"My story is simple yet complicated," begins one letter. "Since June 2002 I have flown various airlines, and each time I have almost been denied boarding, ticket agents and security personnel informing me that my name is on their no-fly list. And each time I have been embarrassed and even humiliated by those staff people who interrogate me ... before they finally believe I am who I am: a 71-year-old gray-haired American-born English teacher."
Another person explains that there's no reason to consider him a risk to airlines just because he has a name that "in the Middle East is as common as 'Jones' in America." He asks, "Is there not something that can be done to remove [my name] from the list?" As if to prove that he couldn't possibly be a threat, he says, "I have never traveled to the Middle East" and "cannot speak a word of Arabic."
These stories are excerpted from dozens of letters recently released by the Transportation Security Administration, the federal agency created after Sept. 11 to improve airline safety. The letters were forwarded to the TSA by members of Congress who were concerned that the agency had erroneously placed their law-abiding constituents on terrorist watch lists. Rumors of a federal "no fly" list have circulated since Sept. 11, 2001, and they were corroborated last year by an official confirmation of a blacklist. But several documents produced by the Transportation Security Administration late in March -- in response to a Freedom of Information Act request filed by the Electronic Privacy Information Center, a privacy watchdog group -- illustrate, for the first time, the scope of the federal no-fly program.
The documents indicate that the TSA actually keeps two main watch lists -- one "no-fly" list of people "to be denied transport," and one "selectee list" of people who need "additional screening prior to boarding," according to an internal memo released by the agency. These lists have "expanded almost daily" since November 2001, the memo says.
But judging by the letters, there are mistakes either on the lists themselves or in the way they're being implemented at airports, because innocent people are being fingered.
Why is this happening? Judging from the documents produced by the FOIA request, the TSA doesn't seem to have instituted thorough checks to prevent the abuse of these lists, and it's conceivable that people have been placed on them for reasons other than terrorism. But the most likely explanation is that such cases are instances of mistaken identity: A traveler is being scrutinized because his name is similar or identical to that of a wanted terrorist on a watch list, or because he fits the "profile" of a known terrorist -- meaning that a computer program has determined that his travel plan is statistically similar to the kind of trip an actual terrorist might take.
The TSA readily admits that its methods of determining whether an airline passenger is a terrorist -- or might merely share a name or profile with one -- are not as good as they could be. That's why the agency is building a system that it promises will be far more accurate when it picks out the bad guys from the good guys. The new program is called CAPPS II, the second generation of the "computer-assisted passenger prescreening system," or CAPPS, currently in use -- but the new CAPPS works completely differently from the old one. Instead of making guesses about passengers based on their travel information -- on, for example, whether someone has purchased a ticket with cash, or is flying one-way -- the new system will perform an individualized check of each traveler at check-in. CAPPS II will contact commercial databases -- the kind used to determine a person's credit worthiness -- to make sure that someone with a given name, birth date and other identifying characteristics actually exists. At the same time, CAPPS II will contact various law-enforcement databases and perform an instant criminal background check of the passenger. If the person is clean, he's let on the plane; if there's some question about his past, he's searched more thoroughly, or barred from flight.
The appeal of CAPPS II is that it might make the problems of mistaken identity go away. But accepting such a system is clearly a Faustian bargain, and the cure may be much worse than the disease. In order to remove the question marks that surround some of us, the government wants to look more closely at all of us. But such a move may not clear any of us of suspicion; after all, the government runs the databases and the watch lists, and who knows what they've stored? More than that, there's no indication that CAPPS II will even find terrorists; indeed, there are some strong signs that it won't.
Although the documents released by the TSA are heavily redacted -- on some of the pages provided, almost every single word is blacked out -- they shed light on the mechanics of the no-fly program and on why some people might have been mistakenly placed on watch lists. In one internal letter from October 2002, Claudio Manno, TSA's acting associate undersecretary for intelligence, says that a person is put on the list when one of several intelligence or law enforcement agencies asks the TSA to do so -- but the agencies empowered to do this have been kept hidden, as have been any steps the TSA might take to make sure that the person is actually a threat.
"The placement of individuals on the No-Fly or Selectee lists has been guided by two primary principles," Manno writes -- but the principles are blacked out. One page is headed "Problems and Recommendations," and every single problem and recommendation is kept secret. If you're on one of these lists, how can you be removed? When you are "no longer assessed to be a threat to the U.S."
