PNR Data Targeted for Air Security

Revised plan limits information gathering; industry groups still question access controls.

By: R. Scott Macintosh

The Transportation Security Administration intends to access the airline ticketing technology used by travel agents to obtain passenger information for its security screening system.

New details of the TSA’s controversial Computer Assisted Passenger Prescreen-ing System, otherwise known as CAPPS II, were published recently in the Federal Register.

The system, as it now is envisioned, will use an airline’s passenger reservation system or a global distribution system to access a traveler’s Passenger Name Record.

The TSA notes that a passenger’s name, home address, home phone number and date of birth are the main pieces of information needed for the CAPPS II program, but it plans to use all of the information entered into the PNR.

The TSA has reduced the information it intends to collect and the length of time that information will be kept.

However, the new proposal now leaves questions about the ability of travel agents and corporate travel managers to protect sensitive client information that is often used when booking airline tickets.

“We’re certainly concerned about it,” said Mark Williams, president of the Association of Corporate Travel Executives. “Again, the concerns are about who is going to have access to that data. There are still a lot of unknowns.” Once PNR data is collected, it will be analyzed in commercial databases in order to confirm a passenger’s identity.

The agency has not said which commercial databases will be used.

The TSA, which is part of the Department of Homeland Security, is responsible for developing a new security system for the commercial airline industry.

Privacy activists and members of Congress criticized the original CAPPS II system, introduced last January, as too intrusive, prompting the TSA to refine its scope.

The original proposal sought to access credit history and medical records and to hold the data for 50 years.

Once CAPPS II has a passenger’s data, it will run an internal risk assessment using national security information provided by the federal government. Based on the outcome, a “risk score” will be assigned to each passenger. The revised system still “will enable TSA to have a reasonable degree of confidence that each passenger is who he or she claims to be,” the notice states.

The TSA, which can adopt its own regulations after following review procedures, has said it will not keep information on law -abiding U.S. citizens any longer than a few days after the completion of their trips. It has said it intends to have the system in place by January 2004.

The TSA has been testing the CAPPS II system since it first was proposed, but it has not been using real passenger data.

Limited testing with personal data will be done, but is still several months off, according to the TSA.

The notice does not mention by name any airlines or GDS companies that will be involved in future tests.

However, Galileo has said it held limited discussions with the TSA and it will cooperate with testing.