7 May 2003
Source:
http://usinfo.state.gov/cgi-bin/washfile/display.pl?p=/products/washfile/latest&f=03050604.clt&t=/products/washfile/newsitem.shtml
US Department of State
International Information Programs
Washington File
_________________________________
06 May 2003
(Agency committed to "most stringent" privacy controls, TSA's McHale says) (3120) The Bush administration is confident that an upgraded system designed to confirm the identity of airline passengers will enhance aviation security while providing "solid guarantees" of privacy protection, a U.S. Homeland Security Department official says. Steve McHale, deputy administrator of the Transportation Security Administration (TSA) in that department, told a European Parliament committee in Brussels that TSA is committed to building the "most stringent state-of-the-art privacy controls" into the new version of Computer Assisted Passenger Prescreening System, knows as CAPPS II, which aims to prevent terrorists from boarding commercial airplanes. He said May 6 that the system will "minimize the amount of information on travelers coming into the system, collecting only the information needed to authenticate the passenger's identity and conduct a risk assessment." Lockheed Martin Management and Data Systems is assisting TSA in developing CAPPS II, which will confirm a passenger's identity and identify any potential terrorism-related threat to aviation in less than five seconds, according to a March 11 TSA news release. TSA emphasized that CAPPS II will use commercial databases that are routinely employed by private enterprises in hiring or market research. McHale said that CAPPS II will be equipped with a system of "firewalls" to ensure the security of passenger data. "Commercial data companies assisting with the authentication process will not acquire traveler personal information and TSA will not have access to data about passengers from commercial databases," he said. McHale said that the system will not profile passengers, conduct surveillance, or employ sophisticated automated data analysis techniques such as data mining. Nor will it use ethnic, religious or racial data in selecting passengers for additional security checks, he added. McHale said that TSA will operate CAPPS II under a "strict privacy protection protocol" worked out through discussions with privacy advocacy groups and the general public, and establish a "comprehensive" complaint process to enhance passenger rights. McHale was responding to concerns raised by EU officials and European privacy groups about the adequacy of passenger data protection in the airline security regime introduced in the United States after the September 11, 2001, terrorist attacks in New York and Washington. During the same hearing another U.S. official assured the commission that the data the U.S. authorities receive through passenger name record (PNR) will be processed fairly and lawfully for a "specified and legitimate purpose." Passenger name record is the generic name for the files created by airlines for each journey any passenger books. These files are stored in the airlines' reservation and departure control databases. The aviation security law enacted by Congress in November 2001 requires all airlines operating in the United States to provide U.S. border authorities with electronic access to PNR. In February the United States and the European Commission reached an interim agreement that would allow European airlines to comply with this requirement without compromising EU privacy laws. The two sides also agreed to continue to work toward a bilateral agreement to reconcile, if necessary, U.S. requirements with the EU data protection law. Some European parliamentarians argued that the interim agreement does not conform to this law and was reached under the threat of U.S. penalties. Subsequently, they called on the European Commission to suspend the agreement until it can be realigned with the European data privacy requirements. Following are the texts of U.S. officials' prepared statements: (begin text) Steve McHale, Deputy Administrator, Transportation Security Administration, U.S. Department of Homeland Security, at the European Parliament, May 6, 2003: Good morning, Chairman Hernandez-Mollar, ladies and gentleman, distinguished members of Parliament. Thank you for this opportunity to appear before you today to discuss a matter of extreme importance to the citizens of our countries -- how the United States government will use limited passenger information to safeguard our citizens against the threat of global terrorism, while protecting the privacy rights that Americans and Europeans alike have so long cherished. Before I begin my discussion, I want to commend Sue Binns and the members of her staff on the Commission who have been working ceaselessly with us to ensure that international privacy concerns are fully addressed. She has brought a great deal of knowledge, skill and good common sense to these discussions. My colleague, Doug Browning, described to you the role of the Bureau of Customs and Border Protection in using passenger information to safeguard international travel and commerce, as part of an integrated effort by the Department of Homeland Security to protect the United States from the threat of international terrorism. I will discuss how the Transportation Security Administration (TSA) will use information technology to strengthen domestic and international aviation security, while at the same time protecting the privacy rights of all people who travel to the United States. This meeting provides an important forum in our continuing trans-Atlantic dialog to develop a common understanding of how security and privacy are complementary, not conflicting, goals. Airlines in the United States currently operate the Computer Assisted Passenger Prescreening system, commonly referred to as CAPPS, which is used to identify passengers for enhanced screening before boarding a commercial aircraft. In the wake of the tragic events of September 11, 2001, Congress determined that the existing CAPPS system was not an effective counter-terrorist measure in light of the new international terrorist threat environment. In the legislation that created TSA, the Aviation Transportation and Security Act of 2001, Congress directed TSA to ensure that CAPPS, or any successor system, would be used to evaluate all passengers before they board an aircraft, and to include procedures to ensure that individuals selected by the system and their baggage are adequately screened. In response to this Congressional mandate, the Transportation Security