TSA releases its final 'Secure Flight' watchlist program rules
The Transportation Security Administration (TSA) will take over responsibility for the controversial "Secure Flight" passenger screening program in early 2009, according to documentation released by the Department of Homeland Security yesterday. DHS also revealed just how large its watchlist is.
Those responsibilities were previously managed by individual airlines.
The change most visible to average flyers will turn up during the reservation process, where the list of booking information required will expand to include full name, date of birth, sex, and gender (those last two as per Wednesday's press conference from Sec. Michael Chertoff, see paragraph 7).
Under the new system, passenger data -- names, the identifying information, and flight numbers -- will be sent from the airlines to TSA, which confirms that each flyer is good to go. The agency says that data will be encrypted and data for anyone "not close to a match," as TSA head Kip Hawley puts it, will be disposed of after seven days.
The change in what information is required will allegedly cut down on false positives at the airport: although many people might share a name, it's rarer for them to share both a name and a birthdate.
Civil-liberties groups such as the Electronic Privacy Information Center (EPIC) have been critical of Secure Flight since its predecessor, CAPPS II, was abandoned after public uproar. Over the years, the effort to develop a watchlist-based passenger-screening system -- whatever its name -- has run into a succession of controversies, ranging from outrage over Delta's participation in an early trial (using passenger data without passenger permission) to repeated incidents in which would-be travelers found themselves barred from travel, often with no idea how they got on the list and no way of correcting the information. (TSA claims it provides and will continue to provide a "robust redress process" for such situations.)
On the Papers, Please! blog, representatives of The Identity Project noted that while they're still combing through the 195-page document, the essential plan appears to remain unchanged from the Secure Flight plan against which the group testified last October.
The Identity Project in 2007 pointed out a host of potential problems ranging from the fundamental (the system operates in contravention of the long-held American right to assemble -- that includes travel -- without seeking government permissions) to the pernicious (there are few privacy controls in place to prevent third parties from using and abusing passenger data). In addition, the group points out that in the new final plan "there are major discrepancies between the (nonbinding) description at the start of the regulatory notice issued...and the actual regulations that follow it (the last 20 pages of the notice)."
Secure Flight was originally expected to launch in 2005. At one point in the program's history it was delayed until at least 2010 after scathing reports from government auditors, including one 2006 GAO filing that found the program's development and security culture to be disastrously undisciplined. A follow-up report in early 2008 found progress, but indicated that problems still remained.
The press conference mentioned above did have one interesting piece of new data: For the first time ever, Sec. Chertoff provided some concrete numbers about the size of the TSA's list of names.
Chertoff stated that as of right now there are 16,000 individuals on the "selectee" list, which means they get extra scrutiny at check-in, and 2,500 on the absolutely-no-fly list. (Estimates in the press had ranged as high as one million "selectees.") Name variations and aliases are not included in that count, and neither are people who for whatever reason trigger special attention at a specific airport on a specific day.
The Secure Flight rules will become effective 60 days after publication in the Federal Register, which is expected very soon.