Press Conference Conducted by
Nuala Kelly, Chief Privacy Office of the DHS.
Date: February 12, 2004.
Source: Department of Homeland Security (DHS).
TRANSCRIPT OF MEDIA ROUNDTABLE WITH CHIEF PRIVACY OFFICER NUALA OíCONNOR KELLY
Q: What is the status of the investigation of Jet Blue?
A: Great question. Very close to completion.
Q: Could you define that?
A: I absolutely will not only because I have tried to define it twice before and been wrong and I saw myself chastised in an article recently saying that I had missed two deadlines. Of course those two deadlines were deadlines that I had imposed on myself. The delay is not from lack of interest but rather from having more documents to read that I had imagined that we would have and more people to interview both inside and outside the government.
Q: Were there any lawsuits hinging on the results of your investigation?
A: Well, there are lawsuits involving this incident. There are no lawsuits to my knowledge filed against the Department at this time but there are I believe a number of private-sector class-actions against Jet Blue.
Q: What is the range of actions that you can take? What are your authorities?
Q: Are you doing any investigation of the Northwest/NASA?
A: I looked into it only enough to be sure that there was no nexus to our Department. So we are not involved with that.
A: Thatís a great way to look at it. Well, as you all know I already met with them. It was very interesting to me that my schedule for that day became public and had such interest to so many other people. I have been meeting continually not only with members of the airline industry but members of other industries, other parts of the travel industry, other industries who share information or want to share information with the Department of Homeland Security to encourage all of them to evaluate their privacy policies so that we do not see a continuation of the kinds of events that we have all seen in the airline space. Can I say that there are not more of those revelations that will come forward that emanate from the days and weeks after 9/11? No, I couldnít say for certain that those are the only two or three that have occurred. But, I think what we can say is that going forward, this Department will be having fairly strong rules that we will educate our employees about how to use private sector data and hopefully help inform the private sector about making sure their own customers and clients know what their expectations should be.
Q: If I could go back to Jet Blue- if your authority deals with the conduct or misconduct of Homeland Security employees, what are your options? What is the range of options?
A: The Privacy Act as you know includes civil and criminal penalties for violations so the range of options is everything from finding that there was no wrongdoing to finding a significant and severe violation of one of those statutes. I am still open to what those options are going to be- I havenít made a final decision.
Q: Again that is looking at government employees, not Jet Blue?
A: That is absolutely correct.
Q: What is the issue with the airlines? Is it a matter of them deciding what information they are going to give you or theyíre willing to give you anything you want as long as they can be assured that youíll keep it private?
Q: But I gather that their concerns are going to be somewhat attenuated because youíre going to move up smartly and going to require them to give the information, so what is the nature of your conversations with the airlines now? To pat them on the hand and say, donít worry- weíll keep it safe? What are you supposed to do with their concerns if you are going to require them to give the information anyway?
Q: Whatís PIA?
A: Iím sorry. Privacy Impact Assessment- thatís the requirement under Section 208 of the Electronic Government Act of 2002.
Q: Although they may not be saying it publicly, are a lot of these companies to you privately saying- ďPlease make us give you the information?Ē and take this burden off of our back?
A: Theyíre not saying it to me. You would have to ask TSA about that.
Q: But didnít they issue a statement saying that- that we wonít do it voluntarily but if you make us we will?
Q: The Under Secretary (Hutchinson) today discussed having an external review board for this. Is that a new addition to this CAPPS II thing or has it always been there?
A: Thatís always been there. From my standpoint, there has always been a conversation about having a Privacy Advisory Board and thatís something that my office is working toward. I like Asaís idea though about having a particular CAPPS II external advisory board because weíve seen great success in other programs, particularly the US-VISIT program which has an advisory board and has rolled out a tremendous privacy program. Itís a model that I have also used in the private sector- having an external privacy advisory board to bring in stakeholders, constituents, advocacy community, academia and industry to have that conversation and also to look into ongoing operational concerns.
Q: I guess Iím trying to find out where in this timeline or where in this process that sort of entered the picture when it comes to CAPPS II? Is it something that developed once the airlines said weíre not giving you the information?
A: Itís certainly something weíve been discussing but I think itís something that Asa has made a firm decision in recent weeks on that. I couldnít tell you the exact dates though- Iím sorry.
Q: It seems apparent but donít know it to be a fact that this is in response to all of the privacy concerns and the airlines opposition.
A: Well, weíve had an informal and even before I started working on the program at DHS, there were certainly informal contacts to the advocacy community. There were a number ofÖ Mark (referring to Mark Hatfield- Acting Director of Communications- TSA) you werenít here then either, Iím trying to remember what they called them- sort of stakeholder retreats and meetings and there were a series of them when both the program was at the Department of Transportation and when it was in its early days at the Department of Homeland Security. I think this formalizes that process and I think itís a good thing to have formal process thatís both open and transparent and available to be applied for by whoever wants to be a part of it.
Q: As the privacy officer, are there any concerns you have with the GAO report?
A: For the most part, I think the GAO Report is quite fair and I think itís accurate and I think itís a fair statement to say that there is good work that has been done and a great deal of work that still remains to be done on my issues and on other parts of the program as well.
Q: Iím sorry, maybe this has been out there but has the decision been made about how long data will be retained? Is that finalized yet?
A: We do say in the privacy act notice from last August that the data will come into the system a certain number of hours before the flight departs and will be discarded for the majority of people within, I canít remember if itÖ itís a matter of hours. Itís fewer than a number of days but I donít remember the exact hour.
Q: So itís less than a day, though?
A: Itís after the completion of the itinerary and it may say ďin a matter of days.Ē I think weíre talking in reality a number of hours before the flight leaves and a matter of hours after the last flight of your itinerary ends. The big distinction to me is that came down from 50 hours. I couldnít tell you for sure the exact number of hours but when weíre talking about the difference between the initial proposal which was 50 years and a matter of hours or days.
Q: Now let me ask you about that. If you get these names a few hours before a flight is that really enough time to run it through the system? Are the privacy concerns limiting the effective use of the system, potentially?
A: I donít feel the privacy concerns are limiting the effectiveness of the system. I believe that the proposal as it stands now allows TSA to take affirmative and preventative action if they find information. You certainly want to limit it to a certain number of hours before the flight because you donít want to have keep re-running the system every time a change is made in an itinerary so you are looking at issues more of efficiency and cost-effectiveness versus what is the minimum amount of hours that we need in order to take preventative rather than privacy concerns.
Q: Let me ask you a very basic question that probably everyone here knows the answer to except me. Where is the data? Is it with the airlines? If I call to make a reservation two weeks ahead of time, theyíll still check me out at that point rather than waiting until a few hours before the flight?
A: Actually, no.
Q: OK, so where is the data that is going to be saved for a matter of hours rather than days.
A: Let me walk you through as I understand it. When you make a reservation with an airline or a website or on the telephone, wherever, the information is housed in any one of a number of places- computer reservation systems, global distribution systems, the various chain players in the airlines program. From the TSA standpoint, they plan to take the data in, again in a certain number of hours and when I say a certain number of hours, it may be 48 or 72- may not be three or four so it may be enough hours to- we may be talking about less than a week but more than a day and I couldnít tell you- Mark do you know an exact hour figure?
A: Mark Hatfield- Theyíre still refining that.
A: Nuala OíConnor Kelly- OK. So to answer your question, I think it is adequate to do the investigations that they want to do. That comes into the TSA database, server, whatever you want to call it and at that point, then the process starts- the analysis, the authentication of identity. That sort of thing.
Q: And thatís the data that will be saved?
A: Length of itinerary plus a little buffer zone on the front and back end.
Q: And you have to decide what all you want the airlines to fork over when they do that?
