CAPPS

September 5, 2002 - Backgrounder

Privacyactivism staff counsel Linda Ackerman spoke about CAPPS (Computer-Aided Passenger Pre-Screening) to the Transportation Review Board, July 1, 2002: "It’s an area where government surveillance is expanding radically that hasn’t gotten the attention it should."

I’d like to thank John Strahan for giving me the opportunity to speak today about CAPPS. It’s an area where government surveillance is expanding radically that hasn’t gotten the attention it should.

Since September 11 this country has been moving steadily in the direction of becoming a surveillance state. Polls tell us repeatedly that people are willing to give up privacy and civil liberties for security. This may be true right now and for a few years ahead, but I believe that view will change once people realize just how much they’ve given up and how little of the promised security they've gained for it.

One piece of the new surveillance architecture is CAPPS—computer assisted passenger pre-screening. We've had CAPPS I since January 1998—instituted in response to the 1996 crash of TWA 800 and the Atlanta Olympics bombing, both initially thought to have been terrorist related. CAPPS I screening is based on address, travel history, criminal records, and other unspecified information about passengers—a few dozen variables in all. It's not known how many passengers have been stopped by CAPPS or whether it prevented any terrorist incidents. It certainly was not an impediment to the Sept. 11 hijackers.

CAPPS II is now in development. The TSA has announced that it will start deploying the system in November of this year. This is a supposedly more subtle and sophisticated profiling system than CAPPS I, and its database will include thousands of variables. Four firms are designing prototypes of neural-network based predictive software that does real-time threat analysis of airline passengers at the time they purchase a ticket. If the system rates you as a threat you'll be stopped at check-in.

CAPPS raises many questions that should be discussed before the program is implemented and we begin to see its consequences. Today I'll talk about four aspects of CAPPS:

  • First the database that will contain the information, how errors can be introduced into it, and security problems with databases.
  • Next, computer profiling—what it is and whether we can really expect it to identify terrorists.
  • Then I’ll discuss the civil liberties issues that CAPPS presents and questions of what remedies will be available to people misidentified by the system.
  • And finally, are there other, perhaps better, but definitely less intrusive ways to improve airline security than CAPPS?

What I’d like you to think about is whether the risks of this system are worth the assumed benefits, and whether CAPPS is actually capable of delivering the benefits it promises.

  1. DATABASES
    First let’s look at the CAPPS database and the information it will hold.
    The information that comes out of a database is only as good as the information that goes into it. We don't know many specifics of what will go into CAPPS II. The TSA says only that CAPPS will fuse threat data gathered from state, federal, and private sector sources.

    State and federal information.
    State and federal information will presumably include law enforcement data such as arrest and conviction records, FBI records, and motor vehicle registration records. I don't know what the error rate is in government data—one source I'd hesitate to rely on says 30%. But let me offer an example from a National Review article of the error rates in one state government database—the Colorado Central Registry of Child Protection. This database tracks all reports of child abuse and neglect in Colorado and conducts background checks on people working with children. It's not a predictive database like CAPPS—it checks data without drawing inferences. In 2001 the state audited its Registry of Child Protection. It found over 107,000 records with information on around 113,000 confirmed perpetrators and 144,000 kids. It receives about 450 reports a month. It's a rather small database—compared to one that would cover the estimated 600 million passengers who fly annually on U.S. carriers—but it had a very high error rate. 31 incident reports had a total of 44 data entry errors, 50,000 of the total of 107,000 records were incomplete. 40% of a sample of 48 known sex offenders were not listed in the registry. Of almost 1600 people acquitted of charges who should have been removed from the registry 191 names remained. If this is taken as representative of a government database, what does it say about the government information that will go into CAPPS?

    Private data sources.
    What about private sources? Two of the four known CAPPS prototype developers are partnered with data aggregators: HNC with Acxiom and Accenture with Equifax.