Mihir Kshirsagar, a policy analyst at the Electronic Privacy Information Center, says that he was most surprised that "there is no independent entity responsible for verifying this list. It sounds like the intelligence service pulls these names together, and it doesn't sound like they do anything more than that. We were always wondering, Where's the oversight? Who's going to verify it? Our worry is, if the FBI starts putting people who are on the most-wanted list for other things, how would you know that they are there?"
The identities of the people complaining about being constantly stopped at airports have been kept secret, so one can't say why the TSA might have put those people on the watch lists. Do they all share names with those of wanted terrorists? A few of them say that they are Arabs, and one person says he has a "Spanish name" and feels he's being "unfairly" singled out because of it. The angriest letters, though, come from people who insist that they couldn't possibly fit a terrorist profile; these people indicate that they're "American-born" or "Caucasian," and give other characteristics -- being "a grandmother," for instance -- that would tend to rule out terrorist intentions.
The TSA concedes that this is a problem. The department uses "a series of protocols that we have found aren't the best way of dealing with things," says Heather Rosenker, a TSA spokeswoman. "They aren't as clean as they need to be -- we don't just find the needle in the haystack, we pick up lots of hay in the haystack as well." Hence the need for CAPPS II.
The TSA was charged with building the new passenger-profiling system in the Aviation and Transportation Security Act, which Congress passed immediately after Sept. 11. It began talking about CAPPS II last year, but the system became embroiled in controversy early in 2003, when Delta Airlines agreed to test it. In response, Bill Scannell, a software executive in the Silicon Valley, put up a site called Boycott Delta which brought significant press attention to what the agency had hoped would be a low-profile plan. Several newspapers around the country, including USA Today and the New York Times, have since called for the TSA to change its plans.
But TSA insists that it will work to ensure privacy rights in CAPPS II. The system, says Rosenker, is still in its very earliest stages, and the developers are paying attention to civil liberties at every step of the process. The agency also says that the media has carried much misinformation about CAPPS II. Contrary to some reports, the system will not make a determination on whether you can fly based on your credit rating. It will also not take into account a passenger's "race, religion, ethnicity or physical appearance," says Rosenker, and it cannot be used to track how people travel around the country, as all records of inquiries are destroyed by the time your trip ends. Finally, Rosenker says that no airport agents get to see any private data. At the end of a person's CAPPS II check -- which TSA hopes will take less than five seconds per passenger -- the passenger is given a color coding. Green is go. Yellow requires further security checks. A red would prevent the passenger from flying, and the airport may call in the police.
Here is how CAPPS II will work. When you check in to a flight, the system will feed in your name, address, telephone number and date of birth -- information that airlines already have about each passenger -- into a commercial database. This step would try to determine whether "you are who you say you are," Rosenker says. The computer could get from these databases the same sort of information that many businesses easily have access to -- your known addresses, your employer, whether you own or rent your home, that kind of thing. Rosenker says that CAPPS II will analyze this information to check that you're "rooted in the community," meaning "that you routinely are where you say you are."
Rosenker describes CAPPS II as being a kind of progressive system -- it would scan as few databases as it needs to determine that someone checks out. "If every single commercial database says, yes, there's a Farhad Manjoo with this address and this date of birth and this phone number, the system says you're OK. What this allows us to do is not complicate the lives of people who don't need more checking." On the other hand, she says, "if it comes up that this person has only been living here for four months and there's no sign of him before that, then we'd need to go to the next level of identification."
This next level would check law-enforcement databases to determine whether you're on a watch list or, "if need be, your behavioral patterns," she says. "But that's only if need be -- and you don't need to do the same degree of testing for every person."
This last test of behavioral patterns is the most mysterious thing about the system. The TSA won't say what kind of behavioral patterns it means, because if terrorists find out what the agency is looking for, they'll change their behavior. Recently, to show that it was concerned about civil liberties, the agency held CAPPS II briefings for a number of privacy groups. Lee Tien, an attorney at the Electronic Frontier Foundation who attended one of these briefings, says that the department said nothing about what factors it uses to deem someone a threat.
But he has his suspicions: They'll check everything, he says. "Let's suppose you've got an FBI file, you've got a record" -- the TSA may look at that. But there may well be other inquiries, he says, "because there's really nothing that prevents them from checking everything they can. Think TIA."
It's easy to see how CAPPS II might create as many problems as it solves. Commercial credit data, for instance, can be shoddy, subject to the whims of thousands of companies who have access to your record, or the actions of identity thieves. Your criminal record, too, can be wrong -- or irrelevant to the threat you may pose to an airliner.
"Remember, this isn't just about privacy, it's also about accountability," Tien says. "It's not just Orwell -- it's Kafka."
