SECURITY OF RECORDED INFORMATION
Security of recorded information is a highly sensitive issue within the global airline pilot community. This paper emphasizes that adequate security of recorded information is imperative if air safety investigators and other industry professionals are to retain access to recorded data, and other industry professionals are to retain access to recorded data.
Although the Air Line Pilots Association is known primarily as a force to improve wages and working conditions for pilots, many familiar with transportation issues are aware of the contributions of ALPA's safety professionals. Our members are vocal with their safety concerns. What our pilots are telling us - and there are about 52,000 of them in the United States and Canada - is that data recordings, and how they are used or abused, continue to be of paramount importance. This paper will discuss issues such as privacy, fairness, trust, legislation, and the need for pilot participation in the analysis of recorded data.
For these purposes, recorded information includes not just Cockpit Voice Recorder (CVR) and Cockpit Video View Recorder (CVVR) information, but also Digital Flight Data Recorder (DFDR) information, air safety reports that are electronically transmitted, as well as various forms of data-linked information, including ACARS. In this paper, the security of such information means protection against unauthorized or inappropriate use.
The Air Line Pilots Association is by no means against the use of recorded data to advance air safety. In fact ALPA has written policies which accommodate, and even encourage, the use of such devices. With regard to cockpit and cabin sound recorders, policy language almost 40 years old states that, "ALPA representatives shall endeavor to obtain the maximum usefulness for such devices, while providing the greatest possible protection against the abuse and misuse of such devices by any government agency, carrier, or any other group". More recently, ALPA has been a proponent of expanding the number of recorded parameters on DFDR devices and has encouraged the adoption of Flight Operations Quality Assurance (FOQA) programs which analyze recorded data in order to advance flight safety.
From an airline pilot's perspective, the cockpit voice recorder issue is probably the most sensitive. It has certainly been the most controversial. When CVRs were first installed, it was with the understanding that pilots would be sacrificing their rights to privacy to help advance air safety by accommodating a tool that was useful in accident investigation. The quid pro quo was that the recorded information be of a specific duration (30 minutes), be erasable by the flight crew on the ground, and be used only for its intended purpose, that is, accident investigation.
Thus there was a balance between a flight crew's individual right to privacy and the collective benefits for aviation safety. Over time certain of these constraints have become blurred, and the balance has tilted. Some of the newer CVRs - quite legal, and certainly more capable Technologically - have no erase feature, and up to 2 hours of voice data is recorded. Abuses of CVR information, including inappropriate release of the recorded information, and inclusion in transcripts of non-pertinent conversation, have been viewed by many airline pilots as violating the original compact.
Many who are not pilots, including numerous air safety experts, consider that pilots are being unreasonably sensitive in their demands that CVR information be provided the maximum protection. But it is imperative that we understand how much of a gut issue this remains. In the United States airline pilots are subject to various kinds of routine checks plus random drug testing, random alcohol testing, random line checks, as well as frequent security screening. Additionally, every word a pilot says in the cockpit is recorded, as are a host of aircraft performance parameters. This remains tolerable as long as there remains a balance between individual privacy and the benefits that accrue to air safety from such monitoring. Failure to treat CVR data as privileged information and afford it the security it deserves will not just alienate thousands of pilots, but will unquestionably harm the efforts of many air safety professionals. The use of CVR tapes in criminal cases is even more inflammatory, and this development is discussed later in the paper.
Many of us in this forum take for granted that recorded information is worthy of some measure of protection. Within the air transport industry the prevailing international view, evidenced by Chapter 5.12 of ICAO Annex 13 (which governs accident investigations in contracting states), is that the public interest in air safety is enhanced by limiting the disclosure and use of official accident records. However, the application of these protections is uneven at best, and the following discussion highlights some of the violations of this concept of privileged and protected information.
The world has changed greatly since recording devices were first placed on aircraft. In this information age, it is tempting to believe that all we need to solve a given problem is more data. Access to information in our society has been broadened considerably, and legislation such as the Freedom of Information Act has created an information entitlement mentality. Although there may be general areas of aviation safety information that are suitable for public consumption, access to detailed data, which would include most recorded information, would almost certainly be counterproductive. But you can bet that many in the media would like to get their hands on such information all the same. The fact remains that the public, and that includes most of the media, has neither the background knowledge, the analytical skills, nor the incentives to help us much with the painstaking, complex, and often frustrating task of furthering aviation safety.
One of the most powerful drivers of aviation safety initiatives in North America is money, specifically the money derived from civil litigation. The vast sums involved in settling aviation disasters place enormous pressure on access to recorded information. Although we have restrictions on how agencies such as the NTSB, TSBC, Transport Canada, and the FAA may use recorded data and other air safety documents, much of this information is discoverable by civil litigants. Plaintiffs' attorneys will naturally seek any and all information that will augment their case. In the aftermath of the Cali accident, plaintiffs' attorneys sought access to the confidential information contained in the ASAP (Airline Safety Action Program) program at American Airlines. In this instance access was denied by the judge, but future cases could be decided differently. Such disclosure could have sounded the death knell of the ASAP program at American and would likely have killed the efforts of other carriers and pilot groups to adopt similar programs.
