Feeds

Passenger screening gimmick stuck at the gate

'CAPPS-3' not ready for takeoff

  • alert
  • submit to reddit

The essential guide to IT transformation

The US Transportation Security Administration (TSA) is behind schedule in developing a new terrorist-busting database system called Secure Flight, a report by the Government Accounting Office (GAO) says.

After confronting the obvious defects in the old pre-9/11 CAPPS (computer-assisted passenger pre-screening system), which allowed 19 violent terrorists to board flights on a single morning, the TSA set out to develop CAPPS-2, supposedly an improvement. When that project failed to result in a working system, TSA announced that it would re-work the entire scheme.

Proposed improvements included letting the government, rather than airlines, administer the system, so that secret counter-terrorist intel could be used, and merging airline passenger data with commercial data such as that stored by privacy invasion outfits like ChoicePoint.

TSA got off to a strong start, successfully changing the system's name, for example, but has since fallen behind on lower-priority modifications, such as establishing privacy standards, and basically making it work.

Congress established ten milestones that Secure Flight must pass before its intended roll-out in August. Of these, nine remain to be satisfied. (An advisory committee has actually been chosen as required, but the criteria on which its advice will be based are still up in the air.)

According to the report, the nine milestones remaining are: "Stress test system and demonstrate efficacy and accuracy; Assess accuracy of databases; Make modifications with respect to intrastate travel to accommodate states with unique air transportation needs; Establish effective oversight of system use and operation; Install operational safeguards to protect system from abuse; Install security measures to protect system from unauthorized access; Life-cycle costs and expenditure plans; Address all privacy concerns; Create redress process for passengers to correct erroneous information."

That's quite a shopping list, and it is hard to imagine a bureaucracy like DHS/TSA getting through it, even in the highly unlikely event that everything goes well. And if there are major problems, they will have to be identified and corrected, after the customary blame game has been enacted on Capitol Hill.

So the chance that this scheme will actually be implemented in August is very slim, especially when one considers the extraordinary capacities that it is expected to have.

An anti-terrorist machine

According to GAO, the required system capabilities are: "Comparison of data contained in the passenger's reservation (PNR) with information contained in government watch lists; Matching information in the PNR to CAPPS I rules to identify individuals who should be subject to additional security screening; Checking PNR data against commercial databases to assist in confirming the passenger's identity; Matching PNR data against lists of international fugitives and government 'wanted lists' to identify known criminals; Using algorithms developed through intelligence modeling to identify previously unknown terrorists; Maintaining a list of individuals, who have been previously cleared under credentialing programs, to minimize the volume of passengers that must be prescreened; Providing the capability to create a temporary watch list based on information extracted from current intelligence reports, such as blocks of stolen passports."

A computerized system that could reliably satisfy one of those requirements day-in, day-out, with passenger volumes as heavy as the USA's, would be mighty impressive. But here we have something out of Star Trek, in which taxpayers are investing billions, with so many potential points of failure that it will be a miracle if it doesn't increase the risk of hijackings.

It will be full of bad data that will repeatedly flag and inconvenience the wrong travellers. (The existing CAPPS system didn't stop the 9/11 hijackers, although it did catch US Senator Edward Kennedy and former singer Cat Stevens, for example.)

Worse, a system such as this is, by design, exceptionally easy for terrorists to reverse-engineer. By making a series of 'dry runs,' a terrorist crew can easily learn which members get flagged and which don't, insight of tremendous value for choosing the individuals most likely to succeed in an actual attack.

So it comes as no surprise that TSA should have fallen behind in developing a system intended to do the impossible. The only odd thing here is the fact that the law enforcement establishment, the public, and Congress foolishly persist in believing that "information technology" is the answer to real-world security problems. ®

Related stories

DHS comes clean on CAPPS, lets self off hook
ID theft is inescapable
Uncle Sam demands all air travel records
Airport snoop system thrown in $102m garbage can
Airport security failures justify snoop system

Build a business case: developing custom apps

More from The Register

next story
Hello, police, El Reg here. Are we a bunch of terrorists now?
Do Brits risk arrest for watching beheading video nasty? We asked the fuzz
UK fuzz want PINCODES on ALL mobile phones
Met Police calls for mandatory passwords on all new mobes
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
EU justice chief blasts Google on 'right to be forgotten'
Don't pretend it's a freedom of speech issue – interim commish
Detroit losing MILLIONS because it buys CHEAP BATTERIES – report
Man at hardware store was right: name brands DO last longer
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
UK government accused of hiding TRUTH about Universal Credit fiasco
'Reset rating keeps secrets on one-dole-to-rule-them-all plan', say MPs
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Yes, but what are your plans if a DRAGON attacks?
Local UK gov outs most ridiculous FoI requests...
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.