[House Hearing, 110 Congress] [From the U.S. Government Publishing Office] ENSURING AMERICA'S SECURITY: CLEANING UP THE NATION'S WATCHLISTS ======================================================================= HEARING before the SUBCOMMITTEE ON TRANSPORTATION SECURITY AND INFRASTRUCTURE PROTECTION of the COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED TENTH CONGRESS SECOND SESSION __________ SEPTEMBER 9, 2008 __________ Serial No. 110-135 __________ Printed for the use of the Committee on Homeland Security [GRAPHIC] [TIFF OMITTED] Available via the World Wide Web: http://www.gpoaccess.gov/congress/ index.html __________ U.S. GOVERNMENT PRINTING OFFICE 47-173 WASHINGTON : 2009 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 COMMITTEE ON HOMELAND SECURITY Bennie G. Thompson, Mississippi, Chairman Loretta Sanchez, California Peter T. King, New York Edward J. Markey, Massachusetts Lamar Smith, Texas Norman D. Dicks, Washington Christopher Shays, Connecticut Jane Harman, California Mark E. Souder, Indiana Peter A. DeFazio, Oregon Tom Davis, Virginia Nita M. Lowey, New York Daniel E. Lungren, California Eleanor Holmes Norton, District of Mike Rogers, Alabama Columbia David G. Reichert, Washington Zoe Lofgren, California Michael T. McCaul, Texas Sheila Jackson Lee, Texas Charles W. Dent, Pennsylvania Donna M. Christensen, U.S. Virgin Ginny Brown-Waite, Florida Islands Gus M. Bilirakis, Florida Bob Etheridge, North Carolina David Davis, Tennessee James R. Langevin, Rhode Island Paul C. Broun, Georgia Henry Cuellar, Texas Candice S. Miller, Michigan Christopher P. Carney, Pennsylvania Yvette D. Clarke, New York Al Green, Texas Ed Perlmutter, Colorado Bill Pascrell, Jr., New Jersey I. Lanier Lavant, Staff Director Rosaline Cohen, Chief Counsel Michael Twinchek, Chief Clerk Robert O'Connor, Minority Staff Director ______ SUBCOMMITTEE ON TRANSPORTATION SECURITY AND INFRASTRUCTURE PROTECTION Sheila Jackson Lee, Texas, Chairwoman Edward J. Markey, Massachusetts Daniel E. Lungren, California Peter A. DeFazio, Oregon Ginny Brown-Waite, Florida Eleanor Holmes Norton, District of Gus M. Bilirakis, Florida Columbia Paul C. Broun, Georgia Yvette D. Clarke, New York Peter T. King, New York (Ex Ed Perlmutter, Colorado Officio) Bennie G. Thompson, Mississippi (Ex Officio) Michael Beland, Director & Counsel Natalie Nixon, Deputy Chief Clerk Coley O'Brien, Minority Senior Counsel (II) C O N T E N T S ---------- Page Statements The Honorable Sheila Jackson Lee, a Representative in Congress From the State of Texas, and Chairwoman, Subcommittee on Transportation Security and Infrastructure Protection.......... 1 The Honorable Daniel E. Lungren, a Representative in Congress From the State of California................................... 4 The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Chairman, Committee on Homeland Security.............................................. 6 Witnesses Panel I Mr. Edmund ``Kip'' Hawley, Assistant Secretary, Transportation Security Administration, Accompanied by Mr. Greg Wellen, Assistant Administrator, Transportation Threat Assessment, Transportation Security Administration: Oral Statement by Mr. Hawley................................... 8 Oral Statement by Mr. Wellen................................... 9 Joint Prepared Statement....................................... 10 Mr. Richard S. Kopel, Principal Deputy Director, Terrorist Screening Center: Oral Statement................................................. 14 Prepared Statement............................................. 15 Ms. Cathleen A. Berrick, Director, Homeland Security and Justice Issues, Government Accountability Office: Oral Statement................................................. 18 Prepared Statement............................................. 19 Panel II Ms. Denise Robinson, Private Citizen: Oral Statement................................................. 41 Prepared Statement............................................. 43 Mr. John M. Meenan, Executive Vice President and Chief Operating Officer, Air Transport Association: Oral Statement................................................. 45 Prepared Statement............................................. 46 Ms. Lillie Coney, Associate Director, Electronic Privacy Information Center: Oral Statement................................................. 47 Prepared Statement............................................. 49 ENSURING AMERICA'S SECURITY: CLEANING UP THE NATION'S WATCHLISTS ---------- Tuesday, September 9, 2008 U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Transportation Security and Infrastructure Protection, Washington, DC. The subcommittee met, pursuant to notice, at 2:17 p.m., in Room 311, Cannon House Office Building, Hon. Sheila Jackson Lee [Chairwoman of the subcommittee] presiding. Present: Representatives Thompson, Jackson Lee, DeFazio, Norton, Clarke, Lungren, and Brown-Waite. Ms. Jackson Lee [presiding]. The subcommittee will come to order. The subcommittee is meeting today to receive testimony on ``Ensuring America's Security: Cleaning up the Nation's Watchlists''. It is appropriate, as we are joined by the Chairman of the full committee, who has been noted as one of the Nation's leading champions of securing this Nation, that we hold this hearing on the day of the issuance of a report by an organization that includes the membership of Lee Hamilton, a member of the 9/11 Commission, that indicates that America is in the line of a terrorist incident involving bioterrorism and, certainly, nuclear products. The reason why I make mention of this is the importance of a secure, reliable watchlist for those who are destined to do us wrong is necessary so that we can provide for the protection of Americans. This should be a primary concern not only of this committee, of this Congress, but also of this Nation. Our witnesses today will testify about the so-called terrorist watchlists and about the steps TSA is taking to improve how passengers are checked against that list. Good afternoon. I am eager to convene today's hearing to evaluate the progress made by the Department of Homeland Security on one of the most important recommendations made by the 9/11 Commission regarding aviation security. Two days from now we will mark the seventh anniversary of the attack on the United States by terrorists using our own commercial airplanes. The 9/11 terrorist hijacking not only scarred the American public by killing thousands of innocent citizens, but also dawned a new era in Government. The policymakers must endeavor to keep the American safe without eroding democratic values and principles. Today's hearing will take a closer look at what the Federal Government is doing to improve intelligence-driven security programs as highlighted in the 9/11 Commission report. Certainly, the practice of watchlisting individuals plays an important role in identifying possible terrorist suspects. It is important to keep in mind that the watchlist is only as good as the information on it. Without accurate or complete and reliable information, the purpose of the watchlist is frustrated, the database becomes unreliable, and misidentifications persist. Just last year the Government Accountability Office and the Department's screening coordination office expressed concerns to the full committee regarding the margin of error that exists in information gathering related to the database that feeds the watchlist. Today I am determined to learn from our witnesses about to what extent these concerns have been addressed. Getting the watchlist fixed and reducing misidentifications is a particularly difficult challenge, but as I started out, it is the underpinnings of the security of this Nation. Get the bad guys; release the innocent. In order to do so, all of the intelligence and law enforcement components that populate the list must come together and work collectively to clean it up. This subcommittee has been advocating such coordination for some time, and I encourage the TSA to move quickly down this path. Let me thank Congresswoman Yvette Clarke for her very thoughtful legislation that added an additional form of relief for those who have been subjected to misidentification on the watchlist. In addition to the watchlist, I remain highly concerned about the TSA's lack of demonstrated progress in implementing the Secure Flight program. Earlier this year Assistant Secretary Hawley told the subcommittee that TSA is approaching its final planning stages for Secure Flight, notwithstanding the troubled history of Secure Flight's $200 million program. Let me suggest that the administrator, Assistant Secretary Hawley, is here today in spite of some difficult security issues and challenges that he is facing. We are glad that he is here. He is also well aware of the concern of this committee, and I am very gratified to indicate that he is willing to work with this committee, recognizing that we have been focusing on Secure Flight and recognizing that there is no final rule. I believe it is important that we legislate this process and work with all of those concerned to ensure that we might move this along effectively, inasmuch as I believe that TSA will be able to move quickly with a legislative initiative that I intend to offer to this committee. We are finding out that the TSA--and I hope it will be affirmed by Assistant Secretary Hawley--has in fact met the criteria to move forward on Secure Flight. I hope that he will affirm that, and that we will be able to address our concerns, our urgent concerns, with the legislative initiative from this committee. Until Secure Flight is operational, redress is the only real recourse for an American who is repeatedly stopped or delayed at airports and border crossings because he or she is misidentified as a terrorist threat. Since April 2008, over 32,000 Americans have sought redress through the DHS Travel and Redress Inquiry Program, also known as DHS TRIP. If we can get a legislative fix of Secure Flight, that will be an answer to many of the concerns we will hear today. That will answer the questions of thousands of Americans and others who are unfairly or misidentified on the watchlist. Unfortunately, the effectiveness of DHS TRIP remains questionable, as individuals who have gone through the redress process continue to experience problems when traveling. Today we will look at TSA's policies and administration of the cleared list, which contains the names of individuals who have completed the redress process and have been subsequently cleared. The use of the cleared list by air carriers when screening the passengers again against the watchlist match must also be thoughtfully reviewed. Again, I reiterate it may be an important time for a legislative initiative on Secure Flight. Again, as I mentioned, I want to thank Congresswoman Yvette Clarke, because on June 18, 2008, the House unanimously passed H.R. 4179, the Fair, Accurate, Secure and Timely Redress Act introduced by my colleague from New York, Congresswoman Yvette Clarke. Under the FAST Redress Act, the cleared list would be shared throughout DHS and with other Federal agencies that use the terrorist watchlist or database. I commend my colleague for her effort to address this issue expeditiously. At this time I would like to acknowledge the presence of two people who flew here from California at their own expense to attend today's hearing. Ms. Denise Robinson and her son, James, came here today so that Ms. Robinson could describe the troubles her 8-year-old son and the rest of her family have encountered because of the watchlist. Every time young James travels, he has to deal with the delays and hassles of being consistently misidentified. Wouldn't it be wonderful if in today's hearing there could be a coming together of the TSA and this committee and the full committee for a legislative fix that would assist in this particular set of circumstances? Remember, our job is to secure America and to protect democracy. Regrettably, James' story is one among many about which we have heard recently. It is imperative that the watchlist is accurate and narrowly tailored so that it only includes individuals who may wish to do our country harm. I cannot imagine that this administration, working with this committee, with both equally concerned about integrity and about the honesty and fairness of the watchlist, cannot find a solution to this issue. As a member of our second panel, it is my hope that Ms. Robinson's testimony will provide some real world perspective to the problems associated with the watchlist. Without objection, James will be allowed to sit with his mother at the witness table during the second panel today, though he will not be testifying or answering questions. Hearing no objection, it is so ordered. Once again, I would like to thank everyone for their participation today, and I look forward to hearing from our witnesses. I am now pleased to recognize the Ranking Member of the subcommittee, a gentleman who has worked closely with us throughout our time in the 110th Congress, and this is the distinguished gentleman from California, Mr. Lungren, for an opening statement. Mr. Lungren. Thank you very much, Madam Chairwoman. Nice to see all of you, after being gone for about 5 weeks. I must say that, having just come back from Minneapolis-St. Paul, I feel much better than I did 5 or 6 weeks ago. As we approach the seventh anniversary of 9/11, that horrific terrorist attack which called 3,000 innocent Americans, it is fitting that we focus, as we are here today, on watchlist matching, which is now one of our first lines of defense for aviation security. A consolidated terrorist watchlist was one of the key recommendations made by the 9/11 Commission, and I agree with the commission's recommendation. I believe that terrorist watchlist matching is a critical first layer of aviation security. Terror watchlists keep legitimate terrorist threats off airplanes every day all over the world. We always have the problem, and we have to confront the problem of having people on that list that ought not to be on the list. I hope that we can solve that. As one who has a new artificial hip, I hope they can solve the problem of the pat-downs I get every time I go through as well. But I understand that there are certain inconveniences and some imperfections in the system, and we need to work to alleviate those problems as best we can. But we also have to understand why we are engaged in these inconveniences. I have to remind myself every time I go through, because I know despite the fact I am going to tell him exactly where the hip is and where it is, I am still going go through that pat-down. Part of the formation of the Terrorist Screening Center, the TSC, watchlists were maintained by a dozen different Federal agencies, I believe. This created inconsistent and disjointed approaches to sharing information on individuals with possible links to terrorism. Combining these multiple terror watchlists into one consolidated list of known or suspected terrorists was to be the mission of the Terrorist Screening Center when it was established in September 2003. I believe it was a major accomplishment. The Terrorist Screening Center is administered by the FBI in collaboration with DHS and the National Counterterrorism Center. This consolidated terror watchlist has approximately 1 million names representing less than 400,000 actual persons due to multiple names, misspellings and aliases. As I understand it, the number of Americans on the watchlist now is less than 13,000. But unfortunately, name matching is not a precise science, to say the least. Even the TSC's consolidated watchlist is only as good as the information contained on the list. If the name is the only information available, then name matching will be problematic. As always, additional information will be necessary to distinguish the innocent from the terrorist with the same name. TSA and their airline partners should share more information and eliminate or significantly reduce the name mismatches. At least that is my hope, but a name and a date of birth could resolve most of these name-matching discrepancies. I do recall the tension that we had a number of years ago when we were trying to deal with this issue. The question was how much information--commercial information--should the Government have in its possession, not to put people on the watchlist, but to match against those that we had on a preliminary watchlist to knock them off because of additional data. There was a question we had of privacy. Do we want to give the Government too much information that they hold in their hands for us? So maybe in the testimony that we are going to hear, we can see how that has been addressed and if we need to address it further and if you need some legislation on it. So I mean I think people need to understand if you are going to take my name off the list, one of the ways you can do it is by going against other data--in most cases, that is commercially available data--run that against that list, be able to ferret out those that don't belong on there, but at the same time how do we protect the privacy interests that have come up? Hopefully, we can deal with that question. The terror watchlist redress procedure also, as we know, needs updating. Representative Clarke addressed this issue of privacy constraints in her legislation, H.R. 4179, the Fast Redress Act of 2008 mentioned earlier by the Chairwoman. It passed this committee and the House of Representatives with bipartisan support. There was nothing partisan about it whatsoever. But I understand it was referred to the Senate Commerce Committee, where it remains today. They could have held it at the desk and dealt with it right away, and we could have gotten that out. So, hopefully, if anybody listens to what we are doing here, they might hear over on the Senate side that we should speed up the redress process. We did it on a bipartisan basis here. I don't see why there should be any problem on the Senate side to get that done as quickly as possible. I think it would help, at least unless I am told differently by our panels here, that it would help in clearing the names of innocent watchlist victims like Denise Robinson's son, as well as Congressman John Lewis. At least that was our intention when we passed it here. I don't know why the Senate doesn't just take our good work once in a while and move so that we can start working on our side. I mean I think really with these witnesses here, we are going to find out where we think they haven't done enough on their side, but on our side we need the Senate to act. The long-awaited Secure Flight program will greatly improve, in my judgment, the existing name-based screening process. TSA will assume the terror watchlist matching responsibility at the beginning of 2009 for passengers on all flights within the United States, and ultimately for international flights departing and arriving in the United States. As the Chairwoman suggested, Secure Flight will provide the additional identifying information necessary to eliminate mismatching innocent passengers to terrorist suspects in the screening process. So, hopefully, with the legislation we passed, and if the Senate would act on, with the Secure Flight and with answering this question as to how much commercial information or how you would query commercial databases in an efficient way so that we can clear up these names that ought not to be on there, we might be able to solve of the problems that we are really legitimately looking at here today. So I am hopeful the final rule for the important program of Secure Flight will be issued shortly by TSA. I join the Chairwoman in thanking our witnesses for being here and look forward to hearing from them. Thank you very much. Ms. Jackson Lee. I thank the Ranking Member for his collaborative statement and hope that we can work together as we look at a way to legislate and hopefully think of that as a vehicle. We will not get into the blame game of who is not moving fast enough. I think it is important that we reach out to the Senate on the legislation of Congresswoman Clarke. If we move as quickly as I expect, and work in a bipartisan manner through this committee on legislation that might expedite Secure Flight, that we move out as fast as we could to the Senate and work with them. September 11 should remind us--all of us--of the need of securing this Nation as we come upon that commemoration. It is now the pleasure of the Chairwoman to recognize the Chairman of the full committee, the gentleman from Mississippi, Mr. Thompson, who I mentioned before, who has become a standard-bearer of securing the homeland. I yield to the distinguished gentleman. Mr. Thompson. Thank you very much, Madam Chairwoman, for convening this important hearing today. When most people hear about the terrorist watchlist, they think of flying and about the No-Fly List they hear about on TV. But the watchlist is much broader than that. It is used by a number of different Federal agencies, including TSA, Customs and Border Protection, the State Department and other Federal, State, local, territorial and tribal law enforcement agencies. Since the Terrorist Screening Center was created, we have seen some real progress in taking multiple watchlists and combining them into one functional list. Now, we will have a question during this hearing, because we understand that there is a problem when you take multiple watchlists, because sometimes it involves a data dump, and you don't know whether you got good stuff or bad. What happens is everything shows up on the list. We will talk a little bit about that. In the process of putting these lists together, we have stopped some really bad people from entering the country, and that is good. Director Boyle and the Terrorist Screening Center and his employees, such as Mr. Kopel, ought to be commended for doing a good job. But we also have seen the pitfalls of maintaining such a list. We continue to see it grow with the addition of the names of thousands of Americans. I am concerned with the quality of the data, privacy concerns and the civil liberties of individuals, whose names are on that list. I look forward to hearing from Ms. Lillie Coney from the Electronic Privacy Information Center, who is here to speak about the privacy concerns related to the watchlist. In the past this committee has explored questions involving the collection and maintenance of the terrorist screening database. Today we will follow up on any progress made by the Federal Government in its efforts to reduce the amount of misidentifications while providing a critical layer of security. Our Ranking Member talked about Congressman John Lewis' continuous saga of being misidentified. One of the problems I want to talk about a little bit is why do we put the burden on airlines? We have a number of airlines, domestic airlines here in the country, and my understanding is each airline has to maintain its own system. So if Congressman Lewis is interested in not being detained, then he has to go to each individual airline in order to get cleared. That is a laborsome process. We have been told that maybe Secure Flight is the answer. We are not sure, but we are going to have to fix it. So I look forward to the witnesses' testimony, and I yield back the balance of my time. Ms. Jackson Lee. We thank the Chairman of the full committee for his statement. Might I acknowledge the presence of Members of the committee--Mr. DeFazio of Oregon, Ms. Clarke of New York, and Ms. Brown-Waite of Florida? Other Members of the subcommittee are reminded that under the committee rules, opening statements may be submitted for the record. I welcome our first panel of witnesses. Our first witness, Greg Wellen. Greg Wellen is the assistant administrator of Transportation Threat Assessment and Credentialing Office at TSA. Mr. Wellen oversees the development and deployment of security programs such as Secure Flight and other threat assessment tools managed at TSA. Our second witness is Mr. Richard Kopel. Mr. Kopel is a terrorist threat tracking officer in the Department of Homeland Security's Office of Intelligence and Analysis. He is currently assigned as the principal deputy director of the Terrorist Screening Center. Mr. Kopel has had an extensive career in public service, as well as experience in the private sector. Our third witness is Ms. Cathleen Berrick from the Government Accountability Office. We welcome Ms. Berrick, who routinely testifies before this subcommittee and full committee, for providing insight that is constructive as relates to their analysis. We are looking forward to her assessment of the progress made by TSA to Secure Flight and related security directives. Without objection, the witnesses' full statements will be inserted into the record. I now ask each witness to summarize his or her statement for 5 minutes. I also ask unanimous consent that, as I indicated, that the assistant secretary is dealing with a number of security issues as we speak, to yield to Mr. Hawley, who is part of Mr. Wellen, for a brief remark, and I know that we will be able to hear from Mr. Wellen. So with unanimous consent, Mr. Hawley, you are recognized. STATEMENT OF EDMUND ``KIP'' HAWLEY, ASSISTANT SECRETARY, TRANSPORTATION SECURITY ADMINISTRATION, ACCOMPANIED BY GREG WELLEN, ASSISTANT ADMINISTRATOR, TRANSPORTATION THREAT ASSESSMENT, TRANSPORTATION SECURITY ADMINISTRATION Mr. Hawley. Thank you very much, Madam Chairwoman, Ranking Member Lungren, Mr. Chairman and Members of the committee. I am pleased to be here with Greg Wellen, who is a 25-year Government executive who is the program manager for these security screening programs such as Secure Flight and TWIC. Greg will identify a lot of the issues that we have discussed here. I just wanted to have a couple of overall comments--one, that I think the partnership is critical and is good, that the committee has been very attentive to this issue and given clear direction on Secure Flight coming fast, that it be effective and that it be secure of protecting privacy. I believe all of those things are now in position to happen. The second thing is that the partnership with the Terrorist Screening Center, who is the custodian of the watchlist, and with the airlines, who are our partners in implementing it, that those are critical relationships, and I believe they work well. The punch-line to the American people is that if someone is identified by an agency of the U.S. Government as being unsafe to have on an aircraft, that we are today effectively preventing that from happening. So that is probably the most important thing, and that is happening. We are all aware of the issues that involve people such as our guests from California, who are not watchlisted, but who, through the process, may somehow end up thinking that they are. I think that is a very right issue for us to evaluate. But as far as what the Chairman was talking about in terms of Secure Flight being the answer, I believe it is. With the four parts of getting that implemented--the authority to do it, the privacy, the technical readiness and our work with the partners--that the authority depends on the rule coming out, which we hope will happen in October or November. The privacy issues I believe have been resolved, which Mr. Wellen will describe. The technical issues have been resolved, which Mr. Wellen will be describing--even working with the partners. So those are the pieces, those are the moving parts of getting Secure in place, and I believe we are in a position where working together we can get that in place in early 2009. And Mr. Wellen, if time permits. Ms. Jackson Lee. Mr. Wellen. Thank you very much, Assistant Secretary. We will have a question or two for you. Mr. Wellen. STATEMENT OF GREG WELLEN Mr. Wellen. Good afternoon, Chairwoman Jackson Lee, Ranking Member---- Ms. Jackson Lee. You are recognized for 5 minutes. Mr. Wellen [continuing]. And Members of the subcommittee. Thank you for the opportunity to appear before you today to discuss TSA's Secure Flight program and our effective use of the TSC watchlist. I first want to introduce myself to the subcommittee. My name is Greg Wellen, and I am the assistant administrator of TSA's Office of Transportation Threat Assessment and Credentialing, which oversees the Secure Flight program. Prior to joining TSA, I worked for more than 25 years as an intelligence community officer for the National Security Agency. I am a career Government service, and I transferred to TSA in April of this year. First, to be clear, identification matters. If we believe we have intelligence that may