to more effective, straightforward 
security that has fewer complications for civil liberties, 
privacy, and the airlines. For example, many of your 
constituents might be surprised to learn that even now, not all 
carry-on bags, luggage, and cargo are screened for weapons and 
explosives. Congress should scrap these other programs and 
invest in new, narrowly tailored technologies to get this 
screening done.
    Let me turn to Registered Traveler. Like Secure Flight, 
this concept seems commonsensical and appealing, at first 
blush. But, again, Registered Traveler opens up a snakes nest 
of complexities once you delve into rating Americans' riskiness 
and sorting them into categories about how trustworthy they 
are. And this program's security benefits remain unclear, 
because Registered Traveler cannot identify and stop terrorists 
who belong to a sleeper cell.
    Every Registered Traveler supporter assumes that, of 
course, they will belong to the program. But, of course, some 
people will be denied, and other innocent Americans will be 
wrongly labeled too risky. No one, not Congress, not TSA, the 
companies pushing the program, or the ACLU, for that matter, 
knows the consequences for those wrongly denied participation. 
Will this create a third list of undesirable flyers, the 
``unregisterable travelers''? If so, will that list be used to 
automatically select someone for additional intrusive scrutiny 
every single time they try to fly, or to deny a security 
clearance necessary for a job, or to enter a government 
building? If companies wrongly determine that an applicant is 
risky, what legal recourse will applicants have to challenge 
that finding and its consequences?
    Registered Traveler is flawed, from a security perspective, 
because no one knows what criteria will distinguish innocent 
travelers from a sleeper-cell terrorist awaiting instructions 
to attack. It's a flawed premise that, by checking a flyer's 
commercial data background, the Government or a company can 
identify terrorists.
    Last fall, Congress decided commercial data was too often 
erroneous to be useful to prescreen passengers for Secure 
Flight. It was the right decision, and Congress should do the 
same thing for Registered Traveler by explicitly denying both 
TSA and participating companies commercial data to prescreen 
passengers.
    In conclusion, since neither of these programs will provide 
the enhanced aviation security that proponents promise, this 
Committee should act now to prevent them being built at all, 
because they all pose unacceptable risks to civil liberties and 
personal privacy.
    Extreme applications of either program that wrongly label 
an innocent American a risk could threaten a person's 
constitutionally protected, Supreme-Court-ratified right to 
travel. We urge Congress to revoke TSA's authorization for both 
programs. And let me reiterate that we're eager to work with 
you to make flying safer and consistent with our constitutional 
principles.
    Mr. Chairman, this concludes my testimony, and I look 
forward to your questions.
    [The prepared statement of Mr. Sparapani follows:]

   Prepared Statement of Timothy D. Sparapani, Legislative Counsel, 
                     American Civil Liberties Union

I. Introduction and Summary of Requests for Committee Action
    The Honorable Chairman Stevens and Ranking Member Inouye, the 
American Civil Liberties Union (``ACLU''), representing its nearly 
600,000 members, respectfully submits this testimony in opposition to 
the Secure Flight and Registered Traveler programs.
    After four and one-half years, nearly $200 million wasted tax 
dollars, \1\ several name changes, and repeated, unsuccessful 
reformulations of the underlying proposals, Secure Flight and 
Registered Traveler are no closer to implementation than when they were 
first proposed shortly after the tragic events of September 11, 2001. 
First introduced as CAPPS II and Trusted Traveler, Secure Flight and 
Registered Traveler remain predicated on the unproven, theoretical, and 
flawed premise that the government can predict whether an individual 
will at some future date commit a terrorist act. The Secure Flight 
Working Group, convened by the Transportation Security Administration 
(``TSA'') to provide it with advice, concluded that `` . . . there is 
not sufficient available intelligence to determine what characteristics 
indicate someone will be a threat.'' Secure Flight Working Group Rep., 
presented to the TSA, September 19, 2005, at 3. This premise, akin to 
alchemy and astrology in its scientific accuracy, has led TSA to 
misdirect its resources towards establishing two passenger pre-
screening programs that will not make us any safer but will make us 
less free. Attempts to establish these programs have served as massive 
diversions that to this day prevent TSA screeners from accomplishing 
their core mission. Congress can only draw one conclusion from the 
failure to build Secure Flight and the inherent weaknesses of 
Registered Traveler: authorizations for both programs must be 
terminated expressly, and Congress must force TSA to refocus on 
achieving its core mission by keeping known terrorists who are threats 
to aviation security off planes, and--for the first time--screening all 
carry-on bags, luggage, and cargo for weapons and explosives.
    The ACLU requests that this Committee and Congress explicitly 
revoke authorization for both Secure Flight and Registered Traveler, no 
matter what they are called, and instead insist that the Department of 
Homeland Security's (``DHS'') TSA focus its passenger pre-screening on 
accomplishing two goals: (1) paring the No-Fly and Selectee Lists 
maintained by the Federal Bureau of Investigation's Terrorist Screening 
Center (``TSC'') down to known terrorists who personally pose a 
specific threat to aviation security only; and (2) simply comparing 
passenger manifest lists to this refocused list. \2\
    If the TSA attempts to implement Registered Traveler, the ACLU 
requests that Congress expressly block the privatization of Registered 
Traveler and prevent the use of commercial data concerning applicants 
to determine whether a would-be flyer is qualified to sign up for 
Registered Traveler. Neither the government, nor companies should 
assign individuals a risk assessment based on commercial data, because 
the consequences of a wrongful determination could lead to many future 
deprivations of the exercise of rights and privileges. However, it is 
significantly more inappropriate to allow private companies to perform 
a governmental role to determine whether a passenger constitutes a 
threat and the Government still must act in a Constitutional manner, 
even if it has outsourced its responsibilities to the private sector. 
Companies cannot be trusted to make such determinations accurately. The 
consequences of such a negative determination would likely add the 
rejected applicant to a new third list--similar to the No Fly List or 
Selectee List--of undesirable flyers who are virtually certain to be 
subject to, at a minimum, extra scrutiny every time they attempt to 
fly, and, at worst, a permanent bar from flying altogether. As is 
discussed in greater detail below, this new third list of ``Un-
Register-Able travelers'' would likely be shared with other Registered 
Traveler companies, the TSA, TSC, and, likely, other government 
agencies. Further, as Congress recognized last fall when it expressly 
prohibited the TSA from utilizing commercial data to pre-screen 
passengers for Secure Flight, commercial data contains enormous error 
rates, is unreliable, and is not useful as a tool to predict whether a 
would-be flyer is a threat to aviation security. \3\

II. Secure Flight: A Dangerously Flawed Proposal that Should Be 
        Terminated
    Secure Flight, regardless of its form, permits unacceptable 
security weaknesses, while threatening civil liberties and personal 
privacy. It is hard to say for sure what Secure Flight will ultimately 
do since TSA has still not finalized a working plan, flow chart or 
business model for the concept. However, it appears that Secure Flight 
would:

        1) Require TSA to gather passenger name record (``PNR'') data 
        from the airlines and travel agents who book tickets;

        2) Require TSA to forward this information to the Federal 
        Bureau of Investigation's Terrorist Screening Center (``TSC''), 
        to compare the names of the ticket purchasers to those names on 
        the No-Fly and Selectee Lists;

        3) Require TSC to inform TSA whether a person attempting to fly 
        is on either list; and

        4) Require TSA to tell its airport screeners to (a) allow the 
        person to fly unimpeded except for normal screening, (b) select 
        the person for some additional and more intrusive screening, 
        such as opening bags, patting the person down, screening for 
        explosive residue, and/or detaining the person for questioning, 
        or (c) inform the would-be passenger that their name is similar 
        to that of someone on the No-Fly list and they are barred from 
        flying.

    While this concept appears easy to implement, it suffers from 
numerous and intractable problems.
A. Security Weaknesses Render Secure Flight Unwise
    Secure Flight is fatally flawed from a security standpoint. To 
support Secure Flight, a person must accept the dubious premise that 
terrorists will attempt to book a ticket and board a flight under their 
own names. This is a simplistic approach and one upon which we cannot 
allow our airline security to rely. Again, no terrorists will be 
prevented from boarding airplanes unless a terrorist both attempts to 
book a ticket and shows up to board a plane under his or her own name 
and documents. The ease with which identity theft and document fraud is 
accomplished renders this premise highly suspect, however. The U.S. 
Federal Trade Commission estimated in 2003 that ``over a one-year 
period nearly 10 million people--or 4.6 percent of the adult 
population--had discovered that they were victims of some form of 
identity theft.'' Prepared Statement of the Federal Trade Commission 
before the Committee on Banking, Housing, and Urban Affairs, U.S. 
Senate on Identity Theft: Recent Developments Involving the Security of 
Sensitive Consumer Information, Deborah Platt Majoras, Chair of the 
Federal Trade Commission, March 10, 2005, available at http://
www.consumer.gov/idtheft/pdf/ftc--03.10.05.pdf.
    The intelligence community presumes that the Nation's enemies, such 
as Al Qaeda, are: (1) patient; (2) well-funded; (3) capable of 
committing identity theft with remarkable ease; and (4) capable of 
producing high-quality, forged identification documents that allow a 
terrorist to purchase tickets and present virtually undetectable papers 
under an assumed name. This programmatic weakness leads to what 
security experts dub False Negatives, an inability of Secure Flight to 
detect actual terrorists. If the system is not able to identify known 
terrorists, TSA's screening will have failed.
    Again, the ACLU does not oppose the TSA vetting passenger lists 
against a narrowly constructed list of known terrorists who pose a 
specific threat to aviation security. If a wanted terrorist is foolish 
enough to fly under his or her own name, the government should 
immediately arrest the suspect or monitor the terrorist's activities 
while preventing the terrorist from committing acts of terror and 
violence.
    The problem from a security and civil liberties perspective is that 
both the No Fly and Selectee Lists, which are at the heart of the 
Secure Flight proposal, are bloated with names of individuals who have 
absolutely no connection to terror and do not have the capability of 
threatening aviation security. This leads to numerous cases of False 
Positives, which distract TSA from finding the actual terrorists. False 
positive stories are ubiquitous. Each Senator who is a Member of this 
Committee likely has innocent constituents who have been unnecessarily 
harassed, delayed or outright denied the ability to fly. The ACLU has 
collected complaints from 1,000 of such constituents, 740 of which were 
gathered through our internet intake process, but we will highlight 
just four:

   Passenger David XXXXX (Aug. 16, 2005) was surrounded by 
        armed police with guns drawn at the ticket counter when he was 
        mistakenly identified as being on the No Fly List. Moreover, 
        when he arrived at the gate, his checked luggage was brought to 
        him, and he was forced to witness the search of his belongings 
        at the gate, the whole process taking two hours.

   Passenger Gregory XXXXX (May 9, 2005), after having his 
        luggage thoroughly searched, was separated from his five-year-
        old son who was hysterically crying and escorted into a private 
        room where he was subjected to a cavity search and genital 
        inspection. Gregory has been wrongly delayed overnight on five 
        separate occasions and whoever is accompanying him is also 
        subject to delays and searches.

   Passenger, Mary XXXXX (May 16, 2005) was forced by TSA 
        screeners to be screened with a machine (Smiths Detection 
        Ionscan Sentinel II), which she was told checked ``to see if I 
        have a bomb inside me.'' This machine photographed her and TSA 
        denied her repeated requests to view the picture or be provided 
        a copy.

   Passenger Hussein XXXXX (July 23, 2005) is a Lebanese 
        citizen who has been a legal resident of the U.S. since 1992. 
        During his layover in Minneapolis, Minnesota while flying from 
        Lebanon to Seattle, Washington, he was escorted off the plane 
        by five security officers to a room away from the gate. He was 
        questioned about his family, extended family, how he files 
        taxes, his business, his real estate holdings and so forth. 
        Additionally, the officers demanded he give them access to his 
        computer, which he initially refused because it contained 
        confidential information about his clients. After five hours of 
        interrogation, he was exhausted and delirious so the officers 
        gave him a choice of either being detained overnight and being 
        questioned the following day or having an appeal inspection in 
        Seattle. He was scheduled to appear at the U.S. Customs and 
        Border Protection Office in Seattle on July 25, 2005. In the 
        past, he has had similar experiences. For example, on October 
        3, 2004, he was stopped in Portland, Oregon on his way to 
        Frankfurt, Germany by U.S. Customs who interrogated him. He was 
        given no medical attention when he fainted, and security 
        officers laughed at him while they waited until he regained 
        consciousness.

    At least four Members of Congress--the Honorable Senator Ted 
Kennedy (D-MA), and the Honorable Congressmen Darrell Issa (R-CA), John 
Lewis (D-GA) and Don Young (R-AK)--have names similar to those of 
individuals on those bloated Lists. The Honorable Congresswoman Zoe 
Lofgren (D-CA) reported in Congressional hearings last summer that her 
husband has been repeatedly selected for additional security screening. 
Nuns and infants have been found on the No Fly List. To be effective, 
the Lists must be paired down only to known terrorists--not criminals, 
not deadbeat dads, not drug dealers. The advice provided by an 
independent panel of experts to the Department of Homeland Security 
concurs:

        Secure Flight should be narrowly focused.

        TSA should limit Secure Flight's mission to correctly identify 
        individuals in the traveling public who are on the Do Not Fly 
        and Selectee lists. The case has not been made for any 
        expansion of the mission of Secure Flight beyond identification 
        of individuals on those lists.

    Department of Homeland Security Data Privacy and Integrity Advisory 
Committee: Recommendation on the Secure Flight Program Rep., Adopted 
Dec. 7, 2005, at 2 (emphasis in original). Limiting the names on the 
list is the only way that TSA can focus on its core mission: preventing 
another terrorist attack on an airplane. Senator Kennedy (D-MA) 
revealed at a Senate hearing that due to the fact an ``E. Kennedy'' was 
on the No Fly List, Senator Kennedy repeatedly was selected for 
additional screening. Every minute spent treating Senator Kennedy like 
a potential terrorist is one less minute that could be spent catching 
the next Mohammed Atta.
B. Civil Liberties: Secure Flight Leads to a Denial of the Right to 
        Travel in Extreme Cases and Leads to Racial Profiling
    In addition to being fatally flawed from a security standpoint, 
Secure Flight also is flawed from a civil liberties standpoint. First, 
using a bloated No Fly List to prevent innocent people from flying 
wrongly deprives them of their constitutionally protected Right to 
Travel. The United States Supreme Court has stated that:

        The word ``travel'' is not found in the text of the 
        Constitution. Yet the ``constitutional right to travel from one 
        State to another'' is firmly embedded in our jurisprudence. 
        United States v. Guest, 383 U.S. 745, 757, 86 S.Ct. 1170 
        (1966). Indeed, as Justice Stewart reminded us in Shapiro v. 
        Thompson, 394 U.S. 618, 89 S.Ct. 1322 (1969), the right is so 
        important that it is ``assertable against private interference 
        as well as governmental action . . . a virtually unconditional 
        personal right, guaranteed by the Constitution to us all.'' 
        Id., at 643, 89 S.Ct. 1322. (concurring opinion).

