GAO: TSA fixing Secure Flight privacy violations

The Transportation Security Administration has taken steps to fix privacy violations it committed in the Secure Flight passenger screening program, the Government Accountability Office reported Friday.

After hearing GAO's concerns about the program in June, TSA published updated privacy notices that better describe how Secure Flight used an expanded set of commercial data, Cathleen Berrick, GAO’s director of homeland security and justice issues, wrote.

TSA also vowed to ensure that its chief privacy officer and general counsel would decide whether any further changes in data use would warrant new updates, Berrick wrote.

Controversy about Secure Flight erupted this spring. “TSA collected and stored commercial data records even though TSA stated in its privacy notices that it would not do so,” she wrote.

As a result of TSA’s actions, the public did not know and could not comment on the agency's use of their data, Berrick wrote.

“Specifically, a TSA contractor, acting on behalf of the agency, collected more than 100 million commercial data records containing personal information such as name, date of birth and telephone number without informing the public,” Berrick wrote.

TSA used the commercial data to supplement the passenger data to see if it would lower the number of false positives in national terrorist watch lists, Berrick wrote.

In September and November 2004, TSA published privacy notices about how it would use Secure Flight data. The notices lack legally required details on how TSA and its contractors would collect, use and store commercial data, Berrick wrote. TSA also did not say what the full scope of the data collection would be, she wrote.

GAO laid out its concerns to TSA in June, Berrick wrote. TSA agreed that the concerns were valid and acted immediately to correct the problems, Steven Pecinovsky, director of DHS' GAO/Office of Inspector General Liaison, wrote in a response letter.

TSA tried to ensure the security of the data it used by hiding the identities of the passengers whose personal data it used in the tests, for example, Pecinovsky wrote. GAO hasn’t evaluated the quality of TSA’s security controls, Berrick wrote.

The privacy breach did not adversely affect passengers because the data was never used in decision-making, Pecinovsky wrote.

TSA promised not to use commercial data in the start-up period for Secure Flight, scheduled to begin by early 2006, he wrote. The agency left open the option to use the data later if it proved to enhance Secure Flight’s effectiveness, he wrote.

DHS is committed to protecting privacy, Pecinovsky wrote. DHS’ chief privacy officer, Nuala O’Connor Kelly, is reviewing Secure Flight’s use of passenger data and may recommend additional privacy protections, he wrote.