Aviation Security
Efforts to Strengthen International Passenger Prescreening are Under Way, but Planning and Implementation Issues Remain Gao ID: GAO-07-346 May 16, 2007Passenger prescreening--a process that includes matching passengers' identifying information against records extracted from the U.S. government terrorist watch list--is one of several security measures in place to help ensure the safety of commercial flights traveling to or from the United States. DHS has several efforts underway to strengthen international aviation passenger prescreening. This report focuses on certain elements of the passenger prescreening process as well as some of the actions that DHS is taking or has planned to strengthen prescreening procedures. This report is a limited version of the original November 2006 report as various agencies that we reviewed deemed some of the information in the original report to be security sensitive. GAO's work included interviewing officials and assessing relevant documentation from federal agencies, U.S. and foreign air carriers, industry groups, and several foreign countries.
Customs and Border Protection (CBP), the Department of Homeland Security (DHS) agency responsible for international passenger prescreening, has planned or is taking several actions designed to strengthen the aviation passenger prescreening process. One such effort involves CBP stationing U.S. personnel overseas to evaluate the authenticity of the travel documents of certain high-risk passengers prior to boarding U.S.-bound flights. Under this pilot program, called the Immigration Advisory Program (IAP), CBP officers personally interview some passengers deemed to be high-risk and evaluate the authenticity and completeness of these passengers' travel documents. IAP officers also provide technical assistance and training to air carrier staff on the identification of improperly documented passengers destined for the United States. The IAP has been tested at several foreign airports and CBP is negotiating with other countries to expand it elsewhere and to make certain IAP sites permanent. Successful implementation of the IAP rests, in part, on CBP clearly defining the goals and objectives of the program through the development of a strategic plan. A second aviation passenger prescreening effort designed to strengthen the passenger prescreening process is intended to align international passenger prescreening with a similar program (currently under development) for prescreening passengers on domestic flights. The Transportation Security Administration (TSA)--a separate agency within DHS--is developing a domestic passenger prescreening program called Secure Flight. If CBP's international prescreening program and TSA's Secure Flight program are not effectively aligned once Secure Flight becomes operational, this could result in separate implementation requirements for air carriers and increased costs for both air carriers and the government. CBP and TSA officials stated that they are taking steps to coordinate their prescreening efforts, but they have not yet made all key policy decisions. In addition to these efforts to strengthen certain international aviation passenger prescreening procedures, one other issue requires consideration in the context of these efforts. This issue involves DHS providing the traveling public with assurances of privacy protection as required by federal privacy law. Federal privacy law requires agencies to inform the public about how the government uses their personal information. Although CBP officials have stated that they have taken and are continuing to take steps to comply with these requirements, the current prescreening process allows passenger information to be used in multiple prescreening procedures and transferred among various CBP prescreening systems in ways that are not fully explained in CBP's privacy disclosures. If CBP does not issue all appropriate disclosures, the traveling public will not be fully aware of how their personal information is being used during the passenger prescreening process.
GAO-07-346, Aviation Security: Efforts to Strengthen International Passenger Prescreening are Under Way, but Planning and Implementation Issues Remain
This is the accessible text file for GAO report number GAO-07-346
entitled 'Aviation Security: Efforts to Strengthen International
Passenger Prescreening are Under Way, but Planning and Implementation
Issues Remain' which was released on May 16, 2007.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
May 2007:
Aviation Security:
Efforts to Strengthen International Passenger Prescreening are Under
Way, but Planning and Implementation Issues Remain:
GAO-07-346:
GAO Highlights:
Highlights of GAO-07-346, a report to congressional requesters
Why GAO Did This Study:
Passenger prescreening”a process that includes matching passengers‘
identifying information against records extracted from the U.S.
government terrorist watch list”is one of several security measures in
place to help ensure the safety of commercial flights traveling to or
from the United States. DHS has several efforts underway to strengthen
international aviation passenger prescreening. This report focuses on
certain elements of the passenger prescreening process as well as some
of the actions that DHS is taking or has planned to strengthen
prescreening procedures. This report is a limited version of the
original November 2006 report as various agencies that we reviewed
deemed some of the information in the original report to be security
sensitive. GAO‘s work included interviewing officials and assessing
relevant documentation from federal agencies, U.S. and foreign air
carriers, industry groups, and several foreign countries.
What GAO Found:
Customs and Border Protection (CBP), the Department of Homeland
Security (DHS) agency responsible for international passenger
prescreening, has planned or is taking several actions designed to
strengthen the aviation passenger prescreening process. One such effort
involves CBP stationing U.S. personnel overseas to evaluate the
authenticity of the travel documents of certain high-risk passengers
prior to boarding U.S.-bound flights. Under this pilot program, called
the Immigration Advisory Program (IAP), CBP officers personally
interview some passengers deemed to be high-risk and evaluate the
authenticity and completeness of these passengers‘ travel documents.
IAP officers also provide technical assistance and training to air
carrier staff on the identification of improperly documented passengers
destined for the United States. The IAP has been tested at several
foreign airports and CBP is negotiating with other countries to expand
it elsewhere and to make certain IAP sites permanent. Successful
implementation of the IAP rests, in part, on CBP clearly defining the
goals and objectives of the program through the development of a
strategic plan.
A second aviation passenger prescreening effort designed to strengthen
the passenger prescreening process is intended to align international
passenger prescreening with a similar program (currently under
development) for prescreening passengers on domestic flights. The
Transportation Security Administration (TSA)”a separate agency within
DHS”is developing a domestic passenger prescreening program called
Secure Flight. If CBP‘s international prescreening program and TSA‘s
Secure Flight program are not effectively aligned once Secure Flight
becomes operational, this could result in separate implementation
requirements for air carriers and increased costs for both air carriers
and the government. CBP and TSA officials stated that they are taking
steps to coordinate their prescreening efforts, but they have not yet
made all key policy decisions.
In addition to these efforts to strengthen certain international
aviation passenger prescreening procedures, one other issue requires
consideration in the context of these efforts. This issue involves DHS
providing the traveling public with assurances of privacy protection as
required by federal privacy law. Federal privacy law requires agencies
to inform the public about how the government uses their personal
information. Although CBP officials have stated that they have taken
and are continuing to take steps to comply with these requirements, the
current prescreening process allows passenger information to be used in
multiple prescreening procedures and transferred among various CBP
prescreening systems in ways that are not fully explained in CBP‘s
privacy disclosures. If CBP does not issue all appropriate disclosures,
the traveling public will not be fully aware of how their personal
information is being used during the passenger prescreening process.
What GAO Recommends:
GAO recommended in November 2006 that the Department of Homeland
Security (1) complete a strategic plan and develop an evaluation
strategy for one of its prescreening programs, (2) take steps to ensure
that international and domestic prescreening programs are aligned, and
(3) ensure full compliance with applicable privacy laws. DHS generally
concurred with these recommendations.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-346].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Cathy Berrick at (202)
512-3404 or berrickc@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
DHS is Taking Steps to Strengthen the Current International Passenger
Prescreening Process:
CBP Has Not Fully Disclosed its Use of Personal Information during the
Prescreening Process:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Airline Liaison Officer Programs Implemented In Other
Countries:
Appendix III: APIS Quick Query (AQQ) and APIS Minus 60 Minutes (APIS-
60):
Appendix IV: Comments from the Department of Homeland Security:
Appendix V: GAO Contacts and Staff Acknowledgments:
GAO Related Products:
Table:
Table 1: The Characteristics of Selected ALO Programs:
Figures:
Figure 1: Overview of Current Prescreening Activities for International
Flights:
Figure 2: Overview of Current Differences between the Domestic and
International Prescreening Process:
Figure 3: Immigration Advisory Program Process:
Figure 4: The interaction between CBP Prescreening Systems and Data
Usage:
Abbreviations:
AEA: Association of European Airlines:
ALO: Airline Liaison Officer:
APIS: Advanced Passenger Information System:
APP: Advanced Passenger Processing:
AQQ: APIS Quick Query:
ATA: Air Transport Association of America:
ATS: Automated Targeting System:
CBP: Customs and Border Protection:
CSI: Container Security Initiative:
DHS: Department of Homeland Security:
DIMIA: Department of Immigration and Multicultural and Indigenous
Affairs:
ETA: Electronic Travel Authority:
EU: European Union:
GPRA: Government Performance and Results Act:
IAP: Immigration Advisory Program:
IATA: International Air Transport Association:
ISI: Immigration Security Initiative:
MIO: Migration Integrity Officer:
NPRM: Notice of Proposed Rulemaking:
NTC: National Targeting Center:
PNR: Passenger Name Record:
TDY: Temporary Duty:
TECS: Treasury Enforcement Communications System:
TSA: Transportation Security Administration:
TSC: Terrorist Screening Center:
TSDB: Terrorist Screening Database:
TSOC: Transportation Security Operations Center:
VWP: Visa Waiver Program:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
May 16, 2007:
The Honorable John Conyers, Jr.
Chairman:
Committee on the Judiciary:
House of Representatives:
The Honorable Bennie G. Thompson:
Chairman:
Committee on Homeland Security:
House of Representatives:
The Honorable Daniel K. Inouye:
Chairman:
The Honorable Ted Stevens:
Vice- Chairman:
Committee on Commerce, Science, and Transportation:
United States Senate:
The Honorable F. James Sensenbrenner, Jr.
House of Representatives:
During 2005, a number of passengers that the U.S. government identified
as a security risk were identified onboard international flights
traveling to or from the United States.[Footnote 1] In certain cases,
the resulting security risk was deemed high enough that the U.S.
government diverted the flight from its intended destination, resulting
in delays for passengers, costs to the air carriers, and government
intervention.
Preventing such high-risk passengers from boarding international
flights traveling to or from the United States is the goal of the
nation's international aviation passenger prescreening
process.[Footnote 2] These efforts include, among other things:
* Identity matching: comparing passengers' identifying information,
such as name and date of birth, against records extracted from the U.S.
government terrorist watch list containing the names of known or
suspected terrorists.[Footnote 3]
* Travel document review: evaluating the authenticity and completeness
of passengers' passports and other travel documents.
* Risk targeting: comparing passenger information against a set of
targeting rules that are indicators of elevated passenger risk in an
attempt to identify possible high-risk passengers who may not be on the
terrorist watch list.
The identity matching component of the international passenger
prescreening process currently involves separate matching activities
conducted by air carriers (prior to a flight's departure) and the
federal government (both before and after a flight's departure). In
2004, Congress mandated that the Department of Homeland Security (DHS)
issue a proposed plan for completing the U.S. government's identity
matching process before the departure of all international flights.
Customs and Border Protection (CBP), the DHS agency charged with
responsibility for conducting international aviation passenger
prescreening, published its proposed plan to strengthen passenger
prescreening in July 2006 in a notice of proposed rulemaking.[Footnote
4] Appendix III provides more detail on the notice of proposed
rulemaking and the two prescreening options that CBP provides to air
carriers in the proposed rulemaking.
