(Hellen E. Spear) Secure Flight Program Airline P

TRANSPORTATION ISSUES, POLICIES AND R&D
SECURE FLIGHT PROGRAM

AIRLINE PASSENGER
SCREENING EFFORTS
No part of this digital document may be reproduced, stored in a retrieval system or transmitted in any form or
by any means. The publisher has taken reasonable care in the preparation of this digital document, but makes no
expressed or implied warranty of any kind and assumes no responsibility for any errors or omissions. No
liability is assumed for incidental or consequential damages in connection with or arising out of information
contained herein. This digital document is sold with the clear understanding that the publisher is not engaged in
rendering legal, medical or any other professional services.
TRANSPORTATION ISSUES,
POLICIES AND R&D
Additional books in this series can be found on Nova’s website

under the Series tab.
Additional e-books in this series can be found on Nova’s website

under the e-book tab.
TRANSPORTATION ISSUES, POLICIES AND R&D
SECURE FLIGHT PROGRAM

AIRLINE PASSENGER
SCREENING EFFORTS
HELLEN E. SPEAR
EDITOR
New York
Copyright © 2015 by Nova Science Publishers, Inc.
All rights reserved. No part of this book may be reproduced, stored in a retrieval system or
transmitted in any form or by any means: electronic, electrostatic, magnetic, tape,
mechanical photocopying, recording or otherwise without the written permission of the
Publisher.
For permission to use material from this book please contact us:
Telephone 631-231-7269; Fax 631-231-8175
Web Site: http://www.novapublishers.com
NOTICE TO THE READER

The Publisher has taken reasonable care in the preparation of this book, but makes no
expressed or implied warranty of any kind and assumes no responsibility for any errors or
omissions. No liability is assumed for incidental or consequential damages in connection
with or arising out of information contained in this book. The Publisher shall not be liable
for any special, consequential, or exemplary damages resulting, in whole or in part, from
the readers’ use of, or reliance upon, this material. Any parts of this book based on
government reports are so indicated and copyright is claimed for those parts to the extent
applicable to compilations of such works.
Independent verification should be sought for any data, advice or recommendations

contained in this book. In addition, no responsibility is assumed by the publisher for any
injury and/or damage to persons or property arising from any methods, products,
instructions, ideas or otherwise contained in this publication.
This publication is designed to provide accurate and authoritative information with regard
to the subject matter covered herein. It is sold with the clear understanding that the
Publisher is not engaged in rendering legal or any other professional services. If legal or any
other expert assistance is required, the services of a competent person should be sought.
FROM A DECLARATION OF PARTICIPANTS JOINTLY ADOPTED BY A
COMMITTEE OF THE AMERICAN BAR ASSOCIATION AND A COMMITTEE OF
PUBLISHERS.
Additional color graphics may be available in the e-book version of this book.
Library of Congress Cataloging-in-Publication Data
ISBN: (eBook)
Published by Nova Science Publishers, Inc. † New York

CONTENTS
Preface vii
Chapter 1 Risk-Based Approaches to Airline Passenger Screening 1
Bart Elias
Chapter 2 Secure Flight: TSA Should Take Additional Steps to
Determine Program Effectiveness 31
United States Government Accountability Office
Chapter 3 Secure Flight: TSA Could Take Additional Steps to
Strengthen Privacy Oversight Mechanisms 83
Chapter 4 The No Fly List: Procedural Due Process and Hurdles
to Litigation 117
Jared P. Cole
Index 147
PREFACE
This book examines changes to the Secure Flight program since 2009;
TSA’s efforts to ensure that Secure Flight’s screening determinations for
passengers are implemented at airport checkpoints; and the extent to which
program performance measures assess progress toward goals.
Chapter 1 – Until recently, the Transportation Security Administration
(TSA) had applied relatively uniform methods to screen airline passengers,
focusing primarily on advances in screening technology to improve security
and efficiency. TSA has recently shifted away from this approach, which
assumes a uniform level of risk among all airline travelers, to one that focuses
more intently on passengers thought to pose elevated security risks. Risk-
based passenger screening includes a number of initiatives that fit within a
broader framework addressing security risks, but specifically emphasizes the
detection and management of potential threats posed by passengers.
Various risk-based approaches to airline passenger screening have been
used since the early 1970s, including the application of rudimentary behavioral
profiles, security questions, and analysis of ticket-purchase data to look for
indicators of heightened risk. Additionally, “no-fly” lists were developed to
prevent known or suspected terrorists from boarding aircraft, but prior to the
terrorist attacks on September 11, 2001, these lists were not robust and proved
ineffective.
Following the 9/11 attacks, TSA’s initial risk-based efforts focused on
integrating checks of passenger name records against the “no fly” list of
individuals to be denied boarding and the “selectee” list of individuals of
elevated risk requiring more thorough secondary screening. These efforts
culminated in the deployment of Secure Flight, which screens each
passenger’s full name and date of birth against terrorist watchlists.
viii Hellen E. Spear
Additionally, international passengers are screened by U.S. Customs and

Border Protection (CBP), which uses the Advance Passenger Information
System (APIS) and the Automated Targeting System-Passenger (ATS-P) to
conduct risk assessments.
At airports, TSA employs behavioral detection and analysis under the
Screening Passengers by Observational Techniques (SPOT) program in an
effort to identify suspicious passengers. Another risk-based security program
is Pre-Check, a trusted traveler program designed to expedite processing of
low-risk passengers. In addition to the Pre-Check participants, TSA is routing
certain other passengers through expedited lanes using behavior detection
officers and canine teams to screen for suspicious behavior and explosives
under an initiative called managed inclusion.
Implementation of risk-based passenger screening raises numerous issues
of congressional interest. These include the efficacy of the SPOT program;
how the various elements and programs complement each other and integrate
with TSA’s other layers of security; the risk-based approach’s ability to adapt
and evolve over time; the ability to measure its effectiveness; the potential
impacts of false positives on the traveling public; and implications for
safeguarding data and maintaining privacy.
Chapter 2 – In 2009, DHS’s TSA began using Secure Flight to screen
passengers against high-risk lists. These lists, subsets of the TSDB—the U.S.
government’s consolidated list of known and suspected terrorists—included
the No Fly List, to identify those who should be prohibited from boarding
flights, and the Selectee List, to identify those who should receive enhanced
screening at airport checkpoints.
GAO was asked to assess the current status of the program. This report
examines (1) changes to the Secure Flight program since 2009, (2) TSA’s
efforts to ensure that Secure Flight’s screening determinations for passengers
are implemented at airport checkpoints, and (3) the extent to which program
performance measures assess progress toward goals. GAO analyzed TSA data
and documents—including checkpoint data from 2012 through 2014 and
Secure Flight performance measures—and interviewed relevant DHS officials.
Chapter 3 – Since 2009, Secure Flight has changed from a program that
identifies passengers as high risk solely by matching them against subsets of
the TSDB, to one that uses PII and other information to assign passengers a
risk category: high risk, low risk, or unknown risk. Secure Flight has
established privacy oversight mechanisms to protect this PII.
GAO was asked to assess the current status of the Secure Flight program.
In July 2014, GAO reported on the status of the program’s operations,
Preface ix
including changes to the program since 2009, implementation of Secure Flight

screening determinations at airport checkpoints, and program performance
measures. This report examines (1) the extent to which TSA has implemented
privacy oversight mechanisms to address Secure Flight privacy requirements,
and (2) the extent to which DHS’s redress process addresses any delays and
inconveniences that result from Secure Flight screening. GAO analyzed TSA
data for fiscal years 2011 through 2013 and documents—including Secure
Flight privacy training materials, documentation of privacy protections, and
processing times for redress cases—and interviewed relevant DHS officials.
Chapter 4 – In order to protect national security, the government maintains
various terrorist watchlists, including the “No Fly” list, which contains the
names of individuals to be denied boarding on commercial airline flights.
Travelers on the No Fly list are not permitted to board an American airline or
any flight on a foreign air carrier that lands or departs from U.S. territory or
flies over U.S. airspace. Some persons have claimed that their alleged
placement on the list was the result of an erroneous determination by the
government that they posed a national security threat. In some cases, it has
been reported that persons have been prevented from boarding an aircraft
because they were mistakenly believed to be on the No Fly list, sometimes on
account of having a name similar to another person who was actually on the
list. As a result, various legal challenges to placement on the list have been
brought in court.
The Department of Homeland Security operates a redress process for
people who encounter difficulties while traveling. The government’s policy,
however, is never to confirm or deny whether someone is on the No Fly list;
and the redress process does not provide travelers with an opportunity to
contest their alleged placement on the No Fly list. Instead, the redress process
consists of an administrative review by the government, which can be
followed by an ex parte, in camera judicial review by a United States court of
appeals.
The Due Process Clause provides that no person shall be “deprived of life,
liberty, or property, without due process of law.” Accordingly, when a person
has been deprived of a constitutionally protected liberty interest, the
government must follow certain procedures. Several courts have found that
placement on the No Fly list may impair constitutionally protected interests,
including the right to travel internationally, and the government’s redress
procedures must therefore satisfy due process. Typically, due process requires
that the government provide a person with notice of the deprivation and an
opportunity to be heard before a neutral party. However, the requirements of
x Hellen E. Spear
due process are not fixed, and can vary according to relevant factors. When
determining the proper procedural protections in a given situation, courts
employ the balancing test articulated by the Supreme Court in Matthews v.
Eldridge, which weighs the private interests affected against the government’s
interest. Courts applying this balancing test might consider several factors,
including the severity of the deprivation involved in placement on the No Fly
list. In addition, courts may examine the risk of an erroneous deprivation under
the current procedural framework and the potential value of imposing
additional procedures on the process. Finally, courts may inquire into the
government’s interest in preserving the status quo, including the danger of
permitting plaintiffs to access sensitive national security information.
Resolution of the issue is currently pending as at least two federal courts
have ruled that the government’s redress procedures for travelers challenging
placement on the No Fly list violate due process. Litigation is further
complicated by several legal hurdles, such as the state secrets privilege, that
can bar plaintiffs from accessing certain information.
In: Secure Flight Program ISBN: 978-1-63463-643-8
Editor: Hellen E. Spear © 2015 Nova Science Publishers, Inc.
Chapter 1
RISK-BASED APPROACHES
∗
TO AIRLINE PASSENGER SCREENING
Bart Elias
SUMMARY
Until recently, the Transportation Security Administration (TSA) had
applied relatively uniform methods to screen airline passengers, focusing
primarily on advances in screening technology to improve security and
efficiency. TSA has recently shifted away from this approach, which
assumes a uniform level of risk among all airline travelers, to one that
focuses more intently on passengers thought to pose elevated security
risks. Risk-based passenger screening includes a number of initiatives
that fit within a broader framework addressing security risks, but
specifically emphasizes the detection and management of potential threats
posed by passengers.
Various risk-based approaches to airline passenger screening have
been used since the early 1970s, including the application of rudimentary
behavioral profiles, security questions, and analysis of ticket-purchase
data to look for indicators of heightened risk. Additionally, “no-fly” lists
were developed to prevent known or suspected terrorists from boarding
aircraft, but prior to the terrorist attacks on September 11, 2001, these
lists were not robust and proved ineffective.
∗
This is an edited, reformatted and augmented version of a Congressional Research Service
publication R43456, prepared for Members and Committees of Congress, dated March 31,
2014.
2 Bart Elias
Following the 9/11 attacks, TSA’s initial risk-based efforts focused

on integrating checks of passenger name records against the “no fly” list
of individuals to be denied boarding and the “selectee” list of individuals
of elevated risk requiring more thorough secondary screening. These
efforts culminated in the deployment of Secure Flight, which screens
each passenger’s full name and date of birth against terrorist watchlists.
Additionally, international passengers are screened by U.S. Customs and
Border Protection (CBP), which uses the Advance Passenger Information
System (APIS) and the Automated Targeting System-Passenger (ATS-P)
to conduct risk assessments.
At airports, TSA employs behavioral detection and analysis under
the Screening Passengers by Observational Techniques (SPOT) program
in an effort to identify suspicious passengers. Another risk-based
security program is Pre-Check, a trusted traveler program designed to
expedite processing of low-risk passengers. In addition to the Pre-Check
participants, TSA is routing certain other passengers through expedited
lanes using behavior detection officers and canine teams to screen for
suspicious behavior and explosives under an initiative called managed
inclusion.
Implementation of risk-based passenger screening raises numerous
issues of congressional interest. These include the efficacy of the SPOT
program; how the various elements and programs complement each other
and integrate with TSA’s other layers of security; the risk-based
approach’s ability to adapt and evolve over time; the ability to measure its
effectiveness; the potential impacts of false positives on the traveling
public; and implications for safeguarding data and maintaining privacy.
AIRLINE PASSENGER SCREENING

IN THE POST-9/11 CONTEXT
Airline passenger screening in the United States has been transformed

since the 9/11 terrorist attacks. These transformations fall into two broad
categories: new screening technologies, including advanced X-ray systems for
screening carry-on items and whole-body scanners, and changes in policies,
procedures, and practices such as requiring passengers to remove laptop
computers and liquids from their carry-on luggage at the time of screening.
These changes have been overseen by the Transportation Security
Administration (TSA), the federal agency created in the aftermath of the 9/11
terrorist attacks under provisions in the Aviation Transportation and Security
Act (ATSA; P.L. 107-71).
Risk-Based Approaches to Airline Passenger Screening 3
In ATSA, Congress mandated that TSA provide for comprehensive

security screening of all airline passengers and property carried aboard
passenger air carrier aircraft. ATSA, however, gave TSA authority to
implement trusted traveler programs and utilize available technologies to
expedite the security screening of passengers participating in such programs in
order to allow screening personnel to focus on passengers who should be
subject to more extensive screening. Subsequently, Congress (see P.L. 108-
458) directed TSA to assume responsibility for checking all airline passengers
against terrorist watchlists maintained by the federal government.
Implementing these and other risk-based facets of passenger screening proved
to be extremely challenging. Consequently, TSA has mostly relied on an
assumption of uniform risk among airline passengers in its approach to airport
checkpoint screening. This stands in contrast to the risk-based strategies TSA
has employed to address other aspects of aviation security, such as air cargo
security and security of charter and non-commercial operators.
Technologies such as whole-body imagers and advanced X-ray

equipment have improved detection of a broad array of threat objects,
including nonmetallic weapons and explosives, but technology limitations,
budgetary considerations, and other factors have placed constraints on a
strictly technology-driven approach.
The uniform approach to screening has proven problematic. Under this

approach, efforts to improve screening capabilities and streamline the
screening process have primarily focused on technology. Technologies such as
wholebody imagers and advanced X-ray equipment have improved detection
of a broad array of threat objects, including non-metallic weapons and
explosives, but technology limitations, budgetary considerations, and other
factors have placed constraints on a strictly technology-driven approach to
airport screening. TSA personnel have limited time and resources to screen
passengers and property at airports without creating unacceptably long wait
times. Space limitations at airports and congressional limitations on screener
hiring have constrained TSA’s capability to address these concerns simply by
adding screening lanes and personnel.1 Airline passengers continue to face
sometimes cumbersome procedures, such as removing shoes and separating
laptop computers for X-ray screening, that can make airport wait times
unpredictable and even deter travelers from flying.
Inflexible security methods may have tainted public perceptions of TSA—
a 2012 poll showed 54% of Americans thought TSA was doing a good or
4 Bart Elias
excellent job2—and led to sharp criticism from experts such as former TSA
Administrator Kip Hawley, who has argued, “In attempting to eliminate all
risk from flying, we have made air travel an unending nightmare ..., while at
the same time creating a security system that is brittle where it needs to be
supple.”3
TSA has responded to such criticisms by attempting to shift from an
approach that assumes a uniform level of risk among all airline travelers to one
that focuses on passengers thought to pose elevated security risks. Risk-based
screening has itself been controversial; while some initiatives have been
encouraged or even directed by Congress, others have met with considerable
skepticism among some Members of Congress or outside groups. The
controversy derives, in part, from widely divergent views of what constitutes
risk and how risk should be appropriately assessed and mitigated.
WHAT IS RISK?
The dilemma over where to appropriately focus security efforts can be
informed by the advice Frederick the Great offered to his generals: “Little
minds try to defend everything at once, but sensible people look at the main
point only; they parry the worst blows and stand a little hurt if thereby they
avoid a greater one. If you try to hold everything, you hold nothing.”4 That
view was echoed more recently by former Secretary of Homeland Security
Michael Chertoff, who wrote in 2006, “In a free and open society, we simply
cannot protect every person against every risk at every moment in every place.
There is no perfect security.”5
While security is necessarily imperfect, it nonetheless can be configured in
an informed manner designed to minimize risk. The preliminary step in this
process is to reach an understanding of the nature and characteristics of the
security risk, followed by an identification of specific strategies to mitigate or
manage that risk.
In the aviation security context, risk is often framed as a complex

interaction of three underlying factors: threats, vulnerabilities, and
consequences.
A general definition of risk focuses on the probability of incurring some

type of loss. In the aviation security context, risk is most often framed as a
complex interaction of three underlying factors: threats, vulnerabilities, and
consequences.6 Although risk is a probabilistic construct, the ability to assign

specific probability values to individual threats and vulnerabilities in the
aviation security context is limited.
Consequently, risk-based practices settle for categorical techniques and
scoring methods to quantify threats, vulnerabilities, and security risk in less
precise terms.
A comprehensive risk-based aviation security strategy attempts to mitigate
all three elements of risk. Risk-based passenger screening includes a number
of initiatives that fit within this broader framework, but it focuses specifically
on detecting and managing the threat element of risk.
Risk is mitigated by identifying individuals who may pose threats and
utilizing detection technologies to screen for weapons, explosives, and other
threat objects. Vulnerabilities are identified through various assessment
techniques and addressed through multiple layers of security, such as
reinforcing cockpit doors, deploying air marshals aboard planes, and changing
security protocols based on known or perceived threats.
In contrast to threat and vulnerability, consequences are generally assessed
in terms of their potential severity, often to derive a risk valuation and assess
costs and benefits of specific security strategies. Consequences, however, are
primarily mitigated by emergency management and response and post-incident
recovery activities. These activities are primarily the responsibility of airports,
airlines, and state and federal emergency management agencies, and are not a
principal concern of TSA.
Defining the risk environment and specifying acceptable and unacceptable
levels of risk are key challenges in establishing an effective risk-based strategy
for aviation security. With respect to air cargo security, TSA has made
extensive use of risk scoring to assess risks and plan security strategy. With
respect to commercial passenger aviation, however, the practice of risk scoring
of individuals has been considered so complex and controversial that it has not
been a central part of TSA’s strategy. Rather, risk assessment7 of airline
passengers is performed primarily through categorical processes, such as by
assigning passengers to low-threat, unknown or elevated threat, and high threat
categories after checking biographical data against terrorist and criminal
databases. Risk-based techniques also examine some behavioral indicators,
such as ticket purchasing characteristics and overt behaviors exhibited at the
airport. These indicators are used to derive behavioral-based risk scores, but
the validity of these methods has been questioned.8
6 Bart Elias
There may not be agreement on what specific risks a risk-based security

strategy should seek to mitigate.
Complicating matters further, there may not be agreement on what

specific risks a risk-based security strategy should seek to mitigate. One
example of this occurred following TSA’s March 2013 proposal to allow
passengers to carry small knives and certain sports equipment onboard aircraft,
reversing a long-standing ban. The agency asserted that the threat posed by
these items had diminished and that other security layers, such as deployment
of armed air marshals aboard some flights, arming of some pilots through the
Federal Flight Deck Officers (FFDO) program, and reinforcement of cockpit
doors sufficiently mitigated the risk of a hijacking or terrorist attack posed by
small knives, golf clubs, and baseball bats. Critics, including organizations
representing flight attendants, pilots, and airlines, argued that TSA had failed
to adequately consider risks unrelated to hijacking and terrorism, such as those
posed by unruly passengers wielding knives and golf clubs aboard planes.
After legislation was introduced to prevent TSA from lifting its ban on small
knives, TSA announced that it would not proceed with its proposal.9
ELEMENTS OF RISK-BASED SECURITY

Risk-based passenger screening stands in contrast to TSA’s historical
approach of prohibiting certain items aboard aircraft and instructing
screeners to focus on enforcing those prohibitions.
At the operational level, risk-based passenger screening stands in contrast

to TSA’s historical approach of prohibiting certain items aboard aircraft and
instructing screeners to focus on enforcing those prohibitions. This comports
with the concerns raised by former TSA administrator Hawley, who wrote of
the dilemma faced by TSA screeners, “the fear of missing even the smallest
thing, versus the likelihood that you’ll miss the big picture when you’re
focused on the small stuff.”10
Hawley’s objections are shared by Raphael Ron, an Israeli expert on
aviation security and counterterrorism. Ron asserts that reliance on prohibited
items lists and detection technology reduces the security system’s ability to
respond to shifting threat landscapes; he notes that the box cutters used by
hijackers in the 9/11 attacks were not prohibited items at the time. As he
writes, “Terrorists love our detection technology because they can trust that it
will not do what it is not designed to do and never did before. In a sense, our
technology gives the terrorist a positive feedback on what to expect.” Ron
claims that there has never been a case in which a planned terrorist attack was
prevented by the detection of threat items alone.11
Comments such as Hawley’s and Ron’s point to an approach that does not
dispense with detection technologies, but integrates detection capabilities with
other measures for assessing threats and minimizing vulnerabilities. Such an
approach might depart from TSA’s historical practice of using relatively rigid
and inflexible measures to screen passengers in a uniform manner. They might
require the agency to be more proactive, as opposed to largely reactive, with
respect to specific threats and incidents, and to emphasize flexibility and
unpredictability.
Advocates of risk-based security frequently point to Israel, which employs
demographic profiling, intelligence and law enforcement databases, and
extensive security interviews to identify passengers deemed to pose high risks.
These individuals are then subject to heightened screening measures and in-
depth inquiries to assess any potential threat before they are allowed to board a
plane. Despite continued threats, Israel has avoided any major terrorist attacks
against its airlines and airports for over 40 years. The exact role that its
methods have played in deterring or preventing such attacks is undetermined.
Regardless, adopting an Israeli-style approach in the United States is
considered to be problematic, both legally and pragmatically. Research by
TSA’s Kenneth Fletcher concluded that a risk-based approach to passenger
screening tailored to meet the specific operational and legal framework of
aviation security in the United States would be more effective, as well as more
politically feasible, socially acceptable, and legally defensible, than the
extensive interviewing and targeted screening carried out under the Israeli
airport security model.12
Table 1 identifies the principal attributes of a comprehensive risk-based
aviation security framework, as described by scholars of the subject.
Risk-based screening should be understood as part of a comprehensive,
multi-layered approach to aviation security rather than as an alternative
approach. Risk-based programs closely interact with physical screening
checkpoint measures to allow TSA to focus physical screening resources on
unknown and elevated risk passengers. They also inform the protocols TSA
utilizes to modify security postures based on known or perceived threats. It is
possible that risk-based programs affect decisions related to the posting of
behavioral detection officers and the deployment of air marshals by identifying
8 Bart Elias
which passengers should be more closely observed and which flights may be
considered high-risk, although details about the interaction of these security
components have not been disclosed publicly.
Table 1. Attributes of a Comprehensive Risk-Based Approach to Security
Attribute Description
Intelligence Driven Intelligence information and analysis including both threat and
vulnerability assessments informs decisions regarding security
policies, procedures, practices, and postures.
Unpredictable Elements of the security system should not be routine, predictable, or
overly rigid, and should maintain some degree of random assignment
to various screening techniques. Procedures attempt to minimize the
opportunity for adversaries to test the system in an effort to uncover
latent vulnerabilities.
Adaptable The security system is not overly rigid and can adapt, sometimes on
very short notice, to a changing threat picture. Moreover,
implementation must adapt to cultural norms, societal constraints, and
legal processes, which may also shift over time.
Evolving The security system is not overly rigid, but rather is capable of
evolving to incorporate new technologies, new approaches, and
changing threat landscapes.
Layered The security system incorporates multiple elements, relatively
independent and isolated from one another, and employs
redundancies implemented in a coordinated manner so that a failure
of one component does not expose the entire system to an
unacceptable level of risk.
Source: CRS analysis, based on Raphael Ron, “Airport Security: A National Security
Challenge,” Policy Brief, International Border Security Forum, Washington, DC:
The German Marshall Fund of the United States, May 2013; Kenneth C. Fletcher,
“Aviation Security: A Case for Risk-Based Passenger Screening,” thesis, Naval
Postgraduate School, Monterey, CA, December 2011; and Bartholomew Elias,
Airport and Aviation Security: U.S. Policy and Strategy in the Age of Global
Terrorism (Boca Raton, FL: CRC Press, 2010), pp. 133-158.
RISK-BASED APPROACHES APPLIED

TO AIRLINE PASSENGERS
Risk-based approaches to airline passenger screening have been used since

the early 1970s. At that time, before 100% screening of all airline passengers
went into effect in 1973, the Federal Aviation Administration (FAA) used
rudimentary passenger profiles to determine whether to screen particular

passengers and search their carry-on items.13 In the late 1970s, as walk-
through metal detectors and X-ray scanners for carry-ons were deployed at
commercial passenger airports and became mandatory, these risk-based
profiling techniques were largely abandoned, although FAA continued to
utilize profiling tools to examine information in airlines’ passenger name
records that could signal an increased threat.
In the late 1980s, concern over aircraft bombings led FAA to require that
airlines ask all passengers two basic security questions:
• Has anyone unknown to you asked you to carry any items on this
flight?
• Have any of the items you are traveling with been out of your
immediate control since the time you packed them?
The questions served for years as rudimentary security screening

measures, primarily to target elevated-risk checked baggage, but were often
criticized because their intent seemed so obvious and they were typically
posed by airline ticket agents with little or no security training. Nonetheless,
they served to heighten passenger awareness of potential security threats and
reflected the real threat posed by bombers who may try to dupe an unwitting
individual into carrying a device aboard an aircraft (see Text Box). Although
several other countries and some foreign airlines continue to use these or
similar questions, usually as part of more in-depth interviews or questioning
conducted by security screeners, TSA eliminated use of the questions in
2006.14
Unwitting Bomb Carriers
On November 1, 1955, the crash of United Airlines Flight 629 killed all
44 on board shortly after departing Denver, CO. The cause of the crash was
determined to be a dynamite bomb. John Gilbert Graham confessed to
secretly placing the bomb in his mother’s suitcase. He was convicted of
killing his mother and was executed in 1957.
It has been speculated, but never proven, that the crash of National
Airlines Flight 967 on November 16, 1959, was caused by a concealed
explosive device brought aboard unknowingly by an ex-convict who was
carrying a package given him by a friend from prison.
10 Bart Elias
The suspect is thought to have talked his friend into traveling on a

ticket purchased in the suspect’s name in a scheme to collect a life
insurance payment. All 42 on board were killed when the aircraft crashed in
the Gulf of Mexico on a flight from Tampa, FL, to New Orleans, LA.
On April 17, 1986, Israeli security officers conducting preflight
interrogations of passengers at London Heathrow Airport found an
improvised explosive device in a bag carried by a pregnant Irish woman.
She claimed that the bag had been packed and given to her by her fiancé, a
Jordanian national, who told her he would be traveling separately and
would meet her later in Israel. The incident is frequently cited as an
example of the effectiveness of Israel’s airline security techniques and
motivation for questioning all passengers about the contents of their
baggage.
Following the December 21, 1988, bombing of Pan Am Flight 103 over
Lockerbie, Scotland, FAA and the airlines developed the Computer-Assisted
Passenger Pre-Screening (CAPPS) system, which was implemented in the late
1990s. CAPPS resides on airline reservation systems and relies on patterns in
flight reservation data to identify passengers considered to pose potential
security threats. While the specific algorithms used by CAPPS, which is now
overseen by TSA, are security sensitive, it has been reported that indicators
may include purchasing a one-way ticket or paying with cash.15 Separately,
FAA, in coordination with the Federal Bureau of Investigation (FBI),
developed a list of known terrorists who were to be denied boarding: the “no-
fly” list. However, on the day of the 9/11 attacks only 12 names were on the
list, none of them the 9/11 hijackers, even though other government terrorist
watchlists contained tens of thousands of names.16
After the 9/11 attacks, ATSA directed TSA to establish requirements for
trusted traveler programs and to use available technologies to expedite
screening for participating passengers, thereby allowing screening personnel to
focus on those passengers who should be subject to more extensive screening.
The act, along with the subsequent Intelligence Reform and Terrorism
Prevention Act of 2004 (P.L. 108-458), directed TSA to ensure that CAPPS or
any successor system be used to evaluate all passengers prior to boarding, and
to assure adequate screening of passengers selected by such systems as well as
their carry-on and checked baggage. This emphasis on risk-based screening
reflected recommendations made by the Department of Transportation Airport
Security Rapid Response Team, formed in response to the 9/11 attacks.
Specifically, the team found an urgent need to establish a nationwide program
for voluntarily submitting information for vetting passengers in order to

expedite processing of the vast majority of travelers, thus allowing aviation
security resources to be focused more effectively. The team also recommended
that passenger prescreening performed using CAPPS be applied to assess
passenger risk on all flights.17
In response to these mandates, TSA initiated work on a follow-on system
to CAPPS. Dubbed CAPPS II, the system endeavored to encompass identity
authentication, watch list checks, and expanded risk-based assessments of
passengers. As initially envisioned, CAPPS II was to integrate checks of
passenger name records against the “no fly” list of individuals to be denied
boarding and the “selectee” list of individuals of elevated risk requiring more
thorough secondary screening. It was to include the capability to categorize or
score passengers based on threat assessments, potentially using additional
government and commercial databases. Controversy over privacy, data
protection, and redress processes led TSA to scrap CAPPS II development in
2004, and move forward with a more focused effort to screen all passengers
against terrorist watchlists.
SECURE FLIGHT
Despite missteps in developing CAPPS II, the 9/11 Commission formally
recommended in 2004 that the “no fly” and “automatic selectee” lists be
improved, and that air passengers be screened not only against these lists, but
against the “larger set of watchlists maintained by the federal government.”18
The commission urged that screening be performed by TSA, not by air
carriers, and that carriers be required to supply the information needed to test
the new prescreening system.
Reflecting the recommendations of the 9/11 Commission, the

Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458)
required TSA to assume the passenger watchlist screening function from air
carriers, after it established a way to utilize the greater set of watchlists
integrated in the Terrorist Screening Database (TSDB) administered by the
FBI.
Reflecting the recommendations of the 9/11 Commission, the Intelligence

Reform and Terrorism Prevention Act of 2004 (P.L. 108-458) required TSA to
assume the passenger watchlist screening function from air carriers, after it
12 Bart Elias
established a way to utilize the greater set of watchlists integrated in the

Terrorist Screening Database (TSDB) administered by the FBI. Appropriations
language, however, expressly forbade TSA from employing algorithms to
assign risk scores to passengers or from using commercial data other than
airline passenger name records in assessing passenger risk.19
In October 2008, TSA published a final rule detailing the operational
implementation of this program, which it called “Secure Flight.”20 The
program was implemented for domestic flights in 2009 and for international
flights in 2010. Secure Flight has been fully operational since 2011, screening
passenger biographic information against terrorist watchlists, principally the
TSDB.
The “no fly” and “selectee” (or “automatic selectee”) lists are subsets of
this database. While the specifics are classified, TSA said in 2008 that the full
TSDB contained fewer than 400,000 names, of which about 50,000 identities
were included in either the “no fly” or “selectee” subsets.21 More recently, the
news media reported in May 2013 that the larger Terrorist Identities Datamart
Environment, or TIDE—a repository maintained by the National
Counterterrorism Center that serves as a principal source of foreign identities
included in the TSDB—has grown to include about 875,000 names.22 TIDE
serves as a principal data source for foreign terrorist identities included in the
TSDB. The expansion of TIDE was attributed in large part to increased
reliance on the system in the aftermath of the failed bombing attempt on
Northwest Flight 253 on December 25, 2009, and subsequent reviews of
intelligence community practices. The TSDB has also expanded, reportedly
containing more than 500,000 identities as of September 2012, as improving
watchlist practices, with a particular emphasis on processing nominations and
removals to assure timeliness, accuracy, and completeness, has been a
significant focus of intelligence community efforts since the attempted
bombing.23
Functionally, Secure Flight compares data from airline passenger name
records against the “no fly” and “selectee” lists, and in certain cases, against
the full TSDB, to determine whether passengers and other individuals seeking
access through airport checkpoints (such as family members assisting disabled
travelers or children traveling as unaccompanied minors) should be denied
access or subject to additional screening measures. Additionally, Secure Flight
compares passenger names to a list of individuals provided by the Centers for
Disease Control and Prevention of persons who should be denied boarding due
to public health concerns.24
If TSA does not identify a potential watchlist match using Secure Flight,
records are to be destroyed within seven days of completion of the travel
itinerary. Potential matches, however, are retained for 7 years and confirmed
watchlist matches may be retained for up to 99 years. Known traveler lists and
lists of individuals disqualified from expedited screening due to past security
incidents are retained until superseded by updated lists.25
PRE-SCREENING INTERNATIONAL PASSENGERS

Secure Flight development benefited from operational experience with the
Advance Passenger Information System (APIS) administered by U.S. Customs
and Border Protection (CBP), which predated Secure Flight and continues to
collect passenger manifest data from airlines for all international flights
inbound to the United States. Air carriers transmit APIS data on passengers
and crew to CBP prior to aircraft departure. CBP cross-checks the data against
law enforcement, customs, and immigration screening databases and terrorist
watchlists.
CBP also relies on its Automated Targeting System-Passenger (ATS-P) to
perform risk assessments on inbound and outbound international travelers. For
inbound flights, ATS-P serves as a tool to assist CBP in making assessments in
advance of arrival as to whether an individual should be admitted to the United
States. Derived from a system developed in the 1990s to identify suspect
cargo, the passenger module of ATS does not use a risk scoring methodology
to determine an individual’s risk. Rather, it compares elements of passenger
name record data for all travelers against terrorist and law enforcement
databases to identify potential matches to terrorist identities and wanted
criminals, and to look for other red flags such as suspected use of a lost or
stolen passport. In contrast, the cargo screening module of ATS relies on risk
scoring methods.
In general, data in the ATS may be retained for up to 15 years.26 In
accordance with an agreement between the United States and the European
Union, however, passenger name record data are depersonalized within six
months, but may otherwise be retained in an active database for up to five
years. Thereafter, the data will be transferred to a dormant database, where
they may be retained for up to 10 years.27
Additionally, travelers with passports from countries in the Visa Waiver
Program28 must electronically submit biographical information through the
Electronic System for Travel Authorization prior to boarding a U.S.-bound
14 Bart Elias
flight.29 That information is checked against law enforcement databases,

databases of lost and stolen passports, visa revocations, and the TSDB. For
each passenger, CBP transmits the resulting status code to Secure Flight
specifying whether the database checks indicate a potential threat.
SCREENING PASSENGERS BY
OBSERVATIONAL TECHNIQUES (SPOT)
Secure Flight seeks to employ risk-based analysis drawing exclusively on
data compiled by government agencies and the airlines. A separate TSA
program, Screening Passengers by Observational Techniques (SPOT),
attempts to identify passengers who could present threats by observing
behavior at airports. TSA initiated early tests of SPOT in 2003. By FY2012,
the program deployed almost 3,000 BDOs at 176 airports, at an annual cost of
about $200 million. Program costs and continued questions over its scientific
validity and operational utility have been central concerns in the continued
controversy over the program since its inception. TSA asserts that its behavior
detection and analysis program is “based on scientifically validated behaviors
to identify individuals who potentially pose a threat to the nation’s
transportation network.”30
SPOT is rooted in law enforcement techniques that rely on criminal
profiling methods and behavioral assessment strategies, including behavioral
observation. TSA asserts that behavior detection techniques that form the basis
for SPOT have been practiced for many years in the context of law
enforcement, customs and border protection, defense, and security. However,
there are several nuanced differences between SPOT and law enforcement
behavior analysis tools and techniques that set the SPOT program apart.
TSA’s SPOT program stands out as unique in its extensive use of

noninvasive observation techniques and its development of a formal scoring
system to rate suspicion on the basis of behavioral indicators, including
nonverbal indicators evaluated by a behavior detection officer.
Law enforcement agencies generally apply behavioral analysis in the

investigation of specific crimes, not with large groups of individuals, and tend
to employ extensive interviewing methods to look for patterns of
inconsistencies in statements and to gather evidence for potential criminal
proceedings. Moreover, whereas behavioral detection as practiced in the TSA

SPOT program focuses heavily on interpretation of non-verbal cues, such as
facial expressions or avoidance of eye contact, such cues generally do not play
a central role in establishing suspicion in a law-enforcement setting. In this
regard, TSA’s SPOT program stands out as unique in its extensive use of non-
invasive observation techniques and its development of a formal scoring
system to rate suspicion on the basis of behavioral indicators, including non-
verbal indicators evaluated by a behavior detection officer. Whereas law
enforcement agencies will use such techniques in combination with other
interrogation practices, often over the course of lengthy interviews and
repeated encounters with persons of interest, TSA has stated that it takes a
BDO less than 30 seconds to meaningfully observe an average passenger.31
Since its inception, reviews of the SPOT program have raised questions
regarding whether it is an effective tool for identifying individuals who pose a
specific threat to aviation. Despite TSA’s assertions regarding effectiveness,
the Government Accountability Office (GAO) reported in 2010 that on at least
23 different occasions, at least 16 known terrorists transited through
checkpoints at eight different airports where BDOs were stationed. GAO could
not determine if the SPOT program had resulted in the arrest of any terrorists
or individuals planning to engage in terrorist activity. It concluded that the
SPOT program had been fielded before being fully validated and without
adequate cost-benefit analysis.32
TSA responded by carrying out validation studies in cooperation with the
Department of Homeland Security (DHS) Science and Technology Directorate
and the American Institutes for Research. According to TSA, the tests
demonstrated that its behavior detection techniques were nine times more
likely to detect high-risk travelers than random selection. It has not released
the study publicly to allow for independent analysis or critique.33 The agency
also said it had taken specific steps to address GAO recommendations for
improving behavior assessment methods, performance metrics, data collection,
and program management. Further, TSA noted that it has partnered with
several international counterparts to exchange operational and programmatic
information and share best practices to further refine the SPOT program.
Despite the seemingly impressive results of the validation study reported
by TSA, both the GAO and the DHS Office of Inspector General have
continued to raise doubts about behavior detection and analysis as employed in
the SPOT program. In 2013, GAO concluded that available evidence still did
not support the validity and utility of behavior detection techniques employed
by TSA.34 A fundamental concern was that the metrics TSA used to evaluate
16 Bart Elias
the program—principally, the number of referrals to law enforcement that

have resulted in confiscations of prohibited items or arrests and detentions for
warrants, parole violations, drug possession, other criminal activity, and illegal
immigration status—do not directly relate to TSA’s mission to deter, detect,
and prevent terrorism and other criminal acts targeting aviation assets. Given
the low occurrence of terrorist acts, developing suitable metrics to evaluate the
impact of the SPOT program on these mission objectives has proven elusive.
GAO reported wide individual differences among BDOs in terms of referrals
to law enforcement, raising questions about the training on and operational use
of behavioral indicators.
Similarly, the DHS Office of Inspector General found that metrics used to
support TSA’s assertion of SPOT’s effectiveness, such as detection of
prohibited items, undeclared currency, and illegal aliens, are not directly related
to aviation security objectives. Its audits revealed significant lapses in records-
keeping, suggesting that incomplete and inaccurate data about the program had
been presented to TSA’s senior leadership. The Inspector General also found
that TSA did not consistently offer formal refresher training for behavior
detection officers, despite a TSA task force’s conclusion that “observation
skills ... need to be constantly honed and refocused on some regular basis.”35
Moreover, a lack of performance evaluation and recurrent training for BDO
instructors raised additional questions about the quality and consistency of
BDO training.
While TSA has championed the SPOT program as a cornerstone of its

riskbased approach to passenger screening, questions remain over the
program’s efficacy.
While TSA has championed the SPOT program as a cornerstone of its

risk-based approach to passenger screening, questions remain over the
program’s efficacy. While some Members of Congress have sought to shutter
the program, Congress has not moved to do so. For example, H.Amdt. 127, an
amendment to the FY2014 DHS appropriations measure which sought to
eliminate funding for the program, failed to pass a floor vote.36 Congress also
has not taken specific action to revamp the program, despite the concerns
raised by GAO and the DHS Office of Inspector General.
THE PRE-CHECK PROGRAM

