Brave new skies

Soon, the government and the travel industry may be able to find out everything naughty and nice about you before you board your flight.

Published September 4, 2003 7:30PM (EDT)

If they had been there to discuss anything other than the Bush administration's latest anti-terrorism surveillance plan, the activists who met in Washington on Aug. 25 might have been at each other's throats. On healthcare, tax cuts, affirmative action, the war in Iraq, you name it, these people don't see eye to eye. But here was Hilary Shelton, the NAACP's Washington chief, agreeing with David Keene, chairman of the American Conservative Union, and Grover Norquist, president of Americans for Tax Reform -- two of the most influential conservatives in D.C. And here was Laura Murphy, the ACLU's legislative director, championing the work of "my good friend, former Congressman Bob Barr" -- the same Bob Barr who sponsored a resolution to impeach Bill Clinton in 1997, months before anyone knew anything about those trysts with the intern.

What could have motivated these ideologically disparate advocates to put aside their differences and join forces? The answer is CAPPS II, the air-passenger vetting protocols that the Transportation Security Administration hopes to deploy early next year. By electronically mining commercial and government databases, CAPPS II -- the "computer-assisted passenger prescreening system," version 2 -- will perform instant criminal background checks on everyone boarding an airplane in the United States. It's at once an Orwellian prospect and a potential gold mine for the travel industry: A database of the type envisioned by the government would allow hotels and airlines to get their hands on your lifetime itinerary.

Results of the background check are intended to be used to determine who gets to sail through airport screening, who is accorded greater scrutiny, and who is barred from flying at all. "CAPPS II will ensure that passengers do not sit next to known terrorists and wanted murderers," the TSA said in a recent press release. The agency also insists that CAPPS II won't be intrusive -- the system, it says, "reflects American values, and respects the rights and privacy of the traveling public."

But ever since the TSA first began contemplating CAPPS II, in January, its simple rationale for the system has won few supporters in the public or within the Washington policy establishment. Not even Congress has been happy with it; in a bill to fund the Federal Aviation Administration -- one of those must-pass appropriations bills -- lawmakers are set to order an investigation of the privacy rules in CAPPS II.

The TSA now appears to be on the defensive. On Aug. 1, in an attempt to assuage some concerns, the agency released what was meant to be an improved privacy outline for CAPPS II. The new proposal reduced the length of time the government would keep travel data on passengers and focused the system on stopping suspected terrorists and people wanted for assorted, non-terrorist-related "crimes of violence," rather than for just anybody who may have forgotten to pay a parking ticket. But it's a sign of how distasteful most critics consider CAPPS II that the new guidelines were seen by many as not very good, and to some as even worse than the rules TSA first proposed.

For CAPPS II to work, the system would need to know four bits of information about you -- your name, date of birth, home address and phone number. According to Bill Scannell, a journalist who now spends his time trying to thwart CAPPS II -- he is the man behind Boycott Delta and Don't Spy On.Us, two CAPPS II-protest sites -- once this data is associated with your itinerary, private firms (such as the airlines and hotels) will be able to keep lifetime dossiers of everywhere you travel. Every time you take a flight, every time you check into a hotel, every time you rent a car -- all your data will be entered into your permanent travel record, a file that would be available to travel-industry businesses (for marketing purposes) and to the government (for purposes even more nefarious than marketing).

At the August panel discussion Murphy, of the ACLU, described CAPPS II as being of the same stripe as Total Information Awareness, John Poindexter's now all-but-dead plan to spot the "signatures" of incipient terrorist attacks hidden in commercial databases. Both programs, Murphy said, represent the "logical outgrowth of a bureaucratic fixation on technological quick fixes to highly complicated international and domestic security problems." The words "quick fix" are important. In conversations with Salon, nearly all critics of the CAPPS II, and even some proponents, said that the TSA and its parent agency, Tom Ridge's Department of Homeland Security, do not appear to have fully considered the far-reaching political, social and technological implications of having the government watch everyone who flies.

