GAO Echoes CDT Criticisms of CAPPS II; Coalition Calls for Hearings
CDT POLICY POST Volume 10, Number 5, February 26, 2004
A Briefing On Public Policy Issues Affecting Civil Liberties Online
The Center For Democracy and Technology
(1) GAO Echoes CDT Criticisms of CAPPS II; Coalition Calls for Hearings
Two recent reports -- a highly critical audit of the government's proposed airline passenger screening system and an internal review of the disclosure of JetBlue records to the Army -- and the launching of a data collection system at US entry points highlight the lack of privacy guidelines for use of personal information in efforts to prevent terrorism. Taken together, the actions demonstrate why addressing privacy is crucial to developing any effective anti-terror information sharing and analysis system.
On February 16, the General Accounting Office (GAO) issued its Congressionally-mandated report on the proposed Computer-Assisted Passenger Pre-Screening System (CAPPS II). The GAO echoed many criticisms made last year by CDT and confirmed the need for a ground-up redesign of the proposed program. According to the GAO, the Transportation Security Administration (TSA), which is responsible for airport screening, has not shown that the proposed new system would be effective in identifying possible terrorists and has not resolved key privacy and due process issues. GAO reported that the system is behind schedule and faces further delays because TSA has not developed key testing, scheduling and cost plans, nor crucial privacy oversight and passenger redress mechanisms.
The GAO report does not spell the end of efforts to develop a new passenger screening system. The current method of passenger screening, which uses static behavioral criteria and airline-operated "no-fly" lists, is widely recognized as ineffective. It also has created significant problems for passengers with names similar to those on "no-fly" lists who are delayed every time they fly. A new system is needed, but CDT believes that privacy advocates, government officials and industry representatives should go back to basics, working together to develop a system that is both effective and privacy-protective.
In response to the GAO Report, a coalition of organizations from the left and right sent a letter to key congressional committees asking for hearings on CAPPS II.
- GAO Report, Computer-Assisted Passenger Prescreening System Faces Significant Implementation Challenges, February 2004: http://www.gao.gov/cgi-bin/getrpt?GAO-04-385.
- Coalition letter seeking congressional hearings, February 17, 2004: http://www.cdt.org/security/usapatriot/20040217cappsii.pdf.
(2) DHS Privacy Office Issues Report Criticizing JetBlue Disclosure
In a related story, the Department of Homeland Security's Chief Privacy Officer issued a report on February 20 critical of TSA's role in the disclosure of passenger data by JetBlue to an Army contractor. The report acknowledged that while TSA did not receive the information itself, it played a role in approving the data transfer. The Privacy Office recommended privacy training for DHS employees and further review by the DHS Inspector General, and called for guidelines to govern data sharing between the private sector and the government.
A related investigation into the Army's role in the data transfer, including potential Privacy Act violations, is being conducted by the Army Inspector General but has not yet been released.
Senate Government Affairs Committee Chairwoman Susan Collins (R-ME) and Ranking Member Joeseph Lieberman (D-CT) have also expressed concerns with the role of both the Army and TSA and have said that they will continue investigating.
- DHS Privacy Office's Report to the Public on Events Surrounding jetBlue Data Transfer, February 20, 2004: http://www.cdt.org/privacy/20040220dhsreport.pdf.
- Letter from Senators Collins and Lieberman to Under Secretary Hutchinson asking for more details about TSA's involvement, February 13, 2004: http://www.cdt.org/privacy/20040213tsaletter.pdf.
- CDT Policy Post 9.20, JetBlue Disclosure Prompts Multiple Inquiries, Underscores Need for Clearer Privacy Rules, October 17, 2003: http://www.cdt.org/publications/pp_9.20.shtml.
(3) Privacy Plans for US-VISIT Need Further Attention
The government did a better, albeit incomplete job, of addressing privacy issues when it developed the United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program. The Department of Homeland Security (DHS) conducted a Privacy Impact Assessment (PIA), which DHS issued on January 6, 2004, the day that the first phase of US-VISIT became operational. The PIA was one of the first to be issued by a federal agency since the E-Gov Act of 2002 was passed requiring PIAs to be conducted whenever there are new collections of information.
While the PIA appropriately covered many of the important privacy issues raised by the US-VISIT program and contained a detailed description of how the program will function, CDT has urged DHS to issue PIAs for future increments of US-VISIT well in advance of implementation so that public comments can be taken into account before the new program components become operational. CDT also highlighted some critical privacy issues that the PIA did not satisfactorily cover -- redress, access to data, data retention policies and data quality.
- CDT's Comments on US-VISIT Privacy Impact Assessment for Increment 1, February 4, 2004: http://www.cdt.org/security/usvisit/20040204cdt.pdf.
- US-VISIT Privacy Impact Assessment (PIA), dated December 18, 2003, released January 6, 2004: http://www.cdt.org/security/usvisit/.