
"Secure Flight" comments due Mon., 25 Oct. 2004



 
 
  #1  
Old October 21st, 2004, 04:18 PM
Edward Hasbrouck

Original article with links:
http://hasbrouck.org/blog/archives/000425.html


"Secure Flight" comments due by Monday, 25 October 2004

Public comments are open through Monday, 25 October
2004, on the Secure Flight airline passenger
identification, selection, and surveillance system
proposed by the USA Transportation Security
Administration (TSA) and its Office of National Risk
Assessment (ONRA).

Together, the Secure Flight and Registered Traveler
programs are intended to replace, and considerably
expand, the infringements of travellers' freedoms which
were to have been part of the supposedly-abandoned
CAPPS-II passenger profiling scheme. (Traveller
registration with the TSA is currently "voluntary", but
will eventually be mandatory for anyone who wants to
travel by air.)

The complete TSA docket of notices and comments on
Secure Flight testing (TSA-2004-19160) includes those
comments filed to date with the TSA (there is sometimes
a delay of a couple of days in docketing and posting
comments), as well as the three rulemaking
notices and requests for comments:

http://dms.dot.gov/search/searchResu...hTy pe=docket

1. The Office of Management and Budget (OMB)
Information Collection Request notice under the
Paperwork Reduction Act and request for comments
on the proposed order (the full text of the
order itself is included in the notice)
requiring USA-based airlines to turn over all
data in all PNR's, including cancelled PNR's,
that ever included flights that were to have
been taken in June 2004; docket TSA-2004-19160-2

2. The TSA Privacy Act notice or "System Of
Records Notice" (SORN) for the Secure Flight
testing database; docket TSA-2004-19160-3

3. The TSA Privacy Impact Assessment for Secure
Flight testing; docket TSA-2004-19160-4

The purported Privacy Act "notice" fails to give notice
of most of the categories of people about whom personal
data is contained in PNR's, and comes well more than a
year after PNR's for June 2004 travel began to be
created (in June 2003 or earlier), making a mockery of
any concept of "notice". By this, and by including
cancelled PNR's, it ensures that even those who wish to
withhold consent, or tried to do so by cancelling their
reservations and not travelling, will be unable to opt
out.

The purported Privacy Impact Assessment is a real piece
of work, failing entirely to acknowledge, much less to
assess, most of the privacy impacts of the proposals.

The most significant portion of the rulemaking, however,
may be that of the OMB. The TSA notices concern only
what the TSA will do with the data, after it is
commandeered from the airlines and, indirectly, from the
people whose data is contained in PNR's: travellers,
people in whose names reservations were made but who did
not travel, people who made reservations for other
people or paid for other people's tickets, and travel
agents and airline staff, among others. Under the
Paperwork Reduction Act, the OMB must also consider the
actual demand for archived PNR data from the airlines
(and, implicitly, from the CRS's that host airline data,
and without whose active collaboration it would be
impossible for airlines to comply with the demand).

TSA is soliciting comments [to the OMB, which must
evaluate them] to --

1. Evaluate whether the proposed information
requirement is necessary for the proper
performance of the functions of the agency,
including whether the information will have
practical utility;

2. Evaluate the accuracy of the agency's
estimate of the burden [imposed by the information
collection requirement];

3. Enhance the quality, utility, and clarity of
the information to be collected; and

4. Minimize the burden of the collection of
information on those who are to respond, including
through the use of appropriate automated, electronic,
mechanical, or other technological collection
techniques or other forms of information
technology.

There's plenty of room for comment on these issues.
Among other things, there is no evidence whatsoever that
information about people whose reservations were
cancelled, and who made no attempt to travel, would have
any relevance to determining which of the people who did
attempt to travel were terrorists. Nor is there any
evidence that most of the data in PNR's, especially the
information about people other than passengers (people
making reservations for other people or paying for other
people's tickets, travel agents and airline staff, etc.)
has any potential utility in identifying terrorists --
its only utility would be for surveillance, not
security.

The test data set is peculiarly ill-chosen to "have
practical utility". Since no airline passengers in the
USA in June of 2004 committed any acts of terrorism, any
identifications of suspects in the proposed tests as
people who would, if allowed to fly, attempt to commit
acts of air terrorism would, by definition, be "false
positives". Since there are no air terrorists in the
proposed June 2004 test data set, the test would be
useless to measure the rates of "true positive"
identifications of the non-existent (in the test data
set) terrorists, or of "false negative" failures to
identify real terrorists.

Note that the OMB standard is whether the proposed
information collection is "necessary for the proper
performance of the functions of the agency", not the
lesser standard of whether it is or might be merely
useful.

The burden on those who are to respond -- the airlines
and the CRS's who host their databases -- would be
extreme, measured in billions or tens of billions of
dollars rather than the hundreds of thousands
disingenuously estimated by the TSA. Because the
retroactive request for archived data precludes any
advance notice or consent, it is unambiguously and
directly counter to the unqualified requirement for
notice and consent in the European Union Code of Conduct
for CRS's.

Amadeus, the one major CRS based in the EU, could not
legally comply with the proposed order, or provide its
airline hosting customers (including, among others,
Continental Airlines in the USA) with the data they
would need to comply. If the proposed order is issued,
Amadeus would be required by the law in its home
jurisdiction to stop providing data to Continental, and
Continental would have to find a new hosting provider.