    Data aggregators mine personal information from public records, including court records—such as criminal convictions, civil suits, bankruptcy and divorce—property records, and voter rolls. They also collect consumer purchase records, subscription lists, all types of directory information—both public telephone and private organizational directories, insurance coverage, warranty card and sweepstakes information supplied by consumers—any information that is at least arguably not a credit report and is therefore not covered by the Fair Credit Reporting Act requirements that your personal credit information must be made available to you and you must be able to correct it. A 1998 US PIRG study found a 30% rate of serious errors in credit reporting information—that is, in the information that you're entitled by law to see and correct.

    Data error rates: statistical and anecdotal.
    We have no way of knowing what the error rate is in unregulated aggregator information, but we do have a report from the U.S. Commission on Civil Rights, titled "Voting Irregularities in Florida During the 2000 Presidential Election." The commission found that almost one of every seven people, or 14%, on a list of alleged felons provided by DBT (owned by information broker Choicepoint) was incorrectly identified and wrongly disqualified from voting.

    Richard M. Smith, a privacy and information security consultant, learned that he had an FBI file. Then he learned from a Wall Street Journal article that the FBI buys information from Choicepoint. He got his own 60-page Choicepoint dossier—you can buy them, but you can't correct them—and found that he'd previously been married to someone named Mary (he hadn't) and that he had died in 1976. Choicepoint searched Texas criminal records and found nothing under his name, but suggested a further search under names such as "Ricky Smith" and "Rickie Smith" because there were people in jail under these names. ChoicePoint thought he might be involved in more than 30 small businesses around the country where the name "Richard Smith" appeared as a company officer. Think about the effect on our Richard M. Smith's threat index reading if one of the 30 companies with an officer named Richard Smith imported clothing and crafts from Pakistan or recycled freon from old Saudi air conditioners.

    PCWorld writer Andrew Brandt hired Choicepoint to do a background check on himself. They found a "Drew Brandt" on a Texas database of felony convicts, but noted that he didn’t "match all necessary criteria" and they couldn't say for sure he was a felon. There were several clerical errors, including one that associated Brandt’s Social Security number with someone named Bobby Williams.

    Such errors have limited consequences when the information is used for marketing, but the effects of denying someone access to a plane—not to mention arrest and the incommunicado detention that other alleged terrorists have been placed under—can and will be devastating.

    How are errors introduced into data?
    This happens in a number of ways. There’s incorrect data entry—generally inadvertent, but in a law enforcement database like CAPPS, it has serious consequences. Also in the National Review is the story of a woman who became dead to Medicare when a nursing home clerk mistakenly checked the "expired" box on her discharge papers. She was unable to correct the error through the SSA, her congressman or regulatory oversight agencies. When the Washington Post picked up the story 3 1/2 months later, she was still dead.

    Incorrect data can also be entered intentionally. In SF we were reminded recently of the FBI's covert activities and disinformation campaign in the 1960s against UC faculty and particularly against UC President Clark Kerr. As the result of an FBI smear campaign based on deliberate lies, Kerr was fired by the UC board of regents in January 1967. Anyone who wanted to derail your life today could intentionally enter false data linking you to terrorists.

    Is there any such thing as a secure database?
    The answer is "no," whether the threat is from external hackers or internal malefactors. Access to a database should certainly be limited and controlled, but the fact is that anyone with the computer skills and the desire to hack a database can get in. The group I work with, Privacyactivism, has been keeping a list for the last two years that we call Data Valdez. It covers data spilled either through hacking, internal sabotage, or inattentiveness—in other words, stupidity. Here are some recent examples:

  • The Riverside California Press-Enterprise reported on June 14 that a hacker had gained access to the county computer system used to track, maintain, and record all court cases. The hacker changed the status of his own record and those of three other people so that all charges against them were dismissed. In order to do this, he had to acquire 5 unique passwords. Whether he got them from someone inside the system or by using a keystroke monitor is not known.
  • A hacker recently got into a California state database containing payroll direct deposit and other personal financial information, as well as full name and SSN for 260,000 state employees. The break-ins went on for several months, but weren't discovered until May 7 and the employees affected were not notified until May 24. A security task force looking into the hack found that few of the security procedures that were supposed to be in place were actually being used.
  • In January of this year, Choicepoint left a database containing internal corporate documents viewable on its public web site for several weeks.
  • techtv.com recently reported 10 stories of internal hacking and abuse of law enforcement databases. One particularly egregious example involves a clerk in the Nevada AG's office and a former FBI agent who were caught selling information from the FBI National Criminal Information Center database to organized crime syndicates and other criminals for more than $100,000.

