GAO Report Finds CAPPS II Fails to Meet Congressional Criteria

February 12, 2004. The General Accounting Office (GAO) released a report [53 pages in PDF] titled "Aviation Security: Computer-Assisted Passenger Prescreening System Faces Significant Implementation Challenges". The appropriations bill for the Department of Homeland Security (DHS) for FY 2004 established criteria for the CAPPS II program, and required that the GAO report on the program's compliance with these criteria. The report finds that the most of the criteria have not been met.

Background. CAPPS is the acronym for "Computer Assisted Passenger Prescreening System". Prior to the terrorist airline based attacks of September 11, 2001, the airlines conducted passenger screening, and administered the CAPPS I, subject to federal guidelines.

In late 2001, the Congress passed the Aviation and Transportation Security Act, which created the Transportation Security Administration (TSA) as a unit of the Department of Transportation (DOT). This Act gave the TSA responsibility for airport passenger screening. In late 2002, the Congress passed the Homeland Security Act, which created the DHS, and transferred the TSA from the DOT to the new DHS. The new CAPPS II -- the next generation passenger screening system -- is planned to be a government (TSA) run system that replaces CAPPS I.

The CAPPS II has been criticized on privacy grounds, and the Congress addressed these concerns in the DHS appropriations bill, which President Bush signed on October 1, 2003.

The bill contains language prohibiting the use of funds for the CAPPS II program until the GAO, which is an arm of the Congress, issues a report to the Congress in which it finds that the CAPPS II program meets certain specified criteria set out in the bill.

However, while this language is in the bill, and the President signed the bill, the President wrote in a separate signing statement that this language of the bill is ineffective under the Supreme Court's opinion in INS v. Chadha, 462 U.S. 919 (1983). Bush wrote that while the language is mandatory, he will construe it as merely advisory. Basically, the President asserts that it would be an unconstitutional usurpation of executive power by the legislative branch to allow an agent of the legislative branch to prevent implementation of the law unless the legislative agent reports to the Congress that the executive branch has met certain conditions.

GAO Findings. The GAO report finds that "Key activities in the development of CAPPS II have been delayed, and TSA has not yet completed important system planning activities. Specifically, TSA is currently behind schedule in testing and developing initial increments of CAPPS II, due in large part to delays in obtaining passenger data needed for testing from air carriers because of privacy concerns. Initial operating capability -- the point at which the system will be ready to operate with one airline -- was originally scheduled to be completed in November 2003; however, TSA officials stated that initial operating capability has been delayed and its new completion date is unknown. TSA also has not yet established a complete plan identifying specific system functionality that will be delivered, the schedule for delivery, and the estimated costs throughout the system's development."

The GAO report finds that the DHS has met only one of the eight criteria, the establishment of an internal oversight board to review the development of major DHS systems, including CAPPS II. The report states that "As of January 1, 2004, TSA has not fully addressed seven of the eight CAPPS II issues identified by the Congress as key areas of interest, due in part to the early stage of the system's development."

The report also concludes that "CAPPS II also faces a number of additional challenges that may impede its success. These challenges are developing the international cooperation needed to obtain passenger data, managing the expansion of the programís mission beyond its original purpose, and ensuring that identity theft -- in which an individual poses as and uses information of another individual -- cannot be used to negate the security benefits of the system. We believe that these issues, if not resolved, pose major risks to the successful development, implementation, and operation of CAPPS II."

More on the DHS Appropriations Bill. President Bush signed the Department of Homeland Security Appropriations Act, 2004, on October 1, 2003. It was HR 2555. It is now Public Law No. 108-90.