    Saenz v. Roe, 526 U.S. 489, 498-99 (1999). We suspect that TSA will 
soon begin to apply the Secure Flight concept to those who travel by 
train, interstate bus, boat and ferry. Some Americans living in remote 
regions of Alaska, or on the islands of Hawaii and Puerto Rico simply 
cannot drive to conduct their business, so the consequence for someone 
who is wrongly put on the No Fly List is severe and could force them to 
move to conduct their daily affairs. \4\
    Second, as too many Americans have experienced, people who are 
wrongly put on either list have no guarantee that they will be able to 
ever get off and stay off the lists. Establishing a transparent, 
workable redress procedure to help people wrongly listed should have 
been the first and easiest thing TSA accomplished. TSA has provided 
numerous promises that such a redress process would be provided but, to 
date, has still not accomplished this goal:

   ``CAPPS II will include a comprehensive redress process for 
        those passengers who have questions concerning their 
        experience. TSA will appoint an Ombudsman to handle any 
        inquiries. These capabilities will result in improved resource 
        scheduling and other operational efficiencies.'' (March 7, 
        2003) Congressional briefing by Ben H. Bell, III, Dir. Office 
        of National Risk Assessment (``ONRA'') TSA, available at http:/
        /www.acte.org/initiatives/CAPPS_II_CongressBriefing.pdf.

   ``CAPPS II will also include a comprehensive redress process 
        for passengers. TSA will appoint a Passenger Advocate to work 
        with our current Ombudsman program, to handle any inquiries or 
        complaints raised by passengers with regard to the CAPPS II 
        system. Where a passenger--of any nationality--believes that he 
        or she is being improperly singled out for heightened scrutiny, 
        this will be the place for this passenger to turn to have his 
        or her concerns addressed. This is more than a matter of 
        fairness--because CAPPS II is also a resource allocation tool, 
        it is in TSA's interest to know where we are making mistakes. 
        The Passenger Advocate will thus not only promote fairness and 
        privacy and passenger confidence, but system effectiveness and 
        efficiency.'' (May 6, 2003) Statement of Stephen McHale to the 
        European Parliament, Dep. Admin., TSA, available at http://
        www.europarl.eu.int/comparl/libe/elsj/events/hearings/20030506/
        mchale_speech.pdf.

   ``The redress system is based on having an ombudsman and a 
        passenger advocate designated and a process in place so that 
        when an individual finds that they are being repeatedly 
        selected as a secondary screenee during their transit through 
        the airport that they will have an opportunity then to contact 
        TSA, the ombudsman, and the passenger advocate and then we will 
        have the capability to have a decision made at the TSA level 
        concerning going in on that individual and then adjusting the 
        criteria for that individual after we verify their name, date 
        of birth, address to [sic] for into that and make these 
        decisions, we think, in a rapid matter so that it is not a 
        bureaucratic system of waiting forever to get a response. Our 
        goal is to have a redress system that has flexibility in it and 
        speed and scratches the itch for the traveling public regarding 
        frustrations over being selected repeatedly.'' (March 17, 2004) 
        David M. Stone before House of Representatives Transportation 
        Committee, Subcommittee on Aviation, available at http://
        www.house.gov/transportation/aviation/03-17-04/stone.pdf.

   ``In addition, the new program [Secure Flight] will also 
        include a redress mechanism through which people can resolve 
        questions if they believe they have been unfairly or 
        incorrectly selected for additional screening.'' (August 26, 
        2004) TSA Press Release, available at http://www.tsa.gov/
        public/display?theme=44&content=09000519800c6c77.

   ``Before implementing a final program, however, TSA will 
        create a robust redress mechanism to resolve disputes 
        concerning the Secure Flight program.'' (June 17, 2005) Lisa S. 
        Dean, TSA Privacy Officer, Secure Flight Test Phase Privacy 
        Impact Assessment, available at http://www.tsa.gov/interweb/
        assetlibrary/Secure_Flight_SORN_PIA.pdf.

   ``In conjunction with the Secure Flight program, TSA has 
        charged a separate Office of Transportation Security Redress to 
        further refine the redress process under the Secure Flight 
        program. The redress process will be coordinated with other DHS 
        redress processes as appropriate. Utilizing current fiscal year 
        funding, resources have been committed to this Office to enable 
        it to increase staffing and to move forward on this important 
        work. TSA recognizes that additional work remains to ensure 
        that there is a fair and accessible redress process for persons 
        who are mistakenly correlated with persons on the watch lists, 
        as well as for persons who do not in actuality pose a security 
        threat but are included on a watch list. (June 29, 2005) 
        Statement of Secure Flight Assistant Administrator Justin 
        Oberman to House of Representatives Subcommittee on Economic 
        Security, Infrastructure Protection, and Cybersecurity, 
        available at http://homeland.house.gov/files/
        TestimonyOberman.pdf.

    Yet, four and one-half years later, TSA has still not managed to 
accomplish this goal. Congressional frustration over this failure led, 
in part, to the express requirement codified in both the FY 2005 and 
2006 DHS Appropriations bills, Pub. L. No. 108-774 Sec. 522(a), (d)-(f) 
(2004) \5\ and Pub. L. 109-90 Sec. 518(a)-(b) (2005) \6\ that the 
Government Accountability Office (``GAO'') certify the establishment of 
a working, fair redress procedure before Secure Flight can be 
implemented. As the GAO's March 28, 2005 report regarding Secure Flight 
stated, TSA has failed to accomplish even this simple matter. U.S. 
Government Accountability Office Rep., Aviation Security, Secure Flight 
Development and Testing Under Way, but Risks Should be Managed as 
System is Further Developed (``GAO Report''), March 28, 2005, at 1. 
Just three weeks ago, DHS Secretary Chertoff and Secretary of State 
Rice issued a joint statement pledging the rollout of a workable 
redress process. `` `One Stop' Redress for Travelers. Sometimes 
mistakes are made. Travelers need simpler ways to fix them. Therefore, 
DHS and State will accelerate efforts to establish a government-wide 
traveler screening redress process to resolve questions if travelers 
are incorrectly selected for additional screening.'' Rice-Chertoff 
Joint Vision: Secure Borders and Open Doors in the Information Age. 
Department of Homeland Security, Department of State: Joint Press 
Release, Jan. 17, 2006, available at http://www.state.gov/r/pa/prs/ps/
2006/59242.htm (emphasis in original). As too many Americans have 
experienced, and reported to the ACLU, the ``passenger identity 
verification form'' process TSA now utilizes is inadequate and does not 
guarantee that passengers will not be delayed or denied when trying to 
fly in the future. As the GAO reported, ``. . . the effectiveness of 
the current redress process is uncertain,'' and ``[t]he draft redress 
process documentation does not address a means for passengers who are 
inappropriately denied boarding to seek redress.'' GAO Report at 56, 
58. Thus, people whose names are wrongly added to the lists--or, more 
likely, have names similar to others on the Lists--are perpetually 
doomed to--at best--unnecessary harassment, embarrassment and delays 
every time they fly. At worst, they will be denied the ability to fly 
at all. Congress should ask: If TSA cannot build a redress process 
after nearly four and one-half years for Secure Flight to prevent 
against civil liberties violations, how can TSA be trusted to build an 
effective, civil liberties-respecting passenger pre-screening program?
    Secure Flight will likely lead to impermissible racial profiling. 
The names most likely to be on the No Fly and Selectee Lists that will 
be utilized for Secure Flight are likely to be those of Muslims, or 
people of Arab or Middle Eastern dissent. Thus, a disproportionate 
number of people who are wrongly selected for additional screening or 
barred from flying outright will be those of these classes. Congress 
must guard against allowing a program designed to increase security 
from becoming a tool for racial profiling. Such profiling wastes 
precious resources and ignores the fact that the next terrorists may 
draw from those demographics that are the majority races, religions or 
ethnic backgrounds in this country.
C. Privacy: TSA's Failures to Safeguard Personal Data for Secure Flight 
        Unacceptably Threaten Personal Privacy
    As demonstrated by the tortured attempts to test the viability of 
CAPPS II and Secure Flight, Secure Flight, if implemented, unacceptably 
threatens personal privacy. Testing of Secure Flight has led to two 
high profile and massive privacy violations. In 2003, JetBlue Airways 
gave 5 million actual passenger itineraries to Torch Concepts, a 
Defense Department contractor, which was attempting to study whether 
the government could prescreen passengers to determine who was a high-
risk customer. Bruce Mohl, ``Airlines Weigh Privacy Issues,'' Boston 
Globe, Oct. 12, 2003. In a separate incident last summer, the GAO 
reported that TSA had violated the Privacy Act of 1974, Pub. L. No. 93-
579 (1974), codified at 5 U.S.C. Sec. 552, by giving personally 
identifiable information on millions of people without giving legally 
required public notice. As stated by Senators Collins and Lieberman in 
a July 22, 2005 press release and letter to Secretary of the U.S. 
Department of Homeland Security Michael Chertoff, the GAO reported that 
``TSA failed to comply fully with the Privacy Act when it `collected 
and stored commercial data records even though TSA stated in its 
privacy notices that it would not do so.''' That letter further stated 
that a private contractor had ``obtained more than 100 million records 
from commercial data aggregators in violation of the Privacy Act.'' 
Senators Collins and Lieberman Criticize TSA for Violating Privacy Laws 
While Testing Passenger Prescreening System: GAO Findings Conclude TSA 
Failed to Comply with the Privacy Act, July 22, 2005, available at 
http://hsgac.senate.gov/
index.cfm?Fuseaction=PressReleases.Detail%PressRelease--id=106.
    Further, TSA has not learned from its privacy breaches; it has not 
yet even fully assessed the impact of implementing Secure Flight on 
passengers' personal privacy despite a Congressional mandate. The GAO's 
report regarding Secure Flight concluded that ``TSA has not yet clearly 
defined the privacy impacts of the operational system or all of the 
actions TSA plans to take to mitigate potential impacts.'' GAO Report, 
at 1. If past experience is the best guarantee of future performance, 
TSA cannot be trusted with the sensitive, private data it will demand 
from each passenger. The inability of the TSA to adequately safeguard 
sensitive, personally identifiable information about actual passengers 
during testing of the program's efficacy and viability provides no 
assurance that should the program be implemented each passenger's 
information will be safeguarded. Indeed, if Secure Flight is 
implemented, the personal information of 1.8 million passengers on 
30,000 flights will be electronically transferred from airlines and 
ticketing companies to TSA and TSC every single day. This will lead to 
numerous data breaches that dump sensitive information into the public 
sphere. For identity thieves, it will be like taking candy from a baby.
D. Track Record of Failure: Past TSA Failures Suggest Future Launch 
        Efforts Will Not Be Better for Secure Flight
    Regardless of the security, civil liberties and privacy risks 
raised by what TSA's public statements concerning Secure Flight 
suggest, the program remains wholly conceptual more than four years 
after passage of the Aviation and Transportation Security Act, Pub. L. 
No. 107-71 (2001), that authorized its creation. Slippage of deadlines 
has been the rule for Secure Flight and its predecessor CAPPS II:

   ``TSA expects to test CAPPS II this spring and implement it 
        throughout the U.S. commercial air travel system by the summer 
        of 2004.'' TSA Press Release, March 11, 2003, available at 
        http://www.tsa.gov/public/
        display?theme=44&content=09000519800193c2.

   ``Of note, the terrorist screening center remains on 
        schedule to bring the first version of the consolidated 
        terrorist screening database on line by March 31, 2004, and 
        achieve full operation capability by the end of the year.'' 
        Testimony of David M. Stone, before Hearing of House of 
        Representatives Comm. on Transportation, Subcomm. on Aviation 
        on status of CAPPS II, March 17, 2004, available at http://
        www.house.gov/transportation/aviation/03-17-04/stone.pdf.

