IG: TSA let down privacy guard

Policies were not enforced during the 2004 transfer of passenger data.

Transportation Security Administration officials failed to enforce privacy protections when they transferred airline data to the agency's passenger screening system, according to a report by the Homeland Security Department's inspector general.

Between February 2002 and June 2003, TSA transferred more than 12 million passenger records from at least six airlines to other agencies and their contractors working on the Computer Assisted Passenger Prescreening System (CAPPS) II, according to the report.

The information was used for research purposes to develop the system, according to TSA's report, and the IG found no evidence that any individual was harmed.

However, TSA officials did not ensure that contractors involved in the work properly protected the data, the report states. And once information about the transfer was made public, initial explanations from TSA officials were often inaccurate, the IG wrote.

The slips occurred because “early TSA and CAPPS II efforts were pursued in an environment of controlled chaos and crisis mode after the Sept. 11 [2001] attacks,” the report states. “Management changes were frequent and chains of command were blurred.”

But the report also acknowledged that enhanced privacy laws and an increased emphasis on privacy protections within the TSA since then have confirmed the agency’s commitment to guarding both personal privacy and security.

The IG recommended several steps to prevent similar problems in the future. The steps include:

• Agency officials should create clear procedures for acquiring airline passenger data and facilitating the exchange of that data with other parties.

• Privacy protections should be built into documents about acquisition when the programs in question could involve data that identifies specific individuals.

• TSA should file final reports for all programs that use intensive data analysis or impact data security and privacy.

• Companies and other entities that work with TSA should inform the agency how they address data security, privacy and confidentiality protections.

TSA officials decided to stop development of CAPPS II in 2004 because of privacy concerns. The new system, Secure Flight, is slated to start operating in August.

The report is only one instance of the scrutiny the TSA is receiving over its handling of airline passenger data. The General Accounting Office is scheduled to release its own report on Monday, March 28.