While behavioral detection approaches have been sharply criticized,
TSA’s efforts to implement Pre-Check, a trusted traveler program designed to
expedite processing of low-risk passengers, have garnered more favorable
responses. Pre-Check began in October 2011, and became fully operational in
2012. Since then, TSA has been incrementally expanding its scope and
availability. The program is available at no cost to U.S. citizens designated as
select frequent flyers of certain airlines, and to U.S. and Canadian citizens who
are paid members of CBP’s trusted traveler programs (including Global Entry,
SENTRI, and NEXUS). Eligible travelers not in any of these categories may,
for a fee, apply directly at a TSA enrollment center to join Pre-Check.
The Pre-Check program bears some resemblance to the former Registered
Traveler (RT) program, which was scrapped in 2009. RT was implemented
under a public-private partnership model with multiple vendors providing
biographical and biometric data collection and storage. While different
vendors held contracts to issue biometric IDs and operate identity verification
kiosks at different airports, the systems were designed to be interoperable,
theoretically giving registered travelers access to expedited screening lanes at
multiple airports. When RT was launched at 19 airports in 2007, TSA
conducted extensive background checks of applicants based on biographical
data collected by vendors. However, as it expanded the program to additional
airports in 2008, TSA eliminated the background check process and the
associated portion of the program fee, indicating that these checks “were not
core elements in determining threats,”37 as terrorist watchlist checks were
being performed on all passengers under Secure Flight. The program was
dismantled shortly thereafter.
Under Pre-Check, TSA has resurrected extensive biographic-based
background checks, apparently reversing its earlier stance under RT that these
additional checks were of limited value in identifying threats to aviation
security. In contrast to RT, Pre-Check does not issue a biometric credential.
Rather, an approved individual is issued a known traveler number to use when
booking flight reservations. This number is used to indicate the individual’s
status as a Pre-Check member on the boarding pass, thereby allowing the
passenger to use expedited screening lanes. Nonetheless, to deter exploitation
of expedited screening lanes, Pre-Check participants may be selected
randomly to undergo more thorough physical screening.
18 Bart Elias
The exclusive reliance on boarding passes for Pre-Check authentication

may be of concern, given continued limitations in TSA’s capability to
authenticate boarding passes and traveler identification documents.
The exclusive reliance on boarding passes for Pre-Check authentication

may be of concern, given TSA’s limited ability to authenticate boarding passes
and traveler identification documents. TSA’s deployment of document and
boarding pass inspection and authentication technologies, called Credential
Authentication Technology/Boarding Pass Scanning Systems, has been
delayed and faces several ongoing technical and managerial challenges.38
Without the ability to authenticate boarding pass information, TSA may not be
able to assure that access to Pre-Check screening lanes is limited to properly
cleared individuals at all airports.
In September 2013, TSA issued a system of records notice (SORN)
regarding the process for members of the public to voluntarily apply for the
Pre-Check program. The SORN defines the legal context under which TSA
collects and retains information on Pre-Check applicants. Applicants are
required to submit biographic and biometric data (i.e., fingerprints and identity
verification documentation containing a photograph, such as a passport or
driver’s license) to TSA. TSA, in turn, is to use the submitted information to
conduct security threat assessments of individuals, using law enforcement,
immigration, and intelligence databases, including a fingerprint based criminal
history records check through the FBI.
TSA accepts Pre-Check applications from U.S. citizens, U.S. nationals,
and legal permanent residents. Individuals are to be determined ineligible if,
within specified time periods (generally seven years since court determination
or five years since release from prison), they have been convicted of, found
not guilty by reason of insanity, or are under want, warrant, or indictment for
certain specific crimes. Further, TSA may reject an applicant with extensive
foreign or domestic criminal convictions, even if the crimes are not
specifically disqualifying, and may reject an applicant based on information in
government terrorist watchlists, Interpol data, and other international law
enforcement and counterterrorism data.
Pre-Check applicants must pay a non-refundable processing fee of $85.
Once vetted and approved, a traveler is to receive a notification letter from
TSA with an assigned Pre-Check Known Traveler Number, which will be
valid for five years. Applicants who are determined not to be qualified for
Pre-Check must notify TSA within 30 days to indicate their intent to appeal
and to correct information believed to be inaccurate. To obtain corrections,
the applicant must provide certified copies of records supporting the claim
that the initial determination was inappropriate. Since the $85 processing fee
is non-refundable, individuals who have reason to believe they may be
disqualified based on their criminal record or may not meet eligibility
requirements because of other factors, including citizenship or residency
status, may choose not to apply.
In December 2013, TSA opened the first Pre-Check enrollment center for
the general public at the Indianapolis, IN, airport. TSA anticipates that there
will eventually be as many as 300 enrollment centers nationwide as well as an
online application process. Individuals seeking to participate may initiate the
application process by pre-enrolling online, but must visit a physical
enrollment site to provide identification and fingerprints.
Early indications have suggested that frequent travelers are generally
pleased with Pre-Check. A 2012 survey of frequent flyers found that almost
54% of those using Pre-Check were very satisfied or extremely satisfied,
compared to less than 7% of frequent travelers expressing similar opinions of
their most recent TSA screening in general.39
However, rapid expansion of the program could limit some of its benefits.40
TSA has increased availability of Pre-Check’s expedited screening lanes from
40 airports in FY2013 to over 100 airports by January 2014, with a goal of
providing expedited screening to half of all airline passengers by the close of
FY2015. As the Pre-Check program grows in popularity, wait times in Pre-
Check lanes may increase, while non-participating travelers may potentially
stand to save time also as more and more fellow travelers join Pre-Check.
Non-participating travelers may also benefit from possible selection to use a
Pre-Check lane either through occasional selection based on Secure Flight
assessments or under an initiative referred to as managed inclusion.
Managed Inclusion
Managed inclusion refers to a TSA initiative exploring real-time threat

assessments of passengers to identify individuals considered low risk and thus
eligible for random selection for processing using one of the Pre-Check
expedited screening lanes. New passenger screening canine teams, specially
trained to work in crowded areas and sniff passengers to detect the scent of
explosives, along with behavioral detection officers who screen individuals for
behavioral indicators of potential threat, perform initial screening of
passengers in the screening checkpoint queue. If neither the canine team nor
20 Bart Elias
the officer signals that a passenger is an elevated risk, then he or she may be
randomly selected for managed inclusion in a Pre-Check screening lane. Upon
stepping on a mat in front of the travel document checker’s kiosk the
passenger triggers a lighted directional arrow that will indicate whether to
proceed to regular screening lanes or a Pre-Check expedited screening lane,
based on a random selection.
Military Members, Department of Defense Civilians, and Known

Crewmembers
In addition to Pre-Check members and those selected by Secure Flight

selection or managed inclusion, military servicemembers, including active
duty members, reservists, and National Guard members, are allowed to use
Pre-Check screening lanes. Cleared military personnel can use this service for
both official and personal travel. Family members under 12 years old may pass
through the Pre-Check lanes when traveling with cleared military personnel.
However, family members over age 12 must either proceed through standard
screening lanes or independently obtain eligibility for the Pre-Check program
through the various means established by TSA. It has been reported that
civilian employees of the Department of Defense and the Coast Guard will
also be allowed to participate in expedited screening beginning in mid-April
2014 without enrolling in Pre-Check or a CBP trusted traveler program.41
Pre-Check lanes are also being used to expedite screening of uniformed
airline crewmembers, including pilots and flight attendants, participating in
TSA’s Known Crew Member identification initiative. Airline-issued
identification credentials are to be checked against a database of participating
airlines’ flight and cabin crew personnel with valid security background
checks to determine eligibility for expedited screening. Airline crews undergo
TSA managed fingerprint-based criminal history record checks and security
threat assessments as a condition of employment.42 The Known Crew Member
database can serve as a means of verifying airline crew credentials and
eligibility for expedited screening.
Each of these sub-populations undergoes background screening that, at a
minimum, TSA considers equivalent to those performed on Pre-Check
applicants. In many cases, particularly for military personnel and civilian
employees holding defense secret clearances, the background investigation
may be even more extensive, even though the security clearance process for
these individuals has recently been criticized.43
TSA considers individuals in these specific sub-populations to be lower

risk than individuals from the general population who have not undergone a
background investigation, and of comparable risk to trusted travelers vetted
directly by TSA or CBP. Moreover, the credentialing process for military
servicemembers, defense personnel, and airline crews may be seen as
providing a comparatively secure means of assuring an individual’s identity
and eligibility for expedited screening under these provisions. Nonetheless,
TSA continues to use random selection to direct certain members of these sub-
populations to standard non-expedited screening, as it does with Pre-Check
members. This adds an unpredictable element to screening, in keeping with the
principles of a comprehensive risk-based approach to security.
COLLECTION AND RETENTION OF PASSENGER DATA

Each risk-based screening program collects and retains various forms of
biographic, biometric, and/or other identifying data regarding individuals.
Additionally, TSA collects and retains data from intelligence sources and its
own investigations regarding potential threats and identities of individuals
believed to pose some level of threat to the aviation system. Each risk-based
program has separate data collection and retention rules (see Table 2).
TSA has stated that its policy is to delete data that are no longer needed.
Under the terms of its various SORNs, records that correspond to traveling
individuals whose identities are matches or potential matches to terrorist or
criminal databases are retained for extensive periods, whereas other records
are destroyed shortly after completion of the corresponding travel itinerary.
Data submitted voluntarily by individuals who are not considered possible
matches, such as data provided in Pre-Check applications, are typically
retained throughout an individual’s participation in the program, unless
superseded by updated or corrected data. While TSA may use information
from commercial databases and consumer reporting agencies in validating
identities and conducting risk assessments, it does not reciprocate by
disclosing information to consumer reporting agencies.
In general, personal data collected under these various risk-based
programs may be shared among DHS agencies when necessary to support
counterterrorism and homeland security mission functions. Data may also be
shared with intelligence, law enforcement, and judicial agencies at the federal,
state, local, or tribal levels for investigating potential criminal, civil, or
regulatory violations, and with audit or oversight agencies, federal records
22 Bart Elias
management agencies, and federal contractors performing work that requires

access to the specific data. In all these instances, data are to be protected
against inappropriate handling or disclosure in accordance with the Privacy
Act of 1974 (P.L. 93-579), in a manner detailed in each SORN.
Table 2. TSA and CBP Systems of Records
Document Identification/ Federal

System of Records Relevant Program(s) Register Notice
Secure Flight Records Secure Flight DHS/TSA-019; 77 FR 69491 et seq.
TSA Pre-Check Application
Pre-Check DHS/TSA-021; 78 FR 55274 et seq.
Program
Transportation Security SPOT, Federal Air
DHS/TSA-001; 75 FR 28042 et seq.
Enforcement Marshal
Records System Service (FAMS),
Screeners
CBP Advanced Passenger CBP APIS DHS/CBP-005; 73 FR 68435 et seq.
Information System
CBP Automated Targeting
CBP ATS DHS/CBP-006; 77 FR 30297 et seq.
System
Source: Department of Homeland Security, System of Records Notices (SORNs),
available at http://www.dhs.gov/system-records-notices-sorns.
REDRESS
The Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-
458) required TSA and DHS to establish appeals procedures by which persons
who are identified as security threats based on records in the TSDB may
appeal such determinations and have such records, if warranted, modified to
avoid recurrence. Also, provisions in the Implementing Recommendations of
the 9/11 Commission Act of 2007 (P.L. 110-53) required DHS to establish an
Office of Appeals and Redress to establish a timely and fair process for
individuals who believe they have been delayed or prohibited from boarding a
commercial aircraft because they were wrongly identified as a threat. DHS
must maintain records of passengers and individuals who have been
misidentified and have corrected erroneous information.
To meet these statutory requirements, DHS established the DHS Traveler
Redress Inquiry Program (DHS TRIP) as a mechanism for addressing situations
in which individuals claim to have been inappropriately singled out. The DHS
TRIP program allows passengers seeking redress, or their representatives, to

file complaints online or by mail.44 After receiving the completed online
questionnaire or the complaint form, DHS is to request supporting information
within 30 days. Filers are given a control number that allows them to track the
status of their inquiry using the Internet. If the investigation finds that the
traveler was delayed due to a misidentification or name-matching issue, DHS is
to describe the steps required to resolve the issue. For example, the traveler
may be required to retain a copy of the DHS response letter and present it
during the check-in process when traveling on airline flights. If a passenger
disagrees with the resolution decision made by DHS, he or she may take
further steps to appeal the decision. However, TSA decisions based on records
maintained on individuals in connection with the Secure Flight program are
largely exempt from judicial review.45
ANALYZING NON-GOVERNMENTAL DATA

USING THIRD-PARTY PRESCREENING
In January 2013, TSA released a market research announcement seeking
information to expand expedited screening beyond the Pre-Check program by
relying on third-party prescreening of passengers. The announcement sought
solutions using “non-governmental data elements to generate an assessment of
the risk to the aviation transportation system that may be posed by a specific
individual, and to communicate the identity of persons who have successfully
passed this risk based assessment to TSA’s Secure Flight.”46 In response to
clarifying questions on the solicitation, TSA indicated that third parties could
make use of any data services that are legally available to them, but noted that
data accuracy and security are issues of concern that should be taken into
consideration.47
The announcement points to the possible future use of large commercial
databases to cull information about airline travelers. Given the broad range of
commercial data services, this prospect has raised concerns regarding privacy
and the accuracy of data that may form the basis of future passenger risk
assessments. Historically, such data have primarily been used to assess
consumer credit risk and more recently to target marketing and advertising
toward specific individuals.
An article published in the New York Times in October 2013 raised
concerns that passenger prescreening using a wide assortment of non-federal
24 Bart Elias
government and private databases may already be taking place, although

noting that details of specific programs doing so have not been divulged
publicly.48 The article points specifically to CBP’s ATS, although it also
identifies Secure Flight, Pre-Check applications, the Pre-Check
disqualification list, and TSA’s Transportation Security Enforcement Records
System (a database of reports and identities tied to violations and potential
violations of security regulations) as systems in which commercial data may
play a role in risk assessments and where personal information may be used
for purposes other than counterterrorism.
Previously, Congress had acted to restrict the use of commercial data in
airline passenger prescreening. Specifically, Congress included provisions in
appropriations acts during the development and initial deployment of Secure
Flight prohibiting the use of data from nongovernmental sources to assess the
risk of passengers whose names do not appear on government terrorist
watchlists.49 Consequently, congressional oversight and possible legislative
action related to TSA systems utilizing commercial data as part of risk-based
assessments may be an issue of particular interest as TSA’s risk-based
approaches to passenger prescreening evolve.
ISSUES FOR CONGRESS

Since many of the details regarding TSA’s passenger threat assessment
and risk-based screening programs cannot be publicly discussed for security
reasons, congressional oversight serves an important role in reviewing the
various facets of the programs that make up TSA’s risk-based approach to
airline passenger screening to assure that they are effective and efficient,
and provide adequate safeguards for data security and privacy.
In addition to specific concerns raised regarding the use of commercial

data in assessing risk and behavioral profiling techniques, TSA’s foray into
risk-based screening of airline passengers raises a number of broader issues for
Congress. Since many of the details regarding TSA’s passenger threat
assessment and risk-based screening programs cannot be publicly discussed
for security reasons, congressional oversight serves an important role in
reviewing the various facets of TSA’s risk-based approach to airline passenger
screening to assure that they are effective and efficient, and provide adequate
safeguards for data security and privacy.
One broad concern is the extent to which the various risk-based programs
developed by TSA fit into a comprehensive strategy that addresses security
risk. As noted above, most experts in the aviation security field do not
consider risk-based screening to be a stand-alone technique, but rather to
consist of a variety of techniques which, both individually and collectively, fit
within a comprehensive risk-based approach to security such as that presented
in Table 1. There may also be other relevant criteria that would be useful in
assessing the degree to which these programs fit into a broader risk-based
framework.
An issue of potential significance is the extent to which the risk-based
approach, as implemented, is able to effectively adapt and evolve to address
shifting threats and to incorporate new methods and capabilities. It is difficult to
assess whether the risk-based approach to passenger screening is adequately
adaptive and evolving, in part because some elements like the Pre-Check
program are relatively new and, in part, because details necessary to make such
assessments regarding terrorist watchlists and behavioral profiling techniques
are not publicly divulged. The evolution of processes to consolidate and
disseminate terrorist watchlist information has been a key issue for the
intelligence community since the attempted bombing of Northwest Flight 253
on December 25, 2009. However, specific changes made in response have not
been publicly acknowledged. Similarly, information regarding any evolution or
adaptation of behavioral detection methods since the inception of TSA’s
behavioral detection program has not been publicly disclosed. How TSA’s risk-
based strategy and the underlying intelligence practices informing risk-based
decisions have adapted to shifting threat landscapes, potential changes in
resources, and the introduction of new procedures and technologies may be an
issue of interest for congressional oversight.
The selection of appropriate metrics appears to be a key issue in assessing
the effectiveness of TSA’s risk-based strategies. Suitable metrics have been
difficult to identify, again, in part because of the necessary secrecy
surrounding security. Defining suitable metrics may also prove difficult as a
result of relatively limited numbers of encounters with individuals having ties
to terrorism, and even fewer still with those seeking to carry out attacks
against civil aviation. With regard to behavioral detection programs, TSA’s
choice of metrics has been questioned. For other programs, such as Pre-Check,
TSA has emphasized efficiency metrics rather than metrics that specifically
address security effectiveness, at least publicly.
As a practical matter, the limited number of terrorist encounters raises
concerns over the prevalence and implications of false alarms, singling out
26 Bart Elias
individuals as potential threats who in fact pose no threat. Since the number of
suspected terrorists is small relative to the number of airline passengers, false
alarms occur with far greater frequency than valid threat detections. Efforts to
reduce false positives could leave gaps in threat detection capabilities.
Nonetheless, high false alarm rates may lead to potentially significant
consequences by misdirecting limited screening resources and by creating
complications for individuals mistakenly targeted as potential threats. In the
past, initiatives to reduce false alarms associated with Secure Flight have
focused on systematic culling and parsing of terrorist databases to ensure that
information is thorough, accurate, and up to date. Additionally, a
congressionally mandated redress process has been put in place to provide a
mechanism for falsely targeted individuals to seek remediation. The
effectiveness of these steps in reducing false alarm rates in aviation passenger
pre-screening has not been disclosed publicly.
In addition to measuring effectiveness, assessing anticipated efficiency
gains related to risk-based screening initiatives appears to have important
implications for oversight of TSA operations and appropriations. TSA
anticipates that risk-based security efficiencies will result in savings of about
$120 million, and allow staffing reductions of more than 1,500 full-time
equivalent positions in FY2015.50 Congressional oversight may examine
whether these efficiency gains can be realized without compromising security
effectiveness.
Finally, privacy and appropriate data protections are matters of
considerable interest to Congress. Through its various systems of records of
data maintained on individuals, DHS has established practices to protect
personal data and comport with Privacy Act requirements. The extent to which
these various privacy protections and data security measures are being
appropriately implemented in practice may also be a matter of concern.
In summary, as TSA moves forward in its implementation of a risk-based
approach to passenger screening, questions persist as to whether this approach
• appropriately integrates various programs and elements of the

approach and interdependently and collectively exhibits the
characteristics of a comprehensive risk-based strategy outlined in
Table 1;
• adequately adapts and evolves to changes in the threat landscape, to
potential changes in the availability of resources including personnel,
and to the introduction of new procedures and technologies;
• risk-based programs against specific mission goals tied to detecting

and mitigating threats to civil aviation;
• adequately addresses potential impacts of false positives without
compromising threat detection capabilities; and
• ensures appropriate privacy and data protections consistent with those
detailed in the agency’s SORNs and in a manner that appropriately
balances security and intelligence needs with public expectations.
Despite elaborate security measures implemented in the years since the

9/11 terrorist attacks, the potential for a large-scale attack targeting aviation
remains. In this context, debate over how to strike a balance between
maintaining appropriate levels of privacy while implementing efficient and
effective risk-based security strategies to combat terrorism is likely to remain a
central issue for aviation security policy and possible congressional oversight.
End Notes
1
See, e.g., P.L. 113-6, which prohibited FY2013 recruiting or hiring that would result in TSA
exceeding a staffing level of 46,000 full-time equivalent screeners.
2
Frank Newport and Steve Ander, Americans’ Views of TSA More Positive Than Negative,
Gallup, Princeton, NJ, August 8, 2012, http://www.gallup.com/poll/156491/Americans-
Views-TSA-Positive-Negative.aspx.
3
Kip Hawley, “Why Airport Security Is Broken – And How To Fix It,” Wall Street Journal,
April 15, 2012.
4
Frederick the Great, as quoted in Peter G. Tsouras (Ed.), The Greenhill Dictionary of Military
Quotations, Greenhill Books (London, 2000).
5
Michael Chertoff, “There is No Perfect Security,” Wall Street Journal, February 14, 2006.
6
U.S. Department of Homeland Security, Risk Management Fundamentals: Homeland Security
Risk Management Doctrine, April 2011.
7
Although this is generally termed “passenger risk assessment” rather than “passenger threat
assessment,” the technique focuses exclusively on the potential threat posed by an
individual passenger. The terms are interchangeable in this context given an assumption that
other aspects of risk besides threat (i.e., vulnerability and severity of consequences) are held
constant.
8
See, e.g., U.S. Government Accountability Office, Aviation Security: TSA Should Limit Future
Funding for Behavior Detection Activities, GAO-14-159, November 2013.
9
Bart Jansen, “TSA Drops Efforts to Allow Small Knives on Planes,” USA Today, June 5, 2013.
10
Kip Hawley, “Why Airport Security Is Broken – And How To Fix It,” Wall Street Journal,
April 15, 2012.
11
Raphael Ron, “Airport Security: A National Security Challenge,” Policy Brief, International
Border Security Forum, Washington, DC: The German Marshall Fund of the United States,
May 2013.
28 Bart Elias
12
Kenneth C. Fletcher, “Aviation Security: A Case for Risk-Based Passenger Screening,” Thesis,
Naval Postgraduate School, Monterey, CA, December 2011.
13
Bartholomew Elias, Airport and Aviation Security: U.S. Policy and Strategy in the Age of
Global Terrorism (Boca Raton, FL: CRC Press, 2010).
14
ABC News, “Airline Security Questions Scrapped,” January 7, 2006, available at
http://abcnews.go.com/US/story? id=91316&page=1.
15
Ryan Singel, “Life After Death for CAPPS II?” Wired, July 16, 2004.
16
National Commission on Terrorist Attacks Upon the United States, The 9/11 Commission
Report, Authorized ed. (New York: W.W. Norton & Co., 2004), p. 393.
17
U. S. Department of Transportation, Meeting the Airport Security Challenge: Report of the
Secretary’s Rapid Response Team on Airport Security, October 1, 2001
18
National Commission on Terrorist Attacks Upon the United States, The 9/11 Commission
Report, Authorized ed. (New York: W.W Norton & Co., 2004), p. 393.
19
See, e.g., P.L. 109-90, §518.
20
U.S. Department of Homeland Security, Transportation Security Administration, “Secure
Flight Program; Final Rule,” 72 Federal Register 64018-64066, October 28, 2008.
21
Transportation Security Administration, “Myth Buster: TSA’s Watch List is More Than One
Million People Strong.” The TSA Blog, July 14, 2008, available at http://blog.tsa.gov/
2008/07/myth-buster-tsas-watch-list-is-more.html.
22
Mark Hosenball, “Number of Names on U.S. Counter-Terrorism Database Jumps,” Reuters,
May 2, 2013.
23
U.S. Department of Justice, Office of the Inspector General, Audit of the Federal Bureau of
Investigation’s Management of Terrorist Watchlist Nominations, Audit Report 14-16,
March 2014.
24
The public health Do Not Board (DNB) list includes the names of individuals with
communicable diseases who pose a serious threat to the public. The Centers for Disease
Control and Prevention reviews all requests to place a name on the list to verify that the
individual meets the appropriate medical criteria for inclusion. In the first year following
creation of the list in 2007, 42 names were submitted and 33 names were placed on the list,
all referencing individuals thought to have infectious pulmonary tuberculosis.
25
Transportation Security Administration, “Privacy Act of 1974: System of Records; Secure
Flight Records,” 77 Federal Register 69491-69496, November 19, 2012.
26
Department of Homeland Security, “Privacy Act of 1974; U.S. Customs and Border Protection,
DHS/CBP-006— Automated Targeting System, System of Records,” 77 Federal Register
30297-30304, May 22, 2012.
27
See CRS Report RS22030, U.S.-EU Cooperation Against Terrorism, by Kristin Archick.
28
See http://travel.state.gov/content/visas/english/visit/visa-waiver-program.html
29
For more information see CRS Report RL32221, Visa Waiver Program, by Alison Siskin.
30
Transportation Security Administration, Statement of Administrator John S. Pistole, Before the
United States House of Representatives, Committee on Homeland Security, Subcommittee
on Transportation Security, November 13, 2013.
31
U.S. Government Accountability Office, Aviation Security: TSA Should Limit Future Funding
for Behavior Detection Activities, GAO-14-159, November 2013.
32
U.S. Government Accountability Office, Aviation Security: Efforts to Validate TSA’s
Passenger Screening Behavior Detection Program Underway, but Opportunities Exist to
Strengthen Validation and Address Operational Challenges, GAO-10-763, May 2010.
33
Transportation Security Administration, Statement of Administrator John S. Pistole, Before the
United States House of Representatives, Committee on Homeland Security, Subcommittee
on Transportation Security, November 13, 2013.
34
U.S. Government Accountability Office, Aviation Security: TSA Should Limit Future Funding
for Behavior Detection Activities, GAO-14-159, November 2013.
35
Department of Homeland Security, Office of Inspector General, Transportation Security
Administration’s Screening of Passengers by Observation Techniques (Redacted), OIG-13-
91, Washington, DC, May 29, 2013; Department of Homeland Security, Statement of
Charles K. Edwards, Deputy Inspector General, Before the United States House of
Representatives, Committee on Homeland Security, Subcommittee on Transportation
Security, November 13, 2013.
36
See Rep. John Carter, “Department of Homeland Security Appropriations Act, 2014,” House
of Representatives, Congressional Record, Vol. 159, Issue 78 (June 5, 2013), p. H3194.
37
Transportation Security Administration, “TSA Lifts Cap and Eliminates Fee on Registered
Traveler,” Press Release, July 24, 2008; see also Transportation Security Administration,
“Registered Traveler Interoperability Pilot Program,” 73 Federal Register 44275-44278.
38
U.S. Government Accountability Office, Aviation Security: Status of TSA’s Acquisition of
Technology for Screening Passenger Identification and Boarding Passes, GAO-12-826T,
June 19, 2012.
39
Dan Collins, “Poll: 90% of Frequent Flyers Give TSA Fair or Poor Rating,” Frequent Business
Traveler, September 10, 2012.
40
Bart Jansen, “Privacy Concerns Swirl Around TSA Pre-Check Program,” USA Today,
February 24, 2014.
41
Josh Hicks, “TSA’s expedited screening lanes soon open to DOD and Coast Guard civilians,”
Washington Post, March 27, 2014.
42
See 49 CFR §1544.229 and §1544.230.
43
See, e.g., Christian Davenport, “Pentagon considers retaking control of security clearance
checks,” Washington Post, March 20, 2014.
44
Complete instructions for filing complaints under the DHS TRIP program can be found at
http://www.dhs.gov/onestop-travelers-redress-process.
45
Department of Homeland Security, “Privacy Act of 1974; Department of Homeland Security
Transportation Security Administration- DHS/TSA-019 Secure Flight System of Records,”
78 Federal Register 55270-55274, September 10, 2013.
46
Transportation Security Administration, Market Research Announcement: TSA Third Part Pre-
screening, HSTS02- 13-RFI-0001, January 8, 2013.
47
Transportation Security Administration, Market Research Announcement: TSA Third Part Pre-
screening, HSTS02- 13-RFI-0001, Amendment 3, February, 6, 2013.
48
Susan Stellin, “Security Check Now Starts Long Before You Fly,” New York Times, October
21, 2013.
49
See, e.g., P.L. 109-90, §518.
50
Department of Homeland Security, Transportation Security Administration, Aviation Security:
Fiscal Year 2015 Congressional Justification; Department of Homeland Security, Budget-
in-Brief, Fiscal Year 2015.
Chapter 2
SECURE FLIGHT: TSA SHOULD TAKE

ADDITIONAL STEPS TO DETERMINE
PROGRAM EFFECTIVENESS *
WHY GAO DID THIS STUDY

In 2009, DHS’s TSA began using Secure Flight to screen passengers
against high-risk lists. These lists, subsets of the TSDB—the U.S.
government’s consolidated list of known and suspected terrorists—included
the No Fly List, to identify those who should be prohibited from boarding
flights, and the Selectee List, to identify those who should receive enhanced
screening at airport checkpoints.
GAO was asked to assess the current status of the program. This report
examines (1) changes to the Secure Flight program since 2009, (2) TSA’s
efforts to ensure that Secure Flight’s screening determinations for passengers
are implemented at airport checkpoints, and (3) the extent to which program
performance measures assess progress toward goals. GAO analyzed TSA data
and documents—including checkpoint data from 2012 through 2014 and
Secure Flight performance measures—and interviewed relevant DHS officials.
*
This is an edited, reformatted and augmented version of a United States Government
Accountability Office publication, No. GAO-14-531, dated September 2014.
32 United States Government Accountability Office
WHAT GAO RECOMMENDS

GAO recommends that TSA develop a process to regularly evaluate the
root causes of screening errors at security checkpoints and implement
measures to address these causes. GAO also recommends that TSA develop
measures to address all aspects of performance related to program goals and
develop a mechanism to systematically document the number and causes of
Secure Flight system matching errors. DHS concurred with GAO’s
recommendations.
WHAT GAO FOUND

Since 2009, Secure Flight has changed from a program that identifies
passengers as high risk solely by matching them against the No Fly and
Selectee Lists to one that assigns passengers a risk category: high risk, low
risk, or unknown risk. In 2010, following the December 2009 attempted attack
of a U.S.- bound flight, which exposed gaps in how agencies used watchlists to
screen individuals, the Transportation Security Administration (TSA) began
using risk-based criteria to identify additional high-risk passengers who may
not be in the Terrorist Screening Database (TSDB), but who should be
designated as selectees for enhanced screening. Further, in 2011, TSA began
screening against additional identities in the TSDB that are not already
included on the No Fly or Selectee Lists. In addition, as part of TSA Pre9TM, a
2011 program through which TSA designates passengers as low risk for
expedited screening, TSA began screening against several new lists of
preapproved low-risk travelers. TSA also began conducting TSA Pre9IM risk
assessments, an activity distinct from matching against lists that uses the
Secure Flight system to assign passengers scores based upon travel-related
data, for the purpose of identifying them as low risk for a specific flight.
TSA has processes in place to implement Secure Flight screening
determinations at airport checkpoints, but could take steps to enhance these
processes. TSA information from May 2012 through February 2014 indicates
that screening personnel have made errors in implementing Secure Flight
determinations at the checkpoint. However, TSA does not have a process for
systematically evaluating the root causes of these screening errors. GAO’s
interviews with TSA officials at airports yielded examples of root causes TSA
could identify and address. Evaluating the root causes of screening errors, and
Secure Flight 33
then implementing corrective measures, in accordance with federal internal

control standards, to address those causes could allow TSA to strengthen
security screening at airports.
Since 2009, Secure Flight has established program goals that reflect new
program functions to identify additional types of high-risk and also low-risk
passengers; however, current program performance measures do not allow
Secure Flight to fully assess its progress toward achieving all of its goals. For
example, Secure Flight does not have measures to assess the extent of system
matching errors.
Establishing additional performance measures that adequately indicate
progress toward goals would allow Secure Flight to more fully assess the
extent to which it is meeting program goals. Furthermore, TSA lacks timely
and reliable information on all known cases of Secure Flight system matching
errors. More systematic documentation of the number and causes of these
cases, in accordance with federal internal control standards, would help TSA
ensure Secure Flight is functioning as intended.
This is a public version of a sensitive report that GAO issued in July 2014.
Information that the Department of Homeland Security (DHS) and the
Department of Justice deemed sensitive has been removed.
ABBREVIATIONS
ATS-P Automated Targeting System-Passenger
BPSS boarding pass scanning system
CAT Credential Authentication Technology
CBP U.S. Customs and Border Protection
CDC Centers for Disease Control and Prevention
DHS Department of Homeland Security
FBI Federal Bureau of Investigation
GPRA Government Performance and Results Act
IVCC Identity Verification Call Center
OMB Office of Management and Budget
OSO Office of Security Operations
SFPD Secure Flight Passenger Data
SOC Secure Flight Operations Center
TDC Travel Document Checker
TRIP Traveler Redress Inquiry Program
TSA Transportation Security Administration
TSBD Terrorist Screening Database

TSO Transportation Security Officer
***
September 9, 2014
The Honorable Michael T. McCaul

Chairman
The Honorable Bennie G. Thompson
Ranking Member
Committee on Homeland Security
House of Representatives
The Honorable Richard Hudson

Chairman
The Honorable Cedric L. Richmond
Ranking Member
Subcommittee on Transportation Security
The Honorable Mike Rogers

The Transportation Security Administration’s (TSA) Secure Flight

program—established to identify those passengers who may pose security
risks before boarding an aircraft—is a frontline defense against acts of
terrorism that target the nation’s civil aviation system. TSA developed and
implemented Secure Flight in response to requirements in the Intelligence
Reform and Terrorism Prevention Act of 2004 and a recommendation of the
National Commission on Terrorist Attacks upon the United States (the 9/11
Commission) that TSA assume from air carriers the function of matching
passengers against watchlists maintained by the federal government.1 At the
time, these watchlists, which were intended to identify high-risk individuals,
included the No Fly List, composed of individuals who should be precluded
from boarding an aircraft, and the Selectee List, composed of individuals who
should receive enhanced screening at the airport security checkpoint.2 After
initiating the development of Secure Flight in August 2004, TSA began
Secure Flight 35
implementing the program in January 2009, and completed transitioning

foreign and domestic air carriers to the program in November 2010. Secure
Flight is now responsible for screening passengers and certain nontraveling
individuals on all domestic and international commercial flights to, from, and
within the United States; certain flights overflying the continental United
States; and international point-to-point flights operated by U.S. aircraft
operators.3
Beginning with a provision of the fiscal year 2004 Department of
Homeland Security Appropriations Act and pursuant to requests by Congress,
we have had regular and recurring responsibilities to assess and report on
efforts by the Department of Homeland Security (DHS), of which TSA is a
component, to develop and implement a passenger prescreening system, which
TSA eventually implemented as Secure Flight.4 In May 2009, we reported that
after initial challenges, TSA had made significant strides in developing Secure
Flight and that risks associated with implementing the program had been
reduced.5 Specifically, we reported on TSA’s progress with respect to system
accuracy, which involves activities to ensure that the Secure Flight system’s
automated matching of passenger and watchlist data correctly identifies
passengers on watchlists. TSA designed the system to identify passengers who
are the subject of watchlist records without producing an unacceptable number
of misidentifications (incorrect matches). We reported in May 2009 that TSA
was in the process of taking steps to test system accuracy, and without this
testing, TSA would lack adequate assurance that Secure Flight would fully
achieve its desired purpose and operate as intended. Therefore, to ensure the
system was achieving its intended effects, we recommended that TSA
periodically assess the accuracy of the Secure Flight system’s matching
capabilities and results. DHS concurred with our recommendation. In 2012,
we reported that TSA responded to our recommendation by establishing a
multidepartmental Match Review Board and its associated Match Review
Board Working Group to, among other things, review performance
measurement results and recommend changes to improve system
performance.6 Furthermore, TSA reported plans to periodically assess the
extent to which the Secure Flight system did not identify individuals who are
actual matches to the watchlist.7
In May 2009, we also reported that passengers could attempt to provide
fraudulent information when making an airline reservation to avoid Secure
Flight detection.8 For example, an individual on the No Fly or Selectee List
could submit identifying information not included on the terrorist watchlist
when making travel arrangements and, using a corresponding fraudulent
identity document (such as a driver’s license), pass through the security

checkpoint undetected. At the time we issued our report, Secure Flight was
aware of the vulnerability, but we did not assess any of the actions TSA was
taking to address the problem because they were not part of our review.
In light of our prior work, you asked us to review the current status of the
program, identify steps TSA has taken to address the Secure Flight
vulnerability related to passengers providing fraudulent information, and
report upon the effectiveness of TSA’s efforts to assess Secure Flight system
performance.
This report addresses the following questions:
1) How, if at all, has Secure Flight changed since implementation began

in January 2009?
2) To what extent does TSA ensure that Secure Flight screening
determinations for passengers are fully implemented at airport
security checkpoints?
3) To what extent do TSA’s performance measures appropriately assess
progress toward achieving the Secure Flight program goals?
This report is a public version of the prior sensitive report that we

provided to you. DHS and the Department of Justice deemed some of the
information in the report as sensitive security information and law
enforcement sensitive, respectively, both of which must be protected from
public disclosure. Therefore, this report omits this sensitive information, which
includes information about Secure Flight processes, high-risk lists used for
screening, Secure Flight’s ability to correctly identify individuals for
screening, and the ability of Transportation Security Officers (TSO) to carry
out Secure Flight determinations at the checkpoint. In some places throughout
the report, we note that sensitive information was omitted from the text in
order to explain why additional details were not provided. Although the
information provided in this report is more limited in scope, it addresses the
same questions as the sensitive report. Also, the overall methodology used for
both reports is the same.
To identify how the Secure Flight program has changed since 2009, we
analyzed TSA documentation related to new agency initiatives involving
Secure Flight screening, including the Secure Flight program concept of
operations, privacy notices TSA issued from 2008 (in preparation for program
implementation) through 2013, and TSA memorandums describing the
rationale for new agency initiatives involving the Secure Flight system. We
Secure Flight 37
also submitted questions on changes to Secure Flight to TSA’s Office of Chief

Counsel and reviewed its written responses. To clarify our understanding of
new agency initiatives to identify high- and low-risk passengers, we
interviewed the officials responsible for implementing these initiatives from
TSA and also U.S. Customs and Border Protection (CBP), which facilitates the
generation of one high-risk list.
To determine the extent to which TSA ensures that the Secure Flight
vetting results are fully implemented at airport security checkpoints, we
analyzed TSA documents governing the screening checkpoint, such as
standard operating procedures for checkpoint screening operations and Travel
Document Checkers (TDC) and reviewed reports about the performance of
TSOs at the checkpoint by TSA’s Office of Inspections and GAO.9 To
determine the extent to which TSA made errors at the screening checkpoint,
we analyzed certain TSA data on TSO performance at the screening
checkpoint from May 2012, when TSA began tracking these data, through
February 2014, when we conducted the analysis. We examined documentation
about these data and interviewed knowledgeable officials, and determined that
the data were sufficiently reliable for our purposes.10 In addition, to clarify our
understanding of TSA’s checkpoint operations and inform our analysis, we
interviewed officials with TSA’s Office of Security Operations (OSO), which
is responsible for checkpoint operations, and officials at nine airports. We
selected these nine airports based on a variety of factors, such as volume of
passengers screened and geographic dispersion. The results of these interviews
cannot be generalized to all airports, but provide insight into TSA’s challenges
to correctly identify and screen passengers at checkpoints. To better
understand how TSA ensures that all passengers have been appropriately
vetted by Secure Flight, we visited TSA’s Identity Verification Call Center
(IVCC) to interview officials and observe their identity verification
procedures. We compared TSA’s checkpoint procedures against Standards for
Internal Control in the Federal Government.11 Finally, to determine the extent
to which TSA’s planned technology solutions could address checkpoint errors,
we analyzed documents, such as requests for proposals, related to TSA’s
planned technology solutions and interviewed knowledgeable TSA officials.
To determine the extent to which Secure Flight performance measures
appropriately assess progress toward achieving the program’s goals, we
reviewed documentation of TSA’s program goals and performance measures
for fiscal years 2011 through 2013 and assessed these measures against
provisions of the Government Performance and Results Act (GPRA) requiring
agencies to compare actual results with performance goals.12 We also
interviewed relevant TSA officials about the fiscal year 2013 performance
measures for the Secure Flight program and the adequacy of these measures in
assessing TSA’s progress in achieving program goals. In addition, to
understand how TSA uses Secure Flight-related performance data, we
reviewed documentation related to all meetings that TSA identified of the
Secure Flight Match Review Board—a multidepartmental organization
established to, among other things, review performance measures and
recommend changes to improve system performance—from the time the board
was initiated, in March 2010, through August 2013, a total of 51 meetings. To
identify the extent to which TSA monitors and evaluates the reasons for
Secure Flight matching errors, we analyzed a list that TSA compiled at our
request of missed passengers on two high-risk lists (including the reasons for
these matching errors) that occurred from November 2010 through July 2013.
We evaluated TSA’s efforts to track cases in which TSA discovered a Secure
Flight system matching error against Standards for Internal Control in the
Federal Government.13
We conducted this performance audit from March 2013 to September
2014, in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions.
Additional details on our scope and methodology are contained in appendix I.
BACKGROUND
Responsibility for Secure Flight Operations
Several entities located within TSA’s Office of Intelligence and Analysis

share responsibility for administering the Secure Flight program. Among these
are the Operations Strategy Mission Support Branch, which acts as the
program’s lead office; the Secure Flight Operations Branch, which oversees
passenger vetting and other operational activities; and the Systems
Management and Operations Branch and the Secure Flight Technology
Branch, both of which focus on technology-related issues. Collectively, these
entities received about $93 million to carry out program operations in fiscal
year 2014.
Secure Flight 39
Overview of Secure Flight Matching and Screening Processes at

Implementation
The Secure Flight program, as implemented pursuant to the 2008 Secure