   ```We're in great shape as we enter the testing phase' of 
        the program, Oberman said. He said if all goes according to 
        plan, the new system will go into operation in late spring or 
        early summer of 2005.'' Wash. Post, Nov. 13, 2004, available at 
        http://www.washingtonpost.com/wp-dyn/articles/A46610-
        2004Nov12.html.

    Every review by a government agency or independent commission in 
the last year found Secure Flight to be woefully undefined because of 
the myriad conceptual and practical flaws, no matter how the program is 
modified.

   On March 28, 2005, the GAO summarized ``TSA's Status in 
        Addressing Ten Areas of Congressional Interested included in 
        Public Law 108-334,'' finding that TSA had only achieved one of 
        the ten requirements--establishing an internal oversight 
        board--and had not yet even finalized a ``draft concept of 
        operations.'' GAO Report, at 4.

   On September 19, 2005, TSA's Secure Flight Working Group 
        concluded that:

        Congress should prohibit live testing of Secure Flight until it 
        receives . . . a written statement of the goals of Secure 
        Flight signed by the Secretary of DHS that only can be changed 
        on the Secretary's order. Accompanying documentation should 
        include: (1) a description of the technology, policy and 
        processes in place to ensure that the system is only used to 
        achieve the stated goals; (2) a schematic that describes 
        exactly what data is collected, from what entities, and how it 
        flows through the system; (3) rules that describe who has 
        access to the data and under what circumstances; and (4) 
        specific procedures for destruction of the data.

    Report of the Secure Flight Working Group, Presented to the TSA, 
September 19, 2005, at 32.

   In August 2005, the Department of Justice's Inspector 
        General issued a report, which said that TSC could not plan to 
        assist in Secure Flight because TSA failed to even establish a 
        working flow chart for Secure Flight. ``The TSC's difficulties 
        in estimating the costs for Secure Flight are exacerbated by 
        the TSA's failure to specifically define the scope of each 
        implementation phase. As a result, the TSC has been unable to 
        adequately project its resource requirements for responding to 
        the expected increase in workload.'' Review of the Terrorist 
        Screening Center's Efforts to Support the Secure Flight 
        Program, U.S. Department of Justice Office of the Inspector 
        General, at (ix). Further, the report concluded that `` . . . 
        TSC is trying to plan for a program that has several major 
        undefined parameters. Specifically, the TSC does not know when 
        Secure Flight will start, the volume of inquiries expected and 
        the resulting number of resources required to respond, the 
        quality of data it will have to analyze and the specific 
        details of the phased-in approach for taking the program from 
        `pre-operational testing' in September 2005 to full operational 
        capability in FY 2007.'' Id. at (ix).

    On December 7, 2005, a panel of independent experts advising DHS 
found that `` . . . the program is not yet fully defined . . . '' and 
recommended that `` . . . there must be an overall system description 
that addresses all aspects of the Secure Flight system including 
external supporting systems, policies, applications and 
infrastructures, as well as related business processes managed by 
entities external to the Secure Flight program office.'' Department of 
Homeland Security Data Privacy and Integrity Advisory Comm. Rep., 
Recommendation on the Secure Flight Program, Adopted Dec. 7, 2005, at 
1, 2.

    As the ACLU stated at the outset, this program--like Registered 
Traveler--is a moving target, which leads to only one conclusion: the 
testing thus far has been unable to demonstrate that Secure Flight can 
predict those flyers who are potential terrorists and/or identify and 
prevent known terrorists from flying. No modification can change the 
conclusion that Secure Flight simply will not work, the ACLU recommends 
that Congress:

        1) Direct the TSC only to maintain a short list of known 
        terrorists who pose a specific threat to aviation security and 
        dispense with the bloated No Fly and Selectee Lists.

        2) Explicitly repeal the authorization for Secure Flight or any 
        similar program, and, instead, use TSA and TSC to compare names 
        of would-be passengers to the pared down list of known 
        terrorists who pose a specific threat to aviation security.

        3) Utilize the funds saved by eliminating Secure Flight to 
        invest in programs that will greatly enhance physical screening 
        including the introduction of appropriate new technologies and 
        the screening of all carry-on bags, luggage and cargo for 
        explosives and weapons.

        4) If Congress decides to allow Secure Flight testing to 
        continue, it should insist that TSA comply with the spirit and 
        letter of the law expressed in both the FY 2005 and FY 2006 DHS 
        Appropriations laws. Congress should insist expressly that TSA 
        not implement the program, even on a test basis impacting 
        actual passengers, unless and until the GAO certifies first 
        that all ten of the Congressionally mandated criteria have been 
        satisfied.

III. Registered Traveler: The Misalignment of Profit and Security 
        Trades the Promise of Speed for Personal Privacy and the 
        Illusion of Enhanced Security
    Like Secure Flight, TSA's proposed Registered Traveler program 
should be blocked from implementation. The Registered Traveler concept, 
whether entirely government run or partially privatized, trades the 
promise of speedy screening for the illusion of enhanced security. This 
concept misaligns the profit motive with the country's need for safety. 
The ACLU does not believe that security should be traded for 
expediency. The ACLU therefore recommends that Congress eliminate TSA's 
authorization to develop Registered Traveler. If Congress does proceed 
with Registered Traveler, the ACLU recommends that TSA not privatize 
Registered Traveler. If Congress does allow TSA to privatize Registered 
Traveler, the ACLU recommends that the government--not commercial 
companies--undertake background checks on program applicants, and that 
Congress expressly prohibit private companies from accessing third-
party companies' commercial data to determine applicants' risk 
assessments.
    Registered Traveler also remains largely undefined, but the TSA's 
public pronouncements suggest the basic parameters of the program. 
Frequent flyers would be granted some combination of alternating 
security screening benefits, which would induce them to undergo an 
extensive background check to pre-clear them for flying. Passengers 
would be required to provide extensive amounts of sensitive, personally 
identifiable information to qualify. The information provided is likely 
to include, but not be limited to, financial and credit information, 
residence history, and biometrics such as an iris scan or fingerprint. 
If the background check--either undertaken by the government or a 
private sector company--raises no red flags, the applicant would either 
(depending on the airport) be permitted to cut to the front of the 
security screening lines (as has been done in the Orlando, Florida 
pilot program), or would be ushered into a screening lane dedicated 
solely for Registered Traveler participants.
A. Security: Registered Traveler Wrongly Assumes Background Data can 
        Predict a Person's Future Behavior
    Like Secure Flight, Registered Traveler rests on a dangerously 
flawed premise, which causes it to provide the illusion of greater 
security without actually making airlines safer. Registered Traveler 
will be vulnerable to ``sleeper cells,'' i.e., terrorists with no 
previously known or detectable ties to terror who could establish 
themselves as unremarkable members of society. To support Registered 
Traveler, one must accept the untested premise that by checking a 
would-be flyer's background, the government (or a commercial 
enterprise) can identify terrorists and predict a flyer's future 
behavior. This premise is fatally flawed. The data that will be 
provided for a background check may allow a credit card company to 
determine whether a person is a credit risk, but it cannot identify 
someone harboring a dangerous plan and a willingness and capability to 
undertake a terrorist attack that causes a threat to aviation. No one 
knows what criteria will allow the government to ferret out the 
innocent traveler from the sleeper cell participant waiting for 
instructions to carry out a terrorist attack. For example, the four men 
who bombed the London, England subway system on July 7, 2005 reportedly 
had no prior known ties to terror. Thus, no amount of data could have 
uncovered their sympathies or plans. Similarly, the 9/11 terrorists 
spent many months in this country, demonstrating that Al Qaeda is 
patient and well funded. Congress should expect that similar cells of 
innocent-seeming individuals could be sent to this country to establish 
lives that would allow them to pass the Registered Traveler background 
checks. This would allow them to avoid suspicion until they later 
receive instructions to conduct terrorist attacks. Because glaring 
loopholes exist in the Nation's physical screening, no amount of 
``layered security'' will detect these sleeper cells.
    Further, while background checks look at people's data histories, 
they only provide a review at one moment in time. Thus, they cannot 
predict future behavior. Simply because a person has not, to date, 
demonstrated indicia of adherence to a dangerous ideology does not mean 
that a person's ideology will not evolve. No one could have predicted 
the rapid transformation of John Walker Lindh from college student to 
disgruntled Taliban fighter. Further, TSA must not focus solely on Al 
Qaeda. Lone, disgruntled individuals may lose their minds and some may 
attempt to commit a terrorist attack on aviation. If that person has 
previously been an upstanding member of society, there would be nothing 
to prevent them from participation in Registered Traveler and its 
lessened security screening.
B. Privatization of Registered Traveler is Dangerous: Registered 
        Traveler Misaligns Profit Motive with Security
    Registered Traveler will make Americans less safe because it 
misaligns profit incentives with the national security needs of this 
country. Corporations exist to make profit for their owners and 
shareholders. That legal reality creates an incentive to optimize and 
cut corners where possible. Thus, privatization of such a program will 
make us less safe in two different ways.
    First, to attract participants, companies will offer the fastest 
possible screening lanes, while maximizing profits. This will require 
hiring low-cost, low-skill laborers who will go through the motions of 
screening Registered Traveler participants for weapons and explosives. 
The government's TSA screeners already routinely fail to identify such 
dangerous contraband during routine testing. Private screeners, 
overseen by managers who are intent on maximizing the attractiveness of 
the Registered Traveler screening lanes, will have a disincentive to go 
the extra mile to identify items that could bring down a plane or harm 
the crew and passengers; doing so slows down screening and eliminates 
the one advantage for participants. Furthermore, the same company will 
take applications for Registered Traveler, conduct the background 
checks on applicants, gather the biometric data to issue pass cards, 
and then may perform screenings at the airports. This streamlined, 
profitable vision does not provide for sufficient security oversight. 
If a terrorist fools the one company the terrorist applies to, the 
terrorist will be given a Registered Traveler pass providing them with 
reduced physical screening at the airport every time they attempt to 
fly.
    Second, offering ``advantages'' to decrease screening time per 
flyer, such as those TSA has publicly promised--i.e., not forcing 
individuals to have their shoes, jackets and laptop computers 
screened--creates vulnerabilities. If there is a security value in 
screening for these items, then all flyers--whether they are in the 
regular screening lanes or the dedicated Registered Traveler screening 
lanes--should be forced to comply. Congress should expect that Al Qaeda 
or other enemies of this Nation will detect the weaker security 
protocols for Registered Travelers and will attempt to exploit them to 
carry out future attacks.
C. Civil Liberties: Reliance on Flawed Commercial Data Leads to the 
        Wrongful Placement on a List of Un-Register-able Travelers with 
        Unknown Consequences
    Registered Traveler also impermissibly threatens civil liberties. 
The background checks will rely on commercial data, which is 
notoriously inaccurate. Data errors are common in every database. 
Numbers and names get transposed. While there can be only one Senator 
Ted Stevens, data about people with similar names, like T. Stevens, 
Teddy Stevens or Theodore Stevens could be wrongly merged with the 
Senators files collected by various companies. \7\ The data aggregators 
who are most likely to provide the commercial data, like ChoicePoint, 
do not audit the accuracy of their dossiers of information. Thus, 
either the government or a private company will assign a risk 
assessment to Registered Traveler applicants that could be 
fundamentally wrong. Current law does not give consumers the right to 
access, review, and correct errors in files maintained by commercial 
enterprises.
    In the fall of 2005, Congress decided this risk was unacceptable 
and passed a law expressly prohibiting TSA from using commercial data 
to pre-screen passengers for Secure Flight. Congress codified this 
understanding in the FY 2006 Department of Homeland Security 
Appropriations bill. During the Senate Appropriations Committee's mark-
up of the bill, Ranking Member Robert Byrd (D-WV) said that:

         . . . the bill contains an important protection for the 
        privacy rights of Americans. We need always to keep these 
        rights in mind. I thank Chairman Gregg for his support of 
        language that I recommended concerning Secure Flight, the 
        Department's proposed new airline passenger profiling system. 
        The language would prohibit the use of commercial databases for 
        confirming the identity of airline passengers. Such commercial 
        databases are unreliable and potentially invade people's 
        privacy.
    Transcript of Senate Appropriations Committee Mark of H.R. 2360, 
the FY 2006 DHS Appropriations bill, July 7, 2005 (emphasis added). On 
January 20, 2006, TSA demonstrated that it did not get the message when 
it announced that the newly reformulated Registered Traveler program 
would have private companies screen data collected by other private 
companies concerning applicants. The ACLU, therefore, requests that 
Congress again expressly prohibit by statute TSA--or companies with 
which TSA contracts to perform Registered Traveler services--from 
utilizing commercial data to assess applicants for Registered Traveler.
    No one--not Congress, TSA, the companies wishing to operate 
Registered Traveler programs, or the ACLU--knows what it will mean for 
someone to be wrongly denied when they apply for Registered Traveler. 
If a third list of Un-Registerable Travelers is created from those 
blocked from joining Registered Traveler, there may be other 
consequences such as that list being used to deny the applicant a 
government security clearance necessary for a job, or to prevent the 
applicant from entering a government building. Several questions about 
the consequences should be considered:

        1) Will those denied registration be put into a third list of 
        undesirable flyers--the ``Un-Registerable Travelers?''

        2) If so, will they be automatically selected for additional, 
        intrusive screening every single time they fly?

        3) If private companies, essentially functioning as government 
        actors, wrongly determine that an applicant poses a risk, what 
        legal recourse will the flyer have to challenge that finding if 
        it is used to create a third list?

    Moreover, those denied the chance to be Registered Travelers will 
be forever required to pass through the ``slow'' screening lanes for 
all flyers. There, they will be subjected to more invasive screening 
than the Registered Travelers. Finally, those denied are likely to be 
disproportionately poor, minorities, and women; these groups simply are 
less likely to have the lengthy data trail and credit standing to 
guarantee participation. Congress will need to ensure that this program 
cannot create a de facto second-class status for would-be flyers whose 
commercial data is not as clean as that of wealthy businessmen.
D. Privacy: Frequent Travelers Should Not be Forced to Choose Between 
        their Sensitive, Private Information and Speed of Screening
    Registered Traveler also poses an unacceptable inducement that 
causes business and other frequent travelers to involuntarily forego 
their personal privacy for the promise of speed and efficiency in 
screening. This is a choice that Congress should not ratify. No one 
should be forced to choose between privacy and speed. When screening 
lanes are taken from the mass of the flying public and dedicated for 
Registered Travelers, the lines for everyone else get significantly 
longer. This creates a scarcity of time and screening lanes. 
Inevitably, the occasional traveler or privacy-sensitive traveler will 
be induced to undergo extensive background checks and share their most 
sensitive, personally identifiable information to migrate to the faster 
lanes. Given a truly equal choice, almost no one would voluntarily 
share his or her private information. But when the TSA turns screening 
into a chokepoint at airports, it forces people to override their 
instincts. This enforced scarcity renders the choice to share private 
information involuntary.
E. Speed and Efficiency Benefits Negligible, Unproven and Possibly 
        Illusory
    Ironically, the benefits of participation in Registered Traveler 
remain unclear and will likely prove illusory as the program grows and 
increasing numbers of people are registered for the ``fast lane.'' To 
date, the TSA has not published any studies demonstrating that either 
dedicating screening lanes for Registered Traveler participants, or 
allowing Registered Traveler participants to jump to the front of the 
line, will not make the lines for the mass of the flying public longer. 
