No part of this digital document may be reproduced, stored in a retrieval system or transmitted in any form or
by any means. The publisher has taken reasonable care in the preparation of this digital document, but makes no
expressed or implied warranty of any kind and assumes no responsibility for any errors or omissions. No
liability is assumed for incidental or consequential damages in connection with or arising out of information
contained herein. This digital document is sold with the clear understanding that the publisher is not engaged in
rendering legal, medical or any other professional services.
TRANSPORTATION ISSUES,
POLICIES AND R&D
HELLEN E. SPEAR
EDITOR
New York
Copyright © 2015 by Nova Science Publishers, Inc.
All rights reserved. No part of this book may be reproduced, stored in a retrieval system or
transmitted in any form or by any means: electronic, electrostatic, magnetic, tape,
mechanical photocopying, recording or otherwise without the written permission of the
Publisher.
For permission to use material from this book please contact us:
Telephone 631-231-7269; Fax 631-231-8175
Web Site: http://www.novapublishers.com
This publication is designed to provide accurate and authoritative information with regard
to the subject matter covered herein. It is sold with the clear understanding that the
Publisher is not engaged in rendering legal or any other professional services. If legal or any
other expert assistance is required, the services of a competent person should be sought.
FROM A DECLARATION OF PARTICIPANTS JOINTLY ADOPTED BY A
COMMITTEE OF THE AMERICAN BAR ASSOCIATION AND A COMMITTEE OF
PUBLISHERS.
Additional color graphics may be available in the e-book version of this book.
Preface
Chapter 1 Risk-Based Approaches to Airline Passenger Screening
Bart Elias
Chapter 2 Secure Flight: TSA Should Take Additional Steps to
Determine Program Effectiveness
United States Government Accountability Office
Chapter 3 Secure Flight: TSA Could Take Additional Steps to
Strengthen Privacy Oversight Mechanisms
United States Government Accountability Office
Chapter 4 The No Fly List: Procedural Due Process and Hurdles
to Litigation
Jared P. Cole
Index
PREFACE
This book examines changes to the Secure Flight program since 2009;
TSA’s efforts to ensure that Secure Flight’s screening determinations for
passengers are implemented at airport checkpoints; and the extent to which
program performance measures assess progress toward goals.
Chapter 1 – Until recently, the Transportation Security Administration
(TSA) had applied relatively uniform methods to screen airline passengers,
focusing primarily on advances in screening technology to improve security
and efficiency. TSA has recently shifted away from this approach, which
assumes a uniform level of risk among all airline travelers, to one that focuses
more intently on passengers thought to pose elevated security risks. Risk-
based passenger screening includes a number of initiatives that fit within a
broader framework addressing security risks, but specifically emphasizes the
detection and management of potential threats posed by passengers.
Various risk-based approaches to airline passenger screening have been
used since the early 1970s, including the application of rudimentary behavioral
profiles, security questions, and analysis of ticket-purchase data to look for
indicators of heightened risk. Additionally, “no-fly” lists were developed to
prevent known or suspected terrorists from boarding aircraft, but prior to the
terrorist attacks on September 11, 2001, these lists were not robust and proved
ineffective.
Following the 9/11 attacks, TSA’s initial risk-based efforts focused on
integrating checks of passenger name records against the “no fly” list of
individuals to be denied boarding and the “selectee” list of individuals of
elevated risk requiring more thorough secondary screening. These efforts
culminated in the deployment of Secure Flight, which screens each
passenger’s full name and date of birth against terrorist watchlists.
due process are not fixed, and can vary according to relevant factors. When
determining the proper procedural protections in a given situation, courts
employ the balancing test articulated by the Supreme Court in Mathews v.
Eldridge, which weighs the private interests affected against the government’s
interest. Courts applying this balancing test might consider several factors,
including the severity of the deprivation involved in placement on the No Fly
list. In addition, courts may examine the risk of an erroneous deprivation under
the current procedural framework and the potential value of imposing
additional procedures on the process. Finally, courts may inquire into the
government’s interest in preserving the status quo, including the danger of
permitting plaintiffs to access sensitive national security information.
Resolution of the issue is currently pending as at least two federal courts
have ruled that the government’s redress procedures for travelers challenging
placement on the No Fly list violate due process. Litigation is further
complicated by several legal hurdles, such as the state secrets privilege, that
can bar plaintiffs from accessing certain information.
In: Secure Flight Program ISBN: 978-1-63463-643-8
Editor: Hellen E. Spear © 2015 Nova Science Publishers, Inc.
Chapter 1
RISK-BASED APPROACHES
TO AIRLINE PASSENGER SCREENING∗
Bart Elias
SUMMARY
Until recently, the Transportation Security Administration (TSA) had
applied relatively uniform methods to screen airline passengers, focusing
primarily on advances in screening technology to improve security and
efficiency. TSA has recently shifted away from this approach, which
assumes a uniform level of risk among all airline travelers, to one that
focuses more intently on passengers thought to pose elevated security
risks. Risk-based passenger screening includes a number of initiatives
that fit within a broader framework addressing security risks, but
specifically emphasizes the detection and management of potential threats
posed by passengers.
Various risk-based approaches to airline passenger screening have
been used since the early 1970s, including the application of rudimentary
behavioral profiles, security questions, and analysis of ticket-purchase
data to look for indicators of heightened risk. Additionally, “no-fly” lists
were developed to prevent known or suspected terrorists from boarding
aircraft, but prior to the terrorist attacks on September 11, 2001, these
lists were not robust and proved ineffective.
∗ This is an edited, reformatted and augmented version of a Congressional Research Service
publication R43456, prepared for Members and Committees of Congress, dated March 31,
2014.
excellent job2—and led to sharp criticism from experts such as former TSA
Administrator Kip Hawley, who has argued, “In attempting to eliminate all
risk from flying, we have made air travel an unending nightmare ..., while at
the same time creating a security system that is brittle where it needs to be
supple.”3
TSA has responded to such criticisms by attempting to shift from an
approach that assumes a uniform level of risk among all airline travelers to one
that focuses on passengers thought to pose elevated security risks. Risk-based
screening has itself been controversial; while some initiatives have been
encouraged or even directed by Congress, others have met with considerable
skepticism among some Members of Congress or outside groups. The
controversy derives, in part, from widely divergent views of what constitutes
risk and how risk should be appropriately assessed and mitigated.
WHAT IS RISK?
The dilemma over where to appropriately focus security efforts can be
informed by the advice Frederick the Great offered to his generals: “Little
minds try to defend everything at once, but sensible people look at the main
point only; they parry the worst blows and stand a little hurt if thereby they
avoid a greater one. If you try to hold everything, you hold nothing.”4 That
view was echoed more recently by former Secretary of Homeland Security
Michael Chertoff, who wrote in 2006, “In a free and open society, we simply
cannot protect every person against every risk at every moment in every place.
There is no perfect security.”5
While security is necessarily imperfect, it nonetheless can be configured in
an informed manner designed to minimize risk. The preliminary step in this
process is to reach an understanding of the nature and characteristics of the
security risk, followed by an identification of specific strategies to mitigate or
manage that risk.
writes, “Terrorists love our detection technology because they can trust that it
will not do what it is not designed to do and never did before. In a sense, our
technology gives the terrorist a positive feedback on what to expect.” Ron
claims that there has never been a case in which a planned terrorist attack was
prevented by the detection of threat items alone.11
Comments such as Hawley’s and Ron’s point to an approach that does not
dispense with detection technologies, but integrates detection capabilities with
other measures for assessing threats and minimizing vulnerabilities. Such an
approach might depart from TSA’s historical practice of using relatively rigid
and inflexible measures to screen passengers in a uniform manner. It might
require the agency to be more proactive, as opposed to largely reactive, with
respect to specific threats and incidents, and to emphasize flexibility and
unpredictability.
Advocates of risk-based security frequently point to Israel, which employs
demographic profiling, intelligence and law enforcement databases, and
extensive security interviews to identify passengers deemed to pose high risks.
These individuals are then subject to heightened screening measures and in-
depth inquiries to assess any potential threat before they are allowed to board a
plane. Despite continued threats, Israel has avoided any major terrorist attacks
against its airlines and airports for over 40 years. The exact role that its
methods have played in deterring or preventing such attacks is undetermined.
Regardless, adopting an Israeli-style approach in the United States is
considered to be problematic, both legally and pragmatically. Research by
TSA’s Kenneth Fletcher concluded that a risk-based approach to passenger
screening tailored to meet the specific operational and legal framework of
aviation security in the United States would be more effective, as well as more
politically feasible, socially acceptable, and legally defensible, than the
extensive interviewing and targeted screening carried out under the Israeli
airport security model.12
Table 1 identifies the principal attributes of a comprehensive risk-based
aviation security framework, as described by scholars of the subject.
Risk-based screening should be understood as part of a comprehensive,
multi-layered approach to aviation security rather than as an alternative
approach. Risk-based programs closely interact with physical screening
checkpoint measures to allow TSA to focus physical screening resources on
unknown and elevated risk passengers. They also inform the protocols TSA
utilizes to modify security postures based on known or perceived threats. It is
possible that risk-based programs affect decisions related to the posting of
behavioral detection officers and the deployment of air marshals by identifying
which passengers should be more closely observed and which flights may be
considered high-risk, although details about the interaction of these security
components have not been disclosed publicly.
Attribute            Description
Intelligence Driven  Intelligence information and analysis including both threat and
                     vulnerability assessments informs decisions regarding security
                     policies, procedures, practices, and postures.
Unpredictable        Elements of the security system should not be routine, predictable, or
                     overly rigid, and should maintain some degree of random assignment
                     to various screening techniques. Procedures attempt to minimize the
                     opportunity for adversaries to test the system in an effort to uncover
                     latent vulnerabilities.
Adaptable            The security system is not overly rigid and can adapt, sometimes on
                     very short notice, to a changing threat picture. Moreover,
                     implementation must adapt to cultural norms, societal constraints, and
                     legal processes, which may also shift over time.
Evolving             The security system is not overly rigid, but rather is capable of
                     evolving to incorporate new technologies, new approaches, and
                     changing threat landscapes.
Layered              The security system incorporates multiple elements, relatively
                     independent and isolated from one another, and employs
                     redundancies implemented in a coordinated manner so that a failure
                     of one component does not expose the entire system to an
                     unacceptable level of risk.
Source: CRS analysis, based on Raphael Ron, “Airport Security: A National Security
Challenge,” Policy Brief, International Border Security Forum, Washington, DC:
The German Marshall Fund of the United States, May 2013; Kenneth C. Fletcher,
“Aviation Security: A Case for Risk-Based Passenger Screening,” thesis, Naval
Postgraduate School, Monterey, CA, December 2011; and Bartholomew Elias,
Airport and Aviation Security: U.S. Policy and Strategy in the Age of Global
Terrorism (Boca Raton, FL: CRC Press, 2010), pp. 133-158.
• Has anyone unknown to you asked you to carry any items on this
flight?
• Have any of the items you are traveling with been out of your
immediate control since the time you packed them?
On November 1, 1955, the crash of United Airlines Flight 629 killed all
44 on board shortly after departing Denver, CO. The cause of the crash was
determined to be a dynamite bomb. John Gilbert Graham confessed to
secretly placing the bomb in his mother’s suitcase. He was convicted of
killing his mother and was executed in 1957.
It has been speculated, but never proven, that the crash of National
Airlines Flight 967 on November 16, 1959, was caused by a concealed
explosive device brought aboard unknowingly by an ex-convict who was
carrying a package given him by a friend from prison.
Following the December 21, 1988, bombing of Pan Am Flight 103 over
Lockerbie, Scotland, FAA and the airlines developed the Computer-Assisted
Passenger Pre-Screening (CAPPS) system, which was implemented in the late
1990s. CAPPS resides on airline reservation systems and relies on patterns in
flight reservation data to identify passengers considered to pose potential
security threats. While the specific algorithms used by CAPPS, which is now
overseen by TSA, are security sensitive, it has been reported that indicators
may include purchasing a one-way ticket or paying with cash.15 Separately,
FAA, in coordination with the Federal Bureau of Investigation (FBI),
developed a list of known terrorists who were to be denied boarding: the “no-
fly” list. However, on the day of the 9/11 attacks only 12 names were on the
list, none of them the 9/11 hijackers, even though other government terrorist
watchlists contained tens of thousands of names.16
After the 9/11 attacks, the Aviation and Transportation Security Act (ATSA)
directed TSA to establish requirements for
trusted traveler programs and to use available technologies to expedite
screening for participating passengers, thereby allowing screening personnel to
focus on those passengers who should be subject to more extensive screening.
The act, along with the subsequent Intelligence Reform and Terrorism
Prevention Act of 2004 (P.L. 108-458), directed TSA to ensure that CAPPS or
any successor system be used to evaluate all passengers prior to boarding, and
to assure adequate screening of passengers selected by such systems as well as
their carry-on and checked baggage. This emphasis on risk-based screening
reflected recommendations made by the Department of Transportation Airport
Security Rapid Response Team, formed in response to the 9/11 attacks.
Specifically, the team found an urgent need to establish a nationwide program
SECURE FLIGHT
Despite missteps in developing CAPPS II, the 9/11 Commission formally
recommended in 2004 that the “no fly” and “automatic selectee” lists be
improved, and that air passengers be screened not only against these lists, but
against the “larger set of watchlists maintained by the federal government.”18
The commission urged that screening be performed by TSA, not by air
carriers, and that carriers be required to supply the information needed to test
the new prescreening system.
If TSA does not identify a potential watchlist match using Secure Flight,
records are to be destroyed within seven days of completion of the travel
itinerary. Potential matches, however, are retained for 7 years and confirmed
watchlist matches may be retained for up to 99 years. Known traveler lists and
lists of individuals disqualified from expedited screening due to past security
incidents are retained until superseded by updated lists.25
SCREENING PASSENGERS BY OBSERVATIONAL TECHNIQUES (SPOT)
Secure Flight seeks to employ risk-based analysis drawing exclusively on
data compiled by government agencies and the airlines. A separate TSA
program, Screening Passengers by Observational Techniques (SPOT),
attempts to identify passengers who could present threats by observing
behavior at airports. TSA initiated early tests of SPOT in 2003. By FY2012,
the program deployed almost 3,000 behavior detection officers (BDOs) at 176
airports, at an annual cost of
about $200 million. Program costs and continued questions over its scientific
validity and operational utility have been central concerns in the continued
controversy over the program since its inception. TSA asserts that its behavior
detection and analysis program is “based on scientifically validated behaviors
to identify individuals who potentially pose a threat to the nation’s
transportation network.”30
SPOT is rooted in law enforcement techniques that rely on criminal
profiling methods and behavioral assessment strategies, including behavioral
observation. TSA asserts that behavior detection techniques that form the basis
for SPOT have been practiced for many years in the context of law
enforcement, customs and border protection, defense, and security. However,
there are several nuanced differences between SPOT and law enforcement
behavior analysis tools and techniques that set the SPOT program apart.
the applicant must provide certified copies of records supporting the claim
that the initial determination was inappropriate. Since the $85 processing fee
is non-refundable, individuals who have reason to believe they may be
disqualified based on their criminal record or may not meet eligibility
requirements because of other factors, including citizenship or residency
status, may choose not to apply.
In December 2013, TSA opened the first Pre-Check enrollment center for
the general public at the Indianapolis, IN, airport. TSA anticipates that there
will eventually be as many as 300 enrollment centers nationwide as well as an
online application process. Individuals seeking to participate may initiate the
application process by pre-enrolling online, but must visit a physical
enrollment site to provide identification and fingerprints.
Early indications have suggested that frequent travelers are generally
pleased with Pre-Check. A 2012 survey of frequent flyers found that almost
54% of those using Pre-Check were very satisfied or extremely satisfied,
compared to less than 7% of frequent travelers expressing similar opinions of
their most recent TSA screening in general.39
However, rapid expansion of the program could limit some of its benefits.40
TSA has increased availability of Pre-Check’s expedited screening lanes from
40 airports in FY2013 to over 100 airports by January 2014, with a goal of
providing expedited screening to half of all airline passengers by the close of
FY2015. As the Pre-Check program grows in popularity, wait times in Pre-
Check lanes may increase, while non-participating travelers may also stand
to save time as more and more fellow travelers join Pre-Check.
Non-participating travelers may also benefit from possible selection to use a
Pre-Check lane either through occasional selection based on Secure Flight
assessments or under an initiative referred to as managed inclusion.
Managed Inclusion
the officer signals that a passenger is an elevated risk, then he or she may be
randomly selected for managed inclusion in a Pre-Check screening lane. Upon
stepping on a mat in front of the travel document checker’s kiosk the
passenger triggers a lighted directional arrow that will indicate whether to
proceed to regular screening lanes or a Pre-Check expedited screening lane,
based on a random selection.
