- American Airlines' announcement Friday that it shared
more than a million passenger itineraries with four government contractors
reveals that Transportation Security Administration officials have repeatedly
issued false statements about the development of the passenger-profiling
system known as CAPPS II.
- American Airlines joins a growing list of carriers that
have come forth in recent months to say that they have shared massive amounts
of information about their passengers with the TSA. For the past eight
months, TSA officials have repeatedly said they were not collecting this
data. But American's disclosure raises questions about why the department
has given false information about its data collection.
- The TSA also may have withheld information improperly
from investigators looking into the agency's practices.
- Nuala O'Connor Kelly, the Department of Homeland Security's
chief privacy officer, said she has launched a formal review of the American
Airlines transfer. She said she did not know about these transfers when
she issued a report in February about the TSA's role in convincing JetBlue
to share 5 million itineraries with an Army contractor in August 2002.
- "My office will issue public findings, hopefully
quickly," O'Connor Kelly said.
- CAPPS II, which the TSA hopes to roll out by the end
of the year, will check passenger information such as dates of birth and
home phone numbers against commercial and government databases to help
stop terrorists and those wanted for arrest from boarding planes.
- To see if the system could work, the TSA asked American
Airlines to share passenger information to help its contractors. American
agreed and had its database company, Airline Automation, coordinate the
transfer with the TSA. The agency then directed Airline Automation to send
the data dump directly to its contractors. American says it never authorized
that direct transfer, while Airline Automation says that American did.
- By helping provide its contractors with private records
on Americans, TSA officials likely violated the Privacy Act, which requires
government agencies or their contractors to publicly disclose the existence
of databases on Americans. Not providing that notice is a misdemeanor,
punishable by up to a $5,000 fine.
- According to the criteria set forth in O'Connor Kelly's
JetBlue report, it is likely she will find that the TSA violated the letter
of the law in this instance.
- "Existing Privacy Act processes require government
contractors to abide by Privacy Act rules," she wrote in a report
(PDF) that criticized TSA officials for violating the spirit of the Privacy
Act.
- After the JetBlue transfer was brought to public attention,
TSA spokesman Brian Turmail told Wired News that the TSA had never used
passenger records for testing CAPPS II, nor had it provided records to
its contractors.
- But American Airlines said Friday afternoon that it did
share 1.2 million passenger records in June 2002 with four government contractors
working on CAPPS II. Those companies are HNC Software (now Fair Isaac),
Infoglide Software, Ascent Technology and defense contractor Lockheed Martin.
- Each received between $225,000 and $550,000 from the
TSA in 2002 to test computer algorithms they hoped would be able to pinpoint
terrorists' travel plans, according to a 2002 Washington Post story. The
details of the Post story were later confirmed by a TSA spokesman.
- American Airlines is the third major domestic airline
to admit sharing vast amounts of customer information to aid government
data-mining efforts, following JetBlue's admission in September 2003 and
Northwest Airlines' admission in January. Both Northwest and American gave
false information to the press in the wake of the JetBlue scandal, saying
they had never turned over information about their passengers.
- Like JetBlue and Northwest, American faces class-action
lawsuits from passengers. A suit was already filed Monday in the U.S. District
Court for the Northern District of Texas.
- Edward Hasbrouck, the privacy activist who first discovered
evidence of the JetBlue transfer, questioned last fall why the TSA would
help Army contractor Torch Concepts obtain millions of passenger records
for a data-mining study, but not do the same for its own contractors developing
data-mining algorithms.
- "The contractors would need passenger data so that
the TSA could evaluate which was the best technology," Hasbrouck said
in September 2003. "So the TSA is either lying or they are incompetent."
- Department representatives have said many times in the
past that their contractors never received data.
- In September 2003, Wired News asked TSA spokesman Nico
Melendez whether those four contractors had used real passenger records
to test and develop their systems. Melendez denied it, saying, "We
have only used dummy data to this point."
- "Our agency was only five months old at the time"
when these four companies were developing their systems, Melendez said.
"We did not need the data at that time."
- Mark Hatfield, the TSA's director of communications,
denied that agency spokesmen deceptively gave out incorrect information.
- "If Nico Melendez and Brian Turmail were not aware
of it or were not told internally when they asked people closest to those
events who did not know or did not inform them, it is a reach to say they
lied or there was an attempt to deceive because I know both of these individuals
and don't believe either of them would do that," Hatfield said.
- When Wired News asked Hatfield in January whether the
contractors had used actual passenger data, he said he did not know and
that he would look into the matter. Hatfield declined to speculate why
Melendez and Turmail denied a transfer took place, saying he was not a
party to that conversation.
- Wired News followed up on that inquiry with a Freedom
of Information Act request. The agency denied the request for expedited
processing, which Wired News appealed to Douglas Callen, who heads the
TSA's Office of Security. Callen denied the appeal, writing that Wired
News "failed to demonstrate there exists an 'urgency to inform the
public about an actual or alleged federal government activity.'"
- Almost six months after the original request, the TSA
has yet to release any of the requested documents.
- The TSA also apparently failed to inform members of Congress
or the General Accounting Office, Congress' investigative arm, about soliciting
airline data for its contractors or testing CAPPS II with real data. The
GAO released a report (PDF) in February about the program. According to
the report, the TSA told the GAO that CAPPS II has only been tested with
32 itineraries provided by agency employees.
- It also remains unclear why TSA officials did not publicly
reveal the data transfer in the wake of the JetBlue scandal or inform O'Connor
Kelly of the transfers during her five-month-long JetBlue investigation.
- Hatfield said it was too early for him to say why the
TSA never informed O'Connor Kelly or the GAO about the transfer, and that
the agency was working on gathering the relevant information.
- Lee Tien, a staff attorney for the Electronic Frontier
Foundation, repeated his organization's call for a congressional investigation
of the travel industry's sharing of passenger data with the government.
- "After the Northwest disclosure, we said it was
time for an investigation," said Tien. "Who else is giving your
data to the government? Let's stop this hemorrhaging of passenger data,
and let's see what the full extent of this is."
- Tien also questioned American Airlines' assurance that
its passenger data has been returned or destroyed.
- "Lockheed Martin is the integrator for the CAPPS
II system," Tien said. "How do we know it destroyed the data?"
- © Copyright 2004, Lycos, Inc. All Rights Reserved.
http://www.wired.com/news/print/0,1294,63025,00.html