A: And the proposal that has been on the table for some time has been a minimum of feel legal name, full home address, telephone number and date of birth.
Q: I donít understand how it will work for foreigners, though?
A: Great question.
Q: Because if you have commercial database here but I am from a small village in Latvia?
A: I couldnít agree with you more that is one of a number of outstanding questions that I still have from my office and thatís why- what are your reactions to the GAO Report? I would say they are right to point out that there are a number of unanswered questions- that is not to say that these are unanswerable questions but simply they have yet to be answered. That to me is one of the primary questions, I want to look at issues of disparate impact and not just the classic civil liberties disparate impact that people have concerns about but the unintentional or unexpected disparate impact of the kinds of concerns that you probably have heard- people that have moved recently or people who have changed their names since they got married or divorced that sort of thing. I want to make sure that this system is truly going to work for the people we are trying to pinpoint and not going to disadvantage any other particular group based on behavior, or category or whatever. Until we see that in operations or internal testing, it is hard to answer and you have hit on a key one. As you know we have been involved in tremendous negotiations with the European Union and we are very cognizant of their concerns, as well.
Q: Can I ask another question? Secretary Hutchinson said there was a possibility if this thing is working right- it may be able to flag someone who has stolen someoneís identity- at what point would that happen? When you get the data? When the person shows up at the airport and has to give the magic password? And what do you do then.
A: Thatís a good question. To overly and grossly simplify CAPPS II versus CAPPS I- CAPPS I as I understand it is a static, rules-based system that involves ďDid you buy a one-way ticket, did you pay with cash, are you the last person to check in for your flight, did you buy the ticket within one hour of the flight?Ē Those are very static rules- the same for every passenger plus the obviously name-based- ďAre you a person that is a known terrorist or affiliated with a known terrorist on a watch list?Ē This is a simple two-part process and that analysis is happening today. We all need to remember that there is a CAPPS I and itís not working beautifully so what is the alternative? We can not simply do away with the system and say OK- weíre not going to have anything. We have to have some kind of security so the question is what is that going to look like? The proposed CAPPS II system, as I see it, a three-part system. The first part is the authentication piece that to me coming into the Department was an area of concern because that is the proposal to use private-sector databases, private-sector data aggregators to validate and authenticate the identity that is given to the airline- John Doe at this address or phone number. The purpose of that is to again verify the identity, make sure we have a person who exists in the real world in front of us and thereby when we go to step two and three and we figure out if you are a known terrorist or affiliate of a known terrorist, that we actually have a real identity in front of us. That is where I believe where you would see the issues of identity theft where people who engage in identity theft very frequently get something wrong- a middle initial, a digit in a phone number, or match an address with a telephone number incorrectly those sorts of things. Again, I believe with the multiplicity of databases that they are considering using you would weed out the issues of ďIíve moved recently or changed my telephone numberĒ because you would have more accurate, more up-to-date data. Having done privacy in both the public and private sector, I am actually quite confident that there is good intelligent use of technology and use of data in the private sector if we can leverage it in an extremely limited fashion and again, the proposal is to query those databases but not to bring that data into the government space- not to bring and permanently hold that date in a government database but merely to match it, to verify it, to say, ďDo we have someone in the real world who exists who has this name, address and telephone number?Ē
Q: Why havenít you finalized the privacy plans especially given all of the criticism from a very active privacy advocacy group?
A: We have been working side-by-side- personally I have been spent more hours on this program than most anything else at the Department- but as the technology changes, as the proposal changes, as we learn more about how the system will work things like a privacy impact statement are revised. Itís not like we havenít had one but we have to keep re-writing it as the program evolves and moves forward and development continues. I see that as an evolutionary process just like the building of new technology so it is not something that should come either before or after but should be evolving side-by-side with the development of a new program.
