A History Of Falsehood After Falsehood
The Department of Homeland Security's Inspector General, in a
report released late on Good Friday, admitted that the TSA
systematically misled almost everybody. Some of the specifics in
the report are listed below.
JetBlue
In September 2003, news reports indicated that TSA had acquired
millions of passenger records from JetBlue. The agency's FOIA staff
was deluged with press and passenger inquiries, which they answered
by denying that the agency had any JetBlue records -- at first,
briefly, in good faith, but by May 2004 they discovered that the
reports were true. In fact, by that time the FOIA staff had a
complete copy of the records, and "locked them in the office
document room, where they remain" [Report, p. 44.] FOIA and PR
staff maintained their denials, now deliberately falsely, until
release of this report; and as the IG report hit print their denial
was still on the TSA website; they hastily pulled it down, their
one substantive response to the report's recommendations.
CAPPS II
Also in September 2003, a TSA spokesman told a Wired News
reporter, in answer to a direct question, that fake data, not real
passenger data, were used in development and testing of the CAPPS
II system. The reporter and spokesman were not identified in the
report, but were Ryan Singel of the technology news site Wired, and
Brian Turmail of TSA. Turmail's statement was not true. Turmail
also told Singel that the release of data was, in Singel's
paraphrase, "for a Pentagon proof-of-concept program related to
improving security on military bases." This statement was also
false. Turmail, says the IG report, "denied that four contractors
had used real passenger records...." This statement was false. In
fact, the contractors had received that data; there may have been
more than four contractors involved. As the IG report sums up the
whole sad case of Turmail, "the responses that the TSA spokesmen
provided to Wired News were not accurate."
The data Torch Concepts secured included 5 million passenger
itineraries and matching credit information from JetBlue, plus
social security numbers and credit-reporting database information.
Torch had individual income information, but apparently did not
succeed in getting complete IRS data. Privacy activist Bill
Scannell said at the time, ""Anyone who flew JetBlue before
September 2002 should be aware and very scared that there is a
dossier on them."
Loy Misleads
On November 18, 2003, TSA director Admiral James Loy testified
under oath to the US Senate Governmental Affairs Committee that TSA
did not provide JetBlue passenger data to a contractor, Torch
Concepts, which had leaked some of the data onto the Internet. Loy
swore that "TSA provided assistance '...only in the form of an
introduction for DOD to JetBlue Airlines [sic]." [Report, p.44]
This statement was false. The reason that Torch had the data, the
report recounts, is that TSA told JetBlue to hand it over.
The report is silent on
whether Loy knew he was feeding the Senate a lie, or was himself
misled by subordinates, who are only identified in the report as
"TSA employees [who] assisted in preparing responses to a ...
questionnaire." [ibid]. In 2004, Loy did correct the record with a
terse note to the Senate committee: "In a July 30, 2002 memorandum,
TSA requested that JetBlue provide archived passenger data to the
DOD." [Report, p. 45] Even this corrected statement was false,
because, as recounted above, the airline had been directed to give
the data not to DOD but to a non-government firm, a non-secure
contractor.
Why these repeated falsehoods? If Loy wasn't in on it, why were
underlings feeding him repeated doses of false information? Was it
bad faith, or just bad management? The IG was not able to get an
answer: "TSA staff did not provide a clear explanation." [p.
45]
Loy... Again
In the same November 18, 2003, testimony, Loy told the Senate
that TSA was using data from volunteers, not the involuntarily
gathered "PNR data," to test CAPPS II. Loy: "TSA has not used any
PNR data to test any of the functions of CAPPS II. TSA is using
certain information provided by volunteers, many are DHS
employees," -- according to the report, "including senior DHS
officials." The problem with this statement was that it was also
false. Along with the JetBlue data recounted above, sensitive PNR
data involuntarily collected from tens of thousands of Delta
passengers was provided to IBM, Infoglide, and some eight
unidentified "RAE (Risk Assessment Engine) Prototype Vendors."
[p.45, 46]
GAO Questions
When the GAO testified in February, 2004, that "TSA has only
used 32 simulated passenger records -- created by TSA from the
itineraries of its employees and contractor staff who volunteered
to provide the data -- to conduct [passenger risk assessment]
testing," they were going on what the TSA's Office of National Risk
Assessment (ONRA) had told them. The statement was wildly,
enormously, false. The carefully worded IG report says that, "we
have found no evidence that TSA provided misleading or inaccurate
information to the GAO." But if you read the evidence that the
report based this conclusion on, you might not reach the same
conclusion. "GAO specifically asked about ONRA's access to airline
passenger data," but the ONRA folks just didn't tell them that they
had and were using millions of individuals' data. Yes, viewed as a
narrow technicality, they did not provide misleading information.
Unless you call a blanket denial of having information they had
misleading. Maybe you need to work in Washington to understand the
IG's conclusions on this one.
GAO is not blameless, however, because records show that ONRA
did admit to GAO that they had data from Delta Airlines and were
trying to get data from the multi-airline Sabre reservations
system.
Deny Everything?
When The DHS Chief Privacy Officer requested documents about the
Jet Blue/Torch Concepts data leak for a report to the public
(issued Feb 20, 2004), the TSA provided some documents but sat on
others for six weeks, until Feb. 17th. "The CPO said that... gave
the impression that TSA had withheld the documents." Further, the
CPO said that she requested information about any other airline
data transfer and "TSA responded that the JetBlue matter was unique
and suggested that TSA did not have a role in any other airline
data transfers." If TSA made this statement, it was both false, and
consistent with the false information TSA was retailing elsewhere.
However, the report does its best to whitewash the TSA: "We have
been unable to find documentation that unequivocally corroborates
this account and TSA staff..." of course, deny everything.
New Revelations Of TSA Data Mining
The report also contains pointers to some of the other data
mining the TSA has been doing, which is far greater than even the
old revelations that the TSA so vigorously, and falsely, denied.
The report traces some 14 transfers of data involving at least 12
million records. In no case were passengers asked or even informed
that their data was being used by government agencies or, more
often, unsupervised contractors.
Airlines that gave or sold sensitive passenger data to the TSA
or its contractors included:
- American Airlines
- America West
- Continental
- Delta
- Frontier, and
- JetBlue
Data was furnished to the US Secret Service, various in-house
TSA constituencies, and a laundry list of contractors: Ascent, HNC
Software, IBM, Infoglide, Lockheed Martin, Torch Concepts, and
possibly their subcontractors. Some of the data was furnished with
confidentiality agreements, some without. Ironically, the data that
Torch Concepts mishandled and compromised was subject to such an
agreement. Some data is reported destroyed, some is still held by
the contractors or TSA, and the disposition of some is unknown.
To Be Continued...