Rosen praises CAPPS II
- By Florence Olsen
- Jun 08, 2004
Privacy law expert Jeffrey Rosen today praised the Computer Assisted Passenger Profiling System (CAPPS) II for balancing public safety and personal privacy.
But he worries that the compromise achieved with the Transportation Security Administration's CAPPS II will be difficult to maintain in other information systems that share public- and private-sector data.
Speaking in Washington, D.C., at the Gartner Information Technology Security Summit, Rosen said that CAPPS II corrected two fundamental flaws of the unpopular Total Information Awareness system, a project of Defense Advanced Research Projects Agency.
First, CAPPS II is designed to verify only that people are who they say they are. "It doesn't presume to pick people out of crowds and say whether they look like a [Sept. 11, 2001] terrorist," Rosen said.
Using terms familiar to information security managers, he said the system does authentication but not identification.
Second, CAPPS II operates with limits on how authorities can use its data. TSA officials forward evidence to law enforcement authorities only if the system uncovers outstanding warrants for violent federal crimes, Rosen said.
Operational controls prevent TSA officials from sharing evidence of low-level, nonviolent crimes that CAPPS II might uncover, a feature of the system that he called "an important victory for privacy."
Rosen, a professor of law at the Georgetown University Law Center and author of "The Naked Crowd: Reclaiming Security and Freedom in an Anxious Age," said he doesn't share the views many privacy critics have of the U.S. Patriot Act. But a part of the law known as Section 215 is overbroad and should be amended, he said.
A bipartisan bill pending in Congress would amend the act by requiring government authorities to certify that a person is a suspected terrorist or spy before officials could engage in broad data mining of shared databases. "This was the arrangement that preceded [Sept. 11] under the Foreign Intelligence Surveillance Act," and it should be part of the Patriot Act, Rosen said.
Amending the law to include those added controls over broad data-mining searches would be desirable in principle, he said. And he challenged the software engineers in the audience to contribute their know-how to designing future systems that would provide broad access to data that is searchable but anonymous, unless there is legal cause to reveal personal identities.
"You have a crucial role in designing these laws and technologies," Rosen said.