This is an early draft, in response to the Practical Nomad's pointing out that they're pretending to give us a voice. I'd love feedback.

Attn: DHS-TSA Desk Officer

Office of Information and Regulatory Affairs

Office of Management and Budget

By fax to +1-202-395-5806

Docket No. TSA-2004-19160


DHS-TSA Desk Officer,

Thank you for the opportunity to write regarding the TSA's "Secure Flight" program. It is unfortunate that you won't have a chance to evaluate comments before decisions are made, and the privacy of millions of travelers is violated, but as we shall see, that lack of forethought is an endemic aspect of the program, and should not be surprising.

To summarize, the program can not work, will not work, and tramples on the privacy and civil rights not only of Americans, but people around the globe. It should be stopped at least until these issues can be addressed.

My comments are centered around your efforts to:    

[1]      Evaluate whether the proposed information requirement is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;

(From The Federal Register/Vol. 69, No. 185/Friday, September 24, 2004/Notices, page 57345.)

My comments are also influenced by the final, overall recommendation of the 9/11 Commission:

Recommendation: The burden of proof for retaining a particular governmental power should be on the executive, to explain (a) that the power actually materially enhances security and (b) that there is adequate supervision of the executive's use of the powers to ensure protection of civil liberties. If the power is granted, there must be adequate guidelines and oversight to properly confine its use."

The Database

I will take as the proper performance test for these information requirements to be the prevention of terrorist attacks in the air, and they will not achieve that. For the system to be a necessary part of such a system, it requires a perfect database of would-be hijackers. If the database is incomplete, terrorists may slip through. It is thus clearly an adjunct to good security, not a requirement. I will return to other aspects of imperfection.

The system requires that the databases contents remain secret, even in light of attempts to probe it, and this can not be done. If a would-be hijacker can test the system, and determine that he is in the database, he can be re-assigned to other terrorist activities. Given that a hijacker can easily test to see if he is in the system, and discover if he is a mandatory 'selectee,' or are on the no-fly list, the contents of the database are not usefully secret.

To fill the database, assuming it could be made useful, requires a peculiar character of intelligence, which we will not have. We need intelligence good enough to fully identify a probable terrorist, but not so good that we would choose to arrest or detain them. Given the furtitive nature of terrorist activity, and the acknowledged shortage of intelligence assets in the terrorist groups, it seems unlikely that such a database will be well-filled. And in truth, it has turned out to be poorly filled, with innocents like David Nelson or Johnnie Thomas, with peace activists like Rebecca Gordon and Janet Adams, and with members of Congress Ted Kennedy or John Lewis. I will return to these and other effects of a poorly-filled database. These problems are unlikely to be overcome anytime soon, and those who wish to claim they have been should be subject to the extraordinary proofs that extraordinary claims always require.

The Identity Card

Assuming that these problems could be overcome, that a complete and secret database could be created, would it be useful? If such a database existed and could be used to capture terrorists, then the names which they give us, which are on their papers, are likely to become inaccurate over time. The 9/11 Commission report discussed Al Qaeda's training in forging and altering documents. We can only assume that this will increase as the need for it increases.

Many would-be terrorists may come from areas, like Somalia, without a functional ID card system. Others come from countries which are deeply corrupt. Even in an honest country like the United States, there is a great deal of fraudulent issuance of papers. In a country where the United States is feared or hated, it would be little trouble to get a new identity card or passport in a new name. Biometric-bearing documents or RFID-enabled documents do not help here. I am discussing issuance fraud, where a real passport is issued, based either on local document fraud, or complicity by the issuing office. It is unlikely in the extreme that we will have a database of those few known terrorists who are scary enough not to be allowed to fly, but not so conspiratorial as to be in jail, and that we will have their fingerprints. I can see Inspector Clouseau going undercover, attempting to fingerprint his terrorist suspects, and then trying to maintain a file of fingerprints, photos, and notes, but I can't imagine such an effort outside of farcical movies.

So as our database reaches undreamt-of heights of accuracy and usefulness, foreign document fraud will reduce its effectiveness until it is, at best, an adjunct to real security activity. So, given the question at hand, clearly other security activities are necessary, and this dream that ID cards will make us safe is, at best, and expensive distraction.

The Test

TSA has proposed collecting data on the millions of people who flew in June, 2004. As one of these people, I do not consent to my data being used for an ill-conceived test. As there were no terrorist attacks in the United States in June, 2004, the so-called test can only demonstrate that it will have false positives. It can not even show that the system will draw fewer false positives than the current system, because the number of no-fly matches is not tracked by TSA. (This is perfectly rational from the TSA's perspective, the number would be a national embarrassment.)

