Feeds

DHS comes clean on CAPPS, lets self off hook

A regrettable mess, but perfectly legal

  • alert
  • submit to reddit

Boost IT visibility and business value

The US Transportation Security Administration (TSA) has done a bit of institutional soul searching, and concludes that it did nothing wrong in demanding, and later disseminating, passenger data from JetBlue, Delta, and numerous other airlines, or in misleading the public and Congress about the extent of its data-mining activities and snafus.

In a new report released Friday by Homeland Security Department Acting Inspector General Richard Skinner, we learn that between February 2002 and June 2003, TSA was involved in 14 transfers of data involving 12 million passenger records obtained from JetBlue, Delta, American Airlines, Continental, America West, and Frontier.

Much of this information was used by companies competing for a contract to provide the now-defunct CAPPS-2 (computer assisted passenger pre-screening system), to test and debug their prototypes.

Aside from the shenanigans of the various contractors involved, the report also finds that "TSA staff did not follow accepted privacy procedures in obtaining passenger data for internal use."

For example, it failed to execute non-disclosure or confidentiality agreements with JetBlue before receiving its passenger data in May 2003. It also did not ensure that data security measures were in place during the data transfer. "As a result, passenger data was transmitted to TSA in unencrypted files without password protection," the IG notes.

However, TSA got lucky: despite its "intermittent lack of sound privacy practices enforcement among its partners and its own staff, only one inappropriate public disclosure of personal information apparently occurred," the report says.

This happened when Torch Concepts inadvertently revealed, during a conference, sensitive information obtained from JetBlue, enriched with data from privacy invasion outfit Acxiom and related to a particular JetBlue passenger. The information found its way onto the Net, and has proven stubbornly resistant to purging.

The IG contacted all of the CAPPS II contract candidates, identified as: Ascent Technology, Inc.; HNC Software, Inc.; Infoglide Software Corporation; IBM; and the Lockheed Martin. None of these outfits was willing to be interviewed by IG staff, but most condescended to fill out a questionnaire, at least. One outfit, HNC Software/Fair Isaac, did not respond at all, so there is no information pertaining to its use or misuse of data. The company is the target of several class-action lawsuits, and cites this as an excuse for stonewalling.

The parties who received the data report that "in all but three of these transfers," the data has either been destroyed or "is retained in a secured setting."

"In its role in these transfers, however, TSA did not ensure that privacy protections were in place for all of the passenger data transfers. While TSA applied privacy protections in some contexts, shortcomings were also apparent in the agency's related contracting, oversight, and follow-up efforts."

The list of recommendations is basically sensible, but it is also alarming, as it is equally a catalogue of the commonsense precautions that TSA has not been taking. Among the suggestions are a proposed auditing requirement that data be tracked from its source to its final disposition, a recommendation for minimum security requirements, and clarification of lines of authority and responsibility within the agency.

The IG report wiggles out of legal responsibility, however, explaining that because TSA does not have a system of individual identifiers for the data it handles, it does not maintain a "system of records" as defined in the Privacy Act of 1974.

Another problem, and one that TSA is not likely to fix even if it does put its own house in order, is cross-pollination among vendors and contractors. For example, Acxiom provided data from both JetBlue and its own data mining operations directly to HNC. There is little that TSA can do about these side-arrangements, except to disapprove and hint that it might not be inclined to do business with an outfit that doesn't play nice.

It's the private sector that poses the most important problem here. It hardly matters whether a government bureau follows good privacy protection practices or not, when all the information it might ever wish to see is readily available, and for sale, cheap. ®

Related stories

ID theft is inescapable
Uncle Sam demands all air travel records
Airport snoop system thrown in $102m garbage can
Airport security failures justify snoop system

The Essential Guide to IT Transformation

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Sonos AXES support for Apple's iOS4 and 5
Want to use your iThing? You can't - it's too old
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
Joe Average isn't worth $10 a year to Mark Zuckerberg
The Social Network deflates the PC resurgence with mobile-only usage prediction
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.