Shelton, of the NAACP, says he fears that CAPPS II will single out minorities for greater scrutiny at airports. James Dempsey, executive director of the Center for Democracy and Technology, worries about "mission creep." The TSA says that CAPPS II will focus on international as well as domestic terrorists, but who's to say who's a domestic terrorist? "Some people would call antiabortion activists terrorists, and the FBI has called certain environmentalists terrorists," Dempsey says. Bob Barr worries about the intrusion of the federal government into state matters -- why will the Homeland Security Department act on local criminal warrants at airports? And they all say that -- unlike financial or medical data -- travel information is bound by precious few regulations; once the TSA starts mixing your name and birthday with your flight information, your individualized travel file will be available to virtually anyone with access to a computerized travel database -- not a small group.

All of this might be necessary, some critics say, if the TSA could show that CAPPS II will make a tremendous difference in the safety of air travel -- if the agency could prove that this is the only thing we can do to make flying safe. But that's not the case; on Sept. 11, 2001, terrorists exploited any number of holes in the national security apparatus, and the government would do well, critics of CAPPS II say, to first patch those holes. You could bolster foreign intelligence services, you could staff airports with more diligent screeners, you could fit planes with antimissile systems. (Or you could, as the Bush administration announced on Tuesday, expand the air marshal program.)

You could even put the United States on friendlier terms with the rest of the world. Anything's better, isn't it, than a massive surveillance program? "If Sept. 11 could have been avoided by four pilots with four .22s, why is the response to that to profile everybody?" Grover Norquist asks. "What's the deal with that?"

The TSA's first public notice for CAPPS II, printed in the Federal Register on Jan. 15, appears now to be an invitation to disaster. Looking at it, you wonder how the agency thought it could ever get away with such a bold plan. The notice seemed to contemplate an all-powerful worldwide police force, a group responsible for moving into action whenever CAPPS II determined that there might be even a "potential violation" of "civil or criminal law." In the first notice, the government also said that it intended to keep records on some people for "up to 50 years," and because it seemed almost purposefully vague, some critics saw the notice as suggesting that the government would deny flights to people with bad credit records or too many unpaid parking tickets or other minor infractions. The TSA vehemently denied that the program was as bad as its privacy notice seemed to suggest, but, with Scannell launching a high-profile boycott of Delta, the first airline that agreed to test CAPPS II, the entire proposal was quickly embroiled in controversy.

Since then, the Homeland Security Department has moved to quell the storm. In April, the department hired Nuala O'Connor Kelly, a lawyer and a former executive at the Internet advertising firm Doubleclick, as its first privacy officer. (Kelly was unavailable for comment to Salon.) Critics of CAPPS II say that Kelly has reached out to them and tried, whether out of earnestness or for public relations, to address their fears. Recently, the TSA met privately with Barr and Keene to see what they disliked about CAPPS II. And in the agency's new privacy notice for CAPPS II, the TSA indicates that it read some of the many public comments that poured in and that it tried to address at least some of them.

"I have no doubt of the genuineness of the effort to grapple with these problems," says James Dempsey of the Center for Democracy and Technology. "I think the first notice was a hide-the-ball notice" -- meaning that the agency seemed to be intentionally obfuscating the specifics of CAPPS II. "Now there's a genuine effort to say more or less what the thing is about."

But unfortunately for the TSA, the new, more specific notice -- published in the Federal Register on Aug. 1 -- also gave added ammunition to CAPPS II opponents. Before this notice, the TSA had not explained how it intended to get all of the data on travelers it needs to run CAPPS II. Was it going to get the information from airlines, or travel agents, or from individual travelers at the airport? All of that had been a mystery -- but now the whole thing is clear.

