Language Selection

English French German Italian Portuguese Spanish

TSA Broke Privacy Laws

Filed under
Security

The Transportation Security Administration violated privacy protections by secretly collecting personal information on at least 250,000 people, congressional investigators said Friday.

The Government Accountability Office sent a letter to Congress saying the collection violated the Privacy Act, which prohibits the government from compiling information on people without their knowledge.

The information was collected as the agency tested a program, now called Secure Flight, to conduct computerized checks of airline passengers against terrorist watch lists.

TSA had promised it would only use the limited information about passengers that it had obtained from airlines. Instead, the agency and its contractors compiled files on people using data from commercial brokers and then compared those files with the lists.

The GAO reported that about 100 million records were collected.

The 1974 Privacy Act requires the government to notify the public when it collects information about people. It must say who it's gathering information about, what kinds of information, why it's being collected and how the information is stored.

And to protect people from having misinformation about them in their files, the government must also disclose how they can access and correct the data it has collected.

Before it began testing Secure Flight, the TSA published notices in September and November saying that it would collect from airlines information about people who flew commercially in June 2004.

Instead, the agency actually took 43,000 names of passengers and used about 200,000 variations of those names -- who turned out to be real people who may not have flown that month, the GAO said. A TSA contractor collected 100 million records on those names.

Justin Oberman, the TSA official in charge of Secure Flight, said that was a highly instructive test.

"When you cannot distinguish one John Smith from another, you're going to get records from John Smiths who aren't boarding flights on an order of magnitude we can't handle," Oberman said.

He said the testing is designed to find out what kind of data airlines will need to get -- such as passengers' birthdates --so they can turn it over to the government to check against watch lists.

The GAO letter said that the TSA also said originally that it wouldn't use and store commercial data about airline passengers. It not only did that, it collected and stored information about the people with similar names.

"As a result, an unknown number of individuals whose personal information was collected were not notified as to how they might access or amend their personal data," the letter said.

It was only after meeting with the GAO, which is overseeing the program, that the TSA published a second notice indicating that it would do the things it had earlier said it wouldn't do.
Oberman said it's not unusual to revise such notices.

"We are conducting a test," he said. "I didn't know what the permutations would be."

Oberman also said that the test has no impact on anyone who travels and that the data will be destroyed when the test is over.

Friday's GAO letter shed new light on how the TSA expanded the testing of Secure Flight well beyond its original scope and why it had to publish the second notice.

The letter drew a sharp rebuke from Senate Homeland Security Committee chairman Susan Collins (R-Maine) and the ranking Democrat, Joe Lieberman of Connecticut, in a letter to Homeland Security Secretary Michael Chertoff dated Friday.

"Careless missteps such as this jeopardize the public trust and DHS' ability to deploy a much-needed, new system," the letter said, citing the project's "unfortunate history."

Associated Press

More in Tux Machines

India yet to catch up with FOSS, says Rushabh Mehta of ERPNext

We got a chance to interact with Rushabh Mehta, the founder of Web Notes Technologies, a company based in Mumbai, India. ERPNext is the major product of the company. It is a free and Open Source web based ERP (Enterprise Resource Planning) solution for small and medium sized businesses with its presence in more than 60 countries. In addition to the regular discussions on their Open Source product, strategy, customers etc. we also got a chance to understand how hard it is to thrive in an environment where the “Open Source” philosophy is not a familiar term yet. A software developer by passion and an Industrial Engineer by training, Rushabh also informed us about their imminent product conference in Mumbai he is quite excited about. Read more

Today in Techrights

Mesa 10.3 released

Mesa 10.3 has been released! Mesa 10.3 is a feature release that includes many updates and enhancements. The full list is available in the release notes file in docs/relnotes/10.3.html. The tag in the GIT repository for Mesa 10.3 is 'mesa-10.3'. I have verified that the tag is in the correct place in the tree. Mesa 10.3 is available for download at ftp://freedesktop.org/pub/mesa/10.3/ Read more

Tizen Development Units now available!

The Linux Foundation have today announced the next round of the Tizen development unit program is now available, with the Intel NUC and Samsung RD-PQ hardware devices being available. The Idea behind this program is to put the required hardware in developers hands so they can develop and test their applications on real hardware. It has to be noted that the Samsung RD-PQ device does not have GSM connectivity, and therefore can not be used as a real world device, which is a pity as developers do need real devices so late in the game. Read more