After more than a decade, two aborted programs, and a false start, the U.S. Transportation Security Administration (TSA) has begun the transition to its Secure Flight internal passenger prescreening program. The change is expected to reduce the nagging inconvenience of false positives, in which innocent travelers are flagged because their names are the same as or similar to one on the national terrorist watch list. Experts, however, say that the critical security risk of false negatives will remain due to the ease with which terrorists could fraudulently obtain legitimately issued government identification.
Passenger prescreening began in the late 1990s with the Computer Assisted Passenger Prescreening System (CAPPS), which assigned passengers a risk score based largely on the extent of their personal business data history—drawing on items such as credit data and frequent flyer program enrollment.
Aviation security consultant Douglas R. Laird Sr., who helped develop CAPPS while head of security at Northwest Airlines, is frank about the program’s greatest shortcoming: an 80-year-old grandmother flying for the first time might receive a high risk score. Laird, however, also points out that nine of the 19 9-11 hijackers were selected by CAPPS for secondary screening, which amounted to inspection of their checked bags for explosives.
Soon after 9-11, the new TSA rolled out CAPPS II, which set the framework for passenger prescreening through this year. Under that program, the TSA provided airlines two subsets of the national terrorist watch list daily, one a “no-fly” list, the other “selectees” who are subject to secondary screening before being permitted to board.
CAPPS II’s greatest shortcoming was its reliance on names as identifiers. That led to the much-publicized problem of false positives, whereby travelers were subject to secondary screening or denied the right to board flights because they had the same name as a person on the terrorist watch list.
A related problem is similar-name matching. A passenger might purchase his ticket under the name Robert Smith at a time when that day’s TSA lists included the name R. A. Smith. Decisions about similar-name matching fell to the judgment of individual airlines, sometimes in consultation with federal authorities. The delays created by that process at check-in quickly became a critical concern to the airlines.
On the recommendation of the 9/11 Commission, the Intelligence Reform and Terrorism Prevention Act of 2004 mandated that TSA assume responsibility for vetting air travelers against watch lists internally. Secure Flight, unveiled that same year, called for airlines to provide passenger names to the TSA, which would vet the names internally and send the results back to airlines. The program, however, stalled for five years as TSA worked to satisfy conditions set forth by Congress.
TSA originally proposed that airlines submit only passengers’ names, and do so no later than 24 hours prior to departure. Under the agency’s final rule for the program, however, airlines must provide each passenger’s name, date of birth, gender, and if available, the ticketholder’s itinerary and tracking data concerning travel records. Information must be provided 72 hours prior to departure, or as soon as possible for travelers who buy tickets after that point.
Collection of data beyond the traveler’s name serves to reduce the incidence of false positives and reduce confusion due to similar-name matching. According to Cathleen Berrick of the U.S. Government Accountability Office (GAO), the decision software will consider similar name matches and incorporate its determination into a passenger’s risk score.
The score thresholds for selectee and no-fly determination fall to the discretion of TSA, which must balance security against the strain secondary screening places on airlines trying to get passengers into their seats, GAO reports. (See related article in the September “Intelligence” department, titled “Streamlining Air Passenger Security Screening.”)
TSA began Secure Flight’s rollout in March with a requirement that passengers purchase tickets for domestic flights under the name that appears on the government-issued ID they will use to check in. In August, TSA began requiring date of birth and gender. At the end of this month, U.S. carriers must provide the same information for international flights. By the end of 2010, prescreening for U.S.-bound international flights, which is administered by U.S. Customs and Border Protection using passports as identity documents, will be folded into Secure Flight, according to TSA.
While these measures may reduce false positives, the threat of false negatives remains, experts say. A would-be terrorist could obtain legitimate government-issued identification through fraudulent means or could use another individual’s ID and boarding pass.
With 2005’s REAL ID Act, lawmakers sought to mitigate that risk by setting minimum standards for state-issued drivers’ licenses that could be used to board commercial airline flights. REAL ID’s unfunded mandate, however, led to a revolt in which 19 states passed laws either dissenting from the measure or rejecting its implementation altogether. After the REAL ID deadline of December 31, 2009, residents of “revolt” states won’t be able to use their driver’s license as an ID for the purposes of commercial air travel; they will need a qualifying ID, such as a passport or passport card.
A pending bill, the PASS ID Act, would extend compliance deadlines; it also originally included language that would prohibit airlines from denying boarding to passengers who did not hold compliant drivers’ licenses. An amended version of the bill leaves the matter at the discretion of the secretary of the Department of Homeland Security, TSA’s parent agency. But it’s unclear whether the bill will pass.
Former Bush Administration Assistant Secretary of Homeland Security for Policy Stewart Baker told Security Management that getting a legitimate, government-issued ID through fraudulent means is still “the most obvious way to defeat our security system.”
Laird, has a slightly different view. He says that REAL ID or no REAL ID, aviation security comes down to reinforced cockpit doors and robust screening of passengers and their bags. “I just don’t trust names,” he says. “I think the most important thing is denying the person getting on the plane an opportunity to commit sabotage.”