Kshirsagar, of EPIC, echoes that theme. "We really worry about the credit data -- if your name is mismatched, say, or your date of birth or address is wrong, you could get searched every time." That's alarming, he says, because "they're creating a new identification standard through these databases." Both Kshirsagar and Tien say TSA's use of commercial databases to identify people would be conceptually no different from the creation of a national I.D. card.
When asked how incorrect credit data would affect one's CAPPS II score, Rosenker, the TSA spokeswoman, said, "Well, first, the industry itself encourages the general public to make sure that [credit] information is correct, so that's something we should all be doing. But number two, should there ever be a problem, we will have an ombudsman program to deal with that. We will have a check and balance in that regard. If there's a problem, a passenger would literally be able to be on the phone with them then and clear it up." She said the experience would be not unlike having your credit card declined at a store: a bit unpleasant but easily corrected.
A bigger problem with CAPPS II, though, is that it may not work very well at finding terrorists. In May 2002, Samidh Chakrabarti and Aaron Strauss, two graduate students in computer science (and a few other disciplines) at MIT, decided to see if they could come up with an algorithm that terrorists might use to beat a profiling system like the current version of CAPPS. After studying everything that is publicly known about CAPPS, the pair determined that anyone with the will and not very many resources could easily get around the system. They concluded that airlines would be safer if, instead of profiling, they instead selected a portion of fliers at random and subjected them to more thorough searches for weapons. (Chakrabarti and Strauss wrote up their findings in a term paper for a class, but it was picked up by First Monday, a peer-reviewed academic journal on the Web.)
The first thing one has to understand about security in U.S. air travel is that a lot of people take airplanes. In 2001, about 640 million people passed through U.S. airports, and it would be impossible to subject each person to a thorough check. It is also unnecessary to do so, of course, since the overwhelming majority of people flying are not terrorists.
Profiling systems were developed to pick out the people considered most likely to pose a threat in order to give them closer attention. The trouble, say Chakrabarti and Strauss, is that every time someone is picked out by a profiling system, the scrutiny he's given -- a bag search, for example -- tips him off that he fits the profile. If this person is part of a terrorist group, he can use the information to develop a plan for a future attack.
"Transparency is the Achilles' Heel of CAPPS; the fact that individuals know their CAPPS status enables the system to be reverse engineered," Chakrabarti and Strauss write. "You ... know if your carry-ons have been manually inspected. You know if you've been questioned. You know if you're asked to stand in a special line. You know if you've been frisked. All of this open scrutiny makes it possible to learn an anti-profile to defeat CAPPS, even if the profile itself is always kept secret."
How would a terrorist go about defeating CAPPS? All you'd have to do is have everyone in your cell take several flights; the people who don't get searched don't fit the profile, meaning that they're the ones who should carry out the attack.
In an interview on Tuesday, Strauss said that the same problem would apply to CAPPS II. Unless it's a "magic formula," a system that could catch everyone with terrorist intentions, it can be fooled. A random search, on the other hand, does not have that flaw. Every time a terrorist tried to get on a plane, there would be a probability that he would be searched, a probability that would stay the same no matter what he did or which members of the cell were sent.
The problem with a random search, though, is that it would subject a lot of people who clearly do not fit the "profile" of a terrorist to extra scrutiny. However much the country changed after Sept. 11, the fact remains that nobody likes being searched at airports. It's not only humiliating, it's not only a hassle, but because you're innocent, it's also -- to you -- completely unnecessary. While they're rifling through your belongings, security agents are very possibly missing a real terrorist -- and, if you look around you at that moment, there'll surely be some people who, you think, deserve to be searched more than you.
One gets this sense of indignation from many of the complaint letters released by the TSA. "Did we really deserve that much of your valuable time and attention?" one couple, who describe themselves as "natural-born, patriotic citizens of the United States," ask the TSA. The couple says they were "obviously profiled and systematically harassed" on a trip, and they wonder, "What is your organization going to do to eliminate this type of harassment of citizens so that the focus can be placed on that element of the population from which the threat really exists?"
It's a good question, and for that couple -- people who were so bothered by the TSA that they decided to file a complaint with lawmakers -- perhaps a system like CAPPS II, one that goes after more "terrorist-like" people, is in order.
If you really want to be safer in the air, though, and especially if you'd rather not give the government the power to check into your records, perhaps it'd be best if you -- and everyone else -- accepted the possibility of being thoroughly searched at an airport every once in a while. "Maybe that's just the price you have to pay after Sept. 11," Strauss says.
Shares