    As the Latin saying goes: Quis custodiet ipsos custodes? Or, who will guard the guardians?

    As for the federal government's record on computer security, according to its own watchdog agency, it's worse than poor. In 1998 the GAO failed seven of 24 major agencies, including the DOL; DHHS; the DOJ; and the Office of Personnel Management, the personnel office for the entire federal government. Can we really expect government computers to become 100% secure with the CAPPS system—even assuming they could be, which they can't?

    Function creep is a problem.
    A database as huge and comprehensive as CAPPS II will be represents temptation to others who will want to use it. It will be particularly alluring to state and federal law enforcement agencies at all levels. Recall that the SSN was specifically not intended to be used as an ID number—some of us still have social security cards that say that. With CAPPS the most minimal notion of protection demands that no agency other than the TSA should be able to tap into the database and risk widening the spread of extremely sensitive and possibly incorrect or misleading information. It disturbs me to concede that CAPPS II is a done deal, but if it is, the fair use practices codified in the 1974 Privacy Act should apply and the database should be absolutely untouchable for any other purpose than screening airline passengers.

  2. Profiling
    CAPPS II will use neural-network profiling.
    Profiling is a surveillance technique that infers the characteristics of a particular class of person—in the case of CAPPS, a terrorist—from past experience and available personal data. It then compares a database of digital personae—us—created out of information pooled from public and private databases against a composite digital person of the terrorist class. I've already discussed the flaws in the information that goes into sculpting these digital facsimiles of ourselves. Now let's look at the particular class. If the digital terrorist is constructed from the reservoir of known terrorists, what kind of Frankenstein do we get? What exactly would a combination of 20 young male Muslims from Middle Eastern countries, plus Timothy McVeigh, Ted Kaczynski, Ulrike Meinhof, Carlos the Jackal, Shoko Asahara, Richard Reid, and Jose Padilla—some of whom we have very little personal information about—look like? Just who is the prototypical terrorist against whom to compare the rest of us? Does such a prototype exist? And, in view of current events, will profiling be heavily slanted toward characteristics of race, religion, and national origin, still constitutionally suspect classifications in law enforcement stops?

    In the absence of any information about the criteria for identifying a prototypical terrorist, we can only speculate what they are and whether any of them apply to us. What behavioral patterns do our addresses, consumer purchases, or reading or web surfing habits reveal? What might our travel history and phone records reveal?

    Let me cite an example of a friend whose completely innocent behavior might register as a threat. She lives in San Francisco and her husband lives in Seattle. She flies to Seattle twice a month on the same airline, generally on the same flight. She often sees the same people on the flight and says hello to them. They know each other as strangers who see each other often in the same place, but nothing more. What if one of those people is a Muslim who travels with any frequency to Egypt and has a record of phone calls to Cairo? Will neural network software identify my friend as part of a terrorist conspiracy? Is she guilty by association with people she doesn't know?

  3. Civil liberties and remedies.
    CAPPS II presents major civil liberties issues and questions of remedies.
    In the first place CAPPS II amounts to the US government conducting background checks on a huge number of its citizens. Even if you believe you have nothing to hide, that you fit into whatever standard is determined to be "normal," you should find it chilling to know
    1) that your government has you under surveillance and is accumulating a large dossier on your transactions, movements, associations, and patterns of behavior and
    2) that a computer could sort all this information, some of which may be correct, some incorrect, much of which will be taken out of context, and based on this information, could identify you as a threat.

    Another question is what happens if you ARE identified as a threat? Is the burden on you to prove you're not? How do you do that? As of now, there is no process for doing it. No agency is responsible for misidentifying you or for correcting the problem.