REDRESS
The Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-
458) required TSA and DHS to establish appeals procedures by which persons
who are identified as security threats based on records in the Terrorist
Screening Database (TSDB) may
appeal such determinations and have such records, if warranted, modified to
avoid recurrence. Also, provisions in the Implementing Recommendations of
the 9/11 Commission Act of 2007 (P.L. 110-53) required DHS to establish an
Office of Appeals and Redress to establish a timely and fair process for
individuals who believe they have been delayed or prohibited from boarding a
commercial aircraft because they were wrongly identified as a threat. DHS
must maintain records of passengers and individuals who have been
misidentified and have corrected erroneous information.
To meet these statutory requirements, DHS established the DHS Traveler
Redress Inquiry Program (DHS TRIP) as a mechanism for addressing situations
in which individuals claim to have been inappropriately singled out. The DHS
One broad concern is the extent to which the various risk-based programs
developed by TSA fit into a comprehensive strategy that addresses security
risk. As noted above, most experts in the aviation security field do not
consider risk-based screening to be a stand-alone technique, but rather to
consist of a variety of techniques which, both individually and collectively, fit
within a comprehensive risk-based approach to security such as that presented
in Table 1. There may also be other relevant criteria that would be useful in
assessing the degree to which these programs fit into a broader risk-based
framework.
An issue of potential significance is the extent to which the risk-based
approach, as implemented, is able to effectively adapt and evolve to address
shifting threats and to incorporate new methods and capabilities. It is difficult to
assess whether the risk-based approach to passenger screening is adequately
adaptive and evolving, in part because some elements like the Pre-Check
program are relatively new and, in part, because details necessary to make such
assessments regarding terrorist watchlists and behavioral profiling techniques
are not publicly divulged. The evolution of processes to consolidate and
disseminate terrorist watchlist information has been a key issue for the
intelligence community since the attempted bombing of Northwest Flight 253
on December 25, 2009. However, specific changes made in response have not
been publicly acknowledged. Similarly, information regarding any evolution or
adaptation of behavioral detection methods since the inception of TSA’s
behavioral detection program has not been publicly disclosed. How TSA’s risk-
based strategy and the underlying intelligence practices informing risk-based
decisions have adapted to shifting threat landscapes, potential changes in
resources, and the introduction of new procedures and technologies may be an
issue of interest for congressional oversight.
The selection of appropriate metrics appears to be a key issue in assessing
the effectiveness of TSA’s risk-based strategies. Suitable metrics have been
difficult to identify, again, in part because of the necessary secrecy
surrounding security. Defining suitable metrics may also prove difficult as a
result of relatively limited numbers of encounters with individuals having ties
to terrorism, and even fewer still with those seeking to carry out attacks
against civil aviation. With regard to behavioral detection programs, TSA’s
choice of metrics has been questioned. For other programs, such as Pre-Check,
TSA has emphasized efficiency metrics rather than metrics that specifically
address security effectiveness, at least publicly.
As a practical matter, the limited number of terrorist encounters raises
concerns over the prevalence and implications of false alarms, singling out
individuals as potential threats who in fact pose no threat. Since the number of
suspected terrorists is small relative to the number of airline passengers, false
alarms occur with far greater frequency than valid threat detections. Efforts to
reduce false positives could leave gaps in threat detection capabilities.
Nonetheless, high false alarm rates may lead to potentially significant
consequences by misdirecting limited screening resources and by creating
complications for individuals mistakenly targeted as potential threats. In the
past, initiatives to reduce false alarms associated with Secure Flight have
focused on systematic culling and parsing of terrorist databases to ensure that
information is thorough, accurate, and up to date. Additionally, a
congressionally mandated redress process has been put in place to provide a
mechanism for falsely targeted individuals to seek remediation. The
effectiveness of these steps in reducing false alarm rates in aviation passenger
pre-screening has not been disclosed publicly.
In addition to measuring effectiveness, assessing anticipated efficiency
gains related to risk-based screening initiatives appears to have important
implications for oversight of TSA operations and appropriations. TSA
anticipates that risk-based security efficiencies will result in savings of about
$120 million, and allow staffing reductions of more than 1,500 full-time
equivalent positions in FY2015.50 Congressional oversight may examine
whether these efficiency gains can be realized without compromising security
effectiveness.
Finally, privacy and appropriate data protections are matters of
considerable interest to Congress. Through its various systems of records of
data maintained on individuals, DHS has established practices to protect
personal data and comport with Privacy Act requirements. The extent to which
these various privacy protections and data security measures are being
appropriately implemented in practice may also be a matter of concern.
In summary, as TSA moves forward in its implementation of a risk-based
approach to passenger screening, questions persist as to whether this approach
End Notes
1. See, e.g., P.L. 113-6, which prohibited FY2013 recruiting or hiring that would result in TSA
exceeding a staffing level of 46,000 full-time equivalent screeners.
2. Frank Newport and Steve Ander, Americans’ Views of TSA More Positive Than Negative,
Gallup, Princeton, NJ, August 8, 2012,
http://www.gallup.com/poll/156491/Americans-Views-TSA-Positive-Negative.aspx.
3. Kip Hawley, “Why Airport Security Is Broken – And How To Fix It,” Wall Street Journal,
April 15, 2012.
4. Frederick the Great, as quoted in Peter G. Tsouras (Ed.), The Greenhill Dictionary of Military
Quotations, Greenhill Books (London, 2000).
5. Michael Chertoff, “There is No Perfect Security,” Wall Street Journal, February 14, 2006.
6. U.S. Department of Homeland Security, Risk Management Fundamentals: Homeland Security
Risk Management Doctrine, April 2011.
7. Although this is generally termed “passenger risk assessment” rather than “passenger threat
assessment,” the technique focuses exclusively on the potential threat posed by an
individual passenger. The terms are interchangeable in this context given an assumption that
other aspects of risk besides threat (i.e., vulnerability and severity of consequences) are held
constant.
8. See, e.g., U.S. Government Accountability Office, Aviation Security: TSA Should Limit Future
Funding for Behavior Detection Activities, GAO-14-159, November 2013.
9. Bart Jansen, “TSA Drops Efforts to Allow Small Knives on Planes,” USA Today, June 5, 2013.
10. Kip Hawley, “Why Airport Security Is Broken – And How To Fix It,” Wall Street Journal,
April 15, 2012.
11. Raphael Ron, “Airport Security: A National Security Challenge,” Policy Brief, International
Border Security Forum, Washington, DC: The German Marshall Fund of the United States,
May 2013.
12. Kenneth C. Fletcher, “Aviation Security: A Case for Risk-Based Passenger Screening,” Thesis,
Naval Postgraduate School, Monterey, CA, December 2011.
13. Bartholomew Elias, Airport and Aviation Security: U.S. Policy and Strategy in the Age of
Global Terrorism (Boca Raton, FL: CRC Press, 2010).
14. ABC News, “Airline Security Questions Scrapped,” January 7, 2006, available at
http://abcnews.go.com/US/story?id=91316&page=1.
15. Ryan Singel, “Life After Death for CAPPS II?” Wired, July 16, 2004.
16. National Commission on Terrorist Attacks Upon the United States, The 9/11 Commission
Report, Authorized ed. (New York: W.W. Norton & Co., 2004), p. 393.
17. U.S. Department of Transportation, Meeting the Airport Security Challenge: Report of the
Secretary’s Rapid Response Team on Airport Security, October 1, 2001.
18. National Commission on Terrorist Attacks Upon the United States, The 9/11 Commission
Report, Authorized ed. (New York: W.W. Norton & Co., 2004), p. 393.
19. See, e.g., P.L. 109-90, §518.
20. U.S. Department of Homeland Security, Transportation Security Administration, “Secure
Flight Program; Final Rule,” 72 Federal Register 64018-64066, October 28, 2008.
21. Transportation Security Administration, “Myth Buster: TSA’s Watch List is More Than One
Million People Strong.” The TSA Blog, July 14, 2008, available at
http://blog.tsa.gov/2008/07/myth-buster-tsas-watch-list-is-more.html.
22. Mark Hosenball, “Number of Names on U.S. Counter-Terrorism Database Jumps,” Reuters,
May 2, 2013.
23. U.S. Department of Justice, Office of the Inspector General, Audit of the Federal Bureau of
Investigation’s Management of Terrorist Watchlist Nominations, Audit Report 14-16,
March 2014.
24. The public health Do Not Board (DNB) list includes the names of individuals with
communicable diseases who pose a serious threat to the public. The Centers for Disease
Control and Prevention reviews all requests to place a name on the list to verify that the
individual meets the appropriate medical criteria for inclusion. In the first year following
creation of the list in 2007, 42 names were submitted and 33 names were placed on the list,
all referencing individuals thought to have infectious pulmonary tuberculosis.
25. Transportation Security Administration, “Privacy Act of 1974: System of Records; Secure
Flight Records,” 77 Federal Register 69491-69496, November 19, 2012.
26. Department of Homeland Security, “Privacy Act of 1974; U.S. Customs and Border Protection,
DHS/CBP-006—Automated Targeting System, System of Records,” 77 Federal Register
30297-30304, May 22, 2012.
27. See CRS Report RS22030, U.S.-EU Cooperation Against Terrorism, by Kristin Archick.
28. See http://travel.state.gov/content/visas/english/visit/visa-waiver-program.html
29. For more information see CRS Report RL32221, Visa Waiver Program, by Alison Siskin.
30. Transportation Security Administration, Statement of Administrator John S. Pistole, Before the
United States House of Representatives, Committee on Homeland Security, Subcommittee
on Transportation Security, November 13, 2013.
31. U.S. Government Accountability Office, Aviation Security: TSA Should Limit Future Funding
for Behavior Detection Activities, GAO-14-159, November 2013.
32. U.S. Government Accountability Office, Aviation Security: Efforts to Validate TSA’s
Passenger Screening Behavior Detection Program Underway, but Opportunities Exist to
Strengthen Validation and Address Operational Challenges, GAO-10-763, May 2010.
33
Transportation Security Administration, Statement of Administrator John S. Pistole, Before the
United States House of Representatives, Committee on Homeland Security, Subcommittee
on Transportation Security, November 13, 2013.
34
U.S. Government Accountability Office, Aviation Security: TSA Should Limit Future Funding
for Behavior Detection Activities, GAO-14-159, November 2013.
35
Department of Homeland Security, Office of Inspector General, Transportation Security
Administration’s Screening of Passengers by Observation Techniques (Redacted), OIG-13-91,
Washington, DC, May 29, 2013; Department of Homeland Security, Statement of
Charles K. Edwards, Deputy Inspector General, Before the United States House of
Representatives, Committee on Homeland Security, Subcommittee on Transportation
Security, November 13, 2013.
36
See Rep. John Carter, “Department of Homeland Security Appropriations Act, 2014,” House
of Representatives, Congressional Record, Vol. 159, Issue 78 (June 5, 2013), p. H3194.
37
Transportation Security Administration, “TSA Lifts Cap and Eliminates Fee on Registered
Traveler,” Press Release, July 24, 2008; see also Transportation Security Administration,
“Registered Traveler Interoperability Pilot Program,” 73 Federal Register 44275-44278.
38
U.S. Government Accountability Office, Aviation Security: Status of TSA’s Acquisition of
Technology for Screening Passenger Identification and Boarding Passes, GAO-12-826T,
June 19, 2012.
39
Dan Collins, “Poll: 90% of Frequent Flyers Give TSA Fair or Poor Rating,” Frequent Business
Traveler, September 10, 2012.
40
Bart Jansen, “Privacy Concerns Swirl Around TSA Pre-Check Program,” USA Today,
February 24, 2014.
41
Josh Hicks, “TSA’s expedited screening lanes soon open to DOD and Coast Guard civilians,”
Washington Post, March 27, 2014.
42
See 49 CFR §1544.229 and §1544.230.
43
See, e.g., Christian Davenport, “Pentagon considers retaking control of security clearance
checks,” Washington Post, March 20, 2014.
44
Complete instructions for filing complaints under the DHS TRIP program can be found at
http://www.dhs.gov/onestop-travelers-redress-process.
45
Department of Homeland Security, “Privacy Act of 1974; Department of Homeland Security
Transportation Security Administration-DHS/TSA-019 Secure Flight System of Records,”
78 Federal Register 55270-55274, September 10, 2013.
46
Transportation Security Administration, Market Research Announcement: TSA Third Part
Pre-screening, HSTS02-13-RFI-0001, January 8, 2013.
47
Transportation Security Administration, Market Research Announcement: TSA Third Part
Pre-screening, HSTS02-13-RFI-0001, Amendment 3, February 6, 2013.
48
Susan Stellin, “Security Check Now Starts Long Before You Fly,” New York Times, October
21, 2013.
49
See, e.g., P.L. 109-90, §518.
50
Department of Homeland Security, Transportation Security Administration, Aviation Security:
Fiscal Year 2015 Congressional Justification; Department of Homeland Security,
Budget-in-Brief, Fiscal Year 2015.
In: Secure Flight Program ISBN: 978-1-63463-643-8
Editor: Hellen E. Spear © 2015 Nova Science Publishers, Inc.
Chapter 2
* This is an edited, reformatted and augmented version of a United States Government
Accountability Office publication, No. GAO-14-531, dated September 2014.
United States Government Accountability Office
ABBREVIATIONS
ATS-P Automated Targeting System-Passenger
BPSS boarding pass scanning system
CAT Credential Authentication Technology
CBP U.S. Customs and Border Protection
CDC Centers for Disease Control and Prevention
DHS Department of Homeland Security
FBI Federal Bureau of Investigation
GPRA Government Performance and Results Act
IVCC Identity Verification Call Center
OMB Office of Management and Budget
OSO Office of Security Operations
SFPD Secure Flight Passenger Data
SOC Secure Flight Operations Center
TDC Travel Document Checker
TRIP Traveler Redress Inquiry Program
TSA Transportation Security Administration
***
September 9, 2014
interviewed relevant TSA officials about the fiscal year 2013 performance
measures for the Secure Flight program and the adequacy of these measures in
assessing TSA’s progress in achieving program goals. In addition, to
understand how TSA uses Secure Flight-related performance data, we
reviewed documentation related to all meetings that TSA identified of the
Secure Flight Match Review Board—a multidepartmental organization
established to, among other things, review performance measures and
recommend changes to improve system performance—from the time the board
was initiated, in March 2010, through August 2013, a total of 51 meetings. To
identify the extent to which TSA monitors and evaluates the reasons for
Secure Flight matching errors, we analyzed a list that TSA compiled at our
request of missed passengers on two high-risk lists (including the reasons for
these matching errors) that occurred from November 2010 through July 2013.
We evaluated TSA’s efforts to track cases in which TSA discovered a Secure
Flight system matching error against Standards for Internal Control in the
Federal Government.13
We conducted this performance audit from March 2013 to September
2014, in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions.
Additional details on our scope and methodology are contained in appendix I.
BACKGROUND
Responsibility for Secure Flight Operations
and manual screening processes (including the airport resolution process) air
carriers may not issue a boarding pass to a passenger until they receive from
Secure Flight a final screening determination. These determinations include a
“cleared” message, for passengers found not to match a watchlist, and a
“selectee” message, for matches to the Selectee List who are to be
designated by air carriers for enhanced screening. For passengers matching the
No Fly List, Secure Flight’s initial “passenger inhibited” message is the final
determination, and the air carrier may not issue a boarding pass (see fig. 1).
Since January 2009, TSA has been using new high-risk lists for screening,
including two lists to identify passengers who may not be known or suspected
terrorists, but who—based on TSA’s application of threat criteria—should
receive enhanced screening, and an expanded list of known or suspected
terrorists in the TSDB. As initially implemented under the October 2008
Secure Flight Final Rule, the program matched the names of passengers
against the No Fly and Selectee List components of the TSDB. According to
the rule, comparing passenger information against the No Fly and Selectee
components of the TSDB (versus the entire TSDB) would be generally
satisfactory during normal security circumstances to counter the security
threat. The rule also provides that TSA may use the larger set of watchlists
maintained by the federal government as warranted by security considerations,
for example, if TSA learns that flights on a particular route may be subject to
an increased security risk.24 In such circumstances, TSA may decide to
compare passenger information on some or all flights on that route against the
full TSDB or other government databases, such as intelligence or law
enforcement databases.
Rules-Based Watchlists
After the December 25, 2009, attempt to detonate a concealed explosive
on board a U.S.-bound flight by an individual who was not a known or
suspected terrorist in the TSDB, TSA sought to identify ways to mitigate
unknown threats—individuals not in the TSDB for whom TSA has determined
enhanced screening would be prudent. To that end, TSA worked with CBP to
develop new lists for Secure Flight screening, and in April 2010, began using
the lists to identify and designate for enhanced screening passengers who may
represent unknown threats.25 To create these lists, TSA leveraged CBP’s
access to additional data submitted by passengers traveling internationally and
the capabilities of CBP’s Automated Targeting System-Passenger (ATS-P)—a
tool originally created and used by CBP that targets passengers arriving at or
departing the United States by comparing their information against law
enforcement, intelligence, and other enforcement data using risk-based
targeting scenarios and assessments.26 Specifically, analysts within the
Intelligence and Analysis Division of TSA’s Office of Intelligence and
Analysis review current intelligence to identify factors that may indicate an
elevated risk for a passenger. TSA creates rules based on these factors and
provides them to CBP.27 CBP then uses ATS-P to identify passengers who
correspond with the rules and provides TSA information on them in the form
of a list.28 Upon receiving the list, TSA creates another rules-based list—a
subset of the larger rules-based list—based on additional criteria. Through
Secure Flight screening, TSA designates passengers matching either rules-
based list as selectees for enhanced screening.29
May 2014, TSA officials stated the goal had been revised to identify 50
percent of airline passengers as eligible for expedited screening by the end of
calendar year 2014.34 According to officials within TSA’s Office of Chief
Counsel, TSA’s efforts to identify low-risk travelers also fulfill a stated goal of
the 2008 Secure Flight rule to implement a “known traveler” concept that
would allow the federal government to assign a unique number to known
travelers for whom the federal government had conducted a threat assessment
and determined did not pose a security threat.