This report is a limited version of the original report that we
provided to you on November 20, 2006. The various agencies we reviewed
deemed some of the information in that report as Sensitive Security
Information or Law Enforcement Sensitive. Therefore, this report omits
our findings associated with vulnerabilities we identified in the
existing passenger prescreening process and measures that could be
taken to address those vulnerabilities. This report also omits key
details regarding certain procedures, timeframes and locations
associated with the passenger prescreening process. The objectives of
the original report addressed:
* the main factors affecting the international passenger prescreening
process, and the potential impact of these factors, and:
* the status of efforts to address these factors, and the issues, if
any, that could affect efforts to strengthen the international
passenger prescreening process.
This version of the report focuses on certain elements of the current
international aviation passenger prescreening process as well as some
of the actions that DHS is taking or has planned to strengthen
prescreening procedures. More specifically this report's content
addresses:
* the implementation of the Immigration Advisory Program (IAP), a CBP
program that assesses risk levels for certain passengers in limited
overseas locations;
* the alignment of international and domestic passenger prescreening
processes; and:
* compliance with privacy laws with respect to information collected to
conduct international passenger prescreening.
Although the information provided in this version of the report is more
limited in scope, the overall methodology used for our initial report
is relevant to this report as well because the information contained in
this report was derived from the initial sensitive report. To address
the objectives of our initial report we interviewed officials and
obtained and analyzed relevant documents from CBP, including the
National Targeting Center (NTC); the Transportation Security
Administration (TSA), including the Transportation Security Operations
Center (TSOC); and the Terrorist Screening Center (TSC). To obtain a
cross section of both domestic and foreign air carriers' views about
the international passenger prescreening process, including the impact
of current U.S. prescreening requirements and the potential impact of
future requirements, we interviewed officials from 13 air carriers that
fly passengers to and from the United States.[Footnote 5] We also
interviewed officials from two domestic air carrier and passenger
travel associations and three international air carrier associations
that represent the interests of air carriers and travelers to discuss
the impact of current and potential future U.S. international
prescreening requirements on their members. We met with foreign
government officials in the Netherlands, Poland, the United Kingdom,
Australia, and New Zealand to discuss the impact of current and
potential future U.S. international prescreening requirements and
obtain information about aviation prescreening programs in place in
these countries. We also met with officials from the European Union to
discuss the impact of U.S. prescreening requirements on air carriers
with operations in Europe. Additionally, we interviewed and obtained
documents from private sector companies that facilitate the electronic
transmission of passenger data between air carriers and government
agencies to determine their role, if any, in future international
aviation passenger prescreening initiatives. We conducted our work,
which took place from April 2005 through October 2006, in accordance
with generally accepted government auditing standards. Appendix I
contains more detail about our scope and methodology.
Results in Brief:
DHS has several efforts underway to strengthen international aviation
passenger prescreening. Two of these efforts include:
* Conducting overseas review of some high-risk passengers' travel
documents. One prescreening effort that CBP has under way is designed
to increase the level of scrutiny given to the travel documents of
certain high-risk passengers before they board international flights
traveling to the United States. Under this pilot program, called the
Immigration Advisory Program (IAP), CBP assigns officers to selected
foreign airports where they utilize an automated risk-targeting system
that identifies passengers as potentially high-risk--including
passengers who do not need a visa to travel to the United States. CBP
officers then personally interview some of these passengers and
evaluate the authenticity and completeness of these passengers' travel
documents. Successful implementation of the IAP rests, in part, on CBP
clearly defining the goals and objectives of the program.
* Aligning international and domestic prescreening programs. A second
prescreening effort under way is designed to align international
passenger prescreening with a similar program under development for
prescreening passengers on domestic flights. The Transportation
Security Administration--a separate agency within DHS--is developing a
domestic passenger prescreening program called Secure Flight. Once
Secure Flight is operational, TSA will be operating a domestic
passenger prescreening system, and CBP will be operating an
international passenger prescreening system. As currently envisioned,
both programs will screen passengers whose itinerary includes both an
international flight and a domestic connection within the United
States. If the two programs are not effectively aligned, each program
could result in separate implementation requirements for air carriers.
This could result in additional costs to the air carriers and the U.S.
government, and cause confusion and inconvenience to passengers. CBP
and TSA officials stated that they are taking some steps to coordinate
their prescreening efforts, but they have not yet made all key policy
decisions.
In addition to these efforts to strengthen certain international
passenger prescreening procedures, one other issue, while not aimed at
strengthening the capabilities of international aviation passenger
prescreening, nonetheless requires consideration in the context of
these efforts. This issue is:
* Providing assurances of privacy protection as required by federal
privacy law. Federal privacy law requires agencies to inform the public
about how the government uses their personal information. Although CBP
officials have stated that they have taken and are continuing to take
steps to comply with these requirements, the current prescreening
process allows passenger information to be used in multiple
prescreening procedures and transferred among various CBP prescreening
systems in ways that are not fully explained in CBP's privacy
disclosures. Although CBP recently published additional privacy
disclosures related to its use of passenger data during the
prescreening process, CBP's current public disclosures do not fully
explain its uses of personal information during the entire prescreening
process. If CBP does not issue all appropriate disclosures, the
traveling public will not be fully aware of how their personal
information is being used during the passenger prescreening process.
To help DHS ensure progress on efforts to strengthen the international
passenger prescreening process, we recommended in our November 2006
report that the Secretary of the Department of Homeland Security and
the Commissioner of Customs and Border Protection take the following
steps: (1) complete a strategic plan and develop an evaluation strategy
for the Immigration Advisory Program pilot, (2) further align domestic
and international passenger prescreening processes and coordinate
prescreening efforts, and (3) ensure that international passenger
prescreening programs are in full compliance with federal privacy laws.
We provided a draft of this report to DHS and DOJ for their review and
comment. DHS, in its written comments, generally concurred with the
recommendations in the report. DHS and DOJ both provided technical
comments that we incorporated as appropriate. In its written comments,
DHS outlined the status of various efforts that it has in progress or
planned to address the recommendations. For example, DHS stated that
CBP has efforts under way to capture additional data in order to
properly evaluate the IAP's performance, and that there are ongoing
efforts by CBP and TSA to align procedures, systems and functional
requirements for their respective passenger prescreening programs. DHS
also noted in its comments the recent and planned efforts to publish
new privacy disclosure documents, such as the November 2006 system of
records for its automated targeting system, which would supplement its
other existing public disclosure documents. The full text of DHS's
comments is provided in appendix IV.
Background:
Passenger prescreening is one security measure among many implemented
both before and after the terrorist attacks of September 11 designed to
strengthen the security of U.S. commercial aviation. Together, these
various measures combine to form a multi-layered aviation security
approach. Although the prescreening of passengers on international
flights traveling to or from the United States predated the September
11, 2001 terrorist attacks, this process was strengthened after the
attacks.
Current International Passenger Prescreening Process Relies on Two
Different Sets of Passenger Data and Involves Multiple Steps:
The current international passenger prescreening process relies on two
different sets of passenger data and involves multiple prescreening
steps carried out by air carriers and CBP. The two sets of passenger
data include:
Passenger Name Record (PNR) data, such as name, address, and billing
information that passengers provide to air carriers, travel agents, or
online travel companies when making a flight reservation.
Advance Passenger Information System (APIS) data, such as name, date
and location of birth, and country of citizenship, which is derived
from passports and other government-issued documents, such as visas,
that most passengers must present to air carriers when checking in for
international flights.
A central prescreening activity involves matching identifying
information about passengers--including name and date of birth--against
the No Fly and Selectee Lists that are extracted from the TSC's
Terrorist Screening Database (TSDB) to identify potential security
threats in a process often called identity matching. The identity
matching step is conducted by both air carriers and the U.S.
government. Federal requirements state that air carriers must transmit
APIS data to CBP no later than 15 minutes before flight departure for
international flights originating in the United States and no later
than 15 minutes after flight departure for international flights bound
for the United States. In addition to these data, CBP occasionally uses
commercial data or data from other government databases during this
process to help confirm a passenger's identity.
A second prescreening activity, separate from identity matching,
involves using risk assessment tools to analyze passenger data to
assess the security risk that a passenger might pose. This constitutes
an effort to identify high-risk passengers that may not be on the No
Fly or Selectee Lists. Specifically, CBP uses an automated system,
called the Automated Targeting System-Passenger (ATS-P), that uses
available passenger data to apply a set of CBP-generated targeting
"rules" that CBP has determined are associated with increased passenger
risk. CBP uses both PNR and APIS data to apply the ATS-P rules. This
comparison results in a risk assessment for each passenger indicating
the passenger's relative security risk.
A third prescreening activity involves the review of passengers' travel
documents for evidence of forgery or fraudulent use. Depending on the
passenger, this document review can occur at three separate time frames
during the process of flying internationally, as follows: (1) the State
Department reviews the travel documents in advance of travel for
passengers who are required to obtain a visa in advance of their
travel, (2) air carrier personnel review passengers' travel documents
for authenticity upon check-in for flights, and (3) CBP officers review
passenger travel documents either upon the passengers' arrival in the
United States or, in some cases, prior to their departure for the
United States. Figure 1 provides an overview of the current passenger
prescreening activities as set against the basic steps typically taken
to fly internationally--including obtaining a flight reservation and
ticket, checking in for a flight, departing from one country, and
arriving in another.
Figure 1: Overview of Current Prescreening Activities for International
Flights:
[See PDF for image]
Source: GAO.
[A] An additional prescreening step occurs for those passengers
traveling to the United States from non-visa waiver program countries.
For these passengers this additional step involves State Department
officers reviewing the authenticity of their passports prior to issuing
a travel visa.
[B] In several overseas locations, CBP also reviews the travel
documents of selected high-risk passengers through a pilot program. See
page 14 for more details on the pilot program.
[End of figure]
Air Carriers Use Passenger Data Obtained during Reservation Process to
Conduct a Comparison against the No Fly and Selectee Lists:
Before a passenger receives a boarding pass, the air carriers conduct
an initial identity match, which (along with CBP's identity matching
process) constitutes the first step of the international passenger
prescreening process. To complete this prescreening step, air carriers
compare PNR data (information that is self-reported by passengers when
they make a flight reservation) against the No Fly and Selectee Lists
to determine if there are any identity matches. This prescreening step
is required to occur prior to flight departure. The No Fly and Selectee
Lists are extracted from the TSC's TSDB, the consolidated federal
government terrorist watch list (which contains the names of known or
suspected terrorists). Persons on the No Fly List are deemed to be a
threat to civil aviation and are therefore to be precluded from
boarding an aircraft traveling to, from, or within the United States.
Being on the Selectee List does not mean that the person will not be
allowed to board an aircraft or enter the United States. Instead,
persons on this list receive additional security screening prior to
being permitted to board an aircraft--this screening may involve a
physical inspection of the person and a hand-search of their luggage.
Examples of PNR data that may be collected at the time a reservation is
made include a passenger's name, home address, telephone number,
frequent flyer information, and e-mail address. If an air carrier
determines that a passenger's identity matches an identity on the No
Fly List, TSA requires the carrier to contact the TSA Office of
Intelligence so U.S. authorities can further verify whether the
passenger's identity matches the watch-listed identity.[Footnote 6]
CBP Uses Passenger Data Obtained during Passenger Check-in to Conduct
an Identity-matching Procedure:
CBP also conducts an identity matching process after air carriers
conduct their identity matching, but CBP's process utilizes APIS data.
