Secondary Screening


June 15, 2005 | More Questions about TSA and Privacy

D.C. privacy circles and Capitol Hill have been swirling with rumors all this week about a possible scandal surrounding Secure Flight and commercial data testing.

It's still quite unclear what exactly the TSA did or did not do.

There was nothing quite reportable until today when Homeland Security privacy czarina Nuala O'Connor Kelly let it be known that she is conducting an official investigation:

Homeland Security's privacy czar is investigating whether government officials in charge of an airline passenger screening program violated federal privacy laws by expanding testing of commercial data beyond the scope of official statements.

Transportation Security Administration officials acknowledge that tests of Secure Flight went further than expected and plan to retroactively expand and clarify its earlier notices to reflect the true scope of its commercial data testing.

TSA declined to specify what changes it will make to its Privacy Act notices, which initially said the agency intended to use commercial data only for identity verification.

But they say the changes aren't as significant as the program's detractors believe them to be.

Secure Flight's program director Justin Oberman told Wired News on Tuesday that the planned revisions were "technical" and "unsurprising."

Oberman said testing by contractor EagleForce Associates had been fruitful, even though the test had lengthened from one month to four.

Neither Nuala O'Connor Kelly, Homeland Security's privacy czar, nor the privacy community seem inclined to give the TSA a pass even if the agency's oversteps did not violate the law, given the TSA's history of secret data tests.

Link

Leslie Miller of the Associated Press has also been running down the rumors (was that you, Leslie, I glimpsed running by in the dark alley the other night?).

Here's her take (in part):

The review also will cover the security of the system, known as Secure Flight, said Nuala O'Connor Kelly. Some commercial data vendors have had security breaches.

"We need to give a hard look at any program that collects information on Americans," she said in an interview. "The scrutiny is appropriate."

She spoke on the sidelines of a public hearing at Harvard Law School by the department's data-privacy advisory committee.

Government agencies are required by law to state publicly how they will use and store records about people. The Privacy Act of 1974 prohibits the government from keeping a secret database.

The official in charge of Secure Flight said the government will update its description of records kept for the program.

Justin Oberman of the Transportation Security Administration said information from private databases will not be fed into a central repository. It will be deleted from Homeland Security records within a day or two, he said.

In November, the TSA said in the Federal Register that it would not access or use commercial data.

Tim Sparapani, a privacy rights lawyer for the American Civil Liberties Union, said the agency should not be allowed retroactively to change the description of the Secure Flight database.

"The great question about this program is whether the program is effective, number one, but whether TSA and commercial data brokers can be trusted to safeguard passengers' most sensitive personal information," Sparapani said.

"TSA has shown a repeated, consistent failure to act with appropriate care and concern for that data," he said.

Link

Here's some extra stuff that didn't make my final story:


Timothy D. Sparapani, the ACLU's legislative counsel on privacy issues, questioned whether the TSA should be allowed to use commercial databases, given the agency's history of using data secretly.

"I don't think people who treat sensitive data like this should be given the keys to the kingdom," Sparapani said.
[...]

The original testing was slated to last a little more than a month, but has continued for several months longer than expected.

Part of the extended test has included explorations into whether a passenger's potential risk can be inferred using geographic data about a passenger's home address, presumably in relation to the airport they are flying out of.

TSA spokesman Mark Hatfield denied that the agency itself ever possessed any of the commercial data used in testing.

[...]
Congress has already been keeping the program on a short leash, following a string of revelations in 2003 and 2004 about the secret involvement of the TSA in 14 different transfers of passenger records from airlines to government contractors, totaling more than 20 million records.

TSA officials misled the public and Congress about the data transfers and about the fact that its program, then known as CAPPS II, had been tested using the passenger records.

Congress now mandates that its investigative arm, the Government Accountability Office, certify that Secure Flight will be both effective and non-intrusive before it is deployed.

But in February, the GAO said Secure Flight had not satisfied nine of ten requirements.

GAO is also tasked with overseeing Secure Flight's commercial data testing.

After reviewing plans submitted by the TSA, the GAO signed off on the testing in March and is currently beginning to review the TSA test results as part of a planned report for a number of Congressional committees.

The privacy office's investigation comes at a critical time for the agency and the program, as both the House and Senate are working on funding for programs within Homeland Security and the TSA hopes to begin a limited rollout of Secure Flight to two airlines in mid-August.

Much of what got left out is inside-Beltway baseball (though important to understand how this investigation or even the public acknowledgment of it might play out in Congress).

And while many questions remain, what is known drives to the forefront a very perplexing question:

What is the purpose of chief privacy officers?

Are they supposed to work like an Inspector General, ferreting out mismanagement and wrongdoing?

Or are they mostly about helping a department to craft appropriate data handling rules and writing Privacy Act notices to be in line with privacy laws?

And if, as currently created, they are supposed to do both, can anyone actually be expected to do that competently?

Posted by Ryan Singel at June 15, 2005 05:13 PM
