13 February 2004
Congressional Report Outlines Risks to Passenger Screening System
Shortcomings include lack of international cooperation, GAO says
The successful development, implementation and operation of a
new U.S. air passenger prescreening system may be impeded by a
lack of international cooperation, uncertainty over the possible
expansion of the program's original mission and the system's inability
to recognize identity theft, a congressional investigative group
In a report published February 12, the General Accounting Office
(GAO) said that the Transportation Security Administration (TSA)
in the Department of Homeland Security (DHS), which has been working
on an expanded and modernized version of the Computer-Assisted
Passenger Prescreening System known as CAPPS II, needs to deal
with those issues as well as other developmental, operational and
public acceptance challenges.
CAPPS II is designed to protect the commercial aviation system
from terrorist threats by identifying higher-risk passengers for
additional security procedures. The system is supposed to check
quickly a passenger's identity and conduct risk assessment using
commercially available databases and intelligence information.
To prescreen passengers on flights originating in foreign countries,
CAPPS II must obtain passenger name record data (PNR) on travelers
residing in those countries, flying on foreign airlines or purchasing
tickets through foreign outlets.
Other countries, however, particularly those in the European Union
(EU), have objected to releasing data on their citizens for use
by the system on the grounds that CAPPS II requirements are inconsistent
with EU privacy laws, the report said.
While DHS and EU officials are negotiating an understanding regarding
the transfer of PNR data for use by the department's customs bureau,
the European Commission, the EU executive body, said in December
that it would not agree to the use of the data for CAPPS II until
internal U.S. processes are completed and privacy concerns are
resolved, GAO said.
Referring to TSA announcements about the possibility of expanding
the system to target violent criminals, fugitives and illegal immigrants,
the report said that such an expansion could divert TSA attention
from the program's fundamental purpose and lead to an erosion of
As for identity theft risk, GAO said that TSA officials believe
that although CAPPS II is not foolproof against such a risk, it
is an improvement over the existing system.
The report said that key activities in the development of CAPPS
II have been delayed, mostly, because airlines concerned about
privacy issues are reluctant to provide passenger data for testing
In addition, GAO said that TSA has not completed important system
planning activities nor addressed most of the issues identified
by Congress as key areas such as the database accuracy, protection
from abuse and unauthorized access, and a process for passengers
to appeal decisions and correct what they believe is erroneous
GAO said DHS officials generally agreed with recommendations made
in the report to strengthen CAPPS II planning, mitigate program
risks, provide greater oversight of the system's operations and
use, and clarify passenger redress procedures.
Following are excerpts from the report:
General Accounting Office
RESULTS IN BRIEF
Key activities in the development of CAPPS II have been delayed,
and TSA has not yet completed important system planning activities.
Specifically, TSA is currently behind schedule in testing and developing
initial increments of CAPPS II, due in large part to delays in
obtaining passenger data needed for testing from air carriers because
of privacy concerns. Initial operating capability -- the point
at which the system will be ready to operate with one airline --
was originally scheduled to be completed in November 2003; however,
TSA officials stated that initial operating capability has been
delayed and its new completion date is unknown. TSA also has not
yet established a complete plan identifying specific system functionality
that will be delivered, the schedule for delivery, and the estimated
costs throughout the system's development. Establishing such plans
is critical to maintaining project focus and achieving intended
system results. Project officials reported that they have developed
cost and schedule plans for initial increments, but are unable
to plan for future increments with any certainty due to testing
As of January 1, 2004, TSA has not fully addressed seven of the
eight CAPPS II issues identified by the Congress as key areas of
interest, due in part to the early stage of the system's development.
These issues relate to (1) the effective management and monitoring
of the system's development and operation and (2) the public's
acceptance of the system through the protection of passengers'
privacy and enabling passengers to seek redress when errors occur.
The Department of Homeland Security (DHS) has addressed one of
the eight issues by establishing an internal oversight board to
review the development of major DHS systems, including CAPPS II.
