The Federal Aviation Administration is doing a poor job of tracking pilots and the aircraft they fly, creating serious gaps in a system that was supposed to improve aviation security following the terrorist attacks of Sept. 11, 2001, an internal investigation has found.
The Civil Aviation Registry is designed to keep track of 350,000 private and commercial aircraft as well as maintain records on pilots’ licenses, but the Transportation Department inspector general found the database is full of holes.
“FAA’s Civil Aviation Registry lacks accurate and complete information needed for aviation safety and security measures,” the inspector general said. “The Registry lacks information on registered aircraft, owners – including non-U.S. citizens – and their compliance with FAA regulations.”
Investigators found the FAA lacks complete information on many pilot records and certifications, as well as having incomplete registrations for 54 percent of all aircraft owned – at least in part – by non-U.S. citizens, about 5,600 aircraft.
It leaves a serious gap in FAA’s ability to keep the skies safe, investigators said, more than a decade after the 9/11 hijackers were able to receive pilots training in the U.S.
“The Department of Homeland Security’s Inspector General has reported that because FAA does not require unique identifiers—such as photographs or social security numbers—on pilots’ certifications, [the Transportation Security Administration, or TSA,] may not be able to identify pilots who provide false personal information on their certification applications thereby making it easier for individuals using false identities to receive certifications,” the report said.
And the FAA has allowed thousands to receive pilot’s licenses using the addresses of their flight schools or places of work instead of their homes.
“Over 43,000 airmen have received certifications even though they have not provided FAA with accurate permanent personal addresses,” the IG said.
The FAA agreed that improvements to its registry are needed, and said changes are already underway, such as getting addresses for all pilots.
“The FAA continues to update its system to identify addresses that are not acceptable,” a response from the agency said. “The registry utilizes United States Postal Service software to identify and standardize address information in order to ensure the address information provided by an applicant is not a fictitious address.”
FAA officials also said they are looking into the possibility of including biometric identifiers – such as fingerprints – for pilot’s licenses. The inspector general, however, said the actions the FAA was taking weren’t adequate.
“The new policy does not ensure that FAA will have the information it needs for proper safety oversight,” the IG said.
Information recorded in the database includes the make, model and serial number of aircraft, as well as the pilot or owner’s permanent address and title of ownership or bill of sale. An aircraft registration must be renewed every three years to keep the info up-to-date.
Investigators said the FAA relies on aircraft owners to make sure the information is accurate. When registrations are renewed, the agency doesn’t check whether anything has changed and doesn’t check to make sure the info provided is correct, investigators said.
In fact, the IG found 130 aircraft listed in the registry shared identical information with another plane, raising the question of whether the planes were recorded twice.
“While this is a small number of discrepancies, the impact is potentially significant if a serious incident occurs and FAA is unable to identify the aircraft’s owner in a timely manner,” the IG said.
The database, located in Oklahoma City, Okla., does more than fight terrorism. Investigators said it helps insure that people without a pilot’s licenses can’t fly aircraft, and it also provides information for investigations into any aviation accidents.
A number of foreign governments have requested information from the FAA about accidents involving U.S. planes. The agency is required to provide the information under international agreements, but investigators said the FAA is rarely able to comply.
But the database is not only suffering from a lack of information. With the revelations of government surveillance programs still foremost in many citizens’ minds, investigators found that the personal information the FAA did collect wasn’t secure. Much of the information wasn’t encrypted, and the agency didn’t monitor who was accessing the data.
70 percent of the Registry’s computer servers had a “high risk or critical vulnerability” that could be used to access personal information, investigators said.
To cap it all off, investigators said the FAA has no backup and no plan should something go wrong. That means that should the database be wiped somehow, it’s gone – permanently.
“Lack of testing of the Registry’s backup systems at an alternative site creates the risk that FAA will be unable to resume essential operations after a system shut-down,” the IG said.
The IG gave the results of their investigation to the FAA and asked the agency to report how it planned to correct the problems within a month. But investigators noted it took the FAA two-and-a-half months to respond.
The problems, the IG said, must be corrected quickly.
“Until resolved, these weaknesses diminish FAA’s ability to fully carry out its safety mission and provide required services and assistance to the aviation public, airlines, law enforcement, foreign governments and federal agencies responsible for homeland security,” the inspector general said.