Secure Flight Privacy/IT Working Group

I am participating in a working group to help evaluate the effectiveness and privacy implications of the TSA’s Secure Flight program. We’ve had one meeting so far, and it looks like it will be an interesting exercise.

For those who have not been following along, Secure Flight is the follow-on to CAPPS-I. (CAPPS stands for Computer Assisted Passenger Pre-Screening.) CAPPS-I has been in place since 1997, and is a simple system to match airplane passengers to a terrorist watch list. A follow-on system, CAPPS-II, was proposed last year. That complicated system would have given every traveler a risk score based on information in government and commercial databases. There was a huge public outcry over the invasiveness of the system, and it was cancelled over the summer. Secure Flight is the new follow-on system to CAPPS-I.

Many of us believe that Secure Flight is just CAPPS-II with a new name. I hope to learn whether or not that is true.

I hope to learn a lot of things about Secure Flight and airline passenger profiling in general, but I probably won’t be able to write about it. In order to be a member of this working group, I was required to apply for a U.S. government SECRET security clearance and sign an NDA, promising that I would not disclose something called “Sensitive Security Information.”

SSI is one of three new categories of secret information, all of I think have no reason to exist. There is already a classification scheme—CONFIDENTIAL, SECRET, TOP SECRET, etc.—and information should either fit into that scheme or be public. A new scheme is just confusing. The NDA we were supposed to sign was very general, and included such provisions as allowing the government to conduct warrantless searches of our residences. (Two federal unions have threatened to sue the government over several provisions in that NDA, which applies to many DHS employees. And just recently, the DHS backed down.)

After push-back by myself and several others, we were given a much less onerous NDA to sign.

I am not happy about the secrecy surrounding the working group. NDAs and classified briefings raise serious ethical issues for government oversight committees. My suspicion is that I will be wowed with secret, unverifiable assertions that I will either have to accept or (more likely) question, but not be able to discuss with others. In general, secret deliberations favor the interests of those who impose the rules. They really run against the spirit of the Federal Advisory Committee Act (FACA).

Moreover, I’m not sure why this working group is not in violation of FACA. FACA is a 1972 law intended to govern how the Executive branch uses groups of advisors outside the federal government. Among other rules, it requires that advisory committees announce their meetings, hold them in public, and take minutes that are available to the public. The DHS was given a specific exemption from FACA when it was established: the Secretary of Homeland Security has the authority to exempt any advisory committee from FACA; the only requirement is that the Secretary publish notice of the committee in the Federal Register. I looked, and have not seen any such announcement.

Because of the NDA and the failure to follow FACA, I will not be able to fully exercise my First Amendment rights. That means that the government can stop me from saying things that may be important for the public to know. For example, if I learn that the old CAPPS program failed to identify actual terrorists, or that a lot of people who were not terrorists were wrongfully pulled off planes and the government has tried to keep this quiet—I’m just making these up—I can’t tell you. The government could prosecute me under the NDA because they might claim these facts are SSI and the public would never know this information, because there would be no open meeting obligations as there are for FACA committees.

In other words, the secrecy of this committee could have a real impact on the public understanding of whether or not air passenger screening really works.

In any case, I hope I can help make Secure Flight an effective security tool. I hope I can help minimize the privacy invasions on the program if it continues, and help kill it if it is ineffective. I’m not optimistic, but I’m hopeful.

I’m not hopeful that you will ever learn the results of this working group. We’re preparing our report for the Aviation Security Advisory Committee, and I very much doubt that they will release the report to the public.

Original NDA

Story about unions objecting to the NDA

And a recent development that may or may not affect this group

Posted on January 13, 2005 at 9:08 AM19 Comments


Tony January 13, 2005 9:37 AM

You act like not being able to speak out about these things is a hypothetical, based on having to keep other things quiet or over-generous confidentiality codes. It’s probable that the very subject “whether CAPPS works” is something that could be labelled a security risk for the public, and terrorists to know.

Which should strike fear into the heart of any computer-security expert, but just to let you know what you should expect. I’ll be really surprised if you’ll be able to say anything useful about the program (costs, positive and negative rates, civil rights violations reported) afterwards.

It’s frustrating, since there’s clearly no cost-benefit analysis or theoretical understanding with these people going on. The one benefit to keep anything confidential (“a terrorist could find that out”) precludes any public knowledge, no matter how important to the policy making process.

piglet January 13, 2005 10:14 AM

I hope you have at least the right to resign from the group. This will probably be the only possibility for you to legally transmit any information and thus have an impact. Your hope that you might be able to “help kill it if it is ineffective” seems far-fetched.

Davi Ottenheimer January 13, 2005 10:28 AM

Ah, the age-old debate of whether “national security” is more important than the public’s right to know.

I’d like to argue information is the foundation of democracy and bad governments have historically required secrecy to survive. You might even say the same about bad/proprietary software.

The Nobel Laureate (Economics) Amartya Sen has written that a major famine has never occured in a democratic country with freedom of the press. So we have reason to believe that at least the quality of life is better with more disclosure, and perhaps that means safety and security as well.

Good luck.

Axel January 13, 2005 11:23 AM

@Davi: Actually, this is not the main point here. The main point in my eyes as a foreigner is how much you trust your government not to make things up and lie outright. I don’t want to get into the whole political discussion about the Iraq war and the phony arguments that started it, but it really is a good example.
The Bush… government… is big in FUD and it shows definitely in what Bruce mentions here. He’s very careful in his phrasing (which I don’t have to be), but I think it’s pretty safe to extrapolate from other (unrelated) examples and from what has been said here.

The US have a very special constitution – I don’t know of any other country (which doesn’t necessarily mean there is none) that puts such a high value on Free Speech. Over here it’s different and we don’t generally feel oppressed. However, given the context of importance the US puts on Free Speech the many tries of Bush, Rumsfeld and Ashcroft to silence information, to introduce secrecy and a culture of closedness, it is a scary era at the moment.

@Bruce: Thumbs up and my best wishes to you. If possible, please take a peek at the requirements the US government imposed on foreign airlines, the amount of data that is collected about the passengers (even if they only stopover in the US) and how useful that data actually is. Thanks.

Robert January 13, 2005 11:35 AM

Congratulations! You have clearance & NDA.

Lets assume that you found some (very embarassing) security problems in an area not related to the working group. Now someone in the group can take the information stamp “SECRET” on it … and now you can write “SECRET” memos to some officials but you can no longer contribute to solving the problem.

Good luck…

Francois Kashy January 13, 2005 12:57 PM

Bruce, you have always said there is no such thing as security by obscurity. You are a well-known and respected public expert on security and full disclosure. I would hate to see your public voice quieted due to myopic scrutiny on it.

Filias Cupio January 13, 2005 3:37 PM

So where are the boundaries of the NDA? Consider the following sequence of hypothetical criticisms:

1 “The system gives undue weight to whether a ticket was bought with cash – it is easy and obvious for terrorists to avoid this.”

2 “The system is ineffective because looks for features which are easy for terrorists to avoid, and terrorists are likely to do so.”

3 “The system is ineffective because terrorists will be able to deduce the criteria by taking flights and observing whether they are searched.”

4 “In my opinion, the system is ineffective.”

5 “In my opinion, the system is not worth its cost.”

Where, if anywhere, do the criticisms become sufficiently general to avoid the NDA?

If you can’t make statements like 3 to 5, what happens if a reporter asks such a question?

JethroBob January 13, 2005 5:52 PM

Signing the NDA is a calculated risk that doesn’t seem to pay off. The reward for signing the NDA is participation in designing/assessing a security scheme that seems to go counter to your own security advice regarding public vetting of security mechanisms. The NDA would seem to indicate that certain aspects such as how one gets on and off a no-fly list are destined to remain secret barring successful court challenge.

The downside of signing the NDA is that it can be wielded against you as an instrument of harassment or persecution if you write, say, or do something the government doesn’t like. Past events (such as the outing of CIA NOC Valerie Plame) would seem to indicate there are at least some in government that operate in such a manner as to make this scenario quite feasible.

Davi Ottenheimer January 13, 2005 5:59 PM

@Axel: I think we agree. I believe history indicates that human suffering increases in direct proportion to a rise in secrecy. Lying is the mechanism used to deal with resistance to secrecy.

What comes accross in Bruce’s message is that he is looking for clarity and some reason/rationale behind security measures, such as how/why the government has exceptions to laws meant to protect the public and why their methods need to be opaque and complex.

So, all I can say is good luck. Bruce, I’m happy to know that they’ve invited you to participate.

Perhaps it is easier not to dwell on unknown motives in government as much as work towards avoiding potentially undesirable consequences.

It’s fairly clear that Bush’s Administration prefers not having any dissent. This is actually a fairly risky style of executive leadership in America today, as evidenced by Enron and WorldCom. Another consequence was the recent NASA Shuttle disasters, which seems to have been blamed on a culture where people were afraid to dissent and report risks. (see Waltzing With Bears: Managing Risk on Software Projects by Tom Demarco, Timothy Lister for this and other disasters).

But back to the issue of secrecy, the Reporters Committee for Freedom of the Press seem to think that we should review the Attorney General nominee Gonzales’ history carefully:

Arik January 13, 2005 6:59 PM

Like many other things, this is a compromise. Bruce is giving up his ability to speak freely but gains the ability to affect the committee’s results.

I hope you made the right choice, Bruce.

— Arik

Matt Reynolds January 14, 2005 5:00 PM

Not that I’m this paranoid, but it does seem like this would be an effective strategy to quell dissent about the system being studied.

Involve those who have the means and inclination to speak out against the system in question keeps them from mounting effective discussion in a public forum.

Although, it does seem that you could still say general things about Secure Flight, like “It sucks”, without violating the terms of your agreement by explaining why.

This seems similar to some copyright protection schemes in software. Let one team reverse engineer a particular item, write a spec on it, then throw it over the wall to another team to implement to prevent tainting the code.

Well, minus the spec in this case.

Chris Walsh January 15, 2005 9:35 AM

If a security expert points out flaws in a system to people who don’t want to pay attention anyway, and nobody else is allowed to hear him, has he actually said anything?

Possible ways out:

  1. There are no flaws — problem averted.
  2. The people he speaks to DO want to hear him.

I think we can safely say there will be flaws. Therefore, this all depends on the good faith of Bruce’s fellow working group members, and the influence he may have on them.

Bruce Schneier January 15, 2005 1:30 PM

“Lets assume that you found some (very embarassing) security problems in an area not related to the working group. Now someone in the group can take the information stamp “SECRET” on it … and now you can write “SECRET” memos to some officials but you can no longer contribute to solving the problem.”

That is the problem. I’m trading access for the ability to speak about what I learn.

Bill January 15, 2005 10:10 PM

From the government perspective, makes sense- silence one of the most respected critics. Especially, one who could “see” through the smoke and mirrors.

We, the citizens of this Bush (wacked) country, are diminished by the loss of a significant voice for reason, logic and freedom.

Would Ben Franklin have made this deal?

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.