Review of the Terrorist Screening Center's
Efforts to Support the Secure Flight Program
(Redacted for Public Release)
Audit Report 05-34
Office of the Inspector General
The need to strengthen commercial aviation security escalated after the attacks of September 11, 2001. Among other security measures, the U.S. government has sought to enhance the prescreening of passengers before they board commercial airliners at airports across the country.
The National Commission on Terrorist Attacks Upon the United States (9/11 Commission) recommended that the Transportation Security Administration (TSA) within the U.S. Department of Homeland Security (DHS) assume the responsibility for screening commercial airline passengers, and that the DHS use information contained within federal government watch lists to do so.9 The 9/11 Commission further recommended that air carriers be required to provide the TSA with the necessary passenger information to conduct such screening. Shortly thereafter, the Intelligence Reform and Terrorism Prevention Act of 2004 directed the Assistant Secretary of Homeland Security to "commence testing of an advanced passenger prescreening system that will allow the Department of Homeland Security to assume the performance of comparing passenger information . . . to the automatic selectee and no-fly lists, utilizing all appropriate records in the consolidated and integrated terrorist watch list maintained by the Federal Government."10
The Terrorist Screening Center's (TSC) consolidated terrorist watch list - known as the Terrorist Screening Database, or the TSDB - is intended to be used in the Secure Flight screening process. The TSC was established through Homeland Security Presidential Directive-6 on September 16, 2003, and began initial operations on December 1, 2003. The TSC is a multi-agency effort, administered by the FBI, and was created to consolidate the government's approach to terrorist screening.11
We conducted this review in response to House Report 109-072 (Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief 2005), which directed the Office of the Inspector General to evaluate the TSC's plan to support the Secure Flight program and to report to the House and Senate Appropriations Committee on the results of our review by August 1, 2005.
In the late-1990s, the Department of Transportation began using the Computer Assisted Passenger Prescreening System (CAPPS I) to screen air travelers and select individuals for additional airport security screening. Air carriers conducted this screening by comparing domestic airline passenger manifest information (passenger name records) against certain aviation risk criteria known as the CAPPS I rules. Additionally, after September 11, 2001, air carriers began comparing passenger information against: (1) the federal government's "no-fly" list, which includes names of individuals who are to be denied transport on commercial flights because they are deemed a threat to civil aviation; and (2) the federal government's "selectee" list, which includes names of individuals that air carriers are required to select for additional screening prior to permitting them to board an aircraft.
On November 19, 2001, Congress enacted the Aviation and Transportation Security Act, which established the Transportation Security Administration (TSA) in the Department of Transportation.12 On March 1, 2003, the TSA and its management of CAPPS I was transferred to the newly created Department of Homeland Security, as mandated in the Homeland Security Act of 2002.13
Also in March 2003, the TSA began developing the next phase of the CAPPS program, or CAPPS II, under the TSA's Office of National Risk Assessment. The CAPPS II program planned for transferring responsibility for prescreening passenger information from the airlines to the federal government. A Government Accountability Office (GAO) report compared the CAPPS II program to its predecessor and described the new initiative as a screening system "to perform different analyses and access more diverse data, including data from government and commercial databases, to classify passengers according to their level of risk (i.e., acceptable risk, unknown risk, or unacceptable risk), which would in turn be used to determine the level of security screening each passenger would receive."14 However, another review conducted by the GAO had identified a number of problems with the CAPPS II program that had not been addressed, including the lack of critical elements necessary for sound project planning and privacy protection.15 TSA officials cancelled CAPPS II in August 2004 in light of a DHS internal review of the program, the 9/11 Commission recommendation for including the terrorist watch list in the passenger screening process, and other factors.
Soon after the TSA cancelled the CAPPS II program, it announced the Secure Flight initiative. This new program for prescreening domestic commercial aviation passengers was intended to replace aspects of CAPPS II by screening passenger records against the government's consolidated watch list of known or suspected terrorists maintained by the TSC.
The TSA originally had planned to implement its Secure Flight program in April 2005. However, TSA delayed the start of the initial passenger prescreening operations to August 19, 2005. According to the March 2005 GAO report, the delay in the program implementation date and other supporting TSA milestones resulted from a number of factors, including the receipt of hundreds of comments on privacy issues related to Secure Flight.
In early July 2005, the TSA announced another change in Secure Flight's implementation date. As a result of the air carriers' request to TSA not to implement the program before the Labor Day holiday, the TSA pushed the launch date for the initial phase of Secure Flight (referred to as "pre-operational testing") to the second week of September 2005.
According to the TSA, Secure Flight will result in greater effectiveness, efficiency, and consistency by consolidating functions now separately conducted by 65 air carriers that transport 1.8 million passengers on 30,000 flights each day from approximately 450 airports where security screening is required.16 TSA officials said that when Secure Flight initially begins operations in September 2005, it will involve anywhere from one to seven carriers. The total number of passengers initially screened will be determined based upon the specific carriers involved. For example, in an initial estimate using two air carriers (one major and one minor carrier), the TSA estimated that approximately 350,000 domestic passengers would be screened per day. This number represents approximately 20 percent of the 1.8 million total domestic airline passengers per day. In fiscal year (FY) 2006, the Secure Flight program is expected to gradually increase the number of carriers involved. According to the TSA, full implementation of Secure Flight is currently scheduled for FY 2007.17
To bring air passenger prescreening under government control and include the consolidated terrorist watch list in the screening process, the TSA, working in conjunction with the TSC, developed an initial flow chart that illustrated the process of exchanging critical data and the performance of essential tasks.
According to the flow chart, when an individual makes or changes a flight reservation with a commercial airline, a record is created in the airline's reservation system.18 [SENSITIVE INFORMATION REDACTED] prior to the passenger's departure, the airlines will electronically transmit a portion of the record to the TSA Secure Flight office.19 The Secure Flight system will electronically compare this record against a copy of the TSDB residing at the TSA. Possible matches against the database (called "hits") will be sent to a TSA Secure Flight analyst for additional review, while records that did not result in a hit against the TSDB will be cleared with the airline for passenger travel. For all passenger records that result in a hit against the database, the TSA will electronically notify the airline that the passenger cannot be issued a boarding pass. When handling hits, the TSA Secure Flight analyst will search the National Counterterrorism Center's (NCTC) Terrorist Identities Datamart Environment (TIDE) in an effort to eliminate any false positives from these initial matches.20
Watch list hits that have not been cleared by TSA analysts will be electronically transmitted to the TSC for final adjudication. The record transmitted to the TSC will contain passenger information as well as the results of the TSA Secure Flight analyst's efforts to adjudicate the match. The TSC analyst will review the record, conduct additional database searches, and make a final determination as to whether the individual attempting to travel is a valid match against the consolidated terrorist watch list.21 For encounters with individuals who are determined to be valid hits against the watch list, the TSC will notify the appropriate responding agency. The following chart provides an overview of the flow of information in the Secure Flight process.
Overview of Secure Flight Information Flow