Wired reporter Ryan Singel has a must-read piece providing an update on the Transportation Security Administration's (TSA) outrageous behavior in testing the fundamentally flawed "Secure Flight" passenger-surveillance program:

Homeland Security officials who defied Congress and misled the public by creating secret files on American citizens while testing a new passenger screening program may have engaged in multiple counts of criminal conduct, and at least one employee has already lied to cover-up the misdeed.

On Monday, the Transportation Security Administration confirmed allegations that officials running the so-called Secure Flight program violated legally binding promises by secretly sharing and collecting detailed personal data on American citizens from commercial data brokers.

These announced violations of the Privacy Act add yet another chapter to the increasingly repetitive story of the TSA's sloppy data practices, disregard for the nation's privacy laws, and false statements to the American public, Congress and the media.

[...]

TSA officials, including Secure Flight program manager Justin Oberman, are now working furiously behind the scenes, using words like "unsurprising," to downplay the extent of their wrongdoing to Congressional investigators, journalists, and civil liberties groups.

But the misconduct actually pertains to the crux of earlier official notices that promised that the agency would never get a hold of commercial data during the tests, according to Peter Swire, a law professor and the former top Clinton Administration privacy official.

"The use of commercial data was the single biggest issue in this system of records," Swire said. "It was at the center of Congressional debate; it was the topic of extended discussion by the agency, and an intentional, systematic violation of that promise is a big deal."

"This was likely a criminal violation," Swire said. "If the agency can ignore that sort of promise that would undercut the entire Privacy Act."

Indeed it would.

Here's the smoking gun (PDF) -- a revised Privacy Act "systems of records" notice and a revised privacy impact assessment.

The most breathtaking privacy violation: TSA massively expanded the scope of the private information collected for testing Secure Flight.

TSA had initially said, "Individuals subject to the data collection requirements and processes of Secure Flight are persons who traveled within the United States during June 2004, the pre-selected 30-day period."

During actual testing, however, TSA's contractor picked 42,000 names from the list of June air travelers, and for each of those names "created up to twenty variations of a person's first and last names" -- meaning that it submitted an extra 240,000 new names to three commercial data brokers (Acxiom, InsightAmerica, and Qsent).

TSA didn't say how many of these 282,000 names yielded commercial dossiers. But it's clear that personal information about many tens of thousands of people who didn't even fly in June 2004 was turned over.

Moreover, the commercial data brokers handed over people's Social Security numbers without even being asked; the revised SORN/PIA states: "In some cases the commercial data aggregators provided information that [TSA contractor] EagleForce did not request, such as social security numbers, due to the way the commercial data aggregators packaged their product."

All of this violates the Privacy Act, under which agencies must give public advance notice of "the existence and character" of any system of records that stores personal information. 5 U.S.C. ? 552a(e)(4). Failure to do so can, in theory, subject agency officers or employees to criminal penalties. 5 U.S.C. ? 552a(i)(2) ("Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.")

It should be clear that "commercial data" is the devil's candy for passenger screening true believers, who seem to have vowed that "if only we could get just a few more data points, we'll show them that Secure Flight works."

This should be TSA's last lie -- and the last time a government agency strips us of our privacy for this disastrous program.

Previous relevant Deep Links posts:

Related Issues