The family rights (victims' relatives) movement has also gained tremendous strength in recent years, as evidenced by the ValuJet and TWA 800 investigations. This issue appears to be driven by politics as well as compassion, and plaintiffs' attorneys may also be fanning the flames. And always we must contend with the media. Replaying the last words of a crew, along with a video recreation of an accident, makes compelling entertainment and can be deceptively convincing. Over the years ALPA has had to lobby forcefully to prevent indiscriminate use of CVR information by the news media for sensationalist purposes.
Although civil litigation might keep insurance companies and their clients up at night, from the perspective of pilots - other than those called to testify - this is not the biggest threat. Most airline labor agreements indemnify pilots from financial liability. What is far more troubling is the realization that pilots throughout the world may be much more exposed to criminal litigation than we had previously supposed. This threatens to directly impact our access to recorded information.
The case that brought this issue to the fore was a 1995 accident in New Zealand. An aircraft experienced a landing gear problem while conducting a non-precision approach, and the aircraft impacted a hill on the extended runway centerline - a classic CFIT (controlled flight into terrain) accident. A few passengers were killed and the pilots survived. Although the technical aspects of the investigation were relatively straightforward, the legal wrangles have been anything but. The Police demanded access to the CVR - not just a transcript, but the actual tape - in order to discharge their responsibilities. The dictates of ICAO Annex 13 notwithstanding, the Court held that the Police did indeed have the right to obtain the actual CVR tape as part of a criminal inquiry. Incidentally, at the time of this accident, New Zealand, like many other states covered by the Chicago Convention, had no legislation mandating installation of cockpit voice recorders in air transport aircraft.
Many states, such as New Zealand, Canada, and the United States, have legal systems which have evolved from English Common Law, although each country has implemented different legislation to address the intent of the data protection provisions of ICAO Annex 13. For countries in which disclosure safeguards are not explicit or enforced it is reasonable to assume that police could access recorded information in order to criminally prosecute pilots. In fact numerous European, African, and Asian countries have a history of criminally prosecuting pilots, and recorded data has been used to aid the prosecution. The point here is not that airline pilots should be immune from prosecution, but that certain forms of recorded information (especially the CVR) have been used, in our view improperly and unwisely, to aid the prosecution. It is worth reiterating that the only argument ever advanced for the mandatory installation and use of cockpit voice recorders is to assist accident investigation for aviation safety purposes.
Although we in North America are not accustomed to criminal prosecution of pilots in the wake of accidents, our attorneys tell us that we are not immune. In fact after the USAir 5050 runway overrun accident at La Guardia, the District Attorney, for a time, intended to prosecute the flight crew. It is theoretically possible that the police, in building a criminal case, would seek access to recorded data, which could include CVR, DFDR, radar data, ACARS messages, electronically filed "confidential" safety reports, and more. In the United States, such a development would surely be met with strong opposition by pilot groups. Interestingly, and it is encouraging for both pilots and air safety investigators, the Canadians recently upgraded their legislation on recorded data. Section 28 of the Canadian Safety Board Act states that every on-board recording is privileged and, with very limited exception, no person shall knowingly communicate or be required to produce an on-board recording or give evidence relating to it in any legal, disciplinary or other proceeding. In the view of the Air Line Pilots Association, this is model legislation, and complies fully with the intent of ICAO Annex 13. We are hopeful that New Zealand and other countries will follow suit and enact legislation that provides a similar level of recorded data protection.
For the present, how has access to recorded data been impeded? We understand that of the aircraft in New Zealand with Cockpit Voice Recorders installed, many are no longer recording anything. The same goes for numerous foreign aircraft entering New Zealand's airspace. Obviously, this does not help the cause of air safety investigators, but it does reflect the volatility of the CVR issue and highlight the need for us to do what we can to ensure that recorded data is there when we need it. The fact that this is occurring in a distant country should give us no solace. Air transportation is a global enterprise - there are no "domestic" accidents. An unresolved accident, no matter where on the face of the earth it occurs, has consequences for all of us who have a concern with transportation safety. For this reason ALPA strongly advocates the installation of cockpit voice recorders and continues to lobby worldwide for the enactment of adequate data protection legislation.
Line pilots are probably most sensitive to CVR recordings, but they are also leery of routine monitoring of flight operations through digital flight data recorders. As many of you are aware, DFDR monitoring has been commonplace with many non-US carriers for many years. The reluctance of US carriers to embrace such programs has been based partly on the punitive and litigious environment. There has also been a healthy measure of skepticism and distrust amongst the pilots, along with an uneasiness with "big brother watching". In 1980 the ALPA Board of Directors (BOD) authorized a suspension of service as an expression of opposition to FAA plans to monitor cockpit voice recorder and flight data recorder tapes for the purpose of human factors research. This Notice of Proposed Rulemaking was stillborn, but the ALPA policy letter remains in place. Today's FOQA programs benefit from much more sophisticated technology than was hitherto available, but where digital flight data analysis has been implemented, it is the human elements of trust and cooperation, rather than the advances in hardware and software, which have made these programs workable.