However, TSA officials stated the agency has no immediate plans to use
the assessments to identify high-risk passengers beyond those already included
on watchlists.
TSA has developed processes to help ensure that individuals and their
accessible property receive a level of screening at airport checkpoints that
corresponds to the level of risk determined by Secure Flight.48 TDCs are
primarily responsible for ensuring that passengers receive the appropriate level
of screening because they are to verify passengers’ identities and identify
passengers’ screening designations. TSA requires passengers to present photo
identification and a boarding pass at the screening checkpoint.49 Using lights
and magnifiers, which allow the TDC to examine security features on the
passenger’s identification documents, the TDC is to examine the identification
and boarding pass to confirm that they appear genuine and pertain to the
passenger. The TDC is also to confirm that the data included on the boarding
pass and in the identity document match one another. According to TSA
standard operating procedures, TDCs may accept minor name variations
between the passenger’s boarding pass and identification.50 If the TDC finds
that the information on the identification varies significantly from the boarding
pass, the TDC is to refer the passenger to another TSA representative for
identity verification through TSA’s Identity Verification Call Center (IVCC).
If the passenger’s information varies from the SFPD submitted to Secure
Flight, the IVCC is to contact Secure Flight to vet the new information. If the
Our analysis of TSA information from May 2012 through February 2014
found that TSOs have made errors in implementing Secure Flight risk
determinations at the screening checkpoint.51 By evaluating the root causes of
these errors and implementing corrective measures to address those root
causes, TSA could reduce the risk posed by TSO error at the screening
checkpoint. TSA officials we spoke with at five of the nine airports conduct
after-action reviews of screening errors at the checkpoint and have used these
reviews to take action to address the root causes of those errors. However,
TSA does not have a systematic process for evaluating the root causes of
screening errors at the checkpoint across airports, which could allow TSA to
identify trends across airports and target nationwide efforts to address these
issues.
TSA OSO officials told us that evaluating the root causes of screening
errors would be helpful and could allow them to better target TSO training
efforts. In January 2014, TSA OSO officials stated that they are in the early
stages of forming a group to discuss these errors. However, TSA was not able
to provide documentation of the group’s membership, purpose, goals, time
frames, or methodology. Standards for Internal Control in the Federal
Government states that managers should compare actual performance with
expected results and analyze significant differences.52 As TSA moves forward
with its plans to form this group, it will be important for TSA to develop a
process for evaluating the root causes of screening errors at the checkpoint and
identify and implement corrective measures, as needed, to address these root
causes. Uncovering and addressing the root causes of screening errors could
help TSA reduce the number of these errors at the checkpoint.
Secure Flight has six program goals that are relevant to the results of
screening performed by the Secure Flight computer system and the program
analysts who review computer-generated matches, including the following:
To assess progress with respect to these goals, the program has nine
performance measures that it reports on externally (see app. III for the nine
Secure Flight performance measures and performance results for fiscal years
2012 and 2013).60 In addition, Secure Flight has measures for a number of
other program activities that it reports internally to program managers to keep
them apprised of program performance with respect to the goals (such as the
number of confirmed matches identified to the No Fly and Selectee Lists).61
However, Secure Flight’s performance measures do not fully assess
progress toward achieving its six program goals. For goals 1 through 4 and
goal 6, we found that while TSA measured some aspects of performance
related to these goals, it did not measure aspects of performance necessary to
determine overall progress toward the goals. In addition, for goal 5, we could
not identify any program measures that represented the type of performance
required to make progress toward achieving the goal, in part because the goal
itself did not specify how performance toward the goal should be measured.
GPRA establishes a framework for strategic planning and performance
measurement in the federal government.62 Part of that framework involves
agencies establishing quantifiable performance measures to demonstrate how
they intend to achieve their program goals and measure the extent to which
they have done so. These measures should adequately indicate progress toward
performance goals so that agencies can compare their programs’ actual results
with desired results.63 Our prior body of work has shown that measures
adequately indicate progress toward performance goals when they represent
the important dimensions of their performance goals and reflect the core
functions of their related programs or activities.64 Further, when performance
goals are not self-measuring, performance measures should translate those
goals into concrete conditions that determine what data to collect in order to
learn whether the program has made progress in achieving its goal.65
In addition, with respect to low-risk lists, TSA could measure the extent to
which the Secure Flight system correctly identifies passengers submitting
valid known traveler numbers (i.e., an actual number on a TSA Pre✓™ list)
and designates them for expedited screening.69 TSA officials have stated that
variations in the way passengers enter information when making a reservation
with a valid known traveler number can cause the system to fail to identify
them as TSA Pre✓™ eligible. For example, TSA Match Review Board
documentation from December 2012 identified that the Secure Flight system
had failed to identify participants on one TSA Pre✓™ list because they used
honorific titles (e.g., the Honorable and Senator) when making reservations,
and, as a result, they were not eligible for expedited screening. TSA has a
process in place to review and resolve inquiries from passengers who believe
they should have received TSA Pre✓™ but did not during a recent travel
experience.70 Although helpful for addressing some TSA Pre✓™-related
problems, the process does not provide information on the extent to which
TSA is correctly identifying passengers on low-risk lists, because some
passengers may not report problems.
TSA’s fourth goal (to minimize the number of passengers misidentified as
threats on high-risk lists) also addresses system accuracy. The program’s
related performance measure, its false positive rate, accounts for the number of
passengers who have been misidentified as matches to some, but not all,
high-risk lists and thus does not fully assess performance toward the related goal
(as shown above, in table 1). TSA’s false positive rate does not account for all
misidentifications, because, under the current Secure Flight process, TSA has
information on passengers misidentified to the No Fly and Selectee Lists, but
does not have information on passengers misidentified to the Expanded
Selectee or rules-based lists.71 TSA is currently implementing changes that
will allow it to collect more information about passengers misidentified to
other high-risk lists.72 This information, if factored into Secure Flight’s false
positive measure, would allow TSA to more fully assess the program’s ability
to minimize the misidentification of individuals as potential threats to aviation
security.
progress toward its goals. For example, the extent to which the Secure Flight
system is missing individuals on the No Fly, Selectee, and other high- and
low-risk lists is an important dimension of performance related to each of the
accuracy-related goals and speaks to a core function of the Secure Flight
program—namely to accurately identify passengers on lists. Without measures
that provide a more complete understanding of Secure Flight’s performance,
TSA cannot compare actual with desired results to understand how well the
system is achieving these goals. Similarly, without a measure that reflects
misidentifications to all high-risk lists, TSA cannot appropriately gauge its
performance with respect to its goal of limiting such misidentifications.
Likewise, with respect to its privacy-related goal, additional measures that
address other key points in the Secure Flight process in which passenger
records could be inappropriately accessed would allow Secure Flight to more
fully assess the extent to which it is meeting its goal of protecting passenger
information. Finally, establishing measures that clearly represent the
performance necessary to achieve the program’s goal that addresses risk-based
security capabilities (goal 5) will allow Secure Flight to determine the extent
to which it is meeting its goal of adapting the Secure Flight system for
different risk-based screening activities.
TSA does not have timely and reliable information on past Secure Flight
system matching errors. As previously discussed, preventing individuals on
the No Fly List from boarding an aircraft and identifying individuals on the
Selectee List for enhanced screening are key goals of the Secure Flight
program. Standards for Internal Control in the Federal Government states that
agencies must have relevant, reliable, and timely information to determine
whether their operations are performing as expected, and that such information
can assist agencies in taking any necessary corrective actions to achieve
relevant goals.75 According to TSA officials, when TSA receives information
related to matching errors of the Secure Flight system (i.e., the computerized
matching and manual reviews conducted to identify matches of passenger and
watchlist data), the Match Review Board reviews this information to
determine if any actions could be taken to prevent similar errors from
happening again. We reviewed meeting minutes and associated documentation
for the 51 Match Review Board meetings held from March 2010 through
August 2013, and found 16 meetings in which the Match Review Board
discussed system matching errors; investigated possible actions to address
these errors; and, when possible, implemented changes to strengthen system
performance.76
However, when we asked TSA for complete information on the extent and
causes of system matching errors, we found that TSA does not have readily
available or complete information. It took TSA over 6 months to compile a list
of such errors, a process that, according to TSA officials, required a significant
amount of manual investigation and review.77 Further, we found that the list
was not complete because it did not reflect all system errors that were
discussed at the Match Review Board meetings.78 In addition, we identified in
the list TSA provided us discussion of a system error that was not included in
the Match Review Board documentation. We also found that, for many
incidents on the list, TSA’s description of the cause of the error was not
sufficiently detailed to understand whether the Secure Flight system was at
fault.
Developing a mechanism to systematically document the number and
causes of the Secure Flight system’s matching errors would provide Secure
Flight more timely and reliable information on the extent to which the Secure
Flight system is performing as intended. TSA Match Review Board
documentation from February 2012 confirmed the importance of such
information, citing the need for more detailed information on instances when
the Secure Flight system has not performed as intended. A mechanism to
ensure that the results of Match Review Board investigations are
systematically documented would be one way to provide such information.
Furthermore, without timely and reliable information on system matching
errors, TSA is not in the best position to determine whether Secure Flight is
achieving relevant goals, investigate all potential causes of these errors, and
identify and implement sufficient corrective actions.
CONCLUSION
The Secure Flight program is one of TSA’s key tools for defending civil
aviation against terrorist threats. Since TSA began implementing the program,
in January 2009, Secure Flight has expanded from a system that matches
airline passengers against watchlists of known or suspected terrorists to a
system that uses additional high-risk lists and conducts risk-based screening
assessments of passengers. Specifically, through the use of new high-risk
concurred. DHS stated that TSA OSO’s Operations Performance Division will
evaluate the data gathered from airports through SIRT to identify root causes
of checkpoint screening errors and, on the basis of the root cause, work with
the appropriate TSA program office to implement corrective measures. Such
actions could help to reduce the likelihood that TSA will fail to appropriately
screen passengers at the screening checkpoint. Additionally, DHS concurred
with our third recommendation, that TSA develop additional measures to
address key performance aspects related to each program goal and ensure
these measures clearly identify the activities necessary to achieve progress
toward the goal. DHS stated that TSA's Office of Intelligence and Analysis
will evaluate its current Secure Flight performance goals and measures and
develop new performance measures as necessary. DHS further stated that TSA
will explore the possibility of implementing analyses to measure match
effectiveness through the use of test data sets. Such actions could help TSA
better monitor the performance of the Secure Flight program.
DHS also concurred with our fourth recommendation, that TSA develop a
mechanism to systematically document the number and causes of cases in
which TSA learns that the Secure Flight system has made a matching error.
DHS stated that TSA's Office of Intelligence and Analysis will develop a more
robust process to track all known cases in which the Secure Flight system has
made a matching error, and that the Secure Flight Match Review Board will
conduct reviews to identify potential system improvement measures on a
quarterly basis. TSA plans to implement these efforts by December 31, 2014.
These actions, if implemented effectively, should address the intent of our
recommendation. We will continue to monitor DHS’s efforts.
The Department of Justice did not have formal comments on our draft
report, but provided technical comments, which we incorporated as
appropriate.
monthly basis, and for each measure, we have provided the range of the
performance measurement results for each fiscal year.
those passengers identified as high risk receive enhanced screening and those
identified as low risk are eligible for expedited screening.8
Table 2. (Continued)
used, and stored. Specifically, the requirements allow Secure Flight to store results
for passengers not identified as a match to a government watchlist for up to 7
days, potential matches for up to 7 years, and confirmed matches for 99 years,
after which they must be purged from the system. According to Secure Flight
documentation, records for passengers identified as low risk are treated the same
as nonmatches and must be purged within 7 days. Records for passengers who
match the Expanded Selectee and rules-based lists are treated as potential matches
and must be purged within 7 years.
d
Performance results were 100 percent throughout the fiscal year.
e
Secure Flight also tracks service availability as one of its Key Performance
Parameters (see table 2).
f
Secure Flight did not meet its performance target for service availability for 2 months
during the fiscal year.
g
Performance results were 100 percent throughout fiscal year 2013.
h
Secure Flight did not meet its performance target for any month during this fiscal
year. Secure Flight officials stated that this metric is outside of the program’s
control because Secure Flight relies on air carriers to submit these data. According
to TSA officials, to improve air carrier compliance, TSA monitors carrier
submissions and works with carriers to inform them about Secure Flight data
requirements.
End Notes
1
See Pub. L. No. 108-458, § 4012(a), 118 Stat. 3638, 3714-18 (2004) (codified at 49 U.S.C. §
44903(j)(2)(C)). The 9/11 Commission, The 9/11 Commission Report: Final Report of the
National Commission on Terrorist Attacks upon the United States, (Washington, D.C.: July
2004). TSA efforts to develop a computer-assisted passenger prescreening system predated
the Intelligence Reform and Terrorism Prevention Act and the report of the 9/11
Commission.
2
The No Fly and Selectee Lists are subsets of the Terrorist Screening Database (TSDB)—the
U.S. government’s consolidated watchlist of known or suspected terrorists. Not all identities
within the TSDB are included on the No Fly and Selectee Lists; rather, to be included on
either list, individuals must meet certain criteria specific to the list.
3
In addition to passengers, Secure Flight screens certain nontraveling individuals, such as escorts
for minor, elderly, and disabled passengers; airport and aircraft operator employees; and law
enforcement officers who are authorized to access the airport’s sterile area—the portion of
an airport beyond the security screening checkpoint that provides passengers access to
boarding aircraft and to which access is generally controlled through the screening of
persons and property. See 49 C.F.R. § 1540.5. Also, Secure Flight began screening
passengers on certain flights operated by foreign air carriers overflying United States
airspace on October 24, 2012. Specifically, this includes flights over the continental United
States, which includes the contiguous lower 48 states and excludes Hawaii and Alaska, and
flights transiting the continental United States between two airports or locations in the same
country where that country is Canada or Mexico. In addition, on October 31, 2013, Secure
Flight began screening passengers traveling on certain Department of Defense flights. For
purposes of this report, the terms “commercial flight” and “commercial aircraft operators”
include the passenger operations of U.S. and foreign-flagged air carriers operating in
accordance with 49 C.F.R. §§ 1544.101(a) and 1546.101(a)-(b), respectively. These terms
correspond to “covered flight” and “covered aircraft operator,” respectively as those terms
are defined in the Secure Flight Final Rule. See 49 C.F.R. § 1560.3.
4
In 2003, TSA initiated work on developing a passenger prescreening system operated by the
federal government. At the time, passenger prescreening involved U.S. and foreign air
carriers matching passenger information against watchlists to identify passengers who
should undergo additional security scrutiny. We performed this work in accordance with
statutory mandates, beginning with the Department of Homeland Security Appropriations
Act, 2004, Pub. L. No. 108-90, § 519, 117 Stat. 1137, 1155-56 (2003), and, most recently,
the Department of Homeland Security Appropriations Act, 2009, Pub. L. No. 110-329, Div.
D, § 512, 122 Stat. 3574, 3682-83 (2008), and pursuant to the requests of various
congressional committees.
5
GAO, Aviation Security: TSA Has Completed Key Activities Associated with Implementing
Secure Flight, but Additional Actions Are Needed to Mitigate Risks, GAO-09-292
(Washington, D.C.: May 13, 2009).
6
GAO, Terrorist Watchlist: Routinely Assessing Impacts of Agency Actions since the December
25, 2009, Attempted Attack Could Help Inform Future Efforts, GAO-12-476 (Washington,
D.C.: May 31, 2012).
7
GAO-12-476. These actions addressed our 2009 recommendation.
8
GAO-09-292.
9
For purposes of this report, and unless otherwise noted, references to TSOs, which include
TDCs, include both TSA-employed screening personnel and screening personnel employed
by a private sector company contracted with TSA to perform screening services at airports
participating in TSA’s Screening Partnership Program. See 49 U.S.C. § 44920.
10
We did not evaluate the extent to which Secure Flight screening determinations for low-risk
passengers are implemented at airport security checkpoints.
11
GAO, Internal Control: Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1, 1999).
