System For Screening Passengers For Terrorism Risk Not Ready For Liftoff, Report Says

The Government Accountability Office said in a report Monday that, while the Transportation Security Administration is making progress in its program to identify passengers who should face additional preflight screening, the program called Secure Flight needs a lot more work before it can become operational.

TSA is working on improving Secure Flight's ability to identify passengers for additional security scrutiny, in place of the prescreening conducted by air carriers themselves. GAO recommends that the Homeland Security Department direct TSA to finalize Secure Flight requirements, test plans, privacy safeguards, and cost estimates.

GAO points out that, based on the lack of progress TSA has made in addressing concerns about Secure Flight, it's impossible to tell whether the program will be effective. TSA, for example, hasn't determined how passenger data will be transmitted from air carriers to TSA in support of Secure Flight. It's also questionable just how accurate Secure Flight will be at matching passenger data to information contained in a terrorist-screening database.

In October, Congress directed GAO to assess and report on 10 aspects of Secure Flight development. Other than establishing boards and working groups within TSA to manage and oversee Secure Flight, TSA hasn't fully met any of Congress's criteria. The agency hasn't yet finalized oversight policies governing the use and operation of Secure Flight or completed performance metrics to measure program results.

TSA officials have been in contact with key air carriers and other groups that will be affected by Secure Flight, but these stakeholders are concerned that the system modifications and costs requirements for Secure Flight are so uncertain at this point. TSA will need to resolve any conflicts over data requirements and associated impacts on air carriers before it can begin its planned initial operations with two air carriers in August, the GAO report says.

One area of the GAO report sure to be a lightning rod is the lack of clarity over the program's privacy impact. U.S. Rep. Loretta Sanchez, D-Calif., the ranking member of the House Homeland Security Subcommittee on Infrastructure and Border Security, noted during a press conference Friday that, if Secure Flight doesn't work properly, it will become a burden to air travel security. Speaking at a press conference hosted by the American Civil Liberties Union, Sanchez said that a flawed system that goes after the same innocent passengers over and over takes away resources that protect passengers from legitimate threats.

Early attempts to protect air travel from terrorist attacks have yielded mixed results. Passenger prescreening has since the late 1990s been conducted using the Computer-Assisted Passenger Prescreening System. Under CAPPS I, data related to a passenger's reservation and travel itinerary are compared against characteristics used to select passengers who require additional security scrutiny. In July, the 9/11 Commission reported that the current passenger prescreening system needed improvements and that the watch lists used by the air carriers didn't include all known terrorists or terrorism suspects because of concerns about sharing intelligence information with private companies and foreign countries. The commission recommended that passenger screening be performed by the federal government and make use of the larger consolidated watch-list database maintained by the government.

A series of concerns about accuracy and data privacy grounded CAPPS II in August, prompting TSA to introduce Secure Flight. This new program is expected to take over passenger prescreening responsibility from the airlines and make use of a large, consolidated watch-list database not currently available to air carriers.

Yet some still question the very premise of a "no-fly list" and passenger prescreening system. "Think about the no-fly list and who's on it," said Bruce Schneier, founder and chief technology officer of managed security services provider Counterpane Internet Security Inc., at Friday's ACLU press conference. "It's a list of people so dangerous that we can't let them fly on an airplane, but 'not guilty' enough that we can't arrest them under the Patriot Act. Building a passive system seems a lot less effective than going out and arresting the bad guys." Schneier acknowledged, however, that Secure Flight will improve security if it meets Congress's criteria.