“CAPPS IV”: TSA Expands Profiling Of Domestic US Airline Passengers

Papers, Please!

TSA

Under color of a vestigial provision of Federal law related to an airline passenger profiling program that was discontinued more than four years ago, and applying the name of that program (and attempting to apply the same legal mandate) to an entirely new scheme, the TSA is adding a new, additional layer of passenger profiling to its pre-crime system for domestic airline flights within the Unites States.

The existence and TSA-mandated implementation of the new so-called “Computer-Assisted Passenger Prescreening System (CAPPS)” was first disclosed publicly in an obscure posting this Monday on the DHS website and an equally obscure notice published the same day in the Federal Register.   According to both documents, the new CAPPS scheme has been under development since at least 2013, in secret collaboration between the TSA, the inter-departmental National Counterterrorism Center (NCTC), airlines, and private contractors.

What was the old CAPPS? What is the new CAPPS? And what does this mean for the rights of travelers?

Answering these simple-seeming questions requires understanding the history of government-mandated airline passenger profiling in the US and the shell game of labels that the government has applied to profiling schemes, as well as careful parsing of this week’s abstruse and uninformative (to the uninitiated) official notices.

The original CAPPS was the first government-mandated airline passenger profiling system. It was developed by the Federal Aviation Administration (part of the Department of Transportation), which at the time was a revolving-door regulatory agency that worked closely with the airline industry.  Beginning in 1998, the FAA required airlines to apply a secret CAPPS profiling algorithm to all passengers boarding flights in the US, to decide which passengers to subject to more intrusive searches (”secondary screening”).

CAPPS profiling was carried out by airlines, based on information contained in reservations (”Passenger Name Records” or PNRs) and/or on tickets. The original CAPPS profiling algorithm was fairly simple, and most of the data elements and criteria became well-known through reverse engineering of travelers’ experiences. Travelers were most likely to be subjected to secondary screening if they were traveling on one-way tickets purchased for cash at the last minute.  The outcome of CAPPS profiling was a binary score: normal screening or secondary screening.

At the time, searching (”screening”) of passengers and baggage was carried out by airlines or their contractors, not by government employees or contractors. There was no system for routine transmission of the results of CAPPS profiling, much less of the data on which it was based, to any government agency.

When the TSA was created after 9/11, one of its first projects was the development of a new airline passenger profiling system, which came to be designated as “CAPPS II”.  The new TSA initially regarded anyone with pre 9/11 experience or expertise in aviation security, either with the FAA or the airline industry, as presumptively tainted with incompetence by their association with the “security failure” of 9/11.  As a result, CAPPS II was developed in almost complete secrecy, largely by people from NSA and other military and “intelligence” agencies with little or no knowledge of aviation industry norms and procedures. The airline industry was largely if not entirely excluded from this process.

CAPPS II was conceived of as a system that would be based on existing airline reservation data. But the designers of CAPPS II presumed that airlines already collected, recorded, and would be able to transmit to the government, in normalized form, much more data about passengers than they actually did or were able to.

TSA officials and the other architects of CAPPS II were shocked to discover, when they began presenting their CAPPS II plan to the airline industry as a fait accompli in early 2003, that airlines didn’t routinely record passenger addresses in reservations, almost never recorded dates of birth, sometimes didn’t record passengers’ telephone numbers (especially if reservations were made through travel agencies), didn’t have any standard formats for recording or transmitting this data, and sometimes held reservations, especially for groups, without even knowing passengers’ names until they checked in.

Civil libertarians, privacy advocates, and members of the traveling public also complained about the proposed use of secret profiling algorithms and the proposed transfer of passenger data to the government.

In response to the public and political objections, the TSA renamed CAPPS II as “Secure Flight”, so that it could say that CAPPS II had been “canceled” while continuing to develop and deploy essentially the same system, or its successor, under the new name.

In response to the quieter but more problematic practical objections from the industry, the TSA made two major changes from the original CAPPS II concept to Secure Flight as it was eventually implemented:

First, the TSA — out of necessity rather than choice — postponed implementation of “Secure Flight” for several years until airlines, computerized reservations systems, and other information technology providers had spent the several billion dollars necessary to modify their systems, from database formats and data transmission protocols through every system and interface layer, to accommodate collection, retention, and normalization of the information about passengers desired by the TSA as part of the input to its profiling system.  In effect, the industry had to build government-mandated passenger surveillance capabilities into airline reservations infrastructure, something that it was simply impossible to do cheaply or overnight.

Second, the TSA and its parent agency, the DHS, separated international and domestic flights in their “security” rules, and applied different data collection, data transmission, profiling, and surveillance requirements, on different implementation timelines, to those two categories of flights.

International flights were subjected to something closer to the initial CAPPS II concept, on an earlier schedule than domestic flights.  That could be because there are fewer passengers on international flights that on domestic flights at US airports, so that more burdensome requirements could be tested first at smaller scale if they were applied first to international flights. It could also be because the government could claim, if challenged, that the PNR and API data it demanded for international travelers could have been obtained by custom and immigration inspection of tickets and documents, and would be covered by border exceptions to Fourth Amendment restrictions on warrantless, suspicionless searches and seizures.

(Such a claim would be false: Much of the information in PNRs could not be obtained from tickets or other documents subject to inspection at international airports or borders. But although DHS has made such a bogus claim, we don’t know whether it would stand up in court: So far as we can tell, no US or foreign airline has made any legal challenge to DHS demands for passenger data, or to similar demands by other governments, so the government hasn’t needed to try to justify these demands to the courts.)

