Nuala O'Connor Kelly, Homeland Security's chief privacy officer, needs some better tools in her tool box -- at least according to News.com's Declan McCullagh.
McCullagh makes a convincing argument that Congress needs to give O'Connor Kelly the power to subpoena Homeland Security officials to turn over documents so she can investigate appropriately.
When politicians were concocting the massive bureaucracy a few years ago, they handed the privacy officer impressive-sounding tasks such as "assuring" that new technologies do not erode privacy and "evaluating" the impact of new government programs. But Congress also neglected to give the job holder the power to twist arms and actually investigate privacy violations.
Nuala O'Connor Kelly, who got the post in April 2003, seems to be honestly trying to report on the sprawling bureaucracy's privacy performance.
O'Connor Kelly started looking into the TSA's role in convincing JetBlue to turn over its entire passenger database -- in total violation of its privacy promises to its customers -- to an Army contractor working on a data mining project, a story I broke for Wired News in September 2003.
For those keeping score at home, the TSA denied to me, the public and Congress that it had any role in that secret transfer or that any of its own contractors got data. That house of outright falsities fell little by little, as O'Connor Kelly finally reported that the TSA actually did ask JetBlue to help and, almost a year later, the TSA admitted to Congress that 6 of the nation's largest airlines and a number of airline reservation companies had given data to the agency and its contractors.
Another internal DHS document (PDF)--obtained by the Electronic Privacy Information Center--reveals the difficulties that Kelly has encountered when asking recalcitrant bureaucrats to disgorge potentially embarrassing information. Kelly was looking into how the Transportation Security Administration was involved with the transfer of passenger data from JetBlue Airways to the Defense Department. She started asking questions. She was rebuffed.
"I had sent my first inquiry to TSA public affairs, my second to (the agency's risk assessment office), but information has not been forthcoming," Kelly said in e-mail to Carol DiBattiste, the transportation security agency's deputy administrator, in November 2003. "This is particularly disturbing...We're getting better information from outside than we have from our own folks at this time."
DiBattiste sounded like she was replying to a pesky reporter when she wrote back: "TSA Public Affairs has no information in response to your request."
How fitting, then, that DiBattiste landed a plum $500,000-a-year job last month with privacy-impaired company ChoicePoint.
In an uncharacteristic fit of generosity, Declan omits the fact that on top of the half-million salary, DiBattiste also gets a minimum bonus of $350,000 for 2005 and another $100,000 if she manages to stick around for a year.
At the same time DiBattiste had no answers for O'Connor Kelly, she had only false ones for Congress. She was then the chief of staff for then-TSA boss Admiral James Loy, who was up for a promotion. He had to get through Senate confirmation, and privacy-conscious Senators Joe Lieberman and Susan Collins asked Loy about the TSA and JetBlue and its contractors.
His sworn answers to their written questions were flat-out false.
Don't take my word for it -- look at page 44 of the Homeland Security Inspector General's cautious and overly redacted report (.pdf) on the data transfers.
TSA employees assisted in preparing responses to a pre-hearing questionnaire for the DHS Deputy Secretary’s November 18, 2003, confirmation hearing before the U.S. Senate Committee on Governmental Affairs. One question sought information about TSA’s role in the transfer of JetBlue passenger information to Torch Concepts. The November 18, 2003, response to the question stated that TSA provided assistance "…only in the form of an introduction for DOD to JetBlue Airlines [sic]." In late November or early December 2003, TSA staff located a July 30, 2002, memorandum from the CAPPS II program manager to JetBlue’s security director requesting that the airline provide PNR data to Torch Concepts. Because this memo contradicted the Deputy Secretary’s November 18, 2003, response to the Committee on Governmental Affairs, on February 23, 2004, the Deputy Secretary sent a letter to the Chairman of the Committee amending his prior statement. His statement was amended to read, “In a July 30, 2002 memorandum, TSA requested that JetBlue provide archived passenger data to the DOD.” TSA staff did not provide a clear explanation as to why this memorandum was not brought to the Deputy Secretary’s attention before the November 18, 2003, hearing.
In another confirmation pre-hearing question, the U.S. Senate Committee on Governmental Affairs asked whether contractors working on CAPPS II had used any real world data for testing purposes. The Deputy Secretary’s response was that “TSA has not used any PNR data to test any of the functions of CAPPS II. TSA is using certain information provided by volunteers, many are DHS employees,” including senior DHS officials. TSA did use volunteered information to test CAPPS II; however, PNR data also was used to test some of the system’s functions.
Now, I reported on these false statements, here and here.
But note two very interesting things about the defanged IG report, one of the first after Inspector General Clark Kent Ervin was kicked to the curb by the Bush Administration.
One, to preserve the "privacy" of Admiral Loy and his staff, the report omits all names.
Two, note that the report says that one of the statements was corrected. It mentions the other false statement, but neglects to point out or criticize the department for not correcting false sworn testimony to Congress. Neither Loy nor the TSA can claim they don't know about the statement since I reported it in April of 2004, almost a full year before the IG report. I tried to call Loy for clarification, but his office did not deign to respond to my phone call.
And, finally, to come full circle, ChoicePoint's Derek Smith should be very happy to have DiBattiste as his privacy overseer.
She was then Loy's chief of staff. Nothing that went for his signature, especially something that would be signed under penalty of perjury, could have gotten to Loy without her seeing and vetting it first.
But still, it seems her desire to protect her employer and her organization trumped her commitment to the truth and the rule of law.
Nowadays, that seems to be a laudable quality in any high-level employee of an organization dogged by questions of impropriety, bad-faith communications with the public, and sloppy and invasive information practices. Or at least it's one that will get you a million-dollar-a-year paycheck.
Posted by Ryan Singel at April 13, 2005 12:02 AM
