"Secure Flight" Returns, Lacking Privacy Protections
I'm currently tapping into my laptop a few feet away from Michael Chertoff, Secretary of the US Department of Homeland Security. He is giving the keynote at Terra Incognita: the annual conference of Data Protection and Privacy Commissioners, here in Montreal.
His audience has him on the defensive. In the room are the European data protection registrars, the government officials who protested strongly against his department's recent agreement with the EU, which hands over their citizens' passenger name records (PNRs) to the United States government with little oversight.
To protect himself from their threatening demeanours, Chertoff has some fine phrases. He spoke on how the DHS "defends all of [the United States'] values, including privacy," and how he personally seeks to ensure his department "rigorously adheres to the laws pertaining to privacy." And he noted that his department has released large number of privacy-related notes for public examination.
On Monday, EFF filed our comments on two of those notes, on the Transportation Security Administration (TSA)'s intent to exempt key data collection from the protections of the Privacy Act in its Secure Flight program.
Secure Flight is the system that the TSA plans to roll out in 2008 for all air flights. It will allow the DHS to collect the passenger records you are obliged to hand over to airlines when you travel, and then connect that personal data with other government databases, within the DHS and elsewhere.
Secure Flight has had a long and ignoble history, with frequent protests from both Congress and privacy groups, leading to its postponement in 2006.
In these new documents, the DHS still seeks to exempt Secure Flight from the
protections of US privacy law. Individuals will be prevented from discovering what data is kept on them, lack the ability to correct that data, and lack the right to judicial review to force data to be corrected if the DHS refuses.
As we say in our filing:
When it enacted the Privacy Act in 1974, Congress sought to restrict the amount of personal information that federal agencies could collect and, significantly, required agencies to be transparent in their information practices. The Privacy Act is intended "to promote accountability, responsibility, legislative oversight, and open government with respect to the use of computer technology in the personal information systems and data banks of the Federal Government[.]" Adherence to these requirements is critical for a system like Secure Flight.
It seems that in his eagerness to "defend our values", Mr Chertoff would do without the privacy protections afforded by our laws. When the database his department intends to build would include everyone, suspect or innocent, who flies within the United States, our privacy requires more protection, not less.