The other three major CRS's (Sabre, Worldspan, and
Galileo) are based in the USA, and could be forced by
the USA to give airlines data dumps even if the CRS's
know that they will be turned over to the TSA without
the data subjects' consent. But if they do so, those
CRS's would have to stop doing business in the EU,
including ceasing to provide hosting services to EU
airlines or reservation connectivity to EU travel
agencies.

The result would be billions of dollars in lost airline
business and disruption to airlines' and travel
agencies' business.

The proposed order would also impose mandates on
airlines and travel agencies contrary to their
obligations under the EU Data Protection Directive and
EU national data protection laws. The USA negotiated an
agreement with the European Commission (currently under
challenge by the European Parliament in the European
Court of Justice) to permit use of data about passengers
for testing of CAPPS-II, but it doesn't extend to Secure
Flight or to data subjects other than passengers.

Unless a new USA-EU agreement is concluded before the
effective date of the proposed order, airlines in the
USA that comply with the order will be unable legally to
operate in, or accept reservations from, the EU. That
consequence -- cessation of USA-EU flights by USA-based
airlines -- would increase the cost burden of the
proposed information collection requirement into the
tens of billions of dollars.

As for minimizing the burden of collecting the
information -- assuming that there is a Constitutional
and statutory basis for its collection, which I doubt --
the way for the government to collect it which would
least burden the airlines or the subjects of the data
would be for TSA personnel to collect any required data
directly from passengers at the TSA security
checkpoints. That would eliminate any collection of data
on people other than passengers, and any burden on
airlines, CRS's, or travel agencies and agents. But the
TSA doesn't want that because it would give the TSA less
data to retain or pass on in "travel history"
surveillance records for future use, and because it
would force the government to bear more of the cost
itself, instead of foisting the cost of data collection
onto the travel industry.

Comments to the OMB (it's probably best to copy all
comments to both the TSA and OMB) can be submitted to
the Office of Information and Regulatory Affairs, Office
of Management and Budget, Attn: DHS-TSA Desk Officer,
only by fax to +1-202-395-5806. Be sure your fax is
addressed "Attn: DHS-TSA Desk Officer" and refers to
"Docket No. TSA-2004-19160".

Comments to the TSA can be submitted through the comment
submission form on the TSA Web site:

http://dmses.dot.gov/submit/dspSubmission.cfm

Be sure to enter "TSA-2004-19160" in the "Docket ID"
field. You can type your comments into the form on the
Web page, or attach them as a text, PDF, word processor,
or other document file.

It's not necessary to be a citizen or resident of the
USA to submit your comments or have them entered into
the official record of the USA government rulemaking
proceedings.

EFF and the ACLU built Web-bots for submitting comments
on the second of the two CAPPS-II Privacy Act notices.
If they do so again for Secure Flight, I'll link them
here.

This time there's a form to submit brief text comments
to the TSA at UnSecureFlight.com. You'll still need to
fax your comments separately to the OMB. If you want to
submit lengthier comments, or to attach document files,
go directly to the TSA (DOT) docket system -- again, be
sure to enter "TSA-2004-19160" in the "Docket ID" field.

The last CAPPS-II notice prompted the largest volume of
public comments ever in response to a Privacy Act
notice, almost universally critical of the scheme, and
many of them still not posted on the DHS Privacy
Officer's Web site. (For some reason the previous round
of CAPPS-II comments weren't processed through the
relatively accessible Web-based DOT docket management
system. And the OMB comments won't be, either.) It's
important that the alphabet soup of Federal agencies
involved (DHS, TSA, ONRA, and OMB), as well as
Congressional and European observers, not get the false
impression that travellers think the latest version of
The Program Formerly Known As CAPPS-II is an acceptable
replacement, rather than another egregious affront to
our Constitutional, civil, and human rights to travel.

----------------
Edward Hasbrouck

http://hasbrouck.org

"The Practical Nomad: How to Travel Around the World"
(3rd edition, February 2004)
"The Practical Nomad Guide to the Online Travel Marketplace"
http://www.practicalnomad.com

  #2  
Old October 21st, 2004, 06:45 PM
nobody

Edward Hasbrouck wrote:
> were to have been part of the supposedly-abandoned
> CAPPS-II passenger profiling scheme.

Is there a comparison between what CAPPS-II would have done versus this new
one?
Or is it the same thing with a different name?

> requiring USA-based airlines to turn over all
> data in all PNR's, including cancelled PNR's,
> that ever included flights that were to have
> been taken in June 2004; docket TSA-2004-19160-2

But what about foreign airlines flying into the USA? Must they also provide
all that data for those flights that go into the USA?

I can understand sending reservation info on flight numbers, passport number
and country and passenger name and date of birth. Nothing else should be sent.
It is then up to the relevant US authority to consult with the country of
origin to get more data about that particular passenger if they feel it necessary.

This should only be used to flag "interesting" passengers, it should not be
used in an Orwellian "we know about all your moves" database of all passenger
movements inside the USA.

Mobile phone companies will start to issue temporary phone numbers, customers
will start to use temporary credit card numbers to ensure that the government
cannot associate purchases done for airlines with purchases done for hotels,
Wal-Mart, food store, explosive/gun shops etc.