The Dangerous Illusion of CAPPS II

Proposed Air Security Program Threatens Our Privacy and Safety, Not Terrorists

By Jeff Milchen and Jeffrey Kaplan
First published in The Chicago Tribune April 19, 2004
(updated July, 2004)

The ongoing controversy over who knew of which terrorist threats and when has obscured one specific and telling finding from the commission investigating the 9/11 attacks. The commission revealed earlier this year that nine of the 19 hijackers were identified as safety risks by the federal government’s Computer-Assisted Passenger Pre-screening System (CAPPS) when they checked in for their flights.

The commission’s July, 2004 report added that “All five of the American Airlines Flight 77 hijackers [departing from Washington Dulles International Airport] were selected for security scrutiny,” via CAPPS. Luggage checked by the nine flagged hijackers was inspected, but the killers boarded their flights with no trouble.

If security personnel couldn’t employ information identifying suspect passengers to keep even one of those killers from their mission, how can the Bush Administration justify the proposed CAPPS II, a massive surveillance program that would create dossiers on every U.S. airline passenger?  It’s a critical time to ask, for CAPPS II soon could compromise both the privacy and safety of most Americans.

On March 17, the federal government announced that it will require airlines to collect and hand over selected information on all passengers to the Transportation Security Administration, an agency of the “Homeland Security” Department, to begin testing of CAPPS II.

This would initiate the largest surveillance program in U.S. history.

CAPPS II purportedly would help focus security resources by identifying airline passengers who pose the greatest risk of committing terrorist acts. The 2 million or so passengers flying to or from a U.S. airport each day would receive a risk assessment of green, yellow or red. Passengers rated green would receive routine screening. A yellow rating generates additional scrutiny. Red means say goodbye to your ticket and hello to law-enforcement agents–you won’t be boarding your flight.

Here’s how it works: When you make a flight reservation, the booking agent or airline records your name, address, phone number, date of birth and travel destination (that’s just for starters–the TSA could later expand the requirements). The data goes to the TSA, which forwards it to a company contracted to verify your identity. The TSA then feeds your data into a computer program to generate your risk assessment using government databases and algorithms.

So what criteria can label you yellow or red, and how does one challenge inaccurate data? Incredibly, the TSA provides passengers no right to know why they are deemed a security threat or to examine the accuracy of the government’s data.

This is just one glaring problem cited recently by the U.S. General Accounting Office (GAO) — an independent investigative arm of Congress. A GAO report on the CAPPS II plan faulted the TSA for lacking a credible budget, a timeline, adequate privacy protection policies, and any procedure for citizens victimized by false data to correct their record. Of eight critical concerns identified by Congress, the GAO said only one was addressed adequately. TSA officials insist the failures could be corrected.

Since even the most narrowly devised criteria will produce far more false positives than IDs of true security threats, CAPPS II is generating resistance well beyond privacy watchdogs.

Most business travel associations oppose the plan, too. This includes the Association of Corporate Travel Executives, which spoke up after 95 percent of its surveyed members said the proposed program is unacceptable. Among their concerns: If only 2 percent or so of passengers are coded red, as the TSA claims, 12 million people would be detained annually!

To appease businesses, the TSA will test a “registered traveler program” this summer whereby individuals able and willing to pay a fee and submit to a more invasive background check will be given a special ID card that entitles them to use an “express lane.”

TSA officials claim CAPPS II has been scaled back in response to earlier criticism that passengers would be forced to check their Fourth Amendment rights along with their bags. The TSA initially will not collect credit histories, for example, and promised to discard information soon after a passenger’s travels.

This promise is meaningless, however, since the “Patriot Act” empowers the government to procure these records at will from the contracted companies (which may retain and sell those records).  At a minimum, the government would be creating dossiers of our lifetime travel histories. And though the information the TSA says it will collect initially may seem inoffensive, the registered traveler program would coerce people to “volunteer” much more information in order to avoid second-class treatment and even longer airport lines.

Critics also are alarmed by TSA officials’ admission of plans to employ CAPPS II well beyond airports and for broader law enforcement purposes like catching common criminals — contradicting earlier promises to focus only on aviation security. Some critics even question whether government may legally detain a passenger unless a criminal charge can be filed against them.

A gift to terrorists?
The growing controversy over privacy and civil liberties threatens to obscure another fundamental question: can CAPPS II improve national security?

That’s doubtful, for the weakness in its underlying logic renders the program ineffective — or worse. A legal advice column in the trade journal Travel Weekly warned, “The system would be a terrorist’s delight.”

Why? CAPPS II proponents claim sacrificing privacy will allow most people to check in with less hassle by enabling aviation security to focus on high-risk passengers. Terrorist groups, however, easily could probe the system, determine which travelers get green ratings and consistently minimal screening and take advantage of that weakness.

Those members then could embark on a mission with greater confidence than with a more random selection process or one that relies on well-trained personnel to select passengers for intensive scrutiny.

And does any TSA official honestly believe that terrorists can’t obtain a false identification — available on any college campus or over the internet? According to federal investigators, at least two of the 9/11 hijackers’ passports “were clearly doctored.” It’s hard not to suspect they’ll announce the obvious later: the system is easily gamed, and Americans must therefore submit to a national ID card connected with a database of fingerprints or retina scans. Even the GAO report raises this scenario.

