Caslon Analytics - Passports and Travel note
watch lists

This page considers watchlists and networks for the surveillance of domestic and international travellers, such as the US CAPPS II and Secure Flight schemes.

It covers -

  • introduction
  • digital issues - key issues at a glance and some questions about their significance
  • from CAPPS II to Secure Flight - the evolution of contemporary 'total information awareness' schemes in the US and other countries
  • listing

introduction

One aspect of the 'digital revolution' has been a substantial increase in the capacity of governments to monitor travel by their nationals and foreigners, in particular travel across borders and using commercial airlines.

In contrast to past regimes, which were predicated on official authorisation to move between jurisdictions and on registration of the traveller's presence (whether by a bureaucrat or by an agent such as an innkeeper), much of that monitoring is 'non-invasive'. It relies on government agencies accessing information held on private sector databases (eg the computerised reservation systems noted on preceding pages of this note) and information extracted from travellers as the price of passage (eg drawn by migration officers from their passports or from passenger manifests and flight cards).

Readers of Victorian and Edwardian fiction will be aware that it was possible to thwart pre-1914 monitoring schemes through ingenuity, adoption of false moustaches or other disguises and provision of bogus personal particulars - whether for a romantic assignation in a railway hotel or to evade the attention of the Okhrana and Sûreté.

Undermining those schemes was possible because of

  • delays in collecting, transmitting and collating information
  • problems in interpreting information
  • the absence of effective personal identification documentation.

As we enter the age of biometrics, unique identification should, in principle, be more achievable and the mining of travel information from comprehensive CRS and payment systems should enable what one enthusiast characterises as 'surveillance at a distance', detecting malefactors while freeing the innocent traveller from the whiff of garlic as an official or hotel clerk peers over his/her shoulder.

In practice some claims for 'total information awareness' seem fantastic, given theft or corruption of official documentation, problems with the disambiguation of information, concerns about privacy principles and administration, the very patchy nature of data sources and difficulties with integration of systems across jurisdictions and agencies. Some criminals - or would-be criminals - are for example in possession of legitimate identity documents. Monitoring travel payments tracks payments; in an environment of credit card fraud that is not necessarily the same as tracking people.

digital issues

In the digital environment issues include -

  • low awareness among government agencies, businesses and travellers about privacy-related aspects of domestic and international travel
  • perceptions that data mining and other technologies will allow government agencies to accurately identify substantive threats or build effective electronic borders by using information about who is travelling, where they have been, where they are going and even what they are doing
  • consequent government demands for systematic access to commercial travel-related information (including airline reservations, accommodation and restaurant payments), with exemption of that data and associated analysis from existing privacy protection regimes
  • associated comprehensive profiling of travellers, reflected in restrictions on freedom of travel (eg Do Not Fly lists), differential treatment of travellers on the basis of Recognised Flyer lists and intrusive searches
  • compulsory provision by travellers of a range of information during reservations and by financial institutions or other entities
  • mandatory identification of travellers, including carrying/display of identity documents and use of biometric identifiers
  • integration of commercial and government databases about travellers, with what critic Edward Hasbrouck condemns as "integration and conversion of travel industry infrastructure into an infrastructure of surveillance"

In some jurisdictions activists have warned about -

  • use of RFID tags on a secure or unsecure basis, with for example claims that tagging will facilitate identity theft or convert the bearer of a tag into a target
  • corporate and government construction of "lifetime personal travel dossiers" from travel bookings and payments, with that information potentially being accessed by or even sold to third parties without the consent or awareness of the traveller
  • inadequate legal protection for travel information, particularly for travel across borders and for information that is silently shared by governments and businesses

Perceptions of those issues differ widely, depending on factors such as occupation, cultural background, personal experience and even position in a queue for security screening at an airport. Gilmore's lament about provision of ID would, we suspect, thus appear misplaced to many Australians, who have become accustomed to providing photo ID for entry to a domestic flight.

Tensions among privacy advocacy organisations are reflected in comments that not all concerns are equal: producing ID to board a flight is less offensive than being mauled by an unskilled security contractor during an intimate search, particularly if the passenger is confident that information in that ID will be safeguarded.

Some concerns may be displaced, with regulatory issues being addressed through a strengthening and systematisation of data protection legislation underpinned by effective industry protocols and greater awareness about the commoditisation of personal information.

from CAPPS II to Secure Flight

The Computer Assisted Passenger Pre-Screening System (CAPPS II) was proposed by the federal Transportation Security Administration (TSA) in the US following 9/11 but tacitly abandoned in the face of legal and technical criticisms, being replaced by plans for a Secure Flight scheme.

The new scheme has been promoted as complementary to the Defense Department's Total Information Awareness (TIA) - later Terrorism Information Awareness - program, criticised as a successor of the unfocussed, wildly ambitious and horrendously expensive Reagan-era 'Star Wars' program.

Predecessors of CAPPS II sought to match the names of intending passengers with one or more government watchlists, in particular a list of names of terrorists. That matching proved problematical, as many names are not unique, the names of terrorists and others may have been incorrectly captured (particularly if they were expressed in Arabic, Chinese or other non-Roman characters) and those on a watchlist might choose to use an invented name or assume someone else's name. Presumably Osama Bin Laden would not take a US commercial flight under his own name. US senator Ted Kennedy - who shares a surname with someone on a wanted list - was recurrently stopped because of that disambiguation problem.

