CAPPS II

[Dave Farber <dave () farber net>]

Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Wed, 10 Mar 2004 10:34:53 -0800
From: Lee Tien <tien () well com>
Subject: [E-PRV] Fwd: Fw: CAPPS II


Subject: Holly Hegeman on CAPPS II


From today's issue of "Plane Business"
<http://www.planebusiness.com>http://www.planebusiness.com (subscription)

CAPPS II: A Bad Idea Getting Worse

Testimony begins on Capitol Hill this week on the proposed 
Computer-Assisted Passenger Prescreening System II security program. 
However, unfortunately, it appears that the hearings currently scheduled 
have been set up to concentrate on the rather narrow issue of the program 
itself, not the more critical overriding issues involving passenger privacy 
concerns.

Not that the program itself, as currently designed, is something that 
should ever see the light of day.

Testifying Thursday will be Kevin Mitchell, chairman of the Business Travel 
Coalition, Tom Blank, Transportation Security Administration, Norm Rabkin, 
General Accounting Office, Jim May, Air Transport Association, Paul 
Rosenzweig, Heritage Foundation, and David Sobel, Electronic Privacy 
Information Center.

Mitchell, whose organization represents a number of large corporations 
which purchase hundreds of millions of dollars in airline travel a year, 
told me Monday that initially, when the story broke that JetBlue had turned 
over passenger records to a government contractor, he did not pay much 
attention to it.

"However, when the news came out about Northwest Airlines and its 
disclosure of passenger information, I began to look into this more 
closely. And to be honest, Holly, I was blown away by the information I 
began to read. There is a awful lot of stuff that has been going on behind 
our backs -- and nobody knows what is going on."

Mitchell continued, "My only interest, at the beginning of my information 
learning curve? To get the debate started. But I have to admit, as I have 
moved into this debate more and more, I've been amazed by some of the stuff 
I've found out."

How do his corporate clients feel about the proposed CAPPS II program?

Mitchell responded that initially they were confused, and that many of them 
were really not sure how the program would be different from a "trusted 
traveler" program. Or to what extent the TSA is involved.

"They knew very little," Mitchell explained.

But as their level of awareness has grown, Mitchell says that now the 
biggest concern of his corporate members is just how, if an employee is 
tagged as a "yellow" (or "unknown risk" --  the second of three risk levels 
-- as CAPPS II terms it), for instance, that employee will then be able to 
simply and quickly clean up his or her record so that it accurately 
reflects who they are.

"Daimler-Chrysler, for instance, employs a great number of people from 
around the world. Some of these folks just fly into the U.S. for a number 
of months and then fly out again. Daimler-Chrysler's concern? What 
assurance is there that if the program, as is being proposed now, is put 
into place, that a mistake could be fixed, and fixed quickly," Mitchell said.

A second concern to Mitchell's corporate members? Disruption to business 
travel.

"Okay, let's say I go to fly on business and the TSA says, 'Nope, you're 
yellow.' Then what? How am I going to be allowed to get on the airplane? 
How long is this process going to take? And what happens if the next time I 
fly, and I get on the flight okay, and then the next time, I'm nabbed 
again. Who is going to pay when I have to pay for a walk-up ticket to get 
from point A to point B, because the TSA kept me from making my flight?" 
Mitchell asked.

The problem of just how an individual can get their record "cleaned up" is 
a major one. The TSA claims, on the one hand, that passenger information 
will not be kept for more than "a number of days" on any given passenger, 
for any given flight.

Okay, so how in the heck will a passenger be able to access the needed 
information, in an effort to clear their name?

Another issue that Mitchell brought up that had not occurred to me, was 
this one. Let's say your nabbed and designated "yellow" and let's say it's 
because of a damaging piece of information that is accurate. Then what?

"Say you are traveling with a number of your co-workers on an important 
business trip. Not an unusual thing. And, say, that everyone gets through 
security but you. How long do you think it is going to take for the 
information that you are a deadbeat dad, or that you have an outstanding 
arrest warrant for a parking ticket two years ago, to get back to the 
office?" Mitchell wondered.

Mitchell, who has a number of members in the Detroit area, says that 
another issue of great concern is the similarity in many Arab and Muslim names.

"There is a huge Arab population in Detroit," Mitchell said. "I ask you, 
how many times do you think some of these folks are going to be stopped by 
this system, just because they have the same last name as some supposed 
'terrorist'?"

Finally, Mitchell brought up the issue of address changes and name changes.

As the CAPPS II program is currently set up, four points of information are 
going to be required of all travelers. Name, address, phone number, and 
birth day.

"Let's take a college student, for example. Now, what address is this 
person going to have? Probably more than one. His parents. His dorm. A 
place where he stayed and worked for the summer. Who knows? But one thing 
is for sure, if just one of those four pieces of information is not in 
synch with whatever commercial databases the government is going to connect 
with -- then we would have to assume this is going to kick this person into 
a 'yellow' category."