12
See generally Government Performance and Results Act of 1993 (GPRA), Pub. L. No. 103-62,
107 Stat. 285 (1993). GPRA was updated by the GPRA Modernization Act of 2010, Pub. L.
No. 111-352, 124 Stat. 3866 (2011). Although GPRA’s requirements apply at the agency
level, on the basis of our review of related GAO products, Office of Management and
Budget (OMB) guidance, and studies by the National Academy of Public Administration
and the Urban Institute, we have previously reported that these requirements can serve as
leading practices in lower levels within an organization, such as with individual programs or
initiatives. See GAO, Pipeline Safety: Management of the Office of Pipeline Safety’s
Enforcement Program Needs Further Strengthening, GAO-04-801 (Washington D.C.: Jul.
23, 2004).
13
GAO/AIMD-00-21.3.1.
14
Secure Flight Program, 73 Fed. Reg. 64,018 (Oct. 28, 2008) (codified at 49 C.F.R. pt. 1560).
15
See 49 C.F.R. § 1560.3. Aircraft operators must transmit available SFPD to Secure Flight
approximately 72 hours prior to scheduled flight departure. For reservations created within
72 hours of flight departure, covered aircraft operators must submit passenger data as soon
as they become available.
76 United States Government Accountability Office
16
Secure Flight also matches passenger data against the Centers for Disease Control and
Prevention (CDC) Do Not Board List, which includes individuals who pose a significant
health risk to other travelers and are not allowed to fly. The Do Not Board List is managed
by CDC. See app. II for information on all the lists Secure Flight uses for screening.
17
The DHS Traveler Redress Inquiry Program (DHS TRIP) administers the TSA Cleared List.
DHS established DHS TRIP in February 2007 to provide individuals, including those who
believe they have been delayed or inconvenienced during travel because they have been
wrongly identified as the subject of a watchlist record, an opportunity to be cleared. We
have ongoing work on the extent to which DHS TRIP addresses delays and inconveniences
associated with Secure Flight screening and expect to report on this work in September
2014.
18
Because of the application of other TSA security measures, such as random selection, an
individual’s presence on the Cleared List will diminish, but not preclude, the possibility of
being selected for enhanced screening. The technical term for redress number is “redress
control number.”
19
This process may also involve the Secure Flight analyst contacting the Terrorist Screening
Center for assistance in confirming or ruling out the match.
20
This section describes checkpoint screening activities as of May 2014. When Secure Flight
implementation began, in 2009, TSA did not have a program in place to identify low-risk
passengers eligible for expedited screening. We discuss more recent activities of TSA and
the Secure Flight program to identify low-risk passengers for expedited screening later in
this report.
21
Passengers who are to receive standard screening could receive expedited screening as part of
Managed Inclusion at the screening checkpoint. Under Managed Inclusion, TSA randomly
directs a certain percentage of passengers not otherwise designated that day as eligible for
expedited screening to the expedited screening lane. Additionally, passengers designated for
expedited screening may receive standard screening as part of random and unpredictable
security measures. We expect to issue a report on expedited screening, including managed
inclusion, later this year.
22
The level of screening for a passenger may change from flight to flight based on the particulars
of a flight or the individual.
23
Passengers matched to the No Fly and CDC Do Not Board Lists are considered highest risk,
and thus are not to receive boarding passes, and should not be allowed entry at airport
checkpoints.
24
Pursuant to the Intelligence Reform and Terrorism Prevention Act of 2004, TSA was to assume
performance of the passenger prescreening function of comparing passenger information
against the No Fly and Selectee Lists and utilize all appropriate records in the consolidated
and integrated terrorist watchlist maintained by the federal government in performing that
function. See 49 U.S.C. § 44903(j)(2)(C).
25
TSA uses two separate lists to address vulnerabilities exposed by the 2009 attempted attack.
Further detail about these lists has been designated sensitive information, and thus cannot be
included in a public report.
26
CBP collects additional passenger information in order to fulfill its mission of securing the
U.S. border while facilitating lawful travel and trade. See 19 C.F.R. § 122.49a(b)(3).
27
These rules are criteria used by ATS-P to create the rules-based watchlists. The Department of
Homeland Security’s Office for Civil Rights and Civil Liberties, Privacy Office, and Office
of the General Counsel are responsible for conducting quarterly reviews of these rules. The
reviews are intended to ensure the rules are based on current intelligence identifying
specific potential threats; are deactivated when no longer necessary to address those threats;
are appropriately tailored to minimize the impact upon bona fide travelers’ civil rights, civil
liberties, and privacy; and are in compliance with relevant legal authorities, regulations, and
DHS policies.
28
According to TSA officials, individuals remain on the list for the time required to cover the
scheduled travel.
29
According to officials within TSA’s Office of Chief Counsel, Secure Flight’s use of rules-
based watchlists is consistent with conducting watchlist matching under the “larger set of
watchlists maintained by the Federal government as warranted by security considerations”
as explained in the Secure Flight Final Rule, and nothing in statute or regulation prevents
TSA from using non-TSDB-derived watchlists citing, among other provisions, 49 U.S.C. §§
114 and 44903(j)(2)(C).
30
According to TSA officials, the entire TSDB is not used for Secure Flight screening because
records with partial data (i.e., without first name, surname, and date of birth) could result in
a significant increase in the number of passengers misidentified as being on the watchlist
and cause unwarranted delay or inconvenience to travelers.
31
All TSDB-based watchlists utilized by the Secure Flight program contain records determined
to have met the reasonable suspicion standard. In general, to meet the reasonable suspicion
standard, the agency nominating an individual for inclusion in the TSDB must consider the
totality of information available that, taken together with rational inferences from that
information, reasonably warrants a determination that an individual is known or suspected
to be or have been knowingly engaged in conduct constituting, in preparation for, in aid of,
or related to terrorism or terrorist activities. As previously discussed, to be included on the
No Fly and Selectee Lists, individuals must meet criteria specific to these lists. The TSDB,
which is the U.S. government’s consolidated watchlist of known or suspected terrorists, also
contains records on additional populations of individuals that do not meet the reasonable
suspicion standard articulated above that other federal agencies utilize to support their
border and immigration screening missions.
32
Secure Flight also randomly identifies passengers as selectees for enhanced screening.
33
When TSA, through Secure Flight, determines that a passenger is eligible for expedited
screening, the passenger’s boarding pass is encoded so that he or she is routed to the proper
screening lane.
34
TSA also tracks the number of passengers who receive expedited screening.
35
We expect to issue a report on TSA’s Pre✓™ program later this year.
36
Individuals on the TSA Pre✓™ lists receive Known Traveler Numbers that they must submit
when making travel reservations to be identified as low-risk. See 49 C.F.R. § 1560.3
(defining “Known Traveler Number”). TSA also refers to these lists as Known Traveler
lists.
37
The three CBP Trusted Traveler programs are NEXUS, SENTRI, and Global Entry. See GAO,
Trusted Travelers: Programs Provide Benefits but Enrollment Processes Could Be
Strengthened, GAO-14-483 (Washington, D.C.: May 30, 2014).
38
As of March 2014, the TSA Pre✓™ list for the U.S. armed forces included eligible members of
the Army, Navy, Marine Corps, Air Force, and Coast Guard.
39
According to TSA officials, per these agreements, agencies are to maintain the lists by ensuring
that individuals continue to meet the criteria for inclusion and to update the lists as needed.
We did not review the extent to which agencies are maintaining the lists.
40
TSA leveraged existing federal capabilities to both enroll and conduct background checks for
program applicants. For example, for the TSA Pre✓™ Application Program, TSA is using
49
In November 2007, in addition to allowing paper boarding passes, TSA began allowing air
carriers to issue mobile boarding passes, which, for example, passengers may download to
their cell phones.
50
These variations are identified in the TDC standard operating procedures.
51
The details of these screening errors are considered sensitive information.
52
GAO/AIMD-00-21.3.1.
53
Statement of Kelly Hoggan, Assistant Administrator, TSA Office of Security Capabilities,
before the House Committee on Homeland Security, Subcommittee on Transportation
Security, June 19, 2012.
54
See, e.g., 49 C.F.R. § 1540.107(c) (prohibiting, in general, an individual from entering a sterile
area or boarding an aircraft if the individual does not present a verifying identity document
when requested for purposes of watchlist matching).
55
GAO-09-292.
56
GAO, Aviation Security: Status of TSA’s Acquisition of Technology for Screening Passenger
Identification and Boarding Passes, GAO-12-826T (Washington, D.C.: June 19, 2012).
57
Boarding pass scanners also indicate when a passenger is eligible for expedited screening
through TSA Pre✓™.
58
TSA initially used boarding pass scanners provided and owned by airlines to scan TSA Pre✓™
and mobile boarding passes. According to TSA officials, as these airline-owned scanners
become inoperable, TSA plans to phase them out and replace them with TSA-owned
scanners.
59
GAO-12-826T.
60
Secure Flight program management reports externally (to DHS and the Office of Management
and Budget (OMB)) on nine measures. Specifically, Secure Flight reports to DHS on six
Key Performance Parameters, which are key system capabilities that must be met for a
system to meet its operational goals. In addition, Secure Flight reports on five measures to
OMB as part of its yearly exhibit 300, also called the Capital Asset Plan and Business
Case—a document that agencies submit to OMB to justify resource requests for major
information technology (IT) investments. Two of the Key Performance Parameters and
OMB measures are the same; therefore, the program reports externally on nine distinct
measures.
61
The measures are contained on the Secure Flight Executive Dashboard, a compilation of data
capturing various aspects of Secure Flight’s operations on a weekly, monthly, and year-to-
date basis.
62
Government Performance and Results Act of 1993, Pub. L. No. 103-62, 107 Stat. 285 (1993).
GPRA was updated by the GPRA Modernization Act of 2010, Pub. L. No. 111-352, 124
Stat. 3866 (2011).
63
GAO, Agencies’ Annual Performance Plans under the Results Act: An Assessment Guide to
Facilitate Congressional Decisionmaking, GAO/GGD/AIMD-10.1.18 (Washington, D.C.:
February 1998), and The Results Act: An Evaluator’s Guide to Assessing Agency Annual
Performance Plans, GAO/GGD-10.1.20 (Washington, D.C.: April 1998).
64
GAO/GGD-10.1.20.
65
GAO/GGD-10.1.20.
66
Further details on the challenges TSA faces in identifying when Secure Flight may miss
individuals on lists are sensitive information and therefore could not be included in a public
report.
67
GAO-09-292.
68
These passenger data are available to Secure Flight for testing purposes because the system
retains passenger data and the results of Secure Flight matches in the system for up to 7
days after completion of the passenger’s directional travel. After 7 days, all data for
passengers not identified as matches to a high-risk watchlist must be expunged from the
system.
69
Valid Known Traveler Numbers are those that appear on TSA Pre✓™ program lists of
passengers eligible for expedited screening.
70
The process involves TSA’s Contact Center, which is staffed with personnel to answer
passenger questions or accept passenger feedback about travel-related security screening.
Specifically, when passengers submit oral or written feedback that involves failure to
receive TSA Pre✓™ screening, a Contact Center representative is to forward this
information to Secure Flight. Secure Flight staff investigate these cases to identify and, if
necessary, address factors that caused the passenger not to receive TSA Pre✓™ status, such
as, for example, mistyping the known travel number or other personal information when
making a reservation.
71
A more detailed explanation of why Secure Flight does not have this information is considered
sensitive information and therefore could not be included in a public report.
72
According to TSA officials, as of June 2014, Secure Flight had not obtained authorization for
additional staff that would be necessary to obtain additional information on
misidentifications; therefore, officials were unable to provide a time frame for when these
requirements would be implemented.
73
The Secure Flight system availability measure—a Key Performance Parameter and an OMB
300 Measure—tracks the total amount of time the Secure Flight system (within Secure
Flight bounds) is available for matching activities. Secure Flight’s false positive measure
was discussed previously. All Secure Flight measures are defined in app. III.
74
These requirements allow Secure Flight to retain Secure Flight matching results for passengers
not identified as a match to a government watchlist for up to 7 days, potential matches for
up to 7 years, and confirmed matches for up to 99 years, after which they must be purged
from the system. According to Secure Flight documentation, records for passengers
identified as low risk (either because they match one of the low-risk TSA Pre✓™ Lists or
because they were identified as low risk through Secure Flight’s flight-by-flight
assessments) are treated the same as nonmatches and must be purged within 7 days.
Records for passengers who match other watchlists are treated as potential matches and
must be purged within 7 years.
75
GAO/AIMD-00-21.3.1.
76
We requested documentation for all meetings of the Match Review Board since its
implementation in March 2010 through fiscal year 2013, and TSA provided documentation
pertaining to 51 meetings. The documentation distributed for meetings included meeting
minutes and Power Point slides. The Power Point slides contained detailed information
(such as the results of analyses or the status of ongoing work) pertaining to meeting agenda
items. More detailed information on performance issues discussed in the meetings is
considered sensitive information and cannot be included in a public report.
77
Information on the time frames of our request and the number of system matching errors TSA
identified is considered sensitive information and cannot be included in a public report.
78
These cases were ones in which the Match Review Board documentation contained sufficient
identifying information about Secure Flight system matching errors to allow us to determine
it was not included on the list TSA provided us.
2
See 49 C.F.R. § 1560.3. Aircraft operators must transmit available SFPD to Secure Flight
approximately 72 hours prior to scheduled flight departure. For reservations created within
72 hours of flight departure, covered aircraft operators must submit passenger data as soon
as they become available.
3
The lists Secure Flight uses to identify high-risk passengers include the No Fly, Selectee, and
Expanded Selectee Lists, which are subsets derived from the Terrorist Screening Database,
the U.S. government’s consolidated watchlist of known or suspected terrorists that is
maintained by the Terrorist Screening Center, a multiagency organization administered by
the Federal Bureau of Investigation. The lists Secure Flight uses to identify low-risk
passengers are associated with the TSA Pre✓™ Program, a 2011 initiative that allows TSA
to designate preapproved passengers as low risk. In addition, the system uses passenger data
to perform TSA Pre✓™ risk assessments to identify travelers as low risk for a specific
flight.
4
The DHS Traveler Redress Inquiry Program (DHS TRIP) administers the TSA Cleared List.
DHS established DHS TRIP in February 2007 to provide individuals, including those who
believe they have been delayed or inconvenienced during travel because they have been
wrongly identified as the subject of a watchlist record, an opportunity to be cleared. We
plan to report later this year on Secure Flight-related redress issues.
5
Because of the application of other TSA security measures, such as random selection, an
individual’s presence on the Cleared List will likely diminish, but not preclude, the
possibility of being selected for enhanced screening. The technical term for redress number
is “redress control number.”
6
This process may also involve the Secure Flight analyst contacting the Terrorist Screening
Center for assistance in confirming or ruling out the match. The Secure Flight Operations
Center (SOC) serves as a centralized point for handling the manual review of potential
matches, resolving potential matches at the airport, and answering general air carrier
questions.
7
See 49 C.F.R. § 1560.105(b).
8
Standard screening typically includes a walk-through metal detector or Advanced Imaging
Technology screening, which identifies objects or anomalies concealed under clothing, and
X-ray screening for the passenger’s accessible property. In the event a walk-through metal
detector triggers an alarm or the Advanced Imaging Technology identifies an anomaly or
suspicious item, additional security measures—such as pat-downs, explosives trace
detection searches (which involve a device certified by TSA to detect explosive particles),
or additional physical searches—may ensue as part of the resolution process. Enhanced
screening includes, in addition to the procedures applied during a typical standard screening
experience, a pat-down and an explosives trace detection search or physical search of the
interior of the passenger’s accessible property, electronics, and footwear. Expedited
screening typically includes walk-through metal detector screening and X-ray screening of
the passenger’s accessible property, but unlike in standard screening, travelers do not have
to, among other things, remove their belts, shoes, or light outerwear. Passengers with
boarding passes that are not marked for enhanced or expedited screening receive standard
screening, unless otherwise identified by TSA for enhanced or expedited screening through
the application of random and unpredictable security measures at the screening checkpoint.
In: Secure Flight Program ISBN: 978-1-63463-643-8
Editor: Hellen E. Spear © 2015 Nova Science Publishers, Inc.
Chapter 3
*
This is an edited, reformatted and augmented version of a United States Government
Accountability Office publication, No. GAO-14-647, dated September 2014.
ABBREVIATIONS
CBP U.S. Customs and Border Protection
CDC Centers for Disease Control and Prevention
DHS Department of Homeland Security
FBI Federal Bureau of Investigation
FIPPs Fair Information Practices Principles
OIA Office of Intelligence and Analysis
OMB Office of Management and Budget
PIA Privacy Impact Assessment
PII personally identifiable information
RMS Redress Management System
SFPD Secure Flight Passenger Data
***
September 9, 2014
among other things, ensure that PII maintained by the Secure Flight system
(such as passenger name and date of birth) is properly collected, used, and
stored. We also reported that TSA planned to use the redress process managed
by DHS TRIP to assist passengers who may have been adversely affected by
Secure Flight screening.8
In light of our prior work, you asked us to report upon the effectiveness of
TSA’s efforts to address Secure Flight system performance, privacy
protections, and redress.
