Feeds

DHS comes clean on CAPPS, lets self off hook

A regrettable mess, but perfectly legal

  • alert
  • submit to reddit

The essential guide to IT transformation

The US Transportation Security Administration (TSA) has done a bit of institutional soul searching, and concludes that it did nothing wrong in demanding, and later disseminating, passenger data from JetBlue, Delta, and numerous other airlines, or in misleading the public and Congress about the extent of its data-mining activities and snafus.

In a new report released Friday by Homeland Security Department Acting Inspector General Richard Skinner, we learn that between February 2002 and June 2003, TSA was involved in 14 transfers of data involving 12 million passenger records obtained from JetBlue, Delta, American Airlines, Continental, America West, and Frontier.

Much of this information was used by companies competing for a contract to provide the now-defunct CAPPS-2 (computer assisted passenger pre-screening system), to test and debug their prototypes.

Aside from the shenanigans of the various contractors involved, the report also finds that "TSA staff did not follow accepted privacy procedures in obtaining passenger data for internal use."

For example, it failed to execute non-disclosure or confidentiality agreements with JetBlue before receiving its passenger data in May 2003. It also did not ensure that data security measures were in place during the data transfer. "As a result, passenger data was transmitted to TSA in unencrypted files without password protection," the IG notes.

However, TSA got lucky: despite its "intermittent lack of sound privacy practices enforcement among its partners and its own staff, only one inappropriate public disclosure of personal information apparently occurred," the report says.

This happened when Torch Concepts inadvertently revealed, during a conference, sensitive information obtained from JetBlue, enriched with data from privacy invasion outfit Acxiom and related to a particular JetBlue passenger. The information found its way onto the Net, and has proven stubbornly resistant to purging.

The IG contacted all of the CAPPS II contract candidates, identified as: Ascent Technology, Inc.; HNC Software, Inc.; Infoglide Software Corporation; IBM; and the Lockheed Martin. None of these outfits was willing to be interviewed by IG staff, but most condescended to fill out a questionnaire, at least. One outfit, HNC Software/Fair Isaac, did not respond at all, so there is no information pertaining to its use or misuse of data. The company is the target of several class-action lawsuits, and cites this as an excuse for stonewalling.

The parties who received the data report that "in all but three of these transfers," the data has either been destroyed or "is retained in a secured setting."

"In its role in these transfers, however, TSA did not ensure that privacy protections were in place for all of the passenger data transfers. While TSA applied privacy protections in some contexts, shortcomings were also apparent in the agency's related contracting, oversight, and follow-up efforts."

The list of recommendations is basically sensible, but it is also alarming, as it is equally a catalogue of the commonsense precautions that TSA has not been taking. Among the suggestions are a proposed auditing requirement that data be tracked from its source to its final disposition, a recommendation for minimum security requirements, and clarification of lines of authority and responsibility within the agency.

The IG report wiggles out of legal responsibility, however, explaining that because TSA does not have a system of individual identifiers for the data it handles, it does not maintain a "system of records" as defined in the Privacy Act of 1974.

Another problem, and one that TSA is not likely to fix even if it does put its own house in order, is cross-pollination among vendors and contractors. For example, Acxiom provided data from both JetBlue and its own data mining operations directly to HNC. There is little that TSA can do about these side-arrangements, except to disapprove and hint that it might not be inclined to do business with an outfit that doesn't play nice.

It's the private sector that poses the most important problem here. It hardly matters whether a government bureau follows good privacy protection practices or not, when all the information it might ever wish to see is readily available, and for sale, cheap. ®

Related stories

ID theft is inescapable
Uncle Sam demands all air travel records
Airport snoop system thrown in $102m garbage can
Airport security failures justify snoop system

Secure remote control for conventional and virtual desktops

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
No, thank you. I will not code for the Caliphate
Some assignments, even the Bongster decline must
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
Barnes & Noble: Swallow a Samsung Nook tablet, please ... pretty please
Novelslab finally on sale with ($199 - $20) price tag
Ballmer leaves Microsoft board to spend more time with his b-balls
From Clippy to Clippers: Hi, I see you're running an NBA team now ...
Banking apps: Handy, can grab all your money... and RIDDLED with coding flaws
Yep, that one place you'd hoped you wouldn't find 'em
Video of US journalist 'beheading' pulled from social media
Yanked footage featured British-accented attacker and US journo James Foley
Call of Duty daddy considers launching own movie studio
Activision Blizzard might like quality control of a CoD film
Primetime precrime? Minority Report TV series 'being developed'
I have to know. I have to find out what happened to my life
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.