I’ve been following the developing story surrounding revelations that various airlines and travel agencies have secretly turned over sensitive passenger data to the Transportation Security Administration without the passenger’s knowledge or consent. TSA officials then lied about this to other government agencies and the public. Wired News has an article up about testimony from acting TSA chief David Stone that indicates that five major airlines and two airline reservation companies provided data to the TSA or its contractors in 2002 and 2003. His testimony contradicts numerous statements made by both airline and government officials.
Delta, Continental, America West, JetBlue and Frontier Airlines secretly turned over sensitive passenger data to Transportation Security Administration contractors in the spring and summer of 2002, according to the sworn statement of acting TSA chief David Stone. In addition, two of the four largest airline reservation centers, Galileo International and Sabre, also gave sensitive passenger information, including home phone numbers, credit card numbers and health data, without disclosing the transfers to travelers or asking their permission.
This is the third time in the past nine months that knowledge of the scope of secret information disclosures by airlines has expanded, and now six of the 10 largest airlines are known to have given data to the government secretly. Stone’s disclosure also raises questions about whether TSA officials intentionally withheld information from previous inquiries by the Government Accounting Office, members of Congress and the Department of Homeland Security’s chief privacy officer, Nuala O’Connor Kelly.
In addition, the TSA or its contractors may have violated the Privacy Act, which prohibits the government from compiling secret databases on Americans. Officials could face civil and criminal penalties.
If you recall, the folks at the TSA have been working on a passenger screening system known as CAPPS II, which in theory is supposed to help pick out potential terrorists by comparing a passenger’s airline reservation information to various commercial databases, a terrorist watch list and a criminal warrant database. CAPPS II has already been banned from deployment by an act of Congress until it receives GAO approval that it complies with eight privacy and effectiveness criteria, and as of a February report the GAO said CAPPS II met only one of those requirements. It’s not even deployed yet and it’s already embroiled in a major privacy scandal.
Wired goes on to list various false statements made by TSA officials, including Stone’s predecessor, retired Adm. James Loy. When the Senate Governmental Affairs Committee asked him in July of 2002 whether any real-world data had been used to test CAPPS II, he replied that only dummy data had been used.
Loy’s sworn written response was, “No. TSA has not used any (passenger) data to test any of the functions of CAPPS II.”
Two TSA spokesmen also made false statements to Wired News about the extent of the transfers.
After the JetBlue transfer was brought to public attention in September 2003, TSA spokesman Brian Turmail told Wired News that the TSA had never used passenger records for testing CAPPS II, nor had it provided records to its contractors. In September 2003, Wired News asked TSA spokesman Nico Melendez whether the TSA’s four contractors had used real passenger records to test and develop their systems. Melendez denied it, saying, “We have only used dummy data to this point.”
“Our agency was only five months old at the time” when these four companies were developing their systems, Melendez said. “We did not need the data at that time.”
The TSA has also not released any information about the JetBlue contractors to Freedom of Information Act requesters, even though it granted requests expedited status in the fall.
The data transfer revelations started in the spring of 2003, when privacy activist Bill Scannell launched a boycott of Delta for its role in helping test CAPPS II. But the first real proof of extensive data sharing came in September 2003, when Wired News reported that JetBlue had turned over its entire passenger database to a defense contractor studying passenger profiling algorithms.
There’s more in the article on further false statements and failures to inform the GAO about asking for the data in the first place, but you can go read the rest for yourself. This could blow up into a major mess pretty soon, with possible criminal investigations as well as class action lawsuits. With any luck it might even bring about an end to CAPPS II, as it’s debatable how effective it would be anyway, but that may be hoping for too much.