In July 2014, we issued a sensitive security information/law enforcement
sensitive report on the performance of the Secure Flight program, including
how the program has changed since implementation began in 2009, the extent
to which Secure Flight vetting results are fully implemented at airport security
checkpoints, and the extent to which TSA’s performance measures
appropriately assess progress toward achieving the Secure Flight program
goals.9
This report addresses the following two questions:
April 2014, and Secure Flight’s Privacy Issue Tracker. We assessed these
documents against Standards for Internal Control in the Federal
Government.12 To clarify our understanding of Secure Flight’s privacy
requirements and the mechanisms for monitoring compliance with these
requirements, we reviewed key TSA documents that provide information on
Secure Flight privacy requirements, such as management directives, the
Secure Flight Privacy Rules of Behavior, and Secure Flight System of Records
Notices and Privacy Impact Assessments, and interviewed Secure Flight
privacy officials and a representative of the contract staff who are responsible
for monitoring compliance with these requirements.
To answer our second question, we reviewed DHS TRIP standard
operating procedures and other documentation related to the redress process,
such as the standard letters DHS sends to redress applicants. To identify the
outcomes of the DHS TRIP redress process, we reviewed relevant DHS TRIP
data for fiscal years 2011 through 2013 on the number of travelers who
applied for redress and the number of redress cases DHS TRIP forwarded to
the Terrorist Screening Center (TSC)—a multi-agency organization
administered by the Federal Bureau of Investigation (FBI)—for review. We
also reviewed TSC data on the extent to which redress applications resulted in
individuals being delisted from certain watchlists, meaning that they were
removed from a watchlist because TSC determined that they did not meet
current criteria for inclusion on that watchlist. To determine the extent to
which DHS TRIP is meeting performance goals for the redress process, we
reviewed DHS TRIP performance data. Additionally, to determine the extent
to which DHS TRIP is meeting its performance goal for processing appeals
cases, we calculated the average processing time for 49 closed appeals cases
DHS TRIP received during fiscal years 2011 through 2013, using DHS TRIP
data, and compared this average with the goal. To assess the reliability of DHS
TRIP redress and appeals data, we examined documentation about these data,
interviewed knowledgeable officials, and reviewed the data for obvious errors
and inconsistencies. To further assess the reliability of the appeals data used to
calculate average processing times, we compared the DHS TRIP data with
data on appeals cases maintained by TSC, which reviews and makes
recommendations on appeals, and followed up on any discrepancies. Although
there were some discrepancies, we determined that the data were sufficiently
reliable for the purpose of comparison to the performance goal. To better
understand redress and appeals procedures and DHS TRIP’s efforts to reduce
processing time, we interviewed DHS TRIP and TSC officials. To better
understand TSA’s attempts to assist individuals for whom the DHS TRIP
BACKGROUND
The Secure Flight program, as implemented pursuant to the 2008 Secure
Flight Final Rule, requires commercial aircraft operators traveling to, from,
within, or overflying the United States to collect information from passengers
and transmit that information electronically to TSA.13 This information,
known collectively as Secure Flight Passenger Data (SFPD), includes PII,
including full name, gender, date of birth, passport information, and certain
non-personally identifiable information provided by the airline, such as
itinerary information and the unique number associated with a travel record
(record number locator).14
The Secure Flight program uses SFPD to screen passengers and assign
them a risk category: high risk, low risk, or unknown risk. Table 1 describes
Secure Flight’s primary screening activities.
Secure Flight screening against watchlists involves the automated
comparison of SFPD and list data and a manual review process by Secure
Flight analysts of all passengers identified by the system as potential matches.
Air carriers may not issue a boarding pass to a passenger who is a potential
match to the No Fly or Selectee lists until they receive from Secure Flight a
final determination on how the passenger will be screened at the checkpoint if
provided a boarding pass.
These determinations include a “TSA Pre✓™ eligible” message for
passengers who may receive expedited screening; a “cleared” message for
passengers found not to match any high or low-risk list and who, therefore,
will receive standard screening; and a “selectee” message for passengers who
are to be selected for additional screening.15 For passengers matching the No
Fly List, the air carrier may not issue a boarding pass.
Table 1. (Continued)
inclusion in the TSDB must consider the totality of information available that,
taken together with rational inferences from that information, reasonably warrants
a determination that an individual is known or suspected to be or have been
knowingly engaged in conduct constituting, in preparation for, in aid of, or related
to terrorism or terrorist activities. As previously discussed, to be included on the
No Fly and Selectee Lists, individuals must meet criteria specific to these lists.
The TSDB, which is the U.S. government’s consolidated watchlist of known or
suspected terrorists, also contains records on additional populations of individuals
that do not meet the reasonable suspicion standard articulated above, but that other
federal agencies utilize to support their border and immigration screening
missions. In addition, according to TSA officials, Secure Flight does not utilize all
terrorist records in the TSDB because records with partial data (i.e., without first
name, surname, and date of birth) could result in a significant increase in the
number of passengers misidentified as being on the watchlist and potentially cause
unwarranted delay or inconvenience to travelers.
c
Individuals on all low-risk lists receive a Known Traveler Number that they must
submit when making travel reservations to be identified as low-risk. See 49 C.F.R.
§ 1560.3 (defining “Known Traveler Number”). TSA also refers to these lists as
Known Traveler lists.
Since our May 2009 report, TSA has made progress in implementing
some of these privacy oversight mechanisms, although more work remains to
fully implement them. Overall, the Secure Flight privacy team, composed of
TSA’s Privacy Officer, the designated Secure Flight program privacy officer,
TSA’s Office of the Chief Counsel, and dedicated contract staff, has worked
closely with the DHS Privacy Office to ensure periodic consultation on
program plans and operations that may have privacy implications.23 The
publication of revised PIAs and SORNs to address the changes in the Secure
Flight program, such as the use of rules-based high-risk lists and TSA Pre✓™
risk assessments, is evidence of this consultation process. TSA issued Secure
Flight Privacy Rules of Behavior in September 2008 that set forth the practices
staff (including federal employees, contractors, and other persons authorized
to access or use SFPD) should follow in accessing, using, maintaining or
collecting Secure Flight PII. According to TSA officials, in 2013, TSA
initiated a review of the rules of behavior to ensure that they still align with
current Secure Flight directives and practices, which have changed since the
rules of behavior were first issued in 2008. In May 2014, TSA officials stated
that they are in the final stages of developing an updated version of the Privacy
Rules of Behavior. In December 2013, TSA also issued a management
directive discussing TSA’s policy for responding to requests for Secure Flight
data by TSA employees and other agencies. Secure Flight also maintains audit
logs of Secure Flight system and user events, as it planned to do in 2009.
Specifically, TSA maintains logs of
TSA has developed and implemented basic and advanced privacy training
that, according to TSA officials, is required for all new Secure Flight staff.24 In
addition, all DHS staff are required to complete annual DHS privacy training,
which discusses the importance of safeguarding PII. However, Secure Flight
staff do not receive job-specific privacy refresher training after they complete
the initial Secure Flight training. OMB requires agencies to train employees on
their privacy and security responsibilities before permitting access to agency
information and information systems, and thereafter to provide at least annual
refresher training to ensure employees continue to understand their
responsibilities.25 The OMB memorandum also states that this refresher
training must be job-specific and commensurate with the employee’s
responsibilities. TSA officials stated that the annual DHS privacy training
serves as refresher training for Secure Flight staff. However, DHS’s annual
refresher training is not job-specific and does not reflect the unique privacy
requirements of the Secure Flight program. For example, the DHS training
provides a general overview of privacy requirements Department-wide, but
does not provide information on the unique privacy risks of the Secure Flight
program, such as the potential misuse or unauthorized disclosure of airline
passenger data.
Furthermore, the Secure Flight program has expanded from a program that
solely identifies high-risk passengers on the No Fly and Selectee Lists to one
that also identifies additional high-risk passengers using other records in the
TSDB and through rules-based high-risk lists, as well as low-risk passengers.
TSA’s PIAs for these new screening activities discuss new privacy risks
unique to these activities. For example, Secure Flight’s September 2013 PIA
update discusses the importance of restricting the use and dissemination of
TSA Pre✓™ lists in order to mitigate the risk associated with collecting and
storing information on low-risk travelers. TSA officials told us that TSA
updated its privacy training for new Secure Flight staff in December 2013 to
reflect Secure Flight’s updated PIAs and SORNs. However, because the DHS
privacy refresher training is not job-specific, staff who joined Secure Flight
prior to December 2013, when TSA updated its privacy training for new staff,
may not have received privacy training specific to Secure Flight’s new
screening activities. Our assessment guide for reviewing training and
development efforts in the federal government states that changes, such as new
initiatives, technological innovations, or reorganizations and restructuring, will
likely require agencies to develop new or revised training programs, and that
agencies should have a formal process for incorporating these strategic and
tactical changes to ensure that new and revised training efforts are quickly
brought on line.26 Providing at least annual job-specific privacy refresher
training, consistent with OMB requirements, could further strengthen Secure
Flight’s protection of PII.
passengers from screening against the lists. These procedures could assist
those misidentified as a result of Secure Flight screening and may result in
TSA removing passengers from the lists.39 By removing individuals from
rules-based lists, TSA ensures that passengers who are misidentified to those
individuals will no longer be identified as a match, and thus delayed or
inconvenienced as a result. In certain circumstances, TSA also reviews
questionable matches to the rules-based lists to determine whether individuals
on the list should be removed. According to TSA officials, starting in 2012,
TSA’s Office of Intelligence and Analysis (OIA) began monitoring the
number of questionable matches to the list. According to TSA officials, the
rate of questionable matches is less than 1 percent of all matches to the list for
April 2012 through May 2014. TSA officials stated that the TSA Intelligence
Analysis Division manually reviews these questionable matches and removes
individuals from the list who have been erroneously included on the list. By
removing these individuals from the list, TSA ensures that passengers will no
longer be erroneously matched to them, and thus delayed or inconvenienced as
a result. However, according to TSA officials, TSA’s effort to identify and
remove questionable matches does not address all possible misidentifications
to the rules-based list. For example, TSA officials stated they do not review
some matches because TSA does not have additional information about those
passengers—beyond that included in the SFPD—that would be necessary to
determine whether the passenger was actually misidentified to the rules-based
high-risk list.
In fiscal year 2013, DHS TRIP officials began working to reduce overall
processing time and the backlog of redress and appeals cases. As described
previously, the DHS TRIP redress process involves adding applicants found
not to be individuals on a TSDB-based list to the TSA Cleared List. At the
conclusion of the redress process, certain individuals who apply to DHS TRIP
receive a letter informing them there has been no change to their record and
providing instructions on how to appeal the decision.40 This additional
process—known as the appeals process— involves an additional set of
activities carried out by the appellant (the redress applicant submitting the
appeal), DHS TRIP, and TSC. The process begins when the appellant files the
appeal, and DHS TRIP forwards all completed appeals paperwork to TSC, as
shown in figure 1. Once TSC receives the documentation, TSC analysts are to
review all derogatory information maintained on the appellant to make a
written recommendation to TSA on the appeal.41 TSA then reviews TSC’s
recommendation through its own internal process, which can include going
back to TSC for additional information, before the TSA Administrator makes
the final determination to uphold the appellant’s status, recommend that TSC
downgrade the appellant to another TSDB-based list, or recommend that TSC
remove the appellant from the list.42
Redress Process
With respect to the redress process, DHS TRIP officials took several steps
in fiscal year 2013 to reduce the overall processing time and a backlog of
redress cases. First, in fiscal year 2013, DHS automated its response to DHS
TRIP applicants, a step that, according to DHS TRIP, should reduce the initial
response time from 3 days to 1 day. Second, DHS hired additional staff for
DHS TRIP, achieving its authorized staffing level of 11 full-time positions.
Third, in January 2013, DHS TRIP implemented and began training staff on a
Appeals Process
DHS also took action in fiscal year 2013 to address timeframes associated
with the appeals process. Appeals applicants receive a letter stating that DHS
will provide a final agency decision on the appeal within 60 days of receipt of
the appeal. However, the average total processing time for the appeals process
for fiscal years 2011 through 2013 was 276 days, as shown in table 2.
In fiscal year 2013, DHS TRIP began taking several actions to make the
appeals process more structured and reduce the overall review time. To
provide a more structured appeals process, DHS TRIP took the following
steps:
CONCLUSION
The Secure Flight program is one of TSA’s key tools for defending
commercial flights against terrorist threats. However, because the program
relies on sensitive information, including personally identifiable information
from the approximately 2 million people Secure Flight screens each day,
privacy incidents and inappropriate disclosures could have significant negative
impacts on the traveling public. Since TSA began implementing Secure Flight,
in 2009, the program has made significant progress in addressing privacy
protections. TSA could further strengthen these protections by providing job-
specific privacy refresher training consistent with OMB requirements.
Furthermore, developing a mechanism to comprehensively document and
track key Secure Flight privacy-related issues and decisions could help TSA
ensure that its oversight of privacy protections is effective and that the
decisions that have allowed it to successfully avoid privacy incidents to date
are carried into the future. DHS TRIP and TSC have also made progress in
addressing Secure Flight misidentifications to TSDB-based lists, and their
planned actions for reducing redress and appeals case-processing time could
further improve the redress process. It will be important for DHS TRIP to
conduct its assessments of performance data as planned to determine whether
further changes to the appeals process, such as changes to the time frames
presented in DHS’s appeals letter, are warranted.
AGENCY COMMENTS
We provided a draft of this report to DHS and the Department of Justice
for their review and comment. DHS provided written comments on July 17,
2014, which are summarized below. DHS concurred with both of our two
Jennifer A. Grover
Director
Homeland Security and Justice Issues
End Notes
1
PII is any information that permits the identity of an individual to be directly or indirectly
inferred, including other information that is linked or linkable to an individual. See
Department of Homeland Security, Privacy Policy and Compliance, DHS Instruction 047-
01-001 (Washington, D.C.: July 25, 2011).
2
See Pub. L. No. 108-458, § 4012(a), 118 Stat. 3638, 3714-18 (2004) (codified at 49 U.S.C. §
44903(j)(2)(C)). The 9/11 Commission, The 9/11 Commission Report: Final Report of the
National Commission on Terrorist Attacks upon the United States, July 2004. TSA efforts
to develop a computer-assisted passenger prescreening system predated the Intelligence
Reform and Terrorism Prevention Act and the report of the 9/11 Commission.
3
TSA began implementing Secure Flight pursuant to the Secure Flight Program Final Rule,
issued in October 2008. See 73 Fed. Reg. 64,018 (Oct. 28, 2008).
4
Secure Flight screens certain non-traveling individuals, such as escorts for minor, elderly, and
disabled passengers, who are authorized to access the airport’s sterile area—the portion of
an airport defined in the airport security program that provides passengers access to
boarding aircraft and to which access is generally controlled through the screening of
persons and property. See 49 C.F.R. § 1540.5. Secure Flight began screening passengers on
certain flights operated by foreign air carriers overflying the continental United States
(excluding Alaska and Hawaii) on October 24, 2012. For purposes of this report, the term
“commercial flight” encompasses all air carrier operations covered by and subject to the
Secure Flight Final Rule. See 49 C.F.R. § 1560.3 (defining “covered flight” for purposes of
the Secure Flight Program).
5
GAO has performed this work in accordance with statutory mandates, beginning with the
Department of Homeland Security Appropriations Act, 2004, Pub. L. No. 108-90, § 519,
117 Stat. 1137, 1155-56 (2003), and, most recently, the Department of Homeland Security
Appropriations Act, 2009, Pub. L. No. 110-329, Div. D, § 512, 122 Stat. 3574, 3682-83
(2008), and pursuant to the requests of various congressional committees.
6
GAO, Aviation Security: Secure Flight Development and Testing Under Way, but Risks Should
Be Managed as System Is Further Developed, GAO-05-356 (Washington, D.C.: Mar. 28,
2005); Aviation Security: Significant Management Challenges May Adversely Affect
Implementation of the Transportation Security Administration’s Secure Flight Program,
GAO-06-374T (Washington, D.C.: Feb. 9, 2006); Aviation Security: Management
Challenges Remain for the Transportation Security Administration’s Secure Flight
Program, GAO-06-864T (Washington, D.C.: June 14, 2006); Aviation Security:
Transportation Security Administration Has Strengthened Planning to Guide Investments in
Key Aviation Security Programs, but More Work Remains, GAO-08-456T (Washington,
D.C.: Feb. 28, 2008).
7
GAO, Aviation Security: TSA Has Completed Key Activities Associated with Implementing
Secure Flight, but Additional Actions Are Needed to Mitigate Risks, GAO-09-292
(Washington, D.C.: May 13, 2009).
8
DHS TRIP is a single point of contact for individuals who have inquiries or seek resolution
regarding difficulties they experienced during their travel screening at transportation hubs—
like airports and train stations—or crossing U.S. borders, including inspection problems at
ports of entry and situations where travelers believe they have been unfairly or incorrectly
delayed, denied boarding, or identified for additional screening or inspection at our nation’s
transportation hubs. While serving as the point of contact for the receipt, tracking, and
response to redress applications, DHS TRIP refers cases to the appropriate agency for
review and adjudication.
