Feeds

DHS comes clean on CAPPS, lets self off hook

A regrettable mess, but perfectly legal

  • alert
  • submit to reddit

Security for virtualized datacentres

The US Transportation Security Administration (TSA) has done a bit of institutional soul searching, and concludes that it did nothing wrong in demanding, and later disseminating, passenger data from JetBlue, Delta, and numerous other airlines, or in misleading the public and Congress about the extent of its data-mining activities and snafus.

In a new report released Friday by Homeland Security Department Acting Inspector General Richard Skinner, we learn that between February 2002 and June 2003, TSA was involved in 14 transfers of data involving 12 million passenger records obtained from JetBlue, Delta, American Airlines, Continental, America West, and Frontier.

Much of this information was used by companies competing for a contract to provide the now-defunct CAPPS-2 (computer assisted passenger pre-screening system), to test and debug their prototypes.

Aside from the shenanigans of the various contractors involved, the report also finds that "TSA staff did not follow accepted privacy procedures in obtaining passenger data for internal use."

For example, it failed to execute non-disclosure or confidentiality agreements with JetBlue before receiving its passenger data in May 2003. It also did not ensure that data security measures were in place during the data transfer. "As a result, passenger data was transmitted to TSA in unencrypted files without password protection," the IG notes.

However, TSA got lucky: despite its "intermittent lack of sound privacy practices enforcement among its partners and its own staff, only one inappropriate public disclosure of personal information apparently occurred," the report says.

This happened when Torch Concepts inadvertently revealed, during a conference, sensitive information obtained from JetBlue, enriched with data from privacy invasion outfit Acxiom and related to a particular JetBlue passenger. The information found its way onto the Net, and has proven stubbornly resistant to purging.

The IG contacted all of the CAPPS II contract candidates, identified as: Ascent Technology, Inc.; HNC Software, Inc.; Infoglide Software Corporation; IBM; and the Lockheed Martin. None of these outfits was willing to be interviewed by IG staff, but most condescended to fill out a questionnaire, at least. One outfit, HNC Software/Fair Isaac, did not respond at all, so there is no information pertaining to its use or misuse of data. The company is the target of several class-action lawsuits, and cites this as an excuse for stonewalling.

The parties who received the data report that "in all but three of these transfers," the data has either been destroyed or "is retained in a secured setting."

"In its role in these transfers, however, TSA did not ensure that privacy protections were in place for all of the passenger data transfers. While TSA applied privacy protections in some contexts, shortcomings were also apparent in the agency's related contracting, oversight, and follow-up efforts."

The list of recommendations is basically sensible, but it is also alarming, as it is equally a catalogue of the commonsense precautions that TSA has not been taking. Among the suggestions are a proposed auditing requirement that data be tracked from its source to its final disposition, a recommendation for minimum security requirements, and clarification of lines of authority and responsibility within the agency.

The IG report wiggles out of legal responsibility, however, explaining that because TSA does not have a system of individual identifiers for the data it handles, it does not maintain a "system of records" as defined in the Privacy Act of 1974.

Another problem, and one that TSA is not likely to fix even if it does put its own house in order, is cross-pollination among vendors and contractors. For example, Acxiom provided data from both JetBlue and its own data mining operations directly to HNC. There is little that TSA can do about these side-arrangements, except to disapprove and hint that it might not be inclined to do business with an outfit that doesn't play nice.

It's the private sector that poses the most important problem here. It hardly matters whether a government bureau follows good privacy protection practices or not, when all the information it might ever wish to see is readily available, and for sale, cheap. ®

Related stories

ID theft is inescapable
Uncle Sam demands all air travel records
Airport snoop system thrown in $102m garbage can
Airport security failures justify snoop system

Business security measures using SSