October 11, 2007 - The Transportation Security Administration through Oct. 22 is collecting public feedback on proposed changes to its nascent Secure Flight air passenger security program. Under the proposed rules, TSA would collect data from airlines on passengers booked on all flights operated within, to, from and over the United States; check that data against terrorist watch lists; and then inform airlines of which passengers should and should not be issued boarding passes. The overall tone of more than 100 comments already filed--as well as the remarks from industry participants during a public TSA meeting last month--was decidedly negative.
Some suggested the program violates constitutional rights to privacy and expressed opposition to what they perceived as a requirement to ask the federal government for the permission to travel. Others questioned if airlines and travel agents would have sufficient time to adjust their business processes.
The Association of Corporate Travel Executives said TSA had taken "a step in the right direction" by saying it would no longer rely on commercial databases to perform security checks, reducing the number of names on the federal "no-fly" list and shifting the responsibility for checking passenger data from airlines to itself. Yet, ACTE still noted "serious concerns" related to how the federal government would collect, use, store and correct passenger data.
TSA in August filed a notice of proposed rulemaking in the
Federal Register on Secure Flight in which it described how airlines would request certain information from passengers at the time of booking and transmit that information to TSA "approximately 72 hours prior to the scheduled flight departure time." Specifically, airlines would request a passenger's full name, gender, date of birth, passport information (if available) and "certain non-personally identifiable information such as itinerary information, record locator numbers, etc."--though only a full name would be required to actually make a reservation.
"This proposed rule would not compel the passenger ... to provide the majority of the information," according to TSA's NPRM. "However, if that individual elected not to provide the requested information, TSA may have insufficient information to distinguish him or her from a person on the watch list. Accordingly, the individual may be more likely to experience delays, be subject to additional screening, be denied transport, or be denied authorization to enter a sterile area. ... For the vast majority of individuals, a decision to forgo providing these data elements should have no effect on their watch list matching results and will result in less information being held by TSA."
TSA said the 72-hour requirement would provide enough time to "prioritize the domestic and international watch-list matching workload," resolve as many "false positives" as possible before those individuals arrive at the airport and allow airlines "to begin issuing boarding passes to passengers 24 hours prior to departure." For reservations and ticket changes within 72 hours, TSA would require airlines to transmit information "immediately."
TSA said passenger data "in general" would be compared to the federal government's consolidated terrorist watch list, but in certain circumstances, it would also use "other government databases, such as intelligence or law enforcement databases." The agency proposed to retain passenger data records "for a short period of time," with "the vast majority ... destroyed within seven days of completion of directional travel."
In the same volume of the
Federal Register, U.S. Customs and Border Protection published a final rule on the
Advance Passenger Information System for international flights arriving in or departing from the United States. It requires airlines to transmit passenger data to CBP "no later than the time the flight crew secure the aircraft doors for takeoff." The new rule takes effect in February.
"We propose that, when the Secure Flight rule becomes final, aircraft operators would submit passenger information to the U.S. Department of Transportation through a single DHS portal for both the Secure Flight and APIS programs," according to TSA's NPRM. "This would allow DHS to integrate the watch list matching component of APIS into Secure Flight, resulting in one DHS system responsible for watch list matching for all aviation passengers."
The revised Secure Flight program would take effect 60 days after the new rules are finalized and published in the
Federal Register.
Industry feedback
In its filing, ACTE specifically questioned whether the program would rely in any way on the federal
Automated Targeting System, a screening program that was disclosed late last year, blasted by critics and, according to ACTE, "never fully explained nor dismantled."
During TSA's public meeting last month, TSA administrator Kip Hawley said Secure Flight "does not use commercial data. It does not assign a score based on risk."
ACTE also stated that it would not support any security program without an effective redress process allowing passengers to correct inaccurate data. "Despite the creation of the DHS [Traveler Redress Inquiry Program], our position has not changed," according to the association. "There is little information on the success of the TRIP program with regard to the number of situations that were resolved, or the number of passengers who have had unrestricted travel privileges restored."
Other industry representatives suggested that 60 days would not be enough time for airlines and travel agencies to adapt their processes to the new rules. It is "still unclear to us how the data the travel agents will end up collecting--because they are the front-line sales force for most of the people who end up on airplanes--is going to be passed from the global distribution systems ... to the airlines to the government," said American Society of Travel Agents senior vice president of legal and industry affairs Paul Ruden. "My impression is that there's a gap here that is not being addressed and it is fundamental to the way business is operated.
"The travel management companies that specialize in this business ... have invested huge sums in creating systems to keep that information on file so that it could be entered automatically in passenger name records and make the booking process as efficient as possible," Ruden continued. "Those profiles are going to have to be changed. Maybe there will be new programming requirements to accommodate this new information because we don't generally collect people's date of birth today. And the issue of coordination between the GDS systems and travel agency back office systems where this information resides is also a huge cost question. So, this cannot be accomplished in 60 days."
Regional Airline Association vice president of technical services Dave Lotterer suggested similar challenges for smaller airlines. "The computerized system needed to support this activity certainly isn't in place" for many RAA members, he told TSA.
Lotterer also questioned the logistics of communication between TSA and airlines for reservations and ticket changes made within 72 hours of departure. "You're in effect putting the government into the business process of having passengers denied boarding at the last minute," he said. "And I guess the airlines--I would think all of the airlines--would be very nervous about a government entity so intimately involved in their business process of getting customers on board their [airplanes]."
First Amendment rights activist Edward Hasbrouck, working for The Identity Project, during the TSA meeting said that the "core of the proposed rule" is a requirement for "would-be air travelers to obtain permission from the government before they can travel." That, he said, infringes on freedoms of assembly of movement. Hasbrouck also suggested that data collected by airlines--at TSA's request--could be kept, used, sold or shared by the airlines, regardless of the data retention restrictions imposed on the government.
In his filing, Douglas Lavin, International Air Transport Association regional vice president in North America, requested an extension for the public comment period, to Jan. 21, 2008. He cited "the complexity and scope" of the NPRM, which he described as "a comprehensive change to passenger data collection, processing and transmission activities of both domestic and foreign air carriers."
At press time, the deadline for public comment was unchanged at Oct. 22. Interested parties can submit comments electronically via
dms.dot.gov or
www.regulations.gov; in person or by U.S. mail to U.S. Department of Transportation, Docket Operations, M-30, West Building Ground Floor, Room W 12- 140, 1200 New Jersey Ave. SE, Washington, DC 20590; or via fax to (202) 493-2251. The associated docket number is TSA-2007-28572.
Related resource:
Transportation Security Administration Secure Flight Notice of Proposed Rulemaking
