Cyber Eye: TSA's no-fly list is broken, so fix it
- By William Jackson
- Sep 09, 2004
The passenger watch lists of the Transportation Security Administration show how useless names can be.
The lists got lots of attention last month when Sen. Edward M. Kennedy (D-Mass.) revealed that he had been stopped several times trying to board flights. But the problems began much earlier, according to Freedom of Information Act material obtained by the Electronic Privacy Information Center of Washington.
TSA took over the watch lists in November 2001 while part of the Federal Aviation Administration and before becoming a Homeland Security Department agency. It maintains two lists: a no-fly list of those who cannot board planes, and a selectee list of persons meriting special scrutiny, chosen by secret intelligence criteria.
Airlines must match passenger names against the lists.
In 2002, the first year TSA managed the lists, it received at least 80 complaints from passengers who were routinely'and wrongly'detained at airports.
The evidence, like Kennedy's, is largely anecdotal, because TSA does not like to talk about the lists. But the agency must know its name-matching technology has serious flaws. It returns too many false positives, fingering innocent passengers, and it is too easy for real terrorists to circumvent. An honest traveler gives the same name over and over, and can be stopped over and over.
A terrorist can just make up a new name.
Kennedy reportedly was stopped because the name T. Kennedy was an alias used by a suspected bad guy. The Washington area phone book turned up 50 T. Kennedys, none of them the senator.
Three bad things happen when a false match is made. An innocent person is penalized for doing something he or she has every right to do. Every minute and every dollar spent scrutinizing the wrong person is a waste of scarce resources. And the public loses confidence in the government's ability to carry out an important job.
The solution is to substitute identities for names on the watch lists. A name is only one component of an identity, one often shared by numerous individuals. An identity requires more information'birth date, ID numbers, physical description and biometric data. Establishing a true identity is not easy. Names alone do not work. Upgrading the watch list system is worth the cost, whatever it is.
For all we know'and we don't know'TSA's lists may already incorporate such information. But the matching appears to rely on name only, and a name can stay on the lists a long time.
It took Sen. Kennedy three weeks to get off the watch lists. Are your political connections as good as his?
William Jackson is a senior writer of GCN and the author of the CyberEye blog.