    An example of this appeared in the May 13th New Yorker story of a 70-year-old black woman named Johnny Thomas, not a unique name, who was stopped at the USAirways Boston-NY shuttle check-in on March 23rd. After a delay she was told that whenever she tried to fly the airline would have to call the state police, who would call the FBI, who would check on her date and place of birth. When she got home she called the FBI in Paterson, NJ, the office nearest to her. Someone who wouldn't give his name told her to hire a lawyer. She made no progress with her senators. Eventually she called the TSA, where a Mrs. Boyd told her that she was on the FBI "no-fly" list because one Christian Michael Longo, currently awaiting trial for murder in Oregon, had used the alias "John Thomas Christopher" and had been on the FBI's 10 most wanted list at the time of his arrest. Mr. Longo is a white male, born in 1974, with blue eyes and reddish blond hair. Many phone calls later she'd gotten no further in solving her problem. The next time she flew on U.S. Air, the word "error" appeared next to her name, but she was eventually allowed to fly. On the return flight "not allowed to fly" appeared next to her name. This time her checked bags were x-rayed, her carryon inspected, and she got the wand. She did board the plane. She has no idea what to expect the next time she tries to fly—or if she will ever be able to remove her name from whatever list it is on.

    Airport = Constitution-free zone?
    Another issue that concerns me is what constitutional rights apply in a CAPPS stop. Will CAPPS turn airports into a Constitution-free zone? Have we already waived our 4th Amendment rights against search and seizure by years of passing ourselves and our luggage through metal detectors? Does a CAPPS stop amount to the kind of detention that causes your 5th amendment right against self-incrimination to kick in? Are you entitled to a Miranda warning? Is being identified as a security threat by a computer the equivalent of being charged and does it trigger your 6th amendment right to have an attorney present? If you’re incorrectly identified and eventually prove it, do you have a right to sue the government for violation of your constitutional rights? And does that right extend to government contractors who developed the system and supplied it with incorrect or misleading information about you that led you to be flagged as a terrorist?

    Finally, what are the consequences of making mass surveillance of the population a matter of routine? According to Harvard law Professor Jonathan Zittmer: this is “the sine qua non of a police state. It means spying on people otherwise presumed innocent, since it means spying on everyone.” I’m sure most Americans were appalled when it came to light that the Stasi had a file on almost every person in East Germany—for security reasons, of course. Is CAPPS really all that different?

  4. Can we have reasonable security without mass surveillance?
    Are there alternatives to mass surveillance that could improve airport security?
    It's my opinion that CAPPS won't solve the problem of airline security and that misidentifications will cause problems of their own that will be difficult to impossible to resolve. I believe that the best security measures need not have any effect on civil liberties, need not create monster databases that are vulnerable to error, abuse, and hacking—both internal and external, and need not push us further along the road to becoming a surveillance state. Instead of CAPPS, why not reinforce cockpit doors, match passengers with their luggage, employ explosive-sensing detectors or dogs on passengers, baggage and cargo? Consider fly by wire guidance systems that would allow a pilot to flip a switch to automatically land an endangered plane at the nearest military airport.


    Broad surveillance is simply a mark of bad security. CAPPS II is the quick fix that the airline industry is hoping will bail it out of the abyss. The tech industry sees a multi-billion dollar budget for homeland security as the resurrection. To quote Norman Mineta: "We've got every salesman—20,000 of them I think—approaching us about how they've got some machine that will take care of everything we do, including not only detecting explosives but athlete's foot as well." Peter Swire, Clinton's Chief Counselor for Privacy, labels it "the security-industrial complex"—and indeed it is doing all it can to drive policy, or why would Larry Ellison be offering the government, absolutely free of charge except for maintenance and updates, a National ID card database?

    The massive surveillance project that CAPPS II represents to me is disturbing. As William Safire said in a recent column: "All your personal data is right there at the crossroads of modern marketing and federal law enforcement. And all in the name of the war on terror." I would ask you to consider whether we're really gaining any security for all that we're giving up.
-- 
Note: sources are available at http://www.privacyactivism.org/Item/49.

More information is available at <http://www.privacyactivism.org/Item/77>.

Last updated March 2, 2003