Then there is the issue of name changes. Mitchell explained, "How many 
people get married, divorced, change their name for any number of reasons? 
Suppose someone attempts to board a plane and uses a driver's license and 
it has their new name on it. What happens when this does not match any 
'known' record?"

At this point, I assured Kevin that I more than got the point.

From the airline perspective, besides the fact that the airline industry 
would become a surrogate sheriff and bounty hunter, there is one and only 
one big concern with CAPPS II.

Cost.

More than one industry observer has pegged the projected cost to implement 
the proposed plan in excess of $1 billion. Now, it is unclear how much of 
this would have to be absorbed by the GDS companies, and how much by the 
airlines themselves -- but there is no doubt that existing information 
databases would have to be changed to accommodate the additional information.

In terms of the bigger issues involved with the potential CAPPS II program, 
there are two very large ones -- one, the issue of privacy and two, the 
issue of just how effective such a program would be in the long run.

In May 2002, a group of MIT students proved pretty conclusively that a 
CAPPS type of mandated identity program is practically useless in keeping 
terrorists off an airplane. In their study, Carnival Booth: An Algorithm 
for Defeating the Computer-Assisted Passenger Screening System, the 
students proved that since CAPPS uses profiles to select passengers for 
increased scrutiny, it is actually less secure than systems that employ 
random searches. In particular, the students presented an algorithm called 
Carnival Booth that demonstrated how a terrorist cell could easily defeat 
the CAPPS system. Using a combination of statistical analysis and computer 
simulation, the students evaluated the efficacy of Carnival Booth and 
illustrated that CAPPS is an ineffective security measure. Essentially all 
the terrorists would have to do is send out decoys to "test" whatever 
information was pre-existing on them in the profile. As soon as someone was 
a "green" to go -- the terrorist would then know he would be free to pass 
through the system undeterred.

But by far, besides the operational issues of just how such a system would 
work (or wouldn't work, as I suspect would be more the case), there are 
major privacy issues with the proposed CAPPS II plan.

First and foremost, the system would, in a backhanded way, construct a 
national identification system. Second, while the government has said that 
it would not allow the information gathered to be used for any other 
purpose, I simply refuse to believe this.

One, because there have already been comments made by government officials 
that imply CAPPS could be a godsend to law enforcement agencies. Just as 
the photo identification program that the U.S. has begun for certain 
incoming passengers from overseas has also been used to catch criminals -- 
there are those in law enforcement who would like nothing better than to 
have every airline passenger's identity screened. In fact, one of the 
databases that will be accessed every time you or I attempt to set foot on 
an airplane will be a criminal database.

Secondly, why should I believe the government about this issue, when it is 
clear the government continues to move forward on a number of "data-mining" 
initiatives?

Last year, Congress ordered the Pentagon to stop its Total Information 
Awareness program -- the brainchild of former Iran Contra scandal alum John 
Poindexter, after news of the program's intent became public.

Ironically, the program had already changed its name to "Terrorism 
Information Awareness" -- in an attempt to make its mission seem more 
palatable.

The program sought to create a data-mining program that would have given 
the Pentagon unrestricted access to large amounts of personal and private 
information on U.S. citizens.

But, while the Defense Department says it has not shared any of the 
technology that it developed as part of the program, the government 
certainly seems to be pursuing other smaller, but more highly targeted 
efforts. CAPPS II is one of these.

In a recent article in the Washington Times, it was noted that while data 
mining has been used for years by marketers, in an attempt to target people 
who might be prospective customers, it was only after the events of Sept. 
11, 2001, that the government seems to have come up with the bright idea 
that this would be a great law enforcement tool.

Speaking of, the Terrorist Threat Integration Center is the government's 
new data warehouse. According to the Times, it now has the specific task of 
fusing and analyzing all sources of information related to "terrorism."

Now, let's not forget -- that would also include all the information about 
you -- if you flew on an airplane and CAPPS II was in effect.

However, as a spokesperson for the CIA told the Times, "The term data 
mining is not appropriate and should not be used in reference to the TTIC. 
The words we use are 'advanced analytic searches' or 'sophisticated 
analytic search tools' that we use to create linkages and relationships 
between information."

Well, I for one, certainly feel better about whatever it is they are 
amassing, now that I have heard that corporate-speak delineation.

What about other countries? How are they tackling this issue?

As many of you know, the U.S. recently asked the European Union to supply 
passenger name records to U.S. authorities.

This request, while initially given a somewhat favorable response by the 
European Commission, is not exactly being received enthusiastically by the 
European Parliament.

In fact, as Edward Hasbrouck reported last week, "If, as it is now 
considering doing, Parliament sends the European Commission's draft deal 
with the U.S.A. on CAPPS II testing back to the drawing board, any eventual 
Parliamentary approval will certainly take months -- if it is ever 
forthcoming at all."