A small percentage of frequent flyers constitute a disproportionate 
percentage of the individual screening interactions. Therefore, simply 
removing them from the ``slow'' screening lines will not necessarily 
translate into faster screening lanes for Registered Travelers. If we 
assume that the vast majority of all the targeted frequent flyers 
participate, then the dedicated lines for Registered Travelers will be 
lengthy at peak flying times. During off-peak hours, the lines are not 
likely to be long in either the normal screening lanes or the 
Registered Traveler lanes. Similarly, some airports do not experience 
the lengthy lines that would push people to apply for Registered 
Traveler. Finally, TSA promises to occasionally modify the screening 
protocols for Registered Travelers to avoid predictability by 
terrorists. This will erode or eliminate any of the already negligible 
speed and efficiency gains and it does little for frequent flyers eager 
to fly during peak hours. The ACLU, therefore, wonders how TSA can 
guarantee Registered Traveler participants any benefits at all.
    The ACLU recommends that Congress expressly eliminate the 
authorization for Registered Traveler and ensure that all flyers be 
treated efficiently during screening. The ACLU further recommends that 
Congress utilize the funds saved to redesign some airports to permit 
for more screening lanes to be used by all flyers, purchase more 
screening equipment and hire more TSA screeners.
IV. Conclusion: Secure Flight and Registered Traveler are Not Ready for 
        Take Off and Congress Must Take Action
    The ACLU has shown that Secure Flight and Registered Traveler pose 
unacceptable risks to security, civil liberties and privacy. For too 
long, TSA has wasted money attempting to launch programs predicated on 
a flawed assumption that a flyer's behavior can be predicted by 
reviewing information collected about their past. Since TSA cannot 
demonstrate the benefits of these programs Congress should:

   Expressly eliminate the statutory authorization for TSA to 
        test and implement these programs, irrespective of the 
        programs' names.

   Request that the TSC scrap the bloated No Fly and Selectee 
        Lists and instead maintain a pared down list of known 
        terrorists who pose a specific threat to aviation security. TSA 
        and TSC should then be directed to compare passenger manifest 
        lists to the names of those terrorists who buy tickets and 
        attempt to fly under their own names.

   If Congress permits Registered Traveler to proceed, Congress 
        should insist that it be solely government run and operated.

   If Congress insists that Registered Traveler be partially 
        privatized, it should prohibit expressly Registered Traveler 
        companies, or any companies performing background checks, from 
        utilizing commercial data about applicants obtained from other 
        companies.
ENDNOTES
    \1\ During Fiscal Years 2002 through 2006, Congress has 
appropriated a total of $162.3 million for the combined CAPPS II and 
Secure Flight program, and $30 million for Registered Traveler. The 
Presidents' FY 2007 budget requests an additional $40 million for 
Secure Flight.
    \2\ The ACLU does not oppose the Federal Government's keeping and 
maintenance of a list of terrorists known to pose a threat to aviation 
security. Keeping such a list, limited only to known terrorists, 
focuses the Nation's anti-terror efforts to prevent against another 
attack on a passenger airline. Coupling a refocused list with (1) 
improved physical screening of all carry-on bags, luggage and cargo; 
and (2) the introduction of new technologies that are narrowly tailored 
to search for threats such as plastic explosives which cannot be 
detected by current metal detectors, will substantially improve the 
safety of domestic commercial air flights, while eliminating 
infringements on civil liberties and privacy. Where, in the rare 
instance, people attempting to fly have names similar to such known 
threats to aviation security, TSA and TSC could request the submission 
of the bare minimum of additional personally identifiable information--
such as three part name and date of birth--that will distinguish 
innocent travelers from terrorists. TSA and TSC also should be forced 
to provide a means for permanently removing these innocent people from 
suspicion, perhaps through the government's provision of a unique 
identifier.
    \3\ See, H.R. Conf. Rep. No. 109-241, at 54 (2005). (``The 
provision also prohibits the use of commercial data.''); and Pub. L. 
No. 109-90 Sec. 518(e), (``None of the funds provided in this or 
previous appropriations Acts may be utilized for data or a database 
that is obtained from or remains under the control of a non-Federal 
entity: Provided, That this restriction shall not apply to Passenger 
Name Record data obtained from air carriers.'').
    \4\ The ACLU fears that unless Congress acts, the principle of 
information sharing will lead to the migration of the No Fly and 
Selectee Lists to other government agencies, which may use the lists to 
wrongly deny innocent individuals access to government buildings. It 
would be unacceptable for these Lists, which should be used only to 
find and stop those who threaten aviation, to be used to prevent 
innocent people from accessing government buildings. Members do not 
want veterans wrongly denied access to Veterans Affairs offices or 
senior citizens wrongly denied access to Social Security Administration 
buildings. Furthermore, circulation of these lists--once pared down to 
one list consisting solely of those known threats to aviation 
security--make it far more likely that terrorists will know the 
government is looking for them by name. Thus, national security 
concerns suggest that the revised List be kept close and used only for 
passenger pre-screening. Therefore, the ACLU recommends that Congress 
should explicitly mandate that the No Fly and Selectee lists not 
metastasize and migrate to be used by other Federal, State and local 
governments.
    \5\ Section 522 provides in pertinent part:
    (a) None of the funds provided by this or previous appropriations 
Acts may be obligated for deployment or implementation, on other than a 
test basis, of the Computer Assisted Passenger Prescreening System 
(CAPPS II) or Secure Flight or other follow on/successor programs, that 
the Transportation Security Administration (TSA), or any other 
Department of Homeland Security component, plans to utilize to screen 
aviation passengers, until the Government Accountability Office has 
reported to the Committees on Appropriations of the Senate and the 
House of Representatives that--

        (1) a system of due process exists whereby aviation passengers 
        determined to pose a threat are either delayed or prohibited 
        from boarding their scheduled flights by the TSA may appeal 
        such decision and correct erroneous information contained in 
        CAPPS II or Secure Flight or other follow on/successor 
        programs;

        (2) the underlying error rate of the government and private 
        data bases that will be used both to establish identity and 
        assign a risk level to a passenger will not produce a large 
        number of false positives that will result in a significant 
        number of passengers being treated mistakenly or security 
        resources being diverted;

        (3) the TSA has stress-tested and demonstrated the efficacy and 
        accuracy of all search tools in CAPPS II or Secure Flight or 
        other follow on/successor programs and has demonstrated that 
        CAPPS II or Secure Flight or other follow on/successor programs 
        can make an accurate predictive assessment of those passengers 
        who may constitute a threat to aviation;

        (4) the Secretary of Homeland Security has established an 
        internal oversight board to monitor the manner in which CAPPS 
        II or Secure Flight or other follow on/successor programs are 
        being developed and prepared;

        (5) the TSA has built in sufficient operational safeguards to 
        reduce the opportunities for abuse;

        (6) substantial security measures are in place to protect CAPPS 
        II or Secure Flight or other follow on/successor programs from 
        unauthorized access by hackers or other intruders;

        (7) the TSA has adopted policies establishing effective 
        oversight of the use and operation of the system;

        (8) there are no specific privacy concerns with the 
        technological architecture of the system;

        (9) the TSA has, pursuant to the requirements of section 
        44903(i)(2)(A) of title 49, United States Code, modified CAPPS 
        II or Secure Flight or other follow on/successor programs with 
        respect to intrastate transportation to accommodate States with 
        unique air transportation needs and passengers who might 
        otherwise regularly trigger primary selectee status; and

        (10) appropriate life-cycle cost estimates, and expenditure and 
        program plans exist.

    (d) None of the funds provided in this or any previous 
appropriations Act may be utilized to test an identity verification 
system that utilizes at least one database that is obtained from or 
remains under the control of a non-Federal entity until TSA has 
developed measures to determine the impact of such verification on 
aviation security and the Government Accountability Office has reported 
on its evaluation of the measures.
    (e) TSA shall cooperate fully with the Government Accountability 
Office, and provide timely responses to the Government Accountability 
Office requests for documentation and information.
    (f) The Government Accountability Office shall submit the report 
required under paragraph (a) of this section no later than March 28, 
2005.
    \6\ Section 518 provides in pertinent part:
    (a) None of the funds provided by this or previous appropriations 
Acts may be obligated for deployment or implementation, on other than a 
test basis, of the Secure Flight program or any other follow on or 
successor passenger prescreening programs, until the Secretary of 
Homeland Security certifies, and the Government Accountability Office 
reports, to the Committees on Appropriations of the Senate and the 
House of Representatives, that all ten of the elements contained in 
paragraphs (1) through (10) of section 522(a) of Public Law 108-334 
(118 Stat. 1319) have been successfully met.
    (b) The report required by subsection (a) shall be submitted within 
90 days after the certification required by such subsection is 
provided, and periodically thereafter, if necessary, until the 
Government Accountability Office confirms that all ten elements have 
been successfully met.
    \7\ This is a similar issue to that, discussed above, that 
reportedly plagued U.S. Senator Ted Kennedy.

    The Chairman. Thank you very much.
    Our next witness is Bill Connors, the Executive Director 
and Chief Executive Officer of the National Business Travel 
Association.
    Mr. Connors?

    STATEMENT OF BILL CONNORS, EXECUTIVE DIRECTOR AND CHIEF 
    OPERATING OFFICER, NATIONAL BUSINESS TRAVEL ASSOCIATION

    Mr. Connors. Mr. Chairman, pleasure to be here--Senator 
Inouye--thank you for inviting us.
    Distinguished Committee Members, the National Business 
Travel Association's honored to be here today to participate in 
this discussion regarding the Registered Traveler Program and 
Secure Flight.
    NBTA is the world's largest association of corporate travel 
buyers, corporate meeting planners, and travel purchasing 
professionals. A majority of the Fortune 500 companies in this 
country have travel managers within our organization. Our 
members direct millions and millions of business travelers each 
day. So, we're pleased to be here representing the interests of 
America's corporations, their travelers, and their ability to 
conduct commerce around the globe.
    NBTA has been particularly focused on the issues of travel 
security and travel facilitation since 9/11. We're especially 
interested in the Registered Traveler Program, and look forward 
to its expansion. As a participant, myself, in the Registered 
Traveler pilot program here at Reagan Airport, I think the 
program offers business travelers two important improvements: 
productivity and predictability.
    In recent NBTA surveys, we found that 92 percent of 
frequent business travelers have a desire to join an RT 
program, so there's clearly a demand for this concept.
    NBTA has been encouraged by the recent vision set forth by 
Secretaries Rice and Chertoff regarding issues of security and 
travel facilitation. We've been further encouraged by a growing 
theme from our friends at DHS and TSA suggesting resources 
should be focused on the most serious potential risks to our 
Nation. The Registered Traveler Program is a good example of 
how smart risk management can both enhance the airport 
experience and allow for greater focus on finding potential bad 
guys. The RT Program will allow TSA to search a smaller 
haystack while moving people more efficiently through our 
airports.
    NBTA has been a strong supporter of the RT Program, 
provided four basic requirements are met in any public or 
private administration of the program. Those four are, number 
one, that the program is strictly voluntary; number two, that 
the privacy of the participants is protected; number three, the 
program actually saves time for participants, while not slowing 
down nonparticipants; number four, the program is 
interoperable, secure, and overseen broadly by Federal 
authority.
    We've heard a lot today about the Registered Traveler 
program, and while I'm aware there's great interest in this 
program, I am also aware that it's been very slow to 
materialize. Mr. Chairman, we could use your leadership on this 
particular issue. We would be happy to see you establish some 
specific program deadlines, and perhaps even recall this 
Committee three months from now to talk about progress on the 
Registered Traveler Program.
    It is our hope that the RT program will be up and running 
in 2006 at scores of airports across this country, helping 
thousands of business travelers get back on the road to do the 
business of America.
    Though we're largely here to talk about Registered 
Traveler, I would like to say a couple of things about Secure 
Flight. In regards to the Secure Flight program, we agree with 
many others here that airport screening procedures should use 
passenger data that is clean, clear, consolidated, and current. 
Pinging passenger names off multiple lists from multiple 
agencies yields multiple results.
    The Secure Flight program must comply with the ten 
operational standards laid out by Congress and reported in the 
GAO report of March 2005. And we want to emphasize one of those 
standards in particular, which several others have emphasized 
here, as well. There must be a simple, secure passenger-redress 
system for removal from No-Fly lists. This must become a 
priority immediately in moving forward in any future program.
    Finally, any changes in data-collection policies must 
consider costs to the corporations, the agencies, and the 
airlines who are asked to collect that data. That last point 
implies that involving private-sector in all of these 
discussions about passenger screening would help facilitate the 
program. In that regard, we again applaud the shared vision 
statement from Secretaries Chertoff and Rice calling for a 
private-sector advisory board to offer input on programs like 
the very two that we're talking about today.
    The National Business Travel Association stands ready to 
support and serve with DHS and State in standing up such a 
body.
    Thank you very much for the opportunity to be here.
    [The prepared statement of Mr. Connors follows:]

   Prepared Statement of Bill Connors, Executive Director and Chief 
        Operating Officer, National Business Travel Association

    Thank you Mr. Chairman, Senator Inouye and Members of the 
Committee. I am Bill Connors, Executive Director and COO of the 
National Business Travel Association (NBTA). On behalf of our members, 
I appreciate the opportunity to participate in today's hearing 
regarding TSA's passenger prescreening programs--specifically Secure 
Flight and Registered Traveler.
    The National Business Travel Association is the authoritative voice 
of the business travel community, representing more than 2,700 
corporate travel managers and travel service providers who collectively 
manage and direct more than $170 billion of expenditures, primarily for 
Fortune 1000 companies. Our members represent a broad cross-section of 
corporate America including millions of business travelers.
    I want to first express the collective appreciation of the business 
travel community for your commitment to addressing the important issues 
of the Registered Traveler and Secure Flight programs and for including 
the perspective of the frequent business traveler in today's hearing. 
Our members share a common bond with many of the Members of this 
Committee in that travel is an occupational necessity.
    Each day, thousands of business travelers arrive at airports across 
the Nation, ready to traverse the security checkpoints. Theirs is a 
perspective which differs significantly from other stakeholders in this 
process. Our Nation's most frequent travelers have a unique view of the 
effectiveness and the deficiencies of our current security regime, and 
it is vitally important that this perspective be considered in the 
debate over new security programs.
    Business travelers over the past four years have experienced 
significant constraints given the cascading security requirements set 
forth by the Congress and implemented by the Department of Homeland 
Security. Business travelers are among the most experienced visitors at 
our airports and certainly understand and appreciate the necessity for 
these security measures to ensure national security and the continued 
viability of commercial aviation.
    NBTA supports the goals of the prescreening and physical screening 
regimes put in place in response to the 9/11 attacks. In the aftermath 
of the terrorist attacks, business travelers were among the first 
passengers in the sky, and are again traveling in record numbers, as 
aviation levels return and even surpassing record levels. Over the past 
four years, one universal theme has been iterated by the vast majority 
of these travelers--we can and must establish more efficient and 
effective security measures by soliciting the cooperation of frequent 
travelers and utilizing available technologies to accomplish a less 
onerous and more effective level of safety and security.
Registered Traveler
    The announcement by the Transportation Security Administration 
(TSA) regarding the national Registered Traveler plan was a welcome 
