The US Secure Flight Program has garnered much public concern and disapproval in Canada, where many Canadians are finding themselves subject to the controversial regulations when flying over US airspace. Aviation security is a high priority issue for the Canadian federal Privacy Commissioner, who earlier this year carried out an investigation of airport security scanners being installed in Canadian airports. While security is an issue in the aviation industry, the Privacy Commissioner, along with other privacy watchdogs, insist that security measures must also respect the privacy and personal dignity of travelers in Canadian airports.
US Secure Flight Program
The US Transport Security Administration’s Secure Flight Program was launched in August 2009 and has been phasing in new regulations since. The TSA explains Secure Flight as a “behind the scenes” program, aimed at enhancing security of domestic and international air travel. The program was initially developed by the Department of Homeland Security in response to 9/11 Commission Recommendations.
The Secure Flight program began with the Secure Flight Passenger Data check, which required passengers to provide personal information to their airline when making a reservation. This information included their name as it appears on government-issued identification; date of birth; gender; and redress number, if necessary. The information would then be transmitted to TSA’s Secure Flight and crosschecked with federal government watch lists. The results of this check would then be transmitted to the airline. The TSA has access to all US government databases.
According to the TSA, the goals of watch list matching include:
- Decreasing the chances of compromised watch lists; limiting distribution of watch lists.
- Early identification of potential matches, meaning expedited notification of law enforcement authorities and threat management.
- Developing a fair, equitable and consistent matching process for all airlines.
- Reducing instances of misidentified individuals.
- Consistent application of redress process for misidentified individuals.
Individual privacy has been a prominent concern during the implementation of the Secure Flight program. The TSA has developed a Secure Flight Privacy Program, which includes the following elements:
- Foundation privacy principles
- Privacy organization, including a privacy officer and supporting staff
- Secure Flight privacy policies
- Systems development and security to manage privacy risks throughout the Secure Flight system
- Awareness and training programs
- Monitoring and compliance procedures
- Redress and response processes
- Privacy risk management technique
The TSA set out objectives of checking 100 percent of domestic flight passengers by early 2010. It also states intentions of vetting 100 percent of passengers on all international commercial flights into, out of, or over the US by the end of 2010.
The TSA’s Secure Flight objectives raised public outcry in Canada and Europe. The application of Secure Flight on airlines flying over US airspace was seen as an unprecedented assertion by the TSA. Once the program launches globally in December 2010, the TSA can prevent passengers from boarding flights, even if they are only flying in US airspace. For instance a passenger may be denied boarding an aircraft in Canada, headed to Mexico, if they have not passed the Department of Homeland Security screening. The Secure Flight program applies to flights to, from, or over the US. About eighty percent of Canadian flights to the Caribbean, to other southern points and to Europe fly over the US.
Secure Flight requires that Canadian airlines transfer travelers’ personal information to the Department of Homeland Security at least seventy-two hours before departure. Using Infoglide, a package of fifty identity resolution algorithms, it checks passenger identities. The Department also has access to data collected in Canada, such as police records.
In the case that the search results in “no match,” the airline will be informed and the passenger can be issued a boarding pass. In these situations, the personal information will be purged from the Department of Homeland Security system after seven days. However, a potential match (according to the Department, this is someone who has not been determined as an exact match, but has the potential to match some data elements) can be kept in the system for seven years. Positive, or exact, matches are kept in the Secure Flight system for ninety-nine years. It will take around fifty to sixty days to resolve false positives.
Many privacy watchdogs and advocates are wary of this new program as it requires non-US airlines to release passengers’ personal information to US government departments. It is unacceptable to many, as Canadian Parliament never adopted or even discussed the Secure Flight program. The European Parliament has raised a number of objections to the program.
Most airlines do not host their own passenger name records (PNR). This is often outsourced to a third-party computerized reservation system (CRS). PNR data is entered through travel agencies, tour operators and travel websites and is stored as a master copy in the CRS. It is the CRS that sends the PNR data to the Department of Homeland Security.
However, there is no data protection law for CRSs in the US. Once a CRS has PNR data, they are legally able to use, disclose, transfer or sell that data, without notice or consent. Currently, CRSs in the US share data with data mining and marketing companies, as well as with PNR processing companies. Since the CRS does not keep as access log on who retrieves the PNRs, it is impossible to determine who has seen passenger information.
Security vs. Privacy?
Canadian airlines currently check all flight manifests against the US no-fly list, a watch list compiled by the FBI and distributed amongst airlines worldwide. This no-fly list contains the names of 16,000 people suspected of terrorist involvement by the US government. According to the Canadian Charter of Rights and Freedoms, the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), it would be difficult to introduce measures such as Secure Flight without considering the following:
- The right to privacy is a fundamental right. It cannot be infringed unless it is necessary for the public good.
- Collection of personal information can only occur when proven necessary.
- Necessity of collection must be assessed continually.
- Less privacy-invasive alternatives that fulfill the same purpose should always be considered.
From the Canadian Privacy Commissioner’s perspective, shifting responsibility for checking the passenger manifest from the airlines to the Department of Homeland Security brings privacy safeguards as well as privacy risks. After investigating the Secure Flight program, the Commissioner made the following recommendations to the Canadian government:
- Negotiate with US authorities on the collection of minimal personal information.
- Determine if the retention periods (seven days, seven years, ninety-nine years for negative, potential and positive matches, respectively) are necessary.
- Negotiate robust and accessible redress mechanisms in the case of false positive matches.
- Implement measures to support Canadians who must use those redress mechanisms.
- Inform Canadian passengers on the scope of information collected and disclosed under the Secure Flight program.
- Clarify Canadian law regarding the conditions for disclosure of personal information, in order to ensure public debate and legal certainty.
According to the Privacy Commissioner, the issues of privacy and security are not at odds. They can both be supported at the same time, since privacy protection deems the collection of personal information be kept to a minimum, while the efficacy of security depends on the collection of only relevant information.
This article explores the issue of aviation security and privacy protection issues in trans-border data sharing. The US Transport Security Administration (TSA), a branch of the Department of Homeland Security, proposed the Secure Flight program, which collects and crosschecks passenger data for all flights to, from or over the US. While it is currently implemented domestically, the TSA intends to launch the program internationally in December 2010. This stands to significantly impact Canadian travelers. The article examines privacy concerns and objections to the Secure Flight program. The Canadian Privacy Commissioner’s responses and recommendations are also highlighted.
In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:
- Co-regulatory model of privacy protection (II.B.a.)
- Regulating activities: processing, transfers, data sharing (II.B.d.)
- Enforcement agencies & powers (II.B.e.i.)