Focusing public attention on emerging privacy and civil liberties issues

Secure Flight

Top News

  • Homeland Security Revised Traveler Screening Violates Federal Privacy Act: The Transportation Security Administration and Customs and Border Protection, components of the Department of Homeland Security, have announced plans for agency record disclosures without Privacy Act notifications. The agencies Common Operating Picture ("COP") program would permit TSA and CBP to exchange personal information held by the agencies to place travelers on federal watch lists. Although TSA and CBP have proposed new uses for personal data, the agencies have declined to solicit public comments as required by the Privacy Act. Currently, the agencies use the Automated Targeting System to perform "risk assessments." EPIC has called for DHS to suspend "risk-based" passenger profiling and to make public the algorithms that are used to assess travelers. For more information, see EPIC: Secure Flight, EPIC: Passenger Profiling, and EPIC: Air Travel Privacy. (Feb. 10, 2014)
  • EPIC Objects to Secret Profiling of Air Travelers: EPIC has submitted comments to the Department of Homeland Security, objecting to the agency's plan to secretly profile U.S. air travelers and remove Privacy Act safeguards. The DHS proposed to exempt TSA PreCheck from the federal privacy law. The PreCheck database contains detailed personal information, including name, birthdate, biometric information, Social Security Number, and financial information. The TSA plans to release applicant data to federal, state, tribal, local, territorial agencies and foreign governments. However, the TSA proposes to remove the rights of PreCheck applications concerning notification, access, and correction. The agency also intends to keep secret the basis for approving PreCheck applicants. EPIC described the substantial privacy and security risks of Precheck, urged the DHS to narrow the Privacy Act exemptions, and recommended that the DHS withdraw routine use disclosures. For more information, see EPIC: Secure Flight, EPIC: Passenger Profiling, and EPIC: Air Travel Privacy. (Oct. 10, 2013)
  • EPIC-led Coalition Calls For Suspension of Secret Government Watchlist: EPIC and a coalition of privacy, consumer rights, and civil rights organizations filed a statement to the Department of Homeland Security. The group opposed proposed changes to the Watchlist Service, a secretive government database filled with sensitive information. The agency has solicited comments on the program, which entails developing a real-time duplicate copy of the database and expanding the groups and personnel with immediate access to the records. The groups focused on the security and privacy risks posed by the new system, as well as The Privacy Act. Passed by Congress in 1974, the Act requires DHS to notify subjects of government surveillance in addition to providing a meaningful opportunity to correct information that could negatively affect them. EPIC has testified before Congress and published a "Spotlight on Surveillance" report about the Watchlist program. For more information, see EPIC: Secure Flight and EPIC: Passenger Profiling. (Aug. 5, 2011)
  • House Committee Examines Future of Registered Traveler Program: A Congressional committee will hold a hearing today on the the Registered Traveler Program.  The program, which operated under the brand name "Clear," shut down and the company that operated it has declared bankruptcy, leaving open the question of what will happen to the biometric identifiers, including fingerprints and iris scans, that were obtained from customers.  The New York Times reports that the company's assets have been purchased and the program may restart within the year.  EPIC testified before Congress in 2005 that the absence of Privacy Act safeguards would jeopardize air traveler privacy and security.  See also EPIC Air Travel Privacy, EPIC Secure Flight, and EPIC Spotlight on Surveillance - Registered Traveler Card. (Sep. 30, 2009)
  • House Committee Opens Investigation into Clear Data: Leaders of the House Homeland Security Committee sent a letter to the Transportation Security Administration regarding the bankruptcy of Verified Identity Pass, the parent company for the Clear registered traveler (RT) program. Clear was the largest RT program in the nation operating out of 20 airports with about 165,000 members.  The TSA established RT security, privacy and compliance standards for the Clear program and bolstered the company's credentials with the traveling public. The Clear RT application process collected a great deal of personal information from members, such as proof of legal name, data of birth, citizenship status, home address, place of birth, and gender. The information was used to pre-screen travelers for express service through airport security checkpoints.   The committee is investigating among other things: when the TSA became aware of the bankruptcy; whether they have asked the company for its plan regarding its RT data; if the agency is seeking a privacy impact assessment on the bankruptcy; and whether the agency has a contingency plan for safeguarding the data now that the company has gone out of business. See EPIC Air Travel Privacy and EPIC Secure Flight (Jun. 29, 2009)
