TSA Is Enhancing Its Oversight of Air Carrier Efforts to Identify Passengers on the No Fly and Selectee Lists, but Expects Ultimate Solution to Be Implementation of Secure Flight
GAO-08-992, Sep 9, 2008
Air carriers remain a front-line defense against acts of terrorism that target the nation's civil aviation system. A key responsibility of air carriers is to check passengers' names against terrorist watch-list records to identify persons who should be prevented from boarding (the No Fly List) or who should undergo additional security scrutiny (the Selectee List). Eventually, the Transportation Security Administration (TSA) is to assume this responsibility through its Secure Flight program. However, due to program delays, air carriers retain this role. You asked GAO to review domestic air carriers' watch-list-matching processes. GAO examined (1) the watch-list-matching requirements air carriers must follow that have been established by TSA, and (2) the extent to which TSA has assessed air carriers' compliance with these requirements. GAO reviewed TSA's security directives, internal guidance used by TSA's inspectors to assess air carriers' compliance with requirements, and inspection results, as well as interviewed staff from 14 of 95 domestic air carriers (selected to reflect a range in operational sizes). This report is the public version of a restricted report (GAO-08-453SU) issued in July 2008.
TSA's requirements for domestic air carriers to conduct watch-list matching include a requirement to identify passengers whose names are either identical or similar to those on the No Fly and Selectee lists. Similar-name matching is important because individuals on the watch list may try to avoid detection by making travel reservations using name variations. According to TSA's Office of Intelligence, there have been incidents of air carriers failing to identify potential matches by not successfully conducting similar-name matching. However, until revisions were initiated in April 2008, TSA's security directives did not specify what types of similar-name variations were to be considered by air carriers. Thus, in interviews with 14 air carriers, GAO found inconsistent approaches to conducting similar-name matching. Due to such inconsistency, a passenger could be identified as a match by one air carrier and not by another. In addition, not every air carrier reported conducting similar-name comparisons. Further, in January 2008, TSA conducted an evaluation of air carriers and found deficiencies in their capability to conduct similar-name matching. Shortly thereafter, in April 2008, TSA revised the No Fly List security directive to specify a baseline capability for conducting watch-list matching, and TSA reported that it planned to similarly revise the Selectee List security directive. Because the baseline capability requires that air carriers compare only the types of name variations specified in the directive, TSA recognizes that the new baseline capability will not address all vulnerabilities. However, TSA emphasized that establishing the baseline capability should improve air carriers' performance of watch-list matching and, in TSA's view, is the best interim solution pending the implementation of Secure Flight.
TSA has undertaken various efforts to assess domestic air carriers' compliance with watch-list-matching requirements; however, until 2008, TSA had conducted limited testing of air carriers' similar-name-matching capability. In 2005, for instance, TSA conducted an evaluation to determine whether air carriers had the capability to identify names that were identical--but not similar--to those on the No Fly List. Also, regarding regularly conducted inspections, TSA's guidance did not specifically direct inspectors to test air carriers' similar-name-matching capability, nor did the guidance specify the number or types of name variations to be assessed. Records in TSA's database for regular inspections conducted during 2007 made reference to name-match testing in 61 of the 1,145 watch-list-related inspections that GAO reviewed. Without criteria or standards for air carriers to follow in comparing name variations, TSA did not have a uniform basis for assessing compliance and addressing deficiencies. However, during the course of GAO's review and prompted by findings of the evaluation conducted in January 2008, TSA reported that its guidance for inspectors would be revised to help ensure air carriers' compliance with security directives. Although TSA has plans to strengthen its oversight of air carriers' compliance with the revised security directives, it is too early to assess the extent of such oversight because TSA's efforts are still ongoing.