Secure Flight increases privacy protections

TSA admits passenger screening program violated privacy regulations

The Transportation Security Administration's passenger screening system, Secure Flight, violated the privacy of potentially millions of people, a Government Accountability Office audit found last month. In response, TSA has bolstered Secure Flight's privacy protections.

"Specifically, a TSA contractor, acting on behalf of the agency, collected more than 100 million commercial data records containing personal information, such as name, date of birth and telephone number, without informing the public," wrote Cathleen Berrick, GAO's director of homeland security and justice issues, in a July 22 letter to TSA.

TSA supplemented its passenger data with the commercial data to help reduce mistakes when comparing travelers' data to national terrorist watch lists, Berrick wrote.

In September and November 2004, TSA officials published privacy notices about the agency's use of Secure Flight data. They lack legally required details about how TSA and its contractors would collect, use and store commercial data, Berrick wrote. TSA also did not say what the full scope of the data collection would be, she added.

"It paints a very different picture from what they actually did," Berrick said in a phone interview. "Clearly, they violated the Privacy Act," because the public did not know about and could not comment on the use of personal information.

TSA did not intend to violate privacy rules, said Justin Oberman, assistant administrator for the Secure Flight and Registered Traveler programs. Between the time when TSA published the initial notices and finished Secure Flight's tests, program developers had a better idea of how to improve the system, Oberman said. It is common to update privacy notices and other documents to reflect such changes, he said.

After hearing GAO's concerns about the program in June, TSA officials agreed that they were valid and acted to correct the problems, wrote Steven Pecinovsky, director of DHS' GAO/Office of Inspector General Liaison, in a letter responding to GAO's letter.

TSA officials published updated privacy notices to better describe how Secure Flight used commercial data, Pecinovsky wrote. They also vowed to ensure that TSA's chief privacy officer and general counsel would decide whether more changes in data use would warrant another update, he wrote. DHS' chief privacy officer, Nuala O'Connor Kelly, is reviewing Secure Flight's use of passenger data and may recommend additional privacy protections, he added.

TSA officials promised not to use commercial data in the start-up period for Secure Flight, scheduled to begin by early 2006, Pecinovsky wrote.

Too ambitious for its own good?

The Transportation Security Administration has ambitious programs for screening passengers to find terrorists. But flaws constantly derail those programs, said James Dempsey, executive director of the nonprofit Center for Democracy and Technology.

Both Secure Flight and its predecessor, the Computer Assisted Passenger Prescreening System (CAPPS) II, analyze passenger data from airlines to identify suspicious individuals, Dempsey said.

"How that would work has never been described," Dempsey said. "I just think that there is no evidence to support passenger screening systems like that."

TSA violated many privacy regulations while collecting data, seriously weakening public trust in the programs, Dempsey said. Public and congressional outrage forced TSA to scrap CAPPS II in 2004 and replace it with Secure Flight.

Ironically, CAPPS I, CAPPS II's predecessor, was a much more effective system, Dempsey said. Airlines keep the data they collect and follow confidential rules that analyze passenger behavior, such as buying one-way tickets, he said.

Still in use, CAPPS I flagged nine of the 19 Sept. 11, 2001, hijackers without any privacy breaches, Dempsey said.

Despite the problems of Secure Flight and CAPPS II, checking passengers against watch lists of known criminals and terrorists is a legitimate security measure, Dempsey said. To be effective, however, the lists must contain passengers' names and a few other specific categories of information to prevent false positives, he said.

— Michael Arnone

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.

Featured

  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from Shutterstock.com

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group