Feeds

DHS comes clean on CAPPS, lets self off hook

A regrettable mess, but perfectly legal

  • alert
  • submit to reddit

Application security programs and practises

The US Transportation Security Administration (TSA) has done a bit of institutional soul searching, and concludes that it did nothing wrong in demanding, and later disseminating, passenger data from JetBlue, Delta, and numerous other airlines, or in misleading the public and Congress about the extent of its data-mining activities and snafus.

In a new report released Friday by Homeland Security Department Acting Inspector General Richard Skinner, we learn that between February 2002 and June 2003, TSA was involved in 14 transfers of data involving 12 million passenger records obtained from JetBlue, Delta, American Airlines, Continental, America West, and Frontier.

Much of this information was used by companies competing for a contract to provide the now-defunct CAPPS-2 (computer assisted passenger pre-screening system), to test and debug their prototypes.

Aside from the shenanigans of the various contractors involved, the report also finds that "TSA staff did not follow accepted privacy procedures in obtaining passenger data for internal use."

For example, it failed to execute non-disclosure or confidentiality agreements with JetBlue before receiving its passenger data in May 2003. It also did not ensure that data security measures were in place during the data transfer. "As a result, passenger data was transmitted to TSA in unencrypted files without password protection," the IG notes.

However, TSA got lucky: despite its "intermittent lack of sound privacy practices enforcement among its partners and its own staff, only one inappropriate public disclosure of personal information apparently occurred," the report says.

This happened when Torch Concepts inadvertently revealed, during a conference, sensitive information obtained from JetBlue, enriched with data from privacy invasion outfit Acxiom and related to a particular JetBlue passenger. The information found its way onto the Net, and has proven stubbornly resistant to purging.

The IG contacted all of the CAPPS II contract candidates, identified as: Ascent Technology, Inc.; HNC Software, Inc.; Infoglide Software Corporation; IBM; and the Lockheed Martin. None of these outfits was willing to be interviewed by IG staff, but most condescended to fill out a questionnaire, at least. One outfit, HNC Software/Fair Isaac, did not respond at all, so there is no information pertaining to its use or misuse of data. The company is the target of several class-action lawsuits, and cites this as an excuse for stonewalling.

The parties who received the data report that "in all but three of these transfers," the data has either been destroyed or "is retained in a secured setting."

"In its role in these transfers, however, TSA did not ensure that privacy protections were in place for all of the passenger data transfers. While TSA applied privacy protections in some contexts, shortcomings were also apparent in the agency's related contracting, oversight, and follow-up efforts."

The list of recommendations is basically sensible, but it is also alarming, as it is equally a catalogue of the commonsense precautions that TSA has not been taking. Among the suggestions are a proposed auditing requirement that data be tracked from its source to its final disposition, a recommendation for minimum security requirements, and clarification of lines of authority and responsibility within the agency.

The IG report wiggles out of legal responsibility, however, explaining that because TSA does not have a system of individual identifiers for the data it handles, it does not maintain a "system of records" as defined in the Privacy Act of 1974.

Another problem, and one that TSA is not likely to fix even if it does put its own house in order, is cross-pollination among vendors and contractors. For example, Acxiom provided data from both JetBlue and its own data mining operations directly to HNC. There is little that TSA can do about these side-arrangements, except to disapprove and hint that it might not be inclined to do business with an outfit that doesn't play nice.

It's the private sector that poses the most important problem here. It hardly matters whether a government bureau follows good privacy protection practices or not, when all the information it might ever wish to see is readily available, and for sale, cheap. ®

Related stories

ID theft is inescapable
Uncle Sam demands all air travel records
Airport snoop system thrown in $102m garbage can
Airport security failures justify snoop system

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Airbus promises Wi-Fi – yay – and 3D movies (meh) in new A330
If the person in front reclines their seat, this could get interesting
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
Samsung threatens to cut ties with supplier over child labour allegations
Vows to uphold 'zero tolerance' policy on underage workers
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.