TSA data collection attacked, fliers urged to request records
Last week, four Alaskans filed suit against the Transportation Security Administration (TSA) to stop the agency from destroying records collected during a test of Secure Flight in June 2004. Today, the Electronic Frontier Foundation is encouraging people to file their own records requests to further slow the destruction of records. Under the Privacy Act of 1974, federal agencies must allow citizen access to records about them so they can correct any errors.
The TSA collected 100 million records - including names, addresses and phone numbers - from airlines about 43,000 people who flew in June 2004 and 200,000 people with similar names. In May, attorney Jim Harrison, on behalf of the four, sued for access to the records, but TSA said they couldn't find any. TSA told Wired it destroyed 3 million records in April and would eventually destroy all the files.
Last month, the Government Accountability Office issued a memo (PDF) taking TSA to task for privacy violations.TSA did not fully disclose to the public its use of personal information in its fall 2004 privacy notices as required by the Privacy Act. In particular, the public was not made fully aware of, nor had the opportunity to comment on, TSA’s use of personal information drawn from commercial sources to test aspects of the Secure Flight program. In September 2004 and November 2004, TSA issued privacy notices in the Federal Register 3 that included descriptions of how such information would be used. However, these notices did not fully inform the public before testing began about the procedures that TSA and its contractors would follow for collecting, using, and storing commercial data. In addition, the scope of the data used during commercial data testing was not fully disclosed in the notices. Specifically, a TSA contractor, acting on behalf of the agency, collected more than 100 million commercial data records containing personal information such as name, date of birth, and telephone number without informing the public. As a result of TSA’s actions, the public did not receive the full protections of the Privacy Act.
The Dept. of Homeland Security responded that the Federal Register notice was compliant as far as the plan had been created, that TSA has taken steps to secure personal information, and is committed to protecting privacy.