TSA Lied About Protecting Passenger Data

TSA Lied About Protecting Passenger Data.

According to the AP:

The Transportation Security Administration misled the
public about its role in obtaining personal information about 12
million airline passengers to test a new computerized system that
screens for terrorists, according to a government investigation.

The report, released Friday by Homeland Security Department Acting
Inspector General Richard Skinner, said the agency misinformed
individuals, the press and Congress in 2003 and 2004. It stopped short
of saying TSA lied.

I'll say it: the TSA lied.

Here's the report.
It's worth reading. And when you read it, keep in mind that it's
written by the DHS's own Inspector General. I presume a more
independent investigator would be even more severe. Not that the report
isn't severe, mind you.

Another AP article has more details:

The report cites several occasions where TSA officials made inaccurate statements about passenger data:

  • In September 2003, the agency's Freedom of Information
    Act staff received hundreds of requests from Jet Blue passengers asking
    if the TSA had their records. After a cursory search, the FOIA staff
    posted a notice on the TSA Web site that it had no JetBlue passenger
    data. Though the FOIA staff found JetBlue passenger records in TSA's
    possession in May, the notice stayed on the Web site for more than a
    year.

  • In November 2003, TSA chief James Loy incorrectly told
    the Governmental Affairs Committee that certain kinds of passenger data
    were not being used to test passenger prescreening.

  • In September 2003, a technology magazine reporter asked
    a TSA spokesman whether real data were used to test the passenger
    prescreening system. The spokesman said only fake data were used; the
    responses “were not accurate,” the report said.

There's much more. The report reveals that TSA ordered Delta Air
Lines to turn over passenger data in February 2002 to help the Secret
Service determine whether terrorists or their associates were traveling
in the vicinity of the Salt Lake City Olympics.

It also reveals that TSA used passenger data from JetBlue in the
spring of 2003 to figure out how to change the number of people who
would be selected for more screening under the existing system.

The report says that one of the TSA's contractors working on
passenger prescreening, Lockheed Martin, used a data sample from
ChoicePoint.

The report also details how outside contractors used the data for
their own purposes. And that “the agency neglected to inquire whether
airline passenger data used by the vendors had been returned or
destroyed.” And that “TSA did not consistently apply privacy
protections in the course of its involvement in airline passenger data
transfers.”

This is major stuff. It shows that the TSA lied to the public about its use of personal data again and again and again.

Right now the TSA is in a bit of a bind. It is prohibited by
Congress from fielding Secure Flight until it meets a series of
criteria. The Government Accounting Office is expected to release a report this week that details how the TSA has not met these criteria.

I'm not sure the TSA cares. It's already announced plans to roll out Secure Flight.

With little fanfare, the Transportation Security
Administration late last month announced plans to roll out in August
its highly contentious Secure Flight program. Considered by some travel
industry experts a foray into operational testing, rather than a viable
implementation, the program will begin, in limited release, with two
airlines not yet named by TSA.

My own opinions of Secure Flight are well-known. I am participating
in a Working Group to help evaluate the privacy of Secure Flight. (I've
blogged about it here and here.)
We've met three times, and it's unclear if we'll ever meet again or if
we'll ever produce the report we're supposed to. Near as I can tell,
it's all a big mess right now  [Schneier on Security]

Leave a comment