Secure Flight violated privacy law, report finds

DHS privacy agency says TSA program claimed it wasn't using commercial data when it was doing just that.

The Transportation Security Administration violated federal law by gathering passenger information from commercial databases without notifying passengers, a report by the Department of Homeland Security's privacy office concludes.

According to the Washington Post, TSA's Secure Flight program violated the 1974 Privacy Act, which requires that the public be made aware of any changes in a federal program that affects the privacy of U.S. citizens.

"As ultimately implemented, the commercial data test conducted in connection with the Secure Flight program testing did not match [the Transportation Security Administration's] public announcements," the report states."... The disparity between what TSA proposed to do and what it actually did in the testing program resulted in significant privacy concerns being raised. . . . Privacy missteps such as these undercut an agency's effort to implement a program effectively, even one that promises to improve security."

The report comes as DHS faces a firestorm over the recent admission that the department has been using commercial database to create risk assessments of travelers that would be stored for 40 years.

In 2004, the TSA published a Federal Register notice on a data-test phase of the program, saying that "strict firewalls" would prevent any commercial data from mixing with government data. However, this was based on the notion that the Secure Flight contractor, EagleForce Associates Inc. of McLean, would ensure that no commercial data were used, the report said.

But by the time the EagleForce contract was finalized, "it was clear that TSA would receive commercial data," the report says. If, for instance, TSA data for an individual passenger lacked an address or date of birth, EagleForce would obtain the missing information from commercial data brokers. "The fact that EagleForce had access to the commercial data did not create a firewall," the report says, because under the Privacy Act, in effect, "EagleForce stands in the shoes of TSA."

It's all old news, a TSA spokeswoman said. The agency has "already implemented or is in the process of implementing" the report's recommendations. She said the report's conclusions were not surprising, adding that they were "very similar" to those reached last year by the General Accounting Office, the government's auditing arm.