Flight Final Rule, requires U.S.- and foreign-based commercial aircraft
operators traveling to, from, within, or overflying the United States, as well as
U.S. commercial aircraft operators with international point-to-point flights, to
collect information from passengers and transmit that information
electronically to TSA.14 This information, known collectively as Secure Flight
Passenger Data (SFPD), includes personally identifiable information, such as
full name, gender, date of birth, passport information (if available), and certain
nonpersonally identifiable information, such as itinerary information and the
unique number associated with a travel record (record number locator).15
Since implementation began in January 2009, the Secure Flight system
has identified high-risk passengers by matching SFPD against the No Fly List
and the Selectee List, subsets of the Terrorist Screening Database (TSDB), the
U.S. government’s consolidated watchlist of known or suspected terrorists
maintained by the Terrorist Screening Center, a multiagency organization
administered by the Federal Bureau of Investigation (FBI).16 (We discuss
screening activities initiated after TSA began implementing Secure Flight in
2009 later in this report.) To carry out this matching, the Secure Flight system
conducts automated matching of passenger and watchlist data to identify a
pool of passengers who are potential matches to the No Fly and Selectee Lists.
Next, the system compares all potential matches against the TSA Cleared List,
a list of individuals who have applied to, and been cleared through, the DHS
redress process.17 Passengers included on the TSA Cleared List must submit a
redress number when making a reservation, which allows the Secure Flight
system to recognize and clear them.18 After the system performs automated
matching, Secure Flight analysts are to conduct manual reviews of potential
matches, which may involve consulting other classified and unclassified data
sources, to further rule out individuals who are not those included on the No
Fly and Selectee Lists.
After the completion of manual reviews, TSA precludes passengers who
remain potential matches to certain lists from receiving their boarding passes.
These passengers, for whom air carriers receive a “passenger inhibited”
message from Secure Flight, must undergo a resolution process at the airport.
This process may involve air carriers sending updated passenger information
back to Secure Flight for automated rematching or placing a call to Secure
Flight for assistance in resolving the match. 19 At the conclusion of automated
and manual screening processes (including the airport resolution process) air
carriers may not issue a boarding pass to a passenger until they receive from
Secure Flight a final screening determination. These determinations include a
“cleared” message, for passengers found not to match a watchlist, and a
“selectee” message, for matches to the Selectee List who are to be to be
designated by air carriers for enhanced screening. For passengers matching the
No Fly List, Secure Flight’s initial “passenger inhibited” message is the final
determination, and the air carrier may not issue a boarding pass (see fig. 1).
Source: GAO analysis of TSA information. ǀ GAO-14-531.
Figure 1. Secure Flight Screening as Implementation Began.
Passenger Screening at Airport Security Checkpoints
In general, passengers undergo one of three types of screening, based on

the Secure Flight determinations shown on boarding passes— standard
screening, enhanced screening for selectees, and expedited screening for low-
risk passengers.20 Standard screening typically includes a walk-through metal
detector or Advanced Imaging Technology screening, which is to identify
objects or anomalies concealed under clothing, and X-ray screening for the
passenger’s accessible property. In the event a walk-through metal detector
triggers an alarm, the Advanced Imaging Technology identifies an anomaly, or
the X-ray machine identifies a suspicious item, additional security measures,
such as pat-downs, explosives trace detection searches (which involve a device
certified by TSA to detect explosive particles), or additional physical searches
may ensue as part of the resolution process.
Secure Flight 41
Enhanced screening includes, in addition to the procedures applied during

a typical standard screening experience, a pat-down and an explosives trace
detection search or physical search of the interior of the passenger’s accessible
property, electronics, and footwear. Expedited screening typically includes
walk-through metal detector screening and X-ray screening of the passenger’s
accessible property, but unlike in standard screening, travelers do not have to,
among other things, remove their belts, shoes, or light outerwear. Passengers
not designated for enhanced or expedited screening generally receive standard
screening unless, for example, identified by TSA for a different type of
screening through the application of random and unpredictable security
measures at the screening checkpoint.21
SECURE FLIGHT INITIALLY IDENTIFIED PASSENGERS ON

TERRORIST WATCHLISTS AND NOW ALSO
DIFFERENTIATES PASSENGERS BASED ON RISK
Since January 2009, the Secure Flight program has changed from one that
identifies high-risk passengers by matching them against the No Fly and
Selectee Lists to one that assigns passengers a risk category: high risk, low
risk, or unknown risk.22 Specifically, Secure Flight now identifies passengers
as high risk if they are matched to watchlists of known or suspected terrorists
or other lists developed using certain high-risk criteria, as low risk if they are
deemed eligible for expedited screening through TSA Pre9TM—a 2011
initiative to preapprove passengers for expedited screening—or through the
application of low-risk rules, and as unknown risk if they do not fall within the
other two risk categories. To separate passengers into these risk categories,
TSA utilizes lists in addition to the No Fly and Selectee Lists, and TSA has
adapted the Secure Flight system to perform risk assessments, a new system
functionality that is distinct from both watchlist matching and matching
against lists of known travelers. At airport checkpoints, those passengers
identified as high risk receive enhanced screening, passengers identified as
low risk are eligible for expedited screening, and passengers identified as
unknown risk generally receive standard screening.23
Secure Flight Is Using New High-Risk Lists for Screening,

Including Two Lists of Individuals Who Meet Various Threat
Criteria, but Who May Not Be Known or Suspected Terrorists
Since January 2009, TSA has been using new high-risk lists for screening,
including two lists to identify passengers who may not be known or suspected
terrorists, but who—based on TSA’s application of threat criteria—should
receive enhanced screening, and an expanded list of known or suspected
terrorists in the TSDB. As initially implemented under the October 2008
Secure Flight Final Rule, the program matched the names of passengers
against the No Fly and Selectee List components of the TSDB. According to
the rule, comparing passenger information against the No Fly and Selectee
components of the TSDB (versus the entire TSDB) would be generally
satisfactory during normal security circumstances to counter the security
threat. The rule also provides that TSA may use the larger set of watchlists
maintained by the federal government as warranted by security considerations,
for example, if TSA learns that flights on a particular route may be subject to
an increased security risk.24 In such circumstances, TSA may decide to
compare passenger information on some or all flights on that route against the
full TSDB or other government databases, such as intelligence or law
enforcement databases.
Rules-Based Watchlists
After the December 25, 2009, attempt to detonate a concealed explosive
on board a U.S.-bound flight by an individual who was not a known or
suspected terrorist in the TSDB, TSA sought to identify ways to mitigate
unknown threats—individuals not in the TSDB for whom TSA has determined
enhanced screening would be prudent. To that end, TSA worked with CBP to
develop new lists for Secure Flight screening, and in April 2010, began using
the lists to identify and designate for enhanced screening passengers who may
represent unknown threats.25 To create these lists, TSA leveraged CBP’s
access to additional data submitted by passengers traveling internationally and
the capabilities of CBP’s Automated Targeting System-Passenger (ATS-P)—a
tool originally created and used by CBP that targets passengers arriving at or
departing the United States by comparing their information against law
enforcement, intelligence, and other enforcement data using risk-based
targeting scenarios and assessments.26 Specifically, analysts within the
Intelligence and Analysis Division of TSA’s Office of Intelligence and
Analysis review current intelligence to identify factors that may indicate an
Secure Flight 43
elevated risk for a passenger. TSA creates rules based on these factors and
provides them to CBP.27 CBP then uses ATS-P to identify passengers who
correspond with the rules and provides TSA information on them in the form
of a list.28 Upon receiving the list, TSA creates another rules-based list—a
subset of the larger rules-based list—based on additional criteria. Through
Secure Flight screening, TSA designates passengers matching either rules-
based list as selectees for enhanced screening.29
The Expanded Selectee List

In addition to the two ATS-P-generated lists, Secure Flight incorporated
an additional list derived from the TSDB into its screening activities in order
to designate more passengers who are known or suspected terrorists as
selectees for enhanced screening.30 Specifically, in April 2011, TSA began
conducting watchlist matching against an Expanded Selectee List that includes
all records in the TSDB with a full name (first name and surname) and full
date of birth that meet the Terrorist Screening Center’s reasonable suspicion
standard to be considered a known or suspected terrorist, but that are not
already included on the No Fly or Selectee List.31 TSA began using the
Expanded Selectee List in response to the December 25, 2009, attempted
attack, as another measure to secure civil aviation. Collectively, the No Fly,
Selectee, and Expanded Selectee Lists are used by Secure Flight to identify
passengers from the government’s consolidated database of known or
suspected terrorists.32
SECURE FLIGHT IS IDENTIFYING LOW-RISK PASSENGERS

BY SCREENING AGAINST TSA PRE9
TM
LISTS AND
CONDUCTING PASSENGER RISK ASSESSMENTS
Since October 2011, TSA has also begun using Secure Flight to identify
passengers as low risk, and therefore eligible for expedited screening, through
the use of new screening lists and by performing passenger risk assessments.33
According to TSA, identifying more passengers as eligible for expedited
screening will permit TSA to reduce screening resources for low-risk travelers,
thereby enabling TSA to concentrate screening resources on higher-risk
passenger populations. In August 2013, TSA officials stated that this approach
would support the agency’s goal of identifying 25 percent of airline passengers
as eligible for expedited screening by the end of calendar year 2013. As of
May 2014, TSA officials stated the goal had been revised to identify 50
percent of airline passengers as eligible for expedited screening by the end of
calendar year 2014.34 According to officials within TSA’s Office of Chief
Counsel, TSA’s efforts to identify low-risk travelers also fulfill a stated goal of
the 2008 Secure Flight rule to implement a “known traveler” concept that
would allow the federal government to assign a unique number to known
travelers for whom the federal government had conducted a threat assessment
and determined did not pose a security threat.
TSA Pre9TM Lists of Preapproved Low-Risk Travelers
In 2011, TSA’s Office of Risk-Based Security began implementing TSA

Pre9TM, a program that allows TSA to differentiate passengers into a low-risk
screening category and therefore identify them as eligible for expedited
screening. 35 As part of TSA’s effort to implement the TSA Pre9TM program,
Secure Flight has begun screening against several new lists of preapproved,
low-risk travelers to identify passengers who are eligible for expedited
screening.36 In October 2011, Secure Flight began screening against the first of
these lists, which contained information on certain members of three CBP
trusted traveler programs (programs in which applicants submit to federal
background checks to be approved as low-risk travelers eligible to receive
expedited processing at ports of entry).37 Since then, TSA has established
separate TSA Pre9TM lists for additional low-risk passenger populations,
including members of the U.S. armed forces, Congressional Medal of Honor
Society members, and members of the Homeland Security Advisory Council
(see app. II for a full listing of TSA Pre9TM lists used by Secure Flight for
screening).38 To identify these and other low-risk populations, TSA
coordinated and entered into agreements with a lead agency or outside entity
willing to compile and maintain the associated TSA Pre9TM list.39 Members of
the list-based, low-risk populations participating in TSA Pre9TM are provided
a unique known traveler number, and their personal identifying information
(name and date of birth), along with the known traveler number, is included on
lists used by Secure Flight for screening.
In addition to TSA Pre9TM lists sponsored by other agencies or entities,
TSA created its own TSA Pre9TM list composed of individuals who apply to
be preapproved as low-risk travelers through the TSA Pre9TM Application
Program, an initiative launched in December 2013.40 The program is another
DHS trusted traveler program, in which DHS collects a fee to conduct a
Secure Flight 45
background investigation for applicants.41 Applicants approved as low risk

through the program receive a known traveler number and are included on an
associated TSA Pre9TM Application Program list used by Secure Flight for
screening. To be recognized as low risk by the Secure Flight system,
individuals on TSA Pre9TM lists must submit their known traveler numbers
when making a flight reservation.42 As of April 2014, there were about 5.6
million individuals who, through TSA Pre9TM program lists, were eligible for
expedited screening.43
TSA Pre9TM Risk Assessments
To further increase the number of passengers identified as low risk (and

therefore TSA Pre9TM eligible), TSA adapted the Secure Flight system to
begin assigning passengers risk scores to designate them as low risk for a
specific flight. Beginning in 2011, TSA piloted a risk-based security program
to identify certain members of participating airlines’ frequent flier programs as
low risk, and therefore eligible for expedited screening for a specific flight. 44
Specifically, TSA used the Secure Flight system to assess data submitted by
these frequent fliers during the course of travel and assign them scores, which
were then used to determine eligibility for expedited screening. In October
2013, TSA expanded the use of these assessments to all passengers, not just
frequent fliers, and also began using other travel-related data to assess
passengers.45 These assessments are conducted only if the passenger has not
been designated as high risk by other Secure Flight screening activities or
matched to one of the TSA Pre9TM Lists.
The scores assigned to passengers correspond with a certain likelihood of
being designated as eligible to receive expedited screening through TSA
Pre9TM.46 According to officials within TSA’s Office of Chief Counsel, the
assessments are not watchlist matching, rather they are a means to facilitate
the secure travel of the public—a purpose of Secure Flight, as stated in the
program’s final rule and in accordance with TSA’s statutory responsibilities to
ensure the security of civil aviation.
As of May 2014, TSA uses Pre9TM risk assessments to determine a
passenger’s low-risk status and resulting eligibility for TSA Pre9TM expedited
screening, but according to TSA officials, TSA also has the capability to use
this functionality to identify high-risk passengers for enhanced screening. TSA
made adjustments to enable the Secure Flight system to perform TSA Pre9TM
risk assessments to identify high-risk passengers in March 2013.
However, TSA officials stated the agency has no immediate plans to use
the assessments to identify high-risk passengers beyond those already included
on watchlists.
New Secure Flight Screening Activities Allow TSA to

Differentiate Passengers by Risk Category
Given the changes in the program since implementation, the current

Secure Flight system screens passengers and returns one of four screening
results to the air carriers for each passenger: TSA Pre9TM eligible (expedited
screening), cleared to fly (standard screening), selectee (enhanced screening),
or do not board (see fig. 2).

a
These passengers are identified for enhanced screening at random; they not are
included on government watchlists.
Figure 2. Secure Flight Screening to Identify High- and Low-Risk Passengers.

Secure Flight 47
TSA HAS PROCESSES IN PLACE TO IMPLEMENT SECURE

FLIGHT SCREENING DETERMINATIONS AT CHECKPOINTS,
BUT COULD TAKE FURTHER ACTION TO ADDRESS
SCREENING ERRORS
TSA has developed processes to help ensure that individuals and their
accessible property receive a level of screening at airport checkpoints that
corresponds to the level of risk determined by Secure Flight.47 However, TSA
could take additional actions to prevent TSO errors in implementing these risk
determinations at the screening checkpoint. Furthermore, fraudulent
identification or boarding passes could enable individuals to evade Secure
Flight vetting, creating a potential vulnerability at the screening checkpoint.
TSA’s planned technology solutions could reduce the risk posed by fraudulent
documents at the screening checkpoint.
TSA Has Developed Processes to Implement Secure Flight

Determinations at Airport Checkpoints
TSA has developed processes to help ensure that individuals and their
accessible property receive a level of screening at airport checkpoints that
corresponds to the level of risk determined by Secure Flight.48 TDCs are
primarily responsible for ensuring that passengers receive the appropriate level
of screening because they are to verify passengers’ identities and identify
passengers’ screening designations. TSA requires passengers to present photo
identification and a boarding pass at the screening checkpoint.49 Using lights
and magnifiers, which allow the TDC to examine security features on the
passenger’s identification documents, the TDC is to examine the identification
and boarding pass to confirm that they appear genuine and pertain to the
passenger. The TDC is also to confirm that the data included on the boarding
pass and in the identity document match one another. According to TSA
standard operating procedures, TDCs may accept minor name variations
between the passenger’s boarding pass and identification.50 If the TDC finds
that the information on the identification varies significantly from the boarding
pass, the TDC is to refer the passenger to another TSA representative for
identity verification through TSA’s Identity Verification Call Center (IVCC).
If the passenger’s information varies from the SFPD submitted to Secure
Flight, the IVCC is to contact Secure Flight to vet the new information. If the
identification or boarding pass appears fraudulent, the TDC is to contact law

enforcement.
The TDC is also required to review the passenger’s boarding pass to
identify his or her Secure Flight passenger screening determination—that is,
whether the passenger should receive standard, enhanced, or expedited
screening. TDCs either examine the boarding pass manually or, where
available, scan the boarding pass using an electronic boarding pass scanning
system (BPSS).
In addition, Secure Flight provides TSA officials in the airports with
advance notice of upcoming selectees from the Selectee and Expanded
Selectee Lists, as well as those on the No Fly List. Secure Flight provides this
information to TSA officials at the passenger’s airport of departure via e-mail
beginning 72 hours prior to flight departure for the No Fly and Selectee Lists,
and via a shared electronic posting beginning 26 to 29 hours prior to flight
departure for the Expanded Selectee List.
TSA also has requirements related to TDC performance. First, according
to TSA officials, TSA designated the TDC a qualified position in February
2013, meaning that TSOs must complete training and pass a job knowledge
test to qualify as TDCs. Second, TSA has documented processes to govern the
screening checkpoint, such as standard operating procedures applicable to the
TDC, the screening checkpoint, and expedited screening that specify
responsibilities and lines of reporting. In March 2011, TSA also updated its
Screening
Management standard operating procedures to clarify that supervisory
TSOs are required to monitor TSO performance to ensure compliance with all
applicable standard operating procedures and correct improper or faulty
application of screening procedures to ensure effective, vigilant, and courteous
screening.
According to officials in TSA’s Office of Inspection, many checkpoint
failures resulted from a lack of supervision. These officials stated that when
TDCs are not properly supervised, they are more likely to take shortcuts and
miss steps in the standard operating procedures and that because working as a
TDC can be tedious and repetitive, supervision and regular rotation are
particularly important to ensure TDCs’ continued vigilance.
Secure Flight 49
TSOs Have Made Errors in Implementing Secure Flight

Screening Determinations at the Screening Checkpoint, and
Additional Actions Could Reduce the Number of Screening
Errors
Our analysis of TSA information from May 2012 through February 2014
found that TSOs have made errors in implementing Secure Flight risk
determinations at the screening checkpoint.51 By evaluating the root causes of
these errors and implementing corrective measures to address those root
causes, TSA could reduce the risk posed by TSO error at the screening
checkpoint. TSA officials we spoke with at five of the nine airports conduct
after-action reviews of screening errors at the checkpoint and have used these
reviews to take action to address the root causes of those errors. However,
TSA does not have a systematic process for evaluating the root causes of
screening errors at the checkpoint across airports, which could allow TSA to
identify trends across airports and target nationwide efforts to address these
issues.
TSA OSO officials told us that evaluating the root causes of screening
errors would be helpful and could allow them to better target TSO training
efforts. In January 2014, TSA OSO officials stated that they are in the early
stages of forming a group to discuss these errors. However, TSA was not able
to provide documentation of the group’s membership, purpose, goals, time
frames, or methodology. Standards for Internal Control in the Federal
Government states that managers should compare actual performance with
expected results and analyze significant differences.52 As TSA moves forward
with its plans to form this group, it will be important for TSA to develop a
process for evaluating the root causes of screening errors at the checkpoint and
identify and implement corrective measures, as needed, to address these root
causes. Uncovering and addressing the root causes of screening errors could
help TSA reduce the number of these errors at the checkpoint.
Fraudulent Documents Pose Risks at Airport Screening

Checkpoints, and TSA’s Planned Technology Solutions Are in
Early Stages
Fraudulent identification or boarding passes could enable individuals to

evade Secure Flight vetting, creating a potential vulnerability at the screening
checkpoint. TDCs are responsible for verifying the validity of identification
documents and boarding passes presented by passengers. In June 2012, the

TSA Assistant Administrator for the Office of Security Capabilities testified
before Congress that the wide variety of identifications and boarding passes
presented to TDCs poses challenges to effective manual verification of
passenger identity, ticketing, and vetting status.53 He testified that there are at
least 2,470 different variations of identification that could be presented at
security checkpoints and stated that it is very difficult for a TSO to have a high
level of proficiency for all of those identifications. From May 2012 through
July 2013, TSA denied 1,384 individuals access to the sterile area as a result of
identity checking procedures. These denials include travelers who did not
appear to match the photo on their identification, who presented identification
that appeared fraudulent or showed signs of tampering, and who were
unwilling or unable to provide identifying information.54 During this same
time period, TDCs also made 852 referrals to airport law enforcement because
of travelers who did not appear to match the photo on their identification,
presented identification or boarding passes that appeared fraudulent or showed
signs of tampering, or exhibited suspicious behaviors. However, TSA would
not know how many travelers successfully flew with fraudulent documents
unless those individuals came to TSA’s attention for another reason.
We have previously reported on security vulnerabilities involving the
identity verification process at the screening checkpoint. For example, in our
May 2009 report on Secure Flight, we identified a vulnerability involving the
Secure Flight system—namely, airline passengers could provide fraudulent
information when making a flight reservation to avoid detection.55 In addition,
in June 2012, we reported on several instances when passengers used
fraudulent documentation to board flights. For example, we reported that in
2006, a university student created a website that enabled individuals to create
fake boarding passes. In addition, in 2011, a man was convicted of stowing
away aboard an aircraft after using an expired boarding pass with someone
else’s name on it to fly from New York to Los Angeles. We also reported that
news reports have highlighted the apparent ease of ordering high-quality
counterfeit driver’s licenses from China.56
TSA’s planned technology solutions could reduce the risk posed by
fraudulent documents at the screening checkpoint. Boarding pass scanners are
designed to verify the digital signature on these boarding passes, allowing
TDCs to know that the boarding passes are genuine. The scanners are also to
notify the TDC when a passenger is a selectee.57 In September 2013, TSA
purchased 1,400 boarding pass scanners, at a cost of $2.6 million, and planned
to deploy 1 for every TDC at airport security checkpoints, beginning with
Secure Flight 51
TDCs in TSA Pre9TM lines. According to TSA officials, as of March 2014,

TSA had deployed all 1,400 scanners at airport security checkpoints.58
In December 2013, TSA released a request for proposal for Credential
Authentication Technology (CAT), which is a system that is designed to verify
passenger identity, ticketing status, and Secure Flight risk determination at the
screening checkpoint. CAT could address the risks of fraudulent
identifications, as well as TSO error and reliance on air carriers to properly
issue boarding passes. CAT is to verify the authenticity of identification
documents presented at the screening checkpoint, confirm the passenger’s
reservation, and provide the Secure Flight screening result for that traveler.
TDCs would no longer need to examine passengers’ boarding passes to
identify those who should receive enhanced screening, which could reduce the
potential for error. In April 2014, TSA awarded a contract for the CAT
technology solution.
TSA has faced long-standing challenges in acquiring CAT technology. In
May 2009, we found that TSA had begun working to address the vulnerability
posed by airline passengers providing fraudulent information when making a
flight reservation to avoid detection. TSA has issued four previous requests for
proposals for CAT/BPSS technology, two of which resulted in no vendors
meeting minimum requirements. In 2012, TSA piloted a joint CAT/BPSS
technology from three vendors at a cost of $4.4 million. According to TSA’s
final report on the pilot, TSA decided not to move forward with these systems
because of significant operability and performance difficulties. None of the
units tested met TSA’s throughput requirements, creating delays at the
screening checkpoint. According to TSA officials, after the joint CAT/BPSS
pilot failed, TSA decided to separate CAT technology from BPSS technology
and procure each separately.
TSA has also faced challenges in estimating the costs associated with the
CAT system. In June 2012, we reported that we could not evaluate the
credibility of TSA’s life-cycle cost estimate for CAT/BPSS because it did not
include an independent cost estimate or an assessment of how changing key
assumptions and other factors would affect the estimate.59 At that time,
according to the life-cycle cost estimate for the Passenger Screening Program,
of which CAT/BPSS is a part, the estimated 20-year life-cycle cost of
CAT/BPSS was approximately $130 million based on a procurement of 4,000
units. As of April 2014, TSA had not approved a new life-cycle cost estimate
for the CAT program, so we were unable to evaluate the extent to which TSA
has addressed these challenges in its new estimate.
TSA LACKS KEY INFORMATION TO DETERMINE

WHETHER THE SECURE FLIGHT PROGRAM IS ACHIEVING
ITS GOALS
Secure Flight Measures Do Not Fully Assess Progress toward
Goals
Secure Flight has six program goals that are relevant to the results of
screening performed by the Secure Flight computer system and the program
analysts who review computer-generated matches, including the following:
• goal 1: prevent individuals on the No Fly List from boarding an

aircraft,
• goal 2: identify individuals on the Selectee List for enhanced
screening,
• goal 3: support TSA’s risk-based security mission by identifying high-
risk passengers for appropriate security measures/actions and
identifying low-risk passengers for expedited screening,
• goal 4: minimize misidentification of individuals as potential threats
to aviation security,
• goal 5: incorporate additional risk-based security capabilities to
streamline processes and accommodate additional aviation
populations, and
• goal 6: protect passengers’ personal information from unauthorized
use and disclosure.
To assess progress with respect to these goals, the program has nine
performance measures that it reports on externally (see app. III for the nine
Secure Flight performance measures and performance results for fiscal years
2012 and 2013).60 In addition, Secure Flight has measures for a number of
other program activities that it reports internally to program managers to keep
them apprised of program performance with respect to the goals (such as the
number of confirmed matches identified to the No Fly and Selectee Lists).61
However, Secure Flight’s performance measures do not fully assess
progress toward achieving its six program goals. For goals 1 through 4 and
goal 6, we found that while TSA measured some aspects of performance
related to these goals, it did not measure aspects of performance necessary to
determine overall progress toward the goals. In addition, for goal 5, we could
Secure Flight 53
not identify any program measures that represented the type of performance
required to make progress toward achieving the goal, in part because the goal
itself did not specify how performance toward the goal should be measured.
GPRA establishes a framework for strategic planning and performance
measurement in the federal government. 62 Part of that framework involves
agencies establishing quantifiable performance measures to demonstrate how
they intend to achieve their program goals and measure the extent to which
they have done so. These measures should adequately indicate progress toward
performance goals so that agencies can compare their programs’ actual results
with desired results.63 Our prior body of work has shown that measures
adequately indicate progress toward performance goals when they represent
the important dimensions of their performance goals and reflect the core
functions of their related programs or activities.64 Further, when performance
goals are not self-measuring, performance measures should translate those
goals into concrete conditions that determine what data to collect in order to
learn whether the program has made progress in achieving its goal.65
Measures Addressing Accuracy (Goals 1 through 4)

With respect to the program’s first four goals, which address the Secure
Flight system’s ability to accurately identify passengers on various watchlists
for high- and low-risk screening, the program does not measure all aspects of
performance that are essential to achieving these goals. To measure
performance toward the first three goals, Secure Flight collects various types
of data, including the number of passengers TSA identifies as matches to high-
and low-risk lists (including the No Fly, Selectee, Expanded Selectee, rules-
based, and TSA Pre9TM lists). However, Secure Flight has no measures to
address the extent to which Secure Flight is missing passengers who are actual
matches to these lists (see table 1).
TSA Secure Flight officials stated that measuring the extent to which the
Secure Flight system may miss passengers on high-risk lists is difficult to
perform in real time.66 However, our prior work and current program
documentation show that the Secure Flight program has used proxy methods
to assess the extent to which the system is missing passengers on watchlists.
For example, we reported in May 2009 that when the Secure Flight system
was under development, TSA conducted a series of tests—using a simulated
passenger list and a simulated watchlist created by a TSA contractor with
expertise in watchlist matching—to measure the extent to which Secure Flight
did not identify all simulated watchlist records.67 In addition, for this review,
we examined meeting minutes of the Secure Flight Match Review Board—a
multidepartmental board that reviews system performance and recommends

changes—for the period May 2010 through August 2013, to determine how
the board assesses system performance. The minutes show that Secure Flight,
when contemplating a change in the system’s search capabilities, measures the
impacts of proposed changes on system performance, including the extent to
which the changes result in failures to identify watchlisted individuals. To
make these assessments, Secure Flight rematches historical passenger data and
watchlist data under proposed system changes, and compares the results with
prior Secure Flight screening outcomes to determine whether any previously
identified individuals on high-risk lists were missed.68 While helpful for Match
Review Board deliberations, the testing reflected in meeting minutes was
performed on an ad hoc basis and therefore is not a substitute for ongoing
performance measurement.
Table 1. Key Aspects of Secure Flight Performance, with Respect to

Accuracy-Related Program Goals, Including Performance That Is Not
Being Measured
Goals Secure Flight performance Performance that TSA

measures that address goal does not measure
1. Prevent • Potential matches:TSA collects • Missed No
individuals on the and regularly reviews data on the Flys:Passengers on the No
No Fly List from number of passengers identified Fly List who were not
boarding an as a potential matches to the No identified as matches by
aircraft Fly List by the Secure Flight the Secure Flight system.
system.
• Confirmed matches:TSA
collects and regularly reviews
data on the number of passengers
confirmed as being individuals on
the No Fly List.
2. Identify • Potential matches:TSA collects •Missed
individuals on the and regularly reviews data on the selectees:Passengers on the
Selectee List for number of passengers identified Selectee List who were not
enhanced as potential matches to the identified as matches by
screening Selectee List by the Secure Flight the Secure Flight system.
system.
• Confirmed matches: TSA
collects and regularly reviews
data on the number of passengers
confirmed as being individuals on
the Selectee List.
Secure Flight 55
Goals Secure Flight performance Performance that TSA

measures that address goal does not measure
3. Support TSA’s • Potential matches to high-risk • Missed high-risk
Risk-Based lists:In addition to regularly passengers:Passengers on
Security mission reviewing data on potential any high-risk list (No Fly,
by identifying matches to the No Fly and Selectee, Expanded
high- and low- Selectee Lists (see 1 and 2 Selectee, or rules-based)
risk passengers above), TSA collects and who were not identified as
for appropriate regularly reviews data on the matches by the Secure
screening number of passengers identified Flight system.
by the Secure Flight system as • Missed low-risk
potential matches to the passengers:Passengers on
Expanded Selectee and rules- TSA Pre9TM Lists who
based lists. were not identified as
• Passengers identified as low matches by the Secure
risk:TSA collects and regularly Flight system.
reviews data on the number of
boarding passes identified as TSA
Pre9TMeligible by the Secure
Flight system—including
passengers matched to TSA
Pre9TMlists and those identified
through Pre9TM risk
assessments.
4. Minimize • Misidentifications:TSA collects • Misidentifications to all
misidentification and regularly reviews data on its high-risk lists:Secure
of individuals as rate of false positives—the Flight’s performance
potential threats percentage of passengers who, measure does not account
to aviation upon arrival at the airport, are for the number of
security found to be incorrectly identified passengers incorrectly
as matches to the No Fly and identified as beingon the
Selectee Lists—and on the Expanded Selectee or
number of passengers cleared rules-basedlists.
through the TSA Cleared List.
Source: GAO analysis of Transportation Security Administration (TSA) data. | GAO-
14-531
In addition, with respect to low-risk lists, TSA could measure the extent to
which the Secure Flight system correctly identifies passengers submitting
valid known traveler numbers (i.e., an actual number on a TSA Pre9TM list)
and designates them for expedited screening.69 TSA officials have stated that
variations in the way passengers enter information when making a reservation
with a valid known traveler number can cause the system to fail to identify
them as TSA Pre9TM eligible. For example, TSA Match Review Board
documentation from December 2012 identified that the Secure Flight system
had failed to identify participants on one TSA Pre9TM list because they used
honorific titles (e.g., the Honorable and Senator) when making reservations,
and, as a result, they were not eligible for expedited screening.TSA has a
process in place to review and resolve inquiries from passengers who believe
they should have received TSA Pre9TM but did not during a recent travel
experience.70 Although helpful for addressing some TSA Pre9TM-related
problems, the process does not provide information on the extent to which
TSA is correctly identifying passengers on low-risk lists, because some
passengers may not report problems.
TSA’s fourth goal (to minimize the number of passengers misidentified as
threats on high-risk lists) also addresses system accuracy. The program’s
related performance measure, its false positive rate, accounts for the number of
passengers who have been misidentified as matches to some, but not all, high-
risk lists and, thus does not fully assess performance toward the related goal
(as shown above, in table 1). TSA’s false positive rate does not account for all
misidentifications, because, under the current Secure Flight process, TSA has
information on passengers misidentified to the No Fly and Selectee Lists, but
does not have information on passengers misidentified to the Expanded
Selectee or rules-based lists.71 TSA is currently implementing changes that
will allow it to collect more information about passengers misidentified to
other high-risk lists.72 This information, if factored into Secure Flight’s false
positive measure, would allow TSA to more fully assess the program’s ability
to minimize the misidentification of individuals as potential threats to aviation
security.
Measures Addressing Risk-Based Security Capabilities (Goal 5)

TSA does not have any measures that clearly address its goal of
incorporating additional risk-based security capabilities to streamline
processes and accommodate additional aviation populations (goal 5).
According to TSA officials, the goal addresses the program’s ability to adapt
the Secure Flight system for risk-based screening initiatives, such as TSA
Pre9TM and similar efforts that allow TSA to distinguish high-risk from low-
risk passengers. TSA officials identified several measures that address this
goal, including program measures for responding to a change in the national
threat level, the system false positive rate, and the system availability
measure.73 However, none of the measures TSA identified clearly relate to the
goal of adapting the Secure Flight system for different risk-based screening
Secure Flight 57
activities, or specify what data should be collected to measure progress toward

the goal.
Measures Addressing Privacy (Goal 6)

Secure Flight’s privacy-related measure does not allow TSA to fully
assess progress toward protecting passenger personal information (goal 6).
Upon implementing the program, in January 2009, TSA established privacy
protections to, among other things, ensure that personally identifiable
information maintained by the Secure Flight system (such as passenger name
and date of birth) is properly collected, used, and stored. To assess
performance in this area, TSA measures the percentage of passenger records
that are purged from the Secure Flight system according to requirements
established when the program was implemented.74 By purging the results of
Secure Flight matching and scoring activities from the Secure Flight system,
TSA ensures that passenger data do not remain in the system and thus will not
be subject to unauthorized use or disclosure. Nevertheless, the measure does
not assess other points in time in which the records could be subject to
unauthorized use or disclosure, such as before the records are purged or when
other government agencies request the results of Secure Flight screening for
various purposes, such as an ongoing investigation. When the Secure Flight
program was in development, TSA included among a list of possible measures
for the fully implemented program a measure for privacy incident compliance
(i.e., percentage of privacy incidents reported in compliance with DHS Privacy
Incident Handling Guidance). According to TSA officials, since then, TSA has
determined that such a measure is not needed because privacy incidents are
tracked and publicly reported on at the department level. Nevertheless,
additional measures, such as the percentage of government agencies’ requests
for Secure Flight data that are handled consistently with program privacy
requirements, would allow Secure Flight to determine the extent to which the
program is appropriately handling passenger information before it is purged
from the system.
Secure Flight’s performance measures provide program managers some
information on its progress with respect to its accuracy-related and privacy-
related goals (goals 1 through 4 and 6), but do not measure all aspects of
performance critical to achieving these goals. In addition, the measures do not
provide information on progress toward the program’s risk-based security
capabilities goal (goal 5). Additional measures that address key performance
aspects related to program goals, and that clearly identify the activities
necessary to achieve goals, would allow the program to more fully assess
progress toward its goals. For example, the extent to which the Secure Flight
system is missing individuals on the No Fly, Selectee, and other high- and
low-risk lists is an important dimension of performance related to each of the
accuracy-related goals and speaks to a core function of the Secure Flight
program—namely to accurately identify passengers on lists. Without measures
that provide a more complete understanding of Secure Flight’s performance,
TSA cannot compare actual with desired results to understand how well the
system is achieving these goals. Similarly, without a measure that reflects
misidentifications to all high-risk lists, TSA cannot appropriately gauge its
performance with respect to its goal of limiting such misidentifications.
Likewise, with respect to its privacy-related goal, additional measures that
address other key points in the Secure Flight process in which passenger
records could be inappropriately accessed would allow Secure Flight to more
fully assess the extent to which it is meeting its goal of protecting passenger
information. Finally, establishing measures that clearly represent the
performance necessary to achieve the program’s goal that addresses risk-based
security capabilities (goal 5) will allow Secure Flight to determine the extent
to which it is meeting its goal of adapting the Secure Flight system for
different risk-based screening activities.
TSA Does Not Have Timely and Reliable Information on the

Secure Flight System’s Matching Errors
TSA does not have timely and reliable information on past Secure Flight
system matching errors. As previously discussed, preventing individuals on
the No Fly List from boarding an aircraft and identifying individuals on the
Selectee List for enhanced screening are key goals of the Secure Flight
program. Standards for Internal Control in the Federal Government states that
agencies must have relevant, reliable, and timely information to determine
whether their operations are performing as expected, and that such information
can assist agencies in taking any necessary corrective actions to achieve
relevant goals.75 According to TSA officials, when TSA receives information
related to matching errors of the Secure Flight system (i.e., the computerized
matching and manual reviews conducted to identify matches of passenger and
watchlist data), the Match Review Board reviews this information to
determine if any actions could be taken to prevent similar errors from
happening again. We reviewed meeting minutes and associated documentation
for the 51 Match Review Board meetings held from March 2010 through
Secure Flight 59
August 2013, and found 16 meetings in which the Match Review Board
discussed system matching errors; investigated possible actions to address
these errors; and, when possible, implemented changes to strengthen system
performance.76
However, when we asked TSA for complete information on the extent and
causes of system matching errors, we found that TSA does not have readily
available or complete information. It took TSA over 6 months to compile a list
of such errors, a process that, according to TSA officials, required a significant
amount of manual investigation and review.77 Further, we found that the list
was not complete because it did not reflect all system errors that were
discussed at the Match Review Board meetings.78 In addition, we identified in
the list TSA provided us discussion of a system error that was not included in
the Match Review Board documentation. We also found that, for many
incidents on the list, TSA’s description of the cause of the error was not
sufficiently detailed to understand whether the Secure Flight system was at
fault.
Developing a mechanism to systematically document the number and
causes of the Secure Flight system’s matching errors would provide Secure
Flight more timely and reliable information on the extent to which the Secure
Flight system is performing as intended. TSA Match Review Board
documentation from February, 2012 confirmed the importance of such
information, citing the need for more detailed information on instances when
the Secure Flight system has not performed as intended. A mechanism to
ensure that the results of Match Review Board investigations are
systematically documented would be one way to provide such information.
Furthermore, without timely and reliable information on system matching
errors, TSA is not in the best position to determine whether Secure Flight is
achieving relevant goals, investigate all potential causes of these errors, and
identify and implement sufficient corrective actions.
CONCLUSION
The Secure Flight program is one of TSA’s key tools for defending civil
aviation against terrorist threats. Since TSA began implementing the program,
in January 2009, Secure Flight has expanded from a system that matches
airline passengers against watchlists of known or suspected terrorists to a
system that uses additional high-risk lists and conducts risk-based screening
assessments of passengers. Specifically, through the use of new high-risk
screening lists, the program now identifies a broader range of high-risk

travelers—including ones who may not be on lists of known and suspected
terrorists but who nevertheless correspond with known threat criteria. TSA has
also begun using Secure Flight to identify low-risk passengers eligible for
expedited screening through TSA Pre9TM. Given Secure Flight’s importance
to securing civil aviation and achieving TSA’s risk-based screening goals, the
extent to which passengers are being accurately identified by the system
(including computerized matching and manual reviews) for standard,
expedited, and enhanced screening is critically important. More broadly, to
fully realize the security benefits of the Secure Flight program, it is critical that
TSA checkpoint personnel correctly identify and appropriately screen travelers
according to Secure Flight determinations. Better information on both system
and checkpoint performance, therefore, would provide TSA with greater
assurance that Secure Flight is achieving its desired purpose to correctly
identify passengers for standard, expedited, and enhanced checkpoint
screening.
Specifically, TSA would have better assurance that all passengers are
screened in accordance with their Secure Flight risk determinations by
investigating checkpoint errors and taking appropriate corrective action.
Evaluating the root causes of screening errors across all airport checkpoints
would provide TSA more complete information on such cases and serve as the
basis for policies to ensure the checkpoint is correctly processing passengers.
In addition, implementing corrective measures to address the root causes that
TSA identifies through its evaluation process would help strengthen
checkpoint operations. Furthermore, establishing measures that cover all
activities necessary to achieve Secure Flight program goals would allow TSA
to more fully assess progress toward these goals. Finally, when TSA learns of
Secure Flight system matching errors, a mechanism to systematically
document the number and causes of these errors would help ensure that TSA
had timely and reliable information to take any corrective action to strengthen
system performance.
RECOMMENDATIONS FOR EXECUTIVE ACTION

We recommend that the Transportation Security Administration’s
Administrator take the following four actions:
Secure Flight 61
• to further improve the implementation of Secure Flight risk

determinations at the screening checkpoint, develop a process for
regularly evaluating the root causes of screening errors across airports
so that corrective measures can be identified;
• to address the root causes of screening errors at the checkpoint,
thereby strengthening checkpoint operations, implement the corrective
measures TSA identifies through a root cause evaluation process;
• to assess the progress of the Secure Flight program toward achieving
its goals, develop additional measures to address key performance
aspects related to each program goal, and ensure these measures
clearly identify the activities necessary to achieve progress toward the
goal; and
• to provide Secure Flight program managers with timely and reliable
information on cases in which TSA learns of Secure Flight system
matching errors, develop a mechanism to systematically document the
number and causes of such cases, for the purpose of improving
program performance.
AGENCY COMMENTS AND OUR EVALUATION