The TSA wants to tap into the four major worldwide databases that keep track of virtually all passenger records in the world. Most airline travelers have likely never heard of these systems, called computerized reservation systems, or CRSs, but they're vital for air travel -- as important as the planes themselves. The four databases are maintained by separate corporations: Sabre Holdings, which owns Travelocity.com; Galileo International, a subsidiary of the giant Cendant Corp.; Worldspan, a privately held American firm; and Amadeus, a Spanish company. If CAPPS II is imposed on the travel industry, these firms will need to make significant changes in their systems to accommodate the government's plans -- and critics of the proposed system say that the firms would accede to doing this only if they had the chance to somehow recoup their investment in CAPPS II. The theory is that after CAPPS II is implemented, these companies would make money by selling your travel data in much the same way that financial firms sell your credit history.

Edward Hasbrouck, a travel agent in San Francisco and the author of the "Practical Nomad" series of travel books, is an expert on the technology that keeps the travel industry humming. The system, he says, is both gargantuan and mind-numbingly complex; the worldwide constellation of airlines, travel agents, hotels, car rental agencies, cruise lines, travel Web sites and airports constitutes one of the largest computer networks in the world (until the mid-1990s, when it was overtaken by the Internet, it was the largest). It is also one of the most antiquated, depending on ages-old protocols to communicate between machines of varying sophistication. The TSA's proposal will require all these systems to integrate data that is not routinely collected -- when was the last time you gave your date-of-birth to book a flight? -- and will, consequently, cost the industry billions, he estimates.

But there could be a payoff. "The key impact of the proposal would be that it would enable the CRS to correlate previously separate reservations for trips into a lifelong history of your travel," Hasbrouck says. "That would mean that it would become very easy to investigate your travel history -- where you went, who you went with, did you stay in a gay resort, did you ask for one bed or two? It would be easy for them to use it for marketing data, and for the government to get it." Hasbrouck continues: "Are the CRSs now in a position to make a practice of selling to all comers what they'd like to know? 'We'd like to know who's rented a car in Cleveland for the last six months'? This is utterly unregulated. Many of [the CRS firms] don't even have any privacy policy -- and to the extent that they do, they the policies allow unrestricted affiliate sharing. Cendant, which owns Galileo, allows the sharing of data to affiliates" -- firms such as Avis, Budget, Travelodge, Howard Johnson, Century 21..."

In theory, says Hasbrouck, records collected by the CRS firms are kept forever: Although they are periodically "purged" from live databases, the CRSs keep them in archives for as long as possible. There is, in fact, no technical way to delete a single passenger record in a CRS database; the protocols are so old that, when the databases were built, nobody seems to have anticipated the need for a delete function. So every reservation you make, every reservation you cancel, everything piles up in the CRS database.

This, obviously, would be a gold mine for government snoops. And Hasbrouck says that CRS firms are always happy to cooperate with the government: "Every travel company privacy policy I've ever seen gives blanket permission to give any data in response to any request from the government" -- not a subpoena, but any informal request whatsoever.

On Aug. 11, Scannell read an article on CAPPS II in TravelAge West, a travel-agent industry trade publication, that contained this line: "Galileo has said it held limited discussions with the TSA and it will cooperate with testing." He says that this led him to check out some other sources, and he discovered that Galileo was working closely with the TSA on CAPPS II. On his Web site, he calls on passengers to book tickets with airlines that don't use Galileo, to boycott other Cendant products, and to sell off stock in the company. Scannell says that by working with CAPPS II, Galileo is helping to enable a de facto national I.D. card system and an "internal border-control" apparatus. "Is that the America we want?" Scannell asks. "Let's have a discussion about it. I'm personally against both, but let's have a national discussion, and let's not go through the back door."

Dawn Lyon, a spokeswoman for Cendant, said that there has been "a lot of confusion" over Galileo's role in CAPPS II. "Our involvement to date is that we have stated we will cooperate with the U.S. Department of Homeland Security during what they're classifying as a testing process," she said. The exact nature of that cooperation, though, has yet to be determined. Lyon also said that Galileo is not the only CRS cooperating with Homeland Security, though she did not say what the other firms were doing.

Lyon insisted that Galileo goes out of its way to ensure that the data it collects on travel is kept private and secure. "It's always at the forefront of our minds," she said. "We always comply with legal requirements that exist. The U.S. is just one country where we operate, and we've prided ourselves on working diligently to protect all customer data" and to make sure that it's not used for purposes other than the trip at hand. Lyon did not explicitly say that Galileo would never use the collected data for marketing. When asked about whether, after CAPPS II was implemented, she could see Galileo selling personal travel dossiers to anyone who paid, she said, "Our operating philosophy is that we will protect and work diligently to protect the privacy of customer data."

Israel's national airline, El Al, is often said to have most terrorist-resistant air fleet in the world. On El Al, security is built into every design element of the airplane: Cockpit doors are (and have long been) locked, armed agents fly on every flight, passenger luggage is thoroughly inspected (by hand and by machine), and the planes are fitted with antimissile systems. El Al also makes extensive use of profiling. The airline checks passenger identities in criminal databases, and agents are trained to ask all passengers questions about their flight. Travelers who appear especially nervous -- or who are Arab; El Al admits to using ethnicity as a factor in its security decisions -- are singled out for much tougher questioning, and the airline routinely bars people from flying.

But for both practical and obvious political reasons, El Al's approach to profiling turns out to be a bad model for the United States, security experts say. "U.S. airlines fly a lot more planes and a lot more passengers over much shorter routes," explains John Pike, the director of GlobalSecurity.org. Each day, El Al has only a few flights, while thousands take off in the United States. And El Al is a long-haul airline, which makes profiling easier. "If you're going to sit on one of those airplanes for six or eight or 10 hours, you might not think that an elaborate, robust interview process and physical security check is out of the question," Pike says. Most American passengers, however, people whose flights typically last less than a couple of hours, would balk at such procedures. Indeed, Pike says, "the level of security they have right now is on the verge of altering travel patterns. For most passengers, the experience is unbearable. I no longer fly between Washington and New York -- I'll either take the train or drive, because the annoyance of having to park far away from the terminal and to go through the whole rigmarole, it's too much to bear."

Pike's point is key to understanding the federal government's desire for CAPPS II. The U.S. aviation industry is suffering a historic downturn, and at least part of the reason is the peculiar psychology of American travelers: People are both too afraid to fly and too annoyed to fly. Americans want their planes to be as secure as El Al's, but they don't want to face the hassles of El Al. CAPPS II has to be seen as an effort to fit that bill: a profiling system meant to be as rigorous as El Al's, but automated, hidden and a hassle to only some of the passengers.

Capt. Steve Luckey, the chairman of the Air Line Pilots Association's flight security committee and a proponent of CAPPS II, says that critics of the plan fail to grasp this idea: "They don't realize that this is actually protecting the individual rights of most people by minimizing the scrutiny." What he means is that once CAPPS II is implemented, the vast majority of people will have an easier time at airports than they do now. CAPPS II will concentrate security resources on the most likely terrorist threats, Luckey says. For instance, if the computer clears someone of any potential mischief, his bags don't need to be very extensively checked by hand or with slow, expensive computer-topography screening systems. And that's good for all of us, because "right now, good people are being scrutinized. The wrong people are paying for 9/11. We need to utilize the tools to work smart rather than work harder."

But from a security standpoint, Luckey's idea does not make very much sense, critics of CAPPS II say. If you do your profiling by computer, rather than by in-person interviews, you're bound to miss all sorts of clues that could lead you in the right direction, and you could give too much weight to other clues that could lead you astray. Scannell notes that Timothy McVeigh had an Army security clearance -- he would presumably have passed through CAPPS II with no trouble. Shelton, of the NAACP, says, "The fastest-growing religion in the African-American community is Islam, and when many people in the African-American community become Muslim they change their name to an Arab name. You see Leroy Jones who has now changed his name to Muhammad Ali. You see Susan Washington who has changed her name to Kadida Muhammad." Under CAPPS II, are all these African-Americans going to be subject to extra screening while the John Walker Lindhs of the world make it through just fine?