CAPPS II does have one sound premise: profiling of some kind can help allocate passenger screening resources most effectively.  It goes wrong in relying so heavily on technology. Observation and questioning by a trained human being (which admittedly could generate other concerns) can reveal tip-offs that no computer ever will catch.  Yet personal questioning of travelers who raise suspicion — the most critical component of an effective security program for Israeli airline El Al (widely considered the most secure airline in the world) — is not even under serious discussion.

Why? Real security is not as “efficient” as placebos. We often are sold a largely false choice: that we must sacrifice freedom or privacy to be secure. Speed vs. safety, however, is a genuine trade-off. Effective passenger profiling would result in some delays and inconveniences, impeding airline profits. Hence, the airline industry welcomed the installation of million-dollar x-ray scanners in more than 400 airports to check for luggage bombs, despite the intrinsic inability of x-rays to detect explosives (though they can be a useful tool when used by trained professionals). Transportation Secretary Norman Mineta admitted a false-positive rate of 35 percent for the machines.

Ironically, this is the one security realm where technology could provide help. But rather than investing in machines capable of detecting traces of explosives from outside luggage, Homeland Security officials and airlines preferred to project the illusion of increased safety.

Each expansion of federal power is framed as “fighting terror,” but the most effective terrorism prevention rarely demands sacrifices of our liberty. As the 9/11 commission report noted, “Gaining access to the cockpit was not a particularly difficult challenge.” Securing cockpit doors, strengthening onboard security procedures, and banning such potential weapons as small knives and box-cutters were all sensible moves that left freedom completely unscathed.

The corporate profit motive vs. safety
Bag matching, which prevents a bag from flying unless its owner also is aboard, is an effective measure that long has been standard practice in many countries. But U.S. airlines have blocked full implementation domestically, claiming extra costs from resulting flight delays would be crippling. This takes some nerve after grabbing more than $14 billion in taxpayer subsidies above and beyond the $1 billion in losses that were attributed to post-9/11 shutdowns.

Although bag matching can’t prevent a suicide bombing, unaccompanied luggage bombs caused three of the worst air disasters of the 1980s including the deadliest airline bombing ever, 329 deaths on Air India flight 182. Until 9/11, the airline industry blocked requirements for secure cockpit doors despite 30 documented cockpit intrusions in the two years preceding the attack.

The role of corporate profit-seeking in creating the vulnerabilities that enabled 9/11 remains remarkably under-reported.

Securing our vulnerabilities
We should seek further improvements in airline security, but focusing backward on where terrorists last attacked, rather than identifying and securing other vulnerable targets, may endanger our safety. “Even suicide terrorists are extremely risk-averse,” said Andrew Thomas, safety expert and author of Aviation Insecurity. “They may perceive glory in killing, but not in getting caught.” So as passenger security improves, would-be terrorists increasingly will seek less risky targets, thus demanding we shore up vulnerabilities in other realms (including non-passenger aspects of airport security).

Identifying a terrorist is hard — “much harder than simply finding needles in a haystack,” one Homeland Security official said. It’s relatively easy, however, to identify and secure vulnerable targets that terrorists could strike and cause catastrophic damage.

As the Spain subway bombing demonstrated, physical defenses never will insulate us from harm, but we should pay particular attention to preventing the most deadly scenarios, like attacks on chemical or nuclear plants. Determined efforts at those sites could dramatically improve our resistance to both terrorist threats and accidental catastrophes that could dwarf the carnage wreaked on 9/11. Yet the Bush Administration seems determined to invite disaster by eliminating federal enforcement of many safety standards at nuclear weapons facilities to promote business efficiency.

CAPPS II may distract public attention from the truth that basic security and intelligence failures — not a lack of information or power by law enforcement officials — allowed the 9/11 tragedy to occur. What CAPPS II does not do, however, is make us safer. Congress should stop funding CAPPS II and rethink how to allocate our finite security resources in ways most likely to save lives.

The rest of us should scrutinize new “anti-terror” measures and defend ourselves against the reflexes of the White House and Congress to extend federal dominion in the name of security. Those promoting these expansions of power may be well-intentioned, but ultimately their policies endanger both our freedom and our safety.

Milchen directs ReclaimDemocracy.org, a non-profit organization working to restore citizen authority over corporations and defend constitutional rights. Kaplan has worked for 25 years as an information technology consultant. The authors thank Edward Hasbrouck, Andrew Thomas and Salim Jiwa for their assistance.

Update / Suggested Actions

Victory! Or is it? On July 14, CAPPS II was pulled from consideration in its current form, but we’re not ready to declare the fight over (see our August 4, 2004 feature on the “Registered Traveler” program for details). Nevertheless, we know hundreds of readers sent copies of this article to your U.S. Representative and/or Senators, and you made a difference. Thank you!

Recommended Resources

  • Andrew Thomas’ book Aviation Insecurity explains thoroughly the failings of our air security system and offers solid suggestions for improvement. Look for it at your local independently-owned bookstore.
  • Edward Hasbrouck’s fine website for travelers has a blog that covers CAPPS II and other timely issues. He wrote an exhaustive letter (54 pp, pdf) to the TSA outlining objections to CAPPS II.
  • Feb 13 GAO report summary (pdf) or full GAO report (53 pp, pdf)
  • Legislation authorizing CAPPS II

CAPPS II also is a democracy issue. While complex security decisions admittedly can’t simply be made based on public opinion, according to Edward Hasbrouck, public comments (from citizens who obviously spent time familiarizing themselves with the issue) ran 5,847 against CAPPS II to one in favor.