These data are generally gathered from the passenger's passport--a
document required of almost all passengers flying into and out of the
United States.[Footnote 7] In most instances, these data are recorded
electronically from the traveler's machine-readable passport. This
process records information from the passport directly into the air
carrier's computer systems, thereby avoiding potential errors that
could occur by key-stroking the data. CBP uses the APIS data to conduct
identity matching using its automated systems including its law
enforcement databases and the No Fly and Selectee Lists, which CBP
transfers to its Treasury Enforcement Communications System
(TECS).[Footnote 8] If this review produces a positive match to the No
Fly List, the TSA Office of Intelligence is contacted to confirm the
match.
CBP Identifies Passengers Not on the No Fly and Selectee Lists Who May
Present Security Risks:
While the above prescreening activities focus on determining whether
any passengers are on the No Fly and Selectee Lists, CBP also conducts
a second prescreening step to identify other passengers, not on the No
Fly and Selectee Lists, but who may nonetheless present a potential
security risk. This step is a risk targeting process that occurs for
international flights traveling to or from the United States. CBP
conducts this risk-targeting using a computer-based system called the
Automated Targeting System-Passenger. This system compares passenger
data (both PNR and APIS data), along with data from government
databases (including the TSDB), against a set of targeting rules.
According to CBP officials, this risk-targeting process reflects CBP's
experience with indicators of possible illegal or other activities that
CBP is responsible for monitoring. This comparison results in a risk
assessment for each passenger that CBP uses to determine if the
passenger requires additional CBP contact--either before the passenger
boards a U.S.-bound aircraft or upon the passenger's arrival in the
United States. If a passenger's risk assessment indicates an elevated
security risk, CBP may decide to take additional security actions to
gather more information about the passenger. Additionally, CBP can also
decide that a passenger's risk level is sufficiently elevated that the
passenger should be prevented from boarding a flight. If the flight is
abroad, CBP officials stated that they can coordinate with State
Department Officers to contact U.S. Embassy Legal Attaché officials
assigned abroad at foreign embassies and consular offices. These Legal
Attaché officers coordinate with foreign law enforcement personnel to
identify, interview, or inspect the passenger before allowing the
passenger to board the flight.
Air Carriers and CBP Evaluate the Authenticity of Passenger Travel
Documents:
A third prescreening step involves air carriers and CBP determining the
authenticity of passenger travel documents. Before issuing boarding
passes on flights departing from or arriving in the United States, air
carriers are required to review each passenger's travel documents,
including passports and visas, to verify that the passenger is properly
documented for the intended destination. For U.S.-bound passengers, air
carriers are also required to validate that the passenger's passport
information matches the APIS data that the air carriers electronically
submit to CBP. CBP provides periodic training to air carrier personnel
to help them determine the authenticity and completeness of passenger
travel documents. CBP's review of passenger documentation can occur in
multiple locations. For example, CBP is always required to inspect
travel documents for passengers on international flights arriving in
the United States. However, in some overseas locations, CBP officials
also review passenger documents prior to the passenger boarding a U.S.-
bound international flight.
Federal Law Mandated That CBP Publish a Plan to Alter Its Prescreening
Process:
The current prescreening process is under revision and under a proposed
plan, the U.S. government will take over the process of identity
matching passengers against the No Fly and Selectee Lists from the air
carriers prior to flight departures. As part of the Intelligence Reform
and Terrorism Prevention Act of 2004,[Footnote 9] Congress mandated
that DHS issue a notice of proposed rulemaking (NPRM) by February 16,
2005, that would allow CBP to conduct its comparison of passenger
information against the No Fly and Selectee Lists before the departure
of all international flights traveling to or from the United States.
CBP issued its NPRM on July 14, 2006, and provided for a public comment
period.[Footnote 10]
Prescreening Passengers on Domestic Flights Involves a Different
Process:
Concurrent to the changes that are being considered for conducting
international passenger prescreening, TSA, the agency charged with
ensuring the security of all modes of transportation, is in the process
of modifying domestic passenger prescreening procedures. TSA is
required, by the Intelligence Reform and Terrorism Prevention Act of
2004, to develop a prescreening program through which TSA would assume
the domestic watch list matching function currently conducted by air
carriers prior to domestic flight departures. TSA has named this
prospective prescreening program Secure Flight.
As we have reported in our prior work on Secure Flight, currently only
air carriers--and not the U.S. government--match passenger information
against the No Fly and Selectee Lists to prescreen passengers on
domestic flights. [Footnote 11] We have also reported that TSA has
faced significant management challenges in the past in developing the
Secure Flight program, and that key policy decisions that would affect
the effectiveness of the program had not yet been made. In 2006, TSA
announced that it was delaying the development of Secure Flight in
order to reassess the program's goals, requirements, and capabilities.
The current domestic prescreening process also requires that air
carriers operate the Computer-Assisted Passenger Prescreening System
(CAPPS), which identifies passengers for secondary screening based on
certain travel behaviors reflected in their reservation information
that are associated with threats to aviation security, as well as
through a random selection of passengers.[Footnote 12] Figure 2
highlights the main steps of, and differences between, the prescreening
of passengers on domestic and international flights.
Figure 2: Overview of Current Differences between the Domestic and
International Prescreening Process:
[See PDF for image]
Source: GAO, MapArt (map).
[A] International flights departing from the United States that are
operated by U.S. air carriers are required to also operate CAPPS to
identify passengers for secondary screening. This occurs in addition to
the risk assessments being conducted by CBP.
[End of figure]
DHS is Taking Steps to Strengthen the Current International Passenger
Prescreening Process:
CBP has several efforts under way to strengthen certain international
passenger prescreening processes. One such effort involves the
placement of CBP personnel overseas to interview some high-risk
passengers and inspect their travel documents in advance of their
departure to the United States. This program also incorporates a
mechanism to provide air carrier personnel with additional training on
identifying fraudulent travel documents. As it revises the
international passenger prescreening process, CBP is also attempting to
align its process with the prospective program to prescreen passengers
on domestic flights, which will be administered by the TSA.
Immigration Advisory Program Developed to Increase Review of Travel
Documents for Some High-Risk Passengers at Foreign Airports:
One program, currently in place but supplemental to the primary
international passenger prescreening processes, is a program that
provides additional scrutiny to passengers and their travel documents
at foreign airports prior to their departure for the United States.
This program, called the IAP,[Footnote 13] is a pilot program that
began in 2004 and was designed to identify and target potential high-
risk passengers. Under the IAP pilot, CBP has assigned trained officers
to foreign airports where they personally interview pre-identified high-
risk passengers, conduct behavioral assessments, and evaluate the
authenticity of travel documents prior to the passenger's departure to
the United States. The pilot program has been tested in several foreign
airports, and CBP is negotiating with other countries to expand it
elsewhere and to make certain IAP sites permanent.
The IAP pilot serves both national security and immigration functions.
According to CBP, the purpose of the IAP is to (1) prevent passengers
identified as security threats from boarding international flights
bound for the United States, (2) provide no board recommendations to
the air carriers for passengers who are not properly documented for
entry into the United States, (3) provide training to air carrier
personnel on how to detect fraudulent travel documents, (4) provide
advance notice to U.S. authorities of passengers that warrant closer
inspection upon their arrival in the United States, (5) collect law
enforcement information on known or suspected criminal aliens and
smugglers, and (6) share information with foreign government and law
enforcement officials regarding trends in illegal travel. CBP officials
and others have also stated that a secondary benefit of the IAP pilot
is to help facilitate the legitimate travel of passengers, particularly
U.S. citizens. Figure 3 depicts how the IAP works at international
airports.
Figure 3: Immigration Advisory Program Process:
[See PDF for image]
Source: GAO.
[End of figure]
Perceived Successes of IAP Led CBP to Expand the Program:
The IAP pilot began at several sites in 2004. Each site consists of a
group of IAP officers and a team leader. Team leaders are typically
assigned to longer posts as compared to other IAP officers. Expansion
of the pilot program to other locations has already begun. The
Intelligence Reform and Terrorism Prevention Act of 2004 requires that
CBP identify 50 foreign airports for further expansion of the IAP, and
CBP has subsequently completed this list.[Footnote 14]
CBP has reported several successes through the IAP pilot. According to
CBP documents, from the start of the IAP pilot in June 2004 through
February 2006, IAP teams made more than 700 no-board recommendations
for inadmissible passengers and intercepted approximately 70 fraudulent
travel documents. CBP estimated that these accomplishments equate to
about $1.1 million in cost avoidance for the U.S. government associated
with detaining and removing passengers who would have been turned away
after their flights landed, and $1.5 million in air carrier savings in
avoided fines and passenger return costs.[Footnote 15] According to
CBP, these monetary savings have defrayed the costs of implementing the
program. However, it is not yet clear whether CBP anticipates, or
expects, that the IAP will pay for itself through its government and
air carrier cost savings, as it previously asserted.[Footnote 16]
CBP officials said that they have also expanded a related program for
training air carrier staff to better identify fraudulent identity
documents and placed this program within IAP. This program, known as
the Carrier Liaison Program, officially began in February 2006.
According to CBP officials, CLP's purpose is to enhance border security
by providing technical assistance and training to air carrier staff on
the identification of improperly documented passengers destined for the
United States.
To continue to strengthen and successfully expand the IAP, CBP is faced
with concerns expressed by host government and IAP officials about the
duration of its IAP officer rotations. CBP officials said that they
were aware of these concerns and are taking steps to address the
matter.
CBP's IAP Is Similar to Programs in Other Countries:
Several other countries, such as the United Kingdom, Canada, Australia,
and New Zealand, also operate programs similar to IAP. Known as airline
liaison officer (ALO) programs, these programs have in some cases been
operating since the late 1980s. Like IAP, these countries also
generally post officers overseas at airports in an attempt to intercept
improperly documented passengers from traveling to their country. CBP
officials are aware of these programs but believe that the IAP is
different in some key respects. Most notably, CBP officials stated that
IAP's focus is on terrorism, while ALO programs focus primarily on
illegal immigration. However, valuable lessons can be gained from the
experiences of these other countries in implementing similar programs
as CBP continues to develop its IAP pilot. For example, officials from
one ALO program stated that their country incorporated a Web-based
system that allows its ALO officers to record improperly documented and
other suspect travelers. These data can then be instantly accessed and
analyzed at headquarters so that the information can be used to make
changes to improve all of the country's ALO locations. Another ALO
program utilizes PNR data to identify trends in document fraud,
allowing its ALO network to quickly transmit alert information into its
passenger screening system so that identified passengers can be
screened further at check in prior to boarding an aircraft. CBP,
however, relies upon each IAP site to send aggregate reporting
statistics to CBP headquarters--potentially limiting the program's
ability to rapidly analyze and act on trends in document fraud since
there is a time delay in CBP headquarters receiving the data.
Additionally, a United Kingdom official stated that their ALO program
benefited from expanding the program slowly during the initial stages
of the program to allow the United Kingdom government to learn
important lessons from its early ALO sites. Appendix II contains a
summary of information and potential lessons to be learned from the ALO
programs of other countries.