  • Airport Security Program Closes Operations - What Happens to the Data?: Verified Identity Pass, a company that provided the Registered Traveler program, under the brand name "Clear" shut down operation on June 22, 2009 citing inability to "negotiate an agreement with its senior creditor." The Clear program provided travelers who had undergone an extensive background check to go through special security lines at airports. The screening process required extensive data collection, including biometric identifiers, from passengers. The closure raises concern about the transfer of the customer data, which may be attached by creditors in a bankruptcy proceeding. Clear's Privacy Policy is silent on the issue. At a 2005 Congressional hearing, EPIC warned that the absence of Privacy Act safeguards would post a security risk to Clear customers. See also EPIC's page on Registered Traveler Card. (Jun. 23, 2009)
  • Homeland Security Clears Secure Flight but Watchlist Questions Remain. The Department of Homeland Security announced today the Final Regulations for the Secure Flight program. All airlines will now be required to collect date of birth and gender from customers and provide this information to the TSA for watchlist verification. A DHS Redress number, if previously issued, would also be collected. EPIC has warned in Congressional testimony that accuracy problems will continue to plague Secure Flight unless passengers are able to challenge the government's watchlist determinations. EPIC also recommended that the redress procedures be modified to limit data collection and to prescribe penalties for Privacy Act violations. For more information, see EPIC Secure Flight page and "Spotlight on Surveillance: Secure Flight Should Remain Grounded Until Security and Privacy Problems Are Resolved." (Oct. 22, 2008)
  • Spotlight: Secure Flight Should Remain Grounded. EPIC's Spotlight on Surveillance project focuses on the Secure Flight traveler prescreening program. Introduced in 2004, the Secure Flight has been roundly criticized (pdf) and the system was suspended in 2006, because it contained massive security and privacy vulnerabilities. Though Secure Flight has been revamped, it remains fundamentally flawed. The core of the program rests on watch lists so full of errors that the Department of Justice's Inspector General (pdf) has suggested that there is "a deficiency in the integrity of watchlist information." EPIC's Spotlight on Surveillance on Secure Flight. (September 28, 2007)
  • EPIC Recommends Continued Suspension of Secure Flight Traveler Prescreening Program. In comments (pdf) to the Department of Homeland Security, EPIC urged the agency to either continue to suspend or significantly revise its system of records notice for the Secure Flight program. EPIC explained that the watch lists that Secure Flight used to screen passengers were so error-filled that the Department of Justice Inspector General indicated (pdf) "a deficiency in the integrity of watchlist information." Also the proposed redress procedures are "poor substitutes" for the Privacy Act's judicially enforceable rights of access and correction. DHS suspended Secure Flight in 2006 for a "comprehensive review." Though substantial changes have been made, the program is still full of problems, and EPIC recommended the agency continue Secure Flight's suspension until the problems can be addressed. (Sept. 24, 2007)
  • DHS Revamps Secure Flight Program. More than a year after Secure Flight was suspended for a comprehensive review, the Department of Homeland Security has announced major revisions to the program. Previously, DHS sought to use Secure Flight to assess possibilities for criminal behavior from travelers. The new program will "determine if passenger data matches the information on government watch lists, and transmit matching results to aircraft operators," according to DHS. Currently, the airlines run passenger names against the watchlists. Secure Flight was grounded in February 2006 after government investigations (pdf) found numerous security and privacy vulnerabilities. There are ongoing concerns about the secrecy and accuracy of watchlists and adequacy of redress procedures. See EPIC's Spotlight on Surveillance on the Traveler Redress Inquiry Program. (Aug. 9, 2007)
  • Secure Flight Delayed Until 2010. Implementation of Secure Flight, a federal passenger prescreening program, will be delayed until 2010, at least five years behind schedule, according to the head of the Transportation Security Administration. Secure Flight was suspended for a comprehensive review of the program's information security measures a year ago after two government reports detailed security and privacy problems. One report (pdf) said the program had inconclusive risk assessments and 144 known security vulnerabilities. About $140 million has been spent on Secure Flight, and the program will require at least another $80 million for proposed improvements, the agency said. (Feb. 23, 2007)

