The TSA's first public notice for CAPPS II, printed in the Federal Register on Jan. 15, appears now to be an invitation to disaster. Looking at it, you wonder how the agency thought it could ever get away with such a bold plan. The notice seemed to contemplate an all-powerful worldwide police force, a group responsible for moving into action whenever CAPPS II determined that there might be even a "potential violation" of "civil or criminal law." In the first notice, the government also said that it intended to keep records on some people for "up to 50 years," and because it seemed almost purposefully vague, some critics saw the notice as suggesting that the government would deny flights to people with bad credit records or too many unpaid parking tickets or other minor infractions. The TSA vehemently denied that the program was as bad as its privacy notice seemed to suggest, but, with Scannell launching a high-profile boycott of Delta, the first airline that agreed to test CAPPS II, the entire proposal was quickly embroiled in controversy.

Since then, the Homeland Security Department has moved to quell the storm. In April, the department hired Nuala O'Connor Kelly, a lawyer and a former executive at the Internet advertising firm Doubleclick, as its first privacy officer. (Kelly was unavailable for comment to Salon.) Critics of CAPPS II say that Kelly has reached out to them and tried, whether out of earnestness or for public relations, to address their fears. Recently, the TSA met privately with Barr and Keene to see what they disliked about CAPPS II. And in the agency's new privacy notice for CAPPS II, the TSA indicates that it read some of the many public comments that poured in and that it tried to address at least some of them.

"I have no doubt of the genuineness of the effort to grapple with these problems," says James Dempsey of the Center for Democracy and Technology. "I think the first notice was a hide-the-ball notice" -- meaning that the agency seemed to be intentionally obfuscating the specifics of CAPPS II. "Now there's a genuine effort to say more or less what the thing is about."

But unfortunately for the TSA, the new, more specific notice -- published in the Federal Register on Aug. 1 -- also gave added ammunition to CAPPS II opponents. Before this notice, the TSA had not explained how it intended to get all of the data on travelers it needs to run CAPPS II. Was it going to get the information from airlines, or travel agents, or from individual travelers at the airport? All of that had been a mystery -- but now the whole thing is clear.

The TSA wants to tap into the four major worldwide databases that keep track of virtually all passenger records in the world. Most airline travelers have likely never heard of these systems, called computerized reservation systems, or CRSs, but they're vital for air travel -- as important as the planes themselves. The four databases are maintained by separate corporations: Sabre Holdings, which owns Travelocity.com; Galileo International, a subsidiary of the giant Cendant Corp.; Worldspan, a privately held American firm; and Amadeus, a Spanish company. If CAPPS II is imposed on the travel industry, these firms will need to make significant changes in their systems to accommodate the government's plans -- and critics of the proposed system say that the firms would accede to doing this only if they had the chance to somehow recoup their investment in CAPPS II. The theory is that after CAPPS II is implemented, these companies would make money by selling your travel data in much the same way that financial firms sell your credit history.

Edward Hasbrouck, a travel agent in San Francisco and the author of the "Practical Nomad" series of travel books, is an expert on the technology that keeps the travel industry humming. The system, he says, is both gargantuan and mind-numbingly complex; the worldwide constellation of airlines, travel agents, hotels, car rental agencies, cruise lines, travel Web sites and airports constitutes one of the largest computer networks in the world (until the mid-1990s, when it was overtaken by the Internet, it was the largest). It is also one of the most antiquated, depending on ages-old protocols to communicate between machines of varying sophistication. The TSA's proposal will require all these systems to integrate data that is not routinely collected -- when was the last time you gave your date-of-birth to book a flight? -- and will, consequently, cost the industry billions, he estimates.

But there could be a payoff. "The key impact of the proposal would be that it would enable the CRS to correlate previously separate reservations for trips into a lifelong history of your travel," Hasbrouck says. "That would mean that it would become very easy to investigate your travel history -- where you went, who you went with, did you stay in a gay resort, did you ask for one bed or two? It would be easy for them to use it for marketing data, and for the government to get it." Hasbrouck continues: "Are the CRSs now in a position to make a practice of selling to all comers what they'd like to know? 'We'd like to know who's rented a car in Cleveland for the last six months'? This is utterly unregulated. Many of [the CRS firms] don't even have any privacy policy -- and to the extent that they do, they the policies allow unrestricted affiliate sharing. Cendant, which owns Galileo, allows the sharing of data to affiliates" -- firms such as Avis, Budget, Travelodge, Howard Johnson, Century 21..."

In theory, says Hasbrouck, records collected by the CRS firms are kept forever: Although they are periodically "purged" from live databases, the CRSs keep them in archives for as long as possible. There is, in fact, no technical way to delete a single passenger record in a CRS database; the protocols are so old that, when the databases were built, nobody seems to have anticipated the need for a delete function. So every reservation you make, every reservation you cancel, everything piles up in the CRS database.

This, obviously, would be a gold mine for government snoops. And Hasbrouck says that CRS firms are always happy to cooperate with the government: "Every travel company privacy policy I've ever seen gives blanket permission to give any data in response to any request from the government" -- not a subpoena, but any informal request whatsoever.

On Aug. 11, Scannell read an article on CAPPS II in TravelAge West, a travel-agent industry trade publication, that contained this line: "Galileo has said it held limited discussions with the TSA and it will cooperate with testing." He says that this led him to check out some other sources, and he discovered that Galileo was working closely with the TSA on CAPPS II. On his Web site, he calls on passengers to book tickets with airlines that don't use Galileo, to boycott other Cendant products, and to sell off stock in the company. Scannell says that by working with CAPPS II, Galileo is helping to enable a de facto national I.D. card system and an "internal border-control" apparatus. "Is that the America we want?" Scannell asks. "Let's have a discussion about it. I'm personally against both, but let's have a national discussion, and let's not go through the back door."

Dawn Lyon, a spokeswoman for Cendant, said that there has been "a lot of confusion" over Galileo's role in CAPPS II. "Our involvement to date is that we have stated we will cooperate with the U.S. Department of Homeland Security during what they're classifying as a testing process," she said. The exact nature of that cooperation, though, has yet to be determined. Lyon also said that Galileo is not the only CRS cooperating with Homeland Security, though she did not say what the other firms were doing.

Lyon insisted that Galileo goes out of its way to ensure that the data it collects on travel is kept private and secure. "It's always at the forefront of our minds," she said. "We always comply with legal requirements that exist. The U.S. is just one country where we operate, and we've prided ourselves on working diligently to protect all customer data" and to make sure that it's not used for purposes other than the trip at hand. Lyon did not explicitly say that Galileo would never use the collected data for marketing. When asked about whether, after CAPPS II was implemented, she could see Galileo selling personal travel dossiers to anyone who paid, she said, "Our operating philosophy is that we will protect and work diligently to protect the privacy of customer data."

Recent Stories