Homeland Security Officials Release Findings In Self-Investigation
The TSA didn't break the letter of the law when it asked JetBlue
for access to passenger records. DHS wanted to turn them over to a
contractor working on the development of the Base Security
Enhancement program, designed to assess the terror risk to military
facilities worldwide. But the Department of Homeland Security says
the TSA pushed the edge of the envelope when it asked for the
records and didn't notify the public.
The investigation centered on a company called Torch Concepts,
based in Huntsville (AL). Executives there sent a proposal to the
Defense Department, suggesting the use of personal data to profile
those seeking access to military bases. It wanted to use passenger
information for developing and testing the concept.
If that sounds suspiciously like CAPPS II, DHS says it's very much
the same concept. In fact, CAPPS
II, the controversial project to profile passengers and assign them
color-coded risk labels, was being developed at the same time,
shortly after the 9/11 attacks. But DHS says TSA wanted to keep the
two projects separate.
The DHS investigation report says that on July 30, 2002, a
"relatively new" employee at TSA sent a letter to JetBlue, asking
for archived passenger records. The airline ended up turning over
more than five million individual passenger records based on the
request. That, DHS suspected when it began the investigation, might
have violated the Privacy Act of 1974, which requires public notice
whenever a new records system is created.
But Wired News, which broke the JetBlue story five months ago,
reports DHS Chief Privacy Officer Nuala O'Connor decided the
request wasn't illegal. Why? While she says the TSA worker "acted
without appropriate regard for individual privacy interests or the
spirit of the Privacy Act" and "arguably misused" the TSA's
oversight authority over JetBlue to encourage data sharing, the
Torch Concepts project wasn't directly related to TSA's mandate and
didn't directly involve CAPPS II.
"No Privacy Act violation by TSA employees occurred in connection
with this incident," said the DHS
finding. "There is no evidence that any data were provided directly
to TSA or its parent agency at the time, DOT. On the contrary, the
evidence demonstrates that passenger data were transferred directly
by jetBlue’s contractor, Acxiom, to Torch Concepts. As a
result, the Privacy Act of 1974, which regulates the Federal
Government’s collection and maintenance of personally
identifiable data on citizens and legal permanent residents, does
not appear to have been violated by TSA actions. Because TSA did
not receive passenger data, no new system of records under the
Privacy Act was established within TSA, nor was any
individual’s personal data used or disclosed by TSA, its
employees or contractors, in violation of the Privacy Act."
That's not to say that the Defense Department in general and the
Army in particular didn't violate the Privacy Act. The DHS strongly
implies the Army did indeed violate that law.
"The TSA employees involved acted without appropriate regard for
individual privacy interests or the spirit of the Privacy Act of
1974. In doing so, it appears that their actions were outside
normal processes to facilitate a data transfer, with the primary
purpose of the transfer being other than transportation security.
Such sharing exceeds the principle of the Privacy Act which limits
data collection by an agency to such information as is necessary
for a federal agency to carry out its own mission. While these
actions may have been well intentioned and without malice, the
employees arguably misused the oversight capacity of the TSA to
encourage this data sharing."
"The department must seek to strike the right balance between
security and privacy interests," said
Senator Sue Collins (R-ME). "In this case, the TSA employees
involved compromised the privacy interests of individuals without
adequate justification."
The Army is now conducting its own investigation. But what about
the TSA "new guy" who apparently skirted the Privacy Act by
obtaining JetBlue records for DoD? It would appear that employee
will receive a relatively minor slap on the wrist.
"The TSA employees involved, must, at a minimum, attend
substantial Privacy Act and privacy policy training and must
certify such training to the satisfaction of the DHS Privacy
Office," according to the report.