Q: Can we go back to the previous question? I asked in the other room and I am confused by the answer- supposed somebody shows up with my name, Matthew Wald, but he has the middle initial wrong or a digit wrong, etc., so your first responsibility is that you put him through secondary screening to see if he going to go to cockpit with a box cutter. Is it possible you would and another privacy issue which your more conversant than I am- is under what circumstances youíd use this airport security system to arrest people who are wanted for jaywalking in the District, murdering someone, whatever. So someone shows up with my information but something is wrong, how does this result in making the world a better place other than making sure he doesnít hijack the airplane?
A: Thatís a brilliant question because I have not thought about what happens when we see a clear case of identity theft. Do we arrest them on the spot? I do not know the answer to that- I have to honest with you. I think itís a terrific question. I think the theory behind the authentication piece has simply been to inform the second and third pieces of the program and let me go to those which are the literal watch list- are you a known terrorist, are you someone who is wanted on a violent crime? It will clearly affect their score but do I know if there will be any law enforcement action taken, if any, I do not know.
Q: OK, can you compare that to what the Department has talked about previously which are, what are the legitimate law enforcement uses of airport security beyond securing the airport?
A: Absolutely, it is very clearly delineated in the Privacy Act notice of August of last year and that is- there is a misperception that we have grown that part of the program- it is more correct to say that we have significantly narrowed the proposal from January of last year. The language says that the program may be used to find persons who are on outstanding warrants for crimes of violence under a federal or state warrant.
Q: Which probably doesnít include identity theft?
A: No, identity theft is not a crime of violence.
A: Mark Hatfield: I want to try to clarify something because I think it is a great question. The first piece which we know and there has been a lot of discussion on is what type of criminal warrant will flag action and we know that that has been narrowed significantly to an outstanding state or federal warrant for a violent felony. It would not be an outstanding warrant for credit card fraud. However, what youíre discussing- your scenario is a crime in progress and it would be very similar to someone presenting a stolen credit card at Macyís- what are the options? They can call security, they can seize the credit card, the computer tells them something because something is wrong. I think we do need to come up with a policy how we deal with a crime in progress.
Q: Under that scenario, could he say his privacy was violated because CAPPS II was used in ways it wasnít specified to be used?
A: Mark Hatfield- I think that aspect of this needs to be looked at and again it happens at the department store when you go to use a stolen credit card.
Q: But would you let them on the plane? At Macyís you canít buy the undies if they try to use someoneís credit card- would you let them on the plane? But what if there was a deadbeat dad that shouldnít be crossing state line?
A: Nuala OíConnor Kelly- That is clearly addressed that a deadbeat dad does not qualify as a crime of violence under the federal criminal statute.
Q: But the government would be identifying people who are committing crimes?
A: Who have outstanding warrants- weíre actually not identifying them at all. The only people we are identifying are those who have outstanding warrants who actively evading a warrant for a crime of violence which is a defined term in the federal criminal statute. But your point is still an incredibly good one because you have also pinpointed a similarity that this is essentially off-the-shelf technology, this is extremely similar to the kinds of technology used to do risk analyses for credit card use or fraud detection that most Americans are quite comfortable with in that context but we need to make sure we have good rules to use, that kind of analysis in the security context. I think the answer is we do not have a fully developed process for law enforcement interdiction of identity theft. We certainly do have those processes for crimes of violence and weíd know which agency would be called.
Q: Thatís my next question. I would assume that this is not exactly a privacy issue but everyday in the course of everyday security work at an airport, you find guns, drugs, huge volumes of cash, other things. What do you do- do you arrest those people?
A: Mark Hatfield- Our enforcement power is through the local law enforcement agency of jurisdiction in a given airport.
Q: And they are there? If you find a gun in a checked bag or cash?
A: Mark Hatfield- Thatís our standard operating procedure to call law enforcement.
A: Nuala OíConnor Kelly- So itís likely to follow a similar procedure where theyíll be referred to local law enforcement and law enforcement makes the decision whether they are going to take action.