CBP Could More Fully Incorporate Risk Management Principles in the IAP
Pilot:
CBP has not taken all of the steps necessary to fully learn from its
pilot sites in order to determine whether the program should be made
permanent and the number of sites that should exist. These steps are
part of a risk management approach to developing and evaluating
homeland security programs. Risk management is a continuous process of
assessing risks, determining the best available actions to mitigate
these risks, implementing actions to reduce risks, and evaluating these
actions to determine their level of benefit. Managing homeland security
efforts on the basis of risk has received widespread support from
Congress, the President, and others as a way to help set priorities
effectively and to allocate limited resources. A risk management
framework includes such elements as formally outlining the goals of the
program, setting measurable performance measures, and evaluating
program effectiveness.[Footnote 17]
Although CBP is currently taking steps to make its IAP sites permanent
and to expand the program to other foreign locations, CBP has not
finalized a strategic plan for the program that delineates program
goals, objectives, constraints, and evaluative criteria. We have
reported in the past that high-performing organizations have a focus on
achieving results and outcomes and foster a results-oriented
organizational culture to reinforce this focus. Key to developing this
focus is strategic planning, which involves having a mission that
employees, clients, customers, partners, and other stakeholders
understand and find compelling; setting goals to achieve the mission;
and aligning the organization's activities, core processes, and
resources with those goals.[Footnote 18] CBP officials told us that
they have drafted a strategic plan for the IAP, which contains program
goals and performance measures, but CBP stated that the plan has not
yet been finalized.
DHS Intends to Align International and Domestic Prescreening Programs,
but DHS Has Not Yet Made All Key Policy Decisions:
A second effort that CBP has under way to strengthen the international
passenger prescreening process involves the alignment of the U.S.
government's international and domestic aviation prescreening programs,
which are being developed separately by CBP and TSA, respectively.
Aligning these two programs is particularly important because many
passengers in the United States who are traveling to or from foreign
destinations have a domestic flight in addition to their international
flight. Passengers traveling on these types of flights are currently
subjected to two different prescreening processes.
The air carrier community has asked CBP and TSA to coordinate their
efforts to ensure that the programs are compatible and are developed as
a single approach to avoid the need for air carriers to implement two
separate screening systems to meet CBP and TSA requirements. Without
such coordination, air carriers might have to implement different
information connections, communications, and programming for each
prescreening program, as well as ensure that their data are compatible
with each program. In a joint letter to the Secretary of DHS, the Air
Transport Association of America (ATA) and the Association of European
Airlines (AEA) urged DHS to coordinate international and domestic
aviation passenger prescreening programs so that air carriers are not
unduly burdened by the costs and inefficiencies posed by working with
two different prescreening programs. The letter also stated that ATA
and AEA believed that there had been a lack of full coordination
between CBP and TSA in aligning their respective passenger prescreening
programs. Further, as we have previously reported, since both agencies
are developing and implementing passenger prescreening programs, CBP
and TSA could mutually benefit from the sharing of technical testing
results and the coordination of other developmental efforts.[Footnote
19] Coordination and planning in the development of these two programs
would also enhance program integration and interoperability and
potentially limit redundancies.
In 2004, CBP and TSA officials stated that they recognized the
similarities between the international passenger prescreening and the
proposed domestic prescreening programs, and acknowledged the need to
coordinate the two programs. According to CBP officials, DHS has
expressed its intention to align international and domestic passenger
prescreening efforts, and decided to develop one "portal" through which
carriers will transmit passenger data to the government for domestic
and international flights. CBP officials further stated that
interagency discussions with TSA have resulted in a decision to create
a single communication point for the submission of the passenger data
for both domestic and international flights, one of the main concerns
of air carriers.
Despite these coordination efforts and DHS's commitment to align the
processes, CBP and TSA have not yet made all of the policy decisions to
complete the alignment between the CBP international prescreening
program and the prospective Secure Flight program, including the use of
different data elements, documentation, and identity matching
technologies to conduct prescreening.[Footnote 20] CBP officials stated
that many of these policy and technical decisions have not been made
because TSA is in a process of "rebaselining" its Secure Flight
program, which involves TSA reassessing program goals, requirements,
and capabilities. In discussions with us, CBP and TSA officials stated
that these coordination efforts were continuing, but they did not
provide any documentation of how such matters were being resolved or
when they planned for the programs to be aligned.
CBP Has Not Fully Disclosed its Use of Personal Information during the
Prescreening Process:
One additional issue requires consideration, as well, in the context of
DHS's efforts to strengthen the passenger prescreening process. Despite
recent efforts by CBP to provide more detailed information to the
public about its use of passenger data during the international
passenger prescreening process, CBP has not fully disclosed or assessed
the privacy impacts of its use of personal information during
international passenger prescreening as required by law. The Privacy
Act of 1974 and the E-Government Act of 2002 require federal agencies
to protect personal privacy by, among other things, limiting the
disclosure of personal information and informing the public about how
personal data are being used and protected. Federal agencies inform the
public of their use of personal information by issuing two types of
documents:
System of records notices: The Privacy Act requires that agencies
publish a notification in the Federal Register that informs the public
when they establish or make changes to a system of records.
Privacy impact assessment: The E-Government Act requires that agencies
analyze how information is handled to (1) ensure handling conforms to
applicable legal, regulatory, and policy requirements regarding
privacy; (2) determine the risks and effects of collecting,
maintaining, and disseminating information in identifiable form in an
electronic information system; and (3) examine and evaluate protections
and alternative processes for handling information to mitigate
potential privacy risks.[Footnote 21]
Although CBP has taken certain actions to meet the requirements of the
Privacy and E-Government Acts, including the recent publication of
additional privacy disclosures, these actions have not fully informed
the public about how personal information is being used, as required by
law. Specifically, CBP has published public notices and reports that
describe certain elements of its international prescreening process,
but these documents do not fully or accurately describe CBP's use of
personal data throughout the passenger prescreening process. It is
important for CBP's documentation to describe all of the steps of the
prescreening process because the interrelationship of various steps of
the process allows data to be transferred and used in ways that have
not been fully disclosed.
CBP's international prescreening process involves a wide range of
procedures and data sources that CBP utilizes to determine passenger
risk levels. According to a CBP official, to help make these
prescreening decisions, CBP collects personal data from multiple
sources (including passengers and government databases), and uses the
data for several purposes, including identity matching against the
government watch list, risk targeting, and passenger document
validation. According to CBP, its officers also use commercial data, to
a limited degree, to assist them in confirming a passenger's identity
when needed. CBP's public disclosures about APIS and ATS do not
describe all of the data inputs or the extent to which the data are
combined and used in making prescreening decisions.[Footnote 22] As
shown in Figure 4, CBP's passenger prescreening involves more data
inputs and uses of data than are described in CBP's current privacy
disclosures.
Figure 4: The interaction between CBP Prescreening Systems and Data
Usage:
[See PDF for image]
Source: GAO.
[A] CBP officers can utilize TECS and ATS-P databases to enter
"lookout" alert flags. Not all CBP officers have access to all of the
databases listed.
[B] In the APIS privacy impact assessment, CBP defined APIS as a
system. However, CBP officials later stated that APIS is not a system
but rather data that are sent to the TECS to conduct identity matching.
[C] CBP officials stated that commercial data are only used in rare
situations when a passenger's identity cannot be verified against other
information.
[D] CBP officers use data from the TSC as needed to help confirm a
passenger's identity.
[End of figure]
CBP has stated that its public reporting on its use of APIS data
complies with the Privacy Act through references to previously
published Privacy Act notices about systems used during the
prescreening process. However, these references are not sufficient
because they do not fully disclose CBP's use of personal information
during the prescreening process. Specifically, CBP stated that because
APIS is a system within the Treasury Enforcement Communications System,
it is described in the TECS system of records notice, which was
published in October 2001. CBP also referenced a 2003 system of records
notice for the DHS Arrival and Departure Information System (ADIS),
which interfaces with TECS, but which CBP officials stated separately
is not used by CBP in the passenger prescreening process. However,
neither of these notices specifically describes CBP's passenger
prescreening or the use of APIS or PNR data.
Although CBP has stated that its previous privacy disclosures
sufficiently complied with federal privacy law, on November 2, 2006,
DHS published a Privacy Act system of records notice for ATS. In
addition, on November 22, 2006, DHS published a privacy impact
assessment for ATS. Both of these documents refer to the ATS-P system
used in CBP's aviation passenger prescreening process. These
disclosures --released after CBP received an earlier version of this
report--provide much more detailed information on ATS-P as compared
with prior privacy disclosures. Nevertheless, CBP has still not
published a system of records notice or a privacy impact assessment
that comprehensively describes the entire prescreening process. For
example, although CBP has published a privacy impact assessment for
APIS and ATS, neither disclosure describes the combined use of APIS and
PNR data in passenger prescreening decision-making. The disclosures
also do not describe that during the prescreening process CBP officers
are able to access personal data obtained from commercial providers.
Because CBP's development and operation of its international passenger
prescreening process has not been accompanied by the publication of
Privacy Act notices or E-Government Act privacy impact assessments that
fully describe the use of personal data and the steps taken to protect
privacy, the public may not be aware of the different ways that their
information is being used or protected, as required by law. Although
maintaining that their prior privacy disclosures were fully compliant
with federal privacy law, CBP stated in May 2006, and DHS reiterated in
its official comments to this report in January 2007, that CBP plans to
revise the APIS privacy impact assessment and issue a system of records
notice for APIS. However, no deadline has been given for when these
steps will be completed. As CBP moves forward with future modifications
to its prescreening process, it will be important for CBP to fully
assess and disclose data privacy protections used in these prescreening
programs as well.
Conclusions:
Since the terrorist hijackings of aircraft on September 11, the United
States and the rest of the world have uncovered new attempts to
threaten the security of the commercial aviation system. These threats
underscore the importance of continually reassessing the numerous
security measures put into place to secure commercial aviation. One key
security measure is the prescreening of passengers on international
flights--an important step to ensure that high-risk passengers do not
board international flights traveling to or from the United States.
Another important effort involves ensuring that international and
domestic prescreening programs are fully aligned to maximize their
effectiveness and cost efficiency for the government, airline industry
and passengers. In conjunction with conducting these important
prescreening activities, DHS must also be vigilant about ensuring that
it is in full compliance with public privacy requirements.
CBP is currently taking various and important steps to strengthen the
international aviation passenger prescreening process. CBP's recent
publication of a proposed rule for changing the procedures and timing
for conducting passenger identity matching is an important step.
Another important effort to strengthen the international aviation
passenger prescreening process is aligning the process with TSA's new
domestic prescreening program. Efforts to significantly expand the IAP
may also strengthen the prescreening process, although CBP will need to
ensure that sufficient data are collected to allow for appropriate risk
assessments and evaluations.
While CBP recognizes and is taking steps to address many of the
challenges it faces in implementing its various planned prescreening
programs, there are three areas, in particular, that require further
planning and monitoring. These areas include:
* More fully incorporating risk management principles in the IAP pilot.
CBP is not benefiting from all of the information that could be learned
from the pilot program and remains at risk of expanding the program or
making IAP sites permanent without establishing a clear vision of what
the program is intended to accomplish and how its success will be
evaluated and measured. Without completing a strategic plan for the
IAP, the program may not realize its full potential security benefits
and could require substantial revisions after implementation.