Enthusiasts for CAPPS II justified the scheme as a mechanism for combatting terrorism, in particular by preventing hijacking of large civilian aircraft. It has been characterised as a model for travel databases in other jurisdictions and for screening rail or other modes of transport.

It was envisaged that CAPPS II would draw on information from government and commercial databases, including 'life data' such as age and place of birth and activity data such as information about the frequency and departure/destination points of past travel. A 2004 Australian parliamentary committee report on aviation safety sagely comments that "hijackers have tended not to be frequent fliers".

That data would be used to assign each passenger a color-coded score -

  • 'Green' flags that the passenger does not appear to pose a threat to safety and is free to board the plane
  • 'Yellow' flags that the passenger appears to pose a potential threat and should accordingly undergo further security checks before being allowed to board
  • 'Red' flags that the passenger is likely to pose an "imminent threat" and will thus not be allowed to board the flight, with some likelihood that the person will be required to undergo official questioning.

Statistics about the number of people whose profiles have resulted in a red or yellow score are contentious, as is the effectiveness of models used in generation of those profiles.

Concerns identified by privacy and consumer advocacy groups include -

  • data accuracy, with questions about the validity of information in some government and industry databases (particularly those maintained by credit reference services) and about updating those databases in the event that an inaccuracy is detected
  • sharing of source data or individual profiles with federal/state agencies and with other governments
  • inappropriate use of data sources, in particular financial and medical records
  • network integrity, in particular fears that personal information collected by the TSA will be improperly accessed (eg for identity theft)
  • uncertain or ineffective mechanisms for public access and redress, with US politicians, ordinary citizens and foreign nationals complaining that they had been improperly prevented from flying, couldn't find out why they had been prevented and weren't able to ensure that faulty data was corrected
  • mission creep, with inappropriate sharing of information collected by the TSA
  • comments that screening could be circumvented by 'borrowing' an impeccable life/activity history and using forged identity documents to get past undertrained, demotivated and harried security staff

In response to those criticisms the TSA has sought to expand its data collection, leading critics to comment that it is 'solving' the problem of muddy data by doubling the amount of muddy data. The Secure Flight scheme will apparently receive the entire Passenger Name Record (PNR) from airline reservation systems encompassing name, address, phone number, email address, credit card details and special medical or religious dietary requirements. Subject to meeting EU data protection requirements, Secure Flight will also draw on PNR data from EU-based airlines.

Another response has been to buttress the system by requiring use of biometric identifiers, with passengers for example undergoing retina scans or palm scans.

The TSA is also exploring 'trusted traveller' schemes.

Those schemes typically involve frequent travellers gaining a smart card after undergoing a background check. Information on the card would include the traveller's flight booking history (their PNR) and print patterns from two fingers as a biometric identifier. Security personnel at a screening point would receive information about the passenger as the card was read, subject to a match between the biometric data on the card and the traveller's fingerprint patterns. If the system indicated that the person represented a "lower security risk" that individual would be fast tracked for boarding.

Privacy issues are supposedly addressed by the traveller retaining the card "and therefore the personal information it contained", with personal and flight information on the system becoming unreadable after 24 hours "unless needed for government investigations" and deleted after 30 days. US proponents envisage use of kiosks for self-check-in by passengers, with a staff member "always in attendance ... to watch for signs of nervousness indicating whether a particular passenger posed a security risk".

In May 2006 the European Court of Justice threw out the 2004 agreement between the European Union and the US government that had allowed the US access to European airline passenger data. The Court ruled that the Council of Europe could not declare that the US government's promises provided "adequate" privacy, as the Council had no legal authority under the EU data protection directive to address public security matters. The Court allowed the PNR transfers to continue until October 2006 on a transitional basis.

The Canadian national government announced plans for a 'Specified Persons List' in 2006, to come into effect in mid-2007.

That list, expected to cover around 1,000 people, is to be provided to all airlines that fly within or in/out of Canada. It includes the name, birth date and gender of anyone who "might pose an immediate threat to aviation security" should they board a flight.

The airlines will be required to screen each person's name against the list before issuing a boarding pass. They will be required to ensure that every passenger who appears to be 18 years of age or older carries valid government-issued photo ID or two identity documents without a photograph. From the end of 2007 anyone appearing to be older than 12 years of age must carry one or more identity documents, including a health card, a birth certificate, a driver's licence or a social insurance card.

As noted elsewhere on this site, it is likely that a substantial number of bogus documents are in circulation in Australia, Canada and elsewhere, with few scrutineers having forensic training to determine whether a card or certificate is what it purports to be and that it has been properly obtained.

listing

In 2006 the UK Home Office was revealed to have compiled a 'hit list' of 45,000 "undesirable" Hungarians and Romanians prior to admission of those nations to the European Union.

The secret "warnings index" of alleged criminals and possible security risks is intended to alert officials to the identity of people who will be given the legal right to live in the UK after the two countries join the EU. One government forecast is that up to 140,000 Bulgarians and Hungarians may move to the UK. Junior Home Office minister Joan Ryan claimed that EU freedom of movement rules mean they cannot be barred from the UK; police accordingly need to be warned about their identities.

In October 2006 it was revealed that there were over 12,000 'Robert Johnson's on the US list, leading one critic to comment that

It would seem that the next step will be terrorists polluting of the 'No Fly' list with bogus traffic. How many thousands of people with the names John Smith, Jane Smith, Robert Smith, and so on will it take to overload the system and make it impossible to travel effectively?

 





version of May 2007
© Bruce Arnold
caslon.com.au | caslon analytics