development for business travelers. RT pilot programs, such as the one 
undertaken at the Orlando International Airport, demonstrate that 
frequent travelers will embrace an opt-in system which provides a level 
of expediency and predictability to the screening process.
    The RT initiative is a concept endorsed by the 9/11 Commission and 
Members of Congress as a way to enable security personnel to dedicate 
resources to more targeted risks. This concept is rooted in the belief 
that strong, effective travel security lessens unnecessary burdens on 
travelers. Registered Traveler is a demonstrable example that 
utilization of current technologies has the potential to provide the 
more than six million frequent business travelers with a more rapid, 
yet still secure screening process.
    Affording passengers the opportunity to opt-in to the RT program 
provides a measure of predictability and reliability that corporate 
America has long sought. As companies seek to squeeze greater 
productivity gains out of their workforce, the ability of traveling 
employees to navigate through a web of security checkpoints in an 
efficient and reliable manner is critical in reducing time spent in the 
airport and increasing time spent conducting business.
    Wait times at security checkpoints are anything but constant and 
current protocols dictate that passengers must arrive even earlier to 
ensure they are processed through security. Further, passengers 
traveling to different airports throughout the country have no ability 
to gauge wait times at each respective airport. While TSA has made 
measurable progress over the past year in addressing this issue, RT 
provides the promise that frequent business travelers will realize an 
increased level of measurability with respect to checkpoint wait times.
    Much of the anecdotal evidence received from NBTA members 
participating in the Orlando International Airport pilot project 
indicates that RT participants indeed realized significantly reduced 
wait times. This was true even though the Orlando participants received 
the same security scrutiny (such as removal of shoes and coats) as did 
non-Registered Traveler participants. However, participants did benefit 
from access to a segregated security screening line. We fully expect 
that business travelers will derive even greater benefits when the full 
program is implemented and a complete slate of additional benefits is 
available to participants.
    The success of the Orlando pilot project holds much promise for the 
potential of a national RT program, yet to ensure the fundamental 
success of the program, TSA must continue to address certain 
fundamental issues. TSA must continue to provide assurances that 
privacy concerns will be addressed in the implementation of the 
national Registered Traveler program. In a joint survey conducted by 
NBTA and the Travel Industry of America, 92 percent of business 
travelers indicated a desire to participate in this program, and we 
expect that number to increase as the process becomes more transparent 
and TSA continues to offer assurances that passenger information 
privacy will be a primary tenet of the RT program. TSA's Registered 
Traveler archetype of a market-driven, private sector model must have 
informational safeguards governing the provision of personal 
information to third parties.
    TSA has indicated that a core security assessment will be a 
requirement for each applicant seeking participation in the RT program, 
but more in-depth background checks using commercially available data 
may be undertaken by the private program providers. The trade-off for 
increased security scrutiny, as iterated by TSA, will be ``a variety of 
enhanced or time-saving participant benefits at passenger screening 
checkpoints.'' As an opt-in system, RT applicants will have the final 
say in the information they seek to provide above and beyond the 
required TSA baseline information. Additionally, these enhanced 
security benefits could be derived through the deployment of additional 
security technology at RT checkpoints, such as Trace Detection 
equipment.
    NBTA has joined many other stakeholders in this process in calling 
for a system of mandatory interoperability. Enrollees must be able to 
reap the benefits of participation at all airports engaging in the RT 
program. Corporate travel managers must be assured that private 
companies offering Registered Traveler cards will indeed work to 
develop a network where participants have universal access to RT 
privileges, regardless of the company providing the card. Additionally, 
interoperability will increase competition among companies offering RT 
cards, and as a consequence consumers will likely receive increased 
benefits at competitive costs. Stakeholder groups under the umbrella of 
the Voluntary Credentialing Industry Coalition (VCIC) have already 
initiated efforts to establish interoperability standards. These 
efforts signal a willingness on the part of industry to cooperatively 
engage with TSA in crafting a system that is viable and attractive to 
the business community.
    Registered Traveler is a unique concept in the current security 
environment because it constitutes the first program dedicated 
exclusively to both traveler facilitation and focusing limited security 
resources in a threat based model. Significant progress has been made 
in outlining the RT program, and it will take the cooperative 
involvement of the aviation industry, government officials and 
travelers to ensure the system can continue to provide visceral 
benefits to participants.
Secure Flight
    NBTA supports the steps taken by Congress to ensure the viability 
of Secure Flight before it becomes operational. As we all know, the 
current system draws too many people into secondary screening. Many 
frequent travelers have witnessed grandparents, children, and even 
Members of Congress unnecessarily selected for secondary screening. Not 
only is this process frustrating to the traveler, but it draws 
important resources away from the screening process. The process 
reflects the need to move forward in crafting a more pensive, 
comprehensive, threat-based model of security screening.
    As TSA moves closer to launching Secure Flight, we urge careful 
consideration of several critical issues outlined in the March 2005 
General Accountability Office (GAO) report to Congress. GAO described 
the progress that TSA has made in addressing the ten critical elements 
outlined by Congress, but GAO also appropriately recognized that 
additional progress is necessary leading up to the implementation of 
Secure Flight. Specifically issues of passenger redress as well as 
privacy concerns must be fully addressed in advance of the roll-out of 
this program.
    It is difficult to discuss Secure Flight or passenger pre-screening 
issues without addressing the issue of passenger redress. Numerous 
business travelers have been ensnared on TSA's No Fly List or Selectee 
List, with little knowledge of how to navigate through the recourse 
process. These travelers then find out that they must complete the 
Passenger Identity Verification Form, mail the form to TSA, and wait 
for a finding. This antiquated system is time consuming and 
inefficient.
    While the high profile cases of mistaken identity might provide 
amusing headlines, the hundreds of cases of mistaken identity involving 
less famous business travelers are just as serious. A recent survey 
conducted by NBTA found that over one-fourth of our member companies 
have over 5,000 business travelers per year. The frequency of business 
travel offers many chances for a case of mistaken identity and the 
disruptions that come with it. Many of our member companies struggle 
daily with watch lists issues that eventually are resolved, but the 
length of the process and the interim time spent waiting for resolution 
is costly to American businesses. An expedited process utilizing 
current technologies is not only possible, it's necessary.
    Recently, Homeland Security Secretary Chertoff and Secretary of 
State Rice announced the Secure Borders and Open Doors initiative which 
included a proposal for ``one stop'' redress for travelers ensnared on 
the watch lists. This initiative promises a government-wide traveler 
screening redress process to resolve questions if travelers are 
incorrectly selected for prescreening. This is an extremely positive 
development, and NBTA fully supports the effort undertaken by both the 
Department of State and Department of Homeland Security to develop a 
system that utilizes current technologies to expedite passenger 
redress. As this system is being developed, TSA has indicated that it 
will continue to utilize its current Office of Redress to handle any 
watch list issues.
    One of the fundamental problems of the current system is that most 
business travelers and their corporate travel managers are not aware of 
the procedures for redress. Even those travelers who are aware of their 
redress options find the current system exceedingly difficult to 
maneuver through. Many passengers have reported continued problems with 
repeated additional screening even after they have undergone all 
redress procedures and have been cleared by TSA. We urge that 
throughout the life of the current system and in advance of the 
implementation of the new passenger redress system, TSA undertake 
efforts to educate the traveling population on the steps passengers can 
take to resolve the questions of selection for additional screening.
    While the problems with passenger redress may appear to be an 
individual problem, it has a definitive and collective impact on 
corporate travel planning. Similarly, seemingly insignificant changes 
to informational requirements have had significant financial impacts on 
several corporations. Secure Flight will require passengers to provide 
additional personal information in advance of travel. While this may 
seem innocuous to individuals required to provide the information, it 
poses some concerns for corporate travel.
    Seventy percent of corporate travel managers currently utilize 
corporate online booking tools to capture the information necessary to 
book travel for their corporate travelers. That number is expected to 
grow to 90 percent or more within two years. And while there is no 
institutional resistance to making these appropriate changes to 
accommodate passenger prescreening, changes in the fields of 
information required by TSA would impose a significant cost on 
companies and businesses utilizing online booking tools, as they would 
have to revamp the software to capture and send newly required data.
    Additionally, it is possible that information required by Secure 
Flight could force companies to undertake the cost of revamping 
internal privacy polices, as many companies currently prohibit 
providing employee personal information, such as social security 
numbers and date of birth, to third parties. NBTA encourages TSA to 
work closely with the private sector to ensure that Secure Flight can 
work with current and future systems used for booking travel. Corporate 
travel managers have made several changes to travel booking software 
over the last four years, and will continue to work to ensure corporate 
compliance with new security regulations. Yet, Federal officials must 
understand that small changes in informational requirements impose 
significant costs on corporate travel. From proposed CDC avian flu 
regulations seeking additional passenger information to Secure Flight 
informational requirements, costs on business could be significantly 
reduced if Federal agencies would work in concert to determine what 
type and format of information will be required and impose those 
requirements at one time.
    The Secure Borders and Open Doors program may provide a framework 
for meeting that goal. Among the initiatives outlined in the Department 
of Homeland Security and the Department of State announcement, was 
developing an advisory board that would help determine best practices 
related to travel policies. NBTA supports this concept as we believe 
that this forum provides an opportunity to present unique private 
sector views to Federal officials in advance of significant rulemaking 
processes.
    Ultimately Secure Flight will allow the U.S. government to focus 
more on the real threats and less on the millions of frequent travelers 
who are going about the Nation's business. However, there is a need for 
a clear and stable regulatory framework to guarantee free movement of 
personal and corporate data while maintaining privacy, confidentiality 
and security. More importantly, this framework will help to ensure 
consumer and corporate confidence in the exchange of information 
through the security screening process.
    Mr. Chairman, I appreciate the opportunity to testify today, and 
thank you and the Committee for your leadership in recognizing the 
critical impact of these issues on business travel.

    The Chairman. Thank you very much for that comment.
    Well, Mr. May, I'm back where I started before. This is not 
the subject of this hearing, but the baggage still bothers me. 
And I know that you've got layers of security measures that you 
have to deal with. And the question I asked the other day was, 
Why isn't that little box that the bag has to fit in to go 
under the seat right there beside the screeners? I was told by 
people, when I objected to someone walking in front of me that 
had two suitcases larger than mine, and on the top of the 
little handle was a briefcase larger than my suitcase, and it 
had, obviously, a lot of computer stuff in it. Neither one of 
them would fit, hardly, in the overhead, let alone under the 
seat.
    Now, doesn't the whole problem of these programs we're 
discussing here--aren't they affected by the time with which it 
takes to take all that baggage onboard an airplane?
    Mr. May. Mr. Chairman, the good news is that I've had a 
series of conversations with some of our most senior executives 
since you and I spoke, night before last, on this subject. And, 
of course, it was a repeat of a conversation we had at another 
hearing in this room, a month or so ago. And I think the good 
news is that we share many of your concerns. The carriers are 
distinctly worried that people bringing on more bags than are 
allowed, bringing oversized bags, heavier bags, et cetera, is 
slowing down the process, it's having a real impact on 
productivity. And so, I'm here to tell you today that we are 
committed to pull the industry together to see if we can't come 
up with some very real solutions.
    As you've identified, there was a time when those size-wise 
so-called requirements were put on the TSA screening equipment, 
so that if it didn't fit through that, size-wise, you had to go 
check it before you even went through security. And I think 
that and a number of other ideas need to be explored as to how 
we go forward. And I'll commit to you today that we're going to 
engage the industry in this right away.
    The Chairman. Well, thank you for that.
    Do you believe that this extra layer now in Secure Flight 
is necessary for security?
    Mr. May. Senator, I think--quite frankly, I shudder to 
think of the hundreds of millions of dollars that have been 
spent on the bigger subject of passenger prescreening. And 
it's, quite frankly, been wasted money, because we don't have a 
program today. I think we absolutely have to have a program 
that is simple, straightforward, that matches passenger 
identification against appropriate watch lists, No-Fly lists, 
et cetera. There probably is not a bigger priority for us, and 
we're the ones, ultimately, that are paying for this. We care 
more about moving people through the process faster and 
efficiently than probably anybody else in the business. And so, 
I think that's where the focus needs to be. I don't think the 
focus needs to be, quite frankly, as popular as it may be, on 
Registered Traveler.
    Mr. Hawley, my good friend, used the word ``market-based,'' 
and I sort of cringe a little bit every time I hear that word, 
``market-based,'' when it applies to aviation, because it 
generally is translated into ``airlines pay.'' And I know that 
TSA--I looked at their budget the other day--plans on making 
about $30 million, in this next cycle, on RT. I know that my 
good friend, Mr. Barclay, has a congressionally mandated 
monopoly on being the entity that checks all this. That was put 
in the appropriations bill last year. I know that a number of 
other people are planning to make a profit off of Registered 
Traveler. And I don't--I'm a great free-enterprise person--I 
think that's all wonderful, but what I don't want to see is the 
airlines ending up paying for yet another failed program that 
doesn't work for everybody. And I'd like to see, instead, the 
focus placed on reducing those seven Government programs down 
to one, those 34 or more data requirements that we're being hit 
with, here and in countries all over the world, simplified to a 
simple template so that we have security that works here, 
security that works in London or wherever the case might be. 
And that's where the focus of this Committee ought to be.
    The Chairman. I think we should take 5 minutes on each 
witness in this panel.
    Senator Inouye?
    Senator Inouye. Needless to say, Alaska and Hawaii have 
unique problems. Interstate travel/intrastate travel require 
air travel. In fact, in our case, it's about 95 percent of the 
travel for the people of my state. And so, this is very 
important to me.
    What sort of coordination do you have with TSA? Do they 
confer with you, or do you regularly meet?
    Mr. May. Senator----
    Senator Inouye. I gather, from these discussions, that we 
have separate entities trying to undo each other.
    Mr. May. Right. I think the fair answer to that question is 
that, historically, the door at TSA has always been open, the 
ears haven't necessarily followed. So, now we have an 
administrator that I think is doing a bang-up job. Very 
difficult circumstances. It's probably one of the tougher jobs 
in town. And I think Kip Hawley is really making some progress.
    I'm pleased with the fact they're finally listening to 
complaints that we first registered with them back in 2002 and 
2003 as to the multiplicity of these different passenger 
prescreening programs, the complaints that they've gotten on 
watch lists. But, as some of the other witnesses have said, 
they've got a mountain of problems in front of them trying to 
get all these programs worked out, getting a redress system put 
in place that's really effective, making sure you've got a 
watch list that's accurate, and a No-Fly list that's accurate. 
It's not an easy job. And I think we, and you, need to help 
them focus on that and on expediting everybody through the 
checkpoints with better technology, putting part-time workers 
on during peak times, finding ways to expedite pilots and 
crews, who are already certified, et cetera, so that we can 
really put the focus on where it's needed.
