Feeds

DHS comes clean on CAPPS, lets self off hook

A regrettable mess, but perfectly legal

  • alert
  • submit to reddit

SANS - Survey on application security programs

The US Transportation Security Administration (TSA) has done a bit of institutional soul searching, and concludes that it did nothing wrong in demanding, and later disseminating, passenger data from JetBlue, Delta, and numerous other airlines, or in misleading the public and Congress about the extent of its data-mining activities and snafus.

In a new report released Friday by Homeland Security Department Acting Inspector General Richard Skinner, we learn that between February 2002 and June 2003, TSA was involved in 14 transfers of data involving 12 million passenger records obtained from JetBlue, Delta, American Airlines, Continental, America West, and Frontier.

Much of this information was used by companies competing for a contract to provide the now-defunct CAPPS-2 (computer assisted passenger pre-screening system), to test and debug their prototypes.

Aside from the shenanigans of the various contractors involved, the report also finds that "TSA staff did not follow accepted privacy procedures in obtaining passenger data for internal use."

For example, it failed to execute non-disclosure or confidentiality agreements with JetBlue before receiving its passenger data in May 2003. It also did not ensure that data security measures were in place during the data transfer. "As a result, passenger data was transmitted to TSA in unencrypted files without password protection," the IG notes.

However, TSA got lucky: despite its "intermittent lack of sound privacy practices enforcement among its partners and its own staff, only one inappropriate public disclosure of personal information apparently occurred," the report says.

This happened when Torch Concepts inadvertently revealed, during a conference, sensitive information obtained from JetBlue, enriched with data from privacy invasion outfit Acxiom and related to a particular JetBlue passenger. The information found its way onto the Net, and has proven stubbornly resistant to purging.

The IG contacted all of the CAPPS II contract candidates, identified as: Ascent Technology, Inc.; HNC Software, Inc.; Infoglide Software Corporation; IBM; and the Lockheed Martin. None of these outfits was willing to be interviewed by IG staff, but most condescended to fill out a questionnaire, at least. One outfit, HNC Software/Fair Isaac, did not respond at all, so there is no information pertaining to its use or misuse of data. The company is the target of several class-action lawsuits, and cites this as an excuse for stonewalling.

The parties who received the data report that "in all but three of these transfers," the data has either been destroyed or "is retained in a secured setting."

"In its role in these transfers, however, TSA did not ensure that privacy protections were in place for all of the passenger data transfers. While TSA applied privacy protections in some contexts, shortcomings were also apparent in the agency's related contracting, oversight, and follow-up efforts."

The list of recommendations is basically sensible, but it is also alarming, as it is equally a catalogue of the commonsense precautions that TSA has not been taking. Among the suggestions are a proposed auditing requirement that data be tracked from its source to its final disposition, a recommendation for minimum security requirements, and clarification of lines of authority and responsibility within the agency.

The IG report wiggles out of legal responsibility, however, explaining that because TSA does not have a system of individual identifiers for the data it handles, it does not maintain a "system of records" as defined in the Privacy Act of 1974.

Another problem, and one that TSA is not likely to fix even if it does put its own house in order, is cross-pollination among vendors and contractors. For example, Acxiom provided data from both JetBlue and its own data mining operations directly to HNC. There is little that TSA can do about these side-arrangements, except to disapprove and hint that it might not be inclined to do business with an outfit that doesn't play nice.

It's the private sector that poses the most important problem here. It hardly matters whether a government bureau follows good privacy protection practices or not, when all the information it might ever wish to see is readily available, and for sale, cheap. ®

Related stories

ID theft is inescapable
Uncle Sam demands all air travel records
Airport snoop system thrown in $102m garbage can
Airport security failures justify snoop system

3 Big data security analytics techniques

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
Number crunching suggests Yahoo! US is worth less than nothing
China and Japan holdings worth more than entire company
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.