Administration began developing the enhanced Computer Assisted Passenger Prescreening system, or CAPPS II, a fully automated screening tool that will be operated by TSA. CAPPS II will enable TSA to conduct far more effective authentication of traveler identity and improve security through a more robust risk assessment process, capable of screening all passengers to assess the terrorist threat to civil aviation. By focusing screening and security resources more efficiently, the CAPPS II system will enable TSA to safeguard travelers, protect critical aviation assets and infrastructure, and also significantly enhance the convenience of all airline passengers traveling to, from and within the United States. CAPPS II is a passenger-screening tool only. It is not designed to look for other criminals, smugglers, or anyone else -- just terrorists and their associates. CAPPS II will operate under a strict privacy protection protocol being developed through discussions with privacy advocacy groups and the public. Strict firewalls and access rules will protect a traveler's information from inappropriate use, sharing, or disclosure. CAPPS II will use passenger information and the best U.S. intelligence information on terrorists and their activities to assess the terrorist risk of all passengers using commercial aircraft to enter, leave, transit or travel within US territory. It will do so quickly and effectively, and will enable TSA to focus its screening and security resources where the need is greatest, thus expediting travel by minimizing unnecessary screening of passengers. CAPPS II will minimize the amount of information on travelers coming into the system, collecting only that information needed to authenticate the passenger's identity and conduct a risk assessment. The CAPPS II authentication function will be conducted using commercially available data. Commercial data companies assisting with the authentication process will not acquire traveler personal information and TSA will not have access to data about the passenger from commercial databases. CAPPS II will implement a system of "firewalls" and other technologies to ensure the security of the data. Virtual Private Network (VPN) technology, and encryption, will be used to protect all data transmissions. Computers on secure independent servers will conduct passenger authentication. A passenger will provide the information used in the CAPPS II system at the time of reservation or ticketing. Passengers will be given notice of the information we are collecting, and the reasons for the collection. The system will not use ethnic, religious or racial data. The system does not profile, conduct surveillance, or "data mine." CAPPS II will not use "sensitive data" as defined by Article 8 of the EU Data Privacy Directive. CAPPS II will expedite the boarding of passengers who pose no risk of terrorism. The system will conduct the analysis, assess risk and identify terrorists in less than 5 seconds. Once the analysis is completed, a risk assessment score would be provided in the system. This score will determine the level of screening the passenger receives when passing through security. Screeners will not have access to personal data, nor will they be given information as to the basis for a passenger's computer-generated risk assessment score. CAPPS II is designed to reduce the number of people who receive the enhanced screening. We fully expect that when CAPPS II is implemented, the vast majority of passengers will proceed directly to the airline boarding gate through the normal security process. A smaller portion of passengers will be asked to submit to additional screening prior to boarding. A very small fraction of passengers may be identified as known terrorists or the associates of known terrorists -- in such cases, the appropriate law enforcement authorities in the EU or the U.S. would be notified. The most significant contribution of CAPPS II will be its ability to authenticate identity. We expect that there will be a very substantial reduction in the number of people misidentified as potential threats. CAPPS II will also include a comprehensive redress process for passengers. TSA will appoint a Passenger Advocate to work with our current Ombudsman program, to handle any inquiries or complaints raised by passengers with regard to the CAPPS II system. Where a passenger -- of any nationality -- believes that he or she is being improperly singled out for heightened scrutiny, this will be the place for this passenger to turn to have his or her concerns addressed. Where errors are identified, appropriate corrective action will be taken. This is more than a matter of fairness -- because CAPPS II is a resource allocation tool, it is in TSA's interest to know where we are making mistakes. The Passenger Advocate will thus not only promote fairness, privacy and passenger confidence, but system effectiveness and efficiency. As Ms. Kelly will explain in a moment, she, as the Chief Privacy Officer of the Department of Homeland Security, will oversee TSA's actions and provide a further avenue of redress. TSA will implement an automated verification system to monitor compliance by CAPPS II with all policies governing system operation. A privacy management program will include methodologies for allowing testing of the effectiveness of privacy rules. TSA will provide an annual performance report that will be made available to the public -- the report will detail CAPPS II privacy policies, and the performance of the system with regard to adherence to those policies. System audit capabilities, annual reports to Congress and the public, and appropriate independent oversight will be hallmarks of the CAPPS II system. We are confident that the CAPPS II system will enable TSA to enhance aviation security, protect critical aviation assets and infrastructure, and most importantly protect the safety of all passengers while providing solid guarantees of privacy protection. CAPPS II, however, has a purpose beyond the simple screening of passengers. It is intended to restore the public's confidence in the aviation system. If passengers do not feel that they can fly safely, or that the personal information they provide to the airlines is not adequately protected, they will be less inclined to fly, and we will have failed and the terrorists will have secured a victory based on fear. TSA is committed to building the most stringent state-of-the art privacy controls into the CAPPS II system. The Secretary of the Department Homeland Security Tom Ridge has stated that we will not implement the CAPPS II program until