Glass cockpits and advances in video recording technology have spurred interest in the use of cockpit view video recorders (CVVRs). This may help us determine what the crew actually saw or could have seen. Because digital recordings from signal generators may be too far upstream to accurately reflect the information presented to the flight crew, video recorders could preserve information that would otherwise not be recorded. Not surprisingly, given our experience with CVRs, ALPA has insisted that protective provisions be in place prior to installation of CVVR’s. Such protective provisions must preclude the release of information obtained from the CVVR to anyone outside the accident investigation and must ensure that information obtained from the CVVR cannot be used as a basis for punitive action against a flight crew member by the airline or government agency. In addition, ALPA believes that the statutory protections in place for the CVR should be strengthened in terms of access of information to litigants, and that these strengthened protections should also apply to the CVVR. The ALPA provisions policy further states that cockpit video recorders should focus on and record only the instrument panel of the cockpit and not record flight crew activity.
With respect to video recorders, the NTSB and others would prefer a more liberal approach, with the goal of recording the complete cockpit environment, including the behavior of the occupants. Again, we need to balance what is technologically feasible and what investigators would like with the fundamental privacy issues. Nowhere is it written that pilots, when they close the cockpit door, should forfeit all rights to privacy. As with many potential advances in aviation safety, the technological challenges of CVVRs will be much more easily solved than the regulatory issues.
ACARS and other forms of data link are less controversial than the other recording devices mentioned, but they too present security challenges. It is not just the pilots who are exposed; recently a selection of ACARS messages from an air carrier were apparently intercepted and published on the Internet. One would assume that this method of data and text transmission would be slightly more secure than open VHF voice communication, but we must work on the presumption that if a system is vulnerable to hackers, the information is likely to be compromised. In some instances, ACARS messages may contain operationally sensitive information that need not be made public. Could encryption of ACARS messages be on the horizon?
An intangible but crucial aspect of recorded information security is that of trust. Most aviation safety experts agree that if we are to reach the holy grail which is the next level of safety, then there needs to be information sharing and trust among those who are directly involved with flight operations. This network would include manufacturers, operators, regulators, air traffic controllers, mechanics, and pilots. ALPA and other pilot groups endorse wholeheartedly the premise of working together to advance safety within the industry. Programs built on trust, such as American's Airline Safety Action Partnership (ASAP) and the FOQA programs such as those at United and US Airways have already shown that objective assessment of aircraft and crew performance in line operations can indeed improve aviation safety. A characteristic of these partnership programs is that pilot representatives play an equal role in evaluating the information and deciding on the appropriate course of action. The knowledge that their interests are being protected is of overwhelming importance to line pilots.
Encouragingly, the present FAA Administrator has advocated safety partnership programs. Regrettably, and typically, these initiatives seem to have stalled in Washington. The aborted "quick-ticket program" and the painful birth of legislation to enable partnership programs which incorporate data protective provisions demonstrates the gulf that separates the regulatory and punitive side of the FAA from those in the Agency dedicated to advancing aviation safety. As if we needed reminding, it is unrealistic for us to expect that the regulators can bring us to the next level of safety. This means that the rest of the air transport industry - which includes pilot groups along with manufacturers and air carriers - will have to take up the challenge.
To reiterate, pilots do not consider themselves above the law, or expect to be held blameless when they make mistakes. Pilots are not only self-critical, but also tend to be very harsh with their peers who have not measured up. But they do expect to be treated fairly. When pilots do make errors, they expect that the system will balance their shortcomings against the myriad other factors that came into play that particular day. Pilots have no problem with accountability, and are willing to be judged by peers (who have a gut feel for the issues, because they have been there and done that) or by those air safety professionals who accept the challenge of performing a thorough investigation. Justice demands accountability, but fairness dictates that not all recorded information will be available to aid the prosecution. Remember, the only rationale ever advocated for the mandatory installation of cockpit voice recorders was to aid in accident investigation for air safety purposes.
In conclusion, adequate security for recorded information is essential if air safety investigators are to have access to the tools necessary to craft the next level of safety. We can not take this security for granted - assaults on sensitive and privileged information are inevitable. Because air transportation is a global enterprise, we must make it our business to see that the intent of the recorded data protective provisions of ICAO Annex 13 are applied not just in North America but universally.
By suitably protecting recorded data it will be readily available to those who really can make a difference. Pilots are a crucial component of our air safety system, the robustness of which depends on cooperation and trust. Pilots ask that their rights as individuals not be neglected as technology makes even more extensive monitoring and recording feasible. Because if we lose the trust of line pilots it will not easily be regained; the tasks of air safety investigators will be made much more difficult and the traveling public will be done a disservice.