    They're doing a better job. I think this TSA is the best 
I've seen in the time I've been in this industry. But they 
still have a ways to go.
    Senator Inouye. This question should have been asked of Mr. 
Hawley, but, as a matter of instinct now, I'm at the airport 2 
hours ahead. And I do travel much, and over long distances. And 
I go through the metal detector, like all of you. I find that, 
over half the time, I'm given the special treatment, zip-zap 
all over the place. And here I am taking off my wristwatch, 
shoes, everything else, and coins. Do they adjust the metal 
detector?
    Mr. May. Senator, it--you've asked me for my impression, 
and I think the answer to that is, yes, they do make some 
adjustments. Sometimes it seems that, when I go through--and 
maybe I've forgotten something that's in my pocket, and it 
doesn't set it off; other times, when I think I've really 
cleaned myself out, I set it off. So, I'm not sure but what 
there isn't a different adjustment available to them along the 
way.
    I will tell you this. And it's sort of off the subject. 
This Committee passed legislation telling TSA that we wanted to 
ban lighters in baggage. We talked about the scissors, a little 
bit earlier. I'm advised that fully two-thirds of the bags that 
go to secondary search, that slow up the process for everybody, 
are as a result of those lighters. And I would suggest that, if 
this Committee does anything, it give very careful 
consideration to get rid of that ban, along with the scissors 
and some of the other things, because I think it will expedite 
the process for everybody immeasurably. And I'm not convinced 
that having a BIC lighter in your briefcase is a significant 
security threat.
    Senator Inouye. Do you pass on all of the costs incurred 
through Government activity to the passengers?
    Mr. May. No, sir. I wish we could. We don't have the 
pricing power that we would like to have. And that's why that 
$4 to $5 billion a year that we're paying to DHS and TSA hits 
us so hard. I mean, I look at an agency that has remained 
relatively flat in their budgeting since their inception--it's 
about 4.5, 4.6 billion--and I see our fees have gone from that 
billion-250/260 range up to 4 billion without, by the way, any 
additional congressional or Administration mandates. That's 
just the growth of--based on the fact it's a ticket tax, and 
we've got more fees going in, with the minor--there have been 
administrative increases in the Customs fee and the Agriculture 
fee, for example. So, it's mission creep--in this case, it's 
tax creep--that hits us.
    Senator Inouye. Senator Nelson asked a very interesting 
question, that, at several airports, you have two lines, first 
class and----
    Mr. May. Right.
    Senator Inouye.--economy. Do you have any good rationale or 
justification for that?
    Mr. May. I think--I think the----
    Senator Inouye. I can see where, first class----
    Mr. May. Sure.
    Senator Inouye.--you could have a bigger seat and all of 
that. But on the security?
    Mr. May. Senator, there are expedited lines available in a 
number of different--principally hub airports--all over the 
country, where individual carriers permit their frequent flyers 
and first-class passengers, to move up in what generally is a 
partially separated line, because it then gets merged, because 
everybody goes through the same level of security, no matter 
what. They don't have special security treatment. And to the 
extent that frequent flyers and others have a benefit, I think 
that's perfectly appropriate.
    What I think ought to happen, though, is, once those two 
lines merge, that we have an overall security process that is 
even faster and better than the one we have today. And that's 
where I'd like to see us focus. Rather than reducing some of 
those security requirements to benefit a very few people, let's 
have it available for everybody.
    Senator Inouye. None of us here are technicians. It would 
help very much if all of you can get together and tell us how 
this consolidation of programs can be carried out.
    Mr. May. We have a series of suggestions in my written 
testimony, Senator--I encourage you and your staff to look at 
those--as to how we can bring some of these programs together.
    Senator Inouye. I'm very concerned about identity theft and 
privacy and all those matters, as you know.
    Thank you very much, Mr. Chairman.
    The Chairman. Senator Burns?
    Senator Burns. I have, after listening to all the testimony 
and then reading everything that's in the paper--and, by the 
way, Senator Inouye, I could be riding first class, but I stay 
over there in the economy class, because I'm afraid somebody 
will hit me in the head with a bag when I go walking down 
through there. I don't want to cause a scene or anything.
    Senator Inouye. A man of the people.
    Senator Burns. That's right, a man of the people is exactly 
right.
    I just have one question. Do you still support the 
Registered Traveler and the Secure Flight programs? Are you 
still supportive of those programs, even though we're 
struggling to get them in place in a proper way?
    Mr. May. Senator Burns, from the ATA perspective, we 
absolutely support the concept of Secure Flight, or whatever 
name you want to give to passenger prescreening. It's the 
concept that we support. We don't support, at this time, 
Registered Traveler. We think it takes the focus away from 
where we really ought to have it.
    Senator Burns. Mr. Barclay?
    Mr. Barclay. Senator, airports strongly support both 
programs.
    Senator Burns. Mr. Sparapani?
    Mr. Sparapani. That's excellent, sir, actually. Thank you, 
Senator.
    As I said in my statement, we think that both programs 
ought to be scrapped, and, instead, what Congress should do is 
insist that we retain this idea of focusing on a watch list 
that's vastly pared down to really known threats to aviation 
security. That's where we need to put our energies into. Those 
are the people we need to stop. And I don't think that's 
inconsistent with what Mr. May just said to you. In fact, I 
think if you just whittled that list down, and then prescreen 
against that smaller list, you'll have far fewer of your 
constituents who are stopped or put on these lists and can't 
get off of them. So, there's some consistency here on that 
part.
    Senator Burns. How do we find these bad people?
    Mr. Sparapani. We're going to have to do some work. And our 
Government's going to have to spend some time doing it. I'll 
leave that to the intelligence experts. But I will point out, 
for these two programs, they're premised on a faulty premise, 
which is that--one that we reject, and I think most 
intelligence experts would reject--that terrorists are going to 
show up, buy a ticket--attempt to buy a ticket, and attempt to 
show up under their own name or documents. Once we know who 
they are, they're not going to do that. That's a pre-9/11 
mentality. Identity theft is just simply too easy, Senator.
    Senator Burns. Mr. Connors?
    Mr. Connors. Senator Burns, we agree with our colleagues at 
ATA in supporting Secure Flight, particularly what Mr. May has 
said about having a uniform passenger information-collection 
policy.
    We differ a little bit on our views of Registered Traveler. 
We certainly encourage the expansion of the Registered Traveler 
program so that all citizens who are interested could go 
through the same sorts of lines that Mr. May just described for 
first-class passengers.
    Senator Burns. Well, I've looked at this thing, and they 
keep struggling over there, and I take to heart what Mr. 
Sparapani said. How long do we fiddle around with this thing 
before we finally get something that will work?
    I support the Secure Flight program. And, even with the 
Registered Traveler, I'd be willing to buy a card, I think, you 
know. But, nonetheless, we've got to, some way or other, draw 
some conclusions and either take what we've got and go with it 
or dive completely out of it. It sounds like, to me, we're 
making work. That's what I'm saying. And we're just throwing 
good money after bad. And money that we don't have, by the way.
    And so, those are the questions I had. I'm opposed to 
increasing the tax, I will tell you that right now. I'll----
    Mr. May. Thank you, sir.
    Senator Burns.--go on record. Right now, you look down that 
ticket, and they're going to have to make a bigger ticket. Not 
for a guy that's got a bigger name, or the seat, but how many 
taxes you're going to list on that darn thing. And so, it's 
from that standpoint that I'm pretty up-front about these fees.
    Thank you, Mr. Chairman.
    The Chairman. Thank you.
    Senator Burns. And thank you for your testimony. I 
appreciate it. We've gleaned a lot of stuff from it.
    The Chairman. Thank you.
    Chip, when we look at this program, the new Registered 
Traveler program, it appears as if it was merged with an eye-
scan concept or something, that it would give us a chance to 
deal with people who are really frequent flyers. Now, when you 
look at that program--have you looked at it from the point of 
view of fraud? Can it stand up alone? Can we depend on those 
cards? Do we have to have the eye scan to go along with them?
    Mr. Barclay. The--well, let me go back and say that the big 
distinction--and I think Senator Burns' comments about the two 
different programs points it out--Secure Flight, it's a much 
harder program, because it is looking for terrorists. 
Registered Traveler is about identifying people, at least at 
first, that we know are not threats to the system. That's 
something that we can do. We can figure out who are people that 
don't threaten the system. We can avoid the problems that have 
been raised about identity theft and other problems by making 
sure biometrics are part of the system. And that can be eye 
scans. Some people that may be handicapped and wouldn't have 
the ten fingerprint can use eye scans. You can use the 
fingerprints. So, you make sure, each time that person you 
identified as not being a threat to the system goes through, 
you know that's the person that you've got there, because of 
the matching of the biometrics.
    It's very similar to what we're trying to do at airports 
with the access to secure areas, putting biometrics on many of 
the doors to make sure that, once we vet a person and know 
they're not a risk to the system, we know we've got that person 
every time they go through a door.
    We need to do the same thing with frequent flyers in the 
system, because, as everyone here knows, if you are someone who 
uses the system a lot, you're putting aside a lot of extra time 
in case--not because there are often delays or long lines 
winding through the terminals, but there are, occasionally, so 
you put aside that extra hour every time you fly. The 
productivity loss to people and the economy is enormous. And we 
have these fairly small number of people who represent a great 
percentage of the passengers that want to be treated like 
employees at the airports are treated now.
    If I can make a point, one thing that I think a lot of 
people don't realize is that every day in this country we let 
hundreds of people on airplanes with loaded guns because we've 
done background checks on them, and we trust them not to be 
dangers to the system. We could certainly let people, after 
doing the same kind of background checks on them, not take off 
their shoes and not take out their laptop, and vet them through 
the system more quickly so we can direct our security assets to 
the highest risks. That's what Registered Traveler is really 
about. It's saying, we've got limited security resources, let's 
use them on the highest risks, because we've got a lot of 
people who volunteer information on themselves and pay for the 
program to be able to eliminate them from the risk pool.
    The Chairman. Well, I thank you for that. I do think there 
are a great many of those frequent-flyer people who will go to 
the Registered Traveler Program. Their time is money. I mean, 
they are compensated by the hour. This system, currently, 
really is denying them the use of the valuable time, daytime, 
that they have to use in pursuing their livelihood. I think 
it's a good program.
    Mr. Sparapani, I am a little disturbed about your 
testimony. And you want us to revoke the authorization for both 
Secure Flight and Registered Traveler and set up a process to 
deal with known terrorists.
    Mr. Sparapani. I do. That's----
    The Chairman. Have you----
    Mr. Sparapani.--that's correct, Senator.
    The Chairman.--have you got a list of known terrorists?
    Mr. Sparapani. I'm sorry?
    The Chairman. Have you got a list of known terrorists?
    Mr. Sparapani. No. But the----
    The Chairman. Do you think----
    Mr. Sparapani.--the government----
    The Chairman.--we have a list of known terrorists?
    Mr. Sparapani. I think the Terrorist Screening Center does. 
And that's the public statement from the FBI.
    The Chairman. Well, I'm----
    Mr. Sparapani. And----
    The Chairman.--I'm not so sure. Do you support the 
President's program right now that's under attack, in terms of 
intercepting and tracking the people called within this country 
from outside of the country? You support that?
    Mr. Sparapani. Well, I don't want to equate the two 
programs, Senator.
    The Chairman. Well, I'm asking you if you support it. You 
oppose it, don't you?
    Mr. Sparapani. I--we do oppose the unconstitutional 
application----
    The Chairman. Well, then what's----
    Mr. Sparapani.--of that program.
    The Chairman. What do you support to determine who is a 
terrorist?
    Mr. Sparapani. When we have good intelligence that has 
identified a threat to aviation, we believe there should be a 
list of those people. This is just commonsense safety and 
security. That's the list that I want the Government to use to 
screen for aviation security. And I think if we do that, 
Senator, we're going to have vastly improved security without 
all the civil-liberties deprivations that might arise from a 
bloated list. We can't simply have every Senator Kennedy--
everyone who has a name like Senator Kennedy being stopped 
every time, because there's an E. Kennedy on a list. You 
mentioned your wife's situation----
    The Chairman. Well, Kennedy was embarrassed, but I don't 
think he was really hurt. And I don't think any of us are hurt 
by trying to have the system check us to make sure we are safe 
to get on the plane with other people who are traveling. You 
seem to believe, though, we should somehow or other dream up a 
list of known terrorists, and only they should be subject to 
screening.
    Mr. Sparapani. I think we need to put our focused resources 
onto those people who pose the threat. And if we do so, 
Senator, I really believe that we're going to have vastly 
improved security. We want to--we really want to focus on those 
people who have the capability of threatening airline security, 
and we want to keep that list close. Right now, some of that 
list goes to the airlines every day, but not all of it. So, 
we're not currently----
    The Chairman. But--wait a minute----
    Mr. Sparapani.--vetting against----
    The Chairman. But that's not your statement. You say you do 
not oppose the Federal Government keeping and maintaining a 
list of terrorists known to pose a threat to aviation security.
    Mr. Sparapani. That's correct.
    The Chairman. If a person is known to be a terrorist that 
has other targets in mind, you would let them on the airplane, 
right?
    Mr. Sparapani. No. Senator, if somebody's been violent, I 
would consider that somebody who is a threat to aviation 
security.
    The Chairman. Well, how do you define a person who's a 
threat to aviation security as a terrorist, as opposed to other 
terrorists?
    Mr. Sparapani. Again, if somebody's violent, Senator, and 
has a propensity, and the Government has good intelligence 
based on that, we don't oppose having a list of those people.
    The Chairman. Respectfully, we don't have a list of people 
who are known to be a threat to aviation security. We are 
looking for terrorists----
    Mr. Sparapani. Well, if that's true, Senator----
    The Chairman.--generically.
    Mr. Sparapani.--if that's true, Senator, then the No-Fly 
list itself is----
    The Chairman. All right.
    Mr. Sparapani.--is faulty.
    The Chairman. Well, I--you make some points in your 
testimony that appeal to some of us, in terms of trying to find 
some way to get to the point where we really have a system that 
works, but then you come down and say, ``But it should only 
apply to people who are a threat to security.'' I just cannot 
buy that. And I think that you destroy the value of your 
comments by telling us we should have a list of terrorists who 
are a threat to aviation security. I assume we'd have a list of 
terrorists that pose a threat to Federal buildings. This is 
getting down to the point where I just don't think we can find 
a way to predict terrorist acts.
    Mr. Sparapani. And, Senator, we have an extra additional 
recommendation, which I think would resolve the concern that 
you're raising. We suggest that the money saved should be spent 
on those high-quality, narrowly tailored screening 
technologies, like this new puffer machine; if done right, that 
will prevent weapons and explosives from getting on planes. And 
if you do those two things, I think you're really going to 
demonstrably improve airline passenger safety and security. And 
I think that's what we all want.
    Senator Burns. Would the Senator yield on that point?
    The Chairman. I'd be happy to yield.
    Senator Burns. Explosives being carried on the airplane is 
not the danger. They're not blowing up the airplanes; they're 
running them into things. I think, basically, that's not the 
priority. And then, how do you--if we don't, under a suspect, 
have the right to surveil, I don't see how we find these 
people. Some way or other, it seems to me that we have 
forfeited a little bit of our right to privacy whenever 
terrorists decided to operate like they're operating now. And 
to seek those people out who are the high-risk people, that's 
really the travelers program. Yes, that deals with the majority 
of us; we're the known. But whenever we get over to standing--
oh, about the clandestine and the unknown, I'm going to leave 
that to the clandestine and covert people to collect that 
information.
    But to take a rigid line saying the President is--I'm not 
going to argue the legal end of it, but I will tell you, if I 
was sitting in that school room, and my aide comes in there and 
tells me I've got two buildings down, the Pentagon's been hit, 
and there's a plane down in Pennsylvania, and I've got to make 
a decision, there's not very many of us that have occupied that 
seat, and I want all the information I can get before I jump, 
but I don't have a lot of time to jump. And we're all sworn to 
protect this country against all enemies, foreign and domestic. 