Introduction

Secure Flight is an airline passenger prescreening program currently under development by the Transportation Security Administration (TSA). This program is intended to compare passenger information from Passenger Name Records, which contain information given by passengers when they book their flights, against watch lists maintained by the federal government. In November 2004, the TSA ordered (pdf) 72 commercial airlines to turn over their passenger records from the month of June 2004 in order to test the new system. Deployment of the system has been delayed numerous times.

History

TSA introduced Secure Flight in August 2004, shortly after the agency abandoned plans for its predecessor, the second generation Computer Assisted Passenger Prescreening System (CAPPS II). CAPPS II would have examined commercial and government databases to assess the risk posed by each passenger: green for minimal threat, yellow for those deserving of heightened security, and red for those judged to pose an acute danger, who would be referred to law enforcement for possible arrest. CAPPS II was scheduled for a test run in the spring of 2003 using passenger data provided by Delta Airlines. Following a public outcry, however, Delta refused to provide the data and the test run was delayed indefinitely.

In the summer of 2004, TSA abandoned CAPPS II, due in part to irresolvable privacy and security concerns. A significant number of these problems continue to plague the Secure Flight proposal.

Description

TSA explains that Secure Flight will compare Passenger Name Records (PNRs) against information compiled by the Terrorist Screening Center, which will include expanded "selectee" and "no fly" lists. TSA will also seek to identify "suspicious indicators associated with travel behavior" in passengers' itinerary PNR data. TSA will administer the program, removing all passenger screening responsibility from the airlines. TSA began testing Secure Flight in early 2005.

During Secure Flight's test phase, TSA examined the possibility of using of commercial data within the program. The agency explained that it wanted to determine the effectiveness of commercial data "in identifying passenger information that is inaccurate or incorrect." However, a TSA official said in July 2005 that Secure Flight might also use commercial data to detect dangerous passengers who are not on watch lists, such as members of terrorist "sleeper cells." In fall 2005, TSA abandoned its plans to use commercial data in Secure Flight, in part due to privacy concerns.

Like its predecessor CAPPS II, the test phase of Secure Flight was initially exempted from crucial provisions of the Privacy Act of 1974, which would have severely limited the rights individuals typically would have in the personal information the government maintains about them. For instance, Secure Flight would have collected and used personal information irrelevant and unnecessary for aviation security. Furthermore, passengers would have had no judicially enforceable rights to access and correct the personal information maintained about them for the program. In June 2005, however, TSA published a notice (pdf) revoking all the Privacy Act exemptions it had initially claimed. It is unclear whether TSA intends to claim Privacy Act exemptions when Secure Flight becomes operational.

TSA assured the public in September 2004 that "upon completion of the testing phase, and before Secure Flight is operational, TSA will establish comprehensive passenger redress procedures and personal data and civil liberties protections for the Secure Flight program." It remains unclear, however, how this process will work.

The government has long used "selectee" and "no fly" lists for aviation security purposes, but passengers have experienced great difficulty clearing their names when improperly flagged. In 2002, EPIC obtained through the Freedom of Information Act dozens of complaint letters sent to TSA by irate passengers who felt they had been incorrectly identified for additional security or were denied boarding because of the watch lists. The complaints describe the bureaucratic maze passengers encounter if they happen to be mistaken for individuals on the list, as well as the difficulty they encounter trying to exonerate themselves.