* Aligning international and domestic passenger prescreening programs.
If these two prescreening efforts are not effectively coordinated with
each other, air carriers and other stakeholders could be unnecessarily
inconvenienced and experience potentially avoidable costs. The U.S.
government could incur avoidable costs as well, if the programs are not
properly coordinated and aligned. So far, CBP and TSA have taken some
steps to coordinate their efforts--for example, they have announced
their intention to develop a single portal for prescreening passengers
on domestic and international flights. However, CBP and TSA have not
yet made all of the key decisions necessary to align the two processes
nor have they completed a timetable for completing this process.
* Attaining full compliance with privacy laws. It is important that CBP
completes reports that fully describe the agency's use and protection
of personal data during the international passenger prescreening
process to ensure that it is complying with all applicable privacy
laws. CBP's current disclosures do not fully inform the public about
all of its systems for prescreening aviation passenger information nor
do they explain how CBP combines data in the prescreening process, as
required by law. As a result, passengers are not assured that their
privacy is protected during the international passenger prescreening
process.
Recommendations for Executive Action:
To strengthen CBP's international aviation passenger prescreening
process, in our November 2006 report we recommended that the Secretary
of the Department of Homeland Security take or direct the Commissioner
of Customs and Border Protection to take the following three actions:
* To more fully incorporate risk management principles into the
planning, implementation, and evaluation of the IAP pilot, CBP should
(1) prepare a strategic plan that identifies the risks, goals,
objectives, and performance measures for the IAP pilot, and (2) conduct
program evaluations that measure the performance of the pilot IAP sites
against predetermined goals and performance measures.
* To more fully align CBP's international aviation passenger
prescreening program with TSA's prospective domestic aviation passenger
prescreening program, take additional steps necessary to identify the
remaining impediments to alignment, make the key policy and technical
decisions needed to more fully coordinate these programs (including a
determination of the data and identity matching technologies that will
be used), and set time frames for when these efforts will be completed.
* To fully inform the public of possible uses of their personal
information, ensure that all required public data privacy disclosures,
including system of record notices and privacy impact assessments, are
completed to adequately cover each element of the international
passenger prescreening process. The privacy disclosures should fully
describe the use and handling of personal information within the
prescreening process and all of CBP's systems for conducting
international passenger prescreening.
Agency Comments and Our Evaluation:
We provided a draft of the security sensitive version of this report,
and related updates, to DHS and DOJ. On January 31, 2007, we received
written comments from DHS which are reproduced in full in Appendix IV.
DHS generally concurred with the three report recommendations and
provided technical comments, which we incorporated where appropriate.
DOJ also provided technical comments, which we incorporated where
appropriate.
Regarding the actions DHS reported taking to address the
recommendations, DHS stated that it has completed an IAP Strategic Plan
and that the plan has been sent for Departmental review. DHS provided a
copy of the draft IAP Strategic Plan to GAO. While DHS stated that the
draft strategic plan outlines the measures that CBP intends to use to
assess the IAP's performance, it is not yet clear from the draft
strategic plan how challenges as well as successes of the program will
be measured at each IAP site. This appears to be the case since all of
the performance measures outlined in the draft strategic plan are
likely to improve following the deployment of IAP officers, without
addressing program impediments. DHS also noted that CBP is developing
system enhancements that will permit simple input, extraction, and
analysis of empirical data necessary for baseline and current data. We
are encouraged by these efforts and believe that they will help CBP to
better evaluate the effectiveness of this pilot program. Moreover,
given CBP's intention to transition this pilot program into a permanent
one and expand the program to additional locations, it is important
that IAP officers and those managing the IAP have the sufficient data
necessary to make sound decisions.
Regarding the recommendation that steps be taken to more fully align
CBP's international passenger prescreening program with TSA's domestic
passenger prescreening program, DHS stated that its Screening
Coordination Office has directed CBP and TSA to align these programs.
DHS further stated that CBP has been working with TSA to align
procedures and systems and functional requirements, and that both CBP
and TSA will work with the Centers for Disease Control and Prevention
to harmonize data requirements and present a single face to the travel
industry. DHS also noted that CBP recognizes that air carriers have
invested significant resources to reprogram systems to comply with
CBP's regulations, and that CBP will continue to work to allow for the
submission of various passenger data through one transmission process.
Given the potential costs to air carriers and the government of having
prescreening procedures and requirements that are not aligned, we
encourage DHS to complete these efforts and make associated policy
decisions in a timely manner.
Regarding the recommendation that the public be fully informed of the
possible uses of its personal information and that all required public
data privacy disclosures are completed to adequately address each
element of the international passenger prescreening process, DHS
responded with several statements. CBP stated in its comments on the
draft report that it is and has been in compliance with both the
Privacy Act regarding System of Records Notices (SORNs) and section 208
of the E-Government Act of 2002 regarding Privacy Impact Assessments
(PIAs). CBP bases its compliance with the Privacy Act on the 2001
publication of a SORN for the Treasury Enforcement Communications
System (TECS). To the extent that all uses of personal information in
CBP international passenger prescreening can be associated with the
statements made in that notice, we would agree that CBP is in
compliance with the law. That notice, however, states that TECS
contains "[e]very possible type of information from a variety of
Federal, state, and local sources, which contribute to effective law
enforcement." This statement does not identify the categories of
records maintained in the system, as required by the Act, let alone
APIS and ATS, which CBP now describes as separate systems. It also does
not disclose that the system includes personal information collected
directly from individuals (i.e., passport data) and indirectly through
air carriers (i.e., PNR data). The TECS SORN does not "facilitate the
exercise of the rights of individuals" under the Act, as required by
OMB's Privacy Act guidance.[Footnote 23] While OMB guidance states that
agencies are granted considerable discretion in preparing SORNS, the
guidance stresses the importance of appropriately identifying the
purpose(s) of a system and ensuring that any associated notices have
"information value to the public." According to OMB, a major purpose of
the Act is "the publicizing of what those systems are and how they are
used." The TECS SORN has virtually no information value to the public
and cannot be said to meet the requirements of the Act.
CBP also stated in its comments that no PIA is required for its
prescreening process because the March 2005 APIS PIA addressed changes
to APIS, and there have been no changes to ATS since the E-Government
Act went into effect.[Footnote 24] This is incorrect for at least two
reasons. First, CBP's handling of personal information was
significantly altered on the basis of its July 2004 agreement with the
EU regarding handling PNR data from flights between the US and EU
member countries.[Footnote 25] The DHS Privacy Office's September 2005
report on the handling of EU PNR describes a number of changes made to
CBP systems and processes to better safeguard such data. These changes
are not addressed in any new or revised PIA or SORN. Second, the
privacy documents that CBP has published do not fully describe the use
of personal information in the CBP international passenger prescreening
process, even accepting CBP's statutory authority to limit public
disclosures under certain circumstances.[Footnote 26] Contrary to CBP's
characterization of CBP officers as merely conducting an "act of
physical inspection," the CBP international passenger prescreening
process involves decisions made by CBP officers on the basis of
information obtained from multiple sources. As described in our report,
CBP officers can retrieve identity matching information conducted with
APIS data, identity matching and risk targeting information performed
by ATS with PNR and APIS data, as well as information from other
government databases. They can also access commercial data sources,
although reportedly on a limited basis for confirming passenger
identities. Finally, they can also enter information about individuals
back into a number of government systems.[Footnote 27] These multiple
uses of information are not described in any CBP privacy documents.
Despite CBP's statement to the contrary, there are no legal limitations
to the Privacy Act or the E-Government Act that constrain the agency's
ability to provide the public with meaningful notice on the use and
protection of personal information.[Footnote 28] Furthermore, given
that the handling of personal information in the CBP prescreening
process has been significantly changed multiple times in the last
several years, including changes to address the EU PNR agreement and
changes to the collection of passenger manifest information via APIS,
the separate publication of APIS and ATS privacy documents satisfy the
requirements of neither the Privacy Act nor the E-Government Act.
Upon its issuance, we will provide copies of this report to the
Secretary of the Department of Homeland Security, the Commissioner of
Customs and Border Protection, the Administrator of the Transportation
Security Administration, and interested congressional committees.
If you have any questions about this report, please contact me at
BerrickC@gao.gov or (202) 512-3404. Key contributors to this report are
listed in appendix V.
Signed by:
Cathleen A. Berrick:
Director, Homeland Security and Justice Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
The information contained in this public report is narrower in scope
and detail than the original report and examines only limited aspects
of international passenger prescreening procedures. It focuses on only
certain elements of the current international aviation passenger
prescreening process as well as only some of the actions that DHS is
taking or has planned to strengthen prescreening procedures. More
specifically the report's content is limited to certain issues related
to:
* the implementation of the Immigration Advisory Program (IAP), a CBP
program that assesses risk levels for certain passengers in overseas
locations;
* aligning international and domestic passenger prescreening programs;
* ensuring that compliance with privacy laws is fully achieved with
respect to information collected to conduct international passenger
prescreening.
Although the information provided in this report is more limited in
scope, the overall methodology used for our initial report is relevant
to this report as well because the information contained in this report
was derived from the initial sensitive report. We addressed the
following objectives in our initial November 2006 report:
* the main factors affecting the international passenger prescreening
process, and the potential impact of these factors, and:
* the status of efforts to address these factors, and the issues, if
any, that could affect efforts to strengthen the international
prescreening process.
To address our first objective from the November 2006 report--the
factors that affect the international passenger prescreening process
and their potential impacts--we interviewed officials from Customs and
Border Protection (CBP), including staff at CBP's National Targeting
Center (NTC); the Terrorist Screening Center (TSC); and the
Transportation Security Administration (TSA) to understand the current
international passenger prescreening process and the data that are used
during this process. We obtained and analyzed relevant documents from
these agencies including statistics from the Immigration Advisory
Program pilot, documentation on CBP's use of data systems to conduct
international passenger prescreening, and a CBP summary memorandum
documenting the agency's decision not to pursue the Advanced Passenger
Prescreening (APP) system that currently operates in other countries
such as Australia and New Zealand. To obtain a cross section of air
carriers' views about the process, we selected air carriers that fly
large, medium, and small numbers of passengers annually into the United
States. For the purposes of this review, we defined the transport of a
large number of passengers as more than 1 million passengers annually,
we defined a medium number as between 500,000 and 1 million passengers
annually, and a small number as less than 500,000 passengers annually.
These criteria generally reflect the distribution of the incoming
passenger volume being flown into the United States between 2000 and
2004 as shown in Department of Transportation statistical reports.
Using these criteria, we interviewed officials from seven large air
carriers, four medium air carriers, and two small air carriers, both
domestic and foreign, that conduct international flights into and out
of the United States to discuss the impact of current U.S.
international passenger prescreening requirements on their operations.
