No-Fly Fail Fault?

Matt Drudge wants us to blame “Big Sis” because “SECURITY LET SUSPECT ON PLANE.”  And the AP has a similar take, leading with, ” The no-fly list failed to keep the Times Square suspect off the plane.”  Is there a fail here?  And if so, whose fault is it?

To catch everyone up, judging from AP reports,  my initial guess was probably right:  The government put Shahzad on its terror watchlists, including the no-fly list, and DHS recognized his name when Emirates airline gave its passenger manifest to DHS.  This of course was just before takeoff, so the plane had already pulled back the jetway when Customs and Border Protection stopped the flight:  “By the time [DHS/CBP] officials spotted Shahzad’s name on the passenger list and recognized him as the bombing suspect they were looking for,” AP says, ” he was in his seat and the plane was preparing to leave the gate.”

I thought that was impressively fast work — roughly 8 hours from identification through designation, population to the computer system, and identification before takeoff.  But not so fast that it can’t be secondguessed, apparently.  The implicit criticism is that the no-fly list didn’t work, that Shahzad should not have been able to buy a ticket at all.

Well, if the system had worked perfectly, that’s true.  Shahzad would have been stopped at the gate.  So why didn’t it work perfectly?  It appears that Emirates was running the no-fly list — that is, the airline itself was checking passenger names against the no-fly list that it got from TSA.  But Emirates apparently didn’t update its version of the no-fly list between the time TSA added Shahzad and the time of its JFK flight.  Maybe it’s not a complete surprise that an airline take eight hours or more to update its list.  But if that was a failure, it seems as though the blame should fall on Emirates, not TSA.

Now, you might ask (unless you’re Ron Paul) why we would choose to rely on under-incentivized and under-financed private companies to run a major national security program?  This looks like a job that government can and does do better than the private sector.  After all, CBP, which is a government agency, managed to update its list in that 8 hours, and then to catch Shahzad with what was probably as little as half an hour of review time.  Why were we relying on dozens of airlines and computer systems to run the no-fly list instead of a single government computer system?

Ah, here it gets interesting.  TSA has been trying to take over administration of the no-fly list since 2003.  It’s in the process of doing that, finally, this year.  Why the delay?

Simple: Privacy campaigners, left and right.  Privacy groups claimed that TSA could not be trusted with data about who was checking in and what their reservations said.  They in turn persuaded Sen. Ron Wyden (D-OR) to put a provision in the DHS appropriations bill that stalled the transfer of responsibility for the no-fly list from airlines to TSA for years.  (I tell the story in Skating on Stilts.)

In fact, it looks as though the transfer still hasn’t happened in the case of Emirates.  So if you want to blame someone for the design of the no-fly system, you might want to point the finger at the privacy lobby and their supporters in Congress and media.  Which, by the way, certainly seem to have included one Matt Drudge (See, for example, this heart-pounding headline from March 18, 2004:  “TSA To Require Airlines To Divulge Passenger Records …” Or this from November 29, 2007:  “TSA wants to require birthdate, gender to purchase airline tickets; background checks… “)

So, Matt Drudge, if you’re looking for someone to blame the “No-Fly Fail” on, well, you just might want to glance in the mirror.