This test also is probably in violation of the privacy rights of Europeans, Canadians, Australians and New Zealanders who are protected by national privacy laws, and whose travel data, if booked from home, may be protected from such drag-nets as TSA is trying to implement. Given that the test serves no useful purpose, it seems a shame to expose the American taxpayers to the potential liabilities entailed.

The Imperfect System

So what if the system is imperfect? Is it still useful? It is important to address these questions, because if it were free of cost, free of distraction effects and free of harmful side effects, it might then be a good idea.

Unfortunately, $103 million dollars into the project, there is still no evidence that it can work. There is no evidence that the system can ever address these issues. There is, however, ample evidence that the system is irrepairably broken (Gordon et al. v. FBI et al.), that TSA has lied to the public, that TSA has taken substantial effort to evade Congressional scrutiny and requirements by renaming the program, that TSA is evading its commitments to the European Union, and that these problems are endemic and inherent. That $103 million and all the moneys not yet spent or allocated could be better spent by say, having a big bonfire. We would have caught as many terrorists, inconvenienced fewer travelers, and impinged on fewer civil liberties. And there would be no doubt that the money was wasted.

There are two important distractions caused by the CAPPS/CAPPS II/Secure Flight family of systems. The first is that the mirage of knowing who's trustworthy distracts us from building a system in which we accept that terrorists will slip through. There are numerous steps which could be taken, from weapons in cockpits, to more air marshals, to a redesign of the flight deck area as a whole, which would be better uses for this money. (For just one example, if the front of the aircraft had the flight deck, a restroom, and space for an air marshal all separated from the cabin by a locked and alarmed door, then anyone trying to reach the controls of the airplane would have to risk an armed air marshal who would be authorized to shoot if the door were opened. This is a change free of civil-liberties impact. It would have an effect on the operating costs of an airliner. Those costs could be weighed against faster lines, less and fewer intrusive searches, higher confidence from the flying public, which might increase the number of people willing to fly.)

The second is that as the CAPPS system sends far too many innocent people into 'secondary screening,' effort is taken from other threats. The FBI has complained about the effort taken to respond to those flagged as 'no-fly.' (See and associated documents.)

The 'computer is always right' syndrome has already been successful in keeping people like Senator Ted Kennedy off airplanes. The ratio of innocents to terrorists will train people that the computer really doesn't mean it when it flags someone.

The Harm of an Imperfect System

We have no good data about how widespread problems are because of the no-fly lists. We have numerous anecdotes. We have, thanks to the ACLU, FBI and TSA internal documents which show that the system frustrates the law enforcement officials who work with it. We know that many Americans have been refused the right to travel, or been forced to submit to unreasonable searches justified only by the poor algorithm designs of the CAPPS system. They include:

The right of Americans to peaceably assemble is protected by the First Amendment. Their right to do so anonymously, immune from police surveillance, has been upheld by the Supreme Court in NAACP v. Alabama. The current no-fly list has abused the rights of American citizens such as Rebecca Gordon, Janet Adams, and many others.

The right of Americans to petition Congress for a redress of wrongs is protected by the First Amendment. Activist John Gilmore was denied the ability to board a plane (perhaps under secret law), after asserting a 4th amendment right not to be searched except on reasonable suspicion. He was thus barred from traveling to discuss issues with his congressional representatives.

The right of Americans to free speech is protected by the First Amendment. Those exercising their free speech rights in their choice of reading, or t-shirts have found themselves subject to extra harassment from unaccountable TSA employees.

The right of Americans to be secure in their persons and papers against unreasonable searches, except on warrants issued by a Judge, is protected by the Fourth Amendment. This program abrogates those powers to a computer system, which the Justice department and TSA claim is immune to judicial review (Gilmore vs. Ashcroft). Recent releases of documents under FOIA show that the FBI is not satisfied with the way that data is entered into the system. If even the FBI is not satisfied with the system, imagine what the courts will decide when the TSA stops obstructing justice.

Some have argued that keeping Americans alive is a more fundamental goal than protecting our rights. That argument is specious, because CAPPS II and Secure Flight will not prevent another terrorist attack.

The idea that an American citizen should need the permission of the police in order to travel is repugnant. It is reminiscent of the Soviet system of Internal Passports. It should require a very high bar, a strongly reliable system and enhancement to the quality and security of Americans' lives, for such a thing to be considered. CAPPS/Secure Flight/ad nauseum do not come close to meeting those goals. They can not come close to meeting those goals. They do not make us safer. This program should be stopped from now until hell freezes over, or the problems outlines herein are fixed. Whichever comes first.