Accountability and oversight on how the lists are constructed and used are lacking, said Dempsey. "Privacy is not only about secrecy. Privacy is about how information is collected and used. The issue of privacy and the watch list is really a due process issue."
The Markle Foundation Task Force report called for clear policies and guidelines for acquiring, using and retaining data. The Office of Management and Budget told a congressional subcommittee that it will withhold funding for CAPPS II until the TSA develops a business case and a risk-based approach rather than just another watch list.
The TSA did not respond to calls for comment, but the agency's Web site characterized CAPPS II as prescreening, not data mining. The site said the system will not collect any more information than air carriers and reservation systems already collect, and the data will be destroyed shortly after the person's travel itinerary is completed. The site also said a redress process will be established for anyone who thinks they've been incorrectly prescreened.
Watch lists should be based on clear evidence that warrants suspicion, Dempsey said. They shouldn't be compiled based on a combination of factors or behaviors that a computer was programmed to locate and link.
An Islamic lawyer from Oregon was suspected of being connected to the recent bombings in Madrid. The FBI initially said his fingerprint was found at the site, but later confirmed the print belonged to someone else, which begs the question, "How did they come up with the identity of a Muslim living in Oregon with a bum fingerprint?"
"It rings hollow the story, 'We just mixed up the fingerprints,'" Tien said. "Clearly there were other factors. That's the danger of data mining. All of this is deciding who is suspicious or justifying the government saying, 'This person is worthy of investigation."'
The FBI said it was dealing with a poor print in the Oregon incident, and insisted no other information led to the suspect being flagged.
The third part of CAPPS II is the predictive or pattern behavior component, which raises major concern for many critics, including Dempsey. "That's the part that I think, at this point, is very speculative, and I think there's growing recognition even within the administration -- and maybe within the Transportation Security Administration -- that it is both controversial and may actually be holding up the more justifiable parts of the program, namely the use of the watch lists."
CAPPS II testing is scheduled for this summer. A fact sheet on the TSA Web site said CAPPS II will be implemented after testing and after congressional requirements are met. Dempsey said the TSA is re-evaluating CAPPS II and that the task force met with TSA officials several times to offer an assessment. "Right now, I think we're in the worst of all worlds: We have a system, CAPPS I, which is both ineffective in a security sense and troublesome in a privacy and due process sense. We just can't leave this behind. Whether its CAPPS II or CAPPS III, we need an effective screening system."
Tough Road for MATRIX
The task force expressed skepticism about MATRIX, which Dempsey characterized as both an information retrieval system and a profiling or predictive system. Again, it is the latter that sparks worry. Of the 13 states that originally signed on to participate in the project, just four -- Florida, Michigan, Pennsylvania and Ohio -- remain.
The American Civil Liberties Union (ACLU) said it won't rest until that number is zero. "We've learned the hard way that you've got to finish taking your penicillin or the hardiest few will survive," said Jay Stanley, communications director for the ACLU's Technology and Liberty program.