Secondary Screening

Archives
By Date
April 2006
March 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004
September 2004
August 2004
By Category
Airline Security Measures
Bicycles
Book Reviews
Congress
Data Mining
Department of Homeland Security
Freedom of Information
Government Secrecy
Miscellany
Other People's Writing
Privacy
Security Measures
The Courts
The New Web
Threat Level
Recent Entries
Change of Address
Privatized Registered Traveler On Track
Software Bug Shuts Down Nation's Busiest Airport
HostGator Rocks
But some butter is more butter than other butter
TSA Picks Privacy Player
AT&T Loses A Customer Over NSA Lawsuit
Jetsons Video Phone? Deaf Say Yes!
AT&T *69s EFF
Narus Not in the Know
Published articles
Wired News Articles
Links
Wired News
DefenseTech
Practical Nomad
BeSpacific
DHS Privacy Office
Memory Hole Blog
Electronic Privacy Information Center
Privacy Digest
Electronic Frontier Foundation
Homeland Security Institute
Secrecy News
Emergent Chaos
EPIC West's Chris Hoofnagle
Prawfs Blog with Daniel Solove
Ann Harrison
Reuter's Andy Sullivan
Schneier on Security
Talk Left
Reason's Hit & Run
W. David Stephenson
Phillip Carter's Intel Dump
Project on Government Oversight
Technology Liberation Front
Edward Felten's Freedom to Tinker
Contact
Email me
415.375.3150
Subscribe
Feed: Your Reader
Atom
RSS 1.0
RSS 2.0
RSD
About Ryan Singel
I'm a San Francisco-based freelance journalist who covers antiterrorism programs, civil liberties, the Internet and privacy.
« TSA: Said It Wouldn't, Did | Main | I Know Funny »
June 24, 2005 | TSA Lied, Could Face Time Criminal Fine

Homeland Security officials who defied Congress and misled the public by creating secret files on American citizens while testing a new passenger screening program may have engaged in multiple counts of criminal conduct, and at least one employee has already lied to cover-up the misdeed.

On Monday, the Transportation Security Administration confirmed allegations that officials running the so-called Secure Flight program violated legally binding promises by secretly sharing and collecting detailed personal data on American citizens from commercial data brokers.

These announced violations of the Privacy Act add yet another chapter to the increasingly repetitive story of the TSA's sloppy data practices, disregard for the nation's privacy laws, and false statements to the American public, Congress and the media.

Secure Flight is the newest name for the TSA's attempt to replace the current airline passenger screening system that relies on watchlists provided to airlines, with a federally-run system using a consolidated watchlist.

An earlier version called CAPPS II was scrapped after intense criticism of the agency's data practices.

TSA officials, including Secure Flight program manager Justin Oberman, are now working furiously behind the scenes, using words like "unsurprising," to downplay the extent of their wrongdoing to Congressional investigators, journalists, and civil liberties groups.

But the misconduct actually pertains to the crux of earlier official notices that promised that the agency would never get a hold of commercial data during the tests, according to Peter Swire, a law professor and the former top Clinton Administration privacy official.

"The use of commercial data was the single biggest issue in this system of records," Swire said. "It was at the center of Congressional debate; it was the topic of extended discussion by the agency, and an intentional, systematic violation of that promise is a big deal."

"This was likely a criminal violation," Swire said. "If the agency can ignore that sort of promise that would undercut the entire Privacy Act"

The Privacy Act of 1974 makes it a crime to intentionally create databases with information on citizens without first notifying the public.

While Secure Flight's Oberman dissembles when asked tough questions, TSA's chief spokesman Mark Hatfield has already lied in order to protect the program.

After a week of rumors about TSA wrongdoing, an official government notice posted to the TSA's website on Monday revealed the agency had acquired CD-ROMs full of personal information about airline passengers obtained from commercial databases via its contractor, EagleForce Associates.

However, four days prior, Hatfield -- who had already been briefed on the Secure Flight misconduct -- denied this happened when asked by this reporter if the TSA had ever gotten commercial data as part of the test.

"No. The data is all handled by the contractor," Hatfield said. "As publicly discussed, the data was kept at arms length range and was kept by the contractor at its facility."

Monday's documents further revealed that the TSA still had the CD-ROMs and had shared them with another contractor (IBM), as part of extended commercial data testing about which it never told the public about.