And I think we're venturing into an area here where we all 
sacrificed a little bit when what happened on--at 9/11. We all 
sacrificed.
    Thank you very much, Mr. Chairman.
    The Chairman. Mr. Sparapani, has your organization taken a 
position on the increase in fees for airline passengers that 
was discussed here?
    Mr. Sparapani. Not directly, Senator. I wouldn't want to 
speak whether it's good from a free-enterprise perspective or 
not for these fees. But we all want the flying public to be 
safer. We're trying to help. We want to work with you and this 
Committee, and the TSA, to make the flying public safer. And 
that's the goal that we have and we cherish, as well.
    The Chairman. Thank you.
    Mr. Connors, do you depend on a poll of your members to 
present the statement you've presented here today?
    Mr. Connors. Presented--I'm sorry?
    The Chairman. Did you rely on a poll of your members, or 
some way to contact your members, for the statement that you 
are representing the whole National Business Travel 
Association. I take it these are operators of travel bureaus 
and things like that, right?
    Mr. Connors. No, actually our members are people within big 
corporations across the country who direct, manage, purchase, 
travel on behalf of all----
    The Chairman. I see.
    Mr. Connors.--of those corporate travelers.
    The Chairman. Well, thank you----
    Mr. Connors. So, they're not agencies; they're within 
corporate----
    The Chairman. How did you----
    Mr. Connors. But, to answer your question, we did make a 
reference to a survey that we did with our friends at TIA, 
where we surveyed frequent business travelers. And 92 percent 
of those wanted in on a concept, whatever that concept may look 
like in the end, called Registered Traveler.
    And I'd go a step further and--whether we have research or 
not, you've got an experiment down in Orlando that shows that 
there's a tremendous demand for this. You've got only one 
airport, no interoperability, yet you've got 15,000 people down 
there who are willing to pay 80 bucks, give up all sorts of 
background information, and go through background checks. This 
obviously is going to have tremendous demand once you get more 
than one airport into the system.
    The Chairman. Did you discuss a limit on the cost of that 
card?
    Mr. Connors. We haven't discussed that, and I think the 
marketplace would bear that out.
    The Chairman. Do you have a list of what registered 
travelers would be willing to disclose to get a card?
    Mr. Connors. Well, that's an interesting question. And 
we're looking to TSA, to explain what they are going to ask for 
and what they will get in return. There are two models that are 
being discussed, as far as Registered Traveler goes. There is 
the trust model, which is the one that you're talking about, 
where we ask for more and more background information, and, 
based on that, we'll give you the OK to be in the program. And 
there is the technology model that says if we invest in certain 
technologies, we won't need as much information, whether it's 
foot-screening equipment, things like that to get people 
through without taking their shoes off and all that kind of 
thing. We're interested in pursuing both models but, again, 
we're just waiting for the details about what you need to 
provide for what you get.
    But you know, and I know, that there's a spectrum of people 
out there that won't be interested in this program at all. They 
don't want to give up background information. That's fine. It's 
a voluntary program. Then there are people on this end of the 
spectrum--and I throw myself in this--who would probably give 
you blood, hair samples, DNA, whatever it is, to get through 
that airport faster.
    And I think the experiment in Orlando shows that there's a 
tremendous demand for this, even though the benefits are pretty 
minimal at this point. It's one airport. And you can talk to 
the folks who are running that program. There are people buying 
cards for the Orlando Airport experiment who don't live in 
Orlando. They're just buying it on the back-end trip, because 
they do business there.
    So, we think there's tremendous demand. And you made the 
point that we make all the time about this particular program, 
and that is, time is money. I represent America's corporate 
travelers, and time is, indeed, money. I was a Registered 
Traveler here at Reagan Airport, and that program is no longer 
in use. When I go to the airport now I have a whole different 
time that I leave for the airport now. When I used to be in 
that program, I used to leave an hour before, and now I have to 
leave two 2 hours before. That's an hour, times every single 
trip that I take. Time is money.
    The Chairman. Have you participated with TSA in the 
discussions of the details of the Registered Traveler program?
    Mr. Connors. We have, and we have been pleased that at 
least they've said, ``Yes, we're going to the next step.'' 
Again, we would like to see more details about what they're 
going to ask for, in terms of data on folks, and what they're 
going to offer, in terms of benefits.
    The Chairman. I failed to discuss this with the prior 
panel, but I found out, in recent travel, that if you buy a 
one-way ticket to a certain destination--let's take 
California--I was going there, and then I drove from that 
destination to another place, and then I had a ticket, going 
on. I was treated differently than if I had had a ticket going 
from the first location. These segments are separated, and it 
brings about an additional delay. Do you think the Registered 
Traveler program can be managed to take out that delay so that 
a person having a series of tickets that are sort of looked at 
like they're one-way tickets would be treated the same way as 
someone who had a roundtrip ticket?
    Mr. Connors. Right. Ideally, that's where we'd like to see 
the program go, that there is interoperability between 
airports. So, all I need is my biometric card, and I won't have 
that issue, whether it's at that airport or the one that I'm 
transferring to. So, that's why we're hoping for 
interoperability. Additionally we know that the companies that 
are running this have airports signed up already. They're just 
waiting for that green light from TSA.
    The Chairman. Mr. May, I think as everyone realizes, this 
Committee has jurisdiction over the airline system, as well as 
the TSA system. But we are very worried about the cost of these 
layered systems to the commercial aviation system, passenger 
system, because they're already in trouble, with increased fuel 
costs and increased costs all over the system. Have you got any 
estimate of how much the industry itself has spent on security 
since 9/11? I mean, talk about what the companies have paid for 
CAPPS I, CAPPS II, Secure Flight, and now planning the 
registered system.
    Mr. May. Senator, I don't have any hard-and-fast estimates 
in the aggregate since 9/11, but I think it's fair to say that 
we've gone from spending somewhere in the range of $2.5 to $3 
billion a year in imputed costs as a result of those security 
measures that we are required to perform because TSA won't; 
i.e., that ticket-checker that you see when you stand in line 
is paid for by the airlines, not by TSA. When there is catering 
security, cargo security, it is paid for by the airlines, not 
by TSA. So, we've gone from roughly $3 billion a year at the 
outset, of what we were paying in a total of taxes, fees, and 
imputed costs, to now something well over $4 billion, and if 
the Administration's proposals were to be adopted on the ASIF 
fee and the segment tax, you'd add another billion-four or -
five to that. So, if you multiply out--that out times the 
number of years, it's double-digit billions of dollars that 
this industry has paid for what we fundamentally believe is a 
function of national security.
    The Chairman. Do you have any more questions, Senator?
    Senator Inouye. No, thank you.
    The Chairman. Well, we thank you all for coming. We thank 
the first panel, too. I do believe Mr. Connors has a point and 
that is that we have an ongoing review of the system. So, I 
would like to assure you that sometime by the end of May, we 
will be asking for additional information to see what, if 
anything, we might have to do to suggest a change in law or to 
find a way to deal with the complications of this security 
system. The airline passengers are the only ones that are 
paying for their security today, and the airline companies are 
the only ones that are really paying totally for the security. 
And I think that the security system across all modes of 
transportation needs to have a review. We'll talk about that 
later, too.
    But we do appreciate what you're doing. I think, Mr. 
Hawley, we're pleased with the way you're moving forward and 
trying to get this program really to the point where it has 
greater support from the public. All of us in Congress, I 
think, get as much comment about this subject, of the delays in 
air transportation and the impacts of the security program, 
than any other subject we deal with.
    So, we hope to be back and have a--if not a formal hearing, 
at least a discussion with the participants sometime by late 
May to see what's happened and what, if anything, we can do to 
assure that this program will mature and get to the point where 
it has, really, the support it needs from the traveling public.
    Well, we thank you very much.
    Senator do you have anything further?
    Thank you all very much.
    [Whereupon, at 11:55 a.m., the hearing was adjourned.]

                            A P P E N D I X

  Prepared Statement of Hon. Gordon H. Smith, U.S. Senator from Oregon

    Thank you Mr. Chairman for holding this important hearing to review 
the Transportation Security Administration's Aviation Passenger Pre-
Screening programs.
    The TSA faces a challenge ensuring the safety of those who travel 
on our airlines while preventing the screening process from becoming 
overly burdensome. While I understand the dilemma of balancing security 
and civil rights, I support the TSA's attempts at determining potential 
risks prior to their boarding.
    I am concerned about potential cuts to Transportation Security 
Officers at Portland International Airport (PDX) from 509 full-time 
equivalents to approximately 356 full-time equivalents. This reduction 
is one of the largest decreases among U.S. airports both in percentage 
and in absolute terms.
    PDX is a critical transportation facility for both Oregon and 
Washington and plays a vital role in the Pacific Northwest's economy. 
Serving 13 million passengers annually, Portland International Airport 
handles more than a quarter million tons of air cargo and provides 31 
carriers with more than 500 passenger flights daily. It impacts over 
75,000 jobs in the Portland metropolitan area and generates $3.5 
billion dollars annually for the region.
    Passenger traffic at PDX is growing dramatically, not shrinking as 
the cuts in the screening force would suggest. The current screening 
force at PDX is already struggling to handle existing passenger loads. 
A cut of this magnitude would increase passenger wait time and lead to 
a reduction in security for planes leaving Portland. Additionally, 
these concerns are shared by the Port of Portland. which owns PDX.
    I am concerned about the impact these cuts will have on the 
Portland International Airport's security screening process, the stress 
this will place on the screeners and the amount of time it will take 
for the airport's passengers to proceed through the security line.
    Thank you for taking your time to come before this Committee. I 
look forward to your testimony.
                                 ______
                                 
  Prepared Statement of Kevin P. Mitchell, Chairman, Business Travel 
                               Coalition

    Mr. Chairman and Members of the Committee thank you for inviting 
the Business Travel Coalition (BTC) to submit testimony on this 
important subject, and for your interest in the views of the customer 
of the commercial air transportation system.

I. Background
    In the weeks immediately following 9/11, BTC conducted meetings in 
every region of the country to identify barriers to the return of 
business travelers to the skies, rental cars, hotel rooms and 
restaurants. A major theme in those meetings was the need for some sort 
of pre-screening program for business travelers, referred to then as 
``trusted traveler.'' BTC has been advocating such a program since.
    During the ensuing years, Congress, DOT, TSA, DHS and other 
industry participants' interest has waxed and waned. However, business 
travelers have never lost interest in the now-called Registered 
Traveler (RT) program. BTC surveys since 2001 and right up to January 
2006 show a huge airport security screening problem and great business 
traveler frustration. Thankfully, Congress and TSA are now fully 
committed to RT program implementation, though misperceptions about the 
program and some marketplace confusion remain.

II. Problem Statement
    ``It is faster to clear El Al security than to get to the gate at a 
U.S. airport. It has taken me over 2 hours to reach the gate at 
Honolulu, San Diego, Rochester, Albany and DC in the past two months. 
Security is critical--but there MUST be a better way.''
    This is a representative quote from one of 644 business travelers 
who participated in a January 2006 BTC survey. During peak business 
travel times, security screening wait times can vary widely. This is a 
huge problem for business travelers, 64 percent of whom responded that 
without a RT program they believed that wait times at their home 
airports would likely get worse. With air passenger growth expected to 
be 3 percent to 5 percent over the coming years, and TSA's screening 
budget shrinking, these travelers' concerns appear well-founded.
    In a June 2005 BTC survey of 651 business travelers, 37 percent 
indicated that long lines were their #1 concern. Some 38 percent 
indicated that inconsistency of screening processes and the 
unpredictability of wait times among airports was #1. Some observers 
dismiss such concerns by referring to average wait times posted by TSA. 
As a success metric, average wait times obscure much higher peak travel 
wait times, which tend to disproportionately impact business travelers, 
for example, en route to early morning meetings. This metric becomes 
more meaningful when the extra time that business travelers must pad 
their schedules with, due to screening time unpredictability, is added 
in.
    Unpredictability of wait times steals the business traveler's 
valuable time. Not knowing whether an airport security line will be 5 
or 50 minutes long requires that business travelers arrive at an 
airport 90 minutes or more in advance, sometimes cutting short a 
productive meeting with a client or important work in the office. The 
enterprise-wide productivity of the corporations that fund business 
travel activities is negatively impacted, and by extension, so is the 
national economy.
    Handicapped business travelers are especially impacted by current 
screening processes and have been given very little attention in this 
debate. Theirs is an airport security experience of extra time, 
inconvenience and stress. Consider these statements from business 
travelers writing to BTC:

        ``Give me a photo ID or take a picture of the stump of my 
        missing right foot so I don't have to undress each time I 
        travel using airports.''

        ``I'm handicapped missing my right foot. I wear special shoes. 
        When I remove my shoes I can't walk, I can only hop. Why can't 
        TSA give me a photo ID stating I'm handicapped so I'm not held 
        up for additional screening?''

        ``I have metal knees and activate the walk-thru detector. If I 
        do not set it off, it is not working properly but I keep my 
        mouth shut to avoid an airport lockdown. Thus, I know I will be 
        subject to secondary screening and will have to take off my 
        shoes.''

III. Market Demand
    In an April 2002 BTC survey of 181 corporate travel managers, 69 
percent of respondents indicated that they thought their travelers 
would support a ``Trusted Traveler'' program. In a follow-up June 2002 
survey of 408 very frequent business travelers, 72 percent indicated 
they would support a ``Registered Traveler'' program to speed and 
improve the quality of airport security processes. Fast forwarding to a 
2005 BTC survey, 77 percent of business travelers indicated they would 
``strongly support'' or ``support'' a Registered Traveler program.
    Of course, surveys do not always tell the whole story. It was not 
until July 2005 that the industry had a chance to see if true 
marketplace demand would materialize. The Orlando airport contracted 
with a RT service firm to provide services for $79.95 per member, per 
year. Over 14,000 travelers have enrolled to date. Feedback from 
members has been overwhelmingly positive. (Listen to RT member 
interview on BTC Radio at http://btcblog.typepad.com/btcradio/. )
    Another important indicator of demand is that the majority of major 
North American airports are actively investigating the RT program 
responding to business traveler demand in their markets. Several have 
already made decisions to implement. Likewise, many North American 
airlines are keenly interested in the program.

IV. RT Program Benefits
A. RT Members
    The major benefit of a RT program, from the perspective of the 
business traveler, is the high degree of certainty regarding an 
efficient processing through airport security. There are other benefits 
under consideration by TSA such as not having to remove shoes, laptops, 
or outer clothing. Such benefits will come after RT service providers 
implement enabling service lane technologies.
    Notwithstanding the importance of the benefits above, RT members 
stand to benefit in other ways such as:

    1) Customer Service. A RT program member at Orlando called the 
customer service ``beyond excellent'' and spoke of being ``pampered'' 
by the RT service provider's staff. This is important and valued by 
business travelers.

    2) Interoperability. Today a business traveler flying out of a 
major hub likely has access to an airline's Elite security line, if 
they qualify. However, at least 50 percent of a business traveler's 
experience is at his non-home airport where there may or may not be an 
Elite line hosted by his preferred airline. Moreover, many business 
travelers originate out of mid-size airports where such Elite lines may 
not exist. TSA has rightly set a standard that mandates that a RT 
member can use his card, without additional cost, at any airport 
serviced by any RT service provider. Interoperability is not a big 
technological challenge. (See Addendum: BTC Interoperability 
Statement).

    3) Boarding Passes. The ability to go through security and secure a 