Even members of Congress have found themselves improperly flagged by the watch lists. In August 2004, Senator Edward Kennedy (D-MA) revealed in a Senate Judiciary Committee hearing on border security that on multiple occasions airline agents tried to prevent him from boarding flights because his name appeared on a watch list. He was halted three times before his staff called TSA, and afterwards continued to be stalled at the gate. Senator Kennedy was forced to call Homeland Security Secretary Tom Ridge in order to clear his name, an option available to very few travelers. The name on the watch list preventing Kennedy's travel was apparently "T. Kennedy." Reps. John Lewis (D-GA) and Don Young (R-AK) have also been flagged by the watch lists.

On June 15, 2005, the Department of Homeland Security Privacy Office announced that it is investigating whether the agency violated federal privacy law during the test phase of Secure Flight. Just days later, on June 22, TSA admitted in a Federal Register notice (pdf) that it had collected and maintained detailed commercial data about thousands of travelers in violation of an order issued in November 2004 stating it wouldn't do so. The notice said that the agency continued to store commercial data a contractor purchased, combined with information from airlines, and turned over to the agency on CD-ROMs during the testing of Secure Flight. It is unclear whether this data is still maintained by the agency or has been destroyed.

TSA chief Kip Hawley told the Senate Commerce Committee in February 2006 that plans for Secure Flight have been suspended until a "comprehensive audit" of the program's information technology security is completed. Testimony (pdf) from the General Accountability Office revealed that in September, TSA approved the program's operation despite inconclusive risk assessments and 144 known security vulnerabilities.