Q: Sounds like this could happen but you donít have it quite flushed out? But I thought the whole point was that the right people are getting on the airplane- I thought if you find out that this isnít Matthew Wald, presumably you wonít let him get on the plane, right- if someone hasnít stolen his identity?
A: Nuala OíConnor Kelly- I think if we canít verify the true identity of the person standing in front of us- youíre likely right that the person wonít fly.
Q: I thought that was the whole purpose of the program? But they assign a risk level and that person is sent to secondary screening because of that risk level and they may or may not know- it wonít come up positive for Matt Wald or negative for Matt Wald?
Q: Could I take the questioning about identity theft a little further- I understand that there are about 50 airports that have no law enforcement presence at all- these are very, very small airports and the regional airlines are very concerned because they have to fly people but there are maybe four TSA screeners in Klamath Falls and a violent killer or terrorist shows up- I mean what are they going to do- hit them with their wands?
A: Mark Hatfield- No, they send in law enforcement at each of those airports- it has actually been looked at each of those airports because you are correct because there are some that donít have resident law enforcement. They have to be within a certain response time and in fact we have actually gone back and made special arrangements at some- there are a couple in upstate New York- where the response time was outside of an acceptable range so we have actually provided funding to bring an officer back to have a stationed duty at the airport.
Q: Do you know if you canít verify someoneís identity- does that make them a red or does that make them a yellow?
A: Nuala OíConnor Kelly - As I understand it right now, it sends them to secondary screening.
Q: And if it still canít be identified that Joe Smith is Joe Smith, are they still allowed to fly?
A: Nuala OíConnor Kelly - I donít know.
Q: But I thought the whole purpose of the CAPPS II program was to confirm that the person who was flying was the person who was flying? If that canít be confirmed, can that person fly?
A: Nuala OíConnor Kelly - Number one purpose of the program is to prevent known terrorists and affiliates of known terrorist and those with outstanding criminal warrants from getting on the airplane. The secondary purpose is to prevent identity theft and prevent people from flying who are using someone elseís identity and if we absolutely can not confirm an identity, I think then you would bring in law enforcement through the same procedures you would bring in for any other ongoing crime that is happening in front of you. Ultimately, the law enforcement piece is in the discretion of the law enforcement agency whether it is federal, state or local agency they decide what action is taken if there is an ongoing crime in front of them.
A: Dennis Murphy, Communications Director, Border and Transportation Security, Department of Homeland Security - I think itís important- what Asa was talking about was that there are varying degrees- there are identity questions and then identity theft. What he was saying was that there are varying degrees that if after the checks there is a question that the system has raised, clearly then that person needs to be screened to make sure that they are not a threat to the plane but if all of a sudden there is a total disconnect with the identity of that person we donít know that that person is Matthew Wald- then that becomes a potential threat to the plane and that person is assuming a different identity, we need to validate that before we let that person on the plane. Now how you do that, the protocols you follow and then what happens when you have a person with a complete set of identity but is not that person then that has to be the law enforcement protocol at that point but the first step is- you see that major disconnect then that becomes the question of whether or not that person is who say they are and should they or should they not be allowed to fly so there are varying degrees as he was pointing out.
Q: Can I be a nattering nabob of negativism here but it seems to me that there are a lot of questions that no one knows the answers to? Weíre pretty far down the path- let alone the part that we donít have consolidated watch lists yet to even figure out at the second and third stage that if we have someone how reliable is it going to be that weíre going to know who is at the other end? It seems to me that itís really still pre-testing stage still?
A: Dennis Murphy - Well, we havenít tested.
Q: But the whole point is you want to get to testing- thatís my point is this really even ready for testing?