boarding pass on the air side would benefit business travelers and 
bring relief to kiosk stations during peak times.

    4) Smaller Land Side Crowds. Avoiding large crowds on the 
relatively low-security land side of an airport is important as airport 
lobbies have been historically high profile, easy terrorist targets. 
Moving business travelers through security efficiently, and improving 
overall security system throughput, is prudent risk management. 
Corporate Risk Managers would value having traveling employees enter 
the more secure air side of an airport as quickly as possible.

    5) Safer Travel. Since 9/11, the so-called security hassle has 
caused many business travelers to drive their cars in short-haul 
markets (under 500 miles). The falloff has only partially rebounded. 
Southwest Airlines, for example, still reports a 20 percent decline in 
short haul for its Love Field operations. Driving a car is exceedingly 
more dangerous than traveling by airplane. More efficient security 
would help save lives on the highways, reduce congestion and help the 
environment.

    6) Handicapped Travel. Greater respect, customer service and 
convenience await the thousands of handicap travelers who navigate 
North American airports.

B. Benefits: Traveling Public
    1) Faster Processing. A properly functioning RT program, in the 
mold of the interstate electronic fast pass tolling, will improve the 
overall throughput for non-RT program travelers saving them time. For 
example, a dedicated RT lane, that represents 10 percent of the 
throughput capacity, could actually handle 15 percent or more of the 
passengers due to the prescreening and service configuration 
efficiencies. Public security lines will not become longer. Moreover, 
where physically feasible, RT vendors will likely pay for the 
construction and equipping of entirely new lanes.

    2) Smaller Crowds. With business travelers bypassing land side 
kiosks for boarding passes and moving through security quickly, and 
overall faster security system throughput, the traveling public's 
experience and safety will improve.
C. Benefits: TSA
    1) Optimizing Limited Resources. Air traffic is expanding, TSA's 
budget is shrinking. RT allows TSA to NOT focus on 100 percent of 
passengers as if they were all equal threats to the aviation system. RT 
will allow TSA to focus its limited resources of money, time, people 
and equipment on a smaller subset of the traveling public.

    2) Enhanced Security. In joining a RT program, a traveler receives 
better service in return for being subjected to a higher level of 
information-based security, and physical security screening. An example 
would be a shoe scanner that is paid for by the RT provider and 
deployed to identify explosives. Such a device would be used so that a 
RT member would not have to remove his shoes. This technology is 
superior to X-ray machines currently used. As such, the 10 percent to 
15 percent of travelers who generate 40 percent to 50 percent of 
airports' traffic will actually receive greater security scrutiny 
making the overall system more secure.

    3) Crowd Control. As mentioned, TSA's mission would be supported if 
the large crowds that often build up on the land side were 
significantly reduced.

    4) Customer Service. TSA will be implementing a randomizing of RT 
processes and benefits. This represents a best-in-class security 
approach in use throughout the world and is not mutually exclusive of 
the desire of business travelers wanting more certainty in the 
screening process. What business travelers want is the certainty of the 
amount of time they will need to budget for security, not the absolute 
predictability of process components. Add to this the enhanced customer 
service provided by the RT providers and TSA can be commended for 
improving the customer service result.
D. Benefits: Airlines
    1) Cost. RT service providers and their customers will incur all 
the costs of establishing, marketing and operating the program. 
Moreover, some RT providers will likely be willing to revenue share 
with airlines in turn for their help in marketing the program to their 
frequent flyer bases.

    2) Additional Passenger Revenues. The last 6 airline passengers who 
board typically make the difference between profit and loss on a given 
flight. A consistent, positive security experience will bring back many 
of those high-yield business travelers who have abandoned airlines for 
automobiles, trains, limos, buses, fractional jets and other options, 
including not taking a trip.

    3) Customer Service. The RT program will provide the opportunity 
for exceptional customer service for airlines' best customers.
E. Benefits: Airports
    1) Better Service. Business travelers can comprise 10 percent to 20 
percent of an airport's total customer base, but 40 percent to 50 
percent of its traffic. Clearly it is every airport architect's and 
operator's mission to service these important customers well. RT is a 
strategic solution to this problem.

    2) Revenues. Winning back business travelers who have defected to 
other modes of transportation or communications technology, e.g., video 
conferencing, is a priority for airports. It has a direct bearing on 
maintaining air services to many markets. Likewise, airports benefit 
from greater parking and concession revenue with increased numbers of 
business travelers.

    3) Crowd Control. As previously mentioned, moving passengers from 
the less secure land side of an airport to the air side enhances the 
overall security environment. Additionally, the more time passengers 
have on the air side, the more they will spend in stores generating 
revenue for the airport.

V. Private Sector Rationale
    The private sector's primary role will be to work with airport 
authorities to establish and market a RT program. TSA will set and 
oversee security standards. RT providers will be encouraged, through 
marketplace forces, to continually enhance the customer service 
experience in the RT lane. The competencies required for success 
include branding, consumer marketing, subscription-based services and 
strategic marketing alliances. These are not the usual competencies 
found in governments.

VI. Privacy
    Business travelers have become sensitive to data privacy issues, 
particularly over the past few years. TSA and airlines have misused 
data, and commercial data aggregators have failed in their mission to 
protect consumers' information. Identity theft is on the rise. For RT 
to work system-wide it needs a critical mass of members, supported by 
low member costs, met service expectations and strict privacy 
protections.
    The Orlando RT model, having generated 14,000 members to date, 
appears to have hit the mark with the RT service provider's data 
privacy commitments. TSA's proposal to use commercial databases as an 
exclusive way to provide additional RT program benefits is overreach in 
BTC's view, and could significantly dampen business traveler demand for 
the RT program.

VII. Equity
    Some observers are of the view that the RT program asks a citizen 
to pay a fee to demonstrate that he or she is not a terrorist risk, and 
some find this offensive. However, no one is asking a citizen to do 
anything. The marketplace and capital providers are simply offering a 
service. Moreover, travelers are paying today, through TSA security 
fees, to demonstrate that they are not terrorist threats before they 
are allowed to board a plane. Importantly, all costs associated with 
the RT program will be borne by RT service providers and their 
customers, not taxpayers.
    Mr. Chairman, BTC is very supportive of the RT program and 
appreciative of a renewed TSA commitment to reach out to the travel 
industry for input. We believe we are on the cusp of creating the best 
airport security protocol in the world.
    Thank you for the opportunity to contribute.

                Addendum: BTC Interoperability Statement

Registered Traveler Interoperability
Business Travel Coalition, January 2006
    The June 2005 launch of the Orlando Registered Traveler program 
marked the expansion of the Registered Traveler program to the private 
sector. The Transportation Security Administration (TSA) had incubated 
the program by testing technology and piloting the overall concept at 
five airports. With Orlando, it was turned over to the private sector 
for a rollout that would be self-supported. Orlando Registered 
Travelers have begun to receive their Clear Cards, from Verified 
Identity Pass Inc., the program service provider, and are utilizing a 
designated ``fast lane'' and line at Orlando airport.
    As Registered Traveler (RT) programs expand, travelers will be able 
to use fast lanes at other airports across the country. Since TSA has 
mandated that private sector RT programs be interoperable, Registered 
Travelers will benefit from the program network no matter what company 
provides their card.

Standards To Be Set
    Since testing the technology in the pilots, TSA has aimed to make 
the programs interoperable so that members who enrolled at Los Angeles, 
for example, could use their cards at Dulles. Making the pilot programs 
interoperable has been more difficult than it will be to make future RT 
programs interoperable. That's because, in order to test different 
technologies, TSA purposely created five completely separate programs 
that used different hardware and software. That was the point: to test 
different technologies. This complication makes linking the pilot pro-
grams, so that they are interoperable with their present 
configurations, a hurdle.
    However, interoperability among future programs--and even between 
and among the pilot airports--is not actually a difficult issue if the 
pilots are viewed as testbeds for establishing the common, 
interoperable standard. Indeed, TSA, after testing the technology in 
the pilot programs, seems to have set a standard in Orlando that 
service providers will use for future RT programs.
    TSA combined the use of iris images and fingerprint images, and in 
detail pro-vided a technical spec for the operation of the program. 
Thus, to make the existing pilot programs interoperable with Orlando 
and future RT programs, the simplest way would be for pilot airports to 
require any RT service provider bidding to set up shop for a rolled-out 
private sector program to agree to reissue the existing members' cards 
for free in return for their having participated in the pilot. It is 
cheaper and easier than trying to create a software fix that will not 
be necessary in the future.
    Put simply, interoperability is an obstacle easily overcome by 
taking the standards set by TSA in Orlando (or for that matter any 
modified standard that TSA sets once it sees how operations work in 
Orlando) and applying them to future RT programs.

Clearinghouse Structure
    The second interoperability issue has to do with a clearinghouse 
that would combine the names of those enrolled in RT programs at 
various airports and by service providers. Someone enrolled in a 
program at O'Hare run by service provider A must be able to have his 
card recognized by a program at Tampa run by service provider B. Thus, 
a clearinghouse would be needed to collect the names of currently valid 
members and send them along with daily updates to all the kiosks run by 
all of the providers at all of the airports.
    This represents a simple technology challenge, given that TSA has 
already set common membership criteria (it approves all members based 
on one standard), and apparently set the common technology standards 
for biometric capture and the smart card. The primary requirements of 
the clearinghouse would be meeting the strictest privacy and security 
requirements set by the service providers, having the trust and 
confidence of TSA, and the ability to do this without adding more than 
a few pennies of cost to the customer for this relatively simple task.
    In short, with TSA having been active in the hard work of setting 
the technology and security standards, the path to interoperability is 
not nearly as difficult as it has been depicted.
                                 ______
                                 
                          American Society of Travel Agents
                            Alexandria, Virginia, February 21, 2006
Hon. Ted Stevens,
Chairman,
Senate Committee on Commerce, Science, and Transportation,
    Washington, DC.

    Dear Senator Stevens:

    The American Society of Travel Agents (ASTA) applauds your efforts 
in holding the February 9, 2006 oversight hearing on commercial 
aviation security. ASTA wishes to go on record with respect to the 
Department of Homeland Security (DHS) Transportation Security 
Administration's (TSA) passenger screening programs Registered Traveler 
and Secure Flight. We ask that this letter become part of the official 
hearing record.
    ASTA was established in 1931 and is today the leading professional 
travel trade organization in the world. Its current membership consists 
of approximately 5,800 travel agents across the Nation, with a total 
membership of 13,700 members in some 138 countries. ASTA's corporate 
purposes specifically include promoting and representing the views and 
interests of travel agents to all levels of government and industry, 
promoting professional and ethical conduct in the travel agency 
industry worldwide, and promoting consumer protection for the traveling 
public.
    Public confidence in our Nation's security is essential to the 
maintenance and growth of travel demand. Federal policies and practices 
can and do influence the demand for and the cost of delivering travel 
services. A careful balance between security and the flow of travelers 
requires passenger screening procedures to be free of unreasonable 
restrictions and obstacles that deter people from traveling. ASTA 
supports the permanent implementation of TSA's Registered Traveler 
program which will efficiently enhance the facilitation of the 
screening process for those frequent travelers who have voluntarily 
opted to qualify in advance.
    In a related vein, the proposed regulations for Federal programs 
such as Secure Flight and the Centers for Disease Control and 
Prevention's Control of Communicable Diseases are major concerns for 
the travel agency industry. These programs are proposing the additional 
collection of passenger information and data by the private sector. The 
time has come for the U.S. Government to streamline and standardize 
passenger data collection across Federal agencies before any new 
regulations are adopted.
    On behalf of the thousands of travelers that travel agents service 
throughout the year, we thank you again for your leadership role in 
reviewing the issues pertaining to passenger pre-screening in the post-
September 11 world.
        Sincerely,
                                  Kathryn W. Sudeikis, CTC,
                                                         President.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Ted Stevens to 
                       Hon. Edmund ``Kip'' Hawley

    Question. Mr. Hawley, how much time and how much money have you 
spent on Secure Flight?
    Answer. Exclusive of any spending for CAPPS II, some of which has 
also benefited Secure Flight, during the 18-months Secure Flight has 
been active, August 2004 through February 2006, the program has 
obligated $52.8 million in support of this effort. When spending on 
CAPPS II and projected obligations for Fiscal Year 2006, expected to 
total $42.2 million, are included, approximately $144 million has been 
obligated since November 2002.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Ted Stevens to 
                          Cathleen A. Berrick

    Question. Do you know the approximate number of man-hours and 
amount of funding that GAO has devoted to assessing the Secure Flight 
program?
    Answer. Our review of the Secure Flight program, and of the 
Computer-Assisted Passenger Prescreening System II (CAPPS-II)--the 
predecessor to Secure Flight--have provided a detailed status of the 
programs' development and implementation to the Congress and have 
resulted in thirteen recommendations to the Department of Homeland 
Security (DHS) and the Transportation Security Administration (TSA) 
designed to help ensure the programs' successful implementation. In 
response to mandates contained in Fiscal Years 2004, 2005, and 2006 
appropriations legislation, \1\ and bi-partisan requests from eight 
Congressional committees, GAO has dedicated approximately 4.5 full time 
equivalent staff per year to review these programs since June 2003. 
During this time, we issued five reports, testified three times before 
several Congressional Committees, and provided numerous briefings to 
Congressional staff. Our work also contributed to several additional 
testimonies before Congressional Committees on TSA's overall efforts to 
strengthen the security of commercial aviation. TSA reported spending 
approximately $144 million on the development of Secure Flight.
---------------------------------------------------------------------------
    \1\ The Department of Homeland Security Appropriations Act, 2004, 
Pub. L. 108-90, Sec. 519, 117 Stat. 1137, 1155-56 (2003); Department of 
Homeland Security Appropriations Act, 2005, Pub. L. No. 108-334, 
Sec. 522, 118 Stat. 1298, 1319-20 (2004); and Department of Homeland 
Security Appropriations Act, 2006, Pub. L. 109-90, Sec. 518, 119 Stat. 
2064, 2085 (2005).
---------------------------------------------------------------------------
    As TSA proceeds towards implementation of Secure Flight, the FY 
2006 appropriations legislation requires (1) DHS to certify that the 
program has addressed 10 areas related to the systems development and 
implementation and, (2) GAO to report to the Congress on DHS's 
certification of these issues no later than 90 days after DHS 
certification. \2\ In accordance with this legislation, DHS can certify 
that Secure Flight has satisfied these 10 areas at any time either 
incrementally or in total, and does not have to wait for a GAO review 
to do so. Further, in an effort to be as constructive as possible, we 
have offered to provide to TSA the specific criteria we plan to use to 
review their certification of the 10 areas, and are exploring 
additional ways in which we can provide assistance to TSA as 
development progresses while maintaining our independence. We also 
appreciate the challenges TSA faces that are inherent in the 
development of a program such as Secure Flight, and will continue to 
work to minimize any impact our work may have on TSA as we conduct the 
remainder of our review.
---------------------------------------------------------------------------
    \2\ Section 518 of the FY 2006 Appropriations Act references the 
ten areas related to systems development and implementation listed in 
section 522 of the FY 2005 Appropriations Act.
---------------------------------------------------------------------------

                                  