Resources

News Articles

Secure Flight Resources

Previous Top News

  • EPIC Recommends Privacy Safeguards for Traveler Screening Program. In comments (pdf) to the Department of Homeland Security, EPIC urged the agency to fully apply Privacy Act requirements of notice, access, and correction to the new traveler redress program and the underlying watch list system. Instead of following the Privacy Act, the agency is asking the public to rely on its "internal quality assurance procedures." EPIC explained that these procedures aren't working and cited a government report (pdf) that found significant problems with the handling of personal information and violations of privacy laws by DHS. Tens of thousands of people have applied for redress after being mistakenly matched as federal officials have struggled to trim the bloated watch lists. (Feb. 20, 2007)
  • Spotlight Fiscal Year 2008 Budget and Surveillance. More than 30,000 travelers have been mistakenly linked to names on terror watch lists when they crossed the border, boarded commercial airliners or were stopped for traffic violations, according to a report (pdf) by the Government Accountability Office. EPIC has repeatedly (pdf) warned that the false positive problem -- when a person who is not a suspect is mistakenly matched to a watch list -- is difficult to fix. The watch lists include 325,000 names of terrorism suspects or people suspected to aid them, more than quadruple the 75,000 names on the lists when they were created in 2003. (Feb. 13, 2007)
  • Government Report: Thousands Misidentified on Watch Lists. The head of the Transportation Security Administration told a congressional committee today that Secure Flight has been suspended for a comprehensive review of the program's information security measures. Testimony (pdf) from the General Accountability Office revealed that TSA approved Secure Flight to become operational in September, despite inconclusive risk assessments and 144 known security vulnerabilities. "TSA may not have proper controls in place to protect sensitive information," the GAO said. (Oct. 14, 2006)
  • Security Concerns Ground Secure Flight. The head of the Transportation Security Administration told a congressional committee today that Secure Flight has been suspended for a comprehensive review of the program's information security measures. Testimony (pdf) from the General Accountability Office revealed that TSA approved Secure Flight to become operational in September, despite inconclusive risk assessments and 144 known security vulnerabilities. "TSA may not have proper controls in place to protect sensitive information," the GAO said. (Feb. 9, 2006)
  • Transportation Agency Scraps Commercial Data Plans. The Transportation Security Administration has abandoned plans to use information from data aggregators to check airline passengers' backgrounds. TSA made the decision shortly before a working group issued a scathing report (pdf) on the program. Last year, an EPIC FOIA request revealed (pdf) that Axciom proposed to water down federal privacy laws so that it could sell data to the government for traveler screening. (Sept. 22, 2005)
  • Justice Inspector General: Secure Flight Hampered by Poor Planning. The Justice Department Inspector General recently concluded that Transportation Security Administration missteps have made it difficult for the government office responsible for the terrorist watch list to prepare for the launch of Secure Flight. The Terrorist Screening Center maintains the government's consolidated watch list, which is planned to be a vital part of the prescreening program. According to the Inspector General's report, Terrorist Screening Center officials "believe that their ability to prepare for the implementation of Secure Flight has been hampered by the TSA's failure to make, communicate, and comply with key program and policy decisions in a timely manner." The Inspector General cited several issues as potentially problematic, including costs, redress, and data accuracy. (Sept. 16, 2005)
  • EPIC Calls for Government Watch List Accuracy. In comments to the FBI (also available in pdf), EPIC urged the agency to hold off on expanding the Terrorist Screening Center's watch list record system until the Bureau resolves significant privacy issues. EPIC objected to the FBI's proposal to exempt the watch list from legal requirements that require record accuracy. EPIC also said that there are inadequate redress procedures for people who are improperly flagged as watch list matches. (Sept. 7, 2005)
  • Accountability Office: Security Agency Did Not Follow Privacy Law. In a letter to Congress (pdf), the Government Accountability Office has concluded that the Transportation Security Administration violated the Privacy Act when it obtained personal information about airline passengers from commercial data brokers. The agency's public statements about the screening program failed to describe this activity. According to the GAO letter, "the agency did not provide appropriate disclosure about its collection, use and storage of personal information as required by the Privacy Act," and "the public did not receive the full protections" of the law. (July 25, 2005)
  • Agency Violated Privacy Act Order. The Transportation Security Administration has admitted (pdf) that it collected and maintained detailed commercial data about thousands of travelers in violation of an order issued last year stating it wouldn't do so. The agency continues to store commercial data a contractor purchased, combined with information from airlines, and turned over to the agency on CD-ROMs during the testing of Secure Flight, a passenger prescreening proposal. The Department of Homeland Security Privacy Office announced last week that it is investigating whether the agency violated federal privacy law during the test phase of Secure Flight. (June 21, 2005)
  • Accountability Office: Secure Flight Has Long Way to Go. The Government Accountability Office has reported (pdf) that the Transportation Security Administration still has many issues to address before the viability of the Secure Flight passenger prescreening program can be determined. The office was unable to assess, among other things, the effectiveness of the system, the accuracy of intelligence data which will determine whether passengers may fly, safeguards to protect passenger privacy, and the adequacy of redress for passengers who are improperly flagged by Secure Flight. (March 28, 2005)