We provided a draft of this report to DHS and the Department of Justice
for their review and comment. DHS provided written comments on August 25,
2014, which are summarized below. DHS concurred with all four of our
recommendations and described actions under way or planned to address
them. In addition, DHS provided written technical comments, which we
incorporated into the report as appropriate.
DHS concurred with our first recommendation, that TSA develop a
process for regularly evaluating the root causes of checkpoint screening errors
across airports so that corrective measures can be identified. DHS stated that
TSA is collecting data on the root causes of checkpoint screening errors in its
Security Incident Reporting Tool (SIRT) and that TSA OSO’s Operations
Performance Division will develop a process for regularly evaluating the root
causes of checkpoint screening errors across airports and identify corrective
measures. DHS estimates that this will be completed by September 30, 2014.
These actions, if implemented effectively, should address the intent of our
recommendation.
Regarding our second recommendation, that TSA implement the
corrective measures it identifies through a root cause evaluation process, DHS
concurred. DHS stated that TSA OSO’s Operations Performance Division will
evaluate the data gathered from airports through SIRT to identify root causes
of checkpoint screening errors and on the basis of the root cause, work with
the appropriate TSA program office to implement corrective measures. Such
actions could help to reduce the likelihood that TSA will fail to appropriately
screen passengers at the screening checkpoint. Additionally, DHS concurred
with our third recommendation, that TSA develop additional measures to
address key performance aspects related to each program goal and ensure
these measures clearly identify the activities necessary to achieve progress
toward the goal. DHS stated that TSA's Office of Intelligence and Analysis
will evaluate its current Secure Flight performance goals and measures and
develop new performance measures as necessary. DHS further stated that TSA
will explore the possibility of implementing analyses to measure match
effectiveness through the use of test data sets. Such actions could help TSA
better monitor the performance of the Secure Flight program.
DHS also concurred with our fourth recommendation, that TSA develop a
mechanism to systematically document the number and causes of cases in
which TSA learns that the Secure Flight system has made a matching error.
DHS stated that TSA's Office of Intelligence and Analysis will develop a more
robust process to track all known cases in which the Secure Flight system has
made a matching error, and that the Secure Flight Match Review Board will
conduct reviews to identify potential system improvement measures on a
quarterly basis. TSA plans to implement these efforts by December 31, 2014.
These actions, if implemented effectively, should address the intent of our
recommendation. We will continue to monitor DHS’s efforts.
The Department of Justice did not have formal comments on our draft
report, but provided technical comments, which we incorporated as
appropriate.
Jennifer A. Grover, Director

Homeland Security and Justice Issues
APPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY

This report addresses the following questions:
1) How, if at all, has Secure Flight changed since implementation began

in January 2009?
Secure Flight 63
2) To what extent does the Transportation Security Administration

(TSA) ensure that Secure Flight screening determinations for
passengers are fully implemented at airport security checkpoints?
3) To what extent do TSA’s performance measures appropriately assess
progress toward achieving the Secure Flight program goals?
To identify how the Secure Flight program has changed since

implementation began, we analyzed TSA documentation related to new
agency initiatives involving Secure Flight screening since January 2009,
including the Secure Flight program concept of operations, privacy notices
TSA issued from 2008 (in preparation to begin program implementation)
through 2013, and TSA memorandums describing the rationale for new
agency initiatives involving the Secure Flight system. We also submitted
questions on how Secure Flight has changed to TSA’s Office of Chief Counsel
and reviewed its responses. To clarify our understanding of a new agency
initiative to identify high-risk passengers not already included in the Terrorist
Screening Database (TSDB)—the U.S. government’s consolidated list of
known or suspected terrorists—we spoke with relevant officials in the
Intelligence and Analysis Division of TSA’s Office of Intelligence and
Analysis, who are responsible for the initiative, and with officials from U.S.
Customs and Border Protection, who facilitate the generation of one rules-
based list. In addition, to understand new initiatives involving Secure Flight
screening to identify low-risk travelers, we spoke with Secure Flight program
officials and with officials in TSA’s Office of Risk Based Security who
oversee TSA Pre9TM, a 2011 program that allows TSA to designate
preapproved passengers as low risk, and TSA Pre9TM risk assessments,
another initiative to identify passengers as low risk for a specific flight.
To determine the extent to which TSA ensures that the Secure Flight
vetting results are fully implemented at airport security checkpoints, we
analyzed TSA documents governing the screening checkpoint, such as
standard operating procedures for checkpoint screening operations and Travel
Document Checkers (TDC) and reviewed reports about the performance of
Transportation Security Officers (TSO) at the checkpoint by TSA’s Office of
Inspections and GAO.1 To determine the extent to which TSA made errors at
the screening checkpoint, we analyzed certain TSA data on TSO performance
at the screening checkpoint from May 2012, when TSA began tracking these
data, through February 2014, when we conducted the analysis.2 We examined
documentation about these data and interviewed knowledgeable officials, and
determined that the data were sufficiently reliable for our purposes. In
addition, to clarify our understanding of TSA’s checkpoint operations and

inform our analysis, we interviewed officials within TSA’s Office of Security
Operations, which is responsible for checkpoint operations, and TSA officials
at nine airports. We selected these nine airports based on a variety of factors,
such as volume of passengers screened and geographic dispersion. The results
of these interviews cannot be generalized to all airports, but provide insight
into TSA’s challenges to correctly identify and screen passengers at
checkpoints. To better understand how TSA ensures that all passengers have
been appropriately screened by Secure Flight, we visited TSA’s Identity
Verification Call Center to interview officials and observe their identity
verification procedures. We compared TSA’s checkpoint procedures against
Standards for Internal Control in the Federal Government.3 Finally, to
determine the extent to which TSA’s planned technology solutions could
address checkpoint errors, we analyzed documents, such as requests for
proposals, related to TSA’s planned technology solutions and interviewed
knowledgeable TSA officials.
To determine the extent to which Secure Flight performance measures
appropriately assess progress toward achieving the program goals, we
reviewed documentation of TSA’s program goals and performance measures
for fiscal years 2012 and 2013—including the measures Secure Flight reports
externally to the Department of Homeland Security and the Office of
Management and Budget (OMB), as well as other internal performance
measures Secure Flight officials use for program management purposes—and
discussed these measures with Secure Flight officials. We assessed these
measures against provisions of the Government Performance and Results Act
(GPRA) of 1993 and the GPRA Modernization Act of 2010 requiring agencies
to compare actual results with performance goals.4 Although GPRA’s
requirements apply at the agency level, in our prior work, we have reported
that these requirements can serve as leading practices at lower levels within an
organization, such as individual programs or initiatives, through a review of
our related products, OMB guidance, and studies by the National Academy of
Public Administration and the Urban Institute.5 We also interviewed relevant
TSA officials about the current performance measures for the Secure Flight
program and the adequacy of these measures in assessing TSA’s progress in
achieving program goals.
In addition, to understand how TSA uses Secure Flight-related
performance data, we reviewed documentation related to all meetings that
TSA identified of the Secure Flight Match Review Board—a
multidepartmental entity established to, among other things, review
Secure Flight 65
performance measures and recommend changes to improve system

performance—from the time was the board was initiated, in March 2010,
through August 2013, a total of 51 meetings. To identify the extent to which
TSA monitors and evaluates the reasons for any Secure Flight system
matching errors, we analyzed a list of such errors that occurred from
November 2010 (the point at which the Secure Flight program was
implemented for all covered domestic and foreign air carriers) through July
2013 that TSA compiled at our request. To assess the accuracy and
completeness of the list TSA provided, we also checked to see if system
matching errors we identified in documentation from the Match Review Board
meetings were included in TSA’s list. We evaluated TSA’s efforts to
document system matching errors against standards for information and
communications identified in GAO’s Standards for Internal Control in the
Federal Government.6
We conducted this performance audit from March 2013 to September
2014 in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient,
obtained provides a reasonable basis for our findings and conclusions.
APPENDIX II: SECURE FLIGHT SCREENING LISTS

AND ACTIVITIES
In January 2009, the Transportation Security Administration (TSA) began

implementing the Secure Flight program to facilitate the identification of high-
risk passengers who may pose security risks to civil aviation, and designate
them for additional screening at airport checkpoints. Since then, TSA has
begun using Secure Flight to identify low-risk passengers eligible for more
efficient processing at the checkpoint. This appendix presents an overview of
the lists and other activities as of July 2013 that Secure Flight uses to identify
passengers as high risk or low risk.1 The Secure Flight program, as
implemented pursuant to the 2008 Secure Flight Final Rule, requires
commercial aircraft operators traveling to, from, within, or overflying the
United States to collect information from passengers and transmit that
information electronically to TSA.2
a
All TSDB-based watchlists utilized by the Secure Flight program contain records determined to meet the Terrorist Screening Center’s
reasonable suspicion standard. In general, to meet the reasonable suspicion standard, the agency nominating an individual for inclusion in
the TSDB must consider the totality of information available that, taken together with rational inferences from that information, reasonably
warrants a determination that an individual is known or suspected to be or have been knowingly engaged in conduct constituting, in
preparation for, in aid of, or related to terrorism or terrorist activities. In addition, to be included on the No Fly or Selectee Lists,
individuals must meet certain criteria specific to these lists. The TSDB, which is the U.S. government’s consolidated watchlist of known or
suspected terrorists, also contains records on additional populations of individuals that do not meet the reasonable suspicion standard
articulated above but that other federal agencies utilize to support their border and immigration screening missions.
Figure 3. Secure Fight Screening Activities to Identify High-Risk Passengers.

a
In addition to U.S. citizens, the CBP Trusted Traveler Lists also includes U.S. lawful permanent residents and non-U.S. citizen
members.
Figure 4. Secure Flight Screening Activities to Identify Low-Risk Passengers.

Figure 5. Other Lists Secure Flight Uses for Screening.

Secure Flight 69
The Secure Flight system uses this information to screen passengers by

conducting computerized matching against government lists and other risk
assessment activities.3 As a result of this screening, passengers identified as
high risk receive enhanced screening, which includes, in addition to the
procedures applied during a typical standard screening experience, a pat-down
and either an explosive trace detection search involving a device certified by
TSA to detect explosive particles or a physical search of the interior of the
passenger’s accessible property, electronics, and footwear.4 Those passengers
Secure Flight identifies as low risk are eligible to receive expedited screening,
which unlike standard screening, affords travelers certain conveniences, such
as not having to remove their belts, shoes, or light outerwear when screened.
Figure 3 provides information on the lists Secure Flight uses to identify
high-risk passengers. Figure 4 describes Secure Flight’s activities to identify
low-risk passengers, including screening against lists associated with the TSA
Pre9TM Program, a 2011 initiative that allows TSA to designate preapproved
passengers as low risk, and TSA Pre9TM risk assessments, which assess
passengers’ risk using data submitted to Secure Flight for screening. Figure 5
describes two additional lists Secure Flight uses for passenger screening that,
depending on the list, exempt passengers from being designated as low or high
risk.
APPENDIX III: SECURE FLIGHT PERFORMANCE DATA FOR

FISCAL YEARS 2012 AND 2013
This appendix presents data on the Secure Flight program’s performance
measures and associated performance results that the Transportation Security
Administration (TSA) reported externally to the Department of Homeland
Security (DHS) and the Office of Management and Budget (OMB).
Specifically, table 2 displays data on six Secure Flight Key Performance
Parameters—key system capabilities that must be met in order for a system to
meet its operational goals—that TSA management reported to DHS for fiscal
years 2012 and 2013. Table 3 displays data on five Secure Flight program
measures that TSA management reported to OMB for fiscal years 2012 and
2013. The OMB measures are part of the program’s yearly exhibit 300, also
called the Capital Asset Plan and Business Case, a document that agencies
submit to OMB to justify resource requests for major information technology
investments.1 TSA reports performance data for all these measures on a
monthly basis, and for each measure, we have provided the range of the
performance measurement results for each fiscal year.
Overview of the Secure Flight Screening Process

Flight Final Rule, requires commercial aircraft operators traveling to, from, or
overflying the United States to collect information from passengers and
transmit that information electronically to TSA. This information, known
collectively as Secure Flight Passenger Data (SFPD), includes personally
identifiable information, such as full name, gender, date of birth, passport
information (if available), and certain nonpersonally identifiable information,
such as itinerary information and the unique number associated with a travel
record (record number locator).2
The Secure Flight program designates passengers for risk-appropriate
screening by matching SFPD against various lists composed of individuals
who should be identified, for the purpose of checkpoint screening, as either
high risk or low risk.3 With respect to matching passengers against lists, the
Secure Flight computer system first conducts automated matching of
passenger and watchlist data to identify a pool of passengers who are potential
matches to various lists. Next, the system compares all potential matches
against the TSA Cleared List, a list of individuals who have applied to, and
been cleared through, the DHS redress process.4 Passengers included on the
TSA Cleared List submit a redress number when making a reservation, which
allows the Secure Flight system to recognize and clear them.5 After the system
performs automated matching, Secure Flight analysts conduct manual reviews
of potential matches to further rule out individuals who are not included on the
No Fly and Selectee Lists.
After the completion of manual reviews, TSA precludes passengers who
remain potential matches to certain lists from receiving their boarding passes.
These passengers, for whom air carriers receive a “passenger inhibited”
message from Secure Flight, must undergo a resolution process at the airport.
This process may involve air carriers sending updated passenger information
back to Secure Flight for automated rematching or placing a call to Secure
Flight for assistance in resolving the match.6 At the conclusion of automated
and manual screening processes, Secure Flight provides air carriers with a
final screening determination for each passenger.7 At airport checkpoints,
Secure Flight 71
those passengers identified as high risk receive enhanced screening and those
identified as low risk are eligible for expedited screening.8
Table 2. Secure Flight Key Performance Parameters and Results for

Fiscal Years 2012 and 2013
Goal Definition Thresholda Objectiveb Range for Range for

2012 2013
Program Secure Flight’s 48 hours 24 hours 24 hoursd Not
response ability to adjust the applicablee
time to a Secure Flight system
change in and appropriately
threat level staff the Secure
Flight Operations
Center (SOC) to
match a change in
threat levelc
Resolution The percentage of 88% 90% 79.73% 94.85%
Service phone calls to the to to 98.03%
Center SOC that are 97.51%f
service answered in 10
level seconds or less
Secure The estimated match 0.125% <=0.1% 0.08% 0.07%
Flight rates by the Secure to 0.12% to 0.09%
system Flight system under
match rates normal operating
(domestic) circumstances,
assuming that the
passenger
information
provided includes
full name and date
of birth
False The percentage of 0.06% 0.03% 0.0015% 0.0017%
positive rate passengers whose to to
name is deemed a 0.0023% 0.0026%
match after being
processed through
the Secure Flight
name-matching
processing,
including
identification
verification
Service The total percentage 99.95% 99.99% 99.98% 100%j
availabilityg of time the system is to 100%i
up and runningh
Table 2. (Continued)
Goal Definition Thresholda Objectiveb Range for Range for

2012 2013
Automated The percentage of 98% 99.99% 99.57% 99.78%
clearing of redressed to to 99.99%
redressed individuals 99.99%
individualsk automatically
cleared by Secure
Flight who have
submitted a redress
number that is on
the Transportation
Security
Administration
(TSA) Cleared List
Source: GAO analysis of Transportation Security Administration data. | GAO-14-531
a
According to Secure Flight officials, the threshold represents the minimum acceptable
performance for the parameter.
b
According to Secure Flight officials, the objective represents Secure Flight’s desired
level of performance for the parameter.
c
The Department of Homeland Security National Terrorism Advisory System is to
communicate information about the risk of a terrorist attack on the United States
by providing timely, detailed information to the public, government agencies, first
responders, airports and other transportation hubs, and the private sector. Using
available information, the Secretary of Homeland Security will make a statement
to indicate that there has been a change in the threat level. These alerts are to
provide a clear statement that there is an imminent threat or an elevated threat.
d
There was one change in threat level during fiscal year 2012, and in response to that
change, Secure Flight met its performance objective.
e
According to TSA officials, there are no performance data for this measure for fiscal
year 2013 because there was no change in the national threat level during this
period.
f
S ecure Flight did not meet its performance threshold or objective for Resolution
Service Center Service Level for 1 month during fiscal year 2012. According to a
TSA official, there was a high number of airline system outages reported to the
SOC for multiple airlines, which caused an unexpected workload increase.
g
Secure Flight also tracks service availability as one of its Office of Management and
Budget (OMB)- reported measures (see table 3).
h
The percentage is derived from a 12-month rolling average.
I
Secure Flight did not meet its performance objective for service availability for 2
months in fiscal year 2012.
j
Performance results were 100 percent throughout fiscal year 2013.
k
Secure Flight also tracks automated clearing of redressed individuals as one of its
OMB-reported measures (see table 3).
Secure Flight 73
Table 3. Secure Flight Office of Management and Budget (OMB)

Performance Measures and Results for Fiscal Years 2012 and 2013
Measure Definition Performance Range Range

target for 2012 for2013
Percentage of aircraft The percentage of aircraft 100% 100%a 100%a
operators on-boarded operators on-boarded with
with Secure Flight Secure Flight of all aircraft
operators covered by the
Secure Flight final rule
Automated clearing of The percentage of redressed 95% 99.57% 99.78%
redressed individualsb individuals automatically to to
cleared by Secure Flight who 99.99% 99.99%
have submitted a redress
number that is on the
Transportation Security
Administration (TSA) Cleared
List
Percentage of records The percentage of records 100% 100%d 100%d
purged in accordance purged of those records
with National Archives scheduled to be purged
and Records
Administration
schedule retention
guidelinesc
Service availabilitye The total monthly minutes of 99.99% 99.98% 100%g
Secure Flight system to 100%f
availability minus the total
duration in minutes of
significant Secure Flight
system disruptions, divided by
total monthly availability of
Secure Flight in minutes
Compliant Secure The percentage of air carrier 100% 97.24% 97.44%
Flight Passenger Data submissions that include the to to
(SFPD) submissions passenger’s full name, date of 97.88%h 99.96%h
birth, and gender (i.e., the key
passenger data required for
Secure Flight screening)
Source: GAO analysis of TSA data. | GAO-14-531
a
Performance results were 100 percent for each month of the fiscal year.
b
Secure Flight also tracks automated clearing of redress individuals as one of its Key
Performance Parameters (see table 2). According to Secure Flight officials, the
Key Performance Parameter objective and the OMB 300 performance target
should not be different for this measure.
c
In implementing Secure Flight, TSA established privacy protections to, among other
things, ensure that personally identifiable information maintained by the Secure
Flight system, such as passenger name and date of birth, is properly collected,
used, and stored. Specifically, the requirements allow Secure Flight to store results
for passengers not identified as a match to a government watchlist for up to 7
days, potential matches for up to 7 years, and confirmed matches for 99 years,
after which they must be purged from the system. According to Secure Flight
documentation, records for passengers identified as low risk are treated the same
as nonmatches and must be purged within 7 days. Records for passengers who
match the Expanded Selectee and rules-based lists are treated as potential matches
and must be purged within 7 years.
d
Performance results were 100 percent throughout the fiscal year.
e
Secure Flight also tracks service availability as one of its Key Performance
Parameters (see table 2).
f
Secure Flight did not meet its performance target for service availability for 2 months
during the fiscal year.
g
Performance results were 100 percent throughout fiscal year 2013.
h
Secure Flight did not meet its performance target for any month during this fiscal
year. Secure Flight officials stated that this metric is outside of the program’s
control because Secure Flight relies on air carriers to submit these data. According
to TSA officials, to improve air carrier compliance, TSA monitors carrier
submissions and works with carriers to inform them about Secure Flight data
requirements.
End Notes
1
See Pub. L. No. 108-458, § 4012(a), 118 Stat. 3638, 3714-18 (2004) (codified at 49 U.S.C. §
44903(j)(2)(C)). The 9/11 Commission, The 9/11 Commission Report: Final Report of the
National Commission on Terrorist Attacks upon the United States, (Washington, D.C.: July
2004). TSA efforts to develop a computer-assisted passenger prescreening system predated
the Intelligence Reform and Terrorism Prevention Act and the report of the 9/11
Commission.
2
The No Fly and Selectee Lists are subsets of the Terrorist Screening Database (TSDB)— the
U.S. government’s consolidated watchlist of known or suspected terrorists. Not all identities
within the TSDB are included on the No Fly and Selectee Lists; rather, to be included on
either list, individuals must meet certain criteria specific to the list.
3
In addition to passengers, Secure Flight screens certain nontraveling individuals, such as escorts
for minor, elderly, and disabled passengers; airport and aircraft operator employees; and law
enforcement officers who are authorized to access the airport’s sterile area—the portion of
an airport beyond the security screening checkpoint that provides passengers access to
boarding aircraft and to which access is generally controlled through the screening of
persons and property. See 49 C.F.R. § 1540.5. Also, Secure Flight began screening
passengers on certain flights operated by foreign air carriers overflying United States
airspace on October 24, 2012. Specifically, this includes flights over the continental United
States, which includes the contiguous lower 48 states and excludes Hawaii and Alaska, and
flights transiting the continental United States between two airports or locations in the same
country where that country is Canada or Mexico. In addition, on October 31, 2013, Secure
Secure Flight 75
Flight began screening passengers traveling on certain Department of Defense flights. For
purposes of this report, the terms “commercial flight” and “commercial aircraft operators”
include the passenger operations of U.S. and foreign-flagged air carriers operating in
accordance with 49 C.F.R. §§ 1544.101(a) and 1546.101(a)-(b), respectively. These terms
correspond to “covered flight” and “covered aircraft operator,” respectively as those terms
are defined in the Secure Flight Final Rule. See 49 C.F.R. § 1560.3.
4
In 2003, TSA initiated work on developing a passenger prescreening system operated by the
federal government. At the time, passenger prescreening involved U.S. and foreign air
carriers matching passenger information against watchlists to identify passengers who
should undergo additional security scrutiny. We performed this work in accordance with
statutory mandates, beginning with the Department of Homeland Security Appropriations
Act, 2004, Pub. L. No. 108-90, § 519, 117 Stat. 1137, 1155-56 (2003), and, most recently,
the Department of Homeland Security Appropriations Act, 2009, Pub. L. No. 110-329, Div.
D, § 512, 122 Stat. 3574, 3682-83 (2008), and pursuant to the requests of various
congressional committees.
5
GAO, Aviation Security: TSA Has Completed Key Activities Associated with Implementing
Secure Flight, but Additional Actions Are Needed to Mitigate Risks, GAO-09-292
(Washington, D.C.: May 13, 2009).
6
GAO, Terrorist Watchlist: Routinely Assessing Impacts of Agency Actions since the December
25, 2009, Attempted Attack Could Help Inform Future Efforts, GAO-12-476 (Washington,
D.C.: May 31, 2012).
7
GAO-12-476. These actions addressed our 2009 recommendation.
8
GAO-09-292.
9
For purposes of this report, and unless otherwise noted, references to TSOs, which include
TDCs, include both TSA-employed screening personnel and screening personnel employed
by a private sector company contracted with TSA to perform screening services at airports
participating in TSA’s Screening Partnership Program. See 49 U.S.C. § 44920.
10
We did not evaluate the extent to which Secure Flight screening determinations for low-risk
passengers are implemented at airport security checkpoints.
11
GAO, Internal Control: Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1, 1999).
12
See generally Government Performance and Results Act of 1993 (GPRA), Pub. L. No. 103-62,
107 Stat. 285 (1993). GPRA was updated by the GPRA Modernization Act of 2010, Pub. L.
No. 111-352, 124 Stat. 3866 (2011). Although GPRA’s requirements apply at the agency
level, on the basis of our review of related GAO products, Office of Management and
Budget (OMB) guidance, and studies by the National Academy of Public Administration
and the Urban Institute, we have previously reported that these requirements can serve as
leading practices in lower levels within an organization, such as with individual programs or
initiatives. See GAO, Pipeline Safety: Management of the Office of Pipeline Safety’s
Enforcement Program Needs Further Strengthening, GAO-04-801 (Washington D.C.: Jul.
23, 2004).
13
GAO/AIMD-00-21.3.1.
14
Secure Flight Program, 73 Fed. Reg. 64,018 (Oct. 28, 2008) (codified at 49 C.F.R. pt. 1560).
15
See 49 C.F.R. § 1560.3. Aircraft operators must transmit available SFPD to Secure Flight
approximately 72 hours prior to scheduled flight departure. For reservations created within
72 hours of flight departure, covered aircraft operators must submit passenger data as soon
as they become available.
16
Secure Flight also matches passenger data against the Centers for Disease Control and
Prevention (CDC) Do Not Board List, which includes individuals who pose a significant
health risk to other travelers and are not allowed to fly. The Do Not Board List is managed
by CDC. See app. II for information on all the lists Secure Flight uses for screening.
17
The DHS Traveler Redress Inquiry Program (DHS TRIP) administers the TSA Cleared List.
DHS established DHS TRIP in February 2007 to provide individuals, including those who
believe they have been delayed or inconvenienced during travel because they have been
wrongly identified as the subject of a watchlist record, an opportunity to be cleared. We
have ongoing work on the extent to which DHS TRIP addresses delays and inconveniences
associated with Secure Flight screening and expect to report on this work in September
2014.
18
Because of the application of other TSA security measures, such as random selection, an
individual’s presence on the Cleared List will diminish, but not preclude, the possibility of
being selected for enhanced screening. The technical term for redress number is “redress
control number.”
19
This process may also involve the Secure Flight analyst contacting the Terrorist Screening
Center for assistance in confirming or ruling out the match.
20
This section describes checkpoint screening activities as of May 2014. When Secure Flight
implementation began, in 2009, TSA did not have a program in place to identify low-risk
passengers eligible for expedited screening. We discuss more recent activities of TSA and
the Secure Flight program to identify low-risk passengers for expedited screening later in
this report.
21
Passengers who are to receive standard screening could receive expedited screening as part of
Managed Inclusion at the screening checkpoint. Under Managed Inclusion, TSA randomly
directs a certain percentage of passengers not otherwise designated that day as eligible for
expedited screening to the expedited screening lane. Additionally, passengers designated for
expedited screening may receive standard screening as part of random and unpredictable
security measures. We expect to issue a report on expedited screening, including managed
inclusion, later this year.
22
The level of screening for a passenger may change from flight to flight based on the particulars
of a flight or the individual.
23
Passengers matched to the No Fly and CDC Do Not Board Lists are considered highest risk,
and thus are not to receive boarding passes, and should not be allowed entry at airport
checkpoints.
24
Pursuant to the Intelligence Reform and Terrorism Prevention Act of 2004, TSA was to assume
performance of the passenger prescreening function of comparing passenger information
against the No Fly and Selectee Lists and utilize all appropriate records in the consolidated
and integrated terrorist watchlist maintained by the federal government in performing that
function. See 49 U.S.C. § 44903(j)(2)(C).
25
TSA uses two separate lists to address vulnerabilities exposed by the 2009 attempted attack.
Further detail about these lists has been designated sensitive information, and thus cannot be
included in a public report.
26
CBP collects additional passenger information in order to fulfill its mission of securing the
U.S. border while facilitating lawful travel and trade. See 19 C.F.R. § 122.49a(b)(3).
27
These rules are criteria used by ATS-P to create the rules-based watchlists. The Department of
Homeland Security’s Office for Civil Rights and Civil Liberties, Privacy Office, and Office
of the General Counsel are responsible for conducting quarterly reviews of these rules. The
reviews are intended to ensure the rules are based on current intelligence identifying
Secure Flight 77
specific potential threats; are deactivated when no longer necessary to address those threats;
are appropriately tailored to minimize the impact upon bona fide travelers’ civil rights, civil
liberties, and privacy; and are in compliance with relevant legal authorities, regulations, and
DHS policies.
28
According to TSA officials, individuals remain on the list for the time required to cover the
scheduled travel.
29
According to officials within TSA’s Office of Chief Counsel, Secure Flight’s use of rules-
based watchlists is consistent with conducting watchlist matching under the “larger set of
watchlists maintained by the Federal government as warranted by security considerations”
as explained in the Secure Flight Final Rule, and nothing in statute or regulation prevents
TSA from using non-TSDB-derived watchlists citing, among other provisions, 49 U.S.C. §§
114 and 44903(j)(2)(C).
30
According to TSA officials, the entire TSDB is not used for Secure Flight screening because
records with partial data (i.e., without first name, surname, and date of birth) could result in
a significant increase in the number of passengers misidentified as being on the watchlist
and cause unwarranted delay or inconvenience to travelers.
31
All TSDB-based watchlists utilized by the Secure Flight program contain records determined
to have met the reasonable suspicion standard. In general, to meet the reasonable suspicion
standard, the agency nominating an individual for inclusion in the TSDB must consider the
totality of information available that, taken together with rational inferences from that
information, reasonably warrants a determination that an individual is known or suspected
to be or have been knowingly engaged in conduct constituting, in preparation for, in aid of,
or related to terrorism or terrorist activities. As previously discussed, to be included on the
No Fly and Selectee Lists, individuals must meet criteria specific to these lists. The TSDB,
which is the U.S. government’s consolidated watchlist of known or suspected terrorists, also
contains records on additional populations of individuals that do not meet the reasonable
suspicion standard articulated above that other federal agencies utilize to support their
border and immigration screening missions.
32
Secure Flight also randomly identifies passengers as selectees for enhanced screening.
33
When TSA, through Secure Flight, determines that a passenger is eligible for expedited
screening, the passenger’s boarding pass is encoded so that he or she is routed to the proper
screening lane.
34
TSA also tracks the number of passengers who receive expedited screening.
35
We expect to issue a report on TSA’s Pre9TM program later this year.
36
I ndividuals on the TSA Pre9TM lists receive Known Traveler Numbers that they must submit
when making travel reservations to be identified as low-risk. See 49 C.F.R. § 1560.3
(defining “Known Traveler Number”). TSA also refers to these lists as Known Traveler
lists.
37
The three CBP Trusted Traveler programs are NEXUS, SENTRI, and Global Entry. See GAO,
Trusted Travelers: Programs Provide Benefits but Enrollment Processes Could Be
Strengthened, GAO-14-483 (Washington, D.C.: May 30, 2014).
38
As of March 2014, the TSA Pre9TM list for the U.S. armed forces included eligible members of
the Army, Navy, Marine Corps, Air Force, and Coast Guard.
39
According to TSA officials, per these agreements, agencies are to maintain the lists by ensuring
that individuals continue to meet the criteria for inclusion and to update the lists as needed.
We did not review the extent to which agencies are maintaining the lists.
40
TSA leveraged existing federal capabilities to both enroll and conduct background checks for
program applicants. For example, for the TSA Pre9TM Application Program, TSA is using
enrollment centers previously established for the Transportation Worker Identification

Credential Program (TSA’s program to provide a biometric credential to certain
transportation workers) and existing transportation vetting systems to conduct applicant
background checks.
41
An applicant must be a U.S. citizen, U.S. national, or lawful permanent resident and cannot
have been convicted of certain crimes. To apply, individuals must visit an enrollment
center, provide biographic information (name, date of birth, and address) and valid identity
and citizenship documentation, and be fingerprinted. The program requires a nonrefundable
application processing fee of $85.00.
42
Passengers identified by Secure Flight as low risk are eligible for expedited screening through
TSA Pre9TM, but may not receive this expedited screening. For example, TSA Pre9TM
includes a level of randomness to ensure unpredictable results. One potential result of the
randomness is that a passenger who is eligible to receive expedited screening may instead
be randomly selected to receive standard or enhanced screening.
43
In July 2012, TSA also began screening against a TSA Pre9TM Disqualification Protocol List, a
watchlist created and maintained by TSA that includes individuals who, based upon their
involvement in violations of security regulations of sufficient severity or frequency (e.g.,
bringing a loaded firearm to the checkpoint), are disqualified from receiving expedited
screening for some period of time or permanently.
44
Only those frequent flier members who meet the criteria established by TSA are eligible for
these assessments. Because Secure Flight does not collect or maintain frequent flier
information, air carriers signal to TSA which passengers meet these criteria.
45
In addition, TSA continues to use frequent flier data to identify as low risk those individuals
who opted into the TSA Pre9TM program through their airline during the pilot.
46
Also, because these TSA Pre9TM risk assessments identify percentages of passengers likely to
have received expedited screening, the same passenger who is TSA Pre9TM eligible on one
flight may not be designated as such on another flight.
47
At airports participating in TSA’s Screening Partnership Program, private companies under
contract to TSA are to perform screening functions with TSA supervision and in accordance
with TSA standard operating procedures. See 49 U.S.C. § 44920. At these airports, private
sector screeners, and not TSA employees, have responsibility for screening passengers and
their property. For purposes of this report, references to TSOs include both TSA employees
and screeners employed by private screening contractors.
48
This report focuses on TSA efforts to ensure that individuals receive appropriate levels of
screening at U.S. airports. At foreign airports, U.S.- and foreign-flagged air carrier
operations destined for the United States are responsible for ensuring that passengers and
their carry-on baggage are screened according to their risk level—consistent with
requirements in the air carriers’ TSA-approved security programs and any applicable TSA
security directives or emergency amendments. See generally 49 C.F.R. pts. 1544 and 1546.
Unlike at U.S. airports, TSA does not conduct or oversee screening operations at foreign
airports. Therefore, we are not discussing passenger screening at foreign airports in this
report. TSA’s Office of Global Strategies inspects air carrier compliance with Secure
Flight-related requirements at foreign airports. We reported in October 2011 on the
challenges the Office of Global Strategies faces in this process, including limited access to
some foreign airports. See GAO, Aviation Security: TSA Has Taken Steps to Enhance Its
Foreign Airport Assessments, but Opportunities Exist to Strengthen the Program, GAO-12-
163 (Washington, D.C.: Oct. 21, 2011).
Secure Flight 79
49
In November 2007, in addition to allowing paper boarding passes, TSA began allowing air
carriers to issue mobile boarding passes, which, for example, passengers may download to
their cell phones.
50
These variations are identified in the TDC standard operating procedures.
51
The details of these screening errors are considered sensitive information.
52
GAO/AIMD-00-21.3.1.
53
Statement of Kelly Hoggan, Assistant Administrator, TSA Office of Security Capabilities,
before the House Committee on Homeland Security, Subcommittee on Transportation
Security, June 19, 2012.
54
See, e.g., 49 C.F.R. § 1540.107(c) (prohibiting, in general, an individual from entering a sterile
area or boarding an aircraft if the individual does not present a verifying identity document
when requested for purposes of watchlist matching).
55
GAO-09-292.
56
GAO, Aviation Security: Status of TSA’s Acquisition of Technology for Screening Passenger
Identification and Boarding Passes, GAO-12-826T (Washington, D.C.: June 19, 2012).
57
Boarding pass scanners also indicate when a passenger is eligible for expedited screening
through TSA Pre9TM.
58
TSA initially used boarding pass scanners provided and owned by airlines to scan TSA Pre9TM
and mobile boarding passes. According to TSA officials, as these airline-owned scanners
become inoperable, TSA plans to phase them out and replace them with TSAowned
scanners.
59
GAO-12-826T.
60
Secure Flight program management reports externally (to DHS and the Office of Management
and Budget (OMB)) on nine measures. Specifically, Secure Flight reports to DHS on six
Key Performance Parameters, which are key system capabilities that must be met for a
system to meet its operational goals. In addition, Secure Flight reports on five measures to
OMB as part of its yearly exhibit 300, also called the Capital Asset Plan and Business
Case—a document that agencies submit to OMB to justify resource requests for major
information technology (IT) investments. Two of the Key Performance Parameters and
OMB measures are the same; therefore, the program reports externally on nine distinct
measures.
61
The measures are contained on the Secure Flight Executive Dashboard, a compilation of data
capturing various aspects of Secure Flight’s operations on a weekly, monthly, and year-to-
date basis.
62
Government Performance and Results Act of 1993, Pub. L. No. 103-62, 107 Stat. 285 (1993).
GPRA was updated by the GPRA Modernization Act of 2010. Pub. L. No. 111- 352, 124
stat. 3866 (2011).
63
GAO, Agencies’ Annual Performance Plans under the Results Act: An Assessment Guide to
Facilitate Congressional Decisionmaking, GAO/GGD/AIMD,10.1.18 (Washington, D.C.:
February 1998), and The Results Act: An Evaluator’s Guide to Assessing Agency Annual
Performance Plans, GAO/GGD-10.1.20 (Washington, D.C.: April 1998).
64
GAO/GGD-10.1.20.
65
GAO/GGD-10.1.20.
66
Further details on the challenges TSA faces in identifying when Secure Flight may miss
individuals on lists is sensitive information and therefore could not be included in a public
report.
67
GAO-09-292.
68
These passenger data are available to Secure Flight for testing purposes because the system
retains passenger data and the results of Secure Flight matches in the system for up to 7
days after completion of the passenger’s directional travel. After 7 days, all data for
passengers not identified as matches to a high-risk watchlist must be expunged from the
system.
69
Valid Known Traveler Numbers are those that appear on TSA Pre9TM program lists of
passengers eligible for expedited screening.
70
The process involves TSA’s Contact Center, which is staffed with personnel to answer
passenger questions or accept passenger feedback about travel-related security screening.
Specifically, when passengers submit oral or written feedback that involves failure to
receive TSA Pre9TM screening, a Contact Center representative is to forward this
information to Secure Flight. Secure Flight staff investigate these cases to identify and, if
necessary, address factors that caused the passenger not to receive TSA Pre9TM status, such
as, for example, mistyping the known travel number or other personal information when
making a reservation.
71
A more detailed explanation of why Secure Flight does not have this information is considered
sensitive information and therefore could not be included in a public report.
72
According to TSA officials, as of June 2014, Secure Flight had not obtained authorization for
additional staff that would be necessary to obtain additional information on
misidentifications; therefore, officials were unable to provide a time frame for when these
requirements would be implemented.
73
The Secure Flight system availability measure—a Key Performance Parameter and an OMB
300 Measure—tracks the total amount of time the Secure Flight system (within Secure
Flight bounds) is available for matching activities. Secure Flight’s false positive measure
was discussed previously. All Secure Flight measures are defined in app. III.
74
These requirements allow Secure Flight to retain Secure Flight matching results for passengers
not identified as a match to a government watchlist for up to 7 days, potential matches for
up to 7 years, and confirmed matches for up to 99 years, after which they must be purged
from the system. According to Secure Flight documentation, records for passengers
identified as low risk (either because they match one of the low-risk TSA Pre9TM Lists or
because they were identified as low risk through Secure Flight’s flight-byflight
assessments) are treated the same as nonmatches and must be purged within 7 days.
Records for passengers who match other watchlists are treated as potential matches and
must be purged within 7 years.
75
GAO/AIMD-00-21.3.1.
76
We requested documentation for all meetings of the Match Review Board since its
implementation in March 2010 through fiscal year 2013, and TSA provided documentation
pertaining to 51 meetings. The documentation distributed for meetings included meeting
minutes and Power Point slides. The Power Point slides contained detailed information
(such as the results of analyses or the status of ongoing work) pertaining to meeting agenda
items. More detailed information on performance issues discussed in the meetings is
considered sensitive information and cannot be included in a public report.
77
Information on the time frames of our request and the number of system matching errors TSA
identified is considered sensitive information and cannot be included in a public report.
78
These cases were ones in which the Match Review Board documentation contained sufficient
identifying information about Secure Flight system matching errors to allow us to determine
it was not included on the list TSA provided us.
Secure Flight 81
End Notes for Appendix I

1
For purposes of this report, and unless otherwise noted, references to TSOs, which include
TDCs, include both TSA-employed screening personnel and screening personnel employed
by a private sector company contracted with TSA to perform screening services at airports
participating in TSA’s Screening Partnership Program. See 49 U.S.C. § 44920.
2
We did not evaluate the extent to which Secure Flight screening determinations for low-risk
passengers are implemented at airport security checkpoints. We expect to issue a report on
screening for low-risk passengers later this year.
3
GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1, 1999).
4
Government Performance and Results Act of 1993, Pub. L. No. 103-62, 107 Stat. 285 (1993).
GPRA was updated by the GPRA Modernization Act of 2010. Pub. L. No. 111- 352, 124
Stat. 3866 (2011).
5
See GAO. Pipeline Safety: Management of the Office of Pipeline Safety’s Enforcement Program
Needs Further Strengthening, GAO-04-801 (Washington, D.C.: July 2004).
6
GAO/AIMD-00-21.3.1.
End Notes for Appendix II

1
TSA considers passengers who are not identified by Secure Flight as either low risk or high risk
as having unknown risk.
2
This information, known collectively as Secure Flight Passenger Data (SFPD), includes
personally identifiable information, such as full name, gender, date of birth, passport
information (if available), and certain nonpersonally identifiable information, such as
itinerary information and the unique number associated with a travel record (record number
locator). See 49 C.F.R. § 1560.3.
3
TSA also screens certain nontraveling individuals who are authorized to access the airport’s
sterile area, such as escorts for minor, elderly, and disabled passengers; airport and aircraft
operator employees; and law enforcement officers. In general, the “sterile area” is the
portion of an airport beyond the security screening checkpoint that provides passengers
access to boarding aircraft and to which access is generally controlled or overseen by TSA.
See 49 C.F.R. § 1540.5.
4
Standard screening typically includes a walk-through metal detector or Advanced Imaging
Technology screening, which is to identify objects or anomalies concealed under clothing,
and X-ray screening for the passenger’s accessible property.
End Notes for Appendix III