Section 519(a) of HR 2555 provides that "None of the funds provided by this or previous appropriations Acts may be obligated for deployment or implementation, on other than a test basis, of the Computer Assisted Passenger Prescreening System (CAPPS II) that the Transportation Security Administration (TSA) plans to utilize to screen aviation passengers, until the General Accounting Office has reported to the Committees on Appropriations of the Senate and the House of Representatives that--
  (1) a system of due process exists whereby aviation passengers determined to pose a threat and either delayed or prohibited from boarding their scheduled flights by the TSA may appeal such decision and correct erroneous information contained in CAPPS II;
  (2) the underlying error rate of the government and private data bases that will be used both to establish identity and assign a risk level to a passenger will not produce a large number of false positives that will result in a significant number of passengers being treated mistakenly or security resources being diverted;
  (3) the TSA has stress-tested and demonstrated the efficacy and accuracy of all search tools in CAPPS II and has demonstrated that CAPPS II can make an accurate predictive assessment of those passengers who may constitute a threat to aviation;
  (4) the Secretary of Homeland Security has established an internal oversight board to monitor the manner in which CAPPS II is being developed and prepared;
  (5) the TSA has built in sufficient operational safeguards to reduce the opportunities for abuse;
  (6) substantial security measures are in place to protect CAPPS II from unauthorized access by hackers or other intruders;
  (7) the TSA has adopted policies establishing effective oversight of the use and operation of the system; and
  (8) there are no specific privacy concerns with the technological architecture of the system."

Reaction of Privacy Groups. Jim Dempsey, Executive Director of the Center for Democracy and Technology (CDT), stated in a release that "The screening system in place today doesn't work very well and it ends up with too many innocent people being pulled aside ... But we can't walk away from the problem. We need a new passenger screening system. The GAO may have killed CAPPS II, but we're going to need something to replace what we have and we better start thinking seriously about it now."

Marc Rotenberg, Executive Director of the Electronic Privacy Information Center (EPIC), stated in a release that "The report confirms that the Department of Homeland Security has failed to address the very significant privacy issues that lie at the heart of CAPPS II. It shows that international opposition to the U.S. initiative is well-founded, and makes it unlikely that European officials will approve the transfer of passenger data to the United States."

DHS Reaction. Nuala Kelly, Chief Privacy Office of the DHS, stated at a media roundtable that "For the most part, I think the GAO Report is quite fair and I think it's accurate and I think it's a fair statement to say that there is good work that has been done and a great deal of work that still remains to be done on my issues and on other parts of the program as well." See, transcript.

The DHS also issued a release. It states that "CAPPS II is not an intelligence gathering database. It is a prescreening system that will assess the likelihood that travelers are who they claim to be and perform a risk assessment to detect individuals who may pose a terrorist-related threat or who have outstanding Federal or state warrants for crimes of violence."

It continues that "CAPPS II modernizes an existing program that was created in 1997 as an additional measure to help prevent a terrorist attack on passenger aircraft.

"It assesses the identity of every passenger by matching limited information about the traveler (including name, date of birth, address, and phone number) with commercially available information. This check is done between databases outside of a government firewall. CAPPS II will not bring any information contained in the commercial databases into the governmentís system and the commercial databases are prohibited from keeping or using the information provided by CAPPS II", states the DHS release. "CAPPS II also performs a risk assessment, including a check against lists of terrorists and known or suspected threats, to detect individuals who may pose a terrorist-related threat or who have outstanding Federal or state warrants for crimes of violence."

The DHS also states that "Once the system has computed a travelerís risk score, it will send an encoded message to be printed on the boarding pass indicating the appropriate level of screening. Eventually, this information is planned to be transmitted directly to screeners at security checkpoints."

See also, statement by Under Secretary of Homeland Security Asa Hutchinson, and second press release dated February 12, 2004.

Related stories: 

"Democratic Representatives Write Bush Re CAPPS II" in TLJ Daily E-Mail Alert No. 836, February 13, 2003.

"Bush Signs Homeland Security Appropriations Bill", "TSA Receives Comments In CAPPS II Privacy Proceeding", and "Homeland Security Appropriations Bill Purports to Restrict Use of Funds for CAPPS II" in TLJ Daily E-Mail Alert No. 751, October 2, 2003.

"Senate Commerce Committee Holds Hearing on Transportation Security" in TLJ Daily E-Mail Alert No. 736, September 10, 2003.

"TSA and EPIC Reach Agreement Regarding Production of Documents Regarding CAPPS II" in TLJ Daily E-Mail Alert No. 734, September 8, 2003.

"EPIC Files FOIA Suit For CAPPS II Records" in TLJ Daily E-Mail Alert No. 733, September 5, 2003.