9
We did not assess the extent to which Secure Flight vetting results for low-risk passengers are
implemented at checkpoints.
10
GAO-09-292.
11
GAO, Human Capital: A Guide for Assessing Strategic Training and Development Efforts in
the Federal Government, GAO-04-546G (Washington, D.C.: March 2004). The guide
summarizes elements of effective training programs and presents related questions on the
components of the training and development process in four broad, interrelated components:
23
According to TSA officials, the Secure Flight program privacy officer also currently serves as
the Secure Flight program manager, and is therefore well-informed about Secure Flight
operations and well-positioned to implement privacy decisions.
24
The basic training course covers practices for the collection, use, and safeguarding of PII. The
advanced training addresses the additional privacy responsibilities required of Secure Flight
Operations Center analysts—who work independently and with air carriers to resolve
system matching results and thus deal extensively with passenger PII—and information
technology staff for the use, sharing, protection, retention, and destruction of PII.
25
Office of Management and Budget, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information, OMB Memorandum M-07-16 (Washington, D.C.:
2007).
26
GAO-04-546G.
27
There was a 2-month period in 2012 when the automated purge reports were inoperable
because the generation of these reports was slowing overall Secure Flight system
performance and causing instability in the Secure Flight system. During this period, TSA
was unable to validate that purges of passenger PII were occurring in accordance with the
agreed-upon schedules. Once a fix was implemented, TSA was able to review the purge
reports retroactively and confirm that there were no purge violations.
28
Both reports concluded that upon approval and publication of the updated privacy impact
assessment and system of records notice, there would be no privacy concerns with the
release of the new software.
29
DHS defines “privacy incident” as “the loss of control, compromise, unauthorized disclosure,
unauthorized acquisition, unauthorized access, or any similar term referring to situations
where persons other than authorized users, have access or potential access to PII in usable
form, whether physical or electronic, or where authorized users access PII for an
unauthorized purpose. The term encompasses both suspected and confirmed incidents
involving PII which raise a reasonable risk of harm.”
30
TSA Secure Flight and privacy officials also stated that there has not been any unauthorized
access of PII, unauthorized PII collection, breaches of data-sharing agreements, or phishing
or social engineering.
31
GAO/AIMD-00-21.3.1.
32
Because of the application of other TSA security measures, such as random selection, an
individual’s presence on the Cleared List may diminish, but will not preclude, the
possibility of being selected for enhanced screening.
33
During the pendency of this review, various courts have issued decisions relating to the No Fly
List and DHS TRIP. For example, in January 2014, a judge of the U.S. District Court for the
Northern District of California issued a findings of fact, conclusions of law, and order for
relief in the case of Ibrahim v. Dep’t of Homeland Security, No. C 06-00545 WHA (N.D.
Cal. Jan 14, 2014) (redacted). Specifically, the court found that in this matter, which
involved facts dating back to 2004, the plaintiff had been placed on the No Fly List as a
result of an FBI agent’s human error and that, among other things, the redress response
letter provided to plaintiff by the redress program in place prior to the establishment of DHS
TRIP was inadequate at the time because the response was vague and “fell short of
providing any assurance to [the Plaintiff]...that the mistake had been traced down in all its
forms and venues and corrected.” In June 2014, a judge of the U.S. District Court for the
District of Oregon issued an opinion and order concluding, among other things, that because
DHS TRIP procedures do not afford individuals the requirements of due process in so much
as it does not provide them with notice regarding their status on the No Fly List and the
reasons for placement on the list, “the absence of any meaningful procedures to afford
Plaintiffs the opportunity to contest their placement on the No Fly List violates Plaintiffs’
rights to procedural due process.” See Latif v. Holder, No. 3:10-cv-00750-BR (D. Or. June
24, 2014). Our review focused on the procedures and data relating to implementation of the
DHS TRIP redress and appeals processes and did not evaluate DHS TRIP on sufficiency of
procedural due process grounds.
34
As of February 2014, Secure Flight officials were not aware of any passengers who have been
misidentified to the CDC Do Not Board List. DHS TRIP officials stated that any inquiries
related to the CDC Do Not Board List are forwarded to CDC for adjudication. Secure Flight
officials were also unaware of any misidentifications to the TSA Pre✓™ Disqualification
List. A person misidentified to the TSA Pre✓™ Disqualification List would be precluded
from receiving the benefit of expedited screening, but would not be subjected to enhanced
screening as a result of this misidentification. According to Secure Flight officials, Secure
Flight is not developing a redress process for the TSA Pre✓™ Disqualification List because
the matching algorithm for the list was designed in such a way as to ensure minimal risk of
misidentification. According to TSA officials, TSA also has a process for responding to
individuals who have questions about their TSA Pre✓™ status and individuals who TSA has
disqualified from TSA Pre✓™ eligibility who want to request that TSA reconsider its
decision.
35
To experience the benefit of being on the TSA Cleared List, passengers must submit their full
name and date of birth, as provided to DHS TRIP, in addition to their redress control
number when making a reservation.
36
TSC conducts the review to determine whether the individual meets the criteria for inclusion
on a TSDB-derived watchlist in accordance with TSC’s standard operating procedures for
redress.
37
DHS TRIP forwards all redress applicants matching the No Fly, Selectee, or Expanded
Selectee List to TSC, on behalf of TSA (the screening agency). Other federal entities with a
redress function, such as the Department of State or U.S. Customs and Border Protection,
conduct their own investigations of DHS TRIP applications involving their screening
activities.
38
TSC does not keep data on the number of DHS TRIP applications it reviews by agency;
therefore, the 2,058 DHS TRIP applications TSC reviewed over fiscal years 2011 through
2013 could include applications forwarded to TSC from other screening agencies.
Furthermore, according to TSC, because of the time frames associated with TSC’s review
process, the total number of TSA-related cases TSC reviewed during fiscal years 2011
through 2013 is less than the number of those forwarded to it by TSA.
39
The details of these procedures are considered sensitive security information.
40
These individuals then have 30 days from the receipt of the decision to submit an appeal, after
which, failure to file an appeal will result in the decision becoming a final agency decision.
41
According to TSC officials, analysts within TSC’s Redress Unit conduct the initial review for a
redress application; analysts within TSC’s Office of Intelligence and Analysis conduct
reviews for all appeals. According to TSC officials, analysts in both offices follow the same
procedures to conduct these reviews.
42
TSC, in the course of its review, may also find the appellant was misidentified to a TSDB-
based list.
43
DHS TRIP is also planning to implement two customer feedback surveys. The first survey,
which will be administered at the time an individual is applying for redress, will solicit
applicants’ views on their experience during the DHS TRIP process. The second survey,
which will be administered 90 days after the final agency decision letter is provided, will
gather information on passenger experiences using the redress control number. As of July
2014, both surveys were under review by OMB. According to DHS officials, the program
plans to begin administering the survey as soon as OMB completes its review.
44
This performance target is used to measure DHS’s progress in meeting one of the department’s
three priority goals—to strengthen aviation security counterterrorism capabilities by using
intelligence-driven information and risk-based decisions. DHS TRIP revised the
performance target for TSA-only redress cases, that is, cases that do not involve any other
DHS components, from an average total processing time of 43 days to 20 days.
45
The Functional Roles and Responsibilities Document was finalized in January 2014.
Chapter 4
Jared P. Cole
SUMMARY
In order to protect national security, the government maintains
various terrorist watchlists, including the “No Fly” list, which contains
the names of individuals to be denied boarding on commercial airline
flights. Travelers on the No Fly list are not permitted to board an
American airline or any flight on a foreign air carrier that lands or departs
from U.S. territory or flies over U.S. airspace. Some persons have
claimed that their alleged placement on the list was the result of an
erroneous determination by the government that they posed a national
security threat. In some cases, it has been reported that persons have been
prevented from boarding an aircraft because they were mistakenly
believed to be on the No Fly list, sometimes on account of having a name
similar to another person who was actually on the list. As a result, various
legal challenges to placement on the list have been brought in court.
The Department of Homeland Security operates a redress process for
people who encounter difficulties while traveling. The government’s
policy, however, is never to confirm or deny whether someone is on the
No Fly list; and the redress process does not provide travelers with an
∗
This is an edited, reformatted and augmented version of a Congressional Research Service
publication R43730, prepared for Members and Committees of Congress, dated September
18, 2014.
INTRODUCTION
The safety of air travel, particularly after the terrorist attacks of September
11, 2001, is an important priority for the U.S. government. The Aviation and
Transportation Security Act of 2001 created the Transportation Security
Administration (TSA) and charged it with ensuring the security of all modes of
transportation, including civil aviation.1 The TSA is responsible for
prescreening all potential commercial airline travelers before they board an
aircraft.2 Pursuant to this responsibility, TSA uses the “No Fly” list to identify
individuals who pose a threat to aviation safety. Persons attempting to board
an aircraft who are matched to an identity on the No Fly list are not allowed to
The No Fly List: Procedural due Process and Hurdles to Litigation 119
board. Recent news reports claim that 47,000 people are currently on the No
Fly list, including 800 Americans.3
However, some persons have claimed that their alleged placement on the
list was the result of an erroneous determination by the government that they
posed a national security threat. In some cases, it has been reported that
persons have been prevented from boarding an aircraft because they were
mistakenly believed to be on the No Fly list, sometimes on account of having a
name similar to another person who was actually on the list.4 The Department
of Homeland Security (DHS) operates a redress process for travelers who wish
to contest their right to board an aircraft, but this procedure has been
challenged in federal court as violating the Fifth Amendment right to due
process.5 After an adverse ruling in a recent federal district court,6 the
executive branch is apparently revising the process.7 This report will provide
an overview of the operation of the government’s watchlists, examine some of
the legal issues implicated by challenges to the No Fly list, and describe recent
case law on the matter.
with the agency’s mission(s) and statutory authorities.31 For the purposes of
monitoring flights, TSA receives two such lists: the No Fly list and the
Selectee list. People on the first are prohibited from boarding an American
airline or any flight that comes in contact with U.S. territory or airspace. Those
on the second are subject to enhanced screening procedures when they attempt
to do so.32 The No Fly and Selectee lists have their own substantive
requirements for inclusion, which executive officials have stated are more
stringent than the reasonable suspicion standard for placement on the TSDB.33
TSC requires “sufficient biographical information and sufficient derogatory
information” for inclusion on the No Fly and Selectee List.34 When a person is
placed on the list, they will not receive notice; instead, they will simply be
denied boarding or subjected to enhanced screening procedures if they attempt
to board a plane.35
However, in a departure from the traditional requirements for inclusion on
the No Fly list, after the failed terrorist attack of the so-called “underwear
bomber,” who attempted to destroy a commercial plane traveling from
Amsterdam to Detroit on Christmas Day 2009, the NCTC and TSC were
ordered to add a number of individuals from the TIDE database to the No Fly
list.36 This included a number of “individuals without any information indicating
a personal involvement in terrorism.”37 Accordingly, a number of individuals
were placed on the No Fly list who may not have met the normal standards for
inclusion. Subsequently, TSC, in coordination with the FBI and other
intelligence agencies, conducted a review of all the individuals who had been
upgraded. This review was completed more than two years after the original
upgrading.38 A recent Department of Justice (DOJ) Office of Inspector
General audit expressed “concerns about the TSC’s ability to ensure that all
watchlist records that were modified as a result of the attempted attack were
reviewed and returned to the appropriate individualized status.”39
The precise guidelines and particular factors the government relies on to
place individuals on terrorist watchlists are not made public. The criteria for
placement on the No Fly list, as well as whether a person is on the No Fly list,
are considered “Sensitive Security Information” (SSI) and have not been
publicly released by the federal government.40
Secure Flight
Redress Process
this process in federal courts, challenging both their alleged placement on the
No Fly list and the adequacy of the government’s redress procedures.68
Some travelers who challenge their placement on the No Fly list and the
government’s redress process have alleged that their right to international
travel has been deprived without due process of law. Courts assessing
procedural due process claims first ask “whether the plaintiff has been
deprived of a [constitutionally] protected interest.”75 If so, courts next
“consider whether the procedures used by the government in effecting the
deprivation ‘comport with due process.’”76
place, and circumstances.”103 Instead, the concept is “flexible and calls for
such procedural protections as the particular situation demands.”104
Consequently, the precise type of notice, the manner and time of a hearing,
and the identity of the decision maker can vary according to the situation.
When determining the proper procedural protections in a given situation,
courts will weigh the private interests affected against the government’s
interest. In Mathews v. Eldridge, the Supreme Court articulated the
balancing test for deciding what procedural protections are required when the
government deprives someone of life, liberty, or property.105 A court must
examine three broad factors:
First, the private interest that will be affected by the official action;
second, the risk of an erroneous deprivation of such interest through the
procedures used, and the probable value, if any, of additional or substitute
procedural safeguards; and finally, the Government’s interest, including
the function involved and the fiscal and administrative burdens that the
additional or substitute procedural requirement would entail.106
Plaintiff’s Interest
As explained above, the right to international travel is a constitutionally
protected liberty interest that some courts have found to be infringed by
placement on the No Fly list.107 In assessing a procedural due process
challenge to the governmental procedures when a person’s liberty is infringed,
courts will first weigh the private interest affected by the government’s action.
In assessing the significance of the deprivation, the Supreme Court has
examined a number of different factors, including the severity, length, and the
finality of a deprivation.108 For example, the Court has found the termination
of welfare benefits—which are based on financial need—to be more severe
than the termination of disability benefits, which are not.109 In the latter case,
the Court has ruled, fewer procedural protections are required.110 Similarly, the
Court has noted the difference between absolute termination and a temporary
suspension from one’s employment.111 Again, the latter requires fewer
procedural protections.112
Government’s Interest
Finally, a court would examine the government’s interest in the matter and
the cost of imposing additional procedures. The government has a strong
interest in preventing terrorism, which includes ensuring the safety of air
travel.132 The operation of the No Fly list arguably is an important tool to do
Hurdles to Litigation
terrorist database and the policies and procedures used for determining how an
individual’s name is placed in such a database.”183
Similarly, the deliberative process privilege has been invoked by the
executive branch in challenges to placement on the No Fly list.184 The privilege
allows the government to withhold material that “reflect[] advisory opinions,
recommendations and deliberations comprising part of a process by which
governmental decisions and policies are formulated.”185 In order to qualify,
documents must be “predecisional” and “deliberative.”186 A document qualifies
as the former if it “was prepared in order to assist an agency decisionmaker in
arriving at his decision,” and the latter if its release would “expose an agency’s
decisionmaking process in such a way as to discourage candid discussion
within the agency and thereby undermine the agency’s ability to perform its
functions.”187 As with the other privileges, however, its invocation by the
government is not absolute. A plaintiff “may obtain deliberative materials if his
or her need for the materials and the need for accurate fact-finding over-ride the
government’s interest in non-disclosure.”188 In the No Fly list context, this
privilege might be invoked in an attempt to withhold documents used in certain
decision-making processes, such as whether to place an individual on the No
Fly list.
Finally, TSA has statutory discretion to designate certain material as
“sensitive security information,” or “information obtained ... in the conduct of
security activities ... the disclosure of which TSA has determined would ... [b]e
detrimental to the security of transportation.”189 Such information is “not
available for public inspection,”190 and the government has claimed exemptions
from disclosure at trial on this basis.191 Nonetheless, as with the privileges
discussed above, plaintiffs and their counsel can access information in certain
circumstances.192
CONCLUSION
Properly balancing the important national security interest of preventing
terrorist attacks with the civil liberties of travelers prevented from boarding a
plane is a complicated and delicate matter. Operation of the government’s No
Fly list implicates a wide variety of statutory and constitutional issues. As
more challenges to the No Fly list are adjudicated in courts, the redress process
for travelers might change considerably. Ultimately, if federal courts reach
disparate rulings on the due process requirements of placement on the No Fly
list, federal agencies will receive conflicting directives on how to proceed.
End Notes
1
See 49 U.S.C. § 114 (a), (d). The Homeland Security Act of 2002 transferred TSA to the
Department of Homeland Security. See 6 U.S.C. § 203.
2
See DEPARTMENT OF HOMELAND SECURITY, OFFICE OF INSPECTOR GENERAL,
ROLE OF THE NO FLY AND SELECTEE LISTS IN SECURING COMMERCIAL
AVIATION 3 (2009).
3
See Adam Goldman, More Than 1 Million People Are Listed in U.S. Terrorism Database,
WASHINGTON POST (Aug. 5, 2014) available at
http://www.washingtonpost.com/world/national-security/more-than-1-million-people-are-listedin-us-terrorism-database/2014/08/05/a66de30c-1ccc-11e4-ab7b-696c295ddfd1_story.html.