1
Measures prepared as part of the agency’s exhibit 300 are displayed on the Federal Information
Technology dashboard website, which was established to provide information on the
effectiveness of government information technology programs and to support decisions
regarding the investment and management of resources.
2
72 hours of flight departure, covered aircraft operators must submit passenger data as soon
as they become available.
3
The lists Secure Flight uses to identify high-risk passengers include the No Fly, Selectee, and
Expanded Selectee Lists, which are subsets derived from the Terrorist Screening Database,
the U.S. government’s consolidated watchlist of known or suspected terrorists that is
maintained by the Terrorist Screening Center, a multiagency organization administered by
the Federal Bureau of Investigation. The lists Secure Flight uses to identify low-risk
passengers are associated with the TSA Pre9TM Program, a 2011 initiative that allows TSA
to designate preapproved passengers as low risk. In addition, the system uses passenger data
to perform TSA Pre9TM risk assessments to identify travelers as low risk for a specific
flight.
4
The DHS Traveler Redress Inquiry Program (DHS TRIP) administers the TSA Cleared List.
DHS established DHS TRIP in February 2007 to provide individuals, including those who
believe they have been delayed or inconvenienced during travel because they have been
wrongly identified as the subject of a watchlist record, an opportunity to be cleared. We
plan to report later this year on Secure Flight-related redress issues.
5
individual’s presence on the Cleared List will likely diminish, but not preclude, the
possibility of being selected for enhanced screening. The technical term for redress number
is “redress control number.”
6
This process may also involve the Secure Flight analyst contacting the Terrorist Screening
Center for assistance in confirming or ruling out the match. The Secure Flight Operations
Center (SOC) serves as a centralized point for handling the manual review of potential
matches, resolving potential matches at the airport, and answering general air carrier
questions.
7
See 49 C.F.R. § 1560.105(b).
8
Standard screening typically includes a walk-through metal detector or Advanced Imaging
Technology screening, which identifies objects or anomalies concealed under clothing, and
X-ray screening for the passenger’s accessible property. In the event a walk-through metal
detector triggers an alarm or the Advanced Imaging Technology identifies an anomaly or
suspicious item, additional security measures—such as pat-downs, explosives trace
detection searches (which involve a device certified by TSA to detect explosive particles),
or additional physical searches—may ensue as part of the resolution process. Enhanced
screening includes, in addition to the procedures applied during a typical standard screening
experience, a pat-down and an explosives trace detection search or physical search of the
interior of the passenger’s accessible property, electronics, and footwear. Expedited
screening typically includes walk-through metal detector screening and X-ray screening of
the passenger’s accessible property, but unlike in standard screening, travelers do not have
to, among other things, remove their belts, shoes, or light outerwear. Passengers with
boarding passes that are not marked for enhanced or expedited screening receive standard
screening, unless otherwise identified by TSA for enhanced or expedited screening through
the application of random and unpredictable security measures at the screening checkpoint.
Chapter 3
SECURE FLIGHT: TSA COULD TAKE

ADDITIONAL STEPS TO STRENGTHEN
PRIVACY OVERSIGHT MECHANISMS *
WHY GAO DID THIS STUDY

Since 2009, Secure Flight has changed from a program that identifies
passengers as high risk solely by matching them against subsets of the TSDB,
to one that uses PII and other information to assign passengers a risk category:
high risk, low risk, or unknown risk. Secure Flight has established privacy
oversight mechanisms to protect this PII.
GAO was asked to assess the current status of the Secure Flight program.
In July 2014, GAO reported on the status of the program’s operations,
including changes to the program since 2009, implementation of Secure Flight
screening determinations at airport checkpoints, and program performance
measures. This report examines (1) the extent to which TSA has implemented
privacy oversight mechanisms to address Secure Flight privacy requirements,
and (2) the extent to which DHS’s redress process addresses any delays and
inconveniences that result from Secure Flight screening. GAO analyzed TSA
data for fiscal years 2011 through 2013 and documents—including Secure
*
This is an edited, reformatted and augmented version of a United States Government
Accountability Office publication, No. GAO-14-647, dated September 2014.
Flight privacy training materials, documentation of privacy protections, and

processing times for redress cases—and interviewed relevant DHS officials.
WHAT GAO RECOMMENDS

GAO recommends that TSA provide job-specific privacy refresher
training for Secure Flight staff and develop a mechanism to document and
track key Secure Flight privacy issues and decisions. DHS concurred with
GAO’s recommendations.
WHAT GAO FOUND

The Transportation Security Administration (TSA) has taken steps to
implement several of the privacy oversight mechanisms it planned to establish
when Secure Flight implementation began in 2009, but additional actions
could allow TSA to sustain and strengthen its efforts. Overall, TSA has
implemented mechanisms to identify privacy implications associated with
program operations and address them as necessary. For example, TSA has
regularly updated privacy documents to address changes in the Secure Flight
program. TSA has also implemented privacy training for new Secure Flight
staff, and all Department of Homeland Security (DHS) employees receive
annual privacy training. However, existing Secure Flight staff do not receive
job-specific privacy refresher training consistent with Office of Management
and Budget (OMB) requirements. Providing job-specific privacy refresher
training could further strengthen Secure Flight’s protection of personally
identifiable information (PII). TSA also documents some aspects of its Secure
Flight privacy oversight mechanisms, such as scheduled destructions of
passenger data and reviews of planned changes to the Secure Flight system.
However, TSA does not have a mechanism to comprehensively document and
track key privacy-related issues and decisions that arise through the
development and use of Secure Flight—a mechanism TSA planned to develop
when Secure Flight was implemented in 2009. Comprehensively documenting
and tracking key privacy-related issues and decisions, in accordance with
federal internal control standards, could help TSA ensure that these decisions
are carried into the future in the event of a change in personnel.
Secure Flight 85
The DHS Traveler Redress Inquiry Program (DHS TRIP) affords

passengers who may have been incorrectly matched to or listed on high-risk
lists based on the Terrorist Screening Database (TSDB)—the U.S.
government’s consolidated list of known and suspected terrorists—an
opportunity to seek redress. Passengers who, through the redress process, are
determined to have been misidentified to a TSDB-based high-risk list are
added to the TSA Cleared List, which allows them to be cleared (not identified
as high risk) nearly 100 percent of time. The DHS TRIP process also allows
passengers determined to have been improperly included on a TSDB-based list
(mislisted) to be removed, minimizing the likelihood they will be identified as
matches during future travels. Although DHS TRIP is not able to provide
redress for passengers who may have been misidentified to high-risk, rules-
based lists—TSA’s lists of passengers who meet intelligence-driven criteria
indicating they may pose a greater security risk— according to TSA officials,
TSA procedures for using the lists mitigate impacts on these passengers. In
fiscal year 2013, DHS TRIP began working to reduce processing time for its
redress and appeals cases. In fiscal year 2014, DHS TRIP reduced its target for
one of its key performance indicators—average number of days for DHS TRIP
redress cases to be closed—from 93 to 78 days—and, for the first time,
established a performance goal for the appeals process of 92 days. For fiscal
years 2011 through 2013, the average total processing time for an appeals case
was about 276 days. DHS TRIP plans to periodically review its progress in
achieving its appeals performance goal and determine by February 2015
whether further changes to the appeals process are warranted.
ABBREVIATIONS
CBP U.S. Customs and Border Protection
CDC Centers for Disease Control and Prevention
DHS Department of Homeland Security
FBI Federal Bureau of Investigation
FIPPs Fair Information Practices Principles
OIA Office of Intelligence and Analysis
OMB Office of Management and Budget
PIA Privacy Impact Assessment
PII personally identifiable information
RMS Redress Management System
SFPD Secure Flight Passenger Data
SORN System of Records Notice

TRIP Traveler Redress Inquiry Program
TSA Transportation Security Administration
TSC Terrorist Screening Center
TSDB Terrorist Screening Database
***
September 9, 2014
The Honorable Michael T. McCaul

Chairman
The Honorable Bennie G. Thompson
Ranking Member
The Honorable Richard Hudson

Chairman
The Honorable Cedric L. Richmond
Ranking Member
Subcommittee on Transportation Security
The Honorable Mike Rogers

The Transportation Security Administration’s (TSA) Secure Flight

program screens approximately 2 million passengers each day, matching
passenger-provided personally identifiable information (PII) such as name and
date of birth against federal government watchlists and other information to
determine if passengers may pose a security risk and to assign them a risk
category.1 By identifying those passengers who may pose security risks,
Secure Flight helps protect against potential acts of terrorism that might target
the nation’s civil aviation system. However, Secure Flight can also have
inadvertent and potentially inappropriate impacts on the traveling public, such
as when passengers are identified as high risk because they share a similar
name and date of birth with an individual listed on a watchlist, and thus
Secure Flight 87
experience delays and inconveniences during their travels. In order to

minimize such impacts on passengers, the Department of Homeland Security
(DHS) Traveler Redress Inquiry Program (TRIP) provides an opportunity for
travelers who believe they have been delayed or inconvenienced because they
have been incorrectly matched to or wrongly identified as the subject of
certain watchlist records to seek redress. In addition, Secure Flight has privacy
requirements that are intended to protect passengers’ PII from unauthorized
use or disclosure.
TSA developed and implemented Secure Flight in response to
requirements in the Intelligence Reform and Terrorism Prevention Act of
2004, and a recommendation of the National Commission on Terrorist Attacks
upon the United States (the 9/11 Commission) that TSA assume from air
carriers the function of matching passengers against watchlists maintained by
the federal government.2 By assuming the matching functions previously
performed by air carriers, Secure Flight was intended to, among other things,
reduce the risk of unauthorized disclosure of sensitive watchlist information
and better integrate information from DHS’s existing traveler redress process
into watchlist matching so that individuals would be less likely to be, for
example, delayed or prohibited from boarding an aircraft. After initiating
development of Secure Flight in August 2004, TSA began implementing it in
2009, and completed transitioning foreign and domestic air carriers to the
program in November 2010.3 Secure Flight now screens passengers and
certain non-traveling individuals on all domestic and international commercial
flights to, from, and within the United States; certain flights overflying the
continental United States; and international point-to-point flights operated by
U.S. aircraft operators.4
Beginning with a provision of the fiscal year 2004 Department of
Homeland Security Appropriations Act and pursuant to requests by Congress,
we have had regular and recurring responsibilities to assess and report on
DHS’s efforts to develop and implement a passenger prescreening program.5
Our initial reports identified a number of challenges faced by TSA in
developing this capability, including creating plans for managing and
overseeing the Secure Flight program, coordinating with federal and private
sector stakeholders, addressing key factors affecting system effectiveness,
reducing program impacts on passenger privacy, and protecting passenger
rights.6 In May 2009, we found that after initial challenges, TSA had made
significant strides in developing Secure Flight and that risks associated with
implementing the program had been reduced.7 For example, we found that
TSA had made progress with respect to establishing privacy protections to,
among other things, ensure that PII maintained by the Secure Flight system
(such as passenger name and date of birth) is properly collected, used, and
stored. We also reported that TSA planned to use the redress process managed
by DHS TRIP to assist passengers who may have been adversely affected by
Secure Flight screening.8
In light of our prior work, you asked us to report upon the effectiveness of
TSA’s efforts to address Secure Flight system performance, privacy
protections, and redress.
In July 2014, we issued a sensitive security information/law enforcement
sensitive report on the performance of the Secure Flight program, including
how the program has changed since implementation began in 2009, the extent
to which Secure Flight vetting results are fully implemented at airport security
checkpoints, and the extent to which TSA’s performance measures
appropriately assess progress toward achieving the Secure Flight program
goals.9
This report addresses the following two questions:
1) To what extent has TSA implemented privacy oversight mechanisms

to address Secure Flight privacy requirements?
2) To what extent is DHS’s redress process addressing the delays and
inconveniences that result from Secure Flight screening?
To answer our first question, we reviewed our 2009 report on Secure

Flight’s implementation, which identified the privacy oversight mechanisms
that TSA planned to implement at that time.10 We obtained and analyzed key
TSA documents on these oversight mechanisms to assess TSA’s progress in
implementing them. Specifically, we reviewed the basic, advanced, and
refresher privacy training materials that TSA uses to train Secure Flight staff
and assessed these trainings against the Office of Management and Budget’s
(OMB) privacy training requirements and our assessment guide for reviewing
training and development efforts in the federal government.11 We also
reviewed TSA’s monthly purge status reports for the period from April 2012
through May 2013 to assess the extent to which TSA has purged Secure Flight
passenger data in accordance with Secure Flight data retention requirements.
In addition, to evaluate TSA’s documentation of Secure Flight privacy issues
and decisions, we reviewed relevant documents prepared by TSA privacy
officials and contract staff, including privacy compliance validation reports for
the period from April 2012 through April 2013, monthly status reports
prepared by TSA’s privacy contractor for the period from March 2013 through
Secure Flight 89
April 2014, and Secure Flight’s Privacy Issue Tracker. We assessed these
documents against Standards for Internal Control in the Federal
Government.12 To clarify our understanding of Secure Flight’s privacy
requirements and the mechanisms for monitoring compliance with these
requirements, we reviewed key TSA documents that provide information on
Secure Flight privacy requirements, such as management directives, the
Secure Flight Privacy Rules of Behavior, and Secure Flight System of Records
Notices and Privacy Impact Assessments, and interviewed Secure Flight
privacy officials and a representative of the contract staff who are responsible
for monitoring compliance with these requirements.
To answer our second question, we reviewed DHS TRIP standard
operating procedures and other documentation related to the redress process,
such as the standard letters DHS sends to redress applicants. To identify the
outcomes of the DHS TRIP redress process, we reviewed relevant DHS TRIP
data for fiscal years 2011 through 2013 on the number of travelers who
applied for redress and the number of redress cases DHS TRIP forwarded to
the Terrorist Screening Center (TSC)—a multi-agency organization
administered by the Federal Bureau of Investigation (FBI)—for review. We
also reviewed TSC data on the extent to which redress applications resulted in
individuals being delisted from certain watchlists, meaning that they were
removed from a watchlist because TSC determined that they did not meet
current criteria for inclusion on that watchlist. To determine the extent to
which DHS TRIP is meeting performance goals for the redress process, we
reviewed DHS TRIP performance data. Additionally, to determine the extent
to which DHS TRIP is meeting its performance goal for processing appeals
cases, we calculated the average processing time for 49 closed appeals cases
DHS TRIP received during fiscal years 2011 through 2013, using DHS TRIP
data, and compared this average with the goal. To assess the reliability of DHS
TRIP redress and appeals data, we examined documentation about these data,
interviewed knowledgeable officials, and reviewed the data for obvious errors
and inconsistencies. To further assess the reliability of the appeals data used to
calculate average processing times, we compared the DHS TRIP data with
data on appeals cases maintained by TSC, which reviews and makes
recommendations on appeals, and followed up on any discrepancies. Although
there were some discrepancies, we determined that the data were sufficiently
reliable for the purpose of comparison to the performance goal. To better
understand redress and appeals procedures and DHS TRIP’s efforts to reduce
processing time, we interviewed DHS TRIP and TSC officials. To better
understand TSA’s attempts to assist individuals for whom the DHS TRIP
process cannot provide redress (i.e., individuals misidentified to the rules-

based high-risk lists discussed later in this report), we interviewed DHS TRIP
and TSA Office of Intelligence and Analysis officials.
We conducted this performance audit from March to September 2014 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain sufficient,
obtained provides a reasonable basis for our findings and conclusions based on
our audit objectives.
BACKGROUND
Flight Final Rule, requires commercial aircraft operators traveling to, from,
within, or overflying the United States to collect information from passengers
and transmit that information electronically to TSA.13 This information,
known collectively as Secure Flight Passenger Data (SFPD), includes PII,
including full name, gender, date of birth, passport information, and certain
non-personally identifiable information provided by the airline, such as
itinerary information and the unique number associated with a travel record
(record number locator).14
The Secure Flight program uses SFPD to screen passengers and assign
them a risk category: high risk, low risk, or unknown risk. Table 1 describes
Secure Flight’s primary screening activities.
Secure Flight screening against watchlists involves the automated
comparison of SFPD and list data and a manual review process by Secure
Flight analysts of all passengers identified by the system as potential matches.
Air carriers may not issue a boarding pass to a passenger who is a potential
match to the No Fly or Selectee lists until they receive from Secure Flight a
final determination on how the passenger will be screened at the checkpoint if
provided a boarding pass.
These determinations include a “TSA Pre9TM eligible” message for
passengers who may receive expedited screening; a “cleared” message for
passengers found not to match any high or low-risk list and who, therefore,
will receive standard screening; and a “selectee” message for passengers who
are to be selected for additional screening.15 For passengers matching the No
Fly List, the air carrier may not issue a boarding pass.
Secure Flight 91
Table 1. Secure Flight Screening Activities
Screening Activity Description

No Fly List (high The No Fly List is a subset of the Terrorist Screening
risk) Database (TSDB), the U.S. government’s
consolidated watchlist of known or suspected
terrorists maintained by the Terrorist Screening
Center (TSC), a multi-agency organization
administered by the Federal Bureau of Investigation.
The No Fly List contains records of individuals who
are suspected or known to pose a threat to aviation or
national security and are prohibited from boarding an
aircraft or entering the sterile area of an
airport.aSecure Flight has matched passengers
against the No Fly List since 2009.
Selectee List (high The Selectee List is a subset of the TSDB containing
risk) records of individuals who must undergo additional
security screening before being permitted to enter the
sterile area or board an aircraft. Secure Flight has
matched against the Selectee List since 2009.
Expanded Selectee The Expanded Selectee List includes terrorist records
List (high risk) in the TSDB with a complete name and date of birth
that meet the reasonable suspicion standard to be
considered a known or suspected terrorist, but that do
not meet the criteria to be placed on the No Fly or
Selectee Lists. Secure Flight began matching against
the Expanded Selectee List in April 2011.b
Transportation The high-risk rules-based lists include two lists of
Security passengers who may not be known or suspected
Administration terrorists, but who, according to intelligence-driven,
(TSA) rules-based scenario-based rules developed byTSA in
lists (high risk) consultation with U.S. Customs and Border
Protection (CBP), may pose an increased risk to
transportation or national security.
Centers for Disease The CDC Do Not Board List is managed by CDC. It
Control and includes individuals who pose a significant health
Prevention (CDC) risk to other travelers and are not allowed to fly.
Do Not Board List
(high risk)
Table 1. (Continued)
Screening Activity Description

TSA Pre9TM lists TSA Pre9TM lists include lists of pre-approved, low-
(low risk) risk travelers, such as certain members of CBP’s
Trusted Traveler programs, members of the U.S.
armed forces, Congressional Medal of Honor Society
members, and Members of Congress—groups of
individuals TSA has determined pose a low risk to
transportation or national security—as well as a
TSAPre9TM list, created by TSA and composed of
individuals who apply and are pre-approved as low-
risk travelers through the TSA Pre9TM Application
Program.cSecure Flight began matching against its
first set of low-risk lists, CBP Trusted Traveler Lists,
in October 2011 and instituted the TSA Pre9TM
Application Program in December 2013.
TSA Pre9TM The TSA Pre9TM Disqualification List is a list of
Disqualification List individuals who, based upon their involvement in
(ineligible for low violations of security regulations of sufficient
risk) severity or frequency, are disqualified from receiving
expedited screening for some period of time or
permanently (e.g., bringing a loaded firearm to
thecheckpoint).
TSA Pre9TM risk Secure Flight assesses certain travel-related
assessments (low information submitted by passengers and assigns
risk) them scores that correspond to a likelihood of being
eligible for expedited screening for a specific flight.
Secure Flight began performing these assessments
for select frequent flier members in October 2011
and, in October 2013, began using them to evaluate
all passengers not determinedto be a match to a high-
risk or low-risk list.
Source: GAO analysis of TSA and TSC information. | GAO-14-647
a
In general, the “sterile area” is the portion of an airport beyond the security screening
checkpoint that provides passengers access to boarding aircraft and to which
access is generally controlled through the screening of persons or property. See 49
C.F.R. § 1540.5.
b
All TSDB-based watchlists utilized by the Secure Flight program contain records
determined to have met TSC’s reasonable suspicion standard. In general, to meet
the reasonable suspicion standard, the agency nominating an individual for
Secure Flight 93
inclusion in the TSDB must consider the totality of information available that,
taken together with rational inferences from that information, reasonably warrants
a determination that an individual is known or suspected to be or have been
knowingly engaged in conduct constituting, in preparation for, in aid of, or related
to terrorism or terrorist activities. As previously discussed, to be included on the
No Fly and Selectee Lists, individuals must meet criteria specific to these lists.
The TSDB, which is the U.S. government’s consolidated watchlist of known or
suspected terrorists, also contains records on additional populations of individuals
that do not meet the reasonable suspicion standard articulated above, but that other
federal agencies utilize to support their border and immigration screening
missions. In addition, according to TSA officials, Secure Flight does not utilize all
terrorist records in the TSDB because records with partial data (i.e., without first
name, surname, and date of birth) could result in a significant increase in the
number of passengers misidentified as being on the watchlist and potentially cause
unwarranted delay or inconvenience to travelers.
c
Individuals on all low-risk lists receive a Known Traveler Number that they must
submit when making travel reservations to be identified as low-risk. See 49 C.F.R.
§ 1560.3 (defining “Known Traveler Number”). TSA also refers to these lists as
Known Traveler lists.
Secure Flight Privacy Requirements
Statutory requirements govern the protection of PII by federal agencies,

including the use of air passengers’ information by Secure Flight. For
example, the Privacy Act of 1974 places limitations on agencies’ collection,
disclosure, and use of personal information maintained in systems of records.16
Among other things, the Privacy Act requires agencies to publish a notice—
known as a System of Records Notice (SORN)—in the Federal Register
describing such things as the type of personal information collected, the types
of individuals about whom information is collected, the intended “routine” use
of the data, and procedures that individuals can use to review and correct
personal information. Also, the E-Government Act of 2002 requires agencies
to conduct Privacy Impact Assessments (PIA) that analyze how personal
information is collected, stored, shared, and managed in a federal system.17
Agencies are required to make their PIAs publicly available if practicable. In
May 2009, we reported that TSA had published required privacy documents,
such as the PIA and SORN, that discuss the purposes, uses, and protections for
passenger data, and outline which data elements are to be collected and from
whom.18 TSA has since published three updates to the Secure Flight PIA and
two updates to the Secure Flight SORN.
DHS privacy policies also govern Secure Flight’s handling of passenger

information. For example, since 2008, it has been DHS policy to follow the
Fair Information Practices Principles (FIPPs), which provide a framework for
balancing the need for privacy with other public policy interests, such as
national security and law enforcement. 19 (See app. I for a description of the
FIPPs.)
Redress for Secure Flight
DHS established DHS TRIP in February 2007 as the central processing

point within DHS for travel-related redress inquiries.20 DHS TRIP provides
passengers who believe they have been unfairly or incorrectly delayed, denied
boarding, or identified for additional screening with an opportunity to be
cleared if they are determined not to be a match to TSDB-based watchlist
records (i.e., misidentified) or if they have been wrongly identified as the
subject of a TSDB watchlist record (i.e., mislisted). Passengers apply to DHS
TRIP using an online application, by e-mail, or by mail. Upon receipt of a
complete application, DHS TRIP sends a notification of receipt with a redress
control number to the passenger. DHS TRIP adds the name, date of birth, and
redress control number of applicants determined not to match a TSDB-based
list to the TSA Cleared List. Passengers included on the TSA Cleared List
must then submit their redress control number when making a reservation to
allow the Secure Flight system to recognize and clear them. However, if DHS
TRIP determines that an individual is still a potential match to a TSDB
watchlist record, it refers the matter to TSC for further review. TSC then
conducts its own review of whether the individual has been misidentified to a
watchlist and should be added to the TSA Cleared List. If TSC determines that
the individual was correctly matched to a watchlist, TSC then reviews, based
on the most current available information and criteria for inclusion on the list,
whether the individual is either correctly assigned to the list, or is wrongly
assigned and should be removed from the list. If DHS TRIP and TSC
determine that no change in the passenger’s status is warranted, the passenger
is notified of this decision, and depending on the determination, some
passengers are permitted the opportunity to appeal the decision.21 Applicants
eligible for appeals receive a letter providing instruction on how to engage in
the process, which is carried out by DHS TRIP and TSC.
Secure Flight 95
TSA HAS IMPLEMENTED OVERSIGHT MECHANISMS

TO ADDRESS PASSENGER PRIVACY REQUIREMENTS,
BUT ADDITIONAL ACTIONS COULD BETTER ENSURE
FULL COMPLIANCE
TSA has taken steps to implement several of the privacy oversight
mechanisms it planned to establish in 2009, when Secure Flight
implementation began, but additional actions could allow TSA to sustain and
strengthen its efforts. In May 2009, we found that TSA had taken actions that
generally addressed the FIPPs, such as instituting access controls to ensure that
data are not accidentally or maliciously altered or destroyed, filtering
unauthorized data from incoming data to ensure collection is limited to
predefined types of information, and developing incident response procedures
to address and contain privacy incidents. We also reported that TSA had
designated a program privacy officer and a team of privacy experts to work on
various aspects of the Secure Flight program, and planned to establish several
privacy oversight mechanisms, including the following:
• privacy rules of behavior, which require that individuals handling PII

use it only for a stated purpose;22
• audit logs of system and user events to provide oversight of system
activities, such as access to PII and transfer of PII into or out of the
system;
• general privacy training for all Secure Flight staff and role-based
privacy training for employees handling PII;
• periodic privacy compliance reports, intended to track and aggregate
privacy concerns or incidents; and
• a system for tracking privacy issues that arise throughout the
development and use of Secure Flight, and conducting follow-up
analysis of significant privacy issues and providing resolution
strategies for management consideration.
Since our May 2009 report, TSA has made progress in implementing
some of these privacy oversight mechanisms, although more work remains to
fully implement them. Overall, the Secure Flight privacy team, composed of
TSA’s Privacy Officer, the designated Secure Flight program privacy officer,
TSA’s Office of the Chief Counsel, and dedicated contract staff, has worked
closely with the DHS Privacy Office to ensure periodic consultation on
program plans and operations that may have privacy implications.23 The
publication of revised PIAs and SORNs to address the changes in the Secure
Flight program, such as the use of rules-based high-risk lists and TSA Pre9 TM
risk assessments, is evidence of this consultation process. TSA issued Secure
Flight Privacy Rules of Behavior in September 2008 that set forth the practices
staff (including federal employees, contractors, and other persons authorized
to access or use SFPD) should follow in accessing, using, maintaining or
collecting Secure Flight PII. According to TSA officials, in 2013, TSA
initiated a review of the rules of behavior to ensure that they still align with
current Secure Flight directives and practices, which have changed since the
rules of behavior were first issued in 2008. In May 2014, TSA officials stated
that they are in the final stages of developing an updated version of the Privacy
Rules of Behavior. In December 2013, TSA also issued a management
directive discussing TSA’s policy for responding to requests for Secure Flight
data by TSA employees and other agencies. Secure Flight also maintains audit
logs of Secure Flight system and user events, as it planned to do in 2009.
Specifically, TSA maintains logs of
• successful and unsuccessful log in attempts to access the component

of Secure Flight that allows carriers to submit passenger information
via the Internet, known as eSecure Flight;
• the Secure Flight User Interface, which is the system Secure Flight
analysts use to retrieve passenger data and review potential matches;
and
• requests to access the Report Management System, which generates
reports on Secure Flight activities.
According to Secure Flight privacy officials, the TSA Security Operations

Center monitors these logs 24 hours a day, 7 days a week. Officials stated that
these logs allow TSA to be aware of any attempts to gain unauthorized access
to the system and can be used to make adjustments in access controls, should
they be needed, in response to identified threats.
TSA has also implemented privacy training for new Secure Flight staff
and documented privacy issues and decisions through, for example, periodic
compliance privacy reports. However, additional actions could allow TSA to
sustain and strengthen its efforts to ensure compliance with Secure Flight
privacy requirements.
Secure Flight 97
Privacy Training for Secure Flight Staff
TSA has developed and implemented basic and advanced privacy training
that, according to TSA officials, is required for all new Secure Flight staff.24 In
addition, all DHS staff are required to complete annual DHS privacy training,
which discusses the importance of safeguarding PII. However, Secure Flight
staff do not receive job-specific privacy refresher training after they complete
the initial Secure Flight training. OMB requires agencies to train employees on
their privacy and security responsibilities before permitting access to agency
information and information systems, and thereafter to provide at least annual
refresher training to ensure employees continue to understand their
responsibilities.25 The OMB memorandum also states that this refresher
training must be job-specific and commensurate with the employee’s
responsibilities. TSA officials stated that the annual DHS privacy training
serves as refresher training for Secure Flight staff. However, DHS’s annual
refresher training is not job-specific and does not reflect the unique privacy
requirements of the Secure Flight program. For example, the DHS training
provides a general overview of privacy requirements Department-wide, but
does not provide information on the unique privacy risks of the Secure Flight
program, such as the potential misuse or unauthorized disclosure of airline
passenger data.
Furthermore, the Secure Flight program has expanded from a program that
solely identifies high-risk passengers on the No Fly and Selectee Lists to one
that also identifies additional high-risk passengers using other records in the
TSDB and through rules-based high-risk lists, as well as low-risk passengers.
TSA’s PIAs for these new screening activities discuss new privacy risks
unique to these activities. For example, Secure Flight’s September 2013 PIA
update discusses the importance of restricting the use and dissemination of
TSA Pre√TM lists in order to mitigate the risk associated with collecting and
storing information on low-risk travelers. TSA officials told us that TSA
updated its privacy training for new Secure Flight staff in December 2013 to
reflect Secure Flight’s updated PIAs and SORNs. However, because the DHS
privacy refresher training is not job-specific, staff who joined Secure Flight
prior to December 2013, when TSA updated its privacy training for new staff,
may not have received privacy training specific to Secure Flight’s new
screening activities. Our assessment guide for reviewing training and
development efforts in the federal government states that changes, such as new
initiatives, technological innovations, or reorganizations and restructuring, will
likely require agencies to develop new or revised training programs, and that
agencies should have a formal process for incorporating these strategic and
tactical changes to ensure that new and revised training efforts are quickly
brought on line.26 Providing at least annual job-specific privacy refresher
training, consistent with OMB requirements, could further strengthen Secure
Flight’s protection of PII.
Documenting Privacy Issues
TSA documents some aspects of its privacy oversight mechanisms, such

as scheduled destructions of SFPD and reviews of planned changes to the
Secure Flight system. However, TSA does not have a mechanism to
comprehensively document and track key privacy-related issues and decisions
that arise through the development and use of Secure Flight—a mechanism
TSA planned to develop when Secure Flight was implemented in 2009.
First, TSA prepares purge reports to document the monthly destruction of
SFPD in accordance with Secure Flight’s data retention schedule. We
requested and reviewed documentation for the 14-month period from April
2012 through May 2013. The documentation showed that TSA consistently
purged passenger records in accordance with its retention schedule, with the
exception of a 2-month period.27
Second, Secure Flight privacy staff members prepare privacy compliance
validation reports to document privacy concerns or issues that are raised by
staff in the software development process. According to Secure Flight
officials, a proposed change to the Secure Flight system cannot be
implemented until the privacy team completes a compliance validation report,
which includes a summary of privacy findings, conclusions, and
recommendations for corrective measures. For example, two of the eight
reports we reviewed for the period from April 2012 through April 2013
identified a potential privacy issue in Secure Flight’s plans to conduct TSA
Pre√TM risk assessments. Specifically, the March and April 2013 reports stated
that Secure Flight should not begin conducting these assessments until the new
PIA and SORN were approved.28
Last, Secure Flight privacy staff also maintain a set of notes regarding
some privacy issues or privacy-related tasks. These notes, referred to
collectively as the Privacy Issue Tracker, do not describe the nature, basis, or
resolution of the issues, nor do they aggregate all privacy concerns raised by
staff or the key decisions made in response, such as concerns about TSA’s
plans to conduct TSA Pre√TM risk assessments, discussed in the March and
Secure Flight 99
April 2013 compliance validation reports. Secure Flight privacy officials

stated that TSA did not intend for the Privacy Issue Tracker to serve as the
agency’s system for systematically tracking Secure Flight privacy issues and
incidents.
In the absence of a system for comprehensively documenting and tracking
privacy-related issues and decisions, TSA’s Secure Flight privacy officer
stated that Secure Flight relies on its privacy contract staff to oversee and
monitor privacy protections, in consultation with the designated Secure Flight
program privacy officer and the TSA Privacy Officer. The privacy contract
staff are broadly tasked with ensuring compliance with Secure Flight’s privacy
policies and requirements, identifying privacy issues, and providing resolution
strategies for management consideration. According to TSA officials, the
contract staff accomplish this through being embedded in the day-to-day
operations of the Secure Flight program. For example, the contract staff attend
meetings in which Secure Flight software or system changes are being
discussed to ensure that the planned software update remains within the scope
of the Secure Flight program mission and that prior to deployment, a software
release has no privacy concerns or that any concerns have been resolved or
mitigated. Contract staff also issue monthly status reports, which provide an
overview of contractors’ accomplishments and planned activities. These
reports refer to ongoing privacy issues, but according to TSA officials, were
not intended to consistently describe the nature, basis, or resolution of these
issues. According to TSA’s Privacy Officer and the contract staff we spoke
with, the contract staff recognize the potential for privacy issues based on their
experience and professional judgment, and raise the issues as appropriate.
Officials also stated that most privacy issues are resolved through discussions.
Additionally, the TSA Privacy Officer stated that the frequent interaction
between the contract staff, program privacy officer, and TSA Privacy Officer
creates a robust understanding of Secure Flight operations and plans.
However, it is unknown whether this ad hoc communication between key
Secure Flight privacy staff would be sustained after a personnel change in
Secure Flight’s privacy team or contractor personnel, and whether privacy-
related decisions previously made would continue to be implemented without
documentation to inform new staff. Further, TSA previously stated that it
would institute a system for tracking privacy issues that arise throughout the
development and use of Secure Flight. By institutionalizing such a mechanism,
TSA would have greater assurance that its oversight of Secure Flight privacy
protections is effective because TSA would know the extent to which privacy
issues are identified and resolved.
DHS has established a department-wide Online Incident Handling System

to document and track information on DHS privacy incidents, which would
include incidents related to the Secure Flight program.29 TSA and Secure
Flight privacy officials stated that there have not been any privacy incidents,
such as unauthorized disclosures, uses, or modifications of PII, since Secure
Flight implementation began in January 2009.30 However, should the Secure
Flight program become aware of a privacy incident, the TSA Privacy Officer
would be required to submit a Privacy Incident Report in the Online Incident
Handling System, thereby notifying senior DHS officials of the incident.
Though these Privacy Incident Reports would track suspected and confirmed
incidents involving PII (e.g., unauthorized disclosure or access of PII),
according to DHS officials, they were not intended to address privacy issues
that arise in the development and use of Secure Flight when they do not rise to
the level of an incident, such as the potential privacy issues Secure Flight
identified when reviewing system changes. Therefore, the DHS Online
Incident Handling System does not document efforts by Secure Flight officials
to identify and address issues before they result in an incident.
Standards for Internal Control in the Federal Government calls for federal
agencies to design and implement control activities to enforce management’s
directives and to monitor the effectiveness of those controls. 31 Recording and
documenting key decisions are among the suite of control activities that are an
essential part of an agency’s planning, implementing, and reviewing, and they
are essential for proper stewardship and accountability for government
resources and achieving efficient and effective program results.
Comprehensively documenting and tracking key privacy issues and decisions,
as TSA planned when Secure Flight implementation began in 2009, could help
ensure that these decisions, which have allowed it to successfully avoid
privacy incidents to date, are carried into the future.
DHS TRIP ADDRESSES INCONVENIENCES AND DELAYS

RELATED TO TSDB-BASED LISTS, AND IS TAKING
ACTIONS TO REDUCE CASE PROCESSING TIME
Passengers who, through the DHS TRIP redress process, are determined to
have been misidentified to a TSDB-based high-risk list are added to the TSA
Cleared List, which allows them to be cleared (not identified as high risk)
nearly 100 percent of time.32 The DHS TRIP process also allows passengers
Secure Flight 101
determined to have been either improperly placed or no longer appropriate for

inclusion on a list (mislisted) to be removed from a TSDB-based list, reducing
the likelihood they will be identified as matches during future travels.33 DHS
TRIP is not able to provide redress for passengers who may have been
misidentified to high-risk, rules-based lists and subsequently applied to DHS
TRIP for redress. However, according to TSA officials, TSA has taken steps to
mitigate impacts on these passengers. DHS has also reduced its average
processing time for redress cases, and is taking actions to reduce processing
times for appeals cases.
DHS TRIP Provides Passengers an Opportunity to Seek Redress

for Impacts Associated with TSDBBased Lists, and TSA
Procedures for Using Rules-Based Lists Mitigate Impacts
Associated with Being Misidentified
Passengers may be inconvenienced, delayed, or denied boarding because

of Secure Flight vetting if they are misidentified to a watchlist record, meaning
that Secure Flight matched their SFPD to a watchlist record that does not,
upon further review, relate to the passenger; or mislisted, meaning that Secure
Flight correctly identified the passenger as the subject of a watchlist record,
but either the passenger should have a different watchlist status (e.g., should
be included on the Selectee List rather than the No Fly List), or should not be
included on a watchlist based upon the most current information.34 The
specific impacts experienced by a passenger who has been matched to a
watchlist vary depending upon the list to which the passenger is matched. For
example, an individual with a name similar to someone who is on the No Fly
list likely will be unable to utilize the convenience of Internet, curbside, and
airport kiosk check-in options.
Redress for TSDB-Based Lists

DHS TRIP affords passengers adversely affected by TSA screening
processes an opportunity to address inconveniences and delays associated with
being potentially misidentified to a TSDB-based list (the No Fly, Selectee, and
Expanded Selectee Lists) and, if appropriate, to be added to the TSA Cleared
List. If added to the TSA Cleared List, passengers who correctly use their
redress control numbers when making a reservation should not experience
delays and inconveniences associated with being misidentified to a TSDB-
based list. As of February 2014, there were approximately 135,000 individuals
included on the TSA Cleared List. According to Secure Flight performance

data for fiscal years 2012 through 2013, passengers on the TSA Cleared List
who correctly submitted their redress control numbers when making a travel
reservation were automatically cleared nearly 100 percent of the time by the
Secure Flight system.35
DHS TRIP also affords passengers an opportunity to address
inconveniences and delays associated with being potentially mislisted on a
TSDB-based watchlist. As part of its review of DHS TRIP applicants who are
found to be actual matches to the No Fly, Selectee, or Expanded Selectee
Lists, TSC reviews whether the individuals currently meet criteria for
inclusion on these lists. In some cases, TSC finds that the individual does not
meet the criteria for inclusion, and the individual is removed from the list
(delisted).36 According to DHS TRIP data for fiscal years 2011 through 2013,
the program received about 20,000 new, complete TSA-related redress
applications and forwarded about 10 percent of these to TSC for review
because the individuals seeking redress were a close or exact match to an
individual on one of the TSDBbased lists.37 During fiscal years 2011 through
2013, according to TSC data, screening agencies (including TSA) referred a
total of 2,058 DHS TRIP applications to TSC for review.38 Over the same time
period, TSC confirmed that 1,333 DHS TRIP applicants matched the No Fly,
Selectee, or Expanded Selectee lists, and delisted about 95 of these
individuals. According to TSC officials, TSC will delist an individual when
TSC analysts reviewing the case find the most current information available
indicates the individual should be removed from the list. In addition, according
to a DHS TRIP official, all delisted individuals are added to the TSA Cleared
List, which reduces the likelihood they will be identified as matches to TSDB-
based lists during future travels, thereby addressing any delays or
inconveniences they may have experienced because of Secure Flight watchlist
matching against such lists.
TSA Efforts to Mitigate Impacts Caused by Rules-Based Lists

DHS TRIP is not able to provide redress for passengers who may have
been misidentified to high-risk, rules-based lists and subsequently applied to
DHS TRIP for redress. However, according to TSA officials, TSA procedures
for using the high-risk, rules-based lists mitigate impacts on passengers who
may have been misidentified to these lists. These officials stated that there is a
possibility that a passenger could be misidentified to a rules-based list if their
name and date of birth are similar to those of an individual on the list. TSA has
established procedures for using the rules-based lists to mitigate impacts on
Secure Flight 103
passengers from screening against the lists. These procedures could assist
those misidentified as a result of Secure Flight screening and may result in
TSA removing passengers from the lists.39 By removing individuals from
rules-based lists, TSA ensures that passengers who are misidentified to those
individuals will no longer be identified as a match, and thus delayed or
inconvenienced as a result. In certain circumstances, TSA also reviews
questionable matches to the rules-based lists to determine whether individuals
on the list should be removed. According to TSA officials, starting in 2012,
TSA’s Office of Intelligence and Analysis (OIA) began monitoring the
number of questionable matches to the list. According to TSA officials, the
rate of questionable matches is less than 1 percent of all matches to the list for
April 2012 through May 2014. TSA officials stated that the TSA Intelligence
Analysis Division manually reviews these questionable matches and removes
individuals from the list who have been erroneously included on the list. By
removing these individuals from the list, TSA ensures that passengers will no
longer be erroneously matched to them, and thus delayed or inconvenienced as
a result. However, according to TSA officials, TSA’s effort to identify and
remove questionable matches does not address all possible misidentifications
to the rules-based list. For example, TSA officials stated they do not review
some matches because TSA does not have additional information about those
passengers—beyond that included in the SFPD—that would be necessary to
determine whether the passenger was actually misidentified to the rules-based
high-risk list.
DHS Has Reduced Its Average Processing Time for Redress

Cases, and Is Taking Actions to Reduce Processing Times for
Appeals Cases
In fiscal year 2013, DHS TRIP officials began working to reduce overall
processing time and the backlog of redress and appeals cases. As described
previously, the DHS TRIP redress process involves adding applicants found
not to be individuals on a TSDB-based list to the TSA Cleared List. At the
conclusion of the redress process, certain individuals who apply to DHS TRIP
receive a letter informing them there has been no change to their record and
providing instructions on how to appeal the decision.40 This additional
process—known as the appeals process— involves an additional set of
activities carried out by the appellant (the redress applicant submitting the
appeal), DHS TRIP, and TSC. The process begins when the appellant files the
appeal, and DHS TRIP forwards all completed appeals paperwork to TSC, as
shown in figure 1. Once TSC receives the documentation, TSC analysts are to
review all derogatory information maintained on the appellant to make a
written recommendation to TSA on the appeal.41 TSA then reviews TSC’s
recommendation through its own internal process, which can include going
back to TSC for additional information, before the TSA Administrator makes
the final determination to uphold the appellant’s status, recommend that TSC
downgrade the appellant to another TSDBbased list, or recommend that TSC
remove the appellant from the list.42
Source: GAO; TSA (logo); Art Explosion (clip art). ǀ GAO-14-647.

