RealTime IT News

DHS Issues New CAPPS II Guidelines

The Department of Homeland Security (DHS) has issued a new set of proposed guidelines for its controversial Computer Assisted Passenger Prescreening System (CAPPS II). The Transportation Safety Administration (TSA), which administers the program, ceased testing CAPPS II in June pending a thorough privacy policy review.

In early March, the Bush administration revealed the TSA planned to scan government and commercial databases for potential terrorist threats when a passenger makes flight reservations. Under the program, airline passengers would be required to provide their full name plus address, phone number and date of birth.

Once that information was entered, the airline computer reservation system, initially tested by Delta Airlines, automatically linked to the TSA for a computer background check on the traveler that can include a credit, banking history and criminal background check. The TSA would then assign a red, yellow or green score to the passenger based on the agency's risk assessment of the traveler.

The program was sharply criticized by privacy advocates and lawmakers. The Senate Appropriations Committee two weeks ago denied any funding for CAPPS II until the General Accounting Office (GAO) produces a study on the privacy impact of the program.

Under the new guidelines, passengers will still be required to provide the airlines with their name, address, telephone number and date of birth, as well as some information about the passenger's itinerary. According to the DHS, "No additional information beyond this data is required to be collected from passengers for the operation of CAPPS II."

The airlines will then access the CAPPS II system prior to the departure of the passenger's flight. "Selected" information will be "securely transmitted to commercial data providers, for the sole purpose of authenticating passenger identity." The authentication will be accomplished not by a permanent co-mingling of data, but by the commercial data providers transmitting back to TSA a numeric score, which is an indication of the percentage of accuracy of the match between the commercial data and the data held by TSA.

The commercial providers to the TSA will not acquire ownership of the data, nor will they be permitted to retain the data in any commercially usable form.

"TSA will not permit the commercial data providers to use this data for any purpose other than in connection with the CAPPS II program," the guidelines state. "Importantly, the commercial data provider will not retain information about the response they provide to TSA in any record about the individual that they maintain. Further, no persistent link between an individual's records in the private sector and that person's records within the CAPPS II system will be created."

Once CAPPS II has authenticated a passenger's identity, it will conduct a passenger risk assessment, done internally within the U.S. government and determine the "likelihood that a passenger is a known terrorist, or has identifiable links to known terrorists or terrorist organizations."

National security information from within the federal government, as well as information reflecting federal officials with high levels of security clearance, will be part of the risk analysis.

If the CAPPS II system ultimately becomes operational, the DHS says it contemplates that information regarding persons with outstanding state or federal arrest warrants for crimes of violence may also be analyzed and applied in the context of this system. If there is an indication of a "serious violation of criminal law," information may be shared between law enforcement agencies and DHS and appropriate action may be taken.

"It is important to note the CAPPS II system is designed to determine the likelihood that a passenger is a known terrorist, or has identifiable links to known terrorists or terrorist organizations, including both foreign and domestic terrorist organizations," the guidelines state. "Lastly, it is anticipated that dynamic inputs to the system from intelligence sources will allow the system to respond to current threat conditions and information on a timely basis"

According to the DHS, in the "vast majority of cases," passengers will be identified as "low risk" and will simply pass through the ordinary airport security screening process to their flights.

In a small percentage of cases, passengers may be found to present an elevated, uncertain or "unknown risk" of terrorism. In such cases, the passengers in question will be subjected to "heightened security screening prior to boarding their flights." Once these passengers have successfully completed this screening, they will proceed to their flights in the normal manner; they will not be penalized, nor will additional information about them be retained within the CAPPS II system.

Passengers will be able to request a copy of most information contained about them in the system from the CAPPS II passenger advocate.