TSA Work Sloppy, but Not Illegal
By Ryan Singel

Story location: http://www.wired.com/news/privacy/0,1848,67031,00.html

02:00 AM Mar. 26, 2005 PT

Homeland Security officials failed to keep millions of airline passenger
records secure and repeatedly made false denials of their involvement in
data transfers to the media and Congress, but they did not violate federal
law, according to a report released Friday.

The report by acting Department of Homeland Security Inspector
General Richard Skinner found that the Transportation Security
Administration was involved in 14 different data transfers totaling more
than 20 million records in 2002 and 2003.

The report describes an array of data dumps from airlines to TSA contractors
and paints a picture of an agency unable to keep track of its own
operations, leading to false denials of data transfers to the media and
inaccurate sworn testimony to the Senate.

However, the department did not violate the Privacy Act, which prohibits
secret databases on Americans, since the agency used the records in bulk and
did not look up individuals by name, according to the report.

Delta Air Lines, JetBlue Airways and American, Frontier, Continental and
America West airlines -- along with three airline record-processing firms --
all secretly turned over data directly to the TSA and government
contractors.

The data included names, addresses, dates of birth, itineraries and credit
card numbers.

The data dumps first came to light after Wired News reported in September
2003 that JetBlue had violated its privacy policy by turning over 5 million
records to an Army subcontractor.

Those records were augmented with personal records from Acxiom, one of the
country's largest data-aggregation companies.

That information included incomes, occupations, vehicle ownership
information and Social Security numbers.

Friday's report shows that JetBlue and Acxiom's participation did not stop
there.

Acxiom provided, in violation of JetBlue's privacy policy, 2.75 million
JetBlue records directly to HNC Software, a company hired by the TSA to
build a prototype of an airline passenger-screening system.

Acxiom also separately provided HNC with sensitive personal information from
its databases on more than 1 million American Airlines passengers.

The goal of almost all the data transfers was to test a system called CAPPS
II, which was intended to use computer algorithms to detect terrorist threats
to airplanes by comparing itineraries to government watch lists and commercial
data.

That system was eventually scrapped in July 2004.

The TSA is now testing a similar system, dubbed Secure Flight, using
reservations it publicly demanded from the airlines in November and
commercial data records from Acxiom.

But civil libertarians, including Electronic Frontier Foundation attorney
Lee Tien, argue this report shows that the TSA cannot be trusted with such
personal information.

"This is worse than ChoicePoint," Tien said. "It reflects an attitude toward
the privacy of Americans that falls well below what people are up in arms
about in the commercial data industry.

"Obvious bad security and data-privacy practices were allowed to fester
because there is no public scrutiny," Tien said. "They never had to tell
anyone that they were asking for or getting passenger data. Combine that
with the secretiveness of the Homeland Security Department, and you have a
recipe for a privacy disaster."

Ari Schwartz, associate director of the Center for Democracy and Technology
-- a group known for working closely with government officials -- says it is
clear that the TSA did break the law.

"If these were not Privacy Act systems of records, then why were they
merging commercial and airline data at all?" Schwartz asked. "What is the
purpose if you are not going to pull people out by name and find potential
terrorists?"

Sen. Joe Lieberman, the top Democrat on the Senate Homeland Security and
Governmental Affairs Committee, echoed those concerns.

"The Inspector General's report demonstrates that TSA should have enforced
better privacy practices," Lieberman said in a written statement. "I also
question whether several of the risk-assessment programs developed at TSA's
request using passenger data violated the Privacy Act.

"Finally, TSA took months to disclose to Congress and the public its role in
the transfers of passenger data, and some of its disclosures were
inaccurate. TSA will need to do better -- the American public must know
their personal information is well-protected, or they will distrust the new
systems we need to keep our nation safe."

TSA spokeswoman Amy Von Walter defended the agency, pointing out that the
report found no evidence of harm to any individual's privacy and that the
TSA is working on official interagency procedures for handling passenger
data.

"Our actions corroborated our dedication to balancing privacy and security,"
she said. Von Walter also indicated the agency is working to make sure that
the public and Congress are better informed about the agency's actions.

"Throughout the development of the Secure Flight program, we have worked
very closely with ... the industry and with the privacy community. So it's a
much more open and transparent process," Von Walter said.

This will not likely be the end of this issue for the TSA, however, as Nuala
O'Connor Kelly, the chief privacy officer for Homeland Security, is still
working on a report on whether the transfers violated the Privacy Act.