Willfully sharing information from government databases without informing the public is also a criminal violation of the Privacy Act.

Earlier scandals about the mishandling of more than 25 million passenger records prompted Congress to put the screening system under unprecedented scrutiny, requiring the program be certified as useful and non-invasive before it could be deployed.

Critics, including Homeland Security advisory board members, say even Congressional scrutiny can't keep the TSA from acting like a rogue agency.

"It is really clear that Secure Flight is going ahead regardless of rules and laws," said Bruce Schneier, a noted security expert who the TSA named to an internal Secure Flight advisory board in January. "It's clear they don't care what Congress says."

Jim Harper of the libertarian Cato Institute went so far as to formally revise his Congressional testimony from earlier this month in response to the news.

Harper serves on the DHS Data Privacy and Integrity Advisory Committee, which coincidentally held a meeting last Thursday to discuss data mining issues.

In open session that day, Harper asked Secure Flight's Oberman if the program had adhered scrupulously to the Privacy Act.

"[Oberman] said he essentially he had, but with enough wiggle room to wiggle out," Harper said.

"They snuck around behind the GAO and behind our advisory committee as well," Harper said.

"You can't do law enforcement by disregarding the law. They need to get that through their heads."

In March, the Government Accountability Office, Congress's investigative arm, approved the TSA's proposal to start very limited commercial data testing using an outside vendor.

The TSA wanted to see if commercial databases, such as those used by mortgage brokers, could verify that passengers were who they claimed to be.

To jumpstart testing, TSA forced the nation's airlines late last year to turn over their database records from June 2004.

TSA led the public and Congress to believe EagleForce would simply create a system for verifying passenger identification by sending basic passenger information from the June records to a commercial data aggregators.

Those companies – namely Acxiom, InsightAmerica and Qwest -- would check their records for a similar entries and return an answer ranging from "Yes, I've got an exact match" to "No, this person doesn't seem to exist."

Instead, EagleForce also enhanced and "corrected" passenger records with the information from the data aggregators, including fliers' home addresses, phone numbers, previous addresses, spouses' names and dates of birth.

As the testing stretched unannounced beyond its one-month limit into four months, EagleForce sought data on 240,000 names similar to those in the passenger data, thereby creating database records about citizens who had never flown in June 2004 and who had no idea the database existed.

EagleForce then passed enhanced passenger data back to the TSA, which worked on the data and passed it to IBM, which was testing the use of a centralized watchlist.

The agency's data practices have been investigated in the past by the Homeland Security's Inspector General and its Privacy Office.

Homeland Security's chief privacy officer Nuala O'Connor Kelly has already said she is investigating the newest scandal.

Update: The headline has been corrected to reflect that the Privacy Act's criminal misdemeanor is punishable only by a fine up to $5000.

Posted by Ryan Singel at June 24, 2005 10:12 AM

 Trackback Pings

TrackBack URL for this entry:
http://www.secondaryscreening.net/cgi-bin/mt-tb.cgi/203

Listed below are links to weblogs that reference TSA Lied, Could Face Time Criminal Fine:

» TSA Lies, Could Face Time from Emergent Chaos
Homeland Security officials who defied Congress and misled the public by creating secret files on American citizens while testing a new passenger screening program may have engaged in multiple counts of criminal conduct, and at least one employee has... [Read More]

Tracked on June 26, 2005 08:16 AM

» Secure Flight from Schneier on Security
Last Friday the GAO issued a new report on Secure Flight. It’s couched in friendly language, but it’s not good: During the course of our ongoing review of the Secure Flight program, we found that TSA did not fully disclose... [Read More]

Tracked on July 24, 2005 07:18 PM

» TSA gives Americans the finger from Kantor.com
Get this: The Transportation Security Administration (TSA) not only violated the law (specifically the Privacy Act) by collecting personal information about passengers from commercial databases, it also broke the promise it made not to do... [Read More]

Tracked on July 26, 2005 06:36 PM

» Update on "Secure Flight" from The Practical Nomad
This summer there's been both a public sideshow about (relatively) minor privacy and legal violations by the USA Transportation Security Administration (TSA) in its ongoing testing of the "Secure Flight" airline passenger screening and surveillance sch... [Read More]

Tracked on August 19, 2005 02:51 PM

Post a comment

So what can we do about this?

Z.

Posted by: Zwack at July 25, 2005 08:20 AM
Powered by
Movable Type 3.2