- A top homeland security official told Congress that five
major domestic airlines turned over sensitive passenger data to the agency
or its contractors in 2002 and 2003, contradicting numerous statements
by airline and government officials and confirming some of the worst fears
of privacy advocates.
-
- Delta, Continental, America West, JetBlue and Frontier
Airlines secretly turned over sensitive passenger data to Transportation
Security Administration contractors in the spring and summer of 2002, according
to the sworn statement of acting TSA chief David Stone. In addition, two
of the four largest airline reservation centers, Galileo International
and Sabre, also gave sensitive passenger information, including home phone
numbers, credit card numbers and health data, without disclosing the transfers
to travelers or asking their permission.
-
- This is the third time in the past nine month that knowledge
of the scope of secret information disclosures by airlines has expanded,
and now six of the 10 largest airlines are known to have given data to
the government secretly. Stone's disclosure also raises questions about
whether TSA officials intentionally withheld information from previous
inquiries by the Government Accounting Office, members of Congress and
the Department of Homeland Security's chief privacy officer, Nuala O'Connor
Kelly.
-
- In addition, the TSA or its contractors may have violated
the Privacy Act, which prohibits the government from compiling secret databases
on Americans. Officials could face civil and criminal penalties.
-
- The TSA and its contractors sought the data because they
were working on an airline passenger screening system known as CAPPS II.
They needed the data to test whether their computer programs could detect
terrorists out of the million and half people who fly daily.
-
- Under CAPPS II, the government would check passenger's
airline reservation information against commercial databases, a terrorist
watch list and a criminal warrant database to ferret out terrorists and
criminals.
-
- Critics say the system is not only invasive but probably
ineffective. The TSA is also being sued by several Alaskans who say the
system will prevent them from traveling in their remote state.
-
- In his statement, Stone said the agency's officials didn't
believe the transfers violated the Privacy Act, since the contractors did
not look up passengers by name. But O'Connor Kelly has made clear in her
statements and investigations that she considers transfers of data themselves
serious violations of privacy.
-
- "Existing Privacy Act processes require government
contractors to abide by Privacy Act rules," she wrote in a report
(PDF) that criticized TSA officials for violating the spirit of the Privacy
Act in helping the Army get passenger data.
-
- The revelation will also likely widen the scope of an
ongoing investigation into TSA data transfers by the Department of Homeland
Security's Inspector General's office, which has the authority to fire
negligent employees.
-
- Airlines and reservation companies may also face class-action
lawsuits if the disclosures violated their privacy policies.
-
- Stone, who is facing his confirmation hearing in the
Senate Wednesday, disclosed the transfers as part of his sworn written
testimony submitted to the Senate Governmental Affairs committee. That
committee has oversight over both the Privacy Act and the Department of
Homeland Security, and must approve any political appointees to the department.
-
- Over the past eight months, chairwoman Sen. Susan Collins
(R-Maine) and ranking member Joe Lieberman (D-Connecticut) have aggressively
pushed for the Army and TSA to clarify their roles in receiving passenger
data.
-
- However, the TSA did not tell the senators about the
extent of the transfers and the Army has yet to make the results of its
investigation public.
-
- In November 2003, the senators also asked Stone's predecessor,
retired Adm. James Loy, whether "any contractors working on CAPPS
II used any real-world data for testing purposes." Loy led the TSA
from July 2002 until he was promoted to the second-highest position in
the Department of Homeland Security in October 2003.
-
- Loy's sworn written response was, "No. TSA has not
used any (passenger) data to test any of the functions of CAPPS II."
-
- Two TSA spokesmen also made false statements to Wired
News about the extent of the transfers.
-
- After the JetBlue transfer was brought to public attention
in September 2003, TSA spokesman Brian Turmail told Wired News that the
TSA had never used passenger records for testing CAPPS II, nor had it provided
records to its contractors. In September 2003, Wired News asked TSA spokesman
Nico Melendez whether the TSA's four contractors had used real passenger
records to test and develop their systems. Melendez denied it, saying,
"We have only used dummy data to this point."
-
- "Our agency was only five months old at the time"
when these four companies were developing their systems, Melendez said.
"We did not need the data at that time."
-
- The TSA has also not released any information about the
JetBlue contractors to Freedom of Information act requesters, even though
it granted requests expedited status in the fall.
-
- The data transfer revelations started in the spring of
2003, when privacy activist Bill Scannell launched a boycott of Delta for
its role in helping test CAPPS II. But the first real proof of extensive
data sharing came in September 2003, when Wired News reported that JetBlue
had turned over its entire passenger database to a defense contractor studying
passenger profiling algorithms.
-
- JetBlue apologized for the violation of its privacy policy,
describing it as a one-time mistake. But it wasn't a one-time event. The
upstart airline transferred passenger data not one but three times, according
to Stone's statement.
-
- JetBlue also gave records in the spring of 2003 directly
to the TSA, which used the data to tweak the current passenger profiling
system, Stone revealed. JetBlue also gave records to at least one of the
proof-of-concept CAPPS II contractors.
-
- JetBlue's data transfers were facilitated by Acxiom,
a database marketing company in Arkansas that handles JetBlue reservations
and has since landed a CAPPS II subcontract.
-
- The TSA's prototype contractors are HNC Software (now
Fair Isaac), Infoglide Software, Ascent Technology and defense contractor
Lockheed Martin. Each received between $225,000 and $550,000 from the TSA
in 2002 to test computer algorithms they hoped would be able to pinpoint
terrorists' travel plans, according to a 2002 Washington Post story. The
details of the Post story were later confirmed by a TSA spokesman.
-
- In 2003, Lockheed won the TSA contract to build out CAPPS
II and was paid for $12.8 million in the first year of its five year CAPPS
II contract.
-
- Stone's statement, however, refrains from calling the
companies contractors, referring to them as "cooperative agreement
recipients," and makes no mention of the payments to the companies.
-
- The TSA also apparently failed to inform the General
Accounting Office, Congress' investigative arm, about soliciting airline
data for its contractors. The GAO released a report in February about the
program. According to the report, the TSA told the GAO that CAPPS II has
only been tested with 32 itineraries provided by agency employees. Stone
did not indicate how many passenger records were turned over by the companies
and the TSA, but said all records had been destroyed or returned.
-
- Congress has already stepped in to register it concerns
about CAPPS II and has banned it from being deployed until the GAO certifies
it meets eight privacy and effectiveness criteria. The GAO certified the
program met only one of these criteria in its February report.
-
- © Copyright 2004, Lycos, Inc. All Rights Reserved.
http://wired.com/news/politics/0,1283,63958,00.html?tw=wn_tophead_1
|