lead us to people who are planning terrorist attacks, we absolutely must use that information. When the TSC intelligence committee identifies someone who meets the criteria for a person who should not fly, we, TSA and the airlines have to make sure that person does not get on a plane. Basic watchlist name matching is something everybody agrees must be done effectively. The problem we face is not an overgrown watchlist with too many names or names that don't matter. The real issue is how to match actual passenger names against those very important names that are on the TSC watchlist. TSA does not control how airlines match names. That is a business decision that each airline must make. Each airline has a different process for using the watchlist to match names. One carrier may have a sophisticated computer system that uses robust filters to clear names. Another carrier may check names manually or use a less advanced software program. The result is inconsistency between airlines and inconvenience to their passengers. The problem is solved when the same method is used to clear a passenger from the list. That answer is Secure Flight. TSA is working in partnership with the airlines to enhance their ability to avoid delays of passengers with names similar to those on the watchlist. Hassles due to misidentification and the need to stand in line at the ticket counter is a consistent complaint by the traveling public, and we share that concern. Thousands of passengers are inconvenienced each day. Secretary Chertoff announced in April the flexibility given to the airlines to create a system to verify and securely score a passenger's date of birth to clear up watchlist misidentification. By voluntarily providing this limited biographical data to an airline, travelers who were previously inconvenienced on every trip now have an opportunity for a better travel experience. More airlines need to take advantage of this process to quickly verify that a passenger is not the person on the terrorist watchlist. TSA has made sure that Secure Flight is the best way possible to match names. Our goal is to stop the people who need to be stopped and let other passengers go through freely. In 2005 GAO and the Secure Flight working group issued reports saying that more needed to be done in terms of privacy and program integrity for Secure Flight. In February 2006 Administrator Hawley testified that we would re-beat baseline Secure Flight to address the concerns expressed in the report. TSA significantly upgraded the design and development of the program, and the implementing rule has received public scrutiny and discussion. The rule is now in the final stages of administrative review. Today I am pleased to announce a significant milestone in the implementation of Secure Flight. Secretary Chertoff has certified that TSA has successfully met the 10 conditions required by Congress as outlined in the 2005 DHS Appropriation Act. This paves the way for Secure Flight to commence operations as planned in January 2009. Administrator Hawley invites all airlines to participate in the test process so that their passengers benefit from the convenience of Secure Flight. I am confident that we have the right team in place to make Secure Flight a success moving forward. While some may say it is difficult to balance increased security while protecting individual rights, TSA is very clear that privacy and security are essential ingredients, and both have been built directly into the Secure Flight program. Secure Flight will result in better security and create a more consistent and uniform pre-screening process for passengers while at the same time reducing misidentifications. Thank you for the opportunity to appear today. I would be happy to answer any questions. [The joint statement of Mr. Hawley and Mr. Wellen follows:] Prepared Statement of Edmund ``Kip'' Hawley and Greg Wellen September 9, 2008 Good afternoon, Chairwoman Jackson Lee, Ranking Member Lungren, and Members of the subcommittee. Thank you for the opportunity to appear before you today on behalf of the Transportation Security Administration (TSA) and the Department of Homeland Security (DHS) to discuss our continuing efforts to improve the aviation security environment through the development of the Secure Flight program and to effectively use intelligence to prevent terrorists from using the transportation system to gain entry to or harm the United States. First, I would like to thank the subcommittee for its significant efforts to support TSA's progress in implementing new security approaches. Over the past 2 years, many of the new strategies we have discussed--behavior detection techniques, Visible Intermodal Prevention and Response (VIPR) teams, travel document checking, Checkpoint Evolution--have matured into important, visible components of our layered security approach. Your sustained, personal attention and oversight have been vital to the success of our security strategy. I would also like to acknowledge the strong working relationship TSA shares with the Terrorist Screening Center (TSC) and the Government Accountability Office (GAO) in carrying out our transportation security mission. I am pleased to appear on the panel today with Mr. Kopel of the TSC and Ms. Berrick of the GAO. The National Commission on Terrorist Attacks Upon the United States (9/11 Commission) placed a strong emphasis on enhancing the use of watchlists as part of a layered aviation security system. The 9/11 Commission's final report recommends that the watchlist matching function should be performed by TSA and that air carriers should be required to supply the information needed to test and implement this new system. TSA's aviation security strategy relies upon an interlocking system of multiple layers of security. Key to this system is the use of intelligence to both develop countermeasures against terrorist threats and to intervene directly when threats become apparent. One of the most important tools in the fight against terrorism is the U.S. Government's consolidated Terrorist Screening Database (TSDB). Prior to 9/11, information about known or suspected terrorists was dispersed throughout the U.S. Government, and no single agency was charged with consolidating it and making it available for use in terrorist screening. Under Homeland Security Presidential Directive (HSPD) 6, the TSC now provides ``one-stop shopping'' so that every Government agency is using the same TSDB--whether it is TSA, a U.S. consular official issuing visas overseas, or a State or local law enforcement officer on the street. The consolidated system allows Government agencies to run name checks against one comprehensive database with the most accurate, up-to-date information about known and suspected terrorists. The consolidated system provides the critical nexus between the work of the intelligence and law enforcement communities and the rest of the counterterrorism community. Our partners in the law enforcement and intelligence communities work tirelessly and in some cases under great physical danger to identify individuals who pose a terror threat. It would be dangerous and negligent not to use this information to our advantage. TSA is constantly adapting to the ever-changing threat environment and improving our people, processes, and technology to detect and deter threats. As important as it is to detect threat objects, it is imperative that we use intelligence to aid in the identification and interception of the people who would do us harm. TSA utilizes subsets of the TSDB--the No-Fly and Selectee lists. A nominating agency can recommend that a known or suspected terrorist be placed on the No-Fly or Selectee list if the individual meets specific criteria for inclusion on that list. Terror watchlists keep legitimate terror threats off airplanes every day, all over the world. There are significantly fewer than 50,000 individuals on the No-Fly and Selectee lists and only a small percentage of those are in the United States. The lists are reserved for known or suspected terrorists who have reached a threshold where they should not be allowed to fly or should receive additional scrutiny before boarding an aircraft. Using the No-Fly and Selectee watchlists, TSA can quickly evaluate passengers to determine if they have a known or suspected link to terrorism or pose a threat to national security and to prevent passengers with known or suspected links to terrorism from boarding aircraft. The No-Fly and Selectee lists are made available for passenger prescreening to air carriers flying into, out of, or within the United States for passenger pre-screening. As part of their shared responsibility for aviation security, air carriers play a critical role in ensuring that individuals on the No-Fly list do not board aircraft. Air carriers must conduct watchlist checks in advance of issuance of boarding passes, and they must notify the TSA of a match to the No-Fly list. TSA then notifies the TSC and the FBI, which coordinate the operational response with law enforcement and other agencies and foreign partners as appropriate. Air carriers must also ensure that a match to the Selectee list is subject to secondary screening prior to boarding an aircraft. Aside from a Selectee match, an individual may be subject to secondary screening based on the Computer-Assisted Passenger Prescreening Systems (CAPPS), as a result of our behavior detection officers, or through other random and unpredictable screening processes we have employed at the checkpoint as part of our layered security system. passenger verification and redress We are all aware of recent news reports about individuals with names similar to those on watchlists who are experiencing delays and inconvenience at the airport. The current prescreening system is effectively catching the people we need to identify, but it is also flagging people with similar names. Recognizing the impact of screening on the public, particularly where only name-based checks are conducted, TSA and other DHS agencies have incorporated redress into their screening programs. DHS has implemented the DHS Traveler Redress Inquiry Program (DHS TRIP), which provides a central gateway for travelers to obtain information about screening and redress as well as a central contact to DHS regarding their adverse screening experiences. Travelers, regardless of their nationality, citizenship, or immigration status, can submit inquiries via the DHS TRIP website, email, or postal mail. The DHS TRIP Program Office, using its redress management system, assigns redress requests to the Department of State or appropriate DHS agencies, ensures coordination of responses, and has instituted performance metrics to track progress. The DHS TRIP Program Office ensures that the cases are then reviewed and resolved, as appropriate, and that travelers receive an official response. DHS TRIP receives approximately 3,600 requests for redress per month. Since DHS TRIP began in February 2007 through August 31, 2008, the DHS TRIP system has logged over 41,000 requests for redress. Over 22,000 applications have been adjudicated and closed with an average response time of just over 60 days. The 60-day response time includes the duration from the date an initial on-line application is submitted through the date the supporting documents are received to the date the inquiry is closed. Once a redress request associated with No-Fly and Selectee List matching is processed, the cleared individual is also added to the TSA Cleared List that is provided to air carriers. The Cleared List is intended to be used by the airlines to distinguish false matches from actual matches as they perform No-Fly and Selectee List matching. TSA has been working collaboratively with airlines to enhance the ability to avoid delays of passengers with names similar to those on watchlists. Hassles due to problems in verification and the resulting necessity to stand in line to check in at the ticket counter is a consistent complaint by the traveling public. Many passengers are inconvenienced each day. In April 2008, DHS provided air carriers with more flexibility to allow passengers to check in remotely on-line or at a kiosk who had previously been unable to do so because they have a name similar to someone on a watchlist. Airlines are now able to create a system to verify and securely store a passenger's date of birth to improve passenger verification. By voluntarily providing this limited biographical data to an airline and verifying that information once at the ticket counter, travelers who were previously inconvenienced on every trip now have an opportunity for a more convenient travel experience. More airlines need to take advantage of this process. With implementation of Secure Flight, TSA soon will take over passenger watchlist matching and resolve many of the inconveniences passengers are experiencing with verification under the current system. Until Secure Flight is implemented, however, TSA believes airlines need to do more to alleviate the inconvenience to passengers, including changing procedures for watchlist filtering and improving communications with passengers concerning their status. The decision to invest in improving their watchlist filtering systems may be basically a business decision for air carriers. For TSA, however, this is a very serious concern. TSA is also concerned that airline employees are misinforming passengers about whether they are on a terrorist watchlist. This practice affects public perception of the watchlists, undercuts the credibility of the security system, and potentially puts at risk sensitive information. TSA has conducted outreach to the air carriers on this issue and has provided guidance as to what to say to a traveler who is a potential match. While TSA wishes to continue to work collaboratively with airlines to solve this problem and penalties are not TSA's preferred approach, TSA has authority to impose penalties up to $25,000 per infraction. secure flight TSA is moving forward aggressively to assume responsibility for watchlist matching for both international and domestic air passengers through Secure Flight. Secure Flight will close a critical aviation security gap and reduce the vulnerabilities associated with watchlist matching performed by the airlines. Under Secure Flight, watchlist matching will be more effective, efficient, and consistent, offering improvements in both security and customer service for the traveling public. Secure Flight will add a vital layer of security to our Nation's commercial air transportation system while maintaining the privacy of passenger information. TSA evaluated and realigned Secure Flight in 2006 to ensure that privacy and security serve as the very foundation for the system. The realignment established the basic infrastructure and fundamentals of a rigorous program including extensive program management elements. The effort ensured privacy practices are built into all areas of the program. Secure Flight will improve aviation security by providing:Early knowledge of potential watchlist matches; Earlier law enforcement notification; Decreased chance of compromised watchlist data because of its limited distribution; Enhanced use of the Redress Process and Cleared List; Consistent watchlist matching process across all aircraft operators; and Privacy protections for individuals. TSA currently plans to begin full operation of Secure Flight in January 2009 with a limited number of aircraft operators. The final schedule for implementation will depend on fiscal year 2009 funding and publication of the Secure Flight Final Rule, which currently is in the final stages of administration review and is anticipated to be published this fall. The Final Rule is the product of extensive consultations with air carriers and other stakeholders, as well as an extended public notice and comment period that resulted in the inclusion of robust privacy protections. In the interim, TSA has conducted extensive systems testing in preparation for Secure Flight's launch and has re-programmed additional funds to accelerate development of the program. DHS is moving swiftly toward achieving another significant Secure Flight milestone, the certification that TSA has completed all ten of the following Secure Flight conditions required by the Department of Homeland Security Appropriations Act, 2005, Pub. L. 108-334: System of due process (redress) established; System error rate will not produce a large number of false positives; Accuracy of the system has been stress-tested; DHS has established internal oversight board; TSA has sufficient operational safeguards to reduce opportunities for abuse; Substantial security measures are in place to prevent hacking; Effective oversight of the use and operation of the system is in place; No specific privacy concerns with system architecture; States with unique transportation needs are accommodated; and Appropriate life-cycle cost estimates and program plans exist. A certification report is currently in final review. TSA also has worked closely with the GAO over the past several years as Secure Flight has progressed, meeting regularly and sharing substantial information and documents on plans and testing, with the goal of keeping GAO well-informed and enhancing GAO's ability to complete its post-certification review. Dedicated office space has been provided for GAO at TSA headquarters to better facilitate their work on this and other programs. Upon completion of the DHS Final Certification Report for Secure Flight, we look forward to providing this report to GAO to begin their review. Extensive consultation with key stakeholder groups, including aircraft operators, aviation associations, privacy advocacy groups, and travel industry associations, has been a critical component of Secure Flight development and has been essential in addressing the issues in the current watchlist matching processes. As a result of this consultation, Secure Flight is designed to address many of the customer service concerns inherent in the current watchlist matching process. Specific customer service benefits include: Integrating DHS TRIP into Secure Flight by using the Cleared List and passenger redress numbers in the automated matching process; Operating a 24-hour, 7-day-per-week Resolution Service Center for aircraft operators to call to resolve potential Secure Flight matches and limit delays for verification of passengers; and Requesting the minimum amount of personal data necessary to conduct effective watchlist matching. Many aircraft operators expressed concerns about the proposed 60- day implementation period. TSA has modified the Secure Flight implementation approach to accommodate the needs for the industry to make changes to systems and processes. TSA has conducted a series of meetings and working sessions on topics including implementation strategy, testing, and outages, and these meetings will continue with the publication of the Final Rule. As we continue to ready Secure Flight for deployment and ensure a smooth transition through parallel testing of the system, we look forward to a continued partnership with the air carrier industry, with whom we share a common goal of keeping dangerous individuals off aircraft while facilitating legitimate passenger travel. conclusion I would once again like to thank this subcommittee for its support for TSA's mission. TSA is making major strides toward implementation of Secure Flight, a step that will enhance transportation security and improve customer service while taking advantage of critical intelligence to prevent a terrorist act against the United States. I look forward to continuing to work together with the subcommittee as we achieve this important goal. Thank you for the opportunity to appear today, and I would be happy to answer any questions. Ms. Jackson Lee. Thank you very much for your testimony. I now recognize Mr. Kopel to summarize his statement for 5 minutes. Mr. Kopel, you might have heard a lot of bells ringing. If you could summarize in under that amount of time, we will recess. Ms. Berrick, we will come back to you, which will give us more time. Then, Mr. Kopel, we will certainly give you ample time with questions. I yield it to you for 5 minutes. STATEMENT OF RICHARD S. KOPEL, PRINCIPAL DEPUTY DIRECTOR, TERRORIST SCREENING CENTER Mr. Kopel. Thank you, Madam Congresswoman, Ranking Member Lungren, Chairman Thompson and the Members of the subcommittee. I thank you for the opportunity to talk about the Terrorist Screening Center and the U.S. Government's watchlisting process. As Congressman Lungren alluded, the TSC is administered by the FBI, but we are truly a multi-agency type task force environment with over 12 different agencies and departments represented at the TSC. Our mission is to consolidate the Government's approach to screening for terrorism. That includes consolidation of the terrorist watchlist, but it also includes setting up a 24x7 call center to aid in the identification support when someone on the watchlist is encountered, coordination with all the encounters through the FBI to ensure that the FBI case agents and individuals are notified of those encounters and can contribute to the encounter process. We also have a formal process for tracking all the encounters to ensure that the appropriate information is collected both on positive encounters when someone does match the watchlist and also for individuals that are not matches or misidentifications to the watchlist. Then another high item on the 9/11 Commission report was the lack of sharing information. The TSC takes all the information collected from encounters with known or suspected terrorists and shares that throughout the U.S. Government counterterrorism efforts. That includes, obviously, the FBI, the originator of the information, and the other departments and agencies doing the CT type work. A big question that seems to be the focus of the hearings are, you know, how does someone get on the watchlist in the first place? Are there significant and sufficient safeguards to keep the people, the innocent person off that doesn't have a connection to terrorism? We have a multi-tiered approach and review process that varies between agencies, but at one point when the originator believes that there is a connection, a reasonable suspicion that there is a connection to terrorism, that nomination, or that name of the individual is submitted to the National Counterterrorism Center for review. The National Counterterrorism Center will review not only the name, but the supporting information on why that person is believed to have a connection to terrorism. If they believe the connection exists, they submit that name to the Terrorist Screening Center. We again reevaluate the supporting information, a third look, if you will, at the supporting data, to determine that that person is indeed the person that we believe should be watchlisted. With all the names on the watchlist are the records in the database. There are times when the wrong person, or a name of a person with a similar name, has issues. We believe that the different screening agencies have processes in place to allow that person to file a redress or ask for help in the watchlisting process. DHS TRIP is a major component of that system. In addition to that, we have put on a full redress team to give our data an independent look when a name comes through the redress process. They will reevaluate all the supporting information to determine if any action has to be taken. For individuals that are unfortunate enough, as our friends from California, to maybe share the name of someone who is on the watchlist, this is the process to go through to help minimize any inconvenience they may experience. In addition to the formal redress that someone may file, we have additionally put on a new program, the Terrorist Encounters Review Process, which proactively looks and determines if a person is on the watchlist or been encountered multiple times and not been the actual person of interest. In those cases we do initiate our own redress process to actually determine if additional action needs to be taken and if we can actually help that person through the cleared process that TSA has, and other agencies. The TSC continues to play a vital role in the war on terrorism. Multiple auditors concur that we have made significant, positive impact on the terrorist screening processes, ensuring that all of our screening agencies have the identifying information they need to identify these persons when they are encountered. We continue to work hard to make our processes better. We understand that everything is not perfect, and we look forward to working those issues with the independent audits that we have had, where we have been able to take that information and actually apply that to making our processes better. Chairwoman Jackson Lee, Ranking Member Lungren and other Members of the subcommittee, I look forward to answering any questions that you may have. [The statement of Mr. Kopel follows:] Prepared Statement of Richard S. Kopel September 9, 2008 Good afternoon Chairwoman Jackson Lee, Ranking Member Lungren, and Members of the subcommittee. Thank you for the opportunity to discuss the Terrorist Screening Database (known as the TSDB or ``terrorist watch list'') and the watchlisting process at large. The Terrorist Screening Center (TSC) is dedicated to consolidating and coordinating the U.S. Government's approach to terrorism screening and facilitating information sharing to protect the Nation and the international community. In addition, the TSC is dedicated to performing its mission while protecting privacy and civil liberties. The dedicated employees at the TSC take their responsibility to these two priorities very seriously. Since it began operations on December 1, 2003, the Terrorist Screening Center (TSC) has assumed a critical role in securing our borders and the safety of the American people by providing to the Nation's entire screening and law enforcement communities the identities of known and suspected terrorists. As directed by Homeland Security Presidential Directive 6 (HSPD-6) Integration and Use of Screening Information, the TSC has combined the numerous terrorist watchlists existing on September 11, 2001 and created the U.S. Government's single consolidated Terrorist Screening Database (TSDB). Every day, the TSC adds, updates and removes records in the TSDB and makes the information available to Federal/State/local entities for terrorist screening. HSPD-6 did not contain any new legal authorities and all screening is performed under the existing legal authority of the screening agency. The TSC also provides: (1) A single coordination point for terrorist screening data; (2) A 24/7 call center to provide identification assistance to screening agencies; (3) Access to a coordinated law enforcement response for any encounter with a watchlisted person; (4) A formal process for tracking all positive encounters; (5) Feedback on all positive encounters with Known and Suspected Terrorists (KST) to the originator, FBI, and other appropriate entities; The Terrorist Screening Center has been the focus of significant attention from Congress and various governmental auditors. The TSC has worked to develop a strong relationship and open communications with Congress and appreciates the support, oversight and constructive criticism it receives from the various committees with which it works. The TSC has taken advantage of the external reviews of its processes and is focused on using the results of these reviews to identify ways to improve its operations. Generally, these auditors have found that the watchlist performs a critical function in securing the Nation from terrorist threats while protecting privacy and civil liberties. Specifically, GAO report 08-110 states, ``[GAO's] analysis of data on outcomes and our interviews with screening agency, law enforcement, and intelligence community officials indicate that the use of the watchlist has enhanced the Government's counterterrorism efforts.'' It also reports that ``[t]he TSC plays a central role in the real-time sharing of information, creating a bridge among screening agencies.'' The TSC has not only assisted in eliminating historical cultural boundaries between and among the intelligence and law enforcement communities but also has provided a physical mechanism to ensure information sharing is done in an efficient manner. The TSC looks forward to continuing the healthy working relationship that it currently has with this and the other committees and subcommittees with which it works. Further, the TSC is