DHS and TSA are taking steps to address the remaining seven issues,
however, they have not yet
-- determined and verified the accuracy of the databases to be
used by CAPPS II,
-- stress tested and demonstrated the accuracy and effectiveness
of all search tools to be used by CAPPS II,
-- completed a security plan to reduce opportunities for abuse
and protect the system from unauthorized access,
-- adopted policies to establish effective oversight of the use
and operation of the system,
-- identified and addressed all privacy concerns, and
-- developed and documented a process under which passengers impacted
by CAPPS II can appeal decisions and correct erroneous information.
In addition to facing developmental, operational, and public acceptance
challenges related to the key areas of interest of the Congress,
CAPPS II also faces a number of additional challenges that may
impede its success. These challenges are developing the international
cooperation needed to obtain passenger data, managing the expansion
of the program's mission beyond its original purpose, and ensuring
that identity theft-in which an individual poses as and uses information
of another individual-cannot be used to negate the security benefits
of the system. We believe that these issues, if not resolved, pose
major risks to the successful development, implementation, and
operation of CAPPS II.
In order to address the shortcomings we have identified, we are
making a number of recommendations to the Secretary of Homeland
Security to strengthen CAPPS II project planning, develop plans
to mitigate program risks, provide greater oversight of CAPPS II
operations and use, and clarify passenger redress procedures.
We provided a draft of this report to DHS for its review and comment.
In commenting on the draft report, the department generally concurred
with the report and its recommendations, but expressed some concerns
with the draft report's presentation of CAPPS II progress, international
cooperation, and mission expansion. We considered the department's
comments in finalizing the report, and made revisions where appropriate.
For CAPPS II to operate fully and effectively, it needs data not
only on U.S. citizens who are passengers on flights of domestic
origin, but also on foreign nationals on domestic flights and on
flights to the United States originating in other countries. This
information is critical to achieving the program's objective of
reducing the risk of foreign terrorism and helping to avoid events
like those of September 11, 2001. Moreover, as evidenced by the
cancellation for security reasons of several flights to the United
States from December 2003 through February 2004, the use of commercial
aircraft originating in foreign countries may be the means terrorists
choose to use to attempt future attacks.
To prescreen passengers on flights originating in foreign countries
requires that CAPPS II obtain Passenger Name Record data on passengers
from foreign countries, flying on foreign airlines, or purchasing
tickets through foreign sources. However, obtaining international
cooperation for access to this data remains a substantial challenge.
The European Union, in particular, has objected to its citizens'
data being used by CAPPS II, whether a citizen of a European Union
country flies on a U.S. carrier or an air carrier under another
country's flag. The European Union has asserted that using such
data is not in compliance with its privacy directive and violates
the civil liberties and privacy rights of its citizens. Its position
extends not only to international flights to the United States,
but also to U.S. domestic flights that carry citizens of European
DHS and European Union officials are in the process of finalizing
an understanding regarding the transfer of passenger data for use
by the Bureau of Customs and Border Protection for preventing and
combating (1) terrorism and related crimes; (2) other serious crimes,
including organized crime, that are transnational in nature; and
(3) flight from warrants or custody for these crimes. However,
this understanding does not permit the passenger data to be used
by TSA in the operation of CAPPS II but does allow for the data
to be used for testing purposes. According to a December 16, 2003,
report from the Commission of European Communities, the European
Union will not be in a position to agree to the use of its citizens'
passenger data for CAPPS II until internal U.S. processes have
been completed and it is clear that the U.S. Congress's privacy
concerns have been resolved. The Commission stated that it would
discuss the use of European Union citizen passenger data in a second,
later round of discussions.
TSA officials stated that in the short term, the lack of data
on non-U.S. citizens could potentially affect the implementation
of the system's initial operating capabilities. Moreover, officials
stated that in the longer term, an inability to obtain data on
non-U.S. citizens would hamper the effectiveness of the system.
Without data on foreign nationals traveling to, from, and within
the United States, CAPPS II would be unable to assess the threat
posed by all individuals or by a group of passengers on a single
flight, thus compromising the full capabilities and effectiveness
of CAPPS II.