the Department has its own privacy officer on board. We are pleased that our newly appointed chief privacy officer, Nuala O'Connor Kelly, was able to join us here today. Thank you again for this opportunity to explain the CAPPS II program. I would be pleased to answer any questions you may have. (end text) (begin text) Douglas M. Browning, Deputy Commissioner of Customs and Border Protection, U.S. Department of Homeland Security, before the European Parliament's Civil Liberties Committee, May 6 Good morning, ladies and gentlemen. It is a pleasure for me to have this opportunity to speak to you about a critically important issue for the U.S. Customs and Border Protection: the receipt of Passenger Name Record information. This is not the first time that my team and I have come to Brussels to discuss the issue of access to PNR data. As many of you know, I led a delegation here to negotiate with the European Commission a few months ago. After some very difficult but constructive discussions, I think we were successful in crafting a valuable interim agreement so that we, in the United States, could begin to quickly address a critical element in our strategy to prevent the commission of terrorist acts. The meeting was also instructive in identifying for us what are some of the more sensitive issues for the Community requiring our attention, and we agreed as a result of that meeting to commit time and resources to resolving these issues. It has been a time intensive process, but again, this is a critical issue for the Border and Transportation Security Directorate, CBP [Customs and Border Protection Bureau] and TSA, and for this reason, something we felt warranted a high level of attention and a commitment to finding a way forward. First, let me emphasize that this is a significant security issue for us. But when I say "us", I am not solely referring to the United States. Knowing more about the traveling public, developing an understanding of who potentially poses a terrorist risk, is something that is valuable to all governments. Using the principles of risk assessment coupled with better information, allows us to accomplish this objective. It would never be our preferred approach to stop and examine everyone entering our country through its international airports, just as we would never want to bring trade to a crawl with 100 percent cargo inspections at arrival. Such actions would be difficult to accomplish, given our reliance on fast, efficient trade and travel. But making decisions about whom we need to speak to in greater depth -- and whom we can permit to enter without delay -- requires that we have information. The better the information we get, the more informed and targeted our decisions can be -- and the safer the international traveling public as a whole will be. From a CBP perspective, this is about security and continued facilitation of legitimate travelers. Receiving this information prior to the airplane' departure is the ideal. By the time an international flight lands, we have conducted our risk assessments -- and we know what actions we will take if there are any persons of concern. Our actions can therefore be carefully targeted, affecting only those who might represent a higher degree of risk. I would note that the receipt of advance information in the passenger realm is not a new idea. It's something we have done for some time. It's something the industry has collaborated with us on for a number of years. And it's something that has been instrumental in improving and preserving the efficiency of air travel -- particularly given the significant increases in the number of air passengers over the years. The fact that we are now mandated by law to collect PNR information should not diminish its proven value in both the facilitation and security arenas. Of course, dealing in the realm of personal data introduces some very specific concerns, particularly as the level of detail increases. We have a clear appreciation for those that have been expressed over the course of our discussions with the Commission during the past several months. Frankly, such concerns are not unfamiliar to us. In fact, we share many of them. I think they would be reasonably found in any democratic society. Our agency is governed by laws and procedures designed to ensure the protection of data collected about any individual. And to ensure that the data we do collect is not overly burdensome and is proportionate to the need for that data. Our collection, treatment and use of PNR data would be subject to this same strict regime. This is not about building a database; it is an issue of being able to analyze data against a set of established rules to determine levels of risk. It is about calibrating our response at the time of arrival to the risks a given individual presents. It is about facilitating the vast majority of air passengers who pose no threat -- while at the same time providing the level of security necessary to protect the citizens of our respective countries. My objective this morning is to talk with you about how critical the collection and use of PNR data is to our security efforts, and to discuss further the protections that exist and those we are willing to undertake. I am confident that our existing system of data privacy protection will ensure that the data we receive through PNR information will be: (1) processed fairly and lawfully; (2) is being collected for a specified and legitimate purpose; (3) and any further processing will be compatible with that purpose; (4) that the information is relevant and not overly burdensome; (5) that there are mechanisms to ensure its accuracy and integrity; and (6) it will only be retained for as long as is necessary. Working with the Commission, we are prepared to address any real or perceived gaps that may exist within our system. As government authorities responsible for the integrity of our ports of entry and the space between them, there are a number of things we have had to do differently to adapt to the threats present in today's environment. But these changes do not relieve us of the obligation to be sensitive to the privacy interest of those we are seeking to protect. In the case of Customs and Border Protection, we have been working to ensure that we continue to process the entry of people and cargo quickly and efficiently. The goal for all of us is facilitation with security. PNR data is one of the tools that will help us to accomplish this goal. (end text) (Distributed by the Office of International Information Programs, U.S. Department of State. Web site: http://usinfo.state.gov)