working to provide the public with an increased understanding of its mission through the press. The TSC has hosted news reporters and has been engaged with various press outlets to answer questions and clarify the role of the TSC for the American public. It is through this openness that the TSC hopes to rectify many of the misconceptions about its mission, and responsibilities. It is with this in mind that the TSC is reaching out to describe the watchlisting process and to demonstrate its efforts to protect individuals' civil liberties and privacy. Due to the national security nature of TSC's work, however, it is impossible to explain in precise detail how the watchlist is managed. Often, an individual believes he or she is on the watchlist because of an encounter with law enforcement, airport screening or another security-related entity. The actuality is that there are many reasons a person may experience Law Enforcement/Screening delays and only one of these reasons is the watchlist. The TSC works closely with the Department of Homeland Security, the Transportation Security Administration, the FBI, and Federal, State and local law enforcement agencies, and other partners to minimize inconvenience to individuals that are not on the watchlist, but nevertheless have a name that is similar to the name of a known or suspected terrorist. Inclusion on the watchlist is based on specific criteria and a name can be removed from the TSDB by the nominating and investigating agencies reasonably determining the individual is not engaging in terrorism or terrorist activity. It is also critical to understand that the TSC serves to facilitate information sharing on Known or Suspected Terrorists with its partner agencies in the law enforcement, screening and intelligence communities. The watchlist is a tool to assist the screening agency in its legally mandated responsibilities to determine if an individual has a possible connection to terrorist activity. It is a pointer to additional information and is not used to determine if any adverse action should be taken. The TSC, when contacted, will provide identification support and, if the identity is confirmed, will ensure all appropriate information on the individual is supplied to the screening agency to help determine what action, if any, is to be taken. The size of the watchlist is often misreported and there is considerable confusion about the difference between the number of records and individuals. The TSDB reflects sensitive but unclassified identity information concerning individuals reasonably suspected to be engaged in terrorism or terrorist activities. The TSDB is updated daily and contains approximately: Number of Records: 1,000,000 Records; Number of Individuals: 400,000 (3 percent of which are U.S. Persons); Reason for difference: A separate record is created for each name, alias and name variant. A single individual may have multiple records and the TSDB averages just over 2 records for every individual. It is also critical to clarify that the No-Fly List is not synonymous with the TSDB; rather, it is a small subset of the TSDB and pertains specifically to commercial aviation. Inclusion on the No-Fly List requires that an individual meet very specific criteria and are or may be a threat to civil aviation (i.e., the aircraft, its passengers, crew members, and others). As such, not every record in the TSDB would be appropriate for inclusion on the No-Fly List. The TSC works with its screening partners to determine what level of information is required to meet that entity's particular screening needs and is consistent with its legal authorities. This is one manner in which the TSC works to limit any inconvenience the watchlist may have on the innocent traveling public. The U.S. Government (USG) has many controls in place to ensure that only Known or Suspected Terrorists are nominated to the watchlist. The nomination process for including someone on the watchlist is a multi- agency, multi-tiered process. Each International Terrorist (IT) nomination comes through the National Counterterrorism Center (NCTC), and each Domestic Terrorist (DT) nomination comes through the Federal Bureau of Investigation. Nominations are first reviewed at the field level, reviewed again at the NCTC or FBI, and again at the TSC before inclusion in the TSDB. While the TSDB is critical to counterterrorism efforts at the Federal, State and local levels, the TSC is aware that the watchlist has an impact on the traveling public. As such, the TSC takes all steps possible to limit this impact and balance privacy and civil liberties with its critical terrorist screening mission. The TSC strives to reduce the time it takes to resolve encounters with screening agencies. The average encounter currently takes just under eight (8) minutes to resolve. Further, the TSC reviews each nominated record for completeness and the appropriateness of its inclusion on the watchlist. The TSC similarly reviews all nominated change and removal requests to ensure that the watchlist contains the most thorough, accurate and current information possible. The TSC's Redress program also conducts a comprehensive review of records related to requests referred to the TSC by its screening partners through their respective redress programs, including DHS TRIP. This provides a mechanism for persons who feel they are inappropriately watchlisted or misidentified to seek redress. In addition, in April 2008, the TSC initiated the Terrorist Encounter Review Process (TERP) to automatically review the terrorist watchlist records of frequently encountered individuals even if no formal redress requests are filed. TERP provides a guaranteed review of such records to ensure they are thorough, accurate and current. conclusion The TSC continues to play a vital role in the war on terrorism. Multiple auditors all concur that the TSC has made a significant, positive impact in terrorist screening operations, ensuring that Federal, State, and local law enforcement and screening partners have the information they need to identify terrorists abroad, at our borders, and within our country. The TSC will continue to work hard to identify means to increase efficiency and limit the impact on the American public, while effective terrorist screening operations are conducted. This can only be accomplished through a continuous process of internal and external review and unremitting vigilance. Chairwoman Jackson Lee, Ranking Member Lungren, and Members of the committee, thank you again for the opportunity to address this esteemed body, and I look forward to answering your questions. Ms. Jackson Lee. Thank you. The hearing stands in recess. [Recess.] Ms. Jackson Lee. I am reconvening the Transportation Security and Infrastructure Protection Subcommittee hearing on ``Ensuring America's Security, Cleaning up the Nation's Watchlists.'' At this time I will recognize Ms. Berrick to summarize her statement for 5 minutes. STATEMENT OF CATHLEEN A. BERRICK, DIRECTOR, HOMELAND SECURITY AND JUSTICE ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE Ms. Berrick. Thank you, Madam Chairwoman, for inviting me to discuss GAO's work reviewing aviation watchlist matching, or the matching of passenger information against terrorist watchlist records. Domestic and foreign carriers traveling within, to and from the United States are required to conduct watchlist matching in accordance with TSA requirements. TSA has responsibility for overseeing how carriers implement their watchlist matching programs. TSA plans to assume this function from carriers beginning in 2009, as you aware, under Secure Flight. My testimony addresses TSA's watchlist matching requirements for domestic carriers, TSA's oversight of carriers' watchlist matching requirements programs, and TSA's progress in developing and implementing Secure Flight. In conducting watchlist matching, TSA requires that carriers conduct exact name matches against watchlist records and to match name variations, also known as similar name matching. Carriers must conduct similar name matching because watchlists of individuals may travel using name variations and would not be identified if carriers searched only for an exact name match. Although TSA requires carriers to conduct similar name matching, until recently revising some of its requirements, TSA did not specify how many or what types of such name variations carriers should compare. As a result, the 14 carriers we interviewed reported implementing varied approaches, two conducting similar name matching, and not every carrier reported conducting any form of similar name matching. There have been incidents of carriers failing to identify potential matches through watchlist records by not successfully conducting similar name matching. However, in 2008 during my review and following a special inspection conducted by TSA, TSA should have revised security directives to clarify the types of name variations that carriers must compare against the No-Fly List. TSA acknowledges this new capability will not address all vulnerabilities that exist with watchlist matching, but believe that it is the best interim solution pending implementation of Secure Flight, because it strengthens watchlist matching without requiring major system changes for carriers. TSA has taken various actions to assess domestic carriers' compliance with watchlist matching requirements. However, until a special inspection conducted in 2008, TSA conducted limited oversight of carriers' name-matching capability. TSA records for field inspections conducted during 2007 identified the carriers' watchlist matching function was tested during only 5 percent of airport inspections conducted that year. TSA reported that its guidance for inspectors is currently being revised to strengthen oversight of carrier watchlist matching. Since Secure Flight will likely not be fully operational for at least a year for domestic flights, and longer for international flights, it is important that TSA strengthen its oversight of air carrier programs in the interim. Secure Flight, once implemented, is intended to strengthen watchlist matching by conducting more robust name variations than currently conducted by carriers. Secure Flight is also intended to more accurately match passenger information to watchlist records. In February 2008, despite past difficulties in implementing Secure Flight, we reported that TSA had made significant progress in developing the program, including developing key systems development documentation and strengthening privacy protections. However, we reported that challenges remained, including the need to more fully test systems development security requirements and develop more robust cost and schedule estimates. If these challenges are not effectively addressed, the chances of the program performing on schedule and as intended are diminished. We have an on-going review, assessing TSA's efforts in implementing Secure Flight. This concludes my opening statement. I look forward to your questions. [The statement of Ms. Berrick follows:] Prepared Statement of Cathleen A. Berrick September 9, 2008 aviation security: tsa is enhancing its oversight of air carrier efforts to screen passengers against terrorist watch-list records, but expects ultimate solution to be implementation of secure flight gao highlights Highlights of GAO-08-1136T, a testimony before the Subcommittee on Transportation Security and Infrastructure Protection, Committee on Homeland Security, House of Representatives. Why GAO Did This Study Domestic air carriers are responsible for checking passenger names against terrorist watchlist records to identify persons who should be denied boarding (the No-Fly List) or who should undergo additional security scrutiny (the Selectee List). The Transportation Security Administration (TSA) is to assume this function through its Secure Flight program. However, due to program delays, air carriers retain this role. This testimony discusses: (1) TSA's requirements for domestic air carriers to conduct watchlist matching; (2) the extent to which TSA has assessed compliance with watchlist matching requirements; and (3) TSA's progress in developing Secure Flight. This statement is based on GAO's report on air carrier watchlist matching (GAO-08-992) being released today and GAO's previous and ongoing reviews of Secure Flight. In conducting this work, GAO reviewed TSA security directives and TSA inspections guidance and results, and interviewed officials from 14 of 95 domestic air carriers. What GAO Recommends GAO is not making any recommendations related to air carriers' watchlist matching programs because TSA initiated actions in April 2008 to strengthen related requirements and its oversight of air carriers' implementation of these requirements. Regarding Secure Flight, GAO previously made recommendations to strengthen the program's development. TSA generally agreed. what gao found TSA's requirements for domestic air carriers to conduct watchlist matching include a requirement to identify passengers whose names are either identical or similar to those on the No-Fly and Selectee lists. Similar-name matching is important because individuals on the watchlist may try to avoid detection by making travel reservations using name variations. According to TSA, there have been incidents of air carriers failing to identify potential matches by not successfully conducting similar-name matching. However, until revisions were initiated in April 2008, TSA's security directives did not specify what types of similar- name variations were to be considered. Thus, in interviews with 14 air carriers, GAO found inconsistent approaches to conducting similar-name matching, and not every air carrier reported conducting similar-name comparisons. In January 2008, TSA conducted an evaluation of air carriers and found deficiencies in their capability to conduct similar- name matching. Thus, in April 2008, TSA revised the No-Fly List security directive to specify a baseline capability for conducting watchlist matching and reported that it planned to similarly revise the Selectee List security directive. While recognizing that the new baseline capability will not address all vulnerabilities, TSA emphasized that establishing the baseline capability should improve air carriers' performance of watchlist matching and is a good interim solution pending the implementation of Secure Flight. TSA has undertaken various efforts to assess domestic air carriers' compliance with watchlist matching requirements; however, until 2008, TSA had conducted limited testing of air carriers' similar-name- matching capability. In 2005, for instance, TSA evaluated the capability of air carriers to identify names that were identical--but not similar--to those in terrorist watchlist records. Also, TSA's internal guidance did not specifically direct inspectors to test air carriers' similar-name-matching capability, nor did the guidance specify the number or types of name variations to be assessed. Records in TSA's database for regular inspections conducted during 2007 made reference to name-match testing in only 61 of the 1,145 watchlist- related inspections that GAO reviewed. During the course of GAO's review, and prompted by findings of the evaluation conducted in January 2008, TSA reported that its guidance for inspectors would be revised to help ensure air carriers' compliance with security directives. Although TSA has plans to strengthen its oversight efforts, it is too early to determine the extent to which TSA will provide oversight of air carriers' compliance with the revised security directives. In February 2008, GAO reported that TSA has made progress in developing Secure Flight but that challenges remained, including the need to more effectively manage risk and develop more robust cost and schedule estimates (GAO-08-456T). If these challenges are not addressed effectively, the risk of the program not being completed on schedule and within estimated costs is increased, and the chances of it performing as intended are diminished. TSA plans to begin assuming watchlist matching from air carriers in January 2009. Madam Chairwoman and Members of the subcommittee: I am pleased to be here today to discuss GAO's work assessing the Transportation Security Administration (TSA) and domestic air carrier efforts in conducting watchlist matching--or the matching of airline passenger information against terrorist watchlist records--a front-line defense against acts of terrorism that target the Nation's civil aviation system.\1\ Domestic air carriers operating to, from, and within the United States are to conduct watchlist matching in accordance with requirements set forth by TSA. That is, air carriers are to conduct preboarding checks by comparing passenger data--most prominently name and date of birth--against the No-Fly List to identify individuals who should be prevented from boarding an aircraft, and against the Selectee List to identify individuals who must undergo enhanced screening at the checkpoint prior to boarding.\2\ TSA has responsibility for overseeing how air carriers implement the watchlist-matching process, consistent with TSA requirements. Critical to this oversight effort are the agency's inspectors--both the principal security inspectors who oversee implementation efforts at air carriers' corporate security offices and the transportation security inspectors who oversee implementation efforts at airport locations. Beginning in 2009, under a program known as Secure Flight, TSA is to take over from air carriers the function of watchlist matching for domestic and ultimately international flights. Pending Secure Flight's implementation, air carriers continue to have primary responsibility for conducting watchlist matching. In turn, TSA continues to have an important oversight responsibility to ensure that air carriers comply with watchlist-matching requirements. --------------------------------------------------------------------------- \1\ For the purposes of this statement, domestic air carriers are those with operations based in the United States that maintain full security programs in accordance with 49 C.F.R. part 1544. The number of domestic air carriers has varied over time, for example, from 95 in 2005 to about 70 in 2007. \2\ These lists contain applicable records from the Terrorist Screening Center's consolidated database of known or appropriately suspected terrorists. Pursuant to Homeland Security Presidential Directive 6, dated September 16, 2003, the Terrorist Screening Center-- an entity that has been operational since December 2003 under the administration of the Federal Bureau of Investigation--was established to develop and maintain the U.S. Government's consolidated terrorist screening database (the watch list) and to provide for the use of watchlist records during security-related screening processes. See GAO, Terrorist Watch List Screening: Recommendations to Promote a Comprehensive and Coordinated Approach to Terrorist-Related Screening, GAO-08-253T (Washington, DC: Nov. 8, 2007). --------------------------------------------------------------------------- My testimony today addresses: (1) TSA's requirements for domestic air carriers to conduct watchlist matching for domestic flights; (2) the extent to which TSA has assessed domestic air carriers' compliance with watchlist-matching requirements; and, (3) TSA's progress in developing and implementing the Secure Flight program. This statement is based on a report we released today \3\ on air carrier watchlist- matching processes and TSA's oversight of these efforts, as well as work we conducted on the Secure Flight program from August 2007 to January 2008,\4\ with selected updates in September 2008. --------------------------------------------------------------------------- \3\ GAO, Aviation Security: TSA Is Enhancing Its Oversight of Air Carrier Efforts to Identify Passengers on the No-Fly and Selectee Lists, but Expects Ultimate Solution to Be Implementation of Secure Flight, GAO-08-992 (Washington, DC: Sept. 9, 2008). \4\ GAO, Aviation Security: Transportation Security Administration Has Strengthened Planning to Guide Investments in Key Aviation Security Programs, but More Work Remains, GAO-08-456T (Washington, DC: Feb. 28, 2008). --------------------------------------------------------------------------- Regarding air carrier watchlist matching, we reviewed TSA's security directives and related guidance applicable to watchlist matching; interviewed responsible officials at TSA headquarters; conducted interviews (both in-person and via telephone) with officials from domestic air carriers to discuss their implementation of watchlist-matching requirements;\5\ analyzed watchlist-related inspections that TSA conducted during fiscal year 2007 to ensure that air carriers were in compliance with applicable requirements; and reviewed the results from a special emphasis assessment that TSA conducted in 2005 and a special emphasis inspection it conducted in January 2008, both of which addressed air carriers' capability to conduct watchlist matching.\6\ Regarding the Secure Flight program, we reviewed systems development, privacy, and other documentation, and interviewed Department of Homeland Security (DHS), TSA, and contractor officials. We conducted these performance audits from July 2006 to September 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on the audit objectives. --------------------------------------------------------------------------- \5\ Our selection of the 14 air carriers was based, in part, on operational size with the goal of obtaining a range of sizes. Although the 14 air carriers (selected from a total of 95 air carriers required to perform watchlist matching during calendar year 2005) represent a range in the types of air carriers that conduct watchlist matching, and, according to our calculations, accounted for approximately 70 percent of all passengers that boarded domestic flights in 2005, the results of our interviews are not generalizable to the domestic operations of all domestic air carriers. However, our selection allowed us to understand how watchlist matching was performed for the majority of passengers flying domestically in 2005, although we did not independently verify each air carrier's reported method of implementation. \6\ Special emphasis assessments and special emphasis inspections are nonroutine activities undertaken at the direction of TSA headquarters. According to TSA, a special emphasis assessment addresses a vulnerability that generally is not tied to a regulation, while a special emphasis inspection is tied to a regulatory requirement. --------------------------------------------------------------------------- summary Through its security directives, TSA has issued requirements for watchlist matching, which include identifying passengers with names similar to those on the No-Fly and Selectee lists. Before undertaking revisions of the relevant security directives in 2008, TSA expected air carriers to conduct similar-name matching but TSA's security directives did not specify how many and what types of such name variations air carriers should compare. Consequently, in interviews with 14 air carriers, we found inconsistent approaches to conducting similar-name matching. Some carriers compared more name variations than others; in addition, not every air carrier reported conducting similar-name comparisons. Air carriers that conduct only exact-name comparisons and carriers that conduct relatively limited similar-name comparisons are less effective in identifying watchlisted individuals who travel under name variations. Also, due to inconsistent air carrier processes, a passenger could be identified as a match to the watch list by one carrier and not by another. In April 2008, during the course of our review, TSA revised and issued the No-Fly List security directive to specify a baseline capability for similar-name matching to which all air carriers must conform. Also, in August 2008, TSA officials reported that the agency was in the process of similarly revising the Selectee List security directive to require the same baseline capability.\7\ TSA officials acknowledged that the new baseline capability will not address all vulnerabilities identified by TSA. However, the officials stated that the new baseline capability was a good interim approach for improving air carriers' matching efforts because, among other reasons, it will strengthen watchlist matching without requiring investment in a solution that will be replaced when Secure Flight is implemented. --------------------------------------------------------------------------- \7\ TSA officials did not provide us a targeted issuance date for the revised Selectee List security directive. --------------------------------------------------------------------------- Although TSA assessed air carriers' compliance with watchlist- matching requirements through a special emphasis assessment conducted in 2005 and through planned inspections conducted in conjunction with annual inspection cycles, the agency had tested similar-name matching to only a limited extent until 2008. For instance, the 2005 special emphasis assessment focused on air carriers' capability to identify passenger names that were exact matches with names on the No-Fly List, but did not address the capability to conduct similar-name matching. Also, during the most recent annual inspection cycle (fiscal year 2007), although some TSA inspectors tested air carriers' effectiveness in conducting similar-name matching, the inspectors did so at their own discretion and without specific evaluation criteria. However, during a special emphasis inspection conducted in January 2008, TSA found deficiencies in the capability of air carriers to conduct similar-name matching.\8\ Thereafter, following TSA's revision of the No-Fly List security directive in April 2008, officials planned to issue new guidance for inspectors to better ensure compliance by air carriers with requirements in the new security directive. Further, in September 2008, TSA updated us on the status of its efforts with watchlist matching. Specifically, TSA provided us with the results of a May 2008 special emphasis assessment of seven air carriers' compliance with the revised No-Fly List security directive. TSA generally characterized the results of the May 2008 special emphasis assessment as positive. Further, TSA officials noted that the agency's internal handbook, which provides guidance to transportation security inspectors on how to inspect air carriers' compliance with requirements, including watchlist-matching requirements, was being revised, and was expected to be released later this year. Officials indicated that the new inspection guidance would be used in conjunction with TSA's Nation-wide regulatory activities plan for fiscal year 2009. While these actions and plans are positive developments, it is too early to determine the extent to which air carriers' compliance with watchlist-matching requirements will be assessed based on the new security directives since these efforts are still underway and have not been completed. --------------------------------------------------------------------------- \8\ TSA reported that the January 2008 special emphasis inspection covered 52 domestic air carriers and 31 foreign air carriers. --------------------------------------------------------------------------- Moreover, in February 2008, we reported that TSA has made significant progress in developing Secure Flight, but that challenges remained in a number of areas, including the need to more effectively manage risk and develop more robust cost and schedule estimates. We made a number of recommendations to strengthen TSA's efforts in these areas, to which TSA agreed and has begun to take corrective actions. We will continue to evaluate TSA's efforts to develop and implement Secure Flight and its progress in addressing these recommendations as part of our on-going review.\9\ --------------------------------------------------------------------------- \9\ Our review of TSA's progress with Secure Flight is being conducted in response to requests from the U.S. Senate (Committee on Commerce, Science, and Transportation, and its Subcommittee on Aviation Operations, Safety, and Security; Committee on Appropriations, Subcommittee on Homeland Security; Committee on Homeland Security and Governmental Affairs; and Committee on the Judiciary) and the U.S. House of Representatives (Committee on Transportation and Infrastructure, Committee on Homeland Security, and Committee on Oversight and Government Reform). In addition, the Consolidated Appropriations Act, 2008, requires that we report to the Committees on Appropriations of the Senate and House of Representatives on DHS's certification of 10 conditions outlined in section 522(a) of the Department of Homeland Security Appropriations Act, 2005, related to the development and implementation of the Secure Flight program. See Pub. L. No. 110-161, Div. E, 513, 121 Stat. 1844, 2072-73 (2007). --------------------------------------------------------------------------- background TSA is responsible for ensuring air carriers' compliance with regulatory requirements, including requirements reflected in TSA security directives. Related to watchlist matching, TSA outlines air carrier requirements in the No-Fly List Procedures security directive, requiring domestic air carriers to conduct checks of passenger information against the No-Fly List to identify individuals who should be precluded from boarding flights, and the Selectee List Procedures security directive, directing domestic air carriers to conduct checks of passenger information against the Selectee List to identify individuals who should receive enhanced screening (e.g., additional physical screening or a hand-search of carry-on baggage) before proceeding through the security checkpoint. Since 2002, TSA has issued numerous revisions to the No-Fly and Selectee list security directives to strengthen and clarify requirements, and has issued guidance to assist air carriers in implementing their watchlist-matching processes. TSA conducts inspections of air carriers throughout the year as part of regular inspection cycles based on annual inspection plans to determine the extent to which air carriers are complying with TSA security requirements. These inspections are based on inspection guidelines known as PARIS prompts,\10\ which address a broad range of regulatory requirements (including airport perimeter security and cargo security, as well as screening of employees, baggage, and passengers). With respect to watchlist matching, inspection guidelines instruct inspectors regarding the aspects of air carrier watchlist matching that should be tested, such as whether air carriers are comparing the names of all passengers against names on the most current No-Fly and Selectee lists in accordance with the procedures outlined in TSA's security directives. --------------------------------------------------------------------------- \10\ PARIS is the acronym for the Performance and Results Information System, which is TSA's inspections database. This database assists TSA management by providing factual and analytical information on the compliance of TSA-regulated entities. There are approximately 1,700 PARIS prompts, which serve as guidelines for TSA inspectors. --------------------------------------------------------------------------- TSA conducts watchlist-related inspections at air carriers' corporate security offices (where policies and procedures are established on how watchlist matching is to be performed) and at airports (where policies and procedures for responding to a potential match are implemented). TSA's principal security inspectors are responsible for conducting inspections at domestic air carriers' corporate headquarters. These inspectors assess air carriers' compliance with security requirements and provide direct oversight of air carriers' implementation of and compliance with TSA-approved security programs. Field inspectors--known as transportation security inspectors--conduct watchlist-related inspections at airports. They are responsible for a multitude of TSA-related activities, including conducting inspections and investigations of airports and air carriers, monitoring compliance with applicable civil aviation security policies and regulations, resolving routine situations that may be encountered during the assessment of airport security, participating in testing of security systems in connection with compliance inspections, identifying when enforcement actions should be initiated, and providing input on the type of action and level of penalty commensurate with the nature and severity of a violation that is ultimately recommended to TSA's Office of Chief Counsel. To further enhance commercial aviation security and as required by the Intelligence Reform and Terrorism Prevention Act of 2004, TSA is developing an advanced passenger prescreening program known as Secure Flight to assume from air carriers the function of matching passenger information against Government-supplied terrorist watchlists for domestic, and ultimately international, flights.\11\ Through assumption of the watchlist-matching function from the air carriers, Secure Flight is intended to ensure a higher level of consistency than current air carrier watchlist matching and also help remedy possible misidentifications if a passenger's name is similar to one found on a watch list. According to TSA plans, Secure Flight's benefits, once the program becomes operational, will include: --------------------------------------------------------------------------- \11\ See Pub. L. No. 108-458, 4012(a), 118 Stat. 3638, 3714-18 (2004) (codified at 49 U.S.C. 44903(j)(2)(C)). --------------------------------------------------------------------------- eliminating inconsistencies in current air carrier watchlist matching procedures; decreasing the risk of unauthorized disclosure of sensitive watchlist information; reducing the number of individuals who are misidentified as being on the No-Fly or Selectee lists, and; integrating the redress process so that individuals are less likely to be improperly or unfairly delayed or prohibited from boarding an aircraft. TSA expects to begin assuming from air carriers the watchlist matching function for domestic flights in January 2009, and to assume this function from U.S. Customs and Border Protection for flights departing from and to the United States by fiscal year 2010. prior to april 2008, tsa watch-list-matching requirements were broad and allowed air carriers discretion in comparing name variations, which resulted in less effective processes Since the terrorist attacks of September 11, 2001, TSA has imposed, through security directives, requirements for watchlist matching, which include identifying passengers with names similar to those on the No- Fly and Selectee lists--a process TSA refers to as similar-name matching. Identifying passengers with names similar to those on the No- Fly and Selectee lists is a critical component of watchlist matching because individuals may travel using abbreviated name forms or other variations of their names. Therefore, searching for only an exact match of the passenger's name may not result in identifying all watchlisted individuals. Before undertaking revisions of the relevant security directives in 2008, TSA expected air carriers to conduct similar-name matching, but TSA's security directives did not specify how many and what types of such name variations air carriers should compare. Consequently, the 14 air carriers we interviewed reported implementing varied approaches to similar-name matching. Some carriers reported comparing more name variations than others, and not every air carrier reported conducting similar-name comparisons. Air carriers that conduct only exact-name comparisons and carriers that conduct relatively limited similar-name comparisons are less effective in identifying watchlisted individuals who travel under name variations. Also, due to inconsistent air carrier processes, a passenger could be identified as a match to a watchlist record by one carrier and not by another, which results in uneven effectiveness of watchlist matching. Moreover, there have been incidents, based on information provided by TSA's Office of Intelligence, of air carriers failing to identify potential matches by not successfully conducting similar-name matching. Generally, TSA had been aware that air carriers were not using equivalent processes to compare passenger names with names on the No- Fly and Selectee lists. However, in early 2008 the significance of such differences was crystallized during the course of our review and following TSA's special emphasis inspection of air carriers' watchlist- matching capability. On the basis of these inspection results, in April 2008, TSA issued a revised security directive governing the use of the No-Fly List to establish a baseline capability for similar-name matching to which all air carriers must conform. Also, TSA announced that it planned to similarly revise the Selectee List security directive to require the new baseline capability.\12\ --------------------------------------------------------------------------- \12\ In August 2008, TSA informed us that the revised Selectee List security directive was still in the agency's internal clearance process, and did not provide us a targeted issuance date. --------------------------------------------------------------------------- According to TSA officials, the new baseline capability is intended to improve the effectiveness of watchlist matching, particularly for those air carriers that had been using less-thorough approaches for identifying similar-name matches and those air carriers that did not conduct any similar-name comparisons. However, because the baseline capability requires that air carriers compare only the types of name variations specified in the security directive, TSA officials noted that the new baseline established in the No-Fly List security directive is not intended to address all possible types of name variations and related security vulnerabilities. Agency officials explained that based on their analysis of the No-Fly and Selectee lists and interviews with intelligence community officials, the newly-established baseline covers the types of name variations air carriers are most likely to encounter. TSA officials further stated that these revised requirements were a good interim solution because, among other reasons, they will strengthen security while not requiring air carriers to invest in significant modifications to their watchlist matching processes, given TSA's expected implementation of Secure Flight beginning in 2009. If implemented as intended, Secure Flight is expected to better enable the use of passenger names and other identifying information to more accurately match passengers to the subjects of watchlist records. until a 2008 special emphasis inspection, tsa had conducted limited testing of air carriers' capability to perform similar-name matching Until 2008, TSA had conducted limited testing of air carriers' similar-name-matching capability, although the agency had undertaken various efforts to assess domestic air carriers' compliance with watchlist matching requirements in the No-Fly and Selectee list security directives. These efforts included a special emphasis assessment conducted in 2005 and regular inspections conducted in conjunction with annual inspection cycles. However, the 2005 special emphasis assessment focused on air carriers' capability to prescreen passengers for exact-name matches with the No-Fly List, but did not address the air carriers' capability to conduct similar-name comparisons. Regarding inspections conducted as part of regular inspection cycles, TSA's guidance establishes that regulatory requirements encompassing critical layers of security need intensive oversight, and that testing is the preferred method for validating compliance. However, before being revised in 2008, TSA's inspection guidelines for watchlist-related inspections were broadly stated and did not specifically direct inspectors to test air carriers' similar- name-matching capability. Moreover, TSA's guidance provided no baseline criteria or standards regarding the number or types of such variations that must be assessed. Thus, although some TSA inspectors tested air carriers' effectiveness in conducting similar-name matching, the inspectors did so at their own discretion and without specific evaluation criteria. In response to our inquiry, six of TSA's nine principal security inspectors told us that their assessments during annual inspection cycles have not included examining air carriers' capability to conduct certain basic types of similar-name comparisons. Also, in reviewing documentation of the results of the most recent inspection cycle (fiscal year 2007), we found that available records in TSA's database made references to name-matching tests in only 6 of the 36 watchlist- related inspections that principal security inspectors conducted, and in only 55 of the 1,109 inspections that transportation security inspectors conducted.\13\ Without baseline criteria or standards for air carriers to follow in conducting similar-name comparisons, TSA has not had a uniform basis for assessing compliance. Further, without routinely and uniformly testing how effectively air carriers are conducting similar-name matching, TSA may not have had an accurate understanding of the quality of air carriers' watchlist-matching processes. --------------------------------------------------------------------------- \13\ According to TSA data, these 1,145 watchlist-related inspections (36 plus 1,109) covered 60 domestic air carriers, and most of the air carriers were inspected multiple times. --------------------------------------------------------------------------- However, TSA began taking corrective actions during the course of our review and after it found deficiencies in the capability of air carriers to conduct similar-name matching during the January 2008 special emphasis inspection.\14\ More specifically, following the January 2008 inspection, TSA officials reported that TSA began working with individual air carriers to address identified deficiencies. Also, officials reported that, following the issuance of TSA's revised No-Fly List security directive in April 2008, the agency had plans to assess air carriers' progress in meeting the baseline capability specified in the new security directive after 30 days, and that the agency's internal guidance for inspectors would be revised to help ensure compliance by air carriers with requirements in the new security directive. Further, in September 2008, TSA updated us on the status of its efforts with watchlist matching. Specifically, TSA provided us with the results of a May 2008 special emphasis assessment of seven air carriers' compliance with the revised No-Fly List security directive. Although the details of this special emphasis assessment are classified, TSA generally characterized the results as positive. Also, the TSA noted that it plans to work with individual air carriers, as applicable, to analyze specific failures, improve system performance, and conduct follow-up testing as needed. Further, officials noted that the agency's internal handbook, which provides guidance to transportation security inspectors on how to inspect air carriers' compliance with requirements, including watchlist-matching requirements, was being revised and was expected to be released later this year. Officials stated that the new inspection guidance would be used in conjunction with TSA's Nation-wide regulatory activities plan for fiscal year 2009. However, while these actions and plans are positive developments, it is too early to determine the extent to which TSA will assess air carriers' compliance with watchlist-matching requirements based on the new security directives since these efforts are still underway and have not been completed. --------------------------------------------------------------------------- \14\ According to TSA officials, the January 2008 special emphasis inspection covered 52 domestic air carriers and 31 foreign air carriers. --------------------------------------------------------------------------- dhs has made progress in developing and implementing the secure flight program, but challenges remain that may hinder the program moving forward Over the last 4 years, we have reported that the Secure Flight program (and its predecessor known as the Computer Assisted Passenger Prescreening System II or CAPPS II) had not met key milestones or finalized its goals, objectives, and requirements, and faced significant development and implementation challenges.\15\ Acknowledging the challenges it faced with the program, in February 2006, TSA suspended the development of Secure Flight and initiated a reassessment, or rebaselining, of the program, which was completed in January 2007. In February 2008, we reported that TSA had made substantial progress in instilling more discipline and rigor into Secure Flight's development and implementation, including preparing key systems development documentation and strengthening privacy protections.\16\ However, we reported that challenges remain that may hinder the program's progress moving forward. Specifically, TSA had not: (1) Developed program cost and schedule estimates consistent with best practices; (2) fully implemented its risk management plan; (3) planned for system end-to-end testing in test plans; and, (4) ensured that information-security requirements are fully implemented. If these challenges are not addressed effectively, the risk of the program not being completed on schedule and within estimated costs is increased, and the chances of it performing as intended are diminished. --------------------------------------------------------------------------- \15\ See GAO, Aviation Security: Progress Made in Systematic Planning to Guide Key Investment Decisions, but More Work Remains, GAO- 07-448T (Washington, DC: Feb. 13, 2007). \16\ See GAO, Aviation Security: Transportation Security Administration Has Strengthened Planning to Guide Investments in Key Aviation Security Programs, but More Work Remains, GAO-08-456T (Washington, DC: Feb. 28, 2008). --------------------------------------------------------------------------- To address these challenges, we made several recommendations to DHS and TSA to incorporate best practices in Secure Flight's cost and schedule estimates and to fully implement the program's risk- management, testing, and information-security requirements. DHS and TSA officials generally agreed to implement the recommendations and reported that they are making progress doing so. According to TSA officials, the ``initial cutover'' or assumption of the watchlist matching function from one or more air carriers for domestic flights is scheduled to begin in January 2009. However, as of July 2008, TSA had not developed detailed plans or time frames for assuming watchlist matching from all air carriers for domestic flights. We will continue to evaluate TSA's efforts to develop and implement Secure Flight and its progress in addressing our prior recommendations as part of our on- going review. concluding observations Until the Secure Flight program is implemented, TSA's oversight of air carriers' compliance with watchlist-matching requirements remains an important responsibility. In this regard, TSA's April 2008 revision of the No-Fly List security directive--and a similar revision planned for the Selectee List security directive--are significant developments. The April 2008 revision establishes a baseline name-matching capability applicable to all domestic air carriers. Effective implementation of the baseline capability should strengthen watchlist-matching processes, especially for those air carriers that had been using less-thorough approaches for identifying similar-name matches. Concurrently, revised internal guidance for TSA's inspectors can help ensure that compliance inspections of air carriers are conducted using the standards specified within the security directives as evaluation criteria. At the time of our review, TSA was in the initial stage of revising the internal guidance for inspectors. As a result, it is too early to determine the extent to which updated guidance for principal security inspectors and transportation security inspectors will strengthen oversight of air carriers' compliance with the security directive requirements. Going forward, TSA officials acknowledge that the baseline capability specified in the revised No-Fly List security directive and the similar revision planned for the Selectee List security directive--while an improvement--does not address all vulnerabilities identified by TSA and does not provide the level of risk mitigation that is expected to be achieved from Secure Flight. Thus, TSA officials recognize the importance of--and the challenges to--ensuring continued progress in developing and deploying the Secure Flight program as soon as possible. Madam Chairwoman, this concludes my statement. I would be pleased to answer any questions that you or other Members have at this time. Ms. Jackson Lee. Let me thank you very much for your, again, important analysis. As well, let me thank all of the witnesses for their presence here today. I want it to be known that this persistent pursuit is a serious effort on behalf of this subcommittee and the full committee really to penetrate into the essence of security to make it real, consistent and effective. I have appreciated the polite talk of the witnesses. I have also appreciated the collaborative efforts. My questions will be pointed, because I don't think we can have hearing after hearing after hearing after hearing without finding a solution to what seems to be a complex question with a simple answer. So I would first of all like to pose a question to Mr. Wellen. I want to congratulate TSA for getting the final certification that seems to have come with the signoff of Secretary Chertoff. This certification report confirms that Secure Flight meets all 10 certifications mandated in the 2005 appropriations language, which many of us worked together on. There are many of us who have been on the Homeland Security Committee since its origins after 9/11 and its first beginnings as a select committee, first as a team of Members to decide how we were going to move forward. So we want to make sure that the recommendations can be asked and answered. One of the recommendations--we physically asked that you develop an appropriate lifecycle cost estimate. I would like to know how have you verified that the estimates you have constructed are reasonable and achievable, first of all? As you answer that, I would like you to make a commitment to provide the subcommittee with a copy of that report. Mr. Wellen. Mr. Wellen. Thank you, Ms. Chairwoman. The lifecycle cost estimates we are in the process of providing were based on April's estimates for the first 5 years of the program. Those can be made available. We are also in the process of updating the lifecycle cost estimates to abide by additional GAO and DHS guidance. When those are complete, we can provide those as well. Ms. Jackson Lee. Assistant Secretary, do you want add a little? Expand on that for us, please. I just think it is important. Mr. Hawley. The 10-year cost is in the billion dollar range, and it ranges probably per year $80 million, and perhaps going up above that to get to around a billion over 10 years. As part of a review of the Department, and also the engagement that we have with GAO, we have had a lot of back and forth, and there are some different ways of framing the questions, and therefore the answers that we are referring to. So I believe the first 5 years are ready to go now and would provide the additional when that is available. Ms. Jackson Lee. So the first 5 years--a half a billion dollars? Mr. Wellen. Yes, ma'am. The approximations are anywhere between $85 and $93 million per year. Ms. Jackson Lee. Good. Is that a Government cost? Or is that shared with the industry? Mr. Wellen. That is Government cost, ma'am. Ms. Jackson Lee. Do we have any estimates of the industry's participation and any cost on their part? Mr. Wellen. I don't have their cost estimates. Ms. Jackson Lee. But we would expect that there would be some. Mr. Wellen. Yes, ma'am. Ms. Jackson Lee. Can I ask you to engage--and I am going to yield to you, Mr. Secretary--with the industry to give us some ballpark on those figures, please? Assistant Secretary. Mr. Hawley. Yes, ma'am. Ms. Jackson Lee. You heard the discussion that we had, and I offered my congratulations for the certification announcement to back a question of their participation in it. But I indicated that I am not holding these hearings I guess for what most might perceive would be a continuous reciting of the problem. I know that there are issues with legislation, but there are also issues with administration rulemaking. My question to you is could we have a collaborative effort as we proceed to write legislation to expedite this process for what we all want: relief to the American people. Now, what that would mean is that we could not point fingers at each other for what the delay might be. It would have to move through this House, which I feel confident that we have the ability to work collaboratively, but it would have to move in the Senate. So the question is would that be something that you, DHS, the administration would be open to? Can you work with this committee, work with me on legislation that could be put the energy in that we need to secure the American people? Mr. Hawley. Yes. I would like to comment that this subcommittee has been very consistently into the detail of this program, and I appreciate the legislation from Ms. Clarke. Mr. Lungren referred to it, and bipartisan nature of it. We would certainly work with you and the committee to see if there are additional ways to strengthen that process, but to get to the point where it will be implemented just as soon as it is ready. Having said that, our rule is in its final stages of administration clearance, so our hope is that that will go the course, and should Congress or you wish to pursue legislative remedies, we would be very open to working with you. Ms. Jackson Lee. I think that is a very important first step, and I think we will move expeditiously, but we will also be monitoring the rulemaking. What we want to do is that we will both be holding hands in success not for ourselves, but for the American people. Let me ask Ms. Berrick, are you just listening to costs? I am concerned that the 10 items that have been certified need themselves to be reviewed by GAO. Will you all assess them to determine their reasonableness and also their costs? How long do you think it will take you to review these certifications that have now been made? Ms. Berrick. Yes. We will be. We have been reviewing. We will continue to review the Secure Flight. There is legislation in the--2 years ago the appropriations legislation requires GAO to review the program and report within 90 days of certification. So our report will be due around December 10 of this year. Related to the 10 conditions, GAO has done a lot of work already, and there are two areas where we have identified some concerns that we are working with TSA on right now. One has to do with cost and schedule estimates--lifecycle cost estimates, for example, that you asked about. We have not yet full lifecycle cost estimates for Secure Flight. The estimates that we got just went up to 2012, and it was based on an older version of the program. So we are waiting to get updated lifecycle cost estimates. We will be looking at that to see to what extent it was developed consistent with best practices for these estimates. Another area has to do with testing, making sure that TSA is fully testing security and systems requirements before they go operational. So we will continue to review those areas, as well as the other 10, and report to this committee and others in December. Ms. Jackson Lee. So let me ask you just to repeat that. Do you think you will begin the review process now and expect to finish in December, of the 10 certification? Ms. Berrick. Right. We have 90 days to complete the work, which would be December. Ms. Jackson Lee. So our legislation could track your review. But we need to be concerned, then, if your review is not finished until December, that we want to be more expedited. So let me ask that you be in dialog with this committee and let us, even though you do have the time frame, let us look very carefully and keenly at how we can work together on moving that up. Ms. Berrick. Okay. We will. Ms. Jackson Lee. I appreciate it very much. Let me just try to quickly finish my own questioning. Time seems to go more quickly than we would like. Mr. Kopel, let me thank you for the work that you do, and let me also indicate that the resourcefulness of which I am about to begin is appreciation for the work that you do. But here is a dilemma that we face, and you laid it out. Nominating agencies or nominating individuals because they have--originators of the nomination think that this is a person we need to watch. We have a lot of backtalk going on. The backtalk is that there is a watchlist. I do expect in another committee, or possibly this committee, since we invited Director Mueller to be here--and I know that you work for the Department of Homeland Security--but I believe we should indicate on the record that we are giving resources to the FBI to have the kind of a four-star A-plus-plus watchlist, because it may seem insignificant to have thousands of Americans on the list that are wrongly named, or five on the list, but any American on the list wrongly named is unacceptable. So I have a concern that the confusion about the watchlist, and I think though you at DHS, let me pointedly suggest that it works unfortunately in the direction of the FBI, because what the TSA gets, it is in the custodial hands of the FBI. People believe, and civilians believe, and airlines believe, and the have said it, which they are inappropriate to say it, but they have, that someone is on the watchlist. James Robinson, an 8-year-old, is on the watchlist. That is unfair, untoward, and it does not help the American people. So I am a little confused as to what DHS is doing in your shop to try to get the most accurate watchlist possible. This seems to be the pass the buck situation. You talk to the FBI; they are moving paper around. I am not sure what role you may play in trying to give the best assistance, though I know that you are committed. So you are in the hot seat. I am frankly not very happy with what I think is an uneven watchlist that then results in what we have to work with for Secure Flight, but more importantly results in the misidentity of individuals, who innocently come to use the airlines and to visit Grandma, to go on a family vacation, to try to make deadlines to go to a funeral, and whatever else the airlines are used for. People miss flights, because they are intimidated by this process. Meantime, some of the great work that needs to be done to secure America is not being done. Mr. Kopel. Mr. Kopel. Thank you, Madam Chairwoman. First, let me explain that although I am a DHS employee, and I work for Charlie Allen in information analysis. I am also the No. 2 person at the Terrorist Screening Center--a direct line. Our director is currently an FBI employee. Our previous director was a DHS employee. Actually, a senior member of TSA was our original director for the first 3 years of the TSC. The TSC, when I referenced a multi-agency task force type environment, I have about 45--a commitment from DHS for 45--and have about between 30 and 40 DHS employees at any time permanently assigned to the TSC. So it isn't like we really work for the FBI. We work for the Terrorist Screening Center and the watchlisting process for the USG. Ms. Jackson Lee. What you are doing with the watchlist that is in the custodial hands of the FBI, and you are dealing with a situation where people are on a No-Fly List because they are matched against the watchlist--it is very confusing, and it doesn't work. So tell me what you are doing to clear it up? What are you doing to coordinate? I appreciate the coordination and the various people that are working in your shop, but what are you doing to ensure a cleaned-up watchlist? Mr. Kopel. Well, let me start by saying based on some of our preliminary audits--and we have had many where we tend to think we have live-ins from GAO and the IG working with us continuously--but part of that process. In March 2006, we initiated some information technology changes to our process that allowed us to, or actually requires us to, review every nomination that comes to the TSC and review the supporting information behind that actual record, so that we just don't take a name, and because an originator thought there was a reasonable suspicion of a connection to terrorism, that doesn't automatically get you on the watchlist. It goes through the National Counterterrorism Center. They are going to review that nomination, along with all the supporting information, whether that comes from the FBI in their case management files or whether it is with the CIA in the TIDE system. So between the difference, they are going to review the information, and they are going to say that they believe there is also a connection to terrorism, a reasonable suspicion of that. Then that record is transmitted to the Terrorist Screening Center. We have a group of subject matter experts that review each and every one of those records to also ensure by looking at the supporting information that there is sufficient information that a reasonable suspicion can be determined that this person may have a connection to terrorism. Ms. Jackson Lee. Are you suggesting to me that there is your own separate analysis from the separate watchlist that the FBI is custodian over? Mr. Kopel. The FBI is a custodian of the U.S. Government's list, and that list is reviewed at the Terrorist Screening Center. We do our own independent review, as does the National Counterterrorism Center, and as do the nominating agencies and the originators of that information. Ms. Jackson Lee. What we might take from that is that there are names on it that are names of individuals in the United States who are innocent, but that you have done all the screening that you could do to assure that if that name is on there, there is a basis for such. Mr. Kopel. Madam Chairwoman, I believe that almost all the names, and we are in the process to finish a complete review of the entire database to ensure that every record has been reviewed and had that supporting information. Ms. Jackson Lee. So we find a gap in that translation to the Nation's airlines. As the Chairman said, there are other nodes or other agencies that use watchlists, and then it captures an 8-year-old by the name of James Robinson. Mr. Kopel. Madam Chairwoman, I believe that every name that we have on the No-Fly List is appropriately watchlisted for the No-Fly List. Ms. Jackson Lee. But not an 8-year-old by the name that may be the same. Mr. Kopel. We supply the airlines with what we believe is sufficient information to make some preliminary identification from that. Their actual processes would probably be best described by TSA on how the airlines evaluate the information that is supplied to them. Ms. Jackson Lee. Well, let me now--and I thank you for your answer. We will just have to have a second round to pursue it. But let me now yield to the distinguished gentlelady from New York. Congresswoman Clarke. Ms. Clarke. Thank you very much, Madam Chairwoman. I want to thank you for your labor and commitment to really addressing and resolving this issue. I would like to also thank you for your support on the FAST Redress Act. It is really at the heart of the issue that we are talking about today. You know I think it is not really an issue of the names as such. It is the misidentification. It is the ability for people to be able to feel reassured that our Nation has the capability of clearing those who may be misidentified. There is a difference between having a terrorist watchlist, which we know is a necessity, and having so many false positives, if we may. So at the end of the day, it is up to us to really come up with a system that really enables people to provide to an entity all pertinent information required to get them off that list. If an 8-year-old, who was basically born around the time that the incident occurred, can't travel, something is wrong. I mean we don't want our airline using discretion to the extent that it becomes a vulnerability. But when an 8-year-old comes to purchase, or their parent comes to purchase a ticket, and they would just basically blow a horn like the day before this incident took place, someone has got to say I am going to take it upon myself to get this child cleared. That is where I believe part of the challenge lies for us right now--bringing that common sense, the intelligence community together to come up with a remedy. I just wanted to put that out there, because I think we kind of lose that in the conversation about the list. It is not the list. I think all Americans are glad that we have got that level of intelligence. It is the misuse of the list and it is the misidentifications of individuals with similar names that has become you know a real sticking point for most Americans, because after the third incident, it becomes just a violation of our humanity. We don't want to continue to experience that. Director Hawley, I am appreciative of your comments that you have made regarding the FAST Redress Act, and I hope that you will express your interest as you interface with our colleagues on the other side in the Senate. I know that the final rule for Secure Flight is being reviewed by OMB. Do you have a sort of a date when you expect that the rule would be approved? This is with regard to Secure Flight. Mr. Hawley. Yes, we are anticipating November is when the rule would be cleared and then be made final. Ms. Clarke. You think it would be the earlier part of November, or the end of November? Mr. Hawley. I thought it was going to be in the summer, so---- Ms. Clarke. I got you. I got you. If you had the authority to move on implementation today, how ready would you be to put the program into place? Mr. Hawley. I think today it is a different answer, because the certification is done. That is the first step to make sure the privacy and security pieces are done, and so having an appropriate GAO review of those I think would be the next step there. But technically, and Mr. Wellen can describe it, the system is operational and that part is ready. Our partners need to be ready, meaning the airlines need to be ready to give us the data. Then the legal authorities have to be there, which is something either would come legislatively or by rule. Ms. Clarke. With regard to the airlines, because they play such a crucial role here, would you say the capacity to stand them up in this process in a fairly short period of time, Mr. Wellen? Mr. Wellen. Yes, ma'am. We have six airlines that have expressed a willingness and a desire to be early adapters for Secure Flight. We encourage other airlines to express a similar desire, and that went to my oral statement. But yes, ma'am. Ms. Clarke. But Mr. Wellen, let me ask you something. Is there anything that we could do to compel all airlines to be a part of this process? Because again you know it is also the inconsistency amongst the airlines in terms of their protocols that has created a part of the problem as well. Mr. Wellen. Yes, ma'am. You are absolutely right. The rule is what we were using for compulsion. Ms. Clarke. Okay. Mr. Wellen. But legislation I believe probably could have the same authority. Ms. Clarke. Okay. Thank you very much. I yield back, Madam Chairwoman. Ms. Jackson Lee. Let me thank the gentlelady for her leadership. I know that we are going to partnership on this committee. It is our mutual commitment and the commitment of this entire committee to get this right, because I don't believe, as we honor the dead this coming Thursday, as we all will do, that we will have truly honored them if we cannot find a way to do what originally was a horrific act of those untoward and evil persons getting on the airplane and doing the wrong thing and a dangerous thing, and separate them from the travels of Americans and others, who are innocent. Let me yield for a second round and quickly ask to Assistant Secretary Hawley two issues. Since revising the No- Fly List security directive in April 2008, has TSA observed an increase in the number of true matches, meaning passengers correctly matched? Do you have a way of the air transport industry reporting back to the No-Fly List, meaning true matches to the No-Fly List? On the other hand, have air carriers reported an increase in the number of passengers misidentified as matches to the No- Fly List, which is what Congresswoman Clarke indicated that there is a watchlist, which I believe should be continuously surveyed to make sure that it is accurate, but then as that is accessed by the appropriate people, are they still doing misidentifications? Using the term, and I would like you to respond to that, ``you are on the watchlist,'' which many of our constituents come back and tell us that that is what is being said over the counter while the grandma is trying to get on the plane or while a young Mr. Robinson or military Mr. Robinson or former U.S. Attorney Mr. Robinson is trying to get on a plane? So if you can share that with us. Mr. Hawley. Yes. We have begun to collect the data from the airlines as to the number of people going to the counters. So we will begin next month having some trend analysis of that. But just anecdotally, a number of the airlines were experiencing about a thousand people a day coming to the counter, and our hope is that as they adopt measures, and we working with them, that those numbers will decrease. I think it is important to note all the airlines agree with all of us in terms of not saying, ``You are on the watchlist.'' That is their policy. It is our policy. We all have distributed operations where employees are all over the world and sometimes say things they shouldn't. So we all have the same interest in not saying to somebody, ``You are on a watchlist.'' Ms. Jackson Lee. But what kind of oversight do we have over that? You are right. We do have employees all over the world. I am sure they have good intentions. But I can assure you that we have heard from individuals, who at a counter in a public setting, who were told that you are on a watchlist. Mr. Hawley. Yes. We are interested to learn about that, as I am sure the airlines are, if there are employees doing that. One point I think is very interesting is that from our redress, the DHS TRIP, of the people who come to TSA and say, ``I would like redress,'' 99.75 percent of them are misidentification. I think Ms. Clarke has it exactly right, that the precautions in the process in making sure that the people on the watchlist belong on the watchlist, my experience is that is done excellently. The problem comes in taking those lists and then matching the passenger manifest. That is where the problems come in the data. As I said, less than a quarter of 1 percent end up being about whether they should be on the watchlist. Most are misidentified. Ms. Jackson Lee. Let me then quickly ask Mr. Kopel. I know that we have called him the name of the news anchor, so we will try to continue to correct his name, which is Kopel, and we appreciate the distinction. But in any event, it is a good person to be confused with. Let me ask you this. Building on that, there is considerable confusion between the terrorist screening database and the Selectee and No-Fly List. Please clarify the difference between the entire TSCD and the Selectee and No-Fly List, which are used by TSA. To the greatest extent possible, please discuss the other Government agencies that use the TSCD or are provided information by the TSCD. If you can quickly answer that, we want to move to our second panel. Then I want to ask you a redress question. Mr. Kopel. Yes, ma'am. The entire watchlist, the terrorist screening database, contains all the names and identifiers of everyone that the U.S. Government believes has a reasonable suspicion of a connection to terrorism. Ms. Jackson Lee. Well, it is important to note for the American people that the watchlist is legitimate, we should have it, and it is not out to attack Americans. Mr. Kopel. Absolutely, ma'am. That is why the supporting information for every nomination on the list is reviewed at not only the TSC, but in multi-layers by multi-agency participation. Ms. Jackson Lee. All right. Well, when we go to the No-Fly List, Selectee, the TSCD, the Selectee No-Fly List. Mr. Kopel. Yes, ma'am. The No-Fly and Selectee List have a higher level of I guess--the criteria for actually being placed on the No-Fly and Selectee List is about two or three notches above the reasonable suspicion of a connection to terrorism. In both those cases, without getting into the actual specifics of the criteria---- Ms. Jackson Lee. So that is even higher. Mr. Kopel. That is higher. Those lists have been what we call scrubs, where we will periodically go in and reevaluate, pull every record and determine that the information is still valid and accurate and that all of those people we believe have a potential for a danger to the aircraft. Ms. Jackson Lee. So what is the airline counterperson looking at, and their computer looking at, when someone comes, who, as has been indicated by my colleague, may be misidentified? Mr. Kopel. There is a subset of the terrorist screening database, the No-Fly and Selectee List. The appropriate identifying information, Madam Chairwoman, and I can't actually say what that this in this forum, but I would be glad to discuss that with you in a classified environment. Ms. Jackson Lee. We will have you do so. Thank you. Mr. Kopel. But at those cases, the airlines are given some specific information that should help them make at least a preliminary determination whether or not that is a match to the No-Fly and Selectee List. Ms. Jackson Lee. So when they are speaking to the multiple Robinsons, who are innocent---- Mr. Kopel. Yes, ma'am. Ms. Jackson Lee [continuing]. What is it that they are supposed to be doing? Mr. Kopel. Well, we would believe that they would do a preliminary review of the information that they have available to them to determine, matching that against the person at the counter, whether or not that is the same person. Ms. Jackson Lee. Do you believe the information that they have has been scrubbed and accurate so they can make a determination? Mr. Kopel. I believe that the information they have is accurate and has been scrubbed. Yes, ma'am. Ms. Jackson Lee. Let me indicate that we want to pass the legislation of Ms. Clarke, and we are going to be moving and working on that. What we hear from constituents--and last question to you--one of the chief complaints about the redress process is that individuals are never told that their name was actually removed from the watchlist. Why can the TSA neither confirm or deny an individual's watchlist status? Now, this is in the backdrop of recognizing that we are not trying to inform terrorists of anything. But what mechanism could we use? Mr. Kopel. Well, and I think that has been something that certainly DHS, as probably the largest user of the watchlist between TSA and the U.S. Customs and Border Protection, has been struggling with. The key to that, though, is from an investigative standpoint, if we were to inform an individual they are or not on the watchlist, that would be kind of like an open door to use a name that they know that they could kind of get through the security and skirt the security that has been put in place. That is a policy that we have had, and we stand by it. I think it worked for us, because there have been times when we believe people are phishing, you know, the system to look and see if this name is good or they can use this. Ms. Jackson Lee. Right. Well, let me indicate that I think we are better than a country that is not able to end the misidentification. We are also a country that should recognize that a scrubbed and clean and effective watchlist is protecting all of us. We are going to get to that in this committee. Let me thank you for your testimony. We ask---- Gentlelady, you have another question? Let me yield to the gentlelady. Ms. Clarke. Thank you, Madam Chairwoman. I guess for me--and this question is for Mr. Kopel. It is clear to me that there are going to be cases where the name does not come off the list. It is the misidentified individual that needs to be cleared, because the name remains the same. It is just that multiple people have either a similar name or the same name. So that is really the technicality, because we are asking for some of these end up whose name comes off, but we know that the name doesn't come off, because the name remains the name of a bad actor out there. It is the individual that may have a similar or same name that has to be cleared. Is there a process for that individual that begins to whittle down the pool of individuals that could be trapped by having the same or similar name? Because that name doesn't come off the list. Mr. Kopel. If the name on the list belongs to someone that is reasonably suspected of having a nexus to or a connection to terrorism, that name is going to remain on the list. Yes, ma'am. Ms. Clarke. That is right. Mr. Kopel. The process for working through that today at TSA is the cleared list. At Customs it is their primary lookout override system of the TSC, when a name is referred to us in our redress program, we work closely with both the offices in TSA for redress and with Customs and Border Protection to address those, to get those names not only to determine whether or not this is not the individual, but to help that individual. We actually have a process to get that person placed on the cleared list and to work with Customs and Border Protection for their primary lookout override. Ms. Clarke. You create sort of I guess an indicator that differentiates that individual with that name versus the individual with the name, which is the bad actor. Mr. Kopel. Absolutely. For Secure Flight we will really aid that for an automated function---- Ms. Clarke. Okay. Mr. Kopel [continuing]. For TSA. For Customs and Border Protection, that is a fully automated process that the person is not flagged at the customs inspection when they come through just wanting a passport. It is automatically overridden, because we know that is not the person. Ms. Clarke. Okay. Mr. Wellen, since DHS started the TRIP program, has there been a significant increase in referrals to TSC of potential cases for names and records to be removed? Mr. Wellen. First, TSA has worked with TSC to do a complete scrub. I am sorry. Excuse me, ma'am. TSA and TSC have worked together to do a complete scrub of the No-Fly and the Selectee watchlist. So we have employed that process. Second of all, the people that have requested redress through the DHS TRIP system do go through a process in which it is determined that in fact they are not the person on the terrorist watchlist. That name does go into a cleared list. That cleared list is provided daily---- Ms. Clarke. Can you just stick right there, because you said ``that name.'' I think that is where we are having--is there another indicator of the difference in the name? Mr. Wellen. Yes, ma'am. In addition to the name, there is a redress number. Ms. Clarke. Okay. Mr. Wellen. What happens is this is supplied to the airlines daily. It is updated daily. With varying degrees of consistency, the airlines apply those names when a person does their boarding pass--excuse me. Some airlines do it quite well. They made the investment in the IT infrastructure to make that happen. Others not so well. What the ultimate solution will be is Secure Flight, because as part of the process, an automatic process, those names will automatically--anybody that is a hit on the match would automatically--then the next step is to look. Is there a redress number and are they on the cleared list? So that is actually built in as an automated piece of the Secure Flight engine. Ms. Clarke. Thank you. Madam Chairwoman, just one final question. Last April with the terrorist screening database approaching the 1 million record mark, the Terrorist Screening Center implemented the Terrorist Encounter Review Process, which started in April, to help reduce the number of unnecessary records. Director Kopel, now that this program has been under way for several months, do you have any early results on its level of effectiveness? Have many records been flagged for review? If so, how many of these have been acted upon and actually removed from the system? Do you have any statistics available? Mr. Kopel. Madam Chairwoman, we do have some statistics. I did not bring those with me today, but I can tell you that the overall I think success of the program--it is really reaping some benefits for everyone. What the program does for us is when a person is misidentified, that person that has gone through the process I think three times, they are automatically referred to our redress team for a redress referral of that record. If that is determined that they are not the individual, which at the time of the redress submittal we know that, then we go through the process and we will actually work to get them added to the cleared list or the customs list, the primary lookout override, without the person ever having to actually file a redress complaint. Ms. Clarke. I would like to get Ms. Berrick's response, Madam Chairwoman. It is a little---- Ms. Jackson Lee. Yield to the gentlelady. Ms. Clarke. Thank you. Ms. Berrick. have you looked into the TERP program at all? Do you have any thoughts on it? I am sorry--the TSC's TERP program. Ms. Berrick. No, we haven't looked at that specific program. If I could, I would like to make a point about the cleared list--two points, actually. One is that even if an individual goes through the process and is added to the cleared list, they still may be inconvenienced, because they may not be able to remotely check in for their flight. They will have to go to the ticket counter, unless the carriers have some other pre-clearance system in place. So that is point No. 1. Even if you are on a cleared list, you may still be inconvenienced is one thing that they need to consider. The other point just slipped my mind, but I am sure it will come back to me. Oh, it was that the carrier--we interviewed 14 carriers and talked about their use of the cleared list. Actually only 10 of the 14 were using the cleared list. The reason that they gave was they felt it could identify a lot more additional people that would have to come to the ticket counter and be cleared, and it caused long lines and passenger frustration. Now, some of those carriers had alternative clearance systems, but not all of the carriers were even using the cleared list. So that is why TSA oversight over this process is so important. Even though Secure Flight is going to begin operations in January, that is going to be a phased schedule, so they will not be screening all domestic passengers for probably another year. After that, they will be screening international passengers. So in the interim the oversight is very key to make sure carriers are following TSA requirements and are using the cleared list appropriately. Ms. Clarke. Thank you very much, Madam Chairwoman. Ms. Jackson Lee. Thank you. Our second panel has been enormously patient, and we appreciate it very much. I do want to recognize, and ask if she wants to ask questions of the first panel, the distinguished gentlelady from the District of Columbia. Ms. Norton. Thank you, Madam Chairwoman. I want to thank you for having this hearing. I stopped by for nothing more than to say this. I must say just hearing the last few minutes, I am struck by whether we ought to give this to some high school nerds, because I really do think the notion that we can't figure out how to keep from going each time to get another list and going to the counter really speaks so poorly of Department of Homeland Security that they haven't been able to figure it out, that we continue to get complaints. I don't think they know how. I think they are thinking through how to solve this puzzle. That is what I regard it as. It does take more than bureaucrats sitting around saying, ``Now, how do we do things like this?'' The way we do things like this is to make sure that this person is still the right person. Then we got to create another list. That is the kind of bureaucratic thinking that has--you may have heard that some of these cleared lists don't even exist in some of the airlines. But assuming even the airlines that they do exist, surely there is some experience around the world that by now we could have copied. For example, there--Latin America. I have noted all my life how many Latin Americans' names are the same. I just wonder if we have looked beyond our shores to see if somebody has figured out a way to do this. I don't think it is beyond our intellectual capacity, but what I have heard in this room, just sitting down here for 5 minutes makes me believe that it is beyond the capacity of this agency. Have you looked at how other nations, some of which will have the same problem, have very large populations, deal with this issue of similar names? Or are you talking to yourselves? Ms. Jackson Lee. Well, let me ask--I don't want to overstep the gentlelady's bounds, and I appreciate if Assistant Secretary Hawley---- If you don't mind, Congresswoman Holmes Norton, if Mr. Kopel could answer that. Then we will move to the second panel. Ms. Norton. Whoever is qualified to answer. Ms. Jackson Lee. Whoever feels competent, but those two individuals can jump in and be as pointed as they possibly can. Mr. Kopel. Yes, ma'am. One of the missions from the TSC is to share terrorist screening information with foreign governments. We have been very active in going worldwide and meeting with many governments, not only to share our terrorist watchlist and get information from them, but to learn how they use the list, how we can kind of do a build-off of that and how they can build off of our system. So I think that the answer to your question is that we talk to many different countries. Ms. Norton. Yes, but I have asked you a very specific question. Do countries who also--we are not the only country in the world where people have similar names--have they found a quick and easy way to do what I think seems to me--again, I am serious. Put some nerds together at a table. They will figure it out. Have any of them found a way to do it without the processes that I have described here, and have you sat down with them to find that out? Not sharing your list, but how do you do it? How long does it take to figure out, to keep coming back, answering the questions that you hear from this committee? Mr. Hawley. I would like to answer that in the sense that we have built the system. One of the things that we said at the beginning of the hearing--we had a major announcement that we have met the 10 privacy requirements of certification. That has occurred from Secretary Chertoff so that the privacy piece is in place, the technology is in place, the system is built, the matching is done. It is operational, and now the next stages are for the authorities to go to require the information we need to come in, as well as work with our partners so that the airlines can get the information to it. So the system is now built. The privacy protections are in place. GAO is going to review that over the next 90 days. We should be good to go starting in January. Ms. Norton. One-stop system? Mr. Hawley. One-stop. Yes, ma'am. Ms. Norton. I want to thank the gentlelady for what I think was an instructive line of thought today. We are going to take it one step further. Both of my colleagues have highlighted part of the concern that we have. One, Mr. Kopel, we are going to have the security briefing for our committee so that we can get the oranges and apples together. I think that is the concern that I have. Certainly a shocking statement by Ms. Berrick that our airlines--less of them are using the secured list. I would appreciate it if I could get a fuller explanation of that, Ms. Berrick, in writing for the committee. It will help us as we move forward. I am going to ask Assistant Secretary Hawley if he could give a response in writing as to what he perceives a fully operational Secure Flight will look like, because I am concerned that we will now have or should have all the participants knowing their obligations. Do not give leeway to who can look at a list and who doesn't look at a list, because that, if you will, speaks to the inconsistencies. Our second panel will have representatives from the public and as well our technological community and transport to answer those questions. I would be remiss if I did not thank TSA for meeting their certification, and Secretary Chertoff for certifying. I will say this one comment, and that is it is important to note--and I have mentioned his name before--Drew Griffin, who is a reporter for CNN. I don't think the answer of calling the inspector general of DHS is an answer, which was given by Secretary Chertoff-- maybe well-meaning--that work for those Americans and others that are on a list inappropriately to call up the inspector general of the DHS. So what we have here are the partners--Assistant Secretary Hawley, Mr. Wellen, Mr. Kopel, and certainly GAO's Ms. Berrick--to get this done. I am going to hopefully leave you with the instruction we have to get this done. We will be writing legislation. I thank this panel very much. I understand there being no further questions for our first panel, I thank the witnesses for appearing before the subcommittee today for this very important hearing. Members of the subcommittee may have additional questions for you. We ask that you respond to them expeditiously in writing. We now welcome our second panel to the witness table. Again, we thank all of you for your participation. Let me welcome our second panel of witnesses. Our first witness is Ms. Denise Robinson. Ms. Robinson lives in Sunnyvale, California, with her husband and two sons, James and Tyler. Since 2005, when James was 5 years old, the Robinson family has had to deal with the delays and hassles of having a son who has been consistently misidentified when traveling. Every time the family travels, they have to deal with long waits for the ticket counter, or at the ticket counter, close calls at missing flights, the inability to use curbside check- in, and embarrassment. Let me note for the record again that Ms. Robinson and her son traveled here to Washington, DC, at their own cost. I do want to acknowledge as well that even though Ms. Robinson is in Sunnyvale, California, she is with strong roots from the great State of Texas. I am delighted that she has that kind of stamina that comes from the great State of Texas. But I think as we listen, my colleagues will recognize that the consternation of this committee, the commitment to get this right is reflected in a young man, who is 8 years old, who has been stupendous by being at this hearing starting 2 p.m., and we will reflect what time it is now. So we are commending Mr. James Robinson, because he has a great future in front of him, and it might be that he will be sitting in a chairpersonship, if he desires proceeding and governing a hearing, as he has been very able in his presence here today. Our second witness is Ms. Lillie Coney, who is an associate director with the Electronic Privacy Information Center. I did not construct this to be such, but she also hails from the great State of Texas. We thank her for her leadership. Additionally, she serves in an advisory capacity to several organizations, which include Verified Voting, Accurate Voting System Performance Rating, and Open Voting Consortium. Our third witness is Mr. John Meenan, who is the executive president, chief operating officer of the Air Transport Association. Mr. Meenan is responsible for all aspects of ATA operations, with a particular focus on technical, safety, security, environmental, economic and legal policy issues impacting the airline industry. Without objection, the witnesses' full statements will be inserted in the record. I now ask each witness to summarize his or her statement for 5 minutes, beginning with Ms. Robinson. We are going to adhere to the rule, and that is that we have laid down a compromise that Mr. Robinson at his age will communicate through his mom. All of us believe that Mr. Robinson--James--could speak for himself, just as he is confronted individually as he tries to visit Grandma and others when he goes to an airline counter. He should be able to address his own grievance and his own particular embarrassment, if that is something that occurs to the family, but we are going to let Ms. Robinson do so. I hope in her statement that she will answer the question--and maybe she will consult with James--if he knows what a terrorist happens to be. So now, however, we recognize Ms. Robinson for 5 minutes, with her son, James Robinson, sitting alongside of her. I yield to the witness. STATEMENT OF DENISE ROBINSON, PRIVATE CITIZEN Ms. Robinson. Thank you, Madam Chairwoman. Thank you to the committee for the information to come and speak to you today. The purpose of my testimony really is to sort of give the perspective of a common citizen and dealing with somebody who is on the watchlist. But before I get to the specifics of our experience, I would like to state that I am a strong proponent of the watchlist. I believe that in our country we as citizens are going to have to accept some inconveniences and be flexible with some of the liberties that we have come to expect in order to provide the security against terrorism. So I am a proponent of it, but I do think that it has been mismanaged or not executed to the quality that we in our country can do. So I share with you our specific experience with James. When he was 5, we went to the airport to check in on a flight. We were at curbside told that we were not able to check in and we must proceed to the ticket counter. We did that. The ticket agent took a very long time on the phone, on the computer system, not able to answer questions that we were asking about why it was taking so long. He kept saying, ``I don't know. I mean I can't tell you what is going on.'' We kept saying, ``Well, but why is it taking so long?'' Finally, he would ask, ``Who is James?'' Obviously, we pointed to our son. Then he asked, ``How old is he?'' I said, ``He is 5.'' You know he said, ``I cannot tell you what is going on, but I am going to provide you with information, printed information that you need to follow.'' He said, ``I suggest that you follow it for your entire family, because I can't tell you any more information.'' I know there has been a lot of talk today about the airlines using the term ``watchlist'' or not. We have never had the airlines use the term ``watchlist'' with us over the last 3\1/2\ years. So we were able to make the flight. In hindsight I now know that this ticket agent was very confounded with the situation. It was probably his first opportunity to come across someone who was listed that was so young. So anyway, we did make the flight. The printout that he gave me was the TSA directions to follow the redress process. I did that. It took almost a year to get a response from the TSA. I did do the redress process for our entire family. However, what was interesting was the only response I got from the TSA was a letter for James Robinson. There was no communication about any of the other family members. Further, the letter was very vague. It stated that a review of records was conducted, and where it has been determined that a correction to records is warranted, these records have been modified. That is very vague from a citizen's perspective. To further frustrate me, it said this letter constitutes TSA's final agency decision, which is reviewable by a U.S. Court of Appeals. So you are faced with no further action. I understand that the redress process has been revised. I haven't gone through it again. But that was our experience. So, based on that background, you know my point is that-- and I agree that it can't just be based on the name. The system can be a good system, but it can't just be based on the name. It has to have other information with it. You know the list is only going to grow unless we do something to solve this. With James in particular I have encountered this problem on every airline. We have frequent flyer programs for him on every airline. When I go to the airport, I am the one who approaches them and says, ``My son is on the watchlist.'' Then the airline then is able to help us manipulate--not manipulate, but get through the system, get our boarding passes so that we can get on the plane. But you know James at his young age is embarrassed by that, because all of a sudden he is in the spotlight. James, I will ask you now and ask you to answer to me, ``Do you know what a terrorist is?'' His answer is no. He doesn't understand why this problem persists with him. The other thing that I have done is that I applied for a passport for him. When I went through the passport application process, I did it with both of my sons. I expected that I would have further inquiry in getting James' passport. I did not. I used the paperwork. The passport came back. Yet when I flew with him yesterday, with his passport, he was still on the watchlist. So if we are issuing citizens passports without further inquiry, and they are on the watchlist, you know it just completely erodes the confidence of the citizens in you know the TSA, Homeland Security, everything. It erodes our confidence. The other thing that has been talked about today is the ability to use name variations to circumvent the system. That further erodes the confidence, you know because we as citizens don't really care, to be honest, whether the watchlist, or the application of the watchlist by the airlines--we want the system to work. That is my expectation is that I am hopeful that this new process that will roll out in January 2009 will solve these problems and will bring the airlines and the TSA together and get all of these extraneous names off the list. So, finally, why am I here? I am here for two reasons. First, I am obviously here to get my son off the list, whether it is the airlines or the TSA, whatever, I want him off the list. I have been able to manage the process thus far, but as he grows up and he begins to travel on his own--it is obvious he is not a security threat now, but when he is a teenager or in his early 20's and he is traveling on his own domestically, and particularly internationally, he could encounter problems. So I am here to get him off now. The other thing is that, again, I feel very strongly that the watchlist is a good tool. I feel very strongly about national security for our country. I think we can do a better job. Thank you. [The statement of Ms. Robinson follows:] Prepared Statement of Denise Robinson September 9, 2008 Dear Committee Members: Thank you for the invitation to testify before your committee on behalf of my son, James Robinson. The purpose of this testimony is to highlight key weaknesses, from my perspective, in the implementation of the Transportation Safety Administration's (TSA) ``Terrorist Watch List''. Before I get to the specifics of our situation, I would like to state that I am a strong proponent of effective actions by our Government to ensure safe travel in the United States. I also believe that citizens of this country will have to accept some inconveniences and be flexible with some of the liberties that we have come to expect in order to gain that additional security. However, I do believe it's incumbent on our Government to, very simply, be effective. My son, James, has been on the watchlist since 2005 when he was 5 years old. How do we know this? We know this only through experience every time we travel by air. Our first introduction to this situation was in 2005 when we were traveling on American Airlines from San Francisco to New York JFK Airport to visit his grandmother. Upon arriving at curbside check-in, our normal travel procedure, we were told by the skycaps that we had to go to the ticket counter to check in and receive boarding passes. Once at the ticket counter, the American ticket agent spent a significant amount of time on the phone and on the computer terminal, so much time that we were concerned about missing our flight. When asked what was going on, we were told, ``I can't tell you anything''. Obviously, we were concerned. Finally, the ticket agent asked which one of us was James and we identified our 5-year old son. More time went by on the phone and computer, and he finally asks, ``How old is he?'' I replied, ``He's 5''. Growing more concerned, we questioned further what the issue was. Again we were told that he could not tell us anything but that he would print some information and we should follow the directions on that printout for every member of our family even though James was the only one he called out specifically. The printout included instructions to contact the TSA and provided contact information by mail. I contacted the TSA and received a letter requesting us to complete the Passenger Identity Verification (PIV) form. I completed the forms for all members of our family and mailed them to the TSA in April 2005. In February 2006, I received communication back from the TSA but it was only one letter addressed to James Robinson. There was no communication about the status of the rest of the family. The letter to James states that a review of records was conducted and ``where it has been determined that a correction to records is warranted, these records have been modified . . . ''. To date based on our experience at airports, there has been no correction to James' records. Additionally, the letter states that ``this letter constitutes TSA's final agency decision, which is reviewable by a U.S. Court of Appeals . . . ''. Based on that background, my main point is, very simply, that the watchlist is completely mismanaged. The list is too big and too flawed with extraneous names, and the current process for getting off is totally ineffective. The list only grows. Secretary Chertoff has said that there is a ``simple solution'' for getting off. In a press conference, Chertoff said that ``if the innocent John Smiths provide information such as a date of birth to the TSA . . . then when they show identification of that date of birth at the airport they are immediately taken out of the system''. I provided just that information to the TSA in 2005 and provided just that information at the airport; James is still on the list. So, if a 5-year old can't get off the watchlist, who can? With new people being added to the list and without an effective process for getting off, the list is an unwieldy and ineffective tool. Divisions of our Government don't cross-reference, creating opportunities for the terrorists and frustrations for the rest of us. In late 2007, I applied for a U.S. passport for James. The passport was issued in January 2008 without any further inquiry, and James remains on the watchlist. The irony is clear and perplexing. The list is not hard to circumvent. In a CNN investigation about the watchlist, which aired on August 19 and included interviews of three different James Robinsons including my 8-year-old son, there are numerous examples of using variations of the name to avoid the watchlist at the airport. For example, one James Robinson who is a commercial pilot and licensed to carry a weapon in the cockpit uses Jim Robinson to circumvent the hassle. We have used J. Pierce Robinson for the same reason. In both cases, just that small change works. Drew Griffin, the CNN reporter who is also on the list, has sidestepped the list by combining his first and middle name into one. The list is not well managed. So, why am I here? Why did I take my son out of school and bear the expense of traveling to the District of Columbia to testify before you? First and foremost for me personally, I am here to get my son, James Robinson, off the watchlist. But equally important, I'm here to do my part to make it an effective tool in the fight against terrorism. I feel very strongly that our country can beat the terrorists. I believe that we have the will, resources, intelligence and fortitude in this country to prevent them from their main goal, to ruin our way of life. I believe the watchlist can be an effective tool if managed; it is currently not. I'm hopeful that the new Secure Flight Program that the TSA is scheduled to implement in January 2009 will be more effective, but I'm not optimistic based on my personal experience. Thank you for your invitation to speak before you and your consideration of this issue. Ms. Jackson Lee. Let me thank you for your testimony. I can tell you that you are before a committee that is very strongly committed to a cleaned-up watchlist, very strongly committed to national security. That is our reason for being. So we thank you so very much for your testimony. I would now recognize Mr. Meenan. I recognize you to summarize your statement for 5 minutes. STATEMENT OF JOHN M. MEENAN, EXECUTIVE VICE PRESIDENT AND CHIEF OPERATING OFFICER, AIR TRANSPORT ASSOCIATION Mr. Meenan. Madam Chairwoman, thank you very much. Members, I appreciate the opportunity to appear here today. At the outset I would like to say that we certainly regret hearing this story, and I know that our managing director of security has offered to work with the Robinsons to try to sort this out. I thought it would be useful to give the committee a chronology of what we are dealing with here. In October 2001, FAA, and subsequently succeeded by TSA, created the first watchlist with just a handful of names that were given to the airlines, and we were told not to let them board flights. Later in 2001 that morphed into the Selectee List, which were people to be handled in a particular process, and a No-Fly List. At the time the carriers asked for a script as to what they should tell these passengers when they arrived, and they were respectfully--that request was respectfully declined by FAA and TSA. We received no script. We also asked how the process should work. They said, ``Use your best judgment as to how you design it.'' The list began to grow through 2002 and 2003. The carriers found themselves devoting more and more resources to handling these lists largely in a manual process, so they began investing in significant changes to their information systems to try to automate this. Again, that was done based on their own judgment as to how that should proceed, using very different information systems across the industry. There were no standards provided. So we ended up with a variable system that quite honestly in hindsight is where the problems really started cropping up. Let me be frank with you. The industry economics have not contributed to this situation. The fact is that the airlines were among the first users of information systems, but to an extent we are still using some of those first systems. So they are cumbersome. They involve writing of code that really isn't done anymore. It is very difficult to find the people to do this. It is expensive. As we have gone through the process for the last 7 years, we get constant requests and requirements from the Government that require modification of these systems. All of those go into a queue to be taken care of, and honestly, it has not been a very neat process. It isn't working as smoothly as we would like, and obviously, if the economics of the industry were different, we think that situation would be handled differently. Throughout 2002 and 2003, TSA promised that CAPS II was going to come on-line, and it was going to take care of this problem. 2003 moved into 2004. CAPS II remained a promise. The carriers began receiving frequent modifications of the format. The lists that they received from TSA--the formats changed, which required constant renovation of the information systems, adding further confusion and, honestly, I think probably producing some of the problems we are continuing to see today. You know before CAPS II sort of stopped in its tracks, morphed into Secure Flight, that was to be the successor system. Again, investments continued to be made, but we were awaiting this promise of a Secure Flight system that was going to remove this responsibility from the airlines completely and put it in the hands of the Government, where they could have access to all of the information they need to resolve these issues that they can't share with us today. So as that process has gone forward, we have done everything we can to try to advance it. We are pleased to hear from the Government witnesses today that the plans are in place to hopefully get that up and running early next year. We are doing everything we can to try to expedite that process. Obviously, we are looking to this committee for its support. We hope that by this time next year that all of these issues can be looked at through the rear view mirror, rather than coming at us. With that, we would be happy to respond to your questions in due course. [The statement of Mr. Meenan follows:] Prepared Statement of John M. Meenan September 9, 2008 Thank you, Madame Chairwoman. The Air Transport Association and its member airlines welcome the opportunity to appear before you today to discuss the critical issues associated with aviation security ``watchlists.'' In order to provide the committee with a complete picture, it may be helpful to begin with a chronology of the lists during the past 7 years. In October 2001, prior to the creation of the Transportation Security Administration (TSA), the Federal Aviation Administration (FAA) issued the first ``watchlist'' (containing a handful of names) of individuals identified by the FBI. These individuals were not to be allowed to board flights. Late in 2001, the list was divided by Security Directive into separate ``No-Fly'' and ``Selectee'' components. As the name implies, No-Fly listees were not to be permitted to board while selectees were to be subject to additional screening. Carrier requests for scripts as to what these individuals should be told were declined, first by the FAA and later by TSA. As the lists began to grow in 2002 and 2003, carriers were devoting more and more manpower to this effort. Consequently, many carriers began investing significant resources in information system modifications to automate this process. Two relevant asides are worth mention: The carriers were required to use their best judgment in designing those systems, incorporating name variability programs to be certain they found similar names--but without Government guidance or standards. Looking back, problems really began to compound themselves at this point when, absent Government engagement, carriers began to develop highly variable systems, capabilities and procedures. Point two, let me be frank: Due to the economics of the airline industry, the legacy information systems we are working with, while reliable, are cumbersome and expensive to modify. They are generally old technology, which adds complexity to the situation. While many carriers would, no doubt, welcome new systems, economic realities control new investment decisions. In 2003, many carriers went to work to develop ``preclearance systems''--essentially reviewing each day's anticipated passenger lists against the Government's lists, and pre-resolving any matches to the greatest extent possible. One carrier had approximately 35 full-time employees engaged in this process. Again, as more and more names were added, more efforts were made to automate this process. As a result, carriers incorporated their frequent flyer lists (which provided more detailed identification information) and therefore helped resolve uncertainties. These lists, of course, are highly proprietary and, as a result, being a frequent flyer on one carrier does not help clear a passenger traveling on another airline. Throughout 2002 and 2003, TSA indicated that its Computer Assisted Passenger Pre-Screening program (CAPPS II) was moving forward and would soon replace the carrier programs with a TSA risk-assessment and passenger-authentication program. As 2003 moved on to 2004, CAPPS II remained a promise. At the same time, TSA began modifying procedures and list formats, usually without industry consultation, resulting in frequent and redundant reprogramming in order to enable the loading of the modified lists. By 2004, CAPPS II had morphed into the newly promised Secure Flight--and TSA's renewed commitment to take over the watchlist matching function. The carriers have made every effort to support this initiative, noting only their concern that Secure Flight be thoroughly vetted and tested to avoid further complications. Throughout this period, the lists had continued to grow--the No-Fly and Selectee lists alone exceeded 145,000 names. Added to that, we now have a so-called ``cleared list,'' which TSA developed to respond to passengers who had been inconvenienced. Unfortunately again, with wide variations among carrier's processing capabilities, passenger delays were inevitable. Given of the absence of TSA/industry consultation, the investments to develop robust carrier preclearance systems, the cleared list are next to useless. Over the past 7 years we have worked with no fewer than five--TSA CAPPS II/Secure Flight program directors. Carriers have, as for 2007 (the last time we updated the data) spent some $44 million maintaining, developing and operating screening systems. (We acknowledge this figure is imprecise, since these expenses are not tracked more closely.) We have participated in numerous teleconferences and provided personnel for literally dozens of meeting with the TSA, particularly seeking to advance first, CAPPS II, and then Secure Flight. I am pleased to report that in recent months, TSA and airlines have been working closely to further reduce the number of passengers misidentified through the Watch List process. We know this is a difficult assignment for the TSA and for the airlines--and we are committed to ensuring that it is effective. The Department of Homeland Security (DHS) and TSA have now provided more detailed guidance as to functional system requirements; carriers have been authorized to incorporate date of birth information into their records to help address misidentifications; carriers have also redoubled their efforts to encourage customers to join their frequent flyer programs--which, for the most part, provides the optimal use of existing technology to avoid misidentification; TSA has provided a script for carrier use to advise passengers why they may not be able to check in on-line or at a kiosk. Taken together these initiatives should help to further reduce passenger inconvenience. We know too that TSA plans to begin to roll out Secure Flight, which may ultimately resolve the problem of watchlist misidentification by early 2009. We are fully supportive of this effort--subject only to the caveat that it be fully vetted prior to implementation to assure that passenger pre-screening is truly improved. We urge this committee's full and active engagement in the development and deployment of Secure Flight and thank you for the opportunity to appear today. Ms. Jackson Lee. Mr. Meenan, I thank you for your testimony. I would now like to yield 5 minutes to Ms. Coney---- STATEMENT OF LILLIE CONEY, ASSOCIATE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER Ms. Coney. Thank you, Congresswoman. Ms. Jackson Lee [continuing]. To summarize her statement. Ms. Coney. Congresswoman Jackson Lee, Ranking Member Daniel Lungren, Congresswoman Norton and Congresswoman Clarke, thank you for the opportunity to appear before you today. EPIC is a nonpartisan public interest research organization established in 1994 to focus public attention on emerging civil liberties issues. We are very pleased that the committee is holding this hearing on ensuring America's security, cleaning up the Nation's watchlist. There are three primary problems with the security watchlist. First, the databases in the system are not subject to the full safeguards of the Privacy Act of 1974. The Transportation Security Administration has sought wide-ranging exemptions from the record system, and private companies engaged by the agency are not subject to the Privacy Act. As a result, legal safeguards that help ensure accuracy and accountability and other Federal databases are absent from the watchlist system. Second, the security watchlist on which the system is based are riddled with inaccurate and obsolete data. In September 2005 documents obtained by EPIC under the Freedom of Information Act revealed travelers' struggles with watchlist errors. The situation has not changed materially, and recently continues to reveal more incidents of false positives and harrowing experiences of legitimate travelers. Third, the existence of the Registered Traveler Program may become a textbook example of security failure. The Privacy Act requires that data collected should be limited to only what is relevant and necessary. However, the TRIP program does not perform a critical process to determine if the collection of information is necessary. Second, the data collected should be specific to the kind of problem the traveler may have experienced. Third, the information collected must only be used to resolve the problem. TRIP does not distinguish between frequent air travelers and infrequent air travelers. All air traveler travel experiences are not equal. Some, like Members of Congress, may travel on average 30 or 40 weeks out of the year. Very infrequent air travelers may travel once over several years. One of the principal protections offered by the Privacy Act and Fair Information Practices is transparency. Transparency is a key component of a functioning, healthy democracy. Efforts to provide due process by DHS must remove ambiguity that may currently exist in the minds of agency administrators regarding their obligation to make public information related to watchlists and prohibitions on travel. The FBI Terrorist Screening Center manages watchlists used by DHS to screen air travelers. The inspector general of the U.S. Department of Justice found that the Terrorist Screening Center is relying on two interconnected versions of the watchlist database. The inspector general found that the methodology adopted by the FBI to nominate new names as flawed. The inspector general concluded that this procedure resulted in the TSC being unable to ensure that consistent, accurate and complete terrorist information is disseminated to frontline screening agents in a timely manner. Further, there must also be a clear statutory definition of the words ``terrorism'' and ``terrorists,'' as well as the phrase ``terrorist organization.'' Without clear definitions, these designations could be misused, such as in the past, when the word ``subversive'' was used to justify actions taken against some civil rights activists, civil liberties groups and others who engaged in lawful pursuit. In order to ensure American air travel security, the watchlist must not only be cleaned up of errors. The Government must also ensure that an inaccurate data is not entered into the database in the first place. Further, it must be transparent to the general public by providing information on the existence of watchlists, disclosing the penalties for being listed, publicizing the redress procedure, ensuring effective due process rights for travelers, and cleaning up the appeals process for agency decisions. Finally, each traveler denied the right to travel should have access to the courts. It is our hope that the work set forth by this committee will lead to a more just, fair, privacy-centric and transparent watchlist program. Thank you. [The statement of Ms. Coney follows:] Prepared Statement of Lillie Coney September 9, 2008 Chairwoman Sheila Jackson Lee and Ranking Member Daniel E. Lungren, thank you for the opportunity to appear before you today. My name is Lillie Coney and I am Associate Director of the Electronic Privacy Information Center in Washington, DC. EPIC is a non-partisan public interest research organization established in 1994 to focus public attention on emerging civil liberties issues. We are very pleased that the committee is holding this hearing on ``Ensuring America's Security: Cleaning Up the Nation's Watchlists.'' The watchlist program is dysfunctional because it is a black box system. Information goes into the process, but not very much escapes, including when errors are made. Poor list creation and management not only cost taxpayers money, they may also deny individuals a fundamental constitutional right to travel.\1\ I ask that my complete statement and our summary of the on- going problems with watchlist errors be entered into the hearing record. --------------------------------------------------------------------------- \1\ Saenz v. Roe, 526 U.S. 489 (1999). --------------------------------------------------------------------------- In my statement today, I wish to call your attention to three primary problems with the security watchlists. First, the databases in the system are not subject to the full safeguards of the Privacy Act of 1974,\2\ as the Transportation Security Administration (TSA) has sought wide-ranging exemptions for the record system and private companies engaged by the agency are not subject to the Privacy Act.\3\ As a result, legal safeguards that help ensure accuracy and accountability in other databases are absent from the watchlist system. --------------------------------------------------------------------------- \2\ 28 CFR 16.96(r)(1). \3\ Privacy Act Amendments 2005, EPIC, available at http:// epic.org/privacy/laws/privacy_act.html. --------------------------------------------------------------------------- The second flaw of the program aggravates the issue further--the security watchlists on which the system is based are riddled with inaccurate and obsolete data.\4\ In September 2005, documents obtained by EPIC under the Freedom of Information Act revealed travelers' struggles with watchlist errors.\5\ The situation has not changed materially and recent news continues to reveal more incidents of false positives and harrowing experiences of legitimate travelers.\6\ --------------------------------------------------------------------------- \4\ Watchlist FOIA Documents, available at http://epic.org/privacy/ airtravel/foia/watchlist_foia_analysis.html/. \5\ EPIC FOIA Notes No. 8, available at http://epic.org/foia_notes/ note8.html/. \6\ Drew Griffin and Kathleen Johnston, ``Airline captain, lawyer, child on terror `watchlist' '', CNN, Aug. 19, 2008 available at http:// www.cnn.com/2008/US/08/19/tsa.watch.list/. See also ``Formal calls for probe into reporter's name on no-fly list'', CNN, July 17, 2008 available at http://www.cnn.com/2008/US/07/17/watchlist.chertoff/ index.html. --------------------------------------------------------------------------- Third, the existence of the Registered Traveler program may become a textbook example of ``Security Theater.''\7\ Further, the approach is triggering typical hallmarks of ``mission creep''--the databases of personal information collected by private sector companies will be used for purposes other than originally intended--aviation security. The TSA has outsourced the vetting of bona fide air-travelers to Verified Identity Pass, Inc. (Verified ID), a privately held company running The Clear Registered Traveler program (Clear). --------------------------------------------------------------------------- \7\ Bruce Schneier, ``The Feeling and Reality of Security'', Apr. 8, 2008 at http://www.schneier.com/blog/archives/2008/04/ the_feeling_and_1.html (describing security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security). --------------------------------------------------------------------------- For a year, San Francisco air travelers have been offered the option of enrollment in the Clear Registered Traveler Program at a cost of $128. Those who registered were given a biometric ID card that could be used to bypass regular security lines. In August of this year, Verified ID reported the theft of a laptop containing registration information from its San Francisco office. The agency is now prohibiting Verified ID from registering new customers into the Registered Traveler program. Registered traveler schemes are all vulnerable to several serious flaws, including the example presented in this news item. Travelers who registered for the program may find themselves waiting in lines once again. Later, it was reported that the laptop was returned to the office it was stolen from.\8\ --------------------------------------------------------------------------- \8\ ``Laptop with traveler info likely stolen, returned,'' Marcus Wholsen, Business Week, August 2008, available at http:// www.businessweek.com/ap/financialnews/D92GO1A00.htm. --------------------------------------------------------------------------- In order to ensure America's air travel security, the watchlist must not only be cleaned up of errors, the Government must also ensure that inaccurate data is not entered into the database in the first place. Further, it must be transparent to the general public by: providing information on the existence of the watchlists; disclosing the penalties for being listed; publicizing the redress procedures; ensuring effective due process rights for travelers, and cleaning up the appeals process for agency decisions. Finally, each traveler denied the right to travel should have access to the courts. the privacy act 1974 The protection of privacy is hardly a new problem. An 1890 journal article written by American lawyers Samuel Warren and Louis Brandies entitled the ``Right to Privacy,'' captured the attention of law scholars, legislators, and the public. This law journal article has been cited and debated for over a century, and has guided the establishment of laws and international norms that restrain the power of technology and human curiosity to encroach on an individual's ``right to be let alone.''\9\ --------------------------------------------------------------------------- \9\ Samuel Warren & Louis Brandies, The Right to Privacy, 4 Harvard Law Review 193 (1890). --------------------------------------------------------------------------- In 1948, the right of privacy found a place in international law through its adoption into the Universal Declaration of Human Rights.\10\ Article 12 states: --------------------------------------------------------------------------- \10\ Universal Declaration of Human Rights, adopted and proclaimed by General Assembly resolution 217 A(III) on December 10, 1948, available at http://www.un.org/Overview/rights.html. No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against --------------------------------------------------------------------------- such interference or attacks. The ``Digital Information Age,'' ushered in a much-needed expansion of the fundamental human right of privacy. During the 1960s and 1970s, interest in the protection of privacy rights increased with the arrival of the information technology revolution. Congress in its wisdom acted not in the wake of disaster, but prospectively to address the real threats posed by powerful computer systems. The Federal Privacy Act established the right of citizens to be free from Government abuse and misuse of personal information, and the right to be informed of the actions taken by the Federal Government on their behalf. The Privacy Act of 1974 was passed in response to concerns about how the creation and use of computerized databases might impact individuals' privacy rights. However, its scope was limited to Federal Government agencies. It safeguards privacy of Federal Government-held records through the creation of four procedural and substantive rights in personal data. First, the Privacy Act requires Government agencies to show an individual any records kept on him or her. Second, it requires agencies to follow certain principles, called ``fair information practices,'' when gathering and handling personal data.\11\ Third, it places restrictions on how agencies can share an individual's data with other people and agencies. Fourth and finally, it allows individuals to sue the Government for violating the provisions of the Act. --------------------------------------------------------------------------- \11\ Fair Information Practices, EPIC, http://epic.org/privacy/ consumer/code_fair_info.html. --------------------------------------------------------------------------- There are, however, several exceptions to the Privacy Act. For example, Government agencies that are engaged in law enforcement can excuse themselves from the Act's rules. Agencies have also circumvented information sharing rules by exploiting a ``routine use'' exemption. In addition, the Act applies only to certain Federal Government agencies (except for Section 7's limits on the Social Security Number (SSN) that applies to Federal, State, and local governments). Aside from Section 7, the Privacy Act does not cover State and local governments, though individual States may have their own laws regarding record keeping on individuals. In August 2007, The Department of Homeland Security published in the Federal Register its ``Privacy Act of 1974; Implementation of Exemptions; Security Flight Records''.\12\ The Federal Register notice states that the agency is claiming the exemption agency conduct under the Privacy Act, which include the statue's core privacy protections. DHS is exempting itself from Privacy Act requirements that its records on individuals are accurate; that the data collect is limited to only information that is relevant, and that U.S. citizens be afforded due process rights to appeal agency decisions. --------------------------------------------------------------------------- \12\ Federal Register, Department of Homeland Security, TSA 49 CFR Part 1507, Privacy Act of 1974: Implementation of Exemptions; Secure Flight Records, pg. 48397-48400, August 23, 2007, available at http:// edocket.access.gpo.gov/2007/E7-15963.htm. --------------------------------------------------------------------------- The agency message on privacy for those visiting the TRIP web site is published on a page titled ``DHS TRIP and Your Privacy.'' The information provided does not disclose that the agency is claiming a wide range of exemptions from the Privacy Act. It states:\13\ --------------------------------------------------------------------------- \13\ Department of Homeland Security, How to Use DHS TRIP, Section: DHS TRIP and Your Privacy, available at http://www.dhs.gov/xtrvlsec/ programs/gc_1169826536380.shtm. The Department of Homeland Security safeguards the privacy of any personal information that you provide in your inquiry to DHS TRIP. This information will be protected and will only be shared in accordance with the provisions of the Privacy Act of 1974 (5 U.S.C. 552a) and as --------------------------------------------------------------------------- provided in the Privacy Impact Assessment published for DHS TRIP. There is a fundamental failure to adhere to the Privacy Act in the current system used by the DHS's online Traveler Redress Inquiry Program (TRIP). TRIP is a one-stop voluntary program to provide a means for individuals to request redress who believe they have been: (1) Denied or delayed boarding transportation due to DHS screening programs; (2) denied or delayed entry into or departure from the United States at a port of entry; or, (3) identified for additional (secondary) screening at our Nation's transportation facilities, including airports and seaports.\14\ --------------------------------------------------------------------------- \14\ Transportation Security Administration, Department of Homeland Security, DHS Traveler Redress Inquiry Program (DHS TRIP), Contact: James Kennedy, January 18, 2007. --------------------------------------------------------------------------- First, the Privacy Act requires that data collection be limited to only what is ``relevant and necessary.'' However, the TRIP program does not perform a critical process to determine if the collection of information is necessary.\15\ Second, the data collected should be specific to the kind of problem the traveler may have experienced. Third, the information collected must only be used to resolve the problem. Once the travel issue is identified, and if necessary investigated data not needed should be discarded from the system. TRIP does not distinguish between frequent travelers and infrequent travelers. All air travel experiences are not equal--some like Members of Congress may travel on average 30-40 weeks out of the year. Very infrequent air travelers may travel once over several years. --------------------------------------------------------------------------- \15\ Lillie Coney, This Testimony, Attachment A, House Committee on Homeland Security, Subcommittee on Transportation, Security, and Infrastructure Protection, September 9, 2008, also see: http:// www.dhs.gov/xtrvlsec/programs/gc_1169673653081.shtm. --------------------------------------------------------------------------- Prior to collecting personally identifiable information from travelers DHS's TRIP process should first separate the subjective from objective travel experience of the respondent. Second, there are several points in airport traveler processing that passengers may experience problems: the ticket counter or ticket kiosk, the security screening to enter gate areas, and the boarding process to enter a airplane. A series of questions could help navigate inquiries to relevant information such as why repeated request to re-enter a magnetometer might happen, why fluid containers above a certain size will prompt secondary screening, why laptops left in carry-on luggage will promote a secondary screening process. There is no link on the DHS homepage to the One-Stop Travelers' Redress web page. Further the on-line process does include an automated routing method to guide the respondent through the process. The program page has three options ``Should I Use DHS TRIP,'' ``How to use DHS TRIP'' and ``After your inquiry.''\16\ The actual on-line application starts with a series of questions that include ``Do you feel you were discriminated against; Do you believe that the U.S. Government's record of your personal information is inaccurate; You were unfairly detained; You could not print a boarding pass; You were delayed or detained; You were told: your fingerprints were incorrect, your photo did not match, your information was incomplete or inaccurate, you are on a No-Fly list; You want to amend a travel record or Ensure your biometric record created by US-VISIT is removed.''\17\ --------------------------------------------------------------------------- \16\ Department of Homeland Security, One-Stop Travelers' Redress, available at http://www.dhs.gov/xtrvlsec/programs/ gc_1169673653081.shtm. \17\ Department of Homeland Security, Traveler Inquiry Form, available at http://www.dhs.gov/xlibrary/assets/ DHSTRIP_Traveler_Inquiry_Form.pdf. --------------------------------------------------------------------------- The series of questions conflates the US-VISIT process with the typical U.S. citizen's experience with domestic air travel. The United States Visitor and Immigrant Status Indicator Technology (US-VISIT) is an integrated Government-wide program intended to improve the Nation's capability to collect information about foreign nationals who travel to the United States, as well as control the pre-entry, entry, status, and exit of these travelers. The US-VISIT system of data collection does not include U.S. citizens. If DHS has access to biometric data on U.S. citizens, or dossiers then that should be disclosed to Congress and to the traveling public. In any case it is important that to convey incorrect information to travelers by conflating the two programs and to appropriately eliminate respondents from the data collection process based on objective negative travel experiences. [Footnote exhibit] dhs must increase watchlist transparency One of the principle protections offered by the Privacy Act and fair information practices is transparency. Transparency is a key component of a functioning healthy democracy. It can be translated into public policy decisions that allow citizens, policymakers, and the media to assure themselves that a local, State or Federal Government agency is functioning as intended.\18\ --------------------------------------------------------------------------- \18\ EPIC, Litigation Under the Federal Open Government Laws (FOIA) 2006, web page, available at http://www.epic.org/bookstore/foia2006/. --------------------------------------------------------------------------- Efforts to provide due process by DHS must remove ambiguity that may currently exist in the minds of agency administrators regarding their obligations to make public information related to watchlists and prohibitions on travel. EPIC filed a court challenge to an attempt by the Transportation Security Administration to withhold a Privacy Impact Assessment from the public, which was in violation of Federal law.\19\ EPIC requested the Privacy Impact Assessments from the TSA under the Freedom of Information Act, and received heavily redacted documents from the agency in its reply.\20\ EPIC sued the agency for full disclosure of the documents as required by the E-Government Act. The TSA argued that the Federal Privacy Act and the E-Government Act, which requires publication of Privacy Impact Assessments, were segregated. --------------------------------------------------------------------------- \19\ EPIC v. US Transportation Security Administration, Civil Action No. 03-1846 (CKK), available at http://www.epic.org/privacy/ airtravel/pia_order.pdf, August 2, 2004. \20\ EPIC, Alert e-Newsletter, Volume 11.18, available at http:// legalminds.lp.findlaw.com/list/epic-news/msg00164.html, September 24, 2004. --------------------------------------------------------------------------- watchlist errors The watchlists are comprised of entries derived from multiple sources.\21\ However, as the process of compiling the lists is unknown, methods of quality control at this stage are unclear and unknown. Senators Ted Kennedy and Don Young, for instance, have both been improperly placed on the lists in error. Catherine Stevens, wife of Alaska Sen. Ted Stevens have also faced difficulties. --------------------------------------------------------------------------- \21\ ``Follow-up Audit of the Terrorist Screening Center'' Audit Report 07-41, Sept. 2007, U.S. Dept. of Justice, Office of the Inspector General, Audit Division available at http://www.usdoj.gov/ oig/reports/FBI/a0741/final.pdf. --------------------------------------------------------------------------- The Inspector General of the U.S. Dept. of Justice found that the Terrorist Screening Center (``TSC'') is relying on two interconnected versions of the watchlist database. As a result, not only were names missing from the frontline personnels' computers, but also the numbers of duplicate records have significantly increased since the last review.\22\ Further, the TSC had not taken adequate steps to ensure that the content of the two databases was identical. In brief, the Inspector General found that the methodology adopted by the FBI to nominate new names was flawed.\23\ The Inspector General concluded that this procedure resulted in the TSC being ``unable to ensure that consistent, accurate, and complete terrorist information is disseminated to frontline screening agents in a timely manner. Moreover, the TSC determined that the Terrorist Screening Database contained over 2,000 watchlist records that did not belong in the database''\24\ in the first place and included some records that were inappropriately maintained without any watchlist designation.\25\ The Inspector General's report details deterioration in the quality of the database arising from and perpetuated by the fact that the database grew from 150,000 in April 2004 to 724,442 in April 2007. With such a high rate of increase, and poor algorithms, the record-by-record review could not be completed within the time frame.\26\ --------------------------------------------------------------------------- \22\ Id. \23\ Id at page 12. \24\ Id. \25\ Id. at page 13. \26\ Id. at page 41. --------------------------------------------------------------------------- Even with such official reports, the database continues to be plagued with problems. The United States Government Accountability Office also concluded that ``lacking clearly articulable principles, milestones, and outcome measures, the federal government is not easily able to provide accountability and have a basis for monitoring to ensure (1) the intended goals for, and expected results of, terrorist screening are being achieved and (2) use of the list is consistent with privacy and civil liberties.''\27\ In recent glaring examples, a lawyer, an airline captain and a child were found to be on the terror watchlist.\28\ In another case, an investigative reporter for CNN found his name on the TSA watchlist after he completed his investigation of the TSA.\29\ --------------------------------------------------------------------------- \27\ United States Government Accountability Office, ``TERRORIST WATCHLIST SCREENING: Opportunities Exist to Enhance Management Oversight, Reduce Vulnerabilities in Agency Screening Processes, and Expand Use of the List'', Oct. 2007, available http://www.gao.gov/ new.items/d08110.pdf. \28\ See supra note 5. \29\ ``Formal calls for probe into reporter's name on no-fly list'', CNN, July 17, 2008 available at http://www.cnn.com/2008/US/07/ 17/watchlist.chertoff/index.html. --------------------------------------------------------------------------- There must be a clear statutory definition of the words ``terrorism,'' and ``terrorist,'' as well as the phrase ``terrorist organization.''