The programme, known as Secure Flight, is a security measure
brought in under the Transportation Security Act to check the names
of airline passengers against lists of terrorist suspects. The
first version of the screening programme, CAPPS II, was cancelled
last year amid growing concerns that it would not protect
Americans’ privacy or security.
The latest controversy was unearthed by the Government
Accountability Office (GAO), which on Friday reported to Congress
that the TSA had obtained over 100 million records from databases
legitimately held by three commercial data companies, covering
details such as names, addresses and phone numbers.
However, the TSA requested records not only in relation to
43,000 names obtained from airline data records, but also in
relation to 200,000 other versions of those names. This meant that
the 100 million records returned on the 243,000 names
related to a large number of people who had not actually flown in
June 2004 – the month advertised by the TSA as the one in which it
would be collecting data.
In addition, while the TSA had advised the public that it would
be collecting data on travellers flying in June 2004, the report
said the agency was in violation of the US Privacy Act because it
also collected and stored commercial data records, even though it
had said in its privacy notices that it would not do so.
The Privacy Act is designed to ensure that there are no secret
government systems for gathering personal data, and that any data
collected is restricted to that which is strictly necessary.
The Act also requires: that individuals can see what information
is kept about them, and can challenge the accuracy of that
information; that personal data collected for one purpose cannot
then be used for another purpose without consent; and that if any
data are disclosed, the individuals involved will be able to find
out to whom, when and why they were disclosed.
According to the GAO report, the agency’s privacy notices, which
were meant to inform travellers of how their information is used,
did not state what data would be collected, whose data would be
collected or how the public could access and amend their data.
When it was revealed in June that the TSA had collected these
personal records, the agency took steps to retrospectively amend
its privacy notices to inform the public of what happened.
According to the American Civil Liberties Union, these steps
represented too little, too late.
"Lawmakers must undertake a full investigation into TSA's data
mismanagement," Timothy Sparapani, an ACLU lawyer, said on Friday.
"TSA has shown it cannot securely, and honestly, manage sensitive
personal information for proposed screening programs. If the agency
is allowed to move forward with Secure Flight, Americans’ private
information will be at risk."
Senators Susan Collins (Republican) and Joseph Lieberman
(Democrat) of the Senate Committee on Homeland Security and
Governmental Affairs also criticised the TSA, sending a letter to
the head of the Department of Homeland Security, Michael Chertoff,
to express their concerns.
“We understand that, in response to GAO’s assertions, TSA took
corrective actions to inform the public of its actual test
protocols through updated privacy notices,” wrote Senators Collins
and Lieberman. “However, that action does not excuse TSA’s failure
to meet basic Privacy Act requirements in carrying out this
program.”
The letter continued: “Given fundamental concerns surrounding
the government’s use of personal information and the unfortunate
history of TSA’s passenger prescreening program, careless missteps
such as this jeopardise the public trust and DHS’ ability to deploy
a much-needed, new system.”
It will also be of little comfort to European legislators who,
in December 2003, after lengthy negotiations, finally approved an
agreement formalising the transfer of US-bound airline passenger
data to US Customs.
The agreement was made in the face of strong opposition from the
European Parliament, which was concerned both with the terms of the
agreement and the fact that US laws do not meet general EU data
protection requirements.
The agreement is already the subject of a referral to the
European Court of Justice.