Early Prime Day Deals Laptop Recommendations AT&T vs. Xfinity Prime Day Deals on TVs 4th of July Sales Best iPhone VPN 2023 Acura Integra Review Best Fitbits

Feds consider lowering passenger data requirements

Privacy advocates say preflight screening proposal is less "intrusive" but doesn't correct underlying problems with watch list databases.

The U.S. Department of Homeland Security has taken a preliminary step in overhauling plans for an air traveler-screening program that has alarmed privacy advocates in the past.

Under a new proposal for a controversial program known as Secure Flight (click for PDF), the Transportation Security Administration would assume the duty of checking passengers against terrorist watch list databases, which is currently done by U.S. air carriers. In a nod to earlier privacy concerns, it proposes scaling back the amount of data that airlines would be obligated to submit about their passengers.

Unlike earlier plans, "it's not going to rely on collecting commercial data; it's not going to assign a risk score to passengers; it's not going to try to predict behavior," Homeland Security Secretary Michael Chertoff said at a press conference on Thursday. "It's only designed to collect a minimum amount of personal identifying information so that we can do an effective job of matching the traveler to a person whose name and identity is on a watch list."

"It's only designed to collect a minimum amount of personal identifying information so that we can do an effective job of matching the traveler to a person whose name and identity is on a watch list."
--Homeland Security Secretary Michael Chertoff

The plans aren't final. They are set to be open for public comment for 60 days after their publication in the Federal Register. A TSA spokeswoman said the agency expects to begin implementing the new rules late next year.

Secure Flight, which was born in 2004, has already been put on hold amid privacy "mishaps" flagged by government auditors and others. As a result, Congress decreed that Homeland Security can't proceed with a watch list-checking program until it shows that it's sufficiently privacy-protective and functional.

The latest approach is intended to improve security amid what Homeland Security says are inconsistent watch list-checking practices by airlines. It's also designed to give federal agents more time to resolve the "false positive" matches that have notoriously arisen under the current system, leading to delays for innocent travelers.

For international flights, some changes will be coming sooner. In a separate rule issued Thursday, Homeland Security said Customs and Border Protection will soon begin requiring airlines to submit, no later than 30 minutes before takeoff, a passenger's full name, date of birth, gender, passport information, citizenship information, and flight and itinerary information.

Much of that data doesn't currently get sent for checks against watch lists until after the flight has already taken off, which Homeland Security says is "too late" to do effective screening.

In its 139-page proposed rules for Secure Flight, Homeland Security says it would require passengers only to submit their full names--as they appear on their identification documents--to airlines when making flight reservations.

Airlines would also be required to request other information, such as the passenger's date of birth and gender, but giving it would be voluntary. Homeland Security warned, however, that withholding those extra details could prompt extra screening at the airport or prevent early check-in, as it may be more difficult for federal agents to distinguish innocent travelers from terrorist watch list designees.

Passengers would also be asked to voluntarily submit to their airline two somewhat mysterious new identification numbers developed by TSA. Those, too, are intended to make the screening process easier.

One is called a "redress number," which TSA plans to assign to passengers who have reported through its redress process being "incorrectly" delayed in their travels. The other is a "known traveler" number, which would be given to travelers who have already undergone what Homeland Security calls a "terrorist security threat assessment" and been deemed benign.

It's unclear how that process would unfold, but the idea resembles an existing program called Registered Traveler, in which passengers can pay a fee, submit biometric and biographic information and, if they pass muster, receive a special card designed to allow speedier passage through security checkpoints.

All that information--which TSA says must also include data about a passenger's flight itinerary, if available--would have to be handed over to federal agents within about 72 hours of the flight's scheduled takeoff. The same procedure would also be required for anyone who wants to pass through security but is not getting on a plane--for instance, an adult accompanying a minor who is flying solo.

After doing its checks, TSA would send back to the airline instructions about whether to issue a boarding pass to an individual, to flag the individual for extra screening at airport security checkpoints, or to deny the traveler's transportation.

TSA has proposed storing individual information that doesn't produce a watch list match for a week for "auditing purposes." Records for "potential matches" would be stored for seven years, and confirmed matches would have their records stored for 99 years. TSA said it plans to give its employees privacy training and to use various "access controls" and "audit logging" to keep tabs on who views those records.

Also, in an effort to thwart use of phony boarding passes, Homeland Security plans to require airlines to place unique coding, such as a bar code, on the document. It would be designed to vouch for its authenticity but would not, Homeland Security said, contain personal information.

Electronic Privacy Information Center executive director Marc Rotenberg said the proposed changes are "significant" in that they request "less intrusive" information than previous programs. But he said problems remain with the watch lists themselves, including the possibility that their uses could be expanded to "other settings, including access to railway stations, federal office buildings and amusement parks."

Chris Calabrese, counsel for the American Civil Liberties Union's Technology and Liberty Project, said the government still isn't doing enough to make its watch list practices transparent.

Although TSA has a "redress" process for passengers who feel they have been improperly detained, it says it still can't actually confirm or deny who's on its lists. (Name matches have infamously detained congressmen, infants and myriad other innocent travelers.)

"You still have the incredible unasked question of...what are those criteria, how do I get off that list?" Calabrese said in a telephone interview. "That question is not answered, and they don't seem to be inclined to answer it."

Chertoff, for his part, said centralizing the watch lists checks within TSA should help to head off some of those inconveniences. Airlines often don't have the most up-to-date watch list information, but TSA will have access to lists that reflect real-time updates, he said.

The department has emphasized that it will do "operational testing" with airlines before rolling out the Secure Flight program. It expects to implement the new rules in two phases, beginning first with flights between two domestic points and then moving on to flights to or from the United States, or flights that happen to fly over the nation.