TSA Lied About Protecting Passenger Data
According to the AP:
The Transportation Security Administration misled the public about its role in obtaining personal information about 12 million airline passengers to test a new computerized system that screens for terrorists, according to a government investigation.
The report, released Friday by Homeland Security Department Acting Inspector General Richard Skinner, said the agency misinformed individuals, the press and Congress in 2003 and 2004. It stopped short of saying TSA lied.
I'll say it: the TSA lied.
Here's the report. It's worth reading. And when you read it, keep in mind that it's written by the DHS's own Inspector General. I presume a more independent investigator would be even more severe. Not that the report isn't severe, mind you.
Another AP article has more details:
The report cites several occasions where TSA officials made inaccurate statements about passenger data:
- In September 2003, the agency's Freedom of Information Act staff received hundreds of requests from Jet Blue passengers asking if the TSA had their records. After a cursory search, the FOIA staff posted a notice on the TSA Web site that it had no JetBlue passenger data. Though the FOIA staff found JetBlue passenger records in TSA's possession in May, the notice stayed on the Web site for more than a year.
- In November 2003, TSA chief James Loy incorrectly told the Governmental Affairs Committee that certain kinds of passenger data were not being used to test passenger prescreening.
- In September 2003, a technology magazine reporter asked a TSA spokesman whether real data were used to test the passenger prescreening system. The spokesman said only fake data were used; the responses "were not accurate," the report said.
There's much more. The report reveals that TSA ordered Delta Air Lines to turn over passenger data in February 2002 to help the Secret Service determine whether terrorists or their associates were traveling in the vicinity of the Salt Lake City Olympics.
It also reveals that TSA used passenger data from JetBlue in the spring of 2003 to figure out how to change the number of people who would be selected for more screening under the existing system.
The report says that one of the TSA's contractors working on passenger prescreening, Lockheed Martin, used a data sample from ChoicePoint.
The report also details how outside contractors used the data for their own purposes. And that "the agency neglected to inquire whether airline passenger data used by the vendors had been returned or destroyed." And that "TSA did not consistently apply privacy protections in the course of its involvement in airline passenger data transfers."
This is major stuff. It shows that the TSA lied to the public about its use of personal data again and again and again.
Right now the TSA is in a bit of a bind. It is prohibited by Congress from fielding Secure Flight until it meets a series of criteria. The Government Accountability Office is expected to release a report this week that details how the TSA has not met these criteria.
I'm not sure the TSA cares. It's already announced plans to roll out Secure Flight.
With little fanfare, the Transportation Security Administration late last month announced plans to roll out in August its highly contentious Secure Flight program. Considered by some travel industry experts a foray into operational testing, rather than a viable implementation, the program will begin, in limited release, with two airlines not yet named by TSA.
My own opinions of Secure Flight are well-known. I am participating in a Working Group to help evaluate the privacy of Secure Flight. (I've blogged about it here and here.) We've met three times, and it's unclear if we'll ever meet again or if we'll ever produce the report we're supposed to. Near as I can tell, it's all a big mess right now.
Edited to add: The GAO report is online (PDF format).
Posted on March 27, 2005 at 12:34 PM • 31 Comments