More eye-opening, in reading through Edward's latest entry concerning the 
E.U.,  the proposed European Parliament resolution noted, "in the U.S.A. 
the protection of privacy... is not regarded as a fundamental right... nor 
is there any right of legal redress should the measures restricting the 
freedom to travel be abused."

Hmmmm.

If you think this statement is off base, consider comments from the recent 
GAO report on the proposed program.

"..TSA plans to exempt CAPPS II from the Privacy Act's requirements to 
maintain only that information about an individual that is relevant and 
necessary to accomplish a proper agency purpose. These plans reflect the 
the subordination of the use limitation practice and data quality practice 
(personal information should be relevant to the purpose for which it is 
collected) to other goals and raises concerns that TSA may collect and 
maintain more information than is needed for the purpose of CAPPS II, and 
perhaps use this information for new purposes in the future.

Further, TSA plans to limit the application of the individual participation 
practice -- which states that individuals should have the right to know 
about the collection of personal information, to access that information, 
and request correction -- by prohibiting passenger access to all personal 
information about them accessed by CAPPS II. This raises concerns that 
inaccurate personal information will remain uncorrected and continue to be 
accessed by CAPPS II".

According to Hasbrouck, the chances of other countries throughout the world 
simply handing over PNR information to the U.S. is slim.  "It's not 
hyperbole to describe E.U. and Canadian data privacy laws as exemplifying 
emerging global norms of privacy as a human right.  Many other countries 
have similar laws, including for example several Latin American countries 
with large volumes of passenger air traffic to and from the U.S. that have 
based their data protection laws almost verbatim on those of Spain, and 
thus the E.U. The only question is how many of these and other countries 
will assert their right to be consulted before their citizens' privacy 
rights are violated by nonconsensual U.S. government access to passenger 
reservation records."

So, let's see. First, we have a respected study that says 
passenger-profiling programs are ineffective at catching terrorists. But, 
undeterred by this, or by advice from other leading countries known for 
their security acumen, notably Israel, we have just such a plan in the 
works by the TSA. This proposed plan by the TSA would rely on matching 
databases of commercial and law enforcement agencies against a passenger's 
name and address -- a situation fraught with problems right from the start. 
(Ever pulled a copy of your credit report and seen how many incorrect 
pieces of information are on there?)

Then, if a passenger is classified a "yellow," much less a dreaded "red," 
the TSA does not seem to be too forthcoming in just how someone would 
quickly clear up the problem. (And think about it -- if they are matching 
your information across a number of commercial databases, how are they 
going to know where the mismatch is? And how in the heck is the passenger 
going to be able to fix the problem?)

Finally, in terms of the effect of this on the airline industry -- I see 
very little positive. The industry would experience massive problems in 
terms of airport backups and delayed boardings -- leading to reduced 
passenger levels (worse, I believe than what we saw post-Sept. 11, 2001); 
there would be additional costs, as part of the implementation of such a 
program; and would passengers feel safer because of all this?

I think not.

Bottom line -- passengers lose and airlines lose. But U.S. citizens would 
lose most of all.

Pertinent Links

MIT: Carnival Booth: An Algorithm for Defeating the Computer-Assisted 
Passenger Screening System, May 2002

Edward Hasbrouck: "The Practical Nomad" and "Total Travel Information 
Awareness" -- An updated version of the 2003 Lowell Thomas Travel 
Journalism Award for investigative reporting on the issue of air traveler 
privacy. If you want a good background read -- this is the place to go.

ACLU: CAPPS II

Don't Spy on Us: Bill Scannell can go over the top at times, I admit, but I 
found his linking of David Stempler's Air Traveler's Association with 
Cendant's Traveler's Advantage program pretty interesting. Essentially, it 
looks like Stempler's website and that of Cendant's Traveler's Advantage 
are both owned and managed by the Trilegiant Corporation, a Cendant 
subsidiary. So much for the independent passenger voice.

I found this especially interesting, in that I recently jumped on Stempler 
for posting a rather rah-rah post on the CAPPS II program on an industry 
email list. Scannell's take is that Stempler appears to be little more than 
a front for Cendant, whose Galileo subsidiary could stand to gain a new 
profit center if CAPPS II is implemented.

This apparent cozy little relationship brings up an entirely separate 
argument -- how would the additional passenger travel information in PNRs, 
that GDS companies would now have access to, be protected once that 
information was routinely accessed? Answer: It couldn't be. Translation? 
The expanded PNR information would represent a marketing gold mine.

Latest GAO report on CAPPS II (PDF download).

Scott McMurren
Alaska Travelgram
http://www.alaskatravelgram.com
mailto:zoom () gci net

Scott McMurren
Alaska Travelgram
http://www.alaskatravelgram.com
mailto:zoom () gci net



-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/