WASHINGTON, March 17 (UPI) -- Acting chief of the Transportation Security Administration, David M. Stone told lawmakers that he would shortly appoint a special privacy officer and an external privacy oversight board to calm public fears about the "Big Brother" character of the agency's computerized passenger threat profiling system.
But along with the soothing stroke came the stinging slap of firm government. Stone also said that the TSA would use the draconian powers given it by Congress to force airlines to co-operate with a CAPPS II testing program despite the carriers' unease about public perceptions and the long- and short-term financial effects on an industry that has never really recovered from the terror attacks of Sept. 11, 2001.
CAPPS II -- Computer Assisted Passenger Pre-screening System, second generation -- will use public, commercial databases to verify travelers' identities and combine that data with intelligence information to allocate passengers a threat rating analogous to a credit score. Those with low scores will be allowed to board after the normal screening process. Those with high scores will be selected for extra screening. And a small percentage that intelligence indicates may be terrorism suspects will be referred to law enforcement. CAPPS II is designed to replace the current system for identifying possible threats, which uses an algorithm based on information about where, how and when the tickets were bought.
But ever since it was first mooted, the program has been lambasted by privacy and civil liberties advocates from both the right and the left. Critics claim that it violates passengers' privacy and due process; that it is easy to get around such a system by simple identity theft; and that it is subject to "mission creep," already officials say they will check passengers against not only terrorist watch lists, but against lists of felons wanted by state and federal authorities for violent crimes.
With such a plethora of perceived flaws it is easy to see how CAPPS II has become something of a congressional whipping boy.
Last year, lawmakers wrote language into several bills barring any funding for the program until a series of eight privacy, civil liberty and effectiveness goals were met. A report last month by congressional auditors found the program had met only one of the targets and that in a highly attenuated fashion.
The auditors found that TSA had met the oversight requirement despite the fact that the oversight body -- the Investment Review Board, which looks at purchase decisions and monitors program implementation -- is also responsible for up to 100 other major Department of Homeland Security projects. "DHS officials acknowledged that the board is having difficulty reviewing all of the critical departmental programs in a timely manner," said the auditors.
"There was quite a lot of debate about the precise meaning of that term 'oversight,'" said David Powner, one of the officials from the Government Accounting Office who carried out the audit. "Did it mean you should have dedicated oversight? The congressional language just says 'oversight' and that's what we have to go with."
Many lawmakers are unhappy about the way purchasing and other management decisions have been made. Ranking member and long time CAPPS II critic Peter DeFazio, D-Ore., said public money was being squandered on a system that could never be made to work in a way that was acceptable to the American public. He compared CAPPS II to the Comanche helicopter program, which he said had been cancelled only after billions of dollars had been wasted. "I know that Lockheed Martin (which has been engaged to build and operate CAPPS II) is a defense contractor and this is the way they like to operate," he said.
But at a hearing Wednesday, although there were many familiar complaints from familiar quarters, there was also a previously unprecedented level of frustration among even CAPPS II supporters.
For the first time, Rep. John Mica, R-Fla., one of the system's strongest backers on Capitol Hill, wondered aloud whether it might be time to write the whole idea off and start again. He asked whether CAPPS II was worth pursuing. DeFazio was blunter. "This is a stupid system," he said, "is it better than nothing at all?"
Norm Rabkin, with the General Accounting Office, told Mica the current system is not working. "Something better is needed," he said, but added that "whether CAPPS II itself is the answer" remained to be seen.
One of the many things delaying the system's implementation is the fact that the TSA has not been able to test a prototype of the system. The agency has been unable to obtain the passenger data it needs for tests from the airlines, which have fought the project since public outrage erupted over the Jet Blue case, when TSA officials intervened to persuade the budget airline to pass passenger data to a defense contractor, which used it to study data-mining techniques. A report last month by the privacy office of the Department of Homeland Security found that the transfer may have broken the 1974 Privacy Act, and criticized the officials for "violating the spirit" of the law.
Mica was keen for testing to begin, and pointed out that Congress had given the agency sweeping powers to impose so-called security directives on the aviation industry. Unlike conventional rules, such directives can be imposed without consultation or comment periods. But Stone told the hearing that the TSA was looking at a twin track process, where security directives would be used get data to begin testing the system, side by side with a "parallel effort" to develop rules acceptable to the airlines and other components of the industry for the running of the system itself.
"Our recommendation ... is that in order to build trust with the industry and the public," security directives should not be used to implement the system proper, Stone said.
"But that just means more delay," an annoyed Mica pointed out. Stone replied that the TSA was moving "to make these decisions in what we think is a rapid manner" and said officials would have decided how to proceed "within the next couple of months."
"I can only imagine the outrage of those falsely identified as an unacceptable risk and who miss weddings, funerals or graduations as a result," said Rep. Bill Pascrell, D-N.J. Stone said that the number of so-called false positives -- innocuous travelers wrongly labeled a threat -- was likely to be smaller under the new system.
Pascrell, still dissatisfied, echoed the views of many committee members when he said the agency needed "to do a much better job of assuring the American people that CAPPS II is not Big Brother."
Stone explained that the planned appointment of a privacy officer and an external privacy oversight panel was designed to provide just such reassurance. It would "also result in an improvement in our privacy practice and compliance" overall, he said.
One senior administration official said that the agency had been under pressure to make such an appointment for more than a year. The official said it was only the public chastisement they received over the agency's role in facilitating the possibly unlawful transfer of data from Jet Blue to a defense contractor that persuaded its leadership to take the plunge. "It's just a shame it took them so long," the official said.
Privacy experts cautioned that -- in order to be truly effective and independent, the oversight board would need to include people who are willing to challenge and question the agency. "They ought to include persistent critics of the program," said one long time privacy professional who asked not to be named, "If they're all ex-TSA employees that will be a danger sign."
But despite these doubts, the news was welcomed by the Department of Homeland Security's own privacy officer, Nuala O'Connor Kelly, who told United Press International she was "thrilled" by the move.
Kelly -- seen as a tough advocate for privacy rights within the department -- said that the appointee would be the fourth specialist privacy officer within the department. The national cybersecurity division and the biometric border control program called US-VISIT have already announced similar appointments.
She said the field of candidates was very strong and she expected to be able to work well with whoever was appointed.
The privacy officers report to senior officials within their division or program, but they also report to Kelly. "Each agency employs their own privacy officer, so the direct report is through (that agency's) management, but in policy terms, they report to this office."
She says this duality is "the hardest thing about being a privacy officer: you have to be both inside and outside. You have to be a part of the team, to be involved in all the policy discussions at the highest levels; but at the same time, you have to be ready to make constructive criticisms when they're necessary, and you have to remember your broader responsibility. As privacy officer, I have a statutory duty not just to the department, but to congress and through them to the public."