\30\ Without clear definitions, these designations could be misused, such as in the past when the word ``subversive'' was used to justify actions taken against some civil rights activists, civil liberty groups and others who were engaged in lawful pursuits. Currently, each agency uses its own definitions for these terms, which means a moving bar exists for inclusion of names on watchlists. --------------------------------------------------------------------------- \30\ GAO, Terrorist Watchlist Screening, GAO-08110, October 2007. --------------------------------------------------------------------------- It is therefore respectfully urged that methods of nomination of names into the database be scrutinized, people be given further information about the processes involved instead of filling out lengthy questionnaires providing personal information, and additional steps be taken to ensure the information in the database is accurate, timely and amenable to correction. recommendations DHS should employ the expertise of a human factors expert to revamp the TRIP query process to help eliminate the data collection process to only those affected by watchlist issues. The agency should be prohibited from exempting itself from Privacy Act enforcement obligations. The process for citizens and non-citizens should be clear and governed by a series of questions. The information presented should make it clear if it is intended for a citizen or non-citizen. The information collected should only apply to that category. Respondents should be told their rights and protections afforded to them. Over-collection of data should be prohibited. Agency personnel, airlines, and contractors should be held accountable by Privacy Act civil and criminal penalties or held to contract obligations with the equivalent effect. conclusion It is necessary to first analyze at what points travelers are stopped by the watchlist. The first point of interaction is at the check-in or obtaining of a boarding pass. If the passenger is on the so-called ``Selectee'' list, she will be subjected to additional screening. However, the collection of a ticket or boarding pass may be disassociated with the actual screening process. The next point where her identification is checked is at the entry to the security screening area. Boarding passes are taken or checked at the gate prior to boarding. When a traveler experiences difficulty in the airport screening, baggage check-in, security screening, or during the flight boarding process, it is important to differentiate between something they are asked to do that is different from other passengers. Further, it is vital that all other possible explanations for the different treatment be eliminated before asking the respondent for personally identifiable information. It is our hope that the work set forth by this committee will lead to a more just, fair, privacy centric, and transparent watchlist program. Thank you. Ms. Jackson Lee. Let me thank our witnesses for framing this question for the second panel. I will yield myself 5 minutes to begin the questioning. I want to thank Congresswoman Eleanor Holmes Norton for her contribution to this important discussion. It is not difficult to in this instance give the challenges and not providing the solution. I am very glad that Ms. Robinson made it very clear that she has flown across the country, wanting to reaffirm her commitment to the security of this Nation. I am glad to hear that from just as she said, as we have described her, a public citizen, a citizen of America, and that she agrees with the concept, if you will, of a watchlist that works. I thank Ms. Clarke for her service. But at the same time she asks the question: Why we can't get it right? So I am going to allow you, and I would like you to really espouse and feel free to recall some pointed incidences that in your testimony you were not able to detail. Do it in the framework that we have highlighted, that we are talking about misidentity. So we have a watchlist, and I, certainly in a secured briefing, will ask the hard questions and making sure that is a scrubbed watchlist, meaning that it is accurate from that perspective. But we have had the media bring to our attention three James Robinsons with impeccable credentials, to our knowledge, from the United States military, Department of Justice, and I can't imagine that that does not fit James Robinson, who is 8 years old. So what happens is that we have misidentification. I am glad that we have not had someone indicate he is on the watchlist, but you have also had them indicate silence or inability to explain your situation. Would you share with us, maybe in a little bit more detail, the breadth and depth of embarrassment or confusion or delay that comes about that really needs to push this committee and our good friends in the airline industry to work together to find a solution? We could be here 5 years from now, speaking about the same issue. Why? Because 9/11 will keep us in this mode. We are in a new sphere, a new era of American history and culture. That is all right. We are Americans. We know how to deal with it. But the question is, tell us what is really confronting Americans who confront this on a regular basis. Ms. Robinson. Thank you. I would be happy to. So again, our experiences when we go to the airport, you know we are faced with having to go to the ticket counter, stand in the lines. At the ticket counter, we are there for a long period of time. They are searching. You know we all have to show identification. I don't always have identification for the children. I don't typically travel with their birth certificates. Sometimes the children are questioned about what their name is, who they are, et cetera. You know that is embarrassing for them, because that is not typical. It is also you know they will ask them how old they are, what their birthrate is, et cetera. It just puts them on the spot in a situation where, when they are so young, they don't need to be put in a spotlight like that. Then you know this process at the ticker counter can take 30 minutes, 45 minutes, et cetera. Even if we arrive at the airport early, which we do, because travel with this situation is always uncertain you know. Given the length of security lines, et cetera, and not knowing which airline is going to respond in what way. It is just very stressful to travel. It is very stressful, whether we are actually going to make the flight or not. I just think that these situations are unnecessary. As I have said before, I have used variations of his name in order to try to circumvent it so that it is not so stressful to travel. We have, you know, hesitated taking trips because of this, which I think is sort of a sad commentary on the security of our Nation that you know, because in that way we are altering our lifestyle, which is exactly what the terrorists want us to do. So you know it is these sorts of experiences that we encounter when we travel that I think are unnecessary. Ms. Jackson Lee. While we are going to other questions, I am going to ask you to consult with James if he can in his own words tell us--does he know why he is here? If he in his own words can share any thoughts--in his own words meaning through you--so that we have a reflection of him, because he has been, as I said, I know this is going to late hours, but we want to make sure that we can hear from him, if you can explain to him, and I know that you can, as we go on to the other witnesses. So thank you for your testimony. Mr. Meenan, let me ask you a question. What are some of the impacts of air carriers using different watchlist matching systems to pre-screen passengers? Mr. Meenan. It has led to a lot of inconsistency in the system. Just within the last few months, however, a lot of changes have been made. We have now gotten much more detailed guidance from the TSA as to how these systems are to work, how the name matching is to occur. That didn't take place until very recently. We also now have a script that the Government has provided for us by customer service representatives that I think will give the public a better message and a better understanding of how to resolve these things. From our perspective the cleared list has not been particularly helpful. It was really developed by the Government without consultation with the industry. While we have tried to--various carriers have tried to use it in different ways. It doesn't fit well with the screening systems that we have in place. Ms. Jackson Lee. Mr. Meenan, if I might, it is shocking to me to know that some airlines use it and some airlines don't. That is a very poor response. I don't know if you have made that known to the Government, but certainly the Congress is now aware of this sort of haphazard inconsistency that impacts the traveling public negatively. Mr. Meenan. The watchlist is used consistently and with increasing consistency across the industry. As you will recall, I noted at the beginning we were told simply use your best judgment as to how to develop these systems. Each carrier did things differently. The watchlist, or the cleared list, rather, was just announced last April without any pre-consultation with the industry. Many carriers are using it, but in some cases it doesn't fit well. It is better for the customer to continue to use the screening systems that we have got in place while the carriers try to figure out ways to better use the cleared list. The fact is that Secure Flight will resolve all of these issues, once it is up and running. That is where we believe the greatest emphasis needs to be put. We need to get the Secure Flight program. Remember, for 7 years we have been engaged in efforts with the Government to try to do what they want done to clear these passenger lists effectively. I think we are pretty good at that. Unfortunately, it has inconvenienced a lot of people. On the plus side, obviously, we are very good at catching the people that we don't want on these airplanes or who are required to receive special clearance. But the fact is we do want to eliminate this problem as well. The best way that we have identified to accomplish that, and I am not quite sure why it hasn't worked in the case we have heard about today, is for people to enroll in frequent flyer programs, because then the carriers have additional data elements that they collect on their own, which they can use to help clear individuals for whom there are questions as to whether or not--the problem right now is that if you have got a name identified and an age, you need to resolve that in some way. So you may actually have to physically look at this individual and try to determine how old they really are, other characteristics, and so forth. We don't want to be doing that anymore. Secure Flight will take care of that once and for all. That is where we believe the Government needs to put the strongest emphasis. Ms. Jackson Lee. Well, I think we have already conceded the fact that we are all accepting of inconvenience. I think what Ms. Robinson's testimony has indicated is that it is more than inconvenience. It is long stays at the counter, where the person cannot distinguish from the information that the airline has between an 8-year-old and someone who happens to have the same name. That I think is egregious. That is not precise information that would give them the judgment and the comfort to be able to note that this is the wrong person. I think the very use of an 8-year-old for this hearing is that we wanted to show there are some things that can be done more quickly than what I imagine the Robinsons are facing. So I ask you what kind of financial commitment under Secure Flight are the airlines collectively prepared to make? Mr. Meenan. Well, the airlines have already expended many, many millions of dollars in developing the systems that are in place today. Secure Flight is actually a process through which the Government will take over the screening system completely. We will be providing them information. There will be costs associated with that. I don't at this point know what those will be, because we haven't seen the rule that Mr. Hawley had mentioned earlier this afternoon. So we will have to determine what those costs will be as the rule unfolds, and as we determine how we are going to comply with it. But our commitment is, as it has been since 9/11, we want to do whatever the Government believes is necessary to resolve security concerns in a way that also protects the privacy of our customers. We have been trying to do that since day one. We will continue to do that, and we look forward to your leadership to get Secure Flight out there, because we do think that that offers the best solution for everybody concerned. Ms. Jackson Lee. Are you prepared to go the extra financial mile to ensure that this is a working process? Because you are right--it will require, at least on the side of the airlines, some technical revamp and training on how to utilize the system. Are the airlines--can you represent the association that represents them, that this is going to be a serious effort on their part, which includes the issues concerning privacy? Mr. Meenan. It is already a serious effort on our part. We are expending many millions of dollars today. Obviously, I can't tell you that we are going to commit to any amount of money that the Government believes is necessary. We are dealing with a number of programs right now, for example, where the Government has proposed adding an additional billion dollars a year to the cost of the airline industry, which we think in a related security area, which we think is misguided. We are seeking better ways of doing that. I don't anticipate we will be doing that kind of thing with Secure Flight, but we certainly are looking forward to seeing the rule and making it work as effectively as we possibly can. Ms. Jackson Lee. Let me ask Ms. Coney. We appreciate your comments, and I think a lot of your statement was shocking. We hope to engage with your organization as we craft the legislation dealing with Secure Flight. Let me ask you with regard to this program of Secure Flight, what are your privacy-related concerns? Ms. Coney. Well, EPIC's privacy concerns begins with the August 23, 2007, Federal Register Notice of Proposed Rule published by the Transportation Security Administration titled ``Privacy Act 1974 Implementation of Exemption Secure Flight Record.'' In this exemption they point out that they want to exempt 5 U.S. Code 552(a)(c)(3)(m)(4)(d)(1)(2)-(d)(1) and Section 2, Section 3, Section 4, Section (e)(1), Section 2, Section 3, Section (4)(g) through (i), Section 5 and Section 8 and Section (f) and (g). We went through the code, and I just want to show you how much of the code they are exempting themselves from the Privacy Act, based on what they are requesting in this proposed rule change. Privacy sounds good when you use the word, but there are statutory protections in Federal law that in fact establish privacy. These protections take into consideration after criminal investigations, those who may be suspected of having ill intent toward the U.S. Government or its persons or its interests. They are regularly used exemptions for those types of issues. The fact that this agency wants to take away the transparency obligation--in fact telling you that you are in fact on a watchlist, and not in a public setting--that is inappropriate, but in some kind of communication that yes, your name matches someone, and this is what the issues are. Allowing you to have due process through the redress program, which is called a TRIP program, and allowing you to have some kind of way to do an effective due process so that you have a right, you have ability to have an advocate work on your behalf, and not get a letter in the mail and say, ``Sorry, unless you have the money to go take us to court, we won't allow that.'' Even in the problem of the exemptions, they take away your right to sue--the civil protections that are part of the Privacy Act, should a Government agency or an employee of the Government agency abuse access to your records, your personal information. So there are a number of problems with what the agency is doing, and its self-definition of itself, affirmation of its meeting the requirements of privacy, it just doesn't satisfy us. When we look at what the agency is actually doing, they are in effect doing something that undermines your right to privacy. There are a couple of things I would like to get to, and if you have the time, I would like to point out on the TRIP application itself, there is a question about whether you are a registered voter and asking you for your voter ID number and the location where you registered to vote. I mean that question alone raises alarm bells in our minds about what in fact is going on with the redress program, not just the watchlist program. It is a black box. It is a process that cannot be satisfied, but the agency's saying they are meeting the privacy requirements. Thank you. Ms. Jackson Lee. I yield myself an additional 5 minutes on the second round, and we will conclude on that. Let me go right to you to just quickly as to what degree has DHS reached out stakeholders such as EPIC to ensure that its policies with respect to redress and Secure Flight account for privacy rights and related concerns? I just need a--and have you--have they reached out to you? Ms. Coney. Congresswoman, they have reached out to EPIC. EPIC coordinates a program, a project called the Privacy Coalition. We hold regularly scheduled meetings. They have come to our meetings. The things I am saying to you on the record here are things they have heard in these meetings. So meeting with us--yes, they are willing to do that. But are they listening? That is yet a question we haven't seen evidence of. Ms. Jackson Lee. So the reach out including the stakeholders is not translated into response. Let me just be clear on the record that I think it is important that your testimony be taken in the right context, which is that I understand that you have said that you are fully conversant and fully appreciate that there are limitations with respect to what the DHS can adhere to. But those exemptions of individuals who are to do us harm or criminal aspects are exempted already. It is not as if we want to give blanket protection. But you are saying they have gone beyond that---- Ms. Coney. Exactly. Ms. Jackson Lee [continuing]. And denying citizens their right to information, which speaks to Ms. Robinson's point about young James growing to a teenager, to a college student who will seek to travel internationally. Ms. Coney, what problems do you think Mr. Robinson might face as he grows up? Ms. Coney. The same problems he is experiencing right now. There are very fundamental rules for what is going to work, an identification system that is completely remote and it is computer-based. Name-recognition-only identifications fail. We see this in a lot of different cities, not just national security-related cities. For example, sell them voter-roll purge lists that only use the name of the person who is listed on the roll to purge voter rolls. You have one person that you are talking about, but you may have 2,000 individuals within a State that share the same name. They all get purged. We see that, and it is more prominent when there are-- because there are thousands of people who are showing up on Election Day to vote. You are going to see the problem. In James' situation, it is him and his family that see the problem. There is a lack of transparency, because they are not going to seize your letter to tell you you are on this list. We know you are not the right person from the exchange that we have had from the person who screened you, but we want to make you aware of what the situation is. The lack of transparency is pernicious, because it perpetuates the errors within the process that they have established. Ms. Jackson Lee. I can't imagine, but we have certainly had the first panel. They are not here to answer the question, Mr. Meenan. But I can't imagine that transparency would be a problem in the Secure Flight program. Do you think that would be a problem for the airlines? Mr. Meenan. It is our understanding that the Secure Flight program will basically resolve the kinds of problems that the Robinsons have experienced, because it will enable TSA to know with a much greater degree of certainty. Then they are able to let us know who this particular individual is, not just what this name is, so that they will be able to pre-resolve and determine that in fact it is this James Robinson, not the James Robinson whose name is on the watchlist. That is why Secure Flight is so important, because it will clear up these problems, rather than compound them. Ms. Jackson Lee. Well, I think we should also have some transparency that can impact or have access, or be accessed by the traveling public as well. I think Ms. Coney's point is is that the guard, the breadth of elimination of privacy rights, seem to be unacceptable, and I agree with her. Mr. Meenan. And I---- Ms. Jackson Lee. A transparent system in Secure Flight should not be something that we should object to. Mr. Meenan. I fully expect that TSA anticipates that same type of approach to the Secure Flight program. I am not an expert on what they have got in mind, but I would be very surprised if they weren't seeking transparency. Ms. Jackson Lee. Let me ask you this. Although the first panel indicated that these mistakes are made, and it is not often made, I do know that there have been constituents who have come up, who have checked in at the counter, often told by airline representatives that it is because they are on a watchlist, when in fact this may or may not be the case. Do you know if TSA is working with you all to take any steps to address this misinformation? What do you do with worldwide employees, as many of you have in the industry? I do recognize that the airlines have been a good partner in this whole question of security. But what is going on with respect to those confronted with the question or the issue you are on a watchlist, which, of course, are two separate entities--the watchlist and misidentification? Mr. Meenan. There are a number of different pieces of confusion here. But I think, as Assistant Secretary Hawley said earlier, we are working to try to eliminate that problem among a fairly widely dispersed population of employees. I think part of the source of that problem was the absence of a script for the first 7 years we were engaged in this process. It really left it up to the carriers, and often to individual employees, to try to come up with, you know: What do I say to this person while they are standing in front of them? Unfortunately, some people, without the direction of their employer, migrated to the idea that well, you must be on the watchlist, because they saw that on television or they heard that from a colleague. Ms. Jackson Lee. Meaning an airline employee? Mr. Meenan. An airline employee. We have no doubt that has been said to passengers. Ms. Jackson Lee. How is TSA is working with you to avoid that? Mr. Meenan. TSA and the carriers have both made it clear to our employees that that is not the case. We now, as of August of this year, have a very detailed script that says if you have a selectee, you can say A, B or C. If you have someone who is on the No-Fly List, you can say C, D or E. So that is now working its way into the system, and we are confident that over time it will replace what is probably a bad habit in some employees of saying, ``Well, you must be on the watchlist if you are being delayed.'' We are working to eliminate that problem, and TSA has been an effective partner in encouraging that. Ms. Jackson Lee. Well, Mr. Meenan, I want you to work extra hard. Our committee will be working with you. We would like to have, if we could, in writing possibly, the various procedures that the airline industry has put in place, generally speaking, that we would like to have submitted into the record to this committee that has pointed to those discrepancies that we have seen. I thank you for that. I would also be interested in any estimates that you can make as we move forward into the Secure Flight program, generally speaking, so that we can begin to see the commitment of the airlines. I would also like to have in writing--I think I asked you on the record; I am going to do yes or no for you--the willingness of the airlines to commit, recognizing the industry sort of constraints. I understand the finances. But am I to understand that Air Transport Association within the airlines is committed to working as hard as they can with the TSA and DHS, Department of Homeland Security to make this work, and work right? Mr. Meenan. No question about it. Ms. Jackson Lee. Let me thank you, Ms. Robinson. We have heard intertwining words--No-Fly, the Secure or Selectee, and the watchlist, all having to do with the security of this Nation. Yet if, as one of our Members said, the most sophisticated nation in the world with technology, appreciation for our Constitution, can't get it right, who can? Your presence here today has really offered to us a roadmap. One of the extreme cases, because I imagine as individuals are listening, there may be parents of other youngsters. In 2001, and correct me if I am wrong, and I did not get James' actual birthdate, but he was certainly a toddler, an infant, being 8 now, and therefore was certainly having no ability, I imagine, to be that creative to be involved in any untoward activity. He is now full steam ahead, growing to be a young man, and a very important young man to us, because he symbolizes the complexity and the foolishness of this process. I indicated to you, and I thought you were being polite. You didn't want to talk to James as others were talking. Let me allow you just to talk to him for a moment about his feeling of being here. Mommy knows how to ask a question, because I see the coming to the end--that might excite him--of this hearing in process. But I am going to let you just bend down and ask him. Then you can share with us his thoughts, because you only asked him one question, and we will yield just for a moment so that you can get some words out of him. Tell him he will be heard on this record. Ms. Robinson. So James says that he is nervous about being here, because again it is putting him in the spotlight, which is a bit uncomfortable. But he is also excited about being here, because he does feel, and he and I have discussed this, but he does feel that it is sort of the opportunity to get him off. Because we have tried all the other things, and it hasn't worked. So he is excited about the prospect that he will get off. Ms. Jackson Lee. Well, maybe the bug has touched him about solving problems at the Federal Government level. I know that the James Robinson name sounds like a good Presidential name for some decades to come. So I want to make a commitment that this committee, as Assistant Secretary Hawley indicated, would work with us on a quick fix through legislation. We will use the testimony, Ms. Robinson, that you have given us, and the words that James has given to you, as an instructive roadmap to move quickly. I think a legislative fix may be important, as long as it does not cause delay, because Ms. Coney's comment of privacy are shocking to me, shocking to Members of the committee, I know, that will read her statement. We want to be assured that a rulemaking doesn't diminish any more of the privacy rights and the transparency than is necessary that can parallel and complement the necessity of a watchlist, along with the importance of protecting the Constitution. Mr. Meenan, we have always been friends of the airline industry. We helped them in 2001 in the serious and tragic incident of 9/11, in, as you well know, a major bailout. So we want to count ourselves as friends to the airline industry. But we also have to count them as friends to fix this problem. The hearing was entitled, ``Clean Up the Watchlist.'' I think the witnesses collectively, the first panel and the second panel, have given us our marching orders, but they have also given us a framework for saying we cannot continue this on our watch. So we will look to all of the witnesses that have participated to give us the, if you will, the details that will generate into a solution and a respect of a watchlist that is respectable. That will include the problem Homeland Security and the Federal Bureau of Investigation, Secretary Chertoff in these waning months and Director Mueller to help us fix this problem. So let me again thank the witnesses for their valuable testimony and the Members for their questions. The Members of the subcommittee may have additional questions for the witnesses, and we ask that you respond to them expeditiously in writing. Hearing no further business, the subcommittee thanks all of you again, and the committee is adjourned. [Whereupon, at 5:13 p.m., the subcommittee was adjourned.]