4
See, e.g., Mike McIntire, Ensnared by Error on Growing U.S. Watch List, NEW YORK TIMES
(April 6, 2010) available at http://www.nytimes.com/2010/04/07/us/07watch.html?pagewanted=all;
U.S. DEPARTMENT OF JUSTICE, OFFICE OF THE INSPECTOR
GENERAL, REPORT TO CONGRESS ON IMPLEMENTATION OF SECTION 1001 OF
THE USA PATRIOT ACT 13 (2009).
5
See U.S. CONST. amend. V. Another challenge alleges that Federal Bureau of Investigation
(FBI) agents used placement on the list to coerce Muslims to spy on their communities. See
First Amended Complaint, Tanvir v. Holder, No. 1:13-cv-06951-RA (S.D.N.Y. April 22,
2014) available at http://www.ccrjustice.org/files/ Tanvir%20v%20Comey%2013-cv-
6951%20First%20Amended%20Complaint%202014_04_22%20— %20AS%20FILED.pdf.
The plaintiffs alleged violations of their right to due process under the Fifth Amendment,
and violations of the First Amendment, the Religious Freedom Restoration Act, and the
Administrative Procedure Act. The alleged utilization of the No Fly list as a coercive tool is,
however, beyond the scope of this report. Instead, this report focuses on the operation of the
No Fly list and legal challenges to placement on the list under the Due Process Clause of the
U.S. Constitution.
6
See Latif v. Holder, 3:10-CV-00750-BR, 2014 WL 2871346 (D. Or. June 24, 2014).
7
See Joint Status Report, Latif v. Holder, 3:10-CV-00750-BR (D. Or. August 4, 2014).
8
DEPARTMENT OF HOMELAND SECURITY, OFFICE OF INSPECTOR GENERAL,
IMPLEMENTATION AND COORDINATION OF TSA’S SECURE FLIGHT PROGRAM
4 (2012) [hereinafter 2012 IG REPORT].
9
50 U.S.C. § 3056.
10
See 2012 IG REPORT, supra note 8, at 4.
11
The Intelligence Community includes the Office of the Director of National Intelligence, the
Central Intelligence Agency, the National Security Agency, the Defense Intelligence
Agency, the National Geospatial-Intelligence Agency, the National Reconnaissance Office,
other Department of Defense offices, intelligence units of the Armed Forces, the FBI, the
DEA, and DHS, the Bureau of Intelligence and Research of the Department of State, and
the Office of Intelligence and Analysis at the Department of the Treasury. 50 U.S.C. §
30003.
12
See 2012 IG REPORT, supra note 8, at 4.
13
Some examples of conduct that merits entry into TIDE include persons who: engage in, plan,
or prepare international terrorist activity; collect information on targets for terrorist activity;
solicit funds for or membership in a terrorist organization; provide material support for
terrorism. GOVERNMENT ACCOUNTABILITY OFFICE, GAO-12-476, TERRORIST
WATCHLIST, ROUTINELY ASSESSING IMPACTS OF AGENCY ACTIONS SINCE
THE DECEMBER 25, 2009, ATTEMPTED ATTACK COULD HELP INFORM FUTURE
AGENTS 17-18 (2012) [hereinafter 2012 GAO REPORT]; see Secure Flight Program;
Final Rule, 73 Fed. Reg. 64018-64066 (Oct. 28, 2008).
14
National Counterterrorism Center, Terrorist Identities Datamart Environment Fact Sheet
available at http://www.nctc.gov/docs/tidefactsheet_Aug12014.pdf [hereinafter NCTC Fact
Sheet].
15
Id.
16
2012 IG REPORT, supra note 8, at 4.
17
See NCTC FACT SHEET, supra note 14; DEPARTMENT OF HOMELAND SECURITY,
OFFICE OF INSPECTOR GENERAL, ROLE OF THE NO FLY AND SELECTEE LISTS
IN SECURING COMMERCIAL AVIATION 5-9 (2009).
18
Mohamed v. Holder, 995 F. Supp. 2d 520, 526 n.8 (E.D. Va. 2014) (E.D. Va. Jan. 22, 2014)
(quotations omitted).
19
Id.
20
See Homeland Security Presidential Directive—6, Integration and Use of Screening
Information to Protect Against Terrorism (Sept. 16, 2003). See also Homeland Security
Presidential Directive—11, Comprehensive Terrorist-Related Screening Procedures (Aug.
27, 2004); Homeland Security Presidential Directive—24: Biometrics for Identification and
Screening to Enhance National Security (Jun. 5, 2008).
21
“[I]nternational terrorism” means activities that—
(A) involve violent acts or acts dangerous to human life that are a violation of the criminal
laws of the United States or of any State, or that would be a criminal violation if committed
within the jurisdiction of the United States or of any State;
(B) appear to be intended—
i. to intimidate or coerce a civilian population;
ii. to influence the policy of a government by intimidation or coercion; or
iii. to affect the conduct of a government by mass destruction, assassination, or
kidnapping; and
(C) occur primarily outside the territorial jurisdiction of the United States, or transcend
national boundaries in terms of the means by which they are accomplished, the persons they appear
intended to intimidate or coerce, or the locale in which their perpetrators operate or seek
asylum. 50 U.S.C. § 2331(1).
22
“[D]omestic terrorism” means activities that—
(A) involve acts dangerous to human life that are a violation of the criminal laws of the
United States or of any State;
(B) appear to be intended—(i) to intimidate or coerce a civilian population; (ii) to
influence the policy of a government by intimidation or coercion; or (iii) to affect the
conduct of a government by mass destruction, assassination, or kidnapping; and
(C) occur primarily within the territorial jurisdiction of the United States. 50 U.S.C. §
2331(5).
23
2012 IG REPORT, supra note 8, at 6.
24
Statement of Timothy J. Healy, Director, Terrorist Screening Center, Federal Bureau of
Investigation, before the Committee on Homeland Security and Governmental Affairs, U.S.
Senate, The Lessons and Implications of the Christmas Day Attack: Watchlisting and
Pre-screening (Mar. 10, 2010) [hereinafter Healy Statement] available at
http://www.fbi.gov/news/testimony/the-lessons-and-implications-of-the-christmas-day-attack-watchlisting-and-prescreening.
25
Id. at 2.
26
Id.
27
Ibrahim v. Department of Homeland Security, No. C 06-00545 WHA, slip op. at 12 (N.D. Cal.
Jan. 14, 2014).
28
Id. at 12.
29
Id. at 19.
30
2012 IG REPORT, supra note 8, at 5.
31
The TSC compiles a number of such lists for frontline agencies. These include the Department
of State’s Consular Lookout and Support System (CLASS) for screening of passports and
visas, the U.S. Customs and Border Protection TECS system, the No Fly and Selectee list,
the FBI’s National Crime and Information Center’s Known or Suspected Terrorist File, and
the Interagency Border Inspection System.
32
Placement on the Selectee list, which can result in enhanced screening procedures at an airport,
may also present an impediment to travel; however, the legal issues raised by the Selectee
list are beyond the scope of this report, which focuses instead on placement on the No Fly
list.
33
Healy Statement, supra note 24, at 4.
34
Id. at 5.
35
See Ibrahim v. Dep’t of Homeland Sec., No. C 06-00545 WHA, slip op. at 13 (N.D. Cal. Jan.
14, 2014).
36
See U.S. DEPARTMENT OF JUSTICE, OFFICE OF THE INSPECTOR GENERAL, AUDIT
DIVISION, AUDIT OF THE FEDERAL BUREAU OF INVESTIGATION’S
MANAGEMENT OF TERRORIST WATCHLIST NOMINATIONS (March 2014).
37
Id. at 19.
38
Id. at 23.
39
Id. at 28.
40
News sources report that “Watchlisting Guidance” reportedly used by the government, dated
March 2013, has been published by The Intercept, an online magazine that has published
documents it says have been obtained from Edward Snowden. Spencer Ackerman, How the
US’s Terrorism Watchlists Work – And How You Could End Up on One,
THEGUARDIAN.COM (July 24, 2014); Charlie Savage, Over Government Objections,
Rules on No-Fly List are Made Public, NYTIMES.COM (July 23, 2014).
41
Prior to 9/11, aviation security was handled by the Federal Aviation Administration (FAA).
The FAA ordered air carriers not to board certain individuals who were deemed a threat to
aviation safety. On 9/11, this “no fly” list contained 12 names. See NAT’L COMM’N ON
TERRORIST ATTACKS UPON THE U.S., THE 9/11 COMMISSION REPORT 83
(2004).
42
P.L. 108-458, 118 Stat. 3638, Dec. 17, 2004 Sec. 4012.
43
Id.
44
Secure Flight Program; Final Rule, 73 Fed. Reg. 64018-64066 (Oct. 28, 2008).
45
2012 IG Report, supra note 8, at 10.
46
Id.
47
See 2012 GAO Report, supra note 13, at 17-18; see also Secure Flight Program; Final Rule, 73
Fed. Reg. 64018-64066 (Oct. 28, 2008).
48
See 2012 IG REPORT, supra note 8, at 11. Secure Flight screens TSDB records that have a
“full name and date of birth that are not already on the No Fly or Selectee Lists” for this
purpose. Id. at 11. See also 2012 GAO REPORT, supra note 13, at 17-18.
49
See 2012 IG REPORT, supra note 8, at 17-18. For a more thorough examination of the process
used to conduct matching, which may include searching other government databases, see
2012 IG REPORT, supra note 8, at 20-26.
50
Id. at 9-11. For a more complete explanation of how uncertainties are resolved in the matching
process, see 2012 IG REPORT, supra note 8, at 20-26.
51
Id. at 22.
52
2012 GAO REPORT, supra note 13, at 42.
53
See, e.g., Latif v. Holder, 3:10-CV-00750-BR, 2014 WL 2871346 (D. Or. June 24, 2014)
(challenge brought by thirteen plaintiffs denied boarding on flight).
54
P.L. 110-53; codified at 49 U.S.C. § 44926(a). The Intelligence Reform and Terrorism
Prevention Act of 2004 required TSA to establish procedures for persons identified as
security threats to appeal such determinations. P.L. 108-458; codified at 49 U.S.C. §
44926(a)(j)(2)(G) & 44909(c)(6)(B).
55
See Department of Homeland Security, One-Stop Travelers’ Redress Process,
https://www.dhs.gov/one-stop-travelers-redress-process; see generally DEPARTMENT OF
HOMELAND SECURITY, OFFICE OF INSPECTOR GENERAL, EFFECTIVENESS OF
THE DEPARTMENT OF HOMELAND SECURITY TRAVELLER REDRESS INQUIRY
PROGRAM 7-9 (2009).
56
2012 IG REPORT, supra note 8, at 18. DHS TRIP is a department-wide redress process that
covers any of the “department’s component agencies,” including TSA programs as well as
Customs and Border Protection. See NCTC FACT SHEET, supra note 14.
57
Instructions for filing a complaint can be found at
https://www.dhs.gov/one-stop-travelers-redress-process.
58
Ibrahim v. Department of Homeland Security, No. C 06-00545 WHA, slip op. at 14 (N.D. Cal.
Jan. 14, 2014).
59
2012 IG REPORT, supra note 8, at 18.
60
Id.
61
See Latif v. Holder, 969 F. Supp. 2d 1293, 1297 (D. Or. 2013); Mohamed v. Holder, 995 F.
Supp. 2d 520, 527 (E.D. Va. 2014). The government has asserted that its practice of neither
confirming nor denying a person’s watchlist status is conducted pursuant to its “Glomar”
policy, see Phillippi v. CIA, 546 F.2d 1009, 1013 (D.C. Cir. 1976), a judicially recognized
exception to FOIA requests seeking national security information. See Defendant’s
Memorandum of Law in Support of Motion for Partial Summary Judgment at 15, Latif v.
Holder, No. 3:10-cv-00750-BR (D.Or. Feb. 13, 2013).
62
See Latif v. Holder, 969 F. Supp. 2d 1293, 1297 (D. Or. 2013); Mohamed v. Holder, 995 F.
Supp. 2d 520, 527 (E.D. Va. 2014). A letter will sometimes notify the traveler that he or she
may seek further administrative review with DHS. Id. In that case, the final determination
letter will notify the traveler that he or she may seek review in a United States court of
appeals. These letters also do not confirm or deny whether the traveler is or was on a
watchlist. See Third Joint Statement of Stipulated Facts, Latif v. Holder, No. 3:10-cv-
00750-BR (D.Or. 2013).
63
Defendants’ Supplemental Brief at 9-10, Latif v. Holder, No. 3:10-cv-00750-BR (D.Or. Oct.
25, 2013).
64
Id. at 7-8.
65
Latif v. Holder, 969 F. Supp. 2d 1293, 1297 (D. Or. 2013).
66
Id. at 1298.
67
Id. at 1305. Exceptions to this policy have been made in rare circumstances. See Federal
Bureau of Investigation, Press Release, International Government Officials not on No Fly
List, Oct. 6, 2006 (announcing that two foreign elected officials were not on the No Fly
list).
68
See e.g., Ibrahim v. Department of Homeland Security, 669 F.3d 983 (9th Cir. 2012) (claim
brought by foreign national barred from flying seeking an injunction requiring the
government to remove her name from its terrorist watchlists); Latif v. Holder, 969 F. Supp.
2d 1293, 1296 (D. Or. 2013) (claim brought by citizens and lawful permanent residents who
were not allowed to board an aircraft alleging a violation of their right to procedural due
process because the government failed to deliver post-deprivation notice or a meaningful
opportunity to contest inclusion on the No Fly list).
69
U.S. Const. amend. V. The No Fly list and airport screening procedures might raise equal
protection issues as well, but these issues are beyond the scope of this report.
70
See Verdugo-Urquidez v. United States, 494 U.S. 259, 270-71 (1990) (“[A]liens receive
constitutional protections when they have come within the territory of the United States and
developed substantial connections with this country.”). Aliens outside the country generally
lack constitutional protection. Id. at 269 (“[W]e have rejected the claim that aliens are
entitled to Fifth Amendment rights outside the sovereign territory of the United States.”)
But see Ibrahim v. Department of Homeland Security, 669 F.3d 983, 997 (9th Cir. 2012)
(holding that an alien not currently in the country, but who had been lawfully present in the
United States for four years before departing the country and being prevented from
returning, had established a “significant voluntary connection” to the United States
sufficient to assert claims under the First and Fifth Amendments).
71
Mathews v. Eldridge, 424 U.S. 319, 332 (1976).
72
The Fourteenth Amendment provides that no state shall “deprive any person of life, liberty, or
property, without due process of law.” U.S. Const. amend. XIV, § 1.
73
Washington v. Glucksberg, 521 U.S. 702, 720 (1997).
74
See infra, notes 86-99 and accompanying text.
75
Am. Mfrs. Mut. Ins. Co. v. Sullivan, 526 U.S. 40, 59 (1999). See Board of Regents v. Roth,
408 U.S. 564, 570-71 (1972) (“But, to determine whether due process requirements apply in
the first place, we must look not to the ‘weight’ but to the nature of the interest at stake. We
must look to see if the interest is within the Fourteenth Amendment’s protection of liberty
and property.”) (citations omitted).
76
Ralls Corp. v. Comm. on Foreign Inv. in U.S., 758 F.3d 296, 315 (D.C. Cir. 2014) (quoting
Am. Mfrs., 526 U.S. at 59). But see Latif v. Holder, 3:10-CV-00750-BR, 2014 WL
2871346 (D. Or. June 24, 2014) (appearing to include the recognition of a liberty interest
within Mathews’ first step, rather than as a preliminary finding).
77
Kent v. Dulles, 357 U.S. 116, 125 (1958).
78
Califano v. Aznavorian, 439 U.S. 170, 176 (1978) (citations omitted) (italics added).
79
Id. See Aptheker v. Secretary of State, 378 U.S. 500, 505–508 (1964).
80
Haig v. Agee, 453 U.S. 280, 306-07 (1981) (citation omitted).
81
See Mackey v. Montrym, 443 U.S. 1 (1979) (states may exercise regulatory powers to deter
drunk driving); Miller v. Reed, 176 F.3d 1202, 1205–1206 (9th Cir. 1999); Cramer v.
Skinner, 931 F.2d 1020, 1031 (5th Cir. 1991).
82
See, e.g., Gilmore v. Gonzales, 435 F.3d 1125 (9th Cir. 2006).
83
Id.
84
Id. at 1136.
85
Id. at 1137.
86
See, e.g., Mohamed v. Holder, 995 F. Supp. 2d 520, 522 (E.D. Va. 2014); Ibrahim v. Dep't of
Homeland Sec., C 06-00545 WHA, 2012 WL 6652362 (N.D. Cal. Dec. 20, 2012).
87
Latif v. Holder, 969 F. Supp. 2d 1293, 1303 (D. Or. 2013).
88
Id.
89
Id.
90
See Paul v. Davis, 424 U.S. 693, 709 (1976). Closely related to a liberty interest in
international travel, but legally distinct, is a citizen’s right to reenter the United States.
