Untitled Document
WASHINGTON -- The federal agency in charge of aviation security collected extensive
personal information about airline passengers even though Congress forbade it
and officials said they wouldn't do it, according to documents obtained Monday
by The Associated Press.
The Transportation Security Administration is buying and storing detailed personal
information about U.S. citizens who flew on commercial airlines in June 2004
as part of a test of a terrorist screening program called Secure Flight, according
to documents that will be published in the Federal Register this week.
"TSA is losing the public's trust," said Tim Sparapani, a privacy
lawyer with the American Civil Liberties Union. "They have a repeated,
consistent problem with doing one thing and then saying they did another."
Secure Flight and its predecessor, CAPPS II, have been criticized for secretly
obtaining personal information about airline passengers and failing to do enough
to protect it.
The TSA and several airlines were embarrassed last year when it was revealed
that personal information on 12 million passengers was given to the government
without the permission or knowledge of the travelers. An inspector general's
report found that the TSA misled the public about its role in acquiring the
data.
Class-action lawsuits have been brought against airlines and government contractors
for sharing their passengers' information. As a result, airlines agreed to turn
over passenger data for testing only after they were ordered to do so by the
government in November.
According to the documents, the TSA gave the data, known as passenger name
records, to its contractor, Virginia-based EagleForce Associates. Passenger
name records can include a variety of information, including name, address,
phone number and credit card information.
EagleForce then compared the passenger name records with commercial data from
three contractors that included first, last and middle names, home address and
phone number, birth date, name suffix, second surname, spouse first name, gender,
second address, third address, ZIP code and latitude and longitude of address.
The reason for the comparison was to find out if the passenger name record data
was inaccurate, according to the TSA.
EagleForce then produced CD-ROMs containing the information _ except for latitude
and longitude and spouse's first name _ "and provided those CD-ROMs to
TSA for use in watch list match testing," the documents said. TSA now stores
that data.
According to previous official notices, TSA had said it would not store commercial
data about airline passengers.
The Privacy Act of 1974 prohibits the government from keeping a secret database.
It also requires agencies to make official statements on the impact of their
record keeping on privacy.
The TSA revealed its use of commercial data in a revised Privacy Act statement
to be published in the Federal Register on Wednesday.
"This is like creating an FBI file, not just some simple check, and then
they're storing the data," Sparapani said.
TSA spokesman Mark Hatfield said the program was being developed with a commitment
to privacy, and that it was routine to change Privacy Act statements during
testing.
"Secure Flight is built on an airtight privacy platform, and the GAO (Government
Accountability Office) and Congress are providing close oversight every step
of the way," he said. "The purpose of the testing is to define what
the program will ultimately look like."
The TSA said that it is protecting the data from theft and carefully restricting
access to it.
Congress said that no money could be spent to test such an identity verification
system "until TSA has developed measures to determine the impact of such
verification on aviation security and the Government Accountability Office has
reported on its evaluation of the measures." That language was part of
the Homeland Security Department spending bill, which became law on Oct. 18.
The GAO didn't issue its report on Secure Flight testing until March 28.
Hatfield said appropriate congressional committees were briefed on the contract
_ awarded to EagleForce on Feb. 22 _ in December.
But Bruce Schneier, a security expert who serves on the TSA-appointed oversight
panel for Secure Flight, said the agency was explicitly told not to try to verify
passengers' identity with commercial data.
"They're doing what they want and they're working around any rules that
exist," Schneier said.
Last week, the Homeland Security Department's chief privacy officer, Nuala
O'Connor Kelly, announced that she's conducting an investigation of the TSA's
use of commercial data for Secure Flight testing.