The TSA itself has rejected some forms of profiling in part because of this potential for missing key threats. Since 9/11, many pundits have criticized the department for hassling senior citizens and children at airports, people who, the pundits cry, are obviously no threat to U.S. national security. But the TSA routinely finds contraband hidden on kids and old people. On July 12 at Orlando International Airport, for instance, screeners found a loaded .22 handgun stuffed inside a 10-year-old boy's teddy bear. (The bear had been given to the boy by another boy a few days before the flight. After questioning the child and his family at the airport, the FBI allowed them all to board the plane.) TSA agents have found knives hidden in senior citizens' prosthetic legs and in baby car seats. According to the agency, since February 2002, it has caught "1,437 firearms, 2.3 million knives and 49,331 box cutters," and James Loy, the agency's director, has said that such items don't come only from people who fit what most would guess is the profile of a terrorist. "The suggestion that our screeners should pay less attention to grandmas and babies is like giving a free pass to terrorists," Loy said in a statement on July 18. (For pictures of items in which people have "artfully concealed" weapons, see this TSA gallery.)

Because the agency will still need to look closely at kids and grandmothers, not to mention everyone else, it's not clear that CAPPS II will decrease the scrutiny, and the hassle, most of us face at the airport -- yet it will certainly increase the scrutiny and hassle some of us face. Some number of these hits will be false positives; and even if it's a small rate, just 1 or 2 percent, that's still millions of people falsely identified as potential terrorists every year.

Given this difficulty of spotting terrorists, many critics of CAPPS II wonder why the TSA says that it wants to use the system not just for terrorism but also for other violent crimes. "If a person's not a terrorist and they just assault someone with a deadly weapon at a bar, I'm not worrying about them sitting next to me on the airplane," says Dempsey. "I don't think we should use the gate at the airplane to catch them. I think resources are being diverted from air safety. But there are clearly some in Homeland Security who want to make it a general all-purpose law-enforcement agency." A few of the critics of CAPPS II said they would be satisfied if the TSA made it clear that the system would be used only to make sure that a given passenger was not on a known terrorist watch list. "My view is that having a database that is comprised of terrorists and known associates of terrorists, and which is updated and based on sound intelligence, is not at all problematic," Barr says. It is worth noting that a system like this is currently in place, and was in place on 9/11 as well -- the only problem was that the watch lists didn't include the names of the known terrorists.

Because the problems with CAPPS II are so glaringly obvious, many critics seem confident that the proposal will have a hard time surviving without significant changes. A system called CAPPS II might eventually come into use, but if the public loudly objects, it won't be the system the TSA is now putting forward. Barr says that Americans have now started to see that the fight against terrorism is costing them civil rights, and he believes they're beginning to fight back. "I think the public is expressing their concerns to their members of Congress, and that's why we are starting to see Congress starting to wake up to these kinds of programs," he says. For example, on July 22, the House passed the Otter Amendment, which prohibits law enforcement agencies from engaging in "sneak and peek" activities -- surreptitiously searching the homes of suspected terrorists.

While there's no doubt that he's an ardent civil libertarian, Barr still seems somewhat reluctant to criticize the president. Asked if he believed that the White House, like the Congress, was starting to concern itself with privacy rights, he started to say, "They don't care at all," but then caught himself. "They don't seem to be focused on that at this point," he ended up saying. "The response by the Justice Department to the Otter Amendment a few weeks ago was, 'The sky is falling, the sky is falling, if this goes into law it will gut our war against terrorism.'"

But Barr believes that the administration may come around. "On the one hand it's a good sign that the attorney general felt the need to go on this whistle-stop tour defending the PATRIOT Act," Barr said. "At least they're feeling the heat to the extent that they think they need to defend themselves." But whether the pressure makes the White House enact real changes in its policies, Barr can't say. "If they don't, hopefully Congress will do its job."


By Farhad Manjoo

Farhad Manjoo is a Salon staff writer and the author of True Enough: Learning to Live in a Post-Fact Society.

MORE FROM Farhad Manjoo


Related Topics ------------------------------------------

Air Travel Privacy Travel