a
Some passengers are not permitted to appeal the agency decision. The specific types
of passengers who are permitted to appeal are considered law enforcement
sensitive/sensitive security information.
Figure 1. Department of Homeland Security (DHS) Traveler Redress Inquiry Program

(TRIP) Redress and Appeals Process.
Redress Process
With respect to the redress process, DHS TRIP officials took several steps
in fiscal year 2013 to reduce the overall processing time and a backlog of
redress cases. First, in fiscal year 2013, DHS automated its response to DHS
TRIP applicants, a step that, according to DHS TRIP, should reduce the initial
response time from 3 days to 1 day. Second, DHS hired additional staff for
DHS TRIP, achieving its authorized staffing level of 11 full-time positions.
Third, in January 2013, DHS TRIP implemented and began training staff on a
Secure Flight 105
new redress case management system, the Redress Management System

(RMS). As part of the migration of the data from the prior system to RMS,
DHS TRIP administratively closed approximately 30,000 cases that were
either duplicates or incomplete because documentation was never received
from the applicant. The new system also includes reporting capabilities that
enable DHS TRIP to generate reports used to monitor its performance in
meeting its performance targets. Fourth, DHS TRIP created and filled a DHS
TRIP Operations Manager position with the intent that this individual would
increase the office’s focus on developing, analyzing, and monitoring
performance metrics.43 According to DHS TRIP officials, at the beginning of
fiscal year 2014, DHS TRIP’s average case-processing time for redress cases
was about 100 days, and as of June 2014, the average case-processing time
was about 42 days.
Consistent with its efforts to reduce processing time for redress, in January
2014, DHS TRIP reduced its target for one of the department’s key
performance indicators—average number of days for DHS TRIP redress cases
to be closed—from 93 to 78 days.44
Appeals Process
DHS also took action in fiscal year 2013 to address timeframes associated
with the appeals process. Appeals applicants receive a letter stating that DHS
will provide a final agency decision on the appeal within 60 days of receipt of
the appeal. However, the average total processing time for the appeals process
for fiscal years 2011 through 2013 was 276 days, as shown in table 2.
In fiscal year 2013, DHS TRIP began taking several actions to make the
appeals process more structured and reduce the overall review time. To
provide a more structured appeals process, DHS TRIP took the following
steps:
• It created an appeals team to manage both the intelligence analysis

and the administrative aspects of appeals.
• It developed and began distributing a document that provides
information on the status and, if available, outcome of each appeal
case.
• It implemented a more formalized process for reviewing appeals. This
process includes distributing appeal information to TSC, TSA OIA,
and TSA’s Office of Chief Counsel and conducting pre-meetings
among stakeholders, including TSA OIA, TSA’s Office of Chief
Counsel, and DHS TRIP; meetings with TSA leadership; and, as

appropriate, a decision meeting with the TSA Administrator.
• It developed a draft of the Functional Roles and Responsibilities
Document (formerly known as the DHS TRIP standard operating
procedures), which outlines the role of DHS TRIP officials in the
appeals process.45
• It developed and implemented a database to track appeals specifically
and improve process timeliness.
Table 2. Average Processing Time Frames for Key Phases of Closed

Appeals Cases Received during Fiscal Years 2011-2013 (n=49)a
Processing data point Mean Range

(in days) (in days)
Time between receipt of complete appeal by DHS 33 1-603
TRIP and the submission of appeal by DHS TRIP to
TSC
Time between TSC’s receipt of complete appeal and 154b 8-811
its recommendation to TSA
Time between TSC’s recommendation to TSA and the 89 1-832
closing of the appeal
Total processing time 276 28-1023
(Covers time period from the date DHS TRIP received
the complete appeal to the date the appeal was closed)
Source: GAO analysis of DHS TRIP appeals case data. | GAO-14-647SU
a
According to DHS TRIP data, as of July 16, 2014, 5 additional appeals cases received
during fiscal years 2011 and 2013 remained open.
b
According to TSC data for these 49 cases, the average number of days to complete
TSC’s review (i.e., the time between TSC’s receipt of the complete appeal and its
recommendation to TSA) was 130 days, as opposed to the 154 days based on
DHS TRIP data. TSC and DHS TRIP officials attributed this difference to
inconsistent record keeping between the two agencies for recording the sent and
received dates for the cases. DHS TRIP officials also noted that data transmission
errors delayed TSC’s receipt of some cases. As discussed later in this report, the
agencies are taking steps to improve communication regarding appeals cases.
Additionally, in January 2014, DHS TRIP officials stated they were

reviewing TSC’s appeals standard operating procedures to identify
opportunities for the agencies to further reduce time frames. According to
DHS TRIP officials, as of May 2014, the program director had completed a
Secure Flight 107
review of TSC’s appeals standard operating procedures, provided metrics on

TSC’s timeliness, and provided suggestions to TSC for reducing its time
frames. TSC officials also stated that they meet monthly with DHS TRIP to
discuss opportunities to improve efficiency and reduce time frames. From
fiscal year 2011—the first fiscal year in which DHS TRIP received a redress
appeal—through fiscal year 2013, for appeals closed within that period, the
average number of days, according to DHS TRIP data, for TSC to review an
appeal package and submit a recommendation to TSA was about 154 days, as
shown in table 2. Therefore, TSC’s review accounted for over half (154 of 276
days) of the total review time. In addition, DHS TRIP is working to further
reduce processing times for other parts of the appeals process. Specifically,
according to DHS TRIP officials, DHS TRIP has committed to reducing the
number of meetings with TSA’s Office of Chief Counsel and TSA OIA. In
addition, for those meetings that do take place, DHS TRIP officials and TSA
leadership are anticipating questions from participants that could delay the
appeal’s progress through the system because they require significant follow-
up, and working to obtain the answers in advance.
In addition, in January 2014, DHS TRIP established intermediate and
long-term performance goals for the appeals process for the first time.
Specifically, the intermediate performance goal calls for an average total
processing time of 92 days, while the long-term performance goal calls for an
average processing time of 60 days, consistent with the time frame DHS TRIP
commits to achieving in the letter informing applicants of their right to appeal.
According to DHS TRIP officials, the agency plans to periodically assess its
progress toward achieving its intermediate and long-term goals for reducing
appeals-processing times. Officials stated that if DHS TRIP finds it is not
making adequate progress by February 2015—about 1 year after the program
began taking specific actions to reduce the overall review time—it would first
evaluate whether further changes and improvements could be made to shorten
the appeals process before considering, in collaboration with TSC and the
DHS Screening Coordination Office, a change to the 60-day time frame stated
in the appeals letter.
CONCLUSION
The Secure Flight program is one of TSA’s key tools for defending
commercial flights against terrorist threats. However, because the program
relies on sensitive information, including personally identifiable information
from the approximately 2 million people Secure Flight screens each day,
privacy incidents and inappropriate disclosures could have significant negative
impacts on the traveling public. Since TSA began implementing Secure Flight,
in 2009, the program has made significant progress in addressing privacy
protections. TSA could further strengthen these protections by providing job-
specific privacy refresher training consistent with OMB requirements.
Furthermore, developing a mechanism to comprehensively document and
track key Secure Flight privacy-related issues and decisions could help TSA
ensure that its oversight of privacy protections is effective and that the
decisions that have allowed it to successfully avoid privacy incidents to date
are carried into the future. DHS TRIP and TSC have also made progress in
addressing Secure Flight misidentifications to TSDB-based lists, and their
planned actions for reducing redress and appeals case-processing time could
further improve the redress process. It will be important for DHS TRIP to
conduct its assessments of performance data as planned to determine whether
further changes to the appeals process, such as changes to the time frames
presented in DHS’s appeals letter, are warranted.
RECOMMENDATIONS FOR EXECUTIVE ACTION

We recommend that the Transportation Security Administration’s
Administrator take the following two actions:
• to further protect personally identifiable information in the Secure

Flight system, provide job-specific privacy refresher training for
Secure Flight staff, and
• to ensure Secure Flight has complete information for effective
oversight of its privacy controls, develop a mechanism to
comprehensively document and track key Secure Flight privacy issues
and decisions.
AGENCY COMMENTS
We provided a draft of this report to DHS and the Department of Justice
for their review and comment. DHS provided written comments on July 17,
2014, which are summarized below. DHS concurred with both of our two
Secure Flight 109
recommendations and described planned actions to address them. In addition,

DHS provided written technical comments, which we incorporated into the
report as appropriate.
DHS concurred with our first recommendation that TSA provide job-
specific privacy refresher training for Secure Flight staff. DHS stated that
TSA’s OIA will develop and deliver job-specific privacy refresher training for
all Secure Flight staff. TSA plans to complete this effort by December 31,
2014. These actions, if implemented effectively, should address our
recommendation and help further protect personally identifiable information in
the Secure Flight system.
DHS also concurred with our second recommendation that TSA develop a
mechanism to comprehensively document and track key Secure Flight privacy
issues and decisions. DHS noted that TSA’s OIA currently identifies and
addresses privacy issues through the efforts of privacy personnel within TSA
and those embedded within the Secure Flight program and stated that TSA will
develop a mechanism for documenting and tracking key Secure Flight privacy
issues and decisions. TSA plans to complete this effort by March 31, 2015.
This action, if implemented effectively, will help ensure Secure Flight has
complete information for effective oversight of its privacy controls. We will
continue to monitor DHS’s efforts.
The Department of Justice did not have formal comments on our draft
report, but provided technical comments, which we incorporated as
appropriate.
Jennifer A. Grover
Director
Homeland Security and Justice Issues
APPENDIX I: FAIR INFORMATION PRACTICES PRINCIPLES

Since December 2008, it has been Department of Homeland Security
(DHS) policy to follow the Fair Information Practices Principles (FIPPs). The
FIPPs, a set of principles first proposed in 1973 by a U.S. government
advisory committee, are used with some variation by organizations to address
privacy considerations in their business practices and are also the basis of
privacy laws and related policies in many countries, including the United
States, Australia, and New Zealand, and in the European Union. DHS’s
privacy policy guidance lists eight FIPPs:1
• Transparency: DHS should be transparent and provide notice to the

individual regarding its collection, use, dissemination, and
maintenance of personally identifiable information (PII).2
• Individual participation: DHS should involve the individual in the
process of using PII and, to the extent practicable, seek individual
consent for the collection, use, dissemination, and maintenance of PII.
DHS should also provide mechanisms for appropriate access,
correction, and redress regarding DHS’s use of PII.
• Purpose specification: DHS should specifically articulate the
authority that permits the collection of PII and specifically articulate
the purpose or purposes for which the PII is intended to be used.
• Data minimization: DHS should collect only PII that is directly
relevant and necessary to accomplish the specified purpose(s) and
retain PII only as long as is necessary to fulfill the specified
purpose(s).
• Use limitation: DHS should use PII solely for the purpose(s)
specified in the notice. Sharing PII outside the department should be
for a purpose compatible with the purpose for which the PII was
collected.
• Data quality and integrity: DHS should, to the extent practicable,
ensure that PII is accurate, relevant, timely, and complete.
• Security: DHS should protect PII (in all media) through appropriate
security safeguards against risks such as loss, unauthorized access or
use, destruction, modification, or unintended or inappropriate
disclosure.
• Accountability and auditing: DHS should be accountable for
complying with these principles, providing training to all employees
and contractors who use PII, and auditing the actual use of PII to
demonstrate compliance with these principles and all applicable
privacy protection requirements.
End Notes
1
PII is any information that permits the identity of an individual to be directly or indirectly
inferred, including other information that is linked or linkable to an individual. See
Department of Homeland Security, Privacy Policy and Compliance, DHS Instruction 047-
01-001 (Washington, D.C.: July 25, 2011).
2
See Pub. L. No. 108-458, § 4012(a), 118 Stat. 3638, 3714-18 (2004) (codified at 49 U.S.C. §
44903(j)(2)(C)). The 9/11 Commission, The 9/11 Commission Report: Final Report of the
Secure Flight 111
National Commission on Terrorist Attacks upon the United States, July 2004. TSA efforts
to develop a computer-assisted passenger prescreening system predated the Intelligence
Reform and Terrorism Prevention Act and the report of the 9/11 Commission.
3
TSA began implementing Secure Flight pursuant to the Secure Flight Program Final Rule,
issued in October 2008. See 73 Fed. Reg. 64,018 (Oct. 28, 2008).
4
Secure Flight screens certain non-traveling individuals, such as escorts for minor, elderly, and
disabled passengers, who are authorized to access the airport’s sterile area—the portion of
an airport defined in the airport security program that provides passengers access to
boarding aircraft and to which access is generally controlled through the screening of
persons and property. See 49 C.F.R. § 1540.5. Secure Flight began screening passengers on
certain flights operated by foreign air carriers overflying the continental United States
(excluding Alaska and Hawaii) on October 24, 2012. For purposes of this report, the term
“commercial flight” encompasses all air carrier operations covered by and subject to the
Secure Flight Final Rule. See 49 C.F.R. § 1560.3 (defining “covered flight” for purposes of
the Secure Flight Program).
5
GAO has performed this work in accordance with statutory mandates, beginning with the
Department of Homeland Security Appropriations Act, 2004, Pub. L. No. 108-90, § 519,
117 Stat. 1137, 1155-56 (2003), and, most recently, the Department of Homeland Security
Appropriations Act, 2009, Pub. L. No. 110-329, Div. D, § 512, 122 Stat. 3574, 3682-83
(2008), and pursuant to the requests of various congressional committees.
6
GAO, Aviation Security: Secure Flight Development and Testing Under Way, but Risks Should
Be Managed as System Is Further Developed, GAO-05-356 (Washington, D.C.: Mar. 28,
2005); Aviation Security: Significant Management Challenges May Adversely Affect
Implementation of the Transportation Security Administration’s Secure Flight Program,
GAO-06-374T (Washington, D.C.: Feb. 9, 2006); Aviation Security: Management
Challenges Remain for the Transportation Security Administration’s Secure Flight
Program, GAO-06-864T (Washington, D.C.: June 14, 2006); Aviation Security:
Transportation Security Administration Has Strengthened Planning to Guide Investments in
Key Aviation Security Programs, but More Work Remains, GAO-08-456T (Washington,
D.C.: Feb. 28, 2008).
7
GAO, Aviation Security: TSA Has Completed Key Activities Associated with Implementing
Secure Flight, but Additional Actions Are Needed to Mitigate Risks, GAO-09-292
(Washington, D.C.: May 13, 2009).
8
DHS TRIP is a single point of contact for individuals who have inquiries or seek resolution
regarding difficulties they experienced during their travel screening at transportation hubs—
like airports and train stations—or crossing U.S. borders, including inspection problems at
ports of entry and situations where travelers believe they have been unfairly or incorrectly
delayed, denied boarding, or identified for additional screening or inspection at our nation’s
transportation hubs. While serving as the point of contact for the receipt, tracking, and
response to redress applications, DHS TRIP refers cases to the appropriate agency for
review and adjudication.
9
We did not assess the extent to which Secure Flight vetting results for low-risk passengers are
implemented at checkpoints.
10
GAO-09-292.
11
GAO, Human Capital: A Guide for Assessing Strategic Training and Development Efforts in
the Federal Government, GAO-04-546G (Washington, D.C.: March 2004). The guide
summarizes elements of effective training programs and presents related questions on the
components of the training and development process in four broad, interrelated components:
(1) planning/front-end analysis, (2) design/development, (3) implementation, and (4)

evaluation. These criteria remain useful today because they are the most recent relevant
guidance available to assess how agencies plan, design, implement, and evaluate effective
federal training and development programs.
12
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
13
For purposes of this report, the term “commercial aircraft operator” includes the passenger
operations of a U.S.- and foreign-flagged air carrier operating in accordance with 49 C.F.R.
§§ 1544.101(a) and 1546.101(a)-(b), respectively (also referred to as a “covered aircraft
operator”). See 49 C.F.R. § 1560.3.
14
72 hours of flight departure, aircraft operators must submit passenger data as soon as they
become available.
15
Standard screening typically includes passing through a walk-through metal detector or
Advanced Imaging Technology screening, which identifies objects or anomalies on the
outside of the body, and X-ray screening for the passenger’s accessible property. Enhanced
screening includes, in addition to the procedures applied during a typical standard screening
experience, a pat-down and an explosive trace detection search or physical search of the
interior of the passenger’s accessible property, electronics, and footwear. Expedited
screening typically includes walk-through metal detector screening and X-ray screening of
the passenger’s accessible property, but unlike in standard screening, travelers do not have
to, among other things, remove their belts, shoes, or light outerwear. The Secure Flight
system may also return an error response to air carriers regarding passengers for whom
Secure Flight has received incomplete data.
16
A system of records is any item or grouping of information about an individual under the
control of an agency from which information is retrieved by the name of the individual or
some number or other identifying particular. See 5 U.S.C. § 552a(a)(5).
17
See Pub. L. No. 107-347, § 208, 116 Stat. 2899, 2921-23 (2002).
18
GAO-09-292.
19
See DHS, The Fair Information Practice Principles: Framework for Privacy Policy at the
Department of Homeland Security, DHS Privacy Policy Guidance Memorandum 2008-01
(Washington, D.C., Dec. 29, 2008), and DHS, Privacy Policy and Compliance, DHS
Directive 047-01-001 (Washington, D.C., July 25, 2011). The FIPPs, a set of principles first
proposed in 1973 by a U.S. government advisory committee, are used with some variation
by organizations to address privacy considerations in their business practices and are also
the basis of privacy laws and related policies in many countries, including the United States,
Australia, and New Zealand, and in the European Union.
20
Pursuant to the Intelligence Reform and Terrorism Prevention Act, TSA was to establish a
timely and fair process for individuals identified as a threat as a result of TSA’s passenger
prescreening system to appeal to TSA the determination and correct any erroneous
information. See 49 U.S.C. § 44903(j)(2)(G)(i).
21
The types of passengers who are permitted to appeal this decision are considered sensitive
security information.
22
SFPD includes several data elements that are considered PII—passenger name, date of birth,
gender, and passport information; it also includes non-PII data, such as itinerary information
and the unique number associated with a travel record (record locator number). See 49
C.F.R. § 1560.3.
Secure Flight 113
23
According to TSA officials, the Secure Flight program privacy officer also currently serves as
the Secure Flight program manager, and is therefore well-informed about Secure Flight
operations and well-positioned to implement privacy decisions.
24
The basic training course covers practices for the collection, use, and safeguarding of PII. The
advanced training addresses the additional privacy responsibilities required of Secure Flight
Operations Center analysts—who work independently and with air carriers to resolve
system matching results and thus deal extensively with passenger PII—and information
technology staff for the use, sharing, protection, retention, and destruction of PII.
25
Office of Management and Budget, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information, OMB Memorandum M-07-16 (Washington, D.C.:
2007).
26
GAO-04-546G.
27
There was a 2-month period in 2012 when the automated purge reports were inoperable
because the generation of these reports was slowing overall Secure Flight system
performance and causing instability in the Secure Flight system. During this period, TSA
was unable to validate that purges of passenger PII were occurring in accordance with the
agreed-upon schedules. Once a fix was implemented, TSA was able to review the purge
reports retroactively and confirm that there were no purge violations.
28
Both reports concluded that upon approval and publication of the updated privacy impact
assessment and system of records notice, there would be no privacy concerns with the
release of the new software.
29
DHS defines “privacy incident” as “the loss of control, compromise, unauthorized disclosure,
unauthorized acquisition, unauthorized access, or any similar term referring to situations
where persons other than authorized users, have access or potential access to PII in usable
form, whether physical or electronic, or where authorized users access PII for an
unauthorized purpose. The term encompasses both suspected and confirmed incidents
involving PII which raise a reasonable risk of harm.”
30
TSA Secure Flight and privacy officials also stated that there has not been any unauthorized
access of PII, unauthorized PII collection, breaches of data-sharing agreements, or phishing
or social engineering.
31
GAO/AIMD-00-21.3.1.
32
individual’s presence on the Cleared List may diminish, but will not preclude, the
possibility of being selected for enhanced screening.
33
During the pendency of this review, various courts have issued decisions relating to the No Fly
List and DHS TRIP. For example, in January 2014, a judge of the U.S. District Court for the
Northern District of California issued a findings of fact, conclusions of law, and order for
relief in the case of Ibrahim v. Dep’t of Homeland Security, No. C 06-00545 WHA (N.D.
Cal. Jan 14, 2014) (redacted). Specifically, the court found that in this matter, which
involved facts dating back to 2004, the plaintiff had been placed on the No Fly List as a
result of an FBI agent’s human error and that, among other things, the redress response
letter provided to plaintiff by the redress program in place prior the establishment of DHS
TRIP was inadequate at the time because the response was vague and “fell short of
providing any assurance to [the Plaintiff]...that the mistake had been traced down in all its
forms and venues and corrected.” In June 2014, a judge of the U.S. District Court for the
District of Oregon issued an opinion and order concluding, among other things, that because
DHS TRIP procedures do not afford individuals the requirements of due process in so much
as it does not provide them with notice regarding their status on the No Fly List and the
reasons for placement on the list, “the absence of any meaningful procedures to afford
Plaintiffs the opportunity to contest their placement on the No Fly List violates Plaintiffs’
rights to procedural due process.” See Latif v. Holder, No. 3:10-cv-00750-BR (D. Or. June
24, 2014). Our review focused on the procedures and data relating to implementation of the
DHS TRIP redress and appeals processes and did not evaluate DHS TRIP on sufficiency of
procedural due process grounds.
34
As of February 2014, Secure Flight officials were not aware of any passengers who have been
misidentified to the CDC Do Not Board List. DHS TRIP officials stated that any inquiries
related to the CDC Do Not Board List are forwarded to CDC for adjudication. Secure Flight
officials were also unaware of any misidentifications to the TSA Pre√TM Disqualification
List. A person misidentified to the TSA Pre√TM Disqualification List would be precluded
from receiving the benefit of expedited screening, but would not be subjected to enhanced
screening as a result of this misidentification. According to Secure Flight officials, Secure
Flight is not developing a redress process for the TSA Pre√TM Disqualification List because
the matching algorithm for the list was designed in such a way as to ensure minimal risk of
misidentification. According to TSA officials, TSA also has a process for responding to
individuals who have questions about their TSA Pre√TM status and individuals who TSA has
disqualified from TSA Pre√TM eligibility who want to request that TSA reconsider its
decision.
35
To experience the benefit of being on the TSA Cleared List, passengers must submit their full
name and date of birth, as provided to DHS TRIP, in addition to their redress control
number when making a reservation.
36
TSC conducts the review to determine whether the individual meets the criteria for inclusion
on a TSDB-derived watchlist in accordance with TSC’s standard operating procedures for
redress.
37
DHS TRIP forwards all redress applicants matching the No Fly, Selectee, or Expanded
Selectee List to TSC, on behalf of TSA (the screening agency). Other federal entities with a
redress function, such as the Department of State or U.S. Customs and Border Protection,
conduct their own investigations of DHS TRIP applications involving their screening
activities.
38
TSC does not keep data on the number of DHS TRIP applications it reviews by agency;
therefore, the 2,058 DHS TRIP applications TSC reviewed over fiscal years 2011 through
2013 could include applications forwarded to TSC from other screening agencies.
Furthermore, according to TSC, because of the time frames associated with TSC’s review
process, the total number of TSA-related cases TSC reviewed during fiscal years 2011
through 2013 is less than the number of those forwarded to it by TSA.
39
The details of these procedures are considered sensitive security information.
40
These individuals then have 30 days from the receipt of the decision to submit an appeal, after
which, failure to file an appeal will result in the decision becoming a final agency decision.
41
According to TSC officials, analysts within TSC’s Redress Unit conduct the initial review for a
redress application; analysts within TSC’s Office of Intelligence and Analysis conduct
reviews for all appeals. According to TSC officials, analysts in both offices follow the same
procedures to conduct these reviews.
42
TSC, in the course of its review, may also find the appellant was misidentified to a TSDB-
based list.
43
DHS TRIP is also planning to implement two customer feedback surveys. The first survey,
which will be administered at the time an individual is applying for redress, will solicit
applicants’ views on their experience during the DHS TRIP process. The second survey,
Secure Flight 115
which will be administered 90 days after the final agency decision letter is provided, will
gather information on passenger experiences using the redress control number. As of July
2014, both surveys were under review by OMB. According to DHS officials, the program
plans to begin administering the survey as soon as OMB completes its review.
44
This performance target is used to measure DHS’s progress in meeting one of the department’s
three priority goals—to strengthen aviation security counterterrorism capabilities by using
intelligence-driven information and risk-based decisions. DHS TRIP revised the
performance target for TSA-only redress cases, that is, cases that do not involve any other
DHS components, from an average total processing time of 43 days to 20 days.
45
The Functional Roles and Responsibilities Document was finalized in January 2014.
End Notes for Appendix I

1
DHS, The Fair Information Practice Principles: Framework for Privacy Policy at the
Department of Homeland Security, DHS Privacy Policy Guidance Memorandum 2008-01
(Washington, D.C., Dec. 29, 2008).
2
PII is any information that permits the identity of an individual to be directly or indirectly
inferred, including other information that is linked or linkable to an individual. See DHS,
Privacy Policy and Compliance, DHS Instruction 047-01-001 (Washington, D.C.: July 25,
2011).
Chapter 4
THE NO FLY LIST: PROCEDURAL DUE

PROCESS AND HURDLES TO LITIGATION∗
Jared P. Cole
SUMMARY
In order to protect national security, the government maintains
various terrorist watchlists, including the “No Fly” list, which contains
the names of individuals to be denied boarding on commercial airline
flights. Travelers on the No Fly list are not permitted to board an
American airline or any flight on a foreign air carrier that lands or departs
from U.S. territory or flies over U.S. airspace. Some persons have
claimed that their alleged placement on the list was the result of an
erroneous determination by the government that they posed a national
security threat. In some cases, it has been reported that persons have been
prevented from boarding an aircraft because they were mistakenly
believed to be on the No Fly list, sometimes on account of having a name
similar to another person who was actually on the list. As a result, various
legal challenges to placement on the list have been brought in court.
The Department of Homeland Security operates a redress process for
people who encounter difficulties while traveling. The government’s
policy, however, is never to confirm or deny whether someone is on the
No Fly list; and the redress process does not provide travelers with an
∗
This is an edited, reformatted and augmented version of a Congressional Research Service
publication R43730, prepared for Members and Committees of Congress, dated September
18, 2014.
118 Jared P. Cole
opportunity to contest their alleged placement on the No Fly list. Instead,

the redress process consists of an administrative review by the
government, which can be followed by an ex parte, in camera judicial
review by a United States court of appeals.
The Due Process Clause provides that no person shall be “deprived of
life, liberty, or property, without due process of law.” Accordingly, when a
person has been deprived of a constitutionally protected liberty interest,
the government must follow certain procedures. Several courts have found
that placement on the No Fly list may impair constitutionally protected
interests, including the right to travel internationally, and the government’s
redress procedures must therefore satisfy due process. Typically, due
process requires that the government provide a person with notice of the
deprivation and an opportunity to be heard before a neutral party.
However, the requirements of due process are not fixed, and can vary
according to relevant factors. When determining the proper procedural
protections in a given situation, courts employ the balancing test
articulated by the Supreme Court in Matthews v. Eldridge, which weighs
the private interests affected against the government’s interest. Courts
applying this balancing test might consider several factors, including the
severity of the deprivation involved in placement on the No Fly list. In
addition, courts may examine the risk of an erroneous deprivation under
the current procedural framework and the potential value of imposing
additional procedures on the process. Finally, courts may inquire into the
government’s interest in preserving the status quo, including the danger of
permitting plaintiffs to access sensitive national security information.
Resolution of the issue is currently pending as at least two federal
courts have ruled that the government’s redress procedures for travelers
challenging placement on the No Fly list violate due process. Litigation is
further complicated by several legal hurdles, such as the state secrets
privilege, that can bar plaintiffs from accessing certain information.
INTRODUCTION
The safety of air travel, particularly after the terrorist attacks of September
11, 2001, is an important priority for the U.S. government. The Aviation and
Transportation Security Act of 2001 created the Transportation Security
Administration (TSA) and charged it with ensuring the security of all modes of
transportation, including civil aviation.1 The TSA is responsible for
prescreening all potential commercial airline travelers before they board an
aircraft.2 Pursuant to this responsibility, TSA uses the “No Fly” list to identify
individuals who pose a threat to aviation safety. Persons attempting to board
an aircraft who are matched to an identity on the No Fly list are not allowed to
The No Fly List: Procedural due Process and Hurdles to Litigation 119
board. Recent news reports claim that 47,000 people are currently on the No
Fly list, including 800 Americans.3
However, some persons have claimed that their alleged placement on the
list was the result of an erroneous determination by the government that they
posed a national security threat. In some cases, it has been reported that
persons have been prevented from boarding an aircraft because they were
mistakenly believed to be on the No Fly list, sometimes on account of having a
name similar to another person who was actually on the list.4 The Department
of Homeland Security (DHS) operates a redress process for travelers who wish
to contest their right to board an aircraft, but this procedure has been
challenged in federal court as violating the Fifth Amendment right to due
process.5 After an adverse ruling in a recent federal district court,6 the
executive branch is apparently revising the process.7 This report will provide
an overview of the operation of the government’s watchlists, examine some of
the legal issues implicated by challenges to the No Fly list, and describe recent
case law on the matter.
BACKGROUND OF GOVERNMENT WATCHLISTS

Terrorist Databases
The National Counterterrorism Center (NCTC) serves as the central

information bank for the U.S. government on “known and suspected terrorists
and international terrorist groups.”8 It is the government’s principal
organization for “analyzing and integrating” intelligence concerning terrorism
and counterterrorism.9 The NCTC maintains the Terrorist Identities Datamart
Environment (TIDE), the central repository of the U.S. government containing
derogatory information about suspected international terrorists.10 Based on
evaluations of intelligence information, agencies in the intelligence
community (IC)11 nominate individuals known or suspected to be international
terrorists and forward the names to the NCTC.12 Using a nonexclusive list of
possible factors, the NCTC determines if each name merits inclusion on the
list.13 As of December 2013, according to the NCTC, about 1.1 million persons
were included in TIDE, and about 25,000 were U.S. persons (citizens and
lawful permanent residents).14 TIDE contains all of the government’s
information regarding persons “known or appropriately suspected to be or to
have been involved in activities constituting, in preparation for, in aid of, or
related to terrorism (with the exception of purely domestic terrorism
120 Jared P. Cole
information).”15 Due to the national security importance of this information,

the contents of the database are classified.16
The NCTC “exports” an unclassified subset of the data, including
biometric and biographic identifiers, to the Terrorist Screening Center (TSC),
which in turn, operates the Terrorist Screening Database (TSDB).17 In contrast
to TIDE (operated by NCTC), the TSDB (operated by TSC) does not include
“derogatory intelligence information.”18 Instead, it consists of “sensitive but
unclassified terrorist identity information consisting of biographic identifying
information such as name or date of birth or biometric information such as
photographs, iris scans, and fingerprints.”19 Established pursuant to Homeland
Security Presidential Directive 6, the TSC is managed by the Federal Bureau
of Investigation (FBI) and receives support from various federal agencies. The
information in the TSDB is obtained from two sources.20 First, as mentioned
above, TIDE provides information on the identity of suspected international
terrorists.21 Second, the FBI’s Automated Case Support System (ACSS)
provides additional information on suspected domestic terrorists directly to the
TSC.22
Whether receiving information from TIDE or ACSS, the TSC will review
each file to ensure that it satisfies the government’s watchlist standards before
adding the name to the TSDB.23 The information received by TSC must satisfy
two requirements to merit inclusion on the TSDB.24 First, the “biographic
information associated with a nomination must contain sufficient identifying
data so that a person being screened can be matched or disassociated from a
watchlisted terrorist.”25 Second, the “facts and circumstances” must “meet the
reasonable suspicion standard of review.”26 This means “articulable facts
which, taken together with rational inferences, reasonably warrant the
determination that an individual is known or suspected to be or has been
engaged in conduct constituting, in preparation for, in aid of, or related to
terrorism and terrorist activities.”27 This standard was not mandated by statute,
but was “adopted by internal Executive Branch policy and practice.”28 In
addition, a recent district court case indicates that there is a “secret exception
to the reasonable suspicion standard,” but the “nature of the exception and the
reasons ... for nomination are claimed to be state secrets.”29
As mentioned above, in contrast to the classified contents of TIDE, the
TSDB contains sensitive, but not classified, information about the identity of
suspected terrorists. The unclassified nature of the list permits a broad range of
federal, state, and local organizations to access the data.30 Accordingly, the
TSC provides various frontline screening agencies with subsets of the TSDB
for use in combating terrorism. These watchlists are tailored in accordance
with the agency’s mission(s) and statutory authorities.31 For the purposes of
monitoring flights, TSA receives two such lists: the No Fly list and the
Selectee list. People on the first are prohibited from boarding an American
airline or any flight that comes in contact with U.S. territory or airspace. Those
on the second are subject to enhanced screening procedures when they attempt
to do so.32 The No Fly and Selectee lists have their own substantive
requirements for inclusion, which executive officials have stated are more
stringent than the reasonable suspicion standard for placement on the TSDB.33
TSC requires “sufficient biographical information and sufficient derogatory
information” for inclusion on the No Fly and Selectee List.34 When a person is
placed on the list, they will not receive notice; instead, they will simply be
denied boarding or subjected to enhanced screening procedures if they attempt
to board a plane.35
However, in a departure from the traditional requirements for inclusion on
the No Fly list, after the failed terrorist attack of the so called “underwear
bomber,” who attempted to destroy a commercial plane traveling from
Amsterdam to Detroit on Christmas Day 2009, the NCTC and TSC were
ordered to add a number of individuals from the TIDE database to the No Fly
list.36 This included a number of “individuals without any information indicating
a personal involvement in terrorism.”37 Accordingly, a number of individuals
were placed on the No Fly list who may not have met the normal standards for
inclusion. Subsequently, TSC, in coordination with the FBI and other
intelligence agencies, conducted a review of all the individuals who had been
upgraded. This review was completed more than two years after the original
upgrading.38 A recent Department of Justice (DOJ) Office of Inspector
General audit expressed “concerns about the TSC’s ability to ensure that all
watchlist records that were modified as a result of the attempted attack were
reviewed and returned to the appropriate individualized status.”39
The precise guidelines and particular factors the government relies on to
place individuals on terrorist watchlists are not made public. The criteria for
placement on the No Fly list, as well as whether a person is on the No Fly list,
are considered “Sensitive Security Information” (SSI) and have not been
publicly released by the federal government.40
Secure Flight
In the past, TSA required aircraft operators to screen passengers by

matching data against the No Fly and Selectee lists.41 Following the release of
122 Jared P. Cole
the 9/11 Commission Report, the Intelligence Reform and Terrorism

Prevention Act of 2004 altered this arrangement by requiring TSA to conduct
the matching itself.42 The act also requires aircraft operators to provide
passenger information to TSA for prescreening purposes.43 TSA issued the
Secure Flight Final Rule on October 28, 2008, implementing the act’s
requirements.44 Under the program, TSA requires aircraft operators to collect
Secure Flight Passenger Data (SFPD) from passengers and provide it to TSA.
SFPD includes passengers’ full name, date of birth, and gender.45 The
information is collected when a potential passenger makes a flight reservation.
This information must be provided to TSA about 72 hours prior to the flight.
For reservations that occur after this deadline, aircraft operators must provide
the SFPD as soon as possible.
TSA then matches the data with the No Fly and Selectee lists.46 It also has
discretion to check against the TSDB and other watchlists,47 and appears to do
so to select certain individuals for additional screening procedures.48 When TSA
identifies a possible match, it contacts the TSC, which decides if it is a positive
match with the TSDB watchlist.49 After the matching process is finished,
aircraft operators are provided with a Boarding Pass Printing Result that clears
the passenger for boarding, identifies the passenger for additional screening, or
denies the passenger permission to board.50 In 2012, Secure Flight was
estimated to prescreen approximately 2 million passengers every day.51 As of
May 2012, according to the Government Accountability Office (GAO), the
Secure Flight program “has reduced the likelihood of passengers misidentified
as being on the watchlist.”52
Redress Process
A number of travelers who dispute any connection to terrorism have

alleged that they have been denied boarding on commercial aircraft.53 A denial
of entry can occur, for example, when a person’s name and/or date of birth
correspond or are similar to the identity of someone in the government’s
watchlist database. The Implementing Recommendations of the 9/11
Commission Act of 2007 directed DHS to create an Office of Appeals and
Redress for people who believe they have been denied boarding or subjected
to heightened screening for security reasons.54 Pursuant to these requirements,
DHS has established the Traveler Redress Inquiry Program (TRIP) to resolve
such issues.55 The program is designed to offer an efficient remedy for
travelers who encounter difficulty with the government’s screening process
and to centralize a multiagency process of reviewing and responding to any

traveler complaints.56 Passengers who have been denied boarding or subjected
to additional screening procedures may seek redress by filing a complaint
online or by mailing a complaint form.57 All travelers who do so are assigned a
redress number. If DHS decides that a person seeking redress is a match or
near match to an identity contained in the TSDB, the agency will refer the
potential match to the redress unit of the TSC. TSC then determines if the
person is an actual match with the identity of someone in the TSDB. If the
person is determined to be a match, TSC next determines whether the person
should continue to be in the TSDB; and, finally, whether the person should
continue to be on the No Fly or Selectee list.58 Those travelers determined not
to match a person in the TSDB are added to the DHS TRIP Cleared List and
receive a corresponding traveler redress number.59 Subsequently, a traveler
may enter his or her redress number when purchasing an airline ticket. If
travelers are on the DHS TRIP Cleared List, they will be cleared by Secure
Flight,60 and presumably will receive authorization to board an aircraft.
When the review process is completed, DHS TRIP sends a letter to
travelers notifying them that the review is complete. The letter, however, does
not confirm or deny whether an individual is on the No Fly list or is in the
TSDB.61 Notifications usually provide that travelers may seek judicial review
in a U.S. court of appeals under 49 U.S.C. § 46110.62 That review consists of an
ex parte and in camera examination by the court of the administrative record
provided by the government containing the evidence it relied upon.63 If the
court disagrees with the government’s determination, the court may remand the
case to the agency for further consideration.64 Even after judicial review by a
U.S. court of appeals, travelers are never informed of their status on any
watchlist or whether they will be permitted to board an aircraft traveling to,
from, or within the United States in the future.65 Instead, a person on a No Fly
list who attempts to board a plane will simply be denied boarding. The DHS
TRIP redress process does not provide travelers with reasons for inclusion on
the list, or a hearing where they might challenge their inclusion on the list. At
no point do travelers have the opportunity “to contest or to offer corrections to
the record on which any such determination may be based.”66 In fact, the
“government’s policy is never to confirm or to deny an individual’s placement
on the No Fly list.”67
While the administrative and judicial review process described above has
been established— pursuant to statute—by the government to consider
travelers’ complaints, some travelers have brought legal challenges outside of
124 Jared P. Cole
this process in federal courts, challenging both their alleged placement on the
No Fly list and the adequacy of the government’s redress procedures.68
SELECT LEGAL ISSUES IMPLICATED

BY THE NO FLY LIST
The Fifth Amendment of the U.S. Constitution provides that no person

shall be “deprived of life, liberty, or property, without due process of law.”69
This protection extends to U.S. citizens and noncitizens who have sufficient
ties to the United States.70 Courts have developed two major legal doctrines to
protect rights and liberty interests under the Due Process Clause—procedural
and substantive due process. “Procedural due process imposes constraints on
governmental decisions which deprive individuals of ‘liberty’ or ‘property’
interests within the meaning of the Due Process Clause of the Fifth or
Fourteenth Amendment.”71 As explained below, the particular procedures
required may vary according to the situation.72 Substantive due process
encapsulates the Supreme Court’s notion that the Due Process Clause
“provides heightened protection against government interference with certain
fundamental rights and liberty interests.”73 Courts have found that placement
on the No Fly list can potentially implicate procedural or substantive due
process rights.74 However, because claims alleging substantive due process
violations are somewhat underdeveloped as of yet, this report primarily
examines procedural due process claims, which have received more extensive
analysis by federal courts.
Procedural due Process
Some travelers who challenge their placement on the No Fly list and the
government’s redress process have alleged that their right to international
travel has been deprived without due process of law. Courts assessing
procedural due process claims first ask “whether the plaintiff has been
deprived of a [constitutionally] protected interest.”75 If so, courts next
“consider whether the procedures used by the government in effecting the
deprivation ‘comport with due process.’”76
Constitutionally Protected Interests

Placement on the No Fly list can impede one’s ability to travel
internationally. While a “right to travel” is not expressly mentioned in the
Constitution, the Supreme Court has recognized a right to travel as “a part of
the ‘liberty’ of which the citizen cannot be deprived without due process of
law under the Fifth Amendment.”77 The right to interstate travel is less
susceptible to government restraint than the right to international travel, as the
Court has described the former as “virtually unqualified.”78 However, the right
to international travel is nonetheless a “liberty protected by the Due Process
Clause.”79 Accordingly, the right to international travel is subject to
“reasonable governmental regulations”;80 and not every restriction on a
person’s right to travel will raise a significant due process concern.81 In
assessing whether a governmental policy infringes upon such a right, courts
will often examine the scope of the policy and the degree to which it impairs
the ability of a person to feasibly travel.82
Not every impediment to travel is considered a deprivation of a
constitutionally protected interest. In Gilmore v. Gonzales, for example, the
U.S. Court of Appeals for the Ninth Circuit rejected a constitutional challenge
to the TSA’s requirement that an airline passenger present identification before
boarding a flight from Oakland to Baltimore-Washington International
Airport.83 The court noted that the plaintiff was barred from only one form of
interstate travel, and ruled that the government’s policy did not violate the
plaintiff’s right to interstate travel “because the Constitution does not
guarantee the right to travel by any particular form of transportation.”84 The
court explained that the “burden” of presenting identification was not
unreasonable and “other forms of travel remain[ed] possible.”85
Several federal courts, however, have distinguished certain challenges to
placement on the No Fly list from this case and determined that placement on
the No Fly list can deprive someone of a constitutionally protected liberty
interest in international travel.86 For example, one district court noted that
Gilmore concerned a plaintiff’s right to fly within the United States, while
placement on the No Fly list bars international flight.87 While there may be
“alternatives to flying for domestic travel within the continental United States,”
the court reasoned, flying is often the only feasible method of international
travel.88 Further, Gilmore concerned a requirement to show identification in
order to board an airline, while placement on the No Fly list bars flying
indefinitely.89 For these courts, placement on the No Fly list is a deprivation of
a constitutionally protected interest, and the government’s procedures must
therefore comport with due process.
126 Jared P. Cole
Another liberty interest that can be implicated by placement on the No Fly

list—thus triggering procedural due process protection—is harm to one’s
reputation combined with a denial of a legal right or status.90 Under this
“stigma-plus” doctrine,91 a plaintiff can establish a due process claim by
showing (1) “the public disclosure of a stigmatizing statement by the
government, the accuracy of which is contested” and (2) “the denial of ‘some
more tangible interest’ ... or the alteration of a right or status recognized by
state law.”92 For example, one federal district court found that the plaintiffs,
who allegedly had names similar to names on the No Fly list and were
regularly subjected to enhanced screening procedures in view of their fellow
travelers, satisfied the first prong because public association with terrorism
was sufficiently stigmatizing.93 However, the court found that the plaintiffs
failed to satisfy the second prong, because they did not show a “tangible
harm.”94 The court noted that the “Plaintiffs do not have a right to travel
without any impediments whatsoever,” and “have not alleged any tangible
harm to their personal or professional lives that is attributable to their
association with the No-Fly List, and which would rise to the level of a
Constitutional deprivation of a liberty right.”95
In contrast, another federal district court found that plaintiffs who had
actually been prevented from flying met both factors.96 The first was met
because placement on a No Fly list “carries with it the stigma of being a
suspected terrorist that is publicly disclosed to airline employees and other
travelers.”97 The second was met because the plaintiffs suffered a “change in
legal status”—they are legally barred from traveling by air to or from the
United States, which they would do had they not been placed on the No Fly
list.98 Nonetheless, another district court, in weighing a challenge to placement
on the No Fly list, found the stigma plus doctrine was not satisfied because the
plaintiff failed to sufficiently allege facts that would “give rise to an inference
that the stigmatizing statements reached the other passengers so as to cause
harm to Plaintiff’s reputation.”99
What Process Is due?