We also spoke with officials from two domestic air carrier and
passenger travel associations and three international air carrier
associations to discuss the impact on their members of current
international passenger prescreening requirements. We also reviewed
documents from an international aviation association that evaluated the
potential impact on its membership of CBP's proposed passenger
prescreening reforms. To determine the number of No Fly and improperly
prescreened Selectee passengers who traveled on flights to or from the
United States during 2005, we obtained and analyzed TSA security
incident reports from January 1, 2005 to December 31, 2005.[Footnote
29]
To address our second objective from the November 2006 report--the
status of CBP's efforts to address these factors and the issues, if
any, that could affect efforts to strengthen the prescreening process-
-we interviewed officials from CBP and reviewed relevant documents. We
also interviewed officials from the seven large air carriers, three
medium air carriers, and two small air carriers, both domestic and
foreign, that conduct international flights into and out of the United
States to obtain their views on the potential impact of future U.S.
international prescreening requirements. We also spoke with officials
from two domestic air carrier and passenger travel associations, three
international air carrier associations, and a travel association that
represent the interests of air carriers and travelers to obtain their
views on the potential impact of future U.S. international prescreening
requirements including APIS-60 and AQQ. We visited two Immigration
Advisory Program (IAP) pilot sites and met with the IAP teams to
discuss the current status of the program and observe the prescreening
process at their respective locations. We discussed potential benefits
and challenges of the program with the IAP teams. We also reviewed and
assessed CBP's evaluations of IAP pilot sites. Furthermore, we met with
government officials from the United Kingdom and Canada to learn
details about their respective airline liaison officer (ALO) programs
and to obtain their views on how the IAP pilot compares with their ALO
programs. One foreign government provided documents that summarize the
functions of its ALO program. We also met with foreign government
officials in the Netherlands, Poland, the United Kingdom, Australia,
and New Zealand to discuss U.S. efforts to strengthen international
passenger prescreening and the potential impact of these programs.
Officials from Australia and New Zealand also provided documents
related to their respective APP prescreening systems. We met with
officials from the European Union to discuss the impact of U.S.
international prescreening requirements (including the advanced
transmission of passenger name record data) on air carriers originating
from Europe. Additionally, we interviewed and obtained documents from
private companies that facilitate the electronic transmission of
passenger data between air carriers and government agencies, including
CBP, to determine their role, if any, in future international aviation
passenger prescreening initiatives. To assess CBP's July 2006 Notice of
Proposed Rulemaking (NPRM), we obtained and analyzed documents
associated with the NPRM, including CBP's regulatory assessment for the
rulemaking. To assess whether CBP disclosed, as required by law, its
use of passenger information during the prescreening process, we
reviewed CBP's published privacy impact assessments and system of
records notices. We also met with CBP and DHS officials regarding their
current and draft privacy documents related to passenger prescreening.
To determine the extent to which CBP has utilized risk management
principles to guide decisions on passenger prescreening, we used a risk
management framework developed and tested by GAO over several
years.[Footnote 30] The risk management framework was developed by GAO
after a review of government and private sector documents on risk
management and interviews with recognized experts in risk management
and terrorism prevention. We used elements of the risk management
framework as criteria to analyze CBP's actions in developing and
implementing its existing international passenger prescreening process,
as well as CBP's proposed and planned actions to modify the
international passenger prescreening process. We conducted our work,
which included updates to our version of the report that contains
sensitive security information, from April 2005 through November 2006
in accordance with generally accepted government auditing standards.
[End of section]
Appendix II: Airline Liaison Officer Programs Implemented In Other
Countries:
Several countries have created airline liaison officer (ALO) programs
and placed officers in foreign countries to reduce the number of
improperly documented passengers traveling into their respective
countries. These officers also assist air carrier staff in establishing
whether individual passengers who may appear to be improperly
documented are actually eligible to fly without resulting in fines to
the air carrier. According to the International Air Transport
Association Code of Conduct for Immigration Liaison Officers, the
liaison officers' primary responsibilities include:
* Establishing and maintaining a good working relationship with the
airlines, local immigration, police, other appropriate authorities, and
other liaison officers posted to that country and with consular staff
of other missions. Additionally, liaison officers assist local
immigration and police authorities in gathering and sharing information
related to the movement of improperly documented passengers.
* Training airline staff in the general principles of passport and visa
requirements, passenger assessment, and awareness of fraud and forgery,
and advising airline staff on whether travel documents and visas are
genuine, forged or fraudulently obtained.
Table 1 shows a side-by-side comparison of the characteristics of ALO
programs from four countries.
Table 1: The Characteristics of Selected ALO Programs:
Characteristics: Initiation date;
U.K. Airline Liaison Officer Program: 1993;
Canadian Migration Integrity Program: 1989;
Australian Airline Liaison Officer Program: 1989;
New Zealand Airline Liaison Officer Program: 1991.
Characteristics: Number of locations;
U.K. Airline Liaison Officer Program: 32;
Canadian Migration Integrity Program: 39;
Australian Airline Liaison Officer Program: 14;
New Zealand Airline Liaison Officer Program: 9.
Characteristics: Approximate number of staff;
U.K. Airline Liaison Officer Program: 34;
Canadian Migration Integrity Program: 45;
Australian Airline Liaison Officer Program: 20;
New Zealand Airline Liaison Officer Program: 9.
Characteristics: Number of officers at each location;
U.K. Airline Liaison Officer Program: 1-2;
Canadian Migration Integrity Program: 1- 2;
Australian Airline Liaison Officer Program: 1-2;
New Zealand Airline Liaison Officer Program: 1.
Characteristics: Physical location of staff;
U.K. Airline Liaison Officer Program: At nearest embassy;
Canadian Migration Integrity Program: At nearest embassy;
Australian Airline Liaison Officer Program: At airport;
New Zealand Airline Liaison Officer Program: At nearest embassy or with
an air carrier.
Characteristics: Mission;
U.K. Airline Liaison Officer Program: Reduce travel document fraud;
Canadian Migration Integrity Program: Reduce travel document fraud;
Australian Airline Liaison Officer Program: Reduce travel document
fraud;
New Zealand Airline Liaison Officer Program: Reduce number of refugee
cases.
Source: GAO analysis of ALO programs.
[End of table]
These ALO programs have incorporated various approaches regarding data
collection, program expansion, and staffing to allow for continuous
improvement and measurement of their liaison programs. For example, the
Canadian Migration Integrity Officers (MIO) program developed a system
that regularly collects data on improperly documented arrivals in
Canada and other suspect travelers and records this information in a
Web database to develop trend and other analyses. These data are also
used to measure the success of the Canadian MIO program. Canadian
officials stated that this web-based database allows Canada to
immediately inform air carriers of violations, has assisted in reducing
the number of violations and fines, and has allowed air carriers to
take corrective action in a timely manner. Similarly, officials from
the United Kingdom ALO program stated that they also collect statistics
and intelligence to develop profiles and trends on particular flights
for use in their program. The New Zealand ALO program utilizes
passenger name record (PNR) data to identify the trends of travelers
utilizing fraudulent passports to travel to their country. New Zealand
officials stated that accessing and using PNR data in real time has
allowed their ALO network to immediately load alert or referral
information into its passenger-screening system so that identified
passengers can be screened further at check-in prior to boarding. New
Zealand officials also stated that they utilize data to conduct
assessments and intensive reviews of the highest risk countries and
passengers, which they then use to determine the location of airline
liaison sites. Some New Zealand ALO sites also have direct access to
the immigration application system, which allows their liaison officers
to directly input alerts as necessary. The New Zealand government is
also currently considering providing ALO officers with handheld
computers to facilitate more efficient communications. Australian
officials stated that at several of their ALO sites the liaison
officers work under a particular air carrier versus going through the
typical approval process needed to establish an overseas program, which
may take a long time to complete. According to these officials, this
type of arrangement provides them with the advantage of being able to
quickly move liaison officers from location to location when needed to
keep up with trends in illegal passenger travel. Both the United
Kingdom and the Canadian ALO programs expanded gradually. A United
Kingdom ALO program official validated this approach by suggesting that
limited growth of ALO programs during the initial stages allowed
countries to fully learn from the pilot program before expanding to
other countries.
[End of section]
Appendix III: APIS Quick Query (AQQ) and APIS Minus 60 Minutes (APIS-
60):
In July 2006, CBP released a notice of proposed rulemaking that would
require air carriers to transmit APIS data to CBP prior to the
departure of all international flights departing from or bound for the
United States. The notice of proposed rulemaking provided air carriers
with two main options for prescreening passengers on international
flights prior to departure. One option under the proposed rule would
require air carriers to send APIS data on all passengers to CBP 60
minutes before a flight's departure. The other option would allow air
carriers to transmit APIS data on a passenger-by-passenger basis, up to
15 minutes prior to a flight's departure. The two options are designed
to accommodate air carriers with different types of
operations.[Footnote 31]
Under both options, CBP has broadly outlined the procedures for air
carriers to receive a "not-cleared" response which would identify that
a passenger is prohibited from boarding an aircraft. CBP would provide
this response to the air carrier prior to the passenger boarding the
aircraft. In addition to satisfying requirements under the Intelligence
Reform and Terrorism Prevention Act, both options would strengthen the
prescreening process.
First Prescreening Option: Transmitting APIS Data 60 Minutes Prior to
Departure:
The first option under the proposed rule would require air carriers to
transmit APIS data to CBP for all passengers on a flight 60 minutes
prior to the flight's departure. This approach is known as APIS-60. The
APIS-60 option will require an air carrier to transmit a manifest to
CBP with APIS information for all passengers on the flight 60 minutes
before the flight departs. This option gives CBP staff approximately 60
minutes before flight departures to match the APIS information against
the lists and notify the carrier if any passengers should not be
allowed to travel. Under this option, a passenger would be issued a
boarding pass, but if a "not cleared" response is later received from
CBP, the air carrier would be responsible for denying boarding, or for
removing the passenger and his or her baggage from the aircraft, if the
passenger had already boarded the aircraft. This option, according to
CBP officials, is likely to be preferred by smaller air carriers that
are not dependent on having passengers transfer from connecting flights
(and therefore whose passengers would not likely have difficulty
checking in at least 60 minutes before flight departure). According to
CBP officials, these air carriers might prefer APIS-60 because it would
not require technical changes in how they transmit APIS data to CBP,
although it would require that carriers develop the technical means to
receive a screening response from CBP. In the fall of 2004, CBP
initially proposed APIS-60 as the sole approach for conducting
international prescreening. However, the International Air Transport
Association (IATA), the Air Transport Association of America
(ATA),[Footnote 32] and individual air carriers raised concerns about
the economic impacts they believed would be associated with
implementing APIS-60 across the industry. For example, they told CBP
that network flight schedules would have to change to expand the
minimum connection times between flights because all passengers would
be required to check in at the airport at least 1 hour in advance of
the flight so that information could be collected and sent to CBP on
time. Air carriers that carry passengers arriving on connecting
flights, which are known to operate on "hub-and spoke"
networks,[Footnote 33] said that they would be particularly affected
because their passengers could arrive on a variety of connecting
flights from many other airports, and some would not arrive 60 minutes
in advance of their connecting flight, making them ineligible to board
their scheduled flights. In addition, according to some air carriers,
the trend in the air carrier industry of moving toward self-service
check-in by some passengers has shortened the time between check-in and
scheduled flight departure times, further exacerbating the impact of
this type of approach. In response to industry concerns that the APIS-
60 approach would create serious problems for some carriers'
operations, CBP offered a second option for air carriers to consider
adopting to conduct passenger prescreening in advance of flight
departures.
