Secure Flight program faces slow takeoff

Despite ambitious plans to begin rolling out the Secure Flight passenger-screening program early next year, the Transportation Security Administration has not yet finalized how the system will work or what information it will use.

TSA has ordered airlines to turn over passenger records for tests, which Justin Oberman, chief of TSA's National Risk Assessment Office, said are scheduled to begin "momentarily." The agency plans to bring the system online for the first airlines in early 2005.

"We're fairly confident" of that schedule, Oberman said yesterday at the e-Gov Institute's Homeland Security conference in Washington.

But Oberman said his office has not yet decided what personal information will be required to match passengers against government watch lists, or whether TSA will be able to run matches against commercial databases to verify identities. He said Secure Flight testing would include use of commercial data.

"I think the use of commercial data will be illuminating, whichever way the policy decision goes," he said.

Secure Flight is one of several initiatives intended to screen air travelers, which the 9/11 Commission identified as necessary in the wake of the 2001 terrorist attacks. Susan Ginsburg, the commission's border security team leader, said border security was not a national security priority before the attacks, and the intelligence community did not track travelers to spot likely terrorists.

Failures identified by the commission that let terrorists operate in this country include the lack of an integrated, fully operational watch list; insufficient attention paid at borders to travel documents; inadequate visa processes that do not detect falsehoods in applications; and inadequate enforcement of entry and overstay regulations.

Among the government's responses to these shortfalls is the Advance Passenger Information System, which provides border personnel with passenger lists for international flights entering the country. APIS was in use before the attacks, but airlines' participation was voluntary, said Paul Mangus, executive vice president of Bart & Associates Inc., an enterprise software integrator in Marietta, Ga.

The Aviation Transportation Security Act of 2001 made APIS mandatory, and the Homeland Security Department now receives 600,000 names a day through the program.

Mangus said TSA next week plans to launch eAPIS, a Web system to make APIS easier to use for small carriers. It will let carriers submit passenger information through a secure Web site. If they have the technology, they also can fill out forms automatically with data from reservation systems.

But TSA is relying on Secure Flight to screen 1.8 million domestic air passengers each day. It replaces the Computer Assisted Passenger Prescreening System II, an effort that TSA scrapped earlier this year because of privacy concerns. CAPPS II was itself a successor to CAPPS, a screening system that the airlines used before the Sept. 11 attacks.

For Secure Flight, TSA workers will do the screening and use it in conjunction with the current CAPPS, Oberman said.

TSA has $35 million to spend on Secure Flight this fiscal year and is preparing its fiscal 2006 budget request. Oberman said the agency would ramp up procurement activity early next year as the system rolls out to one or two airlines.
But the program faces major hurdles before that can begin.

Although TSA has commandeered airlines' passenger information from June to use in tests, Oberman said airlines don't collect much of the information needed for Secure Flight. For instance, people often do not provide a home phone number or home address when making flight reservations.

He also said there is no plan for how the privacy of additional personal information submitted to airlines would be protected. Such details presumably must be worked out before Secure Flight passes muster in a Government Accountability Office evaluation of security and privacy, mandated by Congress, before the system can go live.