As explained above, if a court finds that the government has deprived
someone of a constitutionally protected liberty interest—one’s right to
international travel, for example—then the government must provide that
person with due process. This usually requires the government to provide the
person with notice of the deprivation100 and an opportunity to be heard101
before a neutral party.102 The Supreme Court has explained, however, that due
process is not a “technical conception with a fixed content unrelated to time,
place, and circumstances.”103 Instead, the concept is “flexible and calls for
such procedural protections as the particular situation demands.”104
Consequently, the precise type of notice, the manner and time of a hearing,
and the identity of the decision maker can vary according to the situation.
When determining the proper procedural protections in a given situation,
courts will weigh the private interests affected against the government’s
interest. In Matthews v. Eldridge, the Supreme Court articulated the
balancing test for deciding what procedural protections are required when the
government deprives someone of life, liberty, or property.105 A court must
examine three broad factors:
First, the private interest that will be affected by the official action;
second, the risk of an erroneous deprivation of such interest through the
procedures used, and the probable value, if any, of additional or substitute
procedural safeguards; and finally, the Government’s interest, including
the function involved and the fiscal and administrative burdens that the
additional or substitute procedural requirement would entail.106
Therefore, as explained more fully below, when a court confronts a

challenge to a governmental deprivation of a constitutionally protected liberty
interest, a court will balance each of these factors in order to determine what
procedural protections due process requires.
Plaintiff’s Interest
As explained above, the right to international travel is a constitutionally
protected liberty interest that some courts have found to be infringed by
placement on the No Fly list.107 In assessing a procedural due process
challenge to the governmental procedures when a person’s liberty is infringed,
courts will first weigh the private interest affected by the government’s action.
In assessing the significance of the deprivation, the Supreme Court has
examined a number of different factors, including the severity, length, and the
finality of a deprivation.108 For example, the Court has found the termination
of welfare benefits—which are based on financial need—to be more severe
than the termination of disability benefits, which are not.109 In the latter case,
the Court has ruled, less procedural protections are required.110 Similarly, the
Court has noted the difference between absolute termination and a temporary
suspension from one’s employment.111 Again, the latter requires less
procedural protections.112
128 Jared P. Cole
The weight given the private interest by courts weighing challenges to

placement on the No Fly list might turn on the level of generality the court
uses to interpret the deprivation. One might argue, for example, that for most
people, air travel is often the only feasible method for international travel
available.113 Arguably, placement on the No Fly list can effectively bar
someone from traveling internationally.114 Analyzing the deprivation in this
manner might point towards finding the deprivation of a significant liberty
interest. In contrast, one might characterize placement on a No Fly list as
limited to a restriction on a person’s “preferred method of travel,” rather than
the ability to travel at all.115 In litigation concerning the No Fly list, the DOJ
has argued that “[t]he Constitution does not guarantee ... a right to the most
convenient means of travel, nor does it create a liberty interest in travel by
airplane in particular.”116 Following this line of argument, because a person
on the No Fly list is not barred from travel entirely, the deprivation is of a less
significant liberty interest.
Risk of Erroneous Deprivation and Value of Additional Procedures

A court would next examine the risk of an erroneous deprivation of liberty
under the current procedural framework and the potential value of imposing
additional procedures on the process.117 Put another way, a court would
investigate how likely it is that someone would be incorrectly placed on the
No Fly list, and how helpful requiring different procedures would be in
preventing such errors.
In analyzing the risk of error, a court might examine both the standard
used by the government to make its initial decision to place someone on the
No Fly list, as well as the procedures currently afforded travelers via DHS
TRIP, including its judicial review provision.118 One factor courts examine in
weighing the risk of error is the amount of discretion afforded the decision
maker. For example, the Supreme Court has distinguished between a
deprivation based on a medical assessment and one predicated on a variety of
disparate information including “witness credibility and veracity.”119 For the
Court, the latter situation involves a greater risk of error than the former.120
Another factor might be the standard of proof required for the government to
deprive someone of liberty. For example, the Court has held that before a state
may permanently sever a parent’s relation with a child, a state must meet a
higher evidentiary threshold than “fair preponderance of the evidence.”121
Yet another factor is the ability to see and challenge the evidence relied on
to justify a deprivation.122 In the context of a security clearance revocation that
resulted in the impairment of a plaintiff’s job opportunities, the Supreme Court
stressed that “where governmental action seriously injures an individual, and

the reasonableness of the action depends on fact findings, the evidence used to
prove the Government’s case must be disclosed to the individual so that he has
an opportunity to show that it is untrue.”123 Likewise, in the disability benefits
context, the Court has noted the important “safeguard against mistake” of
permitting access to the government’s information and the reasons for the
government’s action, as well as the ability of a claimant to submit his own
arguments and challenge the accuracy of the government’s conclusion.124
Finally, in the context of considering the government’s detention of a U.S.
citizen in an armed conflict, the Supreme Court has ruled that a process where
“the Executive’s factual assertions go wholly unchallenged or are simply
presumed correct without any opportunity ... to demonstrate otherwise falls
constitutionally short.”125 When a “citizen-detainee ... challenge[s] his
classification as an enemy combatant [he] must receive fair notice of the
factual basis for his classification, and a fair opportunity to rebut the
Government’s factual assertions before a neutral decisionmaker.”126
Some plaintiffs who have challenged their alleged placement on the No Fly
list have argued both that the current standard used to place someone on a No
Fly list entails a high risk of error, and that the current procedure afforded those
seeking to challenge their placement on the No Fly list creates a high risk of an
erroneous deprivation.127 There is arguably a considerable amount of discretion
involved in making the determination that someone is a danger to aviation
safety. In addition, if the government has faulty information, a traveler does not
have the opportunity to evaluate the evidence against her or to present her own
evidence to correct the record. Some courts have noted government studies that
document numerous errors with the operation of the watch lists;128 and media
accounts have highlighted mistaken placements on the No Fly list.129
The executive branch has argued, however, that such studies predate the
current methods used under the Secure Flight program, which has reduced the
number of travelers wrongly denied boarding.130 In addition, DHS TRIP does
provide a redress process, which can be appealed to a United States court of
appeals.131 One might argue that this opportunity for judicial review of the
agency’s determination is sufficient to prevent erroneous deprivations.
Government’s Interest
Finally, a court would examine the government’s interest in the matter and
the cost of imposing additional procedures. The government has a strong
interest in preventing terrorism, which includes ensuring the safety of air
travel.132 The operation of the No Fly list arguably is an important tool to do
130 Jared P. Cole
so.133 The government also has an interest in protecting sensitive national

security information. The executive branch has argued that “protecting TSDB
information enables agencies to share that information across the government,
without fear that it will be disclosed whenever anyone sues after he or she
cannot travel as he or she might choose.”134 Requiring DHS to reveal
classified information through this process, even to the complainant, could
“damage ... national security, including by jeopardizing intelligence sources
and methods.”135
Accordingly, the danger to the public of disclosing certain material might,
in some observers’ view, outweigh the benefit to the plaintiff. Indeed, the
executive branch has argued that “opportunities for confrontation and rebuttal
are not absolute requirements of due process, particularly where the
information upon which the government acts is highly sensitive.”136 More
generally, courts have sometimes been reluctant to require the executive
branch to release information that implicates national security concerns.137 In
cases bringing procedural due process claims that concern sensitive materials
outside of No Fly list challenges, courts have often declined to require the
government to release classified information directly to the plaintiff.138
Nonetheless, as explained below, one federal district court—in ruling on a
challenge to placement on the No Fly list—has signaled that permitting a
plaintiff’s counsel with proper security clearances to access the government’s
evidence might alleviate some national security concerns.139 However, in
contexts outside of challenges to the No Fly list, some courts have declined to
interpret this possibility as foreclosing the government’s interest in protecting
national security. As the Seventh Circuit explained recently, counsel might,
“in their zeal to defend their client ... inadvertently say things that would
provide clues to classified material.”140 In contrast, other courts, including the
Ninth Circuit, have approved this procedure, at least in appropriate
circumstances.141 Finally, one alternative used in other national security
contexts is a requirement that the government provide unclassified summaries
of particular information to a plaintiff, rather than the classified material
itself.142
In addition, specific forms of procedural protections might compromise
national security more than others. A requirement that the government provide
prior notice to anyone placed on a No Fly list and a pre-deprivation hearing
where both sides presented evidence might “aid terrorists in their plans to
bomb and kill Americans” by providing advance notice to all suspected
terrorists.143 More generally, the Supreme Court has recognized that a pre-
deprivation hearing is not necessary in certain situations, for example, those

implicating substantial national security concerns144 or public safety.145
Possible Outcomes of the Balancing Test

Judicial resolution of a due process challenge requires a balancing of all
three factors to determine what process is due. Several federal district courts
have directly addressed challenges to placement on the No Fly list which
allege that the government’s procedures violate due process.146 In a case in the
Northern District of California, a federal court ruled on a claim brought by
Rahinah Ibrahim, a Malaysian national who was present in the United States
under a student visa in 2005, when she was prevented from boarding a plane to
Malaysia and temporarily detained for several hours. During the trial, the
government admitted that it had mistakenly placed her on the No Fly list. The
court ruled that when the government mistakenly places someone on a No Fly
list, due process “requires the government to cleanse and/or correct its lists and
records of the mistaken information and to certify under oath that such
correction(s) have been made.”147 In addition to ordering this remedy, the
judge also directed the government to reveal to the plaintiff whether she was
currently on the No Fly list.148 At least in this situation, the court ruled, where
a plaintiff is mistakenly placed on the No Fly list, the current redress
procedures under DHS TRIP did not satisfy due process.149 However, the
scope of the ruling is rather narrow. The court explained that its ruling was
limited to a situation where the government admits that it has mistakenly
placed a traveler on the list. The court left open situations where the
government had not conceded error.150
In contrast, a federal district court in Oregon ruled that the government’s
procedures violated due process in a case where the government did not appear
to concede error. In Latif v. Holder, the plaintiffs had been barred from flying
and submitted complaints via the DHS TRIP process; pursuant to the
procedures described above, the government’s reply did not confirm or deny
whether they were on a No Fly list or provide any reason why plaintiffs could
not board an aircraft.151 The court found that the plaintiffs had
“constitutionally-protected liberty interests in traveling internationally by air,
which are significantly affected by being placed on the No-Fly list.”152 The
court conducted a Matthews balancing test and concluded that the DHS TRIP
process failed to provide due process.153 The court noted the various harms that
can result from being denied boarding on international flights and concluded
that the deprivation was “significant.”154 Turning to the second Matthews
factor, the court noted a “fundamental flaw” of the procedures in both the DHS
132 Jared P. Cole
TRIP and judicial review process: a low evidentiary standard—reasonable

suspicion—sufficient to be placed on the No Fly list, combined with a one
sided review process.155 Taken together, the court found, these aspects made it
likely that factual errors in the government’s record could go uncorrected.
Therefore, the court concluded, the government’s procedures “contain[ed] a
high risk of erroneous deprivation” of the plaintiffs’ liberty interests.156 Further,
the court found, providing notice of inclusion on the list, a list of reasons for
placement on the list, and/or the opportunity to present exculpatory evidence
“would have significant probative value in ensuring that individuals are not
erroneously deprived of their constitutionally-protected liberty interests.”157 On
the other hand, the court recognized the significant government interest in
national security, the third Matthews factor.158 Nonetheless, the court noted that
certain procedural protections were possible that did not endanger national
security, such as providing summaries of classified information or permitting
defense counsel with appropriate clearances to access sensitive material.159
Consequently, the court held that “the absence of any meaningful
procedures” to contest plaintiffs’ placement on the No Fly list violated due
process.160 The court ordered the government to “fashion new procedures” that
satisfied due process, including notifying the plaintiffs whether or not they were
on the No Fly list and “the reasons for placement on that List.”161 That notice
must be sufficient to provide the plaintiffs with a meaningful opportunity to
respond, and that response must be taken into account at both the judicial and
administrative review stages.162 However, the court left the precise type of
procedures up to the government and allowed for the possibility that such
disclosure might “create an undue risk to national security.”163 That
determination, however, had to be made on a case-by-case basis.164
Hurdles to Litigation
As explained above, some travelers have challenged their alleged

placement on the No Fly list and the government’s redress process in federal
court outside of the DHS TRIP review mechanism. However, governmental
privileges barring disclosure of sensitive information present hurdles for
plaintiffs.165 In No Fly list cases brought in federal courts, a number of
common law and statutory privileges have been invoked by the government to
bar a plaintiff’s access to certain information via discovery, including the state
secrets, law enforcement, and deliberative process privileges.166 When
properly invoked and accepted by courts, these privileges can prevent
plaintiffs from examining certain sensitive information potentially relevant to

their case, potentially impeding their ability to challenge placement on the list.
For example, the state secrets privilege is an evidentiary privilege that allows
the government to withhold information during civil litigation if there is a
reasonable danger that disclosure would endanger national security.167 If the
government invokes the privilege during litigation, the court will then make an
independent determination of the validity of the claim, possibly via in camera
review of the relevant materials.168 If the court is satisfied that the privilege
applies, that information will be unavailable to the plaintiff.169
Recently, in a case challenging a plaintiff’s placement on the No Fly list, the
government invoked the state secrets privilege and moved to dismiss the case
entirely.170 The government claimed that the privilege applied both to the
“sensitive policies and procedures used in the watchlisting process” and any
substantive underlying information regarding the reasons for placement on the
No Fly list.171 According to the government, this precluded any consideration of
the adequacy of the redress process,172 as well as a full inquiry into “the
possibility of substitute procedures.”173
Indeed, “any attempt to litigate how these nomination procedures were
applied in this case ... risks disclosure of the privileged information.”174 In
addition, the government argued that due to the potential for sensitive matters
to be probed via discovery, “future proceedings will inherently put the
privileged information at risk of being disclosed.”175 Accordingly, the
government moved to dismiss the case entirely.176
The law enforcement privilege has also been invoked by the government
in challenges to placement on the No Fly list.177 The purpose of the privilege is
“to prevent disclosure of law enforcement techniques and procedures, to
preserve the confidentiality of sources, to protect witnesses and law
enforcement personnel, to safeguard the privacy of individuals involved in an
investigation, and otherwise to prevent interference with an investigation.”178
The investigation is not required to be ongoing, as disclosure of past tactics
might impair future investigations.179 However, the privilege is not absolute:
“[t]he public interest in nondisclosure must be balanced against the need of a
particular litigant for access to the privileged information.”180 In order to
conduct this balancing test, courts often examine an extensive list of factors.181
Courts may examine the evidence in camera in order to determine if the
privilege applies and balance the litigant’s need against the public interest in
nondisclosure.182 If a court determines that the privilege applies, then that
information will not be available to the defendant. In No Fly list cases, the
executive branch has asserted this privilege over a “plaintiff’s status on any
134 Jared P. Cole
terrorist database and the policies and procedures used for determining how an
individual’s name is placed in such a database.”183
Similarly, the deliberative process privilege has been invoked by the
executive branch in challenges to placement on the No Fly list.184 The privilege
allows the government to withhold material that “reflect[] advisory opinions,
recommendations and deliberations comprising part of a process by which
governmental decisions and policies are formulated.”185 In order to qualify,
documents must be “predecisional” and “deliberative.”186 A document qualifies
as the former if it “was prepared in order to assist an agency decisionmaker in
arriving at his decision,” and the latter if its release would “expose an agency’s
decisionmaking process in such a way as to discourage candid discussion
within the agency and thereby undermine the agency’s ability to perform its
functions.”187 As with the other privileges, however, its invocation by the
government is not absolute. A plaintiff “may obtain deliberative materials if his
or her need for the materials and the need for accurate fact-finding over-ride the
government’s interest in non-disclosure.”188 In the No Fly list context, this
privilege might be invoked in an attempt to withhold documents used in certain
decision-making processes, such as whether to place an individual on the No
Fly list.
Finally, TSA has statutory discretion to designate certain material as
“sensitive security information,” or “information obtained ... in the conduct of
security activities ... the disclosure of which TSA has determined would ... [b]e
detrimental to the security of transportation.”189 Such information is “not
available for public inspection,”190 and the government has claimed exemptions
from disclosure at trial on this basis.191 Nonetheless, as with the privileges
discussed above, plaintiffs and their counsel can access information in certain
circumstances.192
CONCLUSION
Properly balancing the important national security interest of preventing
terrorist attacks with the civil liberties of travelers prevented from boarding a
plane is a complicated and delicate matter. Operation of the government’s No
Fly list implicates a wide variety of statutory and constitutional issues. As
more challenges to the No Fly list are adjudicated in courts, the redress process
for travelers might change considerably. Ultimately, if federal courts reach
disparate rulings on the due process requirements of placement on the No Fly
list, federal agencies will receive conflicting directives on how to proceed.
End Notes
1
See 49 U.S.C. § 114 (a), (d). The Homeland Security Act of 2002 transferred TSA to the
Department of Homeland Security. See 6 U.S.C. § 203.
2
See DEPARTMENT OF HOMELAND SECURITY, OFFICE OF INSPECTOR GENERAL,
ROLE OF THE NO FLY AND SELECTEE LISTS IN SECURING COMMERCIAL
AVIATION 3 (2009).
3
See Adam Goldman, More Than 1 Million People Are Listed in U.S. Terrorism Database,
WASHINGTON POST (Aug. 5, 2014) available at http://www.washingtonpost.com/world/
national-security/more-than-1-million-people-are-listedin-us-terrorism-
database/2014/08/05/a66de30c-1ccc-11e4-ab7b-696c295ddfd1_story.html.
4
See, e.g., Mike McIntire, Ensnared by Error on Growing U.S. Watch List, NEW YORK TIMES
(April 6, 2010) available at http://www.nytimes.com/2010/04/07/us/07 watch.html?
pagewanted=all; U.S. DEPARTMENT OF JUSTICE, OFFICE OF THE INSPECTOR
GENERAL, REPORT TO CONGRESS ON IMPLEMENTATION OF SECTION 1001 OF
THE USA PATRIOT ACT 13 (2009).
5
See U.S. CONST. amend. V. Another challenge alleges that Federal Bureau of Investigation
(FBI) agents used placement on the list to coerce Muslims to spy on their communities. See
First Amended Complaint, Tanvir v. Holder, No. 1:13-cv-06951-RA (S.D.N.Y. April 22,
2014) available at http://www.ccrjustice.org/files/ Tanvir%20v%20Comey%2013-cv-
6951%20First%20Amended%20Complaint%202014_04_22%20— %20AS%20FILED.pdf.
The plaintiffs alleged violations of their right to due process under the Fifth Amendment,
and violations of the First Amendment, the Religious Freedom Restoration Act, and the
Administrative Procedure Act. The alleged utilization of the No Fly list as a coercive tool is,
however, beyond the scope of this report. Instead, this report focuses on the operation of the
No Fly list and legal challenges to placement on the list under the Due Process Clause of the
U.S. Constitution.
6
See Latif v. Holder, 3:10-CV-00750-BR, 2014 WL 2871346 (D. Or. June 24, 2014).
7
See Joint Status Report, Latif v. Holder, 3:10-CV-00750-BR (D. Or. August 4, 2014).
8
DEPARTMENT OF HOMELAND SECURITY, OFFICE OF INSPECTOR GENERAL,
IMPLEMENTATION AND COORDINATION OF TSA’S SECURE FLIGHT PROGRAM
4 (2012) [hereinafter 2012 IG REPORT].
9
50 U.S.C. § 3056.
10
See 2012 IG REPORT, supra note 8, at 4.
11
The Intelligence Community includes the Office of the Director of National Intelligence, the
Central Intelligence Agency, the National Security Agency, the Defense Intelligence
Agency, the National Geospatial-Intelligence Agency, the National Reconnaissance Office,
other Department of Defense offices, intelligence units of the Armed Forces, the FBI, the
DEA, and DHS, the Bureau of Intelligence and Research of the Department of State, and
the Office of Intelligence and Analysis at the Department of the Treasury. 50 U.S.C. §
30003.
12
See 2012 IG REPORT, supra note 8, at 4.
13
Some examples of conduct that merits entry into TIDE include persons who: engage in, plan,
or prepare international terrorist activity; collect information on targets for terrorist activity;
solicit funds for or membership in a terrorist organization; provide material support for
terrorism. GOVERNMENT ACCOUNTABILITY OFFICE, GAO-12-476, TERRORIST
WATCHLIST, ROUTINELY ASSESSING IMPACTS OF AGENCY ACTIONS SINCE
THE DECEMBER 25, 2009, ATTEMPTED ATTACK COULD HELP INFORM FUTURE
136 Jared P. Cole
AGENTS 17-18 (2012) [hereinafter 2012 GAO REPORT]; see Secure Flight Program;
Final Rule, 73 Fed. Reg. 64018-64066 (Oct. 28, 2008).
14
National Counterterrorism Center, Terrorist Identities Datamart Environment Fact Sheet
available at http://www.nctc.gov/docs/tidefactsheet_Aug12014.pdf [hereinafter NCTC Fact
Sheet].
15
Id.
16
2012 IG REPORT, supra note 8, at 4.
17
See NCTC FACT SHEET, supra note 14; DEPARTMENT OF HOMELAND SECURITY,
OFFICE OF INSPECTOR GENERAL, ROLE OF THE NO FLY AND SELECTEE LISTS
IN SECURING COMMERCIAL AVIATION 5-9 (2009).
18
Mohamed v. Holder, 995 F. Supp. 2d 520, 526 n.8 (E.D. Va. 2014) (E.D. Va. Jan. 22, 2014)
(quotations omitted).
19
Id.
20
See Homeland Security Presidential Directive—6, Integration and Use of Screening
Information to Protect Against Terrorism (Sept. 16, 2003). See also Homeland Security
Presidential Directive—11, Comprehensive Terrorist-Related Screening Procedures (Aug.
27, 2004); Homeland Security Presidential Directive—24: Biometrics for Identification and
Screening to Enhance National Security (Jun. 5, 2008).
21
“[I]nternational terrorism” means activities that—
(A) involve violent acts or acts dangerous to human life that are a violation of the criminal
laws of the United States or of any State, or that would be a criminal violation if committed
within the jurisdiction of the United States or of any State;
(B) appear to be intended—
i. to intimidate or coerce a civilian population;
ii. to influence the policy of a government by intimidation or coercion; or
iii. to affect the conduct of a government by mass destruction, assassination, or
kidnapping; and
(C) occur primarily outside the territorial jurisdiction of the United States, or transcend
national
boundaries in terms of the means by which they are accomplished, the persons they appear
intended to intimidate or coerce, or the locale in which their perpetrators operate or seek
asylum. 50 U.S.C. § 2331(1).
22
“[D]omestic terrorism means activities that—
(A) involve acts dangerous to human life that are a violation of the criminal laws of the
United States or of any State;
(B) appear to be intended—(i) to intimidate or coerce a civilian population; (ii) to
influence the policy of a government by intimidation or coercion; or (iii) to affect the
conduct of a government by mass destruction, assassination, or kidnapping; and
(C) occur primarily within the territorial jurisdiction of the United States. 50 U.S.C. §
2331(5).
23
24
Statement of Timothy J. Healy, Director, Terrorist Screening Center, Federal Bureau of
Investigation, before the Committee on Homeland Security and Governmental Affairs, U.S.
Senate, The Lessons and Implications of the Christmas Day Attack: Watchlisting and Pre-
screening (Mar. 10, 2010) [hereinafter Healy Statement] available at http://www.fbi.gov
/news/testimony/the-lessons-and-implications-of-the-christmas-day-attack-watchlisting-
and-prescreening.
25
Id. at 2.
26
Id.
27
Ibrahim v. Department of Homeland Security, No. C 06-00545 WHA, slip op. at 12 (N.D. Cal.
Jan. 14, 2014).
28
Id. at 12.
29
Id. at 19.
30
31
The TSC compiles a number of such lists for frontline agencies. These include the Department
of State’s Consular Lookout and Support System (CLASS) for screening of passports and
visas, the U.S. Customs and Border Protection TECS system, the No Fly and Selectee list,
the FBI’s National Crime and Information Center’s Known or Suspected Terrorist File, and
the Interagency Border Inspection System.
32
Placement on the Selectee list, which can result in enhanced screening procedures at an airport,
may also present an impediment to travel; however, the legal issues raised by the Selectee
list are beyond the scope of this report, which focuses instead on placement on the No Fly
list.
33
Healy Statement, supra note 24, at 4.
34
Id. at 5.
35
See Ibrahim v. Dep’t of Homeland Sec., No. C 06-00545 WHA, slip op. at 13 (N.D. Cal. Jan.
14, 2014).
36
See U.S. DEPARTMENT OF JUSTICE, OFFICE OF THE INSPECTOR GENERAL, AUDIT
DIVISION, AUDIT OF THE FEDERAL BUREAU OF INVESTIGATION’S
MANAGEMENT OF TERRORIST WATCHLIST NOMINATIONS (March 2014).
37
Id. at 19.
38
Id. at 23.
39
Id. at 28.
40
News sources report that “Watchlisting Guidance” reportedly used by the government, dated
March 2013, has been published by The Intercept, an online magazine that has published
documents it says have been obtained from Edward Snowden. Spencer Ackerman, How the
US’s Terrorism Watchlists Work – And How You Could End Up on One,
THEGUARDIAN.COM (July 24, 2014); Charlie Savage, Over Government Objections,
Rules on No-Fly List are Made Public, NYTIMES.COM (July 23, 2014).
41
Prior to 9/11, aviation security was handled by the Federal Aviation Administration (FAA).
The FAA ordered air carriers not to board certain individuals who were deemed a threat to
aviation safety. On 9/11, this “no fly” list contained 12 names. See NAT’L COMM’N ON
TERRORIST ATTACKS UPON THE U.S., THE 9/11 COMMISSION REPORT 83
(2004).
42
P.L. 108-458, 118 Stat. 3638, Dec. 17, 2004 Sec. 4012.
43
Id.
44
Secure Flight Program; Final Rule, 73 Fed. Reg. 64018-64066 (Oct. 28, 2008).
45
2012 IG Report, supra note 8, at 10.
46
Id.
47
See 2012 GAO Report, supra note 13, at 17-18; see also Secure Flight Program; Final Rule, 73
Fed. Reg. 64018- 64066 (Oct. 28, 2008).
48
See 2012 IG REPORT, supra note 8, at 11. Secure Flight screens TSDB records that have a
“full name and date of birth that are not already on the No Fly or Selectee Lists” for this
purpose. Id. at 11. See also 2012 GAO REPORT, supra note 13, at 17-18.
138 Jared P. Cole
49
See 2012 IG REPORT, supra note 8, at 17-18. For a more thorough examination of the process
used to conduct matching, which may include searching other government databases, see
2012 IG REPORT, supra note 8, at 20-26.
50
Id. at 9-11. For a more complete explanation of how uncertainties are resolved in the matching
process, see 2012 IG REPORT, supra note 8, at 20-26.
51
Id. at 22.
52
2012 GAO REPORT, supra note 13, at 42.
53
See, e.g., Latif v. Holder, 3:10-CV-00750-BR, 2014 WL 2871346 (D. Or. June 24, 2014)
(challenge brought by thirteen plaintiffs denied boarding on flight).
54
P.L. 110-53; codified at 49 U.S.C. § 44926(a). The Intelligence Reform and Terrorism
Prevention Act of 2004 required TSA to establish procedures for persons identified as
security threats to appeal such determinations. P.L. 108- 458; codified at 49 U.S.C. §
44926(a)(j)(2)(G) & 44909(c)(6)(B).
55
See Department of Homeland Security, One-Stop Travelers’ Redress Process, https://
www.dhs.gov/one-stoptravelers-redress-process; see generally DEPARTMENT OF
HOMELAND SECURITY, OFFICE OF INSPECTOR GENERAL, EFFECTIVENESS OF
THE DEPARTMENT OF HOMELAND SECURITY TRAVELLER REDRESS INQUIRY
PROGRAM 7-9 (2009).
56
2012 IG REPORT, supra note 8, at 18. DHS TRIP is a department-wide redress process that
covers any of the “department’s component agencies,” including TSA programs as well as
Customs and Border Protection. See NCTC FACT SHEET, supra note 14.
57
Instructions for filing a complaint can be found at https://www.dhs.gov/one-stop-travelers-
redress-process.
58
Ibrahim v. Department of Homeland Security, No. C 06-00545 WHA, slip op. at 14 (N.D. Cal.
Jan. 14, 2014).
59
60
Id.
61
See Latif v. Holder, 969 F. Supp. 2d 1293, 1297 (D. Or. 2013); Mohamed v. Holder, 995 F.
Supp. 2d 520, 527 (E.D. Va. 2014). The government has asserted that its practice of neither
confirming nor denying a person’s watchlist status is conducted pursuant to its “Glomar”
policy, see Phillippi v. CIA, 546 F.2d 1009, 1013 (D.C. Cir. 1976), a judicially recognized
exception to FOIA requests seeking national security information. See Defendant’s
Memorandum of Law in Support of Motion for Partial Summary Judgment at 15, Latif v.
Holder, No. 3:10-cv-00750-BR (D.Or. Feb. 13, 2013).
62
See Latif v. Holder, 969 F. Supp. 2d 1293, 1297 (D. Or. 2013); Mohamed v. Holder, 995 F.
Supp. 2d 520, 527 (E.D. Va. 2014). A letter will sometimes notify the traveler that he or she
may seek further administrative review with DHS. Id. In that case, the final determination
letter will notify the traveler that he or she may seek review in a United States court of
appeals. These letters also do not confirm or deny whether the traveler is or was on a
watchlist. See Third Joint Statement of Stipulated Facts, Latif v. Holder, No. 3:10-cv-
00750-BR (D.Or. 2013).
63
Defendants’ Supplemental Brief at 9-10, Latif v. Holder, No. 3:10-cv-00750-BR (D.Or. Oct.
25, 2013).
64
Id. at 7-8.
65
Latif v. Holder, 969 F. Supp. 2d 1293, 1297 (D. Or. 2013).
66
Id. at 1298.
67
Id. at 1305. Exceptions to this policy have been made in rare circumstances. See Federal
Bureau of Investigation, Press Release, International Government Officials not on No Fly
List, Oct. 6, 2006 (announcing that two foreign elected officials were not on the No Fly
list).
68
See e.g., Ibrahim v. Department of Homeland Security, 669 F.3d 983 (9th Cir. 2012) (claim
brought by foreign national barred from flying seeking an injunction requiring the
government to remove her name from its terrorist watchlists); Latif v. Holder, 969 F. Supp.
2d 1293, 1296 (D. Or. 2013) (claim brought by citizens and lawful permanent residents who
were not allowed to board an aircraft alleging a violation of their right to procedural due
process because the government failed to deliver post-deprivation notice or a meaningful
opportunity to contest inclusion on the No Fly list).
69
U.S. Const. amend. V. The No Fly list and airport screening procedures might raise equal
protection issues as well, but these issues are beyond the scope of this report.
70
See Verdugo-Urquidez v. United States, 494 U.S. 259, 270-71 (1990) (“[A]liens receive
constitutional protections when they have come within the territory of the United States and
developed substantial connections with this country.”). Aliens outside the country generally
lack constitutional protection. Id. at 269 (“[W]e have rejected the claim that aliens are
entitled to Fifth Amendment rights outside the sovereign territory of the United States.”)
But see Ibrahim v. Department of Homeland Security, 669 F.3d 983, 997 (9th Cir. 2012)
(holding that an alien not currently in the country, but had been lawfully present in the
United States for four years before departing the country and being prevented from
returning, had established a “significant voluntary connection” to the United States
sufficient to assert claims under the First and Fifth Amendments).
71
Mathews v. Eldridge, 424 U.S. 319, 332 (1976).
72
The Fourteenth Amendment provides that no state shall “deprive any person of life, liberty, or
property, without due process of law.” U.S. Const. amend. XIV, § 1.
73
Washington v. Glucksberg, 521 U.S. 702, 720 (1997).
74
See infra, notes 86-99 and accompanying text.
75
Am. Mfrs. Mut. Ins. Co. v. Sullivan, 526 U.S. 40, 59 (1999). See Board of Regents v. Roth,
408 U.S. 564, 570-71 (1972) (“But, to determine whether due process requirements apply in
the first place, we must look not to the ‘weight’ but to the nature of the interest at stake. We
must look to see if the interest is within the Fourteenth Amendment’s protection of liberty
and property.”) (citations omitted).
76
Ralls Corp. v. Comm. on Foreign Inv. in U.S., 758 F.3d 296, 315 (D.C. Cir. 2014) (quoting
Am. Mfrs,. 526 U.S. at 59). But see Latif v. Holder, 3:10-CV-00750-BR, 2014 WL
2871346 (D. Or. June 24, 2014) (appearing to include the recognition of a liberty interest
within Matthews’ first step, rather than as a preliminary finding).
77
Kent v. Dulles, 357 U.S. 116, 125 (1958).
78
Califano v. Aznavorian, 439 U.S. 170, 176 (1978) (citations omitted) (italics added).
79
Id. See Aptheker v. Secretary of State, 378 U.S. 500, 505–508 (1964).
80
Haig v. Agee, 453 U.S. 280, 306-07 (1981) (citation omitted).
81
See Mackey v. Montrym, 443 U.S. 1 (1979) (states may exercise regulatory powers to deter
drunk driving); Miller v. Reed, 176 F.3d 1202, 1205–1206 (9th Cir. 1999); Cramer v.
Skinner, 931 F.2d 1020, 1031 (5th Cir. 1991).
82
See, e.g., Gilmore v. Gonzales, 435 F.3d 1125 (9th Cir. 2006).
83
Id.
84
Id. at 1136.
85
Id. at 1137.
86
See, e.g., Mohamed v. Holder, 995 F. Supp. 2d 520, 522 (E.D. Va. 2014); Ibrahim v. Dep't of
Homeland Sec., C 06- 00545 WHA, 2012 WL 6652362 (N.D. Cal. Dec. 20, 2012).
140 Jared P. Cole
87
Latif v. Holder, 969 F. Supp. 2d 1293, 1303 (D. Or. 2013).
88
Id.
89
Id.
90
See Paul v. Davis, 424 U.S. 693, 709 (1976). Closely related to a liberty interest in
international travel, but legally distinct, is a citizen’s right to reenter the United States.
Some federal courts have found that the right of an American citizen to return to the United
States from abroad is a substantive due process right. See Fikre v. F.B.I., 3:13-CV00899-
BR, 2014 WL 2335343 (D. Or. May 29, 2014); Tarhuni v. Holder, 3:13-CV-00001-BR,
2014 WL 1269655 (D. Or. Mar. 26, 2014); see also Nguyen v. Immigration and
Naturalization Serv., 533 U.S. 53, 67 (2001) (discussing privileges of U.S. citizenship,
including “the absolute right to enter [the] borders” of the United States). Placement on the
No Fly list, under this theory, can infringe upon this right. For example, one district court
has ruled that a U.S. citizen, allegedly placed on the No Fly list while abroad, raised a
colorable substantive due process claim related to his right to reenter the United States.
Mohamed v. Holder, 995 F. Supp. 2d 520, 536-37 (E.D. Va. 2014). In that case, the
government argued that the right of reentry applies only to citizens who present themselves
at the border, and does not apply to impediments preventing one’s ability to actually reach
the United States. Id. The government asserted that the plaintiff had never actually been
denied entry into the United States, and would be permitted to enter if he found an
alternative mode of transportation (other than flying) that enabled the plaintiff to present
himself at a port of entry. The district court rejected these arguments, concluding that the
right of reentry “entails more than simply the right to step over the border after having
arrived there.” Government actions to prevent a citizen from reaching the border, the court
explained, can “infringe” upon the right to reentry. Id.
The outcome of a substantive due process challenge often turns on the level of scrutiny a
court uses to examine the government’s action. See ERWIN CHEMERINSKY,
CONSTITUTIONAL LAW, PRINCIPLES AND POLICIES 546-47 (2006). However,
substantive due process challenges to placement on the No Fly list are less developed in
federal courts than claims under procedural due process, as no court appears to have fully
adjudicated the issue. One court recognized a substantive due process right to return to the
United States, but ultimately dismissed the claim because the plaintiff had alternative means
to return. See Fikre v. F.B.I., 3:13-CV-00899-BR, 2014 WL 2335343 (D. Or. May 29,
2014). Another recognized the same right and denied the government’s motion to dismiss.
See Tarhuni v. Holder, 3:13-CV00001-BR, 2014 WL 1269655 (D. Or. Mar. 26, 2014).
Because it is unclear what the proper level of scrutiny is in a substantive due process
challenge to placement on the No Fly list, resolution of the matter is uncertain at this time.
91
See Mead v. Independence Ass'n, 684 F.3d 226, 233 (1st Cir. 2012); Miller v. California, 355
F.3d 1172, 1178 (9th Cir. 2004).
92
Ulrich v. City & Cnty. of San Francisco, 308 F.3d 968, 982 (9th Cir. 2002) (quoting Paul, 424
U.S. at 701).
93
Green v. Transportation Security Admin., 351 F.Supp.2d 1119, 1129 (W.D. Wa. 2005),
94
Id. at 1130.
95
Id.
96
Latif v. Holder, No. 3:10-cv-00750-BR, 2014 WL 2871346 (D.Or. Jun. 24, 2014).
97
Id. at *12.
98
Id.
99
See Tarhuni v. Holder, 3:13-CV-00001-BR, 2014 WL 1269655 at *14 (D. Or. Mar. 26, 2014).
100
Cleveland Bd. of Ed. v. Loudermill, 470 U.S. 532, 542 (1985).
101
Goldberg v. Kelly, 397 U.S. 254, 263-64 (1970).
102
Hamdi v. Rumsfeld, 542 U.S. 507, 533 (2004).
103
Cafeteria Workers v. McElroy, 367 U.S. 886, 895 (1961).
104
Morrissey v. Brewer, 408 U.S. 471, 481 (1972).
105
Matthews v. Eldridge, 424 U.S. 319, 334 (1976).
106
Id. at 335.
107
Challenges to No Fly list placements that only burden the right to interstate travel – rather
than international – might be less likely to raise a due process issue because of the
availability of alternative modes of transportation for interstate travel. See Tarhuni v.
Holder, 3:13-CV-00001-BR, 2014 WL 1269655 at *12 (D. Or. Mar. 26, 2014); Gilmore v.
Gonzales, 435 F.3d 1125, 1137 (9th Cir. 2006).
108
See Gilbert v. Homar, 520 U.S. 924, 932 (1997) (“But while our opinions have recognized the
severity of depriving someone of the means of his livelihood ... they have also emphasized
that in determining what process is due, account must be taken of ‘the length’ and ‘finality
of the deprivation.’”) (quoting Logan v. Zimmerman Brush Co., 455 U.S. 422, 434 (1982)).
109
Compare Goldberg v. Kelly, 397 U.S. 254 (1970) (welfare benefits) with Matthews v.
Eldridge, 424 U.S. 319 (1976) (disability benefits).
110
Matthews, 424 U.S. at 340.
111
Compare Gilbert v. Homar 520 U.S. 924 (1997) (temporary suspension) with Cleveland Bd.
of Educ. v. Loudermill, 470 U.S. 532 (1985) (termination).
112
Loudermill, 470 U.S. at 932.
113
See, e.g., Tarhuni v. Holder, 3:13-CV-00001-BR, 2014 WL 1269655 at *11 (D. Or. Mar. 26,
2014); Latif v. Holder, 969 F. Supp. 2d 1293, 1303 (D. Or. 2013).
114
See Tarhuni v. Holder, 3:13-CV-00001-BR, 2014 WL 1269655 at *11 (D. Or. Mar. 26, 2014).
115
Reply Memorandum in Support of Defendants’ Motion for Partial Summary Judgment at 12,
Latif v. Holder, No. 3:10-cv-00750-BR (D. Ore. Mar. 26, 2013).
116
Id. at 11.
117
Matthews, 424 U.S. at 335.
118
See Latif v. Holder, 3:10-CV-00750-BR, 2014 WL 2871346 at *13-16 (D. Or. June 24, 2014).
119
Compare Goldberg v. Kelly, 397 U.S. 254, 269 (1970) with Matthews v. Eldridge, 424 U.S.
319, 343-44 (1976). 120Matthews, 424 U.S. at 343-45.
121
Santosky v. Kramer, 455 U.S. 745, 761-64 (1982).
122
In Nat'l Council of Resistance of Iran v. Dep't of State, 251 F.3d 192 (D.C. Cir. 2001), the
D.C. Circuit examined the Secretary of State’s designation of an entity to be a Foreign
Terrorist Organization under the Anti-Terrorism and Effective Death Penalty Act. The
relevant judicial review provision did not permit the entity to “access, comment on, or
contest the critical material.” Id. at 197. The court ruled that this review was not sufficient
to satisfy due process. The court required the Secretary to provide the entity with the
unclassified material to be used to make the designation and “the opportunity to present, at
least in written form, such evidence as those entities may be able to produce to rebut the
administrative record or otherwise negate the proposition that they are foreign terrorist
organizations.” Id. at 208- 209. See People’s Mojahedin Organization of Iran v. U.S. Dep’t
of State, 613 F.3d 220, 227-28 (D.C. Cir. 2010) (similar holding). In Al Haramain Islamic
Foundation, Inc. v. U.S. Dep’t of Treasury, 686 F.3d 965, 983 (9th Cir. 2011), the Ninth
Circuit examined the procedures used when the Office of Foreign Assets Control designated
an entity to be a “specially designated global terrorist.” Id. at 970. The court noted the high
risk of error when the government relies upon classified information without disclosure and
held that the government must, at least when it does not implicate national security, provide
142 Jared P. Cole
the entity with mitigation measures such as unclassified summaries of information or