  • Inspector General Criticizes Agency's Passenger Data Practices. The Department of Homeland Security Inspector General has issued a report (pdf) on the Transportation Security Administration's use and dissemination of airline passenger data. The report states that the agency has been involved in 14 transfers of data involving more the 12 million passenger records. The report finds, among other things, that "TSA did not consistently apply privacy protections in the course of its involvement in airline passenger data transfers," and that TSA has not accurately represented the scope of its passenger data collection and use. (March 25, 2005)
  • Report Issued on Secure Flight Commercial Data Test. The Government Accountability Office has released a report (pdf) on measures for testing the use of commercial data within Secure Flight, the passenger prescreening program currently being developed by the Transportation Security Administration. The report concluded that the agency has developed preliminary measures for concept testing, but further review is needed to determine whether the measures will be effective for actual use in Secure Flight. (Feb. 25, 2005)
  • EPIC Questions Secrecy of TSA Privacy Advisory Group. In a letter (pdf) to the Transportation Security Administration's privacy officer, EPIC has asked why the Secure Flight Privacy/IT Working Group is not being operated in accordance with federal law intended to ensure transparency of government advisory committees. "EPIC has urged TSA, since the earliest days of its existence, to develop aviation security policies and initiatives in an open and public manner," EPIC stated. "Given the clear privacy implications of the Secure Flight program . . . and the obvious public concern surrounding a system that will conduct background checks on tens of millions of citizens, we be live it is critical that any assessments of Secure Flight be made in an open manner." (Jan. 31, 2005)
  • EPIC Sues FBI Again For Terrorist Database Information. For the second time in three months, EPIC has asked a federal court for an emergency court order (pdf) forcing the FBI to turn over information about the Terrorist Screening Database and how it will be used in Secure Flight. In October, EPIC sued the agency when it refused to recognize that EPIC was entitled to a quick release of the documents. The FBI backed down and the case was dismissed, but the agency has not given EPIC the information. (Dec. 21, 2004)
  • Airlines Ordered to Hand Over Passenger Info. The Transportation Security Administration has ordered 72 airlines to turn over a month's worth of passenger data to test the Secure Flight passenger prescreening program. The airlines have been told they must give the agency all passenger records from June 2004 domestic flights by November 23. (Nov. 11, 2004)
  • EPIC Urges Postponement of Secure Flight. EPIC has called upon (pdf) the Transportation Security Administration to suspend the test phase of Secure Flight until the program's significant privacy issues are resolved and the government is willing to be more forthcoming about the program's details. EPIC also urged (pdf) the Office of Management and Budget not to permit TSA to collect a month's worth of passenger information for Secure Flight testing purposes until the program's privacy and transparency issues are addressed. (Oct. 28, 2004)
  • FBI Folds in EPIC Lawsuit for Secure Flight Info. Just a day after EPIC applied for an emergency court order (pdf) asking federal court to order the FBI to immediately release documents about the Terrorist Screening Database and its role in Secure Flight, the agency has backed down. Conceding that EPIC met its burden of demonstrating "compelling need" for the documents, the FBI must release the information as soon as practicable. (Oct. 14, 2004)
  • EPIC Sues For Release of Secure Flight Info. EPIC has applied for an emergency court order (pdf) requiring the FBI to release information about the Terrorist Screening Database and its role in Secure Flight, the government's proposed passenger prescreening system. Secure Flight will compare passenger records against information in the database, which will include expanded "selectee" and "no fly" lists. EPIC argued that information about the database must be made available prior to the October 25 deadline for public comments on the Transportation Security Administration's plans for testing Secure Flight. (Oct. 13, 2004)
  • Details Emerge on New Passenger Prescreening Program. The Transportation Security Administration has released a Privacy Act notice (pdf) and privacy impact assessment (pdf) for the test phase of Secure Flight, the passenger prescreening initiative under development to replace CAPPS II. The notice shows that Secure Flight, like CAPPS II, will be a secretive program that may collect personal information irrelevant and unnecessary for aviation security. Furthermore, passengers will be deprived of judicially enforceable rights to access and correct personal information. The Transportation Security Administration has also issued a proposed order (pdf) that will require airlines to turn over passenger records from June 2004 to test Secure Flight. (Sept. 22, 2004)
  • TSA to Test New Passenger Prescreening Program. The Transportation Security Administration has announced it will begin testing Secure Flight, a new passenger prescreening system, in November. The program, which is intended to replace the now-defunct CAPPS II, will compare passenger records to expanded "selectee" and "no fly" lists already in use. Passengers whose records match names on the lists will be subject to commercial background checks to verify their identities. The agency stated that it plans to have a redress process for individuals improperly flagged by Secure Flight, but it is unclear how this process will work. (Aug. 26, 2004)

Related EPIC Policy Pages