Date: Thu, 31 Jul 2003 22:42:44 -0400 (EDT) From: belmonte@MIT.EDU (Matthew Belmonte) To: privacy@dhs.gov Subject: DHS/TSA-2003-1 TSA's request for further comments regarding CAPPS II sidesteps the issue of inaccuracies in the private-sector databases that will be used to authenticate passengers' identities. It is all very well to assert generally that "the CAPPS II system must allow for and compensate for such inaccuracies" in commercial databases (pages 4-5), but the effectiveness of these allowances and compensations will depend on the ability of individuals to examine and to correct potentially inaccurate information. The request for further comments specifies a method by which individuals can examine and correct records maintained by the TSA; however, most of the information used in making CAPPS II's threat assessments will reside not in TSA's records but rather in the commercial databases that TSA consults. TSA should therefore establish a policy that CAPPS II will not make use of any databases that do not allow individuals to view and to correct any and all records pertaining to them. Furthermore, a complete list of the databases used by CAPPS II should be published, and this publication should be regularly updated. The request for further comments admits that "in a small percentage of cases, passengers may be found to present an... 'unknown risk' of terrorism" (page 6). Because authentication will rely on the presence of passengers' identifying information in commercial databases, the people identified as "unknown risks" will likely include those people who particularly value their privacy and have therefore purposefully kept their information out of such databases -- for example, people like me who refuse to hold credit cards. This system of identification risks creating a permanent underclass of travellers who will receive intrusive scrutiny every time they travel, even if they travel very frequently on business. The elimination of the fifty-year period of data retention for United States persons is an improvement. The same courtesy should be extended to international visitors, or at least to visitors from low-risk countries such as those countries that participate in the Visa Waiver Program. I have family in Europe and I don't want them getting stuck in some shadowy database for half a century simply because they came to visit the United States once. Matthew Belmonte [address]