A: Nuala OíConnor Kelly - I would actually challenge what you just said- these are the types of questions that will need to be answered through testing. That is exactly right. These are the same questions that I have, these are the same questions that the advocates have. What is the system really going to mean for passengers? Is it going to improve wait times? Is it going to improve their airport experience? Is it going to be more accurate. As I was saying before, the primary purpose, obviously, is to prevent persons who are a threat to the airplane from getting on the airplane. The secondary purpose is to hopefully make a better experience for everybody else who is flying- the 99.99% of good people who are just trying to get to their daughterís wedding or their business meeting or whatever. Do I know the answers to all the protocols? No, they have not been built yet. The GAO Report is right- there are lots of questions that are unanswered- that does not mean they are unanswerable. It is absolutely an incomplete status right now but that does not mean it is necessarily a good or bad program- it simply means it is a program that is evolving like any technology development like any program development- this program is at a stage that certainly is not ready for deployment in active live airports but that does not necessarily mean that it shouldnít be tested or studied or considered further to answer these questions. If this program does work as those who believe it can work, it is going to be a good thing for all traveling Americans. If it does not work as promised, then we need to sit back and consider other alternatives but we have to find an answer. We can not keep having airplanes not fly. We canít keep having people considered about their security of themselves and their children. We will continue to work on the issues of privacy and the issue of civil liberties impacts and my office will continue to study them and continue to have the same questions that you have and thatís the role that my office plays in the development.
Q: Related question- If my identity is stolen and then, I myself, the real me goes to the airport- is that one of the disadvantaged groups that you have to look out for?
A: Nuala OíConnor Kelly - The unexpected, the inadvertent is absolutely the kind of thing that needs to be tested.
Q: Because there are in fact hundreds of thousands of new cases of identity theft each year?
A: Nuala OíConnor Kelly - Absolutely.
Q: You went through one and two- is three, the red, yellow, green?
A: Nuala OíConnor Kelly - The third stage of the program that I think would set CAPPS II head and shoulders above a CAPPS I and that is the ability because this is technologically superior development, we hope, to infuse real-time intelligence data into the system immediately. So that you can alert screeners, essentially electronically or through changing the algorithms in the system on a certain day for a certain airport that there is a particular threat against a particular airport or a threat against a particular airline or a threat against a particular itinerary or agenda based on intelligence chatter.
Q: So youíre saying this system will give you better means to notify about intelligence concerns?
A: Nuala OíConnor Kelly - Can actually infuse them into the algorithms that score passengers that send them to first or secondary screening or prevent them from getting on the airline.
Q: When will the screening be turned over, transferred to the TSA officials? At what time will the TSA official see it after it has been collected?
A: Nuala OíConnor Kelly - I think at the time the initial algorithm is run, when the data is collected. So there will be some time obviously before the initial screening of the passenger to see that and analyze that- thatís why we come in a certain number of hours before the flight instead of just at the flight.
Q: One privacy advocate says and Iíll let you knock it down- he says that what CAPPS II does is that for the very first time the U.S. government is telling travelers whether or not they can travel- thatís never happened in the history of this country. Do you see it as that?
A: Nuala OíConnor Kelly - I do not see it as the government canít travel. I think itís the government trying to secure a form of transportation that has been the focus of an on-going terrorist attention. I think the government would be not diligent in its efforts and would be failing the American people to not be thinking about the most superior technological and human innovation to make airlines safety and security better. But it is absolutely not true that we are telling people that they canít fly- in fact what we are doing by strengthening the air system is telling people that they should fly and that they should be confident when they are flying. When you suggest that I am going to knock down what the privacy advocates say thatís actually a faulty assumption- I talk to privacy advocates probably than I work with at Homeland Security. I think there is a great deal of misinformation about the program. I think we do need to continue a responsible debate about the scope of the program, about the impact of the program on innocent travelers but I also think we need to have a conversation about how we are addressing security in this mode of transportation. As you all know, didnít British Airways cancel another flight today? It is an on-going focus of risk and of threat in this country and elsewhere and I think we owe it to the citizens to get this right.
Q: I donít think Congress was real happy with the report because a lot of them want CAPPS II- do you think this will undermine Congressional support?
A: Nuala OíConnor Kelly - I will say itís a fair report.