[Infowarrior] - Report Says TSA Violated Privacy Law

Richard Forno rforno at infowarrior.org
Thu Dec 21 23:19:15 EST 2006


Report Says TSA Violated Privacy Law
Passengers Weren't Told That Brokers Provided Data to Screening Program in
'04

By Ellen Nakashima and Del Quentin Wilber
Washington Post Staff Writers
Friday, December 22, 2006; A07

http://www.washingtonpost.com/wp-dyn/content/article/2006/12/21/AR2006122101621_pf.html

Secure Flight, the U.S. government's stalled program to screen domestic air
passengers against terrorism watch lists, violated federal law during a
crucial test phase, according to a report to be issued today by the Homeland
Security Department's privacy office.

The agency found that by gathering passenger data from commercial brokers in
2004 without notifying the passengers, the program violated a 1974 Privacy
Act requirement that the public be made aware of any changes in a federal
program that affects the privacy of U.S. citizens. "As ultimately
implemented, the commercial data test conducted in connection with the
Secure Flight program testing did not match [the Transportation Security
Administration's] public announcements," the report states.

The finding marks the first time that the Homeland Security Department has
acknowledged that the problem-plagued Secure Flight program has violated the
law. It comes at a time when a separate program to screen international
passengers is under attack for officials' failure to disclose until recently
that they were creating passenger profiles that would be stored for 40
years.

The report on Secure Flight says that "the disparity between what TSA
proposed to do and what it actually did in the testing program resulted in
significant privacy concerns being raised. . . . Privacy missteps such as
these undercut an agency's effort to implement a program effectively, even
one that promises to improve security."

Congress has halted Secure Flight, except for testing, until it can allay
privacy and security concerns.

The report notes that TSA eventually revised its public notice about the
program to reflect more closely the program itself. But it also suggests
that Secure Flight will run afoul of the law again unless it follows a set
of recommendations, including being transparent about the program's
collection and use of passengers' personal information.

TSA Administrator Kip Hawley said that he supports the use of Secure Flight
and that his agency is working closely with other government officials to
ensure it protects privacy. "We are working in a transparent way," Hawley
said, adding that the agency's "challenging" goal is to roll out the program
in 2008.

In 2004, the TSA published a Federal Register notice on a data-test phase of
the program, saying that "strict firewalls" would prevent any commercial
data from mixing with government data. However, this was based on the notion
that the Secure Flight contractor, EagleForce Associates Inc. of McLean,
would ensure that no commercial data were used, the report said.

But by the time the EagleForce contract was finalized, "it was clear that
TSA would receive commercial data," the report says. If, for instance, TSA
data for an individual passenger lacked an address or date of birth,
EagleForce would obtain the missing information from commercial data
brokers.

"The fact that EagleForce had access to the commercial data did not create a
firewall," the report says, because under the Privacy Act, in effect,
"EagleForce stands in the shoes of TSA."

Moreover, commercial databases provided EagleForce with data for some
individuals who were not air passengers. These people were never notified --
a violation of the Privacy Act, the report says.

TSA spokeswoman Ellen Howe said the agency has "already implemented or is in
the process of implementing" the recommendations contained in the privacy
office report. She said the report's conclusions were not surprising, adding
that they were "very similar" to those reached last year by the General
Accounting Office, the government's auditing arm.

A 2004 probe found that the TSA improperly stored 100 million commercial
data records containing personal information on passengers after the agency
said no data storage would occur.