permitting counsel with an appropriate security clearance to access the material. Id. at 982-
83. In Jifry v. F.A.A., 370 F.3d 1174 (D.C. Cir. 2004), however, the D.C. Circuit upheld a
process wherein plaintiffs did not receive the materials explaining the factual basis for the
government’s deprivation. Id. at 1184. In that case, the Federal Aviation Administration
revoked the airman certificates of two nonresident alien pilots because they presented a
security risk. Id. at 1177. After noting that the pilots’ interest in a possessing certificates to
fly foreign aircraft “pales in significance to the government’s security interests in
preventing pilots from using civil aircraft as instruments of terror,” the court ruled that
notice to the plaintiffs and the opportunity to present their own evidence to rebut the record
– without a chance to view the underlying facts – satisfied due process. Id. at 1183-84.
123
Greene v. McElroy, 360 U.S. 474, 496 (1959). 124Matthews, 424 U.S. at 345-46.
125
Hamdi v. Rumsfeld, 542 U.S. 507, 537 (2004).
126
Id. at 533.
127
See Latif v. Holder, 3:10-CV-00750-BR, 2014 WL 2871346 (D. Or. June 24, 2014).
128
See, e.g., Ibrahim v. Department of Homeland Security, 669 F.3d 983, 990 (9th Cir. 2012);
Latif v. Holder, 969 F. Supp. 2d 1293, 1306 (D. Or. 2013). See also U.S. DEPARTMENT
OF JUSTICE, OFFICE OF THE INSPECTOR GENERAL, REPORT TO CONGRESS ON
IMPLEMENTATION OF SECTION 1001 OF THE USA PATRIOT ACT 13 (2009).
129
See, e.g., Mike McIntire, Ensnared by Error on Growing U.S. Watch List, NEW YORK
TIMES (April 6, 2010) available at http://www.nytimes.com/2010/04/07/us/07 watch.html?
pagewanted=all.
130
Latif v. Holder, 969 F. Supp. 2d 1293, 1306 (D. Or. 2013); see 2012 GAO Report, supra note
13.
131
See 49 U.S.C. § 46110.
132
See e.g., Latif v. Holder, 3:10-CV-00750-BR, 2014 WL 2871346 at *16 (D. Or. June 24,
2014).
133
The chair of the Senate Intelligence Committee, Dianne Feinstein, has remarked that the No
Fly list is “one of our best lines of defense” in preventing terrorism. Scott Shane, Senators
Demand Tighter Rules on No-Fly List and Addition to Terror Group List, NEW YORK
TIMES (May 11, 2010) available at http://www.nytimes.com/2010/05/12/ world/americas/
12investigate.html?_r=0.
134
Defendants’ Supplemental Brief at 12, Latif v. Holder, No. 3:10-cv-00750-BR (D.Or. Oct. 25,
2013).
135
Id.
136
Defendants’ Supplemental Brief at 13, Latif v. Holder, No. 3:10-cv-00750-BR (D.Or. Oct. 25,
2013) (citing Jiffrey v .FAA, 370 F.3d 1174, 1183-84 (D.C. Cir. 2004)).
137
See, e.g., United States v. Reynolds, 345 U.S. 1, 10 (1953); Mohamed v. Jeppesen Dataplan,
Inc., 614 F.3d 1070 (9th Cir. 2010); El-Masri v. United States, 479 F.3d 296 (4th Cir.
2007).
138
See, e.g., Ralls Corp. v. Comm. on Foreign Inv. in U.S., 758 F.3d 296, 319 (D.C. Cir. 2014);
Al Haramain Islamic Foundation, Inc. v. U.S. Dep’t of Treasury, 686 F.3d 965, 980-81 (9th
Cir. 2011); Holy Land Found. for Relief & Dev. v. Ashcroft, 333 F.3d 156, 164 (D.C. Cir.
2003); People’s Mojahedin Org. of Iran v. Dep't of State, 327 F.3d 1238, 1242 (D.C. Cir.
2003); Nat'l Council of Resistance of Iran v. Dep't of State, 251 F.3d 192, 208-09 (D.C. Cir.
2001); see generally Global Relief Found., Inc. v. O'Neill, 315 F.3d 748, 754 (7th Cir.
2002).
139
See Latif v. Holder, 3:10-CV-00750-BR, 2014 WL 2871346 at *23-24 (D. Or. June 24, 2014).
140
United States v. Daoud, 755 F.3d 479, 484 (7th Cir. 2014) supplemented, 14-1284, 2014 WL
3734136 (7th Cir. July 14, 2014). See United States v. El-Mezain, 664 F.3d 467, 468 (5th
Cir. 2011).
141
See Al Haramain Islamic Foundation, Inc. v. U.S. Dep’t of Treasury, 686 F.3d 965, 983 (9th
Cir. 2011); KindHearts for Charitable Humanitarian Dev., Inc. v. Geithner, 710 F. Supp. 2d
637, 660 (N.D. Ohio 2010) (“If declassification or summarization of classified information
is insufficient or impossible, then KindHearts’ counsel will obtain an adequate security
clearance to view the necessary documents, and will then view these documents in camera,
under protective order, and without disclosing the contents to KindHearts.”).
142
See Al Haramain Islamic Foundation, Inc. v. U.S. Dep’t of Treasury, 686 F.3d 965, 982-83
(9th Cir. 2011). In the criminal context, this procedure is authorized under the Classified
Information Procedure Act. See 18 U.S.C.A. § 4 (“The court, upon a sufficient showing,
may authorize the United States to delete specified items of classified information from
documents to be made available to the defendant through discovery under the Federal Rules
of Criminal Procedure, to substitute a summary of the information for such classified
documents, or to substitute a statement admitting relevant facts that the classified
information would tend to prove.”).
143
Ibrahim v. Dep’t of Homeland Sec., slip op. at 29, No. 3:06-cv-00545-WHA (N.D. Ca. Jan.
14, 2014).
144
Haig v. Agee, 453 U.S. 280, 309 (1981); see also Palestine Information Office v. Shultz, 853
F.2d 932, 942-43 (D.C. Cir.1988); Global Relief Found., Inc. v. O'Neill, 315 F.3d 748, 754
(7th Cir. 2002).
145
Mackey v. Montrym, 443 U.S. 1, 19 (1979).
146
49 U.S.C. § 46110 provides that a person challenging a TSA order may petition a United
States court of appeals for review. Some courts have determined that challenges to the No
Fly list may nonetheless be brought in federal district court. See Ibrahim v. Dep't of
Homeland Sec., 538 F.3d 1250 (9th Cir. 2008); Mohamed v. Holder, No. 1:11-cv-00050-
AJT-TRJ (4th Cir. May 28, 2013). Others have concluded that challenges are proper in the
United States courts of appeals. See Scherfen v. United States Dep't of Homeland Sec.,
2010 U.S. Dist. LEXIS 8336 (M.D. Penn 2010) (distinguishing Ibrahim as “focused solely
on the question of whether placement on the No Fly List fell within § 46110,” while the
case at hand followed the receipt of a TRIP determination letter); Tooley v. Bush, CIV.A.
06-306, 2006 WL 3783142 (D.D.C. Dec. 21, 2006) rev'd in part sub nom. Tooley v.
Napolitano, 556 F.3d 836 on reh'g, 586 F.3d 1006 (D.C. Cir. 2009) and aff'd sub nom.
Tooley v. Napolitano, 586 F.3d 1006 (D.C. Cir. 2009).
147
Ibrahim v. Dep’t of Homeland Sec., Case3:06-cv-005450WHA, slip op. at 2 (N.D. Ca. Jan 14,
2014) (summary of order).
148
Id.
149
Ibrahim v. Dep’t of Homeland Sec., Case3:06-cv-00545-WHA, slip op. at 31 (N.D. Ca. Jan.
14, 2014).
150
Id. at 30.
151
Latif v. Holder, 3:10-CV-00750-BR, 2014 WL 2871346 (D. Or. June 24, 2014).
152
Id. at *11.
153
Id. at *9-24. The district court described the first Matthews step as including (1) a recognition
of a liberty interest and (2) a weighing of that interest “against the other factors.” Id. at *11.
154
Id. at *12. In addition, the court concluded that the injury to the plaintiffs’ reputations from
being placed on the list—though somewhat limited in scope because disclosure was limited
144 Jared P. Cole
to those individuals near the traveler in the airport—implicated the plaintiffs’ “interests in
their reputations.” Id. at *12-13.
155
Id. at *15.
156
Id.
157
Id. at *16.
158
Id.
159
Id. at *23-24.
160
Id. at *24.
161
Id.
162
Id.
163
Id.
164
Id. In a filing with the court on September 4, 2014, the DOJ indicated that it did “not intend to
seek an appeal” of this order “at this time.” Supplemental Joint Status Report at 3, Latif v.
Holder, No. CV 10-00750-BR (D. Or. Sept. 4, 2014).
165
These privileges would not be invoked within the DHS TRIP process itself because that
review mechanism never reveals information to the traveler beyond the status of the review
process.
166
See, e.g., Ibrahim v. Dep't of Homeland Sec., C 06-00545 WHA, 2014 WL 1493561 at *2
(N.D. Cal. Apr. 16, 2014).
167
See U.S. v. Reynolds, 345 U.S. 1, 10 (1953); see also CRS Report R41741, The State Secrets
Privilege: Preventing the Disclosure of Sensitive National Security Information During
Civil Litigation, by Todd Garvey and Edward C. Liu.
168
See Reynolds, 345 U.S. at 8.
169
See id. at 9.
170
See Defendant’s Memorandum in Support of Their Motion to Dismiss Plaintiff’s Complaint as
a Result of the Assertion of the State Secrets Privilege, Mohamed v. Holder, No. 1:11-cv-
0050 (E.D. Va. May 28, 2014).
171
Id. at 11.
172
Id.
173
Id. at 12.
174
Id.
175
Id. at 14.
176
Id. The case is currently pending in the district court.
177
See, e.g., Ibrahim v. Dep't of Homeland Sec., C 06-00545 WHA, 2014 WL 1493561 (N.D.
Cal. Apr. 16, 2014).
178
In re Dep't of Investigation of City of New York, 856 F.2d 481, 484 (2d Cir. 1988). See also
Aspin v. Dep't of Defense, 491 F.2d 24, 29-30 (D.C.Cir.1973); Frankel v. Securities and
Exchange Commission, 460 F.2d 813, 817 (2d Cir. 1972); Ibrahim v. Dep't of Homeland
Sec., C 06-00545 WHA, 2014 WL 1493561 (N.D. Cal. Apr. 16, 2014).
179
See In re The City of New York, 607 F.3d 923, 944 (2d Cir. 2010); see also Nat'l Congress for
P.R. Rights ex rel. Perez v. City of N.Y., 194 F.R.D. 88, 95 (S.D.N.Y.2000); Halpern v.
FBI, 181 F.3d 279, 294 (2d Cir.1999).
180
In re Sealed Case, 856 F.2d 268, 272 (D.C. Cir. 1988); see also In re The City of New York,
607 F.3d 923, 945 (2d Cir. 2010).
181
One district court summarized the law as follows:
In deciding whether the privilege should apply, courts typically balance the following
factors:
“(1) the extent to which disclosure will thwart governmental processes by discouraging
citizens from giving the government information; (2) the impact upon persons who have
given information of having their identities disclosed; (3) the degree to which governmental
self-evaluation and consequent program improvement will be chilled by disclosure; (4)
whether the information sought is factual data or evaluative summary; (5) whether the party
seeking the discovery is an actual or potential defendant in any criminal proceeding either
pending or reasonably likely to follow from the incident in question; (6) whether the police
investigation has been completed; (7) whether any intradepartmental disciplinary
proceedings have arisen or may arise from the investigation; (8) whether the plaintiff’s suit
is non-frivolous and brought in good faith; (9) whether the information sought is available
through other discovery or from other sources; and (10) the importance of the information
sought to the plaintiff’s case.’”
S.E.C. v. Gowrish, C 09-05883 SI, 2010 WL 1929498 (N.D. Cal. May 12, 2010) (quoting
Frankenhauser v. Rizzo, 59 F.R.D. 339, 344 (E.D.Pa.1973), overruled on other grounds,
Startzell v. City of Phila., No. 05– 05287, 2006 WL 2945226 (E.D.Pa. Oct.13, 2006)). See
also Friedman v. Bache Halsey Stuart Shields, Inc., 738 F.2d 1336, 1342 (D.C. Cir. 1984)
(invoking the same factors).
182
See, e.g., In re The City of New York, 607 F.3d 923, 948 (2d Cir. 2010).
183
(N.D. Cal. Dec. 17, 2009) vacated and remanded, 669 F.3d 983 (9th Cir. 2012).
184
See, e.g., Ibrahim v. Dep't of Homeland Sec., C 06-00545 WHA, 2013 WL 1703367 at *5-6
(N.D. Cal. Apr. 19, 2013).
185
N. L. R. B. v. Sears, Roebuck & Co., 421 U.S. 132, 150 (1975) (citation omitted).
186
Hongsermeier v. C.I.R., 621 F.3d 890, 904 (9th Cir. 2010).
187
Id. (citations and quotations omitted).
188
Ibrahim v. Dep't of Homeland Sec., C 06-00545 WHA, 2013 WL 1703367 at *2 (N.D. Cal.
Apr. 19, 2013) (quoting Cal. State Foster Parent Ass'n v. Wagner, No. 07–05086 WHA,
2008 WL 2872775 at *4 (N.D.Cal. July 23, 2008)).
189
49 C.F.R. § 1520.5.
190
49 C.F.R. § 1520.15.
191
(N.D. Cal. Dec. 17, 2009) vacated and remanded, 669 F.3d 983 (9th Cir. 2012).
192
See, e.g., id.; see also Department of Homeland Security Appropriations Act of 2007, P.L.
109-295, 120 Stat. 1355 (Oct. 4, 2006).
INDEX
airport checkpoints, vii, viii, ix, 12, 31, 32,

# 41, 47, 60, 65, 70, 76, 83
airports, viii, 2, 3, 5, 7, 9, 14, 15, 17, 18, 19,
9/11, vii, 2, 6, 10, 11, 22, 27, 28, 34, 74, 87,
32, 37, 48, 49, 61, 62, 64, 72, 74, 75, 78,
110, 122, 137
81, 111
9/11 Commission, 11, 22, 28, 34, 74, 87,
Alaska, 74, 111
110, 122
algorithm, 114
American airline, ix, 117, 121
A APIS, viii, 2, 13, 22
appropriations, 16, 24, 26
access, x, 12, 17, 18, 22, 42, 50, 74, 78, 81, Appropriations Act, 29, 35, 75, 87, 111, 145
92, 95, 96, 97, 100, 110, 111, 113, 118, armed conflict, 129
120, 129, 130, 132, 133, 134, 141 armed forces, 44, 77, 92
accountability, 100 arrest(s), 15, 16
adaptation, 25 assassination, 136
Administrative Procedure Act, 135 assessment, 5, 14, 15, 23, 24, 27, 44, 51, 69,
Advance Passenger Information System, 88, 97, 113, 128
viii, 2, 13 assessment techniques, 5
age, 20 assets, 16
agencies, 5, 14, 21, 32, 37, 44, 53, 57, 58, asylum, 136
64, 66, 69, 72, 77, 79, 93, 96, 97, 100, ATS-P, viii, 2, 13, 33, 42, 43, 76
102, 106, 112, 114, 119, 120, 121, 130, audit(s), 16, 21, 38, 65, 90, 95, 96, 110, 121
134, 137, 138 authentication, 11, 18
agency initiatives, 36, 63 authenticity, 51
air carriers, 11, 34, 39, 46, 51, 65, 70, 74, authority(s), 3, 77, 110, 121
75, 78, 79, 87, 111, 112, 113, 137 Automated Targeting System-Passenger,
Air Force, 77 viii, 2, 13, 33, 42
airline passenger screening, vii, 1, 8, 24 avoidance, 15
airline passengers, vii, 1, 3, 5, 8, 19, 24, 26, awareness, 9
43, 50, 51, 59
airline travelers, vii, 1, 4, 23, 118
148 Index
commercial, ix, 3, 5, 9, 11, 12, 21, 22, 23,

B 24, 35, 39, 65, 70, 75, 87, 90, 107, 111,
112, 117, 118, 121, 122
baggage, 9, 10, 78
common law, 132
ban, 6
communication, 99, 106
base, vii, viii, 1, 2, 3, 5, 6, 7, 9, 10, 11, 14,
community(s), 12, 25, 119, 135
21, 24, 25, 26, 27, 42, 52, 53, 55, 56, 57,
compilation, 79
63, 74, 77, 85, 91, 96, 97, 101, 102, 115
complement, viii, 2
behavior detection officers, viii, 2, 16
compliance, 48, 57, 74, 77, 78, 88, 95, 96,
behavioral assessment, 14
98, 99, 110
behavioral profiles, vii, 1
complications, 26
behaviors, 5, 14, 50
computer, 52, 70, 74, 111
benefits, 5, 19, 60, 127, 129, 141
conception, 126
BI, 120
confidentiality, 133
body image, 3
conflict, 129
bounds, 80
confrontation, 130
Congress, 1, 3, 4, 16, 24, 26, 35, 50, 87, 92,
C 117, 144
consent, 110
case law, 119 Constitution, 124, 125, 128, 135
cash, 10 constitutional issues, 134
category a, 44 consulting, 39
CBP, viii, 2, 13, 14, 17, 20, 21, 22, 24, 28, controversial, 4, 5
33, 37, 42, 44, 67, 76, 77, 85, 91, 92 cooperation, 15
CDC, 33, 76, 85, 91, 114 coordination, 10, 121
cell phones, 79 cost, 14, 15, 17, 50, 51, 129
CFR, 29 cost-benefit analysis, 15
challenges, ix, 5, 18, 35, 37, 50, 51, 64, 78, counsel, 130, 132, 134, 142, 143
79, 87, 117, 119, 123, 125, 128, 130, counterterrorism, 6, 18, 21, 24, 115, 119
131, 133, 134, 135, 140, 143 Court of Appeals, 125
children, 12 credentials, 20
China, 50 crimes, 14, 18, 78
CIA, 138 criminal activity, 16
citizens, 17, 119, 124, 139, 140, 145 criminal acts, 16
citizenship, 19, 78, 140 criminals, 13
City, 140, 144, 145 criticism, 4
civil liberties, 77, 134 cues, 15
civil rights, 77 cultural norms, 8
classification, 129 currency, 16
clothing, 40, 81, 82 Customs and Border Protection, viii, 2, 13,
Coast Guard, 20, 29, 77 28, 33, 37, 63, 85, 91, 114, 137, 138
coercion, 136 CV, 135, 138, 139, 140, 141, 142, 143, 144
collaboration, 107
Index 149
D E
danger, x, 118, 129, 130, 133 E-Government Act, 93

data collection, 15, 17, 21 e-mail, 48, 94
data set, 62 emergency, 5, 78
database, 12, 13, 14, 20, 24, 43, 106, 120, emergency management, 5
121, 122, 134, 135 employees, 20, 74, 78, 81, 84, 95, 96, 97,
DEA, 135 110, 126
decision-making process, 134 employment, 20, 127
denial, 122, 126 enforcement, 7, 13, 14, 16, 18, 21, 36, 42,
Department of Defense, 20, 75, 135 48, 50, 74, 81, 88, 94, 104, 132, 133
Department of Homeland Security, ix, 15, engineering, 113
22, 27, 28, 29, 33, 35, 64, 69, 72, 75, 76, enrollment, 17, 19, 78
84, 85, 87, 104, 109, 110, 111, 112, 115, environment, 5
117, 119, 135, 137, 138, 139, 142, 145 equipment, 3, 6
Department of Justice, 28, 33, 36, 61, 62, European Union (EU), 13, 28, 109, 112
108, 109, 121 evidence, 14, 15, 38, 65, 90, 96, 123, 128,
Department of the Treasury, 135 129, 130, 132, 133, 141
Department of Transportation, 10, 28 evolution, 25
deprivation, ix, 118, 124, 125, 126, 127, executive branch, 119, 129, 130, 133, 134
128, 129, 130, 131, 139, 141, 142 exercise, 139
depth, 7, 9 expertise, 53
destruction, 98, 110, 113, 136 exploitation, 17
detection, vii, viii, 1, 2, 3, 5, 6, 7, 14, 15, 16, explosives, viii, 2, 3, 5, 19, 40, 41, 82
17, 19, 25, 26, 27, 35, 40, 41, 50, 51, 69, exports, 120
82, 112
detection techniques, 14, 15
detention, 129 F
directives, 78, 89, 96, 100, 134
FAA, 8, 9, 10, 137, 142
disability, 127, 129, 141
facial expression, 15
disclosure, 22, 36, 52, 57, 87, 93, 97, 100,
faith, 145
110, 113, 126, 132, 133, 134, 141, 143,
145 false alarms, 25
false positive, viii, 2, 26, 27, 55, 56, 80
diseases, 28
family members, 12, 20
dispersion, 37, 64
fear, 6, 130
district courts, 131
federal agency, 2
DOJ, 121, 128, 144
draft, 61, 62, 106, 108, 109 Federal Bureau of Investigation (FBI), 10,
11, 12, 18, 28, 33, 39, 82, 85, 89, 91,
drawing, 14
113, 120, 121, 135, 136, 137, 138, 144
due process, ix, x, 113, 118, 119, 124, 125,
federal courts, x, 118, 124, 125, 132, 134,
126, 127, 130, 131, 132, 134, 135, 139,
140
140, 141
federal government, 3, 11, 24, 34, 37, 38,
42, 44, 49, 53, 58, 64, 65, 75, 76, 81, 86,
87, 88, 89, 97, 100, 111, 112, 121
150 Index
Federal Register, 28, 29, 93 human, 113, 136

Fifth Amendment, 119, 124, 125, 135, 139
financial, 127
fingerprints, 18, 19, 120 I
First Amendment, 135
identification, 4, 18, 19, 20, 47, 49, 51, 65,
first responders, 72
71, 125
flexibility, 7
identity, 11, 17, 18, 21, 23, 36, 37, 47, 50,
flight(s), viii, ix, 6, 8, 9, 10, 11, 12, 13, 14,
51, 64, 78, 79, 110, 115, 118, 120, 122,
17, 20, 23, 31, 32, 35, 39, 42, 45, 48, 50,
127
51, 63, 74, 75, 76, 78, 80, 82, 87, 92,
illegal aliens, 16
107, 111, 112, 117, 121, 122, 125, 131,
immigration, 13, 16, 18, 66, 77, 93
138
impact assessment, 85, 89, 93, 113
flight attendant, 6, 20
improvements, 107
footwear, 41, 69, 82, 112
Independence, 140
force, 16
individual differences, 16
foreign air carrier, ix, 65, 74, 75, 111, 117
inferences, 66, 77, 93, 120
Fourteenth Amendment, 124, 139
information technology, 69, 79, 81, 113
frequent fliers, 45
injury, 143
funding, 16
insanity, 18
funds, 135
integrity, 110
intelligence, 7, 12, 18, 21, 25, 27, 42, 76,
G 85, 91, 105, 115, 119, 120, 121, 130, 135
Intelligence Reform and Terrorism
GAO, viii, 15, 16, 27, 28, 29, 31, 32, 33, 37, Prevention Act, 10, 11, 22, 34, 74, 76,
40, 46, 55, 63, 65, 66, 67, 68, 72, 73, 75, 87, 111, 112, 122, 138
77, 78, 79, 80, 81, 83, 84, 92, 104, 106, interference, 124, 133
111, 112, 113, 122, 135, 137, 138, 142 international law, 18
GPRA, 33, 37, 53, 64, 75, 79, 81 international passengers, viii, 2
grouping, 112 interrogations, 9
guidance, 64, 75, 109, 112 intimidation, 136
guidelines, 121 investment(s), 69, 79, 81
guilty, 18 Iran, 141, 142
Gulf of Mexico, 9 iris, 120
Israel, 7, 9
issues, viii, 2, 23, 24, 38, 49, 80, 82, 84, 88,
H 95, 96, 98, 99, 100, 108, 109, 119, 122,
134, 137, 139
Hawaii, 74, 111
health, 12, 28, 76, 91
hiring, 3, 27 J
history, 18, 20
homeland security, 21 jurisdiction, 136
Homeland Security Act, 135
House, 28, 29, 34, 79, 86
House of Representatives, 28, 29, 34, 86
Index 151
measurement, 35, 53, 54, 70

K media, 12, 110, 129
medical, 28, 128
kidnapping, 136
membership, 49, 135
kill, 130
methodology, 13, 36, 38, 49
Mexico, 9, 74
L migration, 105
military, 20, 21
landscape(s), 6, 8, 25, 26 minors, 12
laptop, 2, 3 mission(s), 16, 21, 27, 52, 55, 66, 76, 77,
law enforcement, 7, 13, 14, 15, 16, 18, 21, 93, 99, 121
36, 42, 48, 50, 74, 81, 88, 94, 104, 132, misuse, 97
133 modifications, 100
laws, 109, 112, 136 motivation, 9
lead, 26, 38, 44 Muslims, 135
leadership, 16, 106, 107
legal issues, 119, 137
N
legislation, 6
liberty, ix, 118, 124, 125, 126, 127, 128,
National Counterterrorism Center (NCTC),
131, 139, 140, 143
12, 119, 136
light, 36, 41, 69, 82, 88, 112
national security, ix, x, 91, 92, 94, 117, 118,
liquids, 2
119, 120, 130, 132, 133, 134, 138, 141
litigation, 128, 133
National Security Agency, 135
love, 7
NCTC, 119, 120, 121, 136, 138
low risk, viii, 19, 32, 41, 43, 45, 55, 63, 65,
neutral, ix, 118, 126, 129
69, 70, 71, 74, 78, 80, 81, 82, 83, 90, 92
New Zealand, 109, 112
low-risk passengers, viii, 2, 17, 33, 37, 40,
No Fly list, v, viii, ix, x, 31, 34, 39, 40, 48,
52, 55, 56, 60, 65, 69, 75, 76, 81, 82, 97,
52, 54, 58, 90, 91, 101, 113, 117, 118,
111
119, 121, 123, 124, 125, 126, 127, 128,
luggage, 2
129, 130, 131, 132, 133, 134, 135, 137,
139, 140, 141, 142, 143
M noncitizens, 124
majority, 11
O
Malaysia, 131
man, 50
Office of Management and Budget (OMB),
managed inclusion, viii, 2, 19, 20, 76
33, 64, 69, 72, 73, 75, 79, 80, 84, 85, 88,
management, vii, 1, 5, 15, 22, 64, 69, 79,
97, 98, 108, 113, 115
81, 89, 95, 96, 99, 100, 105
Office of the Inspector General, 28
Marine Corps, 77
operations, viii, 26, 36, 37, 38, 58, 60, 61,
marketing, 23
63, 75, 78, 79, 83, 84, 96, 99, 111, 112,
mass, 136
113
materials, ix, 84, 88, 130, 133, 134, 142
opportunities, 106, 128, 130
matter, 25, 26, 94, 113, 119, 129, 134, 140
Matthews v. Eldridge, x, 118, 127, 141
152 Index
oversight, viii, ix, 21, 24, 25, 26, 27, 83, 84,
88, 95, 98, 99, 108, 109
R
race, 40, 41, 82

P random assignment, 8
real time, 53
parole, 16 recognition, 139, 143
participants, viii, 2, 17, 56, 107 recommendations, 10, 11, 15, 32, 61, 84, 89,
passenger privacy, 87 98, 109, 134
Pentagon, 29 recovery, 5
performance indicator, 85, 105 recruiting, 27
performance measurement, 35, 53, 54, 70 recurrence, 22
permission, 122 Reform, 10, 11, 22, 34, 74, 76, 87, 111, 112,
permit, 43, 141 122, 138
perpetrators, 136 regulations, 24, 77, 78, 92, 125
photographs, 120 reinforcement, 6
planned action, 108, 109 reliability, 89
police, 145 relief, 113
policy, ix, 21, 27, 94, 96, 109, 117, 120, remediation, 26
123, 125, 136, 138 reputation, 126
population, 21, 136 requirements, ix, 10, 19, 22, 26, 34, 48, 51,
port of entry, 140 57, 64, 74, 75, 78, 80, 83, 84, 87, 88, 93,
positive feedback, 7 96, 97, 98, 99, 108, 110, 113, 118, 120,
Pre-Check, viii, 2, 17, 18, 19, 20, 21, 22, 23, 121, 122, 130, 134, 139
24, 25, 29 resolution, 23, 39, 40, 70, 82, 95, 98, 99,
preparation, 36, 63, 66, 77, 93, 119, 120 111, 131, 140
principles, 21, 109, 110, 112 resources, 3, 7, 11, 25, 26, 43, 81, 100
private sector, 72, 75, 78, 81, 87 response, 5, 10, 11, 23, 25, 34, 43, 71, 72,
probability, 4 87, 95, 96, 98, 104, 111, 112, 113, 132
procurement, 51 response time, 71, 104
proposition, 141 restructuring, 97
protection, 11, 14, 84, 93, 98, 110, 113, 124, rights, 77, 87, 114, 124, 139
126, 139 risk assessment, viii, 2, 5, 13, 21, 23, 24, 27,
public health, 12, 28 32, 41, 43, 45, 55, 63, 69, 78, 82, 92, 96,
public interest, 133 98
public policy, 94 risk-based passenger screening, vii, viii, 1,
public safety, 131 2, 5, 6
root, 32, 49, 60, 61
rules, 21, 41, 43, 53, 55, 56, 63, 74, 76, 77,
Q 85, 90, 91, 95, 96, 97, 101, 102
questioning, 9
questionnaire, 23 S
safety, 118, 129, 131, 137

savings, 26
Index 153
scent, 19
scientific validity, 14
T
scope, 17, 36, 38, 99, 125, 131, 135, 137,
tactics, 133
139, 143
target, 9, 23, 34, 49, 73, 74, 85, 86, 105, 115
Screening Passengers by Observational
teams, viii, 2, 19
Techniques, viii, 2, 14
technical comments, 61, 62, 109
screening technology, vii, 1
techniques, 5, 8, 9, 14, 15, 24, 25, 133
Secretary of Homeland Security, 4, 72
technology(s), vii, 1, 3, 5, 6, 10, 25, 37, 38,
Secure Flight program, vii, viii, 23, 31, 34,
47, 50, 51, 64, 69, 79, 81, 113
36, 38, 39, 41, 53, 57, 58, 59, 60, 61, 62,
territorial, 136
63, 64, 65, 66, 69, 70, 76, 77, 79, 83, 84,
territory, ix, 117, 121, 139
86, 87, 88, 90, 92, 95, 97, 99, 100, 107,
terrorism, 6, 16, 25, 27, 34, 66, 77, 86, 93,
109, 113, 122, 129
119, 120, 121, 122, 126, 129, 135, 136,
security questions, vii, 1, 9
142
security risks, vii, 1, 4, 34, 65, 86
terrorist activities, 66, 77, 93, 120
security threats, 9, 10, 22, 138
terrorist acts, 16
Selectee List, viii, 31, 32, 34, 35, 39, 40, 41,
terrorist attack, vii, 1, 2, 6, 7, 27, 72, 118,
42, 43, 48, 52, 54, 55, 56, 58, 66, 70, 74,
121, 134
76, 77, 82, 91, 93, 97, 101, 102, 114,
terrorist groups, 119
121, 137
terrorist organization, 135, 141
Senate, 136, 142
terrorist watchlist, vii, ix, 2, 3, 10, 11, 12,
September 11, vii, 1, 118
13, 17, 18, 24, 25, 35, 76, 117, 121, 139
services, 23, 75, 81
terrorists, vii, viii, 1, 10, 15, 26, 31, 39, 41,
showing, 126, 143
42, 43, 59, 63, 66, 74, 77, 82, 85, 91, 93,
signals, 20
119, 120, 130
signs, 50
test data, 62
society, 4
testing, 35, 54, 80
software, 98, 99, 113
The Homeland Security Act, 135
solution, 51
threat assessment, 11, 18, 19, 20, 24, 27, 44
SPOT, viii, 2, 14, 15, 16, 22
threats, vii, 1, 4, 5, 7, 9, 10, 14, 17, 21, 22,
SSI, 121
25, 26, 27, 42, 52, 55, 56, 59, 77, 96,
staff members, 98
107, 138
staffing, 26, 27, 104
ticket-purchase data, vii, 1
stakeholders, 87, 105
time frame, 49, 80, 106, 107, 108, 114
state(s), x, 5, 21, 28, 49, 58, 74, 97, 118,
time periods, 18
120, 126, 128, 132, 133, 139
tracks, 72, 73, 74, 77, 80
sterile, 50, 74, 79, 81, 91, 92, 111
trade, 76
stigma, 126
training, ix, 9, 16, 48, 49, 84, 88, 95, 96, 97,
storage, 17
104, 108, 109, 110, 111, 113
strategic planning, 53
training programs, 97, 111
style, 7
transformations, 2
supervision, 48, 78
transmission, 106
Supreme Court, x, 118, 124, 125, 126, 127,
transportation, 14, 23, 72, 78, 91, 92, 111,
128, 130
118, 125, 134, 140, 141
suspicious passengers, viii, 2
154 Index
Transportation Security Administration, vii, 126, 129, 131, 136, 138, 139, 140, 142,
1, 2, 28, 29, 32, 33, 34, 55, 60, 63, 65, 143
69, 72, 73, 84, 86, 91, 108, 111, 118 Urban Institute, 64, 75
Treasury, 135, 141, 142, 143 USA, 27, 29, 135, 142
trial, 131, 134
triggers, 20, 40, 82
trusted traveler program, viii, 2, 3, 10, 17, V
20, 44
validation, 15, 88, 98, 99
TSDB, viii, 11, 12, 14, 22, 31, 32, 39, 42,
valuation, 5
43, 63, 66, 74, 77, 83, 85, 86, 91, 92, 94,
variations, 47, 50, 55, 79
97, 100, 101, 102, 103, 108, 114, 120,
Verdugo-Urquidez, 139
122, 123, 130, 137
Visa Waiver Program, 13, 28
tuberculosis, 28
vote, 16
vulnerability, 5, 8, 27, 36, 47, 49, 50, 51
U
U.S. airspace, ix, 117 W

uniform, vii, 1, 3, 4, 7
waiver, 28
United, v, ix, 2, 7, 8, 9, 13, 27, 28, 29, 31,
Washington, 8, 27, 29, 74, 75, 77, 78, 79,
34, 39, 42, 65, 70, 72, 74, 78, 83, 87, 90,
81, 110, 111, 112, 113, 115, 125, 139
109, 111, 112, 118, 123, 124, 125, 126,
watchlisting, 133, 136
129, 131, 136, 138, 139, 140, 142, 143
weapons, 3, 5
United Airlines, 9
welfare, 127, 141
United States, v, ix, 2, 7, 8, 13, 27, 28, 29,
witnesses, 133
31, 34, 39, 42, 65, 70, 72, 74, 78, 83, 87,
workers, 78
90, 109, 111, 112, 118, 123, 124, 125,
workload, 72

(Hellen E. Spear) Secure Flight Program Airline P

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

(Hellen E. Spear) Secure Flight Program Airline P

Uploaded by

Copyright:

Available Formats

TRANSPORTATION ISSUES, POLICIES AND R&D

SECURE FLIGHT PROGRAM

Additional books in this series can be found on Nova’s website

Additional e-books in this series can be found on Nova’s website

SECURE FLIGHT PROGRAM

NOTICE TO THE READER

Independent verification should be sought for any data, advice or recommendations

Library of Congress Cataloging-in-Publication Data

ISBN:  (eBook)

Published by Nova Science Publishers, Inc. † New York

Additionally, international passengers are screened by U.S. Customs and

including changes to the program since 2009, implementation of Secure Flight

Following the 9/11 attacks, TSA’s initial risk-based efforts focused

AIRLINE PASSENGER SCREENING

Airline passenger screening in the United States has been transformed

In ATSA, Congress mandated that TSA provide for comprehensive

Technologies such as whole-body imagers and advanced X-ray

The uniform approach to screening has proven problematic. Under this

In the aviation security context, risk is often framed as a complex

A general definition of risk focuses on the probability of incurring some

consequences.6 Although risk is a probabilistic construct, the ability to assign

There may not be agreement on what specific risks a risk-based security

Complicating matters further, there may not be agreement on what

ELEMENTS OF RISK-BASED SECURITY

At the operational level, risk-based passenger screening stands in contrast

Table 1. Attributes of a Comprehensive Risk-Based Approach to Security

RISK-BASED APPROACHES APPLIED

Risk-based approaches to airline passenger screening have been used since

rudimentary passenger profiles to determine whether to screen particular

The questions served for years as rudimentary security screening

Unwitting Bomb Carriers

The suspect is thought to have talked his friend into traveling on a

for voluntarily submitting information for vetting passengers in order to

Reflecting the recommendations of the 9/11 Commission, the

Reflecting the recommendations of the 9/11 Commission, the Intelligence

established a way to utilize the greater set of watchlists integrated in the

PRE-SCREENING INTERNATIONAL PASSENGERS

flight.29 That information is checked against law enforcement databases,

TSA’s SPOT program stands out as unique in its extensive use of

Law enforcement agencies generally apply behavioral analysis in the

proceedings. Moreover, whereas behavioral detection as practiced in the TSA

the program—principally, the number of referrals to law enforcement that

While TSA has championed the SPOT program as a cornerstone of its

While TSA has championed the SPOT program as a cornerstone of its

THE PRE-CHECK PROGRAM

The exclusive reliance on boarding passes for Pre-Check authentication

The exclusive reliance on boarding passes for Pre-Check authentication

Managed inclusion refers to a TSA initiative exploring real-time threat

Military Members, Department of Defense Civilians, and Known

In addition to Pre-Check members and those selected by Secure Flight

TSA considers individuals in these specific sub-populations to be lower

COLLECTION AND RETENTION OF PASSENGER DATA

management agencies, and federal contractors performing work that requires

Table 2. TSA and CBP Systems of Records

Document Identification/ Federal

TRIP program allows passengers seeking redress, or their representatives, to

ANALYZING NON-GOVERNMENTAL DATA

government and private databases may already be taking place, although

ISSUES FOR CONGRESS

In addition to specific concerns raised regarding the use of commercial

• appropriately integrates various programs and elements of the

• risk-based programs against specific mission goals tied to detecting

Despite elaborate security measures implemented in the years since the

ISBN: (eBook)