The Last Lie for TSA?
Wired reporter Ryan Singel has a must-read piece providing an update on the Transportation Security Administration's (TSA) outrageous behavior in testing the fundamentally flawed "Secure Flight" passenger-surveillance program:
Homeland Security officials who defied Congress and misled the public by creating secret files on American citizens while testing a new passenger screening program may have engaged in multiple counts of criminal conduct, and at least one employee has already lied to cover-up the misdeed.
On Monday, the Transportation Security Administration confirmed allegations that officials running the so-called Secure Flight program violated legally binding promises by secretly sharing and collecting detailed personal data on American citizens from commercial data brokers.
These announced violations of the Privacy Act add yet another chapter to the increasingly repetitive story of the TSA's sloppy data practices, disregard for the nation's privacy laws, and false statements to the American public, Congress and the media.
TSA officials, including Secure Flight program manager Justin Oberman, are now working furiously behind the scenes, using words like "unsurprising," to downplay the extent of their wrongdoing to Congressional investigators, journalists, and civil liberties groups.
But the misconduct actually pertains to the crux of earlier official notices that promised that the agency would never get a hold of commercial data during the tests, according to Peter Swire, a law professor and the former top Clinton Administration privacy official.
"The use of commercial data was the single biggest issue in this system of records," Swire said. "It was at the center of Congressional debate; it was the topic of extended discussion by the agency, and an intentional, systematic violation of that promise is a big deal."
"This was likely a criminal violation," Swire said. "If the agency can ignore that sort of promise that would undercut the entire Privacy Act."
Indeed it would.
Here's the smoking gun (PDF) -- a revised Privacy Act "systems of records" notice and a revised privacy impact assessment.
The most breathtaking privacy violation: TSA massively expanded the scope of the private information collected for testing Secure Flight.
TSA had initially said, "Individuals subject to the data collection requirements and processes of Secure Flight are persons who traveled within the United States during June 2004, the pre-selected 30-day period."
During actual testing, however, TSA's contractor picked 42,000 names from the list of June air travelers, and for each of those names "created up to twenty variations of a person's first and last names" -- meaning that it submitted an extra 240,000 new names to three commercial data brokers (Acxiom, InsightAmerica, and Qsent).
TSA didn't say how many of these 282,000 names yielded commercial dossiers. But it's clear that personal information about many tens of thousands of people who didn't even fly in June 2004 was turned over.
Moreover, the commercial data brokers handed over people's Social Security numbers without even being asked; the revised SORN/PIA states: "In some cases the commercial data aggregators provided information that [TSA contractor] EagleForce did not request, such as social security numbers, due to the way the commercial data aggregators packaged their product."
All of this violates the Privacy Act, under which agencies must give public advance notice of "the existence and character" of any system of records that stores personal information. 5 U.S.C. ? 552a(e)(4). Failure to do so can, in theory, subject agency officers or employees to criminal penalties. 5 U.S.C. ? 552a(i)(2) ("Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.")
It should be clear that "commercial data" is the devil's candy for passenger screening true believers, who seem to have vowed that "if only we could get just a few more data points, we'll show them that Secure Flight works."
This should be TSA's last lie -- and the last time a government agency strips us of our privacy for this disastrous program.
Previous relevant Deep Links posts:
Recent DeepLinks Posts
Aug 26, 2016
Aug 25, 2016
Aug 24, 2016
Aug 23, 2016
Aug 22, 2016
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Artificial Intelligence & Machine Learning
- Bloggers' Rights
- Border Searches
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Electronic Frontier Alliance
- Encrypting the Web
- Export Controls
- Fair Use and Intellectual Property: Defending the Balance
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2016 Copyright Review Process
- Free Speech
- Genetic Information Privacy
- Government Hacking and Subversion of Digital Security
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Know Your Rights
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- Mobile devices
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Offline : Imprisoned Bloggers and Technologists
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Reclaim Invention
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- State-Sponsored Malware
- Student Privacy
- Stupid Patent of the Month
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- TPP's Copyright Trap
- Trade Agreements and Digital Rights
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- UK Investigatory Powers Bill
- Video Games