TSA Broke Privacy Laws

The Transportation Security Administration violated privacy protections by secretly collecting personal information on at least 250,000 people, congressional investigators said Friday.

The Government Accountability Office sent a letter to Congress saying the collection violated the Privacy Act, which prohibits the government from compiling information on people without their knowledge.

The information was collected as the agency tested a program, now called Secure Flight, to conduct computerized checks of airline passengers against terrorist watch lists.

TSA had promised it would only use the limited information about passengers that it had obtained from airlines. Instead, the agency and its contractors compiled files on people using data from commercial brokers and then compared those files with the lists.

The GAO reported that about 100 million records were collected.

The 1974 Privacy Act requires the government to notify the public when it collects information about people. It must say who it's gathering information about, what kinds of information, why it's being collected and how the information is stored.

And to protect people from having misinformation about them in their files, the government must also disclose how they can access and correct the data it has collected.

Before it began testing Secure Flight, the TSA published notices in September and November saying that it would collect from airlines information about people who flew commercially in June 2004.

Instead, the agency actually took 43,000 names of passengers and used about 200,000 variations of those names -- who turned out to be real people who may not have flown that month, the GAO said. A TSA contractor collected 100 million records on those names.

Justin Oberman, the TSA official in charge of Secure Flight, said that was a highly instructive test.

"When you cannot distinguish one John Smith from another, you're going to get records from John Smiths who aren't boarding flights on an order of magnitude we can't handle," Oberman said.

He said the testing is designed to find out what kind of data airlines will need to get -- such as passengers' birthdates -- so they can turn it over to the government to check against watch lists.

The GAO letter said that the TSA also said originally that it wouldn't use and store commercial data about airline passengers. It not only did that, it collected and stored information about the people with similar names.

"As a result, an unknown number of individuals whose personal information was collected were not notified as to how they might access or amend their personal data," the letter said.

It was only after meeting with the GAO, which is overseeing the program, that the TSA published a second notice indicating that it would do the things it had earlier said it wouldn't do.

Oberman said it's not unusual to revise such notices.

"We are conducting a test," he said. "I didn't know what the permutations would be."

Oberman also said that the test has no impact on anyone who travels and that the data will be destroyed when the test is over.

Friday's GAO letter shed new light on how the TSA expanded the testing of Secure Flight well beyond its original scope and why it had to publish the second notice.

The letter drew a sharp rebuke from Senate Homeland Security Committee chairman Susan Collins (R-Maine) and the ranking Democrat, Joe Lieberman of Connecticut, in a letter to Homeland Security Secretary Michael Chertoff dated Friday.

"Careless missteps such as this jeopardize the public trust and DHS' ability to deploy a much-needed, new system," the letter said, citing the project's "unfortunate history."

Associated Press