Some federal courts have found that the right of an American citizen to return to the United
States from abroad is a substantive due process right. See Fikre v. F.B.I., 3:13-CV-00899-BR,
2014 WL 2335343 (D. Or. May 29, 2014); Tarhuni v. Holder, 3:13-CV-00001-BR,
2014 WL 1269655 (D. Or. Mar. 26, 2014); see also Nguyen v. Immigration and
Naturalization Serv., 533 U.S. 53, 67 (2001) (discussing privileges of U.S. citizenship,
including “the absolute right to enter [the] borders” of the United States). Placement on the
No Fly list, under this theory, can infringe upon this right. For example, one district court
has ruled that a U.S. citizen, allegedly placed on the No Fly list while abroad, raised a
colorable substantive due process claim related to his right to reenter the United States.
Mohamed v. Holder, 995 F. Supp. 2d 520, 536-37 (E.D. Va. 2014). In that case, the
government argued that the right of reentry applies only to citizens who present themselves
at the border, and does not apply to impediments preventing one’s ability to actually reach
the United States. Id. The government asserted that the plaintiff had never actually been
denied entry into the United States, and would be permitted to enter if he found an
alternative mode of transportation (other than flying) that enabled the plaintiff to present
himself at a port of entry. The district court rejected these arguments, concluding that the
right of reentry “entails more than simply the right to step over the border after having
arrived there.” Government actions to prevent a citizen from reaching the border, the court
explained, can “infringe” upon the right to reentry. Id.
The outcome of a substantive due process challenge often turns on the level of scrutiny a
court uses to examine the government’s action. See ERWIN CHEMERINSKY,
CONSTITUTIONAL LAW, PRINCIPLES AND POLICIES 546-47 (2006). However,
substantive due process challenges to placement on the No Fly list are less developed in
federal courts than claims under procedural due process, as no court appears to have fully
adjudicated the issue. One court recognized a substantive due process right to return to the
United States, but ultimately dismissed the claim because the plaintiff had alternative means
to return. See Fikre v. F.B.I., 3:13-CV-00899-BR, 2014 WL 2335343 (D. Or. May 29,
2014). Another recognized the same right and denied the government’s motion to dismiss.
See Tarhuni v. Holder, 3:13-CV-00001-BR, 2014 WL 1269655 (D. Or. Mar. 26, 2014).
Because it is unclear what the proper level of scrutiny is in a substantive due process
challenge to placement on the No Fly list, resolution of the matter is uncertain at this time.
91
See Mead v. Independence Ass'n, 684 F.3d 226, 233 (1st Cir. 2012); Miller v. California, 355
F.3d 1172, 1178 (9th Cir. 2004).
92
Ulrich v. City & Cnty. of San Francisco, 308 F.3d 968, 982 (9th Cir. 2002) (quoting Paul, 424
U.S. at 701).
93
Green v. Transportation Security Admin., 351 F.Supp.2d 1119, 1129 (W.D. Wa. 2005).
94
Id. at 1130.
95
Id.
96
Latif v. Holder, No. 3:10-cv-00750-BR, 2014 WL 2871346 (D.Or. Jun. 24, 2014).
97
Id. at *12.
98
Id.
99
See Tarhuni v. Holder, 3:13-CV-00001-BR, 2014 WL 1269655 at *14 (D. Or. Mar. 26, 2014).
100
Cleveland Bd. of Ed. v. Loudermill, 470 U.S. 532, 542 (1985).
101
Goldberg v. Kelly, 397 U.S. 254, 263-64 (1970).
102
Hamdi v. Rumsfeld, 542 U.S. 507, 533 (2004).
103
Cafeteria Workers v. McElroy, 367 U.S. 886, 895 (1961).
104
Morrissey v. Brewer, 408 U.S. 471, 481 (1972).
105
Mathews v. Eldridge, 424 U.S. 319, 334 (1976).
106
Id. at 335.
107
Challenges to No Fly list placements that only burden the right to interstate travel – rather
than international – might be less likely to raise a due process issue because of the
availability of alternative modes of transportation for interstate travel. See Tarhuni v.
Holder, 3:13-CV-00001-BR, 2014 WL 1269655 at *12 (D. Or. Mar. 26, 2014); Gilmore v.
Gonzales, 435 F.3d 1125, 1137 (9th Cir. 2006).
108
See Gilbert v. Homar, 520 U.S. 924, 932 (1997) (“But while our opinions have recognized the
severity of depriving someone of the means of his livelihood ... they have also emphasized
that in determining what process is due, account must be taken of ‘the length’ and ‘finality
of the deprivation.’”) (quoting Logan v. Zimmerman Brush Co., 455 U.S. 422, 434 (1982)).
109
Compare Goldberg v. Kelly, 397 U.S. 254 (1970) (welfare benefits) with Mathews v.
Eldridge, 424 U.S. 319 (1976) (disability benefits).
110
Mathews, 424 U.S. at 340.
111
Compare Gilbert v. Homar 520 U.S. 924 (1997) (temporary suspension) with Cleveland Bd.
of Educ. v. Loudermill, 470 U.S. 532 (1985) (termination).
112
Loudermill, 470 U.S. at 932.
113
See, e.g., Tarhuni v. Holder, 3:13-CV-00001-BR, 2014 WL 1269655 at *11 (D. Or. Mar. 26,
2014); Latif v. Holder, 969 F. Supp. 2d 1293, 1303 (D. Or. 2013).
114
See Tarhuni v. Holder, 3:13-CV-00001-BR, 2014 WL 1269655 at *11 (D. Or. Mar. 26, 2014).
115
Reply Memorandum in Support of Defendants’ Motion for Partial Summary Judgment at 12,
Latif v. Holder, No. 3:10-cv-00750-BR (D. Ore. Mar. 26, 2013).
116
Id. at 11.
117
Mathews, 424 U.S. at 335.
118
See Latif v. Holder, 3:10-CV-00750-BR, 2014 WL 2871346 at *13-16 (D. Or. June 24, 2014).
119
Compare Goldberg v. Kelly, 397 U.S. 254, 269 (1970) with Mathews v. Eldridge, 424 U.S.
319, 343-44 (1976).
120
Mathews, 424 U.S. at 343-45.
121
Santosky v. Kramer, 455 U.S. 745, 761-64 (1982).
122
In Nat'l Council of Resistance of Iran v. Dep't of State, 251 F.3d 192 (D.C. Cir. 2001), the
D.C. Circuit examined the Secretary of State’s designation of an entity to be a Foreign
Terrorist Organization under the Anti-Terrorism and Effective Death Penalty Act. The
relevant judicial review provision did not permit the entity to “access, comment on, or
contest the critical material.” Id. at 197. The court ruled that this review was not sufficient
to satisfy due process. The court required the Secretary to provide the entity with the
unclassified material to be used to make the designation and “the opportunity to present, at
least in written form, such evidence as those entities may be able to produce to rebut the
administrative record or otherwise negate the proposition that they are foreign terrorist
organizations.” Id. at 208-209. See People’s Mojahedin Organization of Iran v. U.S. Dep’t
of State, 613 F.3d 220, 227-28 (D.C. Cir. 2010) (similar holding). In Al Haramain Islamic
Foundation, Inc. v. U.S. Dep’t of Treasury, 686 F.3d 965, 983 (9th Cir. 2011), the Ninth
Circuit examined the procedures used when the Office of Foreign Assets Control designated
an entity to be a “specially designated global terrorist.” Id. at 970. The court noted the high
risk of error when the government relies upon classified information without disclosure and
held that the government must, at least when it does not implicate national security, provide
140
United States v. Daoud, 755 F.3d 479, 484 (7th Cir. 2014) supplemented, 14-1284, 2014 WL
3734136 (7th Cir. July 14, 2014). See United States v. El-Mezain, 664 F.3d 467, 468 (5th
Cir. 2011).
141
See Al Haramain Islamic Foundation, Inc. v. U.S. Dep’t of Treasury, 686 F.3d 965, 983 (9th
Cir. 2011); KindHearts for Charitable Humanitarian Dev., Inc. v. Geithner, 710 F. Supp. 2d
637, 660 (N.D. Ohio 2010) (“If declassification or summarization of classified information
is insufficient or impossible, then KindHearts’ counsel will obtain an adequate security
clearance to view the necessary documents, and will then view these documents in camera,
under protective order, and without disclosing the contents to KindHearts.”).
142
See Al Haramain Islamic Foundation, Inc. v. U.S. Dep’t of Treasury, 686 F.3d 965, 982-83
(9th Cir. 2011). In the criminal context, this procedure is authorized under the Classified
Information Procedure Act. See 18 U.S.C.A. § 4 (“The court, upon a sufficient showing,
may authorize the United States to delete specified items of classified information from
documents to be made available to the defendant through discovery under the Federal Rules
of Criminal Procedure, to substitute a summary of the information for such classified
documents, or to substitute a statement admitting relevant facts that the classified
information would tend to prove.”).
143
Ibrahim v. Dep’t of Homeland Sec., slip op. at 29, No. 3:06-cv-00545-WHA (N.D. Ca. Jan.
14, 2014).
144
Haig v. Agee, 453 U.S. 280, 309 (1981); see also Palestine Information Office v. Shultz, 853
F.2d 932, 942-43 (D.C. Cir.1988); Global Relief Found., Inc. v. O'Neill, 315 F.3d 748, 754
(7th Cir. 2002).
145
Mackey v. Montrym, 443 U.S. 1, 19 (1979).
146
49 U.S.C. § 46110 provides that a person challenging a TSA order may petition a United
States court of appeals for review. Some courts have determined that challenges to the No
Fly list may nonetheless be brought in federal district court. See Ibrahim v. Dep't of
Homeland Sec., 538 F.3d 1250 (9th Cir. 2008); Mohamed v. Holder, No. 1:11-cv-00050-
AJT-TRJ (4th Cir. May 28, 2013). Others have concluded that challenges are proper in the
United States courts of appeals. See Scherfen v. United States Dep't of Homeland Sec.,
2010 U.S. Dist. LEXIS 8336 (M.D. Penn 2010) (distinguishing Ibrahim as “focused solely
on the question of whether placement on the No Fly List fell within § 46110,” while the
case at hand followed the receipt of a TRIP determination letter); Tooley v. Bush, CIV.A.
06-306, 2006 WL 3783142 (D.D.C. Dec. 21, 2006) rev'd in part sub nom. Tooley v.
Napolitano, 556 F.3d 836 on reh'g, 586 F.3d 1006 (D.C. Cir. 2009) and aff'd sub nom.
Tooley v. Napolitano, 586 F.3d 1006 (D.C. Cir. 2009).
147
Ibrahim v. Dep’t of Homeland Sec., Case3:06-cv-00545-WHA, slip op. at 2 (N.D. Ca. Jan. 14,
2014) (summary of order).
148
Id.
149
Ibrahim v. Dep’t of Homeland Sec., Case3:06-cv-00545-WHA, slip op. at 31 (N.D. Ca. Jan.
14, 2014).
150
Id. at 30.
151
Latif v. Holder, 3:10-CV-00750-BR, 2014 WL 2871346 (D. Or. June 24, 2014).
152
Id. at *11.
153
Id. at *9-24. The district court described the first Mathews step as including (1) a recognition
of a liberty interest and (2) a weighing of that interest “against the other factors.” Id. at *11.
154
Id. at *12. In addition, the court concluded that the injury to the plaintiffs’ reputations from
being placed on the list—though somewhat limited in scope because disclosure was limited
to those individuals near the traveler in the airport—implicated the plaintiffs’ “interests in
their reputations.” Id. at *12-13.
155
Id. at *15.
156
Id.
157
Id. at *16.
158
Id.
159
Id. at *23-24.
160
Id. at *24.
161
Id.
162
Id.
163
Id.
164
Id. In a filing with the court on September 4, 2014, the DOJ indicated that it did “not intend to
seek an appeal” of this order “at this time.” Supplemental Joint Status Report at 3, Latif v.
Holder, No. CV 10-00750-BR (D. Or. Sept. 4, 2014).
165
These privileges would not be invoked within the DHS TRIP process itself because that
review mechanism never reveals information to the traveler beyond the status of the review
process.
166
See, e.g., Ibrahim v. Dep't of Homeland Sec., C 06-00545 WHA, 2014 WL 1493561 at *2
(N.D. Cal. Apr. 16, 2014).
167
See U.S. v. Reynolds, 345 U.S. 1, 10 (1953); see also CRS Report R41741, The State Secrets
Privilege: Preventing the Disclosure of Sensitive National Security Information During
Civil Litigation, by Todd Garvey and Edward C. Liu.
168
See Reynolds, 345 U.S. at 8.
169
See id. at 9.
170
See Defendant’s Memorandum in Support of Their Motion to Dismiss Plaintiff’s Complaint as
a Result of the Assertion of the State Secrets Privilege, Mohamed v. Holder, No. 1:11-cv-
0050 (E.D. Va. May 28, 2014).
171
Id. at 11.
172
Id.
173
Id. at 12.
174
Id.
175
Id. at 14.
176
Id. The case is currently pending in the district court.
177
See, e.g., Ibrahim v. Dep't of Homeland Sec., C 06-00545 WHA, 2014 WL 1493561 (N.D.
Cal. Apr. 16, 2014).
178
In re Dep't of Investigation of City of New York, 856 F.2d 481, 484 (2d Cir. 1988). See also
Aspin v. Dep't of Defense, 491 F.2d 24, 29-30 (D.C.Cir.1973); Frankel v. Securities and
Exchange Commission, 460 F.2d 813, 817 (2d Cir. 1972); Ibrahim v. Dep't of Homeland
Sec., C 06-00545 WHA, 2014 WL 1493561 (N.D. Cal. Apr. 16, 2014).
179
See In re The City of New York, 607 F.3d 923, 944 (2d Cir. 2010); see also Nat'l Congress for
P.R. Rights ex rel. Perez v. City of N.Y., 194 F.R.D. 88, 95 (S.D.N.Y.2000); Halpern v.
FBI, 181 F.3d 279, 294 (2d Cir.1999).
180
In re Sealed Case, 856 F.2d 268, 272 (D.C. Cir. 1988); see also In re The City of New York,
607 F.3d 923, 945 (2d Cir. 2010).
181
One district court summarized the law as follows:
In deciding whether the privilege should apply, courts typically balance the following
factors:
“(1) the extent to which disclosure will thwart governmental processes by discouraging
citizens from giving the government information; (2) the impact upon persons who have
given information of having their identities disclosed; (3) the degree to which governmental
self-evaluation and consequent program improvement will be chilled by disclosure; (4)
whether the information sought is factual data or evaluative summary; (5) whether the party
seeking the discovery is an actual or potential defendant in any criminal proceeding either
pending or reasonably likely to follow from the incident in question; (6) whether the police
investigation has been completed; (7) whether any intradepartmental disciplinary
proceedings have arisen or may arise from the investigation; (8) whether the plaintiff’s suit
is non-frivolous and brought in good faith; (9) whether the information sought is available
through other discovery or from other sources; and (10) the importance of the information
sought to the plaintiff’s case.”
S.E.C. v. Gowrish, C 09-05883 SI, 2010 WL 1929498 (N.D. Cal. May 12, 2010) (quoting
Frankenhauser v. Rizzo, 59 F.R.D. 339, 344 (E.D.Pa.1973), overruled on other grounds,
Startzell v. City of Phila., No. 05–05287, 2006 WL 2945226 (E.D.Pa. Oct.13, 2006)). See
also Friedman v. Bache Halsey Stuart Shields, Inc., 738 F.2d 1336, 1342 (D.C. Cir. 1984)
(invoking the same factors).
182
See, e.g., In re The City of New York, 607 F.3d 923, 948 (2d Cir. 2010).
183
See, e.g., Ibrahim v. Dep't of Homeland Sec., C 06-00545 WHA, 2009 WL 5069133 at *6
(N.D. Cal. Dec. 17, 2009) vacated and remanded, 669 F.3d 983 (9th Cir. 2012).
184
See, e.g., Ibrahim v. Dep't of Homeland Sec., C 06-00545 WHA, 2013 WL 1703367 at *5-6
(N.D. Cal. Apr. 19, 2013).
185
N. L. R. B. v. Sears, Roebuck & Co., 421 U.S. 132, 150 (1975) (citation omitted).
186
Hongsermeier v. C.I.R., 621 F.3d 890, 904 (9th Cir. 2010).
187
Id. (citations and quotations omitted).
188
Ibrahim v. Dep't of Homeland Sec., C 06-00545 WHA, 2013 WL 1703367 at *2 (N.D. Cal.
Apr. 19, 2013) (quoting Cal. State Foster Parent Ass'n v. Wagner, No. 07–05086 WHA,
2008 WL 2872775 at *4 (N.D.Cal. July 23, 2008)).
189
49 C.F.R. § 1520.5.
190
49 C.F.R. § 1520.15.
191
See, e.g., Ibrahim v. Dep't of Homeland Sec., C 06-00545 WHA, 2009 WL 5069133 at *6
(N.D. Cal. Dec. 17, 2009) vacated and remanded, 669 F.3d 983 (9th Cir. 2012).
192
See, e.g., id.; see also Department of Homeland Security Appropriations Act of 2007, P.L.
109-295, 120 Stat. 1355 (Oct. 4, 2006).