Whatever its reasons, the DHS has required airlines to provide the TSA with only a more limited set of “Secure Flight Passenger Data” (SFPD) and certain other itinerary data for each passenger on a domestic flight, rather than the complete PNR required for each passenger on an international flight.  This data is used as part of the basis (along with other data in DHS files about travelers, data from other government agencies, and data from commercial sources) for the profiling conducted by the TSA as part of “Secure Flight”.

The TSA said that with the implementation of “Secure Flight”, it was taking over “watchlist matching” (a euphemism for what has subsequently been shown to be a much more complex pre-crime profiling process) from the airlines. But because some of the data on which CAPPS profiles had been based, such as the form of payment used to purchase tickets, is not included in the SFPD dataset, Secure Flight profiling of domestic air travelers could not be based on these factors. (This data is included in the complete PNRs required to be copied to the TSA for international flights, so the CAPPS factors could continue be included in DHS profiling algorithms for international travelers.)

If these original CAPPS factors had actually been considered significant, the TSA could have ordered airlines to continue to carry out CAPPS profiling, based on complete PNR data, in addition to the Secure Flight profiling now being conducted by the TSA.  The TSA did not do so, however.

According to this week’s Federal Register notice:

By November 2010, TSA fully assumed the watch list matching function from aircraft operators and air carriers in Secure Flight. Since that time, CAPPS has not been used to determine whether additional screening is warranted for certain passengers. Notably, however, IRTPA did not remove or amend the statutory requirement for aircraft operators to use CAPPS. Accordingly, the statutory and regulatory authorities for the use of CAPPS remain.

This suggests that the TSA had realized that the use of cash to buy airline tickets, or the other CAPPS factors not included in the SFPD dataset, were not useful pre-crime indicia of intent to commit air terrorism.

Yet despite this, according to the latest notice, “TSA plans to incorporate a CAPPS assessment generated by aircraft operators into its Secure Flight risk-based analysis of passenger and other prescreening data… [R]ecords containing assessments generated by aircraft operators under the Computer-Assisted Passenger Prescreening System (CAPPS)” will be passed on to the TSA along with the SFPD dataset for each passenger on a domestic US flight, and may be retained by the TSA in its Secure Flight records system.

If CAPPS was dead, and had been abandoned by the TSA since 2010, why is it being resurrected in 2015?

The answer may lie in what is being resurrected — or, perhaps more accurately, in what new profiling program is being cloaked in the corpse and assigned the name of “CAPPS”.

According to the latest notice:

TSA has taken a number of steps to review the security value of CAPPS data…. First, TSA worked with its airline partners to re-assess the security value of the individual CAPPS data elements. This effort resulted in refining CAPPS data elements. Second, TSA engaged the Civil Aviation Threat Working Group (CATWG), which is composed of analysts from various Federal Government agencies and led by a representative from the National Counterterrorism Center, to provide its assessment of the security value of CAPPS data. The CATWG provided its report of findings and recommendations in September 2013, which further refined the security value assigned to CAPPS data elements. Third, TSA asked the Homeland Security Studies and Analysis Institute [24]  (a federally-funded research and development center) to review its approach to risk-based security screening including the use of CAPPS assessments. In March 2014, the Institute endorsed TSA’s approach for conducting Secure Flight risk-based analysis and recommended that TSA continue to strengthen this analysis by including CAPPS assessments. Finally, TSA reviewed its plans to use CAPPS assessments with senior officials from the Department of Homeland Security Offices of Privacy, Civil Rights and Liberties, and General Counsel. TSA further refined the security value assigned to CAPPS data elements based on input from these offices.

The key sentence in this bland-seeming history is, “This effort resulted in refining CAPPS data elements,” which appears both broad and vague enough to encompass adding new data elements to those used as the basis for CAPPS profiling and pre-crime scoring.

It seems unlikely that the TSA would decide, after a hiatus of more than four years, that it needs to reinstate profiling based on the original CAPPS data elements such as cash as a form of payment for tickets.

More likely, what is happened is the TSA wants to carry out more complex and intrusive profiling of domestic air travelers, using some of the elements of PNR data that aren’t included in SFPD dataset.  Imposing such a scheme would require legislation or regulations mandating that airlines either (b) hand over additional data (such as complete PNRs) for domestic air travelers to the TSA, or (b) carry out this profiling themselves.

Rather than ask Congress to enact new laws, the TSA has seized on the vestigial statutory mandate for airlines to use “CAPPS”.  So what if CAPPS has been dead for years?  Presumably, the TSA interpretation of the law is that if the TSA calls this new profiling scheme (or anything else) “CAPPS”, airlines are required to implement it.

This resembles, of course, the TSA’s claim that because air travelers are required to submit to “screening”, we are required to submit to whatever any TSA employee or contractor decides constitutes “screening”.

Under the system described in the TSA’s latest notices, the airline operating a domestic flight within the US will first profile and score each would-be passenger, on the basis of  the “refined” set of PNR data elements. That score for each passenger (or possibly multiple scores based on different criteria or data elements) would be passed on to the TSA along with the SFPD data elements. Both the CAPSS score(s) and the SFPD data eleemtns would be among the inputs to the TSA’s second-stage profiling and scoring process.

If CAPPS II was really scrapped, that would make Secure Flight “CAPPS III”, and this new scheme “CAPPS IV “.

The TSA will no doubt claim that CAPPS IV is merely a minor “refinement” of the CAPPS system that was used (and, the TSA won’t mention, widely criticized and derided) for years.  Even if that is true, addition of this new airline-operated layer to the TSA’s passenger profiling scheme opens the door to more extrajudicial interference with the rights of travelers, and misuse of any or all of the data elements included in PNRs.

Papers, Please!