Second Prescreening Option: Transmitting APIS Data as Each Passenger
Checks In for a Flight:
The second option under the proposed rule would require air carriers to
send APIS data to CBP as each passenger checks in for a flight. CBP
would then complete its identity match against the No Fly and Selectee
Lists and send a response to the air carrier--generally within 4
seconds--identifying that the passenger is either cleared or not-
cleared for boarding. Since this approach would utilize a nearly
instantaneous data transmission between air carriers and CBP, it is
known as a real-time prescreening option.[Footnote 34] For those
passengers found to be eligible to board, the response message from CBP
would identify that the air carrier is permitted to issue a boarding
pass and receive checked-in luggage from the passenger.[Footnote 35]
Known as APIS Quick Query (AQQ), this approach would represent a
significant change to the current prescreening process in that CBP
would complete its identity matching for each passenger separately,
instead of conducting identity matching for all passengers on a flight
at the same time.
CBP officials believe that larger carriers with hub-and-spoke
operations are the most likely to choose the AQQ option, in part
because larger carriers are more likely to have the communications
infrastructure needed to develop and install the new interactive
system. Some air carriers have expressed the desirability of receiving
a real-time cleared/not cleared response from CBP earlier in the
prescreening process such as what AQQ would provide. This timing would
allow them to know almost immediately if an identified passenger
represents a potential security risk.
CBP officials are already in the process of developing the AQQ system.
Under this approach, the federal government would bear the costs
associated with the actual prescreening of passengers. However, air
carriers would be responsible for any changes needed to their internal
information technology systems and the transmission of APIS data. This
type of real-time interactive prescreening approach is currently in use
in several countries, including Australia, New Zealand, and Bahrain,
through a system called Advance Passenger Processing (APP). The APP
system was initially used by Australia's Customs Service and Department
of Immigration and Multicultural and Indigenous Affairs, and was first
implemented in 1995.
AQQ and APP are both real-time interactive concepts but are different
systems. CBP officials stated that they considered APP when determining
which prescreening options to pursue but, in an August 2005 memorandum,
identified a number of reasons for not adopting it.[Footnote 36]
Nonetheless, the experience of these other countries with APP may be of
value to CBP as it continues to develop the AQQ program. For example,
Australian government officials told us that the successful deployment
of the APP program was dependent upon working closely with air carriers
to ensure system functionality upon implementation. This will be
particularly important with regard to the AQQ given that almost 200 air
carriers fly international routes into and out of the United States,
assuming that a number of these air carriers decide to participate in
AQQ.[Footnote 37] Officials from Australia and New Zealand said that
they were willing to continue to share relevant lessons learned as CBP
works to develop its AQQ program.
[End of section]
Appendix IV: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
January 31, 2007:
Ms. Cathleen A. Berrick:
Director, Homeland Security and Justice Issues:
U.S. Government Accountability Office:
Washington, D. C. 20548:
Thank you for the opportunity to comment on draft report GAO-07-55,
"Aviation Security: Efforts to Strengthen International Passenger
Prescreening are Underway, but Planning and Implementation Issues
Remain." The Department of Homeland Security (DHS) concurs with the
recommendations.
Our specific approaches for addressing the recommendations are
reflected below.
Recommendation 1: Complete a strategic plan for the Immigration
Advisory Program (IAP) and conduct program evaluations that measure the
performance of the pilot IAP sites against predetermined goals and
performance measures.
Response: Concur. The IAP Strategic Plan has been completed and was
sent for Departmental review. CBP provided a copy of the plan to GAO.
The IAP Strategic Plan outlines the measures CBP intends to use to
assess the performance of IAP.
With regard to conducting program evaluations that measure the
performance of the pilot IAP sites against predetermined goals and
performance measures, CBP is developing systems enhancements that will
permit simple input, extraction and analysis of empirical data
necessary for baseline and current data. These systems enhancements
known as Secured Integrated Government Mainframe Access (SIGMA) are
currently in production and slated for introduction to multiple US
ports in January 2007. SIGMA will be used to collect and analyze the
relevant data in order to properly evaluate IAP performance. It is
expected that SIGMA will be phased to additional ports and utilized by
June 2007.
Recommendation 2: Further align the Transportation Security
Administration's (TSA) domestic and CBP's international aviation
passenger prescreening processes and coordinate prescreening efforts.
Response: Concur. CBP and TSA are working cooperatively to align the
Advance Passenger Information System (APIS) Quick Query (AQQ process
with the Secure Flight (SF) program. CBP and TSA will align the
procedures, systems and functional requirements necessary to complete
passenger pre-screening using one external process.
Both CBP and TSA will work with the Center for Disease Control to
harmonize data requirements and present a single face to the travel
industry. It is estimated that processes and the coordination of
prescreening efforts will be implemented by December 2007.
Recommendation 3: Ensure that international aviation passenger
prescreening programs are in full compliance with federal privacy laws.
Response: Concur In Part. CBP would like to reemphasize that it is and
has been in compliance with both the Privacy Act regarding System of
Records Notices (SORNs) and section 208 of the E-Government Act of 2002
regarding Privacy Impact Assessments (PIAs). At all times during the
GAO review the Treasury Enforcement Communications System (SORN last
published in the Federal Register on October 18, 2001) covered the
collection of information from all persons traveling across the U.S.
border and the APIS PIA (published in the Federal Register on March 21,
2005) covered the change requiring mandatory submission of Advance
Passenger Information. GAO contends that these documents are not
legally sufficient, this position is incorrect and without merit.
The subsequent publication by DHS and CBP on November 2 and 24, 2006,
of a SORN and PIA for the Automated Targeting System does not change
the fact that the collection of information in ATS-P (the Passenger
module of ATS) and the functionality possessed in the screening and
targeting capabilities of ATS remain unchanged in their scope since
they were previously covered by the TECS SORN (a PIA was not required
for ATS originally because the system, its functionality, and the
information collected and maintained in it were all collected through
TECS prior to December 17, 2002, and therefore grandfathered under the
E-Government Act). Once DHS and CBP chose to create the ATS SORN to
break out that collection from TECS and provide greater transparency to
the privacy implications of its screening and targeting activities, it
became necessary to create a PIA as a companion to the ATS SORN-this
was done.
DHS and CBP similarly intend to issue a new SORN for the Advance
Passenger Information System (APIS) within the next 60 days and will be
updating the existing APIS PIA to reflect this change in SORN. This
separate creation of an APIS SORN, however, is not intended to address
a privacy shortcoming as alleged by GAO, rather it is part of DHS and
CBP's continuing efforts to provide greater transparency with regard to
the privacy implications of DHS's evolving traveler screening efforts.
DHS and CBP recognize that as new rules are issued, such as the APIS
final rule, updates to existing PIA's may become necessary and the
creation of new SORNs may be warranted to afford greater privacy
protection, but none of these efforts can rightly be construed as an
indictment of the U.S. Government's past or present compliance with its
Privacy Laws. DHS and CBP were in compliance and as changes were
contemplated and implemented new notices (such as those for APIS) were
created, or are being created in the case of changes under
contemplation.
GAO's stated desire of a full discussion of the Passenger pre-screening
and screening efforts of DHS and CBP ignores the legal limitations and
scope of the Privacy Act and the E-Government Act-CBP cannot create a
SORN to address the act of a physical inspection where no personally
identifiable information is collected to be maintained, nor is a PIA
warranted if no new information or technology is acquired or employed
in the conduct of such an examination.
Under its border search authority and predecessor legacy authority, CBP
has collected the same type of identity information, method of travel,
and trip details for all its history and that of its predecessor
agencies the Immigration and Naturalization Service, the U.S. Border
Patrol, and the United States Customs Service. The choice of DHS and
CBP to provide a greater notice and privacy protection should not be
mistakenly assumed to represent an admission of non-compliance; no such
admission is being made and, lastly, no such non-compliance exists.
Thank you for the opportunity to provide comments to the draft report.
Sincerely,
Signed by:
Steven J. Pecinovsky:
Director:
Departmental GAO/OIG Liaison Office:
[End of section]
Appendix V: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Cathleen A. Berrick, Director, Homeland Security and Justice Issues,
(202) 512-3404:
Staff Acknowledgments:
In addition to the individual named above, key contributors to the
report include Mark Abraham, Charles Bausell, Dawn Hoff, David Hooper,
Michele Fejfar, James Madar, Jan Montgomery, Hugh Paquette, David
Plocher, Neetha Rao, Brian Sklar, and Stan Stenersen.
[End of section]
GAO Related Products:
Aviation Security: Progress Made in Systematic Planning to Guide Key
Investment Decisions, but More Work Remains. GAO-07-448T. Washington,
D.C.: February 13, 2007.
Homeland Security: Progress Has Been Made to Address the
Vulnerabilities Exposed by 9/11, but Continued Federal Action Is Needed
to Further Mitigate Security Risks. GAO-07-375. Washington, D.C.:
January 2007.
Transportation Security Administration's Office of Intelligence:
Responses to Post Hearing Questions on Secure Flight. GAO-06-1051R.
Washington D.C.: August 4, 2006.
Terrorist Watch List Screening: Efforts to Help Reduce Adverse Effects
on the Public. GAO-06-1031. Washington, D.C.: Sept. 29, 2006.
Border Security: Stronger Actions Needed to Assess and Mitigate Risks
of the Visa Waiver Program. GAO-06-1090T. Washington, D.C.: September
7, 2006.
Border Security: Stronger Actions Needed to Assess and Mitigate Risks
of the Visa Waiver Program. GAO-06-084. Washington, D.C.: July 2006.
Process for Admitting Additional Countries into the Visa Waiver
Program. GAO-06-835R Washington, D.C.: July 2006.
Aviation Security: TSA Oversight of Checked Baggage Screening
Procedures Could Be Strengthened. GAO-06-869.Washington, D.C.: July 28,
2006.
Aviation Security: Management Challenges Remain for the Transportation
Security Administration's Secure Flight Program. GAO-06-864T.
Washington D.C.: June 14, 2006.
Aviation Security: Significant Management Challenges May Adversely
Affect Implementation of the Transportation Security Administration's
Secure Flight Program. GAO-06-374T. Washington, D.C.: Feb. 9, 2006.
Aviation Security: Transportation Security Administration Did Not Fully
Disclose Uses of Personal Information During Secure Flight Program
Testing in Initial Privacy Notes, but Has Recently Taken Steps to More
Fully Inform the Public. GAO-05-864R. Washington, D.C.: July 22, 2005.
Aviation Security: Secure Flight Development and Testing Under Way, but
Risks Should Be Managed as System Is Further Developed. GAO-05-356.
Washington, D.C.: March 28, 2005.
Aviation Security: Measures for Testing the Effect of Using Commercial
Data for the Secure Flight Program. GAO-05-324. Washington, D.C.: Feb.
23, 2005.
Transportation Security: Systematic Planning Needed to Prioritize
Resources. GAO-05-357T. Washington, D.C.: February 15, 2005.
General Aviation Security: Increased Federal Oversight is Needed, but
Continued Partnership with the Private Sector is Critical to Long-Term
Success. GAO-05-144. Washington, D.C.: November 10, 2004.
Aviation Security: Challenges in Using Biometric Technologies. GAO-04-
785T. Washington, D.C.: May 19, 2004.
Aviation Security: Improvement Still Needed in Federal Aviation
Security Efforts. GAO-04-592T. Washington, D.C.: March 30, 2004.
Aviation Security: Challenges Delay Implementation of Computer-
Assisted Passenger Prescreening System. GAO-04-504T. Washington, D.C.:
March 17, 2004.
Aviation Security: Computer-Assisted Passenger Prescreening System
Faces Significant Implementation Challenges. GAO-04-385. Washington,
D.C.: Feb. 13, 2004.
Forum on High Performing Organizations: Metrics, Means, and Mechanisms
for Achieving High Performance in the 21st Century Public Management
Environment, GAO-04-343SP. Washington, D.C.: Feb. 13, 2004.
Aviation Security: Efforts to Measure Effectiveness and Strengthen
Security Programs. GAO-04-285T. Washington, D.C.: Nov. 20, 2003.
Aviation Security: Efforts to Measure Effectiveness and Address
Challenges. GAO-04-232T. Washington, D.C.: Nov. 5, 2003.
Aviation Security: Progress Since September 11, 2001, and the
Challenges Ahead. GAO-03-1150T. Washington, D.C.: Sept. 9, 2003.
Airport Finance: Past Funding Levels May Not Be Sufficient to Cover
Airports' Planned Capital Development. GAO-03-497T. Washington, D.C.:
Feb. 25, 2003.
Commercial Aviation: Financial Condition and Industry Responses Affect
Competition. GAO-03-171T. Washington, D.C.: Oct. 2, 2002.
[End of section]
(440403):
FOOTNOTES
[1] The specific number of passengers identified by the U.S. government
as a security risk is sensitive security information.
[2] A separate process exists for prescreening passengers on U.S.
domestic flights.
[3] The U.S. government maintains a single consolidated terrorist watch
list. Records are extracted from this consolidated list to conduct
various screening activities including aviation passenger prescreening.
Additional information about the watch list can be found on pages 7 and
9.
[4] 71 Fed. Reg. 40035, July 14, 2006. A notice of proposed rulemaking
(NPRM) is an announcement published in the Federal Register of proposed
new regulations or modifications to existing regulations, the first
stage in the process of creating or modifying regulations. A notice of
proposed rulemaking is intended to give the public an opportunity to
comment on a proposed rule.
[5] To help ensure the information we obtained was representative of
air carriers that fly different volumes of passengers to the United
States, we selected seven carriers that fly more than 1 million
passengers annually into the United States, four carriers that fly
between 500,000 and 1 million passengers annually into the United
States, and two carriers that fly less than 500,000 passengers annually
into the United States.
[6] For example, in some cases a passenger may have the same name as a
person listed on the No Fly or Selectee Lists, and an air carrier may
require assistance from TSA to verify whether the person is, in fact,
the same person.
[7] Prior to January 23, 2007, an exception to this rule existed for
citizens of the United States, and visiting citizens of Canada, Mexico,
and Bermuda when entering the United States from most countries in the
Western Hemisphere. However, under a plan required by the Intelligence
Reform and Terrorism Prevention Act of 2004, as amended, all U.S.
citizens, and citizens of Canada, Bermuda, and Mexico traveling to the
United States as nonimmigrant visitors, generally must present a valid
passport at air ports-of-entry.
[8] TECS is the principal law enforcement system supporting CBP's
counter-terrorism and regulatory compliance missions. TECS consists of
multiple databases that maintain investigative case information, border-
crossing information, passenger information, and other information
provided by other government agencies related to the inspection of
persons crossing the border. CBP uses automated systems to screen large
amounts of data against information in the TSDB, including names on the
No Fly and Selectee Lists.
[9] Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L.
No. 108-458, 118 Stat. 3638, Section 4012.
[10] 71 Fed. Reg. 40035, July 14, 2006. CBP granted an extension to the
comment period in response to a request by the aviation industry. As a
result of the extension, comments on the proposed rule were due by
October 12, 2006.
[11] GAO, Aviation Security: Significant Management Challenges May
Adversely Affect Implementation of the Transportation Security
Administration's Secure Flight Program, GAO-06-374T (Washington, D.C.:
Feb. 9, 2006). GAO, Aviation Security: Secure Flight Development and
Testing Under Way, but Risk Should Be Managed as System Is Further
Developed, GAO-05-356 (Washington, D.C.: Mar. 28, 2005).
[12] Although the air carriers currently conduct the watch list
matching and CAPPS prescreening functions, these processes are required
and overseen by TSA.
[13] IAP, or the Immigration Advisory Program, was initially referred
to as the Immigration Security Initiative (ISI). Prior to the
development of IAP, the legacy Immigration and Naturalization Service
operated the Immigration Control Officers program, which was similar to
IAP in that it stationed U.S. immigration officers abroad to screen
U.S.-bound passengers in order to validate travel documents.
[14] CBP was directed in the Conference Report accompanying its FY 2007
Appropriations Act to report to the Congress on the performance of the
IAP no later than January 23, 2007. According to CBP, they submitted
the report to Congress prior to this deadline.
[15] We did not independently assess these costs estimates or other
reported program benefits.
[16] IAP cost savings are derived from a CBP estimate based on the
average costs to detain and remove an individual from the United States
who is found not eligible to be admitted.
[17] These steps are part of an overall risk management framework for
developing and evaluating homeland security programs. In 2004, we
developed a risk management framework that brought together recognized
risk management practices from public and private sector reports, as
well as through interviews with terrorism experts. This framework was
reviewed by academic experts in risk management, field-tested on
several GAO reviews, and applied in analyzing a variety of homeland
security applications. For further discussion of this risk management
framework, see GAO, Risk Management: Further Refinements Needed to
Assess Risks and Prioritize Protective Measures at Ports and Other
Critical Infrastructure, GAO-06-91 (Washington, D.C.: Dec. 15, 2005).
[18] GAO, Forum on High Performing Organizations: Metrics, Means, and
Mechanisms for Achieving High Performance in the 21st Century Public
Management Environment, GAO-04-343SP (Washington, D.C.: Feb. 13, 2004).
[19] GAO-06-374T and GAO-05-356.
[20] GAO-06-374T.
[21] The Privacy Act places limitations on agencies' collection, use,
and disclosure of personal information maintained in systems of
records, which are groups of personal information that are maintained
by an agency from which personal information is retrieved by an
individual's name or identifier. Among the act's provisions are
requirements for agencies to give notice to the public about the use of
their personal information. Also, when agencies establish or make
changes to a system of records, they must notify the public by a notice
in the Federal Register about the type of data collected; the types of
individuals about whom information is collected; the intended "routine"
uses of the data; the policies and practices regarding data storage,
retrievability, access controls, retention, and disposal; and
procedures that individuals can use to review and correct personal
information. The E-Government Act of 2002 requires agencies to conduct
a privacy impact assessment when using information technology to
process personal information.
[22] The degree to which an agency must disclose its use of personal
information may be limited by exemptions permitted by the Privacy Act.
To claim such exemptions, an agency must issue a rule, with an
opportunity for public comment, identifying their exemptions and the
reasons for taking the exemptions. 69 Fed. Reg. 41543, July 9, 2004 and
68 Fed. Reg. 69412, 69413, Dec. 12, 2003.
[23] 40 Fed. Reg. 28948, 28952, July 9, 1975.
[24] CBP states that the ATS PIA was conducted merely to satisfy a DHS
requirement that new SORNs be accompanied by PIAs, again, not because
of any change to ATS that would require a PIA under the terms of the E-
Gov Act.
[25] 69 Fed. Reg. 41543, July 9, 2004.
[26] The extent of an agency's public description of a system of
records can be limited by exemptions permitted by the Privacy Act,
e.g., an agency can claim an exemption from the requirement to describe
the categories of sources of records for investigative material
compiled for law enforcement purposes. 5 U.S.C. § 552a(k).
[27] As noted in DHS Privacy Office's PIA guidance, privacy concerns
can be raised where technology may only collect personal information
for a moment.
[28] For example, under these laws and their implementing guidance,
CBP's modification of its systems and processes to comply with the 2004
EU agreement on the use of European PNR data should have led CBP to
issue a revised SORN and conduct a PIA.
[29] We did not report on the details of this passenger information as
it is sensitive security information.
[30] GAO, Homeland Security: Summary of Challenges Faced in Targeting
Oceangoing Cargo Containers for Inspection, GAO-04-557T (Washington,
D.C.: Mar. 31, 2004).
GAO, Risk Management: Further Refinements Needed to Asses Risks and
Prioritize Protective Measures at Ports and Other Critical
Infrastructure, GAO-06-91 (Washington, D.C.: Dec. 15, 2005).
[31] Under the current international passenger prescreening process,
CBP has identified some air carriers whose reservation systems do not
allow them to send passenger APIS data to CBP through a batched
electronic transmission. These air carriers include seasonal charters,
air taxis, and air ambulances. CBP allows these air carriers to
transmit passenger data through other means, such as through e-mail, in
a program called eAPIS. In its NPRM, CBP noted that such air carriers
are not likely to be able to adopt either the APIS-60 or AQQ
prescreening options. Consequently, these air carriers will be
permitted to continue to send passenger data through eAPIS, but they
will still be bound by the requirement to transmit APIS data 60 minutes
prior to departure and they must be able to receive CBP's identity
matching results through e-mail or telephone.
[32] IATA represents the airline industry and comprises 260 passenger
and cargo air carriers, representing 94 percent of international
scheduled air traffic. ATA is the nation's largest airline trade
association and its stated purpose is to foster a business and
regulatory environment that ensures safe and secure air transportation.
[33] With a hub-and-spoke network, air carriers can combine local
passengers (those passengers originating at or destined for the hub),
with connecting passengers (those not originating at or destined for
the hub but traveling via the hub) on the same flight. In this manner,
carriers can serve more cities and offer greater frequency of service
with their fleet of aircraft than is possible with point-to-point
service, which is service from one city to another without this
connecting network.
[34] It is also known as an interactive approach, because CBP transmits
a response message back to air carriers informing them whether a
passenger can board or not board.
[35] Passengers whose identities matched the No Fly List from this
initial screening would not be issued a boarding pass by the air
carrier until CBP and other agencies completed their identity vetting
procedures and returned a message to the air carrier identifying that
it was okay to board the passenger. If this identity verification
process is not completed prior to the flight's departure, the passenger
would not be permitted to travel on the flight.
[36] Some of the reasons CBP cited for not adopting APP included high
infrastructure and transaction costs to both air carriers and
government, and the system's inability to adjudicate possible matches
and allow for human intervention and response. Although CBP's memo
refers to an evaluation of APP conducted by its Office of Field
Operations and Office of Information Technology, CBP did not provide us
with the supporting documentation of this evaluation despite a request
for relevant documentation in its considerations of implementing APP.
[37] CBP estimated that 1,280 foreign and domestic air carriers will be
affected by its proposed rulemaking related to AQQ and APIS-60.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site.
To have GAO e-mail you a list of newly posted products every afternoon,
go to www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548:
Public Affairs:
Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548:
