06 May 2003
Air Passenger Identification System Protects Privacy, U.S. Says
(Agency committed to "most stringent" privacy controls, TSA's McHale
The Bush administration is confident that an upgraded system designed
to confirm the identity of airline passengers will enhance aviation
security while providing "solid guarantees" of privacy protection, a
U.S. Homeland Security Department official says.
Steve McHale, deputy administrator of the Transportation Security
Administration (TSA) in that department, told a European Parliament
committee in Brussels that TSA is committed to building the "most
stringent state-of-the-art privacy controls" into the new version of
Computer Assisted Passenger Prescreening System, knows as CAPPS II,
which aims to prevent terrorists from boarding commercial airplanes.
He said May 6 that the system will "minimize the amount of information
on travelers coming into the system, collecting only the information
needed to authenticate the passenger's identity and conduct a risk
Lockheed Martin Management and Data Systems is assisting TSA in
developing CAPPS II, which will confirm a passenger's identity and
identify any potential terrorism-related threat to aviation in less
than five seconds, according to a March 11 TSA news release.
TSA emphasized that CAPPS II will use commercial databases that are
routinely employed by private enterprises in hiring or market
McHale said that CAPPS II will be equipped with a system of
"firewalls" to ensure the security of passenger data.
"Commercial data companies assisting with the authentication process
will not acquire traveler personal information and TSA will not have
access to data about passengers from commercial databases," he said.
McHale said that the system will not profile passengers, conduct
surveillance, or employ sophisticated automated data analysis
techniques such as data mining. Nor will it use ethnic, religious or
racial data in selecting passengers for additional security checks, he
McHale said that TSA will operate CAPPS II under a "strict privacy
protection protocol" worked out through discussions with privacy
advocacy groups and the general public, and establish a
"comprehensive" complaint process to enhance passenger rights.
McHale was responding to concerns raised by EU officials and European
privacy groups about the adequacy of passenger data protection in the
airline security regime introduced in the United States after the
September 11, 2001, terrorist attacks in New York and Washington.
During the same hearing another U.S. official assured the commission
that the data the U.S. authorities receive through passenger name
record (PNR) will be processed fairly and lawfully for a "specified
and legitimate purpose."
Passenger name record is the generic name for the files created by
airlines for each journey any passenger books. These files are stored
in the airlines' reservation and departure control databases.
The aviation security law enacted by Congress in November 2001
requires all airlines operating in the United States to provide U.S.
border authorities with electronic access to PNR.
In February the United States and the European Commission reached an
interim agreement that would allow European airlines to comply with
this requirement without compromising EU privacy laws. The two sides
also agreed to continue to work toward a bilateral agreement to
reconcile, if necessary, U.S. requirements with the EU data protection
law. Some European parliamentarians argued that the interim agreement
does not conform to this law and was reached under the threat of U.S.
penalties. Subsequently, they called on the European Commission to
suspend the agreement until it can be realigned with the European data
Following are the texts of U.S. officials' prepared statements:
Transportation Security Administration,
U.S. Department of Homeland Security,
at the European Parliament,
May 6, 2003:
Good morning, Chairman Hernandez-Mollar, ladies and gentleman,
distinguished members of Parliament. Thank you for this opportunity to
appear before you today to discuss a matter of extreme importance to
the citizens of our countries -- how the United States government will
use limited passenger information to safeguard our citizens against
the threat of global terrorism, while protecting the privacy rights
that Americans and Europeans alike have so long cherished. Before I
begin my discussion, I want to commend Sue Binns and the members of
her staff on the Commission who have been working ceaselessly with us
to ensure that international privacy concerns are fully addressed. She
has brought a great deal of knowledge, skill and good common sense to
My colleague, Doug Browning, described to you the role of the Bureau
of Customs and Border Protection in using passenger information to
safeguard international travel and commerce, as part of an integrated
effort by the Department of Homeland Security to protect the United
States from the threat of international terrorism. I will discuss how
the Transportation Security Administration (TSA) will use information
technology to strengthen domestic and international aviation security,
while at the same time protecting the privacy rights of all people who
travel to the United States. This meeting provides an important forum
in our continuing trans-Atlantic dialog to develop a common
understanding of how security and privacy are complementary, not
Airlines in the United States currently operate the Computer Assisted
Passenger Prescreening system, commonly referred to as CAPPS, which is
used to identify passengers for enhanced screening before boarding a
commercial aircraft. In the wake of the tragic events of September 11,
2001, Congress determined that the existing CAPPS system was not an
effective counter-terrorist measure in light of the new international
terrorist threat environment.
In the legislation that created TSA, the Aviation Transportation and
Security Act of 2001, Congress directed TSA to ensure that CAPPS, or
any successor system, would be used to evaluate all passengers before
they board an aircraft, and to include procedures to ensure that
individuals selected by the system and their baggage are adequately
screened. In response to this Congressional mandate, the
Transportation Security Administration began developing the enhanced
Computer Assisted Passenger Prescreening system, or CAPPS II, a fully
automated screening tool that will be operated by TSA.
CAPPS II will enable TSA to conduct far more effective authentication
of traveler identity and improve security through a more robust risk
assessment process, capable of screening all passengers to assess the
terrorist threat to civil aviation. By focusing screening and security
resources more efficiently, the CAPPS II system will enable TSA to
safeguard travelers, protect critical aviation assets and
infrastructure, and also significantly enhance the convenience of all
airline passengers traveling to, from and within the United States.
CAPPS II is a passenger-screening tool only. It is not designed to
look for other criminals, smugglers, or anyone else -- just terrorists
and their associates. CAPPS II will operate under a strict privacy
protection protocol being developed through discussions with privacy
advocacy groups and the public. Strict firewalls and access rules will
protect a traveler's information from inappropriate use, sharing, or
disclosure. CAPPS II will use passenger information and the best U.S.
intelligence information on terrorists and their activities to assess
the terrorist risk of all passengers using commercial aircraft to
enter, leave, transit or travel within US territory. It will do so
quickly and effectively, and will enable TSA to focus its screening
and security resources where the need is greatest, thus expediting
travel by minimizing unnecessary screening of passengers.
CAPPS II will minimize the amount of information on travelers coming
into the system, collecting only that information needed to
authenticate the passenger's identity and conduct a risk assessment.
The CAPPS II authentication function will be conducted using
commercially available data. Commercial data companies assisting with
the authentication process will not acquire traveler personal
information and TSA will not have access to data about the passenger
from commercial databases. CAPPS II will implement a system of
"firewalls" and other technologies to ensure the security of the data.
Virtual Private Network (VPN) technology, and encryption, will be used
to protect all data transmissions. Computers on secure independent
servers will conduct passenger authentication.
A passenger will provide the information used in the CAPPS II system
at the time of reservation or ticketing. Passengers will be given
notice of the information we are collecting, and the reasons for the
collection. The system will not use ethnic, religious or racial data.
The system does not profile, conduct surveillance, or "data mine."
CAPPS II will not use "sensitive data" as defined by Article 8 of the
EU Data Privacy Directive.
CAPPS II will expedite the boarding of passengers who pose no risk of
The system will conduct the analysis, assess risk and identify
terrorists in less than 5 seconds. Once the analysis is completed, a
risk assessment score would be provided in the system. This score will
determine the level of screening the passenger receives when passing
through security. Screeners will not have access to personal data, nor
will they be given information as to the basis for a passenger's
computer-generated risk assessment score.
CAPPS II is designed to reduce the number of people who receive the
enhanced screening. We fully expect that when CAPPS II is implemented,
the vast majority of passengers will proceed directly to the airline
boarding gate through the normal security process. A smaller portion
of passengers will be asked to submit to additional screening prior to
boarding. A very small fraction of passengers may be identified as
known terrorists or the associates of known terrorists -- in such
cases, the appropriate law enforcement authorities in the EU or the
U.S. would be notified. The most significant contribution of CAPPS II
will be its ability to authenticate identity. We expect that there
will be a very substantial reduction in the number of people
misidentified as potential threats.
CAPPS II will also include a comprehensive redress process for
passengers. TSA will appoint a Passenger Advocate to work with our
current Ombudsman program, to handle any inquiries or complaints
raised by passengers with regard to the CAPPS II system. Where a
passenger -- of any nationality -- believes that he or she is being
improperly singled out for heightened scrutiny, this will be the place
for this passenger to turn to have his or her concerns addressed.
Where errors are identified, appropriate corrective action will be
taken. This is more than a matter of fairness -- because CAPPS II is a
resource allocation tool, it is in TSA's interest to know where we are
making mistakes. The Passenger Advocate will thus not only promote
fairness, privacy and passenger confidence, but system effectiveness
and efficiency. As Ms. Kelly will explain in a moment, she, as the
Chief Privacy Officer of the Department of Homeland Security, will
oversee TSA's actions and provide a further avenue of redress.
TSA will implement an automated verification system to monitor
compliance by CAPPS II with all policies governing system operation. A
privacy management program will include methodologies for allowing
testing of the effectiveness of privacy rules. TSA will provide an
annual performance report that will be made available to the public --
the report will detail CAPPS II privacy policies, and the performance
of the system with regard to adherence to those policies. System audit
capabilities, annual reports to Congress and the public, and
appropriate independent oversight will be hallmarks of the CAPPS II
We are confident that the CAPPS II system will enable TSA to enhance
aviation security, protect critical aviation assets and
infrastructure, and most importantly protect the safety of all
passengers while providing solid guarantees of privacy protection.
CAPPS II, however, has a purpose beyond the simple screening of
passengers. It is intended to restore the public's confidence in the
aviation system. If passengers do not feel that they can fly safely,
or that the personal information they provide to the airlines is not
adequately protected, they will be less inclined to fly, and we will
have failed and the terrorists will have secured a victory based on
TSA is committed to building the most stringent state-of-the art
privacy controls into the CAPPS II system. The Secretary of the
Department Homeland Security Tom Ridge has stated that we will not
implement the CAPPS II program until the Department has its own
privacy officer on board. We are pleased that our newly appointed
chief privacy officer, Nuala O'Connor Kelly, was able to join us here
Thank you again for this opportunity to explain the CAPPS II program.
I would be pleased to answer any questions you may have.
Douglas M. Browning,
Deputy Commissioner of Customs and Border Protection,
U.S. Department of Homeland Security,
before the European Parliament's Civil Liberties Committee,
Good morning, ladies and gentlemen. It is a pleasure for me to have
this opportunity to speak to you about a critically important issue
for the U.S. Customs and Border Protection: the receipt of Passenger
Name Record information.
This is not the first time that my team and I have come to Brussels to
discuss the issue of access to PNR data. As many of you know, I led a
delegation here to negotiate with the European Commission a few months
ago. After some very difficult but constructive discussions, I think
we were successful in crafting a valuable interim agreement so that
we, in the United States, could begin to quickly address a critical
element in our strategy to prevent the commission of terrorist acts.
The meeting was also instructive in identifying for us what are some
of the more sensitive issues for the Community requiring our
attention, and we agreed as a result of that meeting to commit time
and resources to resolving these issues. It has been a time intensive
process, but again, this is a critical issue for the Border and
Transportation Security Directorate, CBP [Customs and Border
Protection Bureau] and TSA, and for this reason, something we felt
warranted a high level of attention and a commitment to finding a way
First, let me emphasize that this is a significant security issue for
us. But when I say "us", I am not solely referring to the United
States. Knowing more about the traveling public, developing an
understanding of who potentially poses a terrorist risk, is something
that is valuable to all governments. Using the principles of risk
assessment coupled with better information, allows us to accomplish
It would never be our preferred approach to stop and examine everyone
entering our country through its international airports, just as we
would never want to bring trade to a crawl with 100 percent cargo
inspections at arrival. Such actions would be difficult to accomplish,
given our reliance on fast, efficient trade and travel. But making
decisions about whom we need to speak to in greater depth -- and whom
we can permit to enter without delay -- requires that we have
information. The better the information we get, the more informed and
targeted our decisions can be -- and the safer the international
traveling public as a whole will be. From a CBP perspective, this is
about security and continued facilitation of legitimate travelers.
Receiving this information prior to the airplane' departure is the
ideal. By the time an international flight lands, we have conducted
our risk assessments -- and we know what actions we will take if there
are any persons of concern. Our actions can therefore be carefully
targeted, affecting only those who might represent a higher degree of
I would note that the receipt of advance information in the passenger
realm is not a new idea. It's something we have done for some time.
It's something the industry has collaborated with us on for a number
of years. And it's something that has been instrumental in improving
and preserving the efficiency of air travel -- particularly given the
significant increases in the number of air passengers over the years.
The fact that we are now mandated by law to collect PNR information
should not diminish its proven value in both the facilitation and
Of course, dealing in the realm of personal data introduces some very
specific concerns, particularly as the level of detail increases. We
have a clear appreciation for those that have been expressed over the
course of our discussions with the Commission during the past several
months. Frankly, such concerns are not unfamiliar to us. In fact, we
share many of them. I think they would be reasonably found in any
democratic society. Our agency is governed by laws and procedures
designed to ensure the protection of data collected about any
individual. And to ensure that the data we do collect is not overly
burdensome and is proportionate to the need for that data. Our
collection, treatment and use of PNR data would be subject to this
same strict regime.
This is not about building a database; it is an issue of being able to
analyze data against a set of established rules to determine levels of
risk. It is about calibrating our response at the time of arrival to
the risks a given individual presents. It is about facilitating the
vast majority of air passengers who pose no threat -- while at the
same time providing the level of security necessary to protect the
citizens of our respective countries.
My objective this morning is to talk with you about how critical the
collection and use of PNR data is to our security efforts, and to
discuss further the protections that exist and those we are willing to
I am confident that our existing system of data privacy protection
will ensure that the data we receive through PNR information will be:
(1) processed fairly and lawfully;
(2) is being collected for a specified and legitimate purpose;
(3) and any further processing will be compatible with that purpose;
(4) that the information is relevant and not overly burdensome;
(5) that there are mechanisms to ensure its accuracy and integrity;
(6) it will only be retained for as long as is necessary.
Working with the Commission, we are prepared to address any real or
perceived gaps that may exist within our system.
As government authorities responsible for the integrity of our ports
of entry and the space between them, there are a number of things we
have had to do differently to adapt to the threats present in today's
environment. But these changes do not relieve us of the obligation to
be sensitive to the privacy interest of those we are seeking to
protect. In the case of Customs and Border Protection, we have been
working to ensure that we continue to process the entry of people and
cargo quickly and efficiently. The goal for all of us is facilitation
with security. PNR data is one of the tools that will help us to
accomplish this goal.
(Distributed by the Office of International Information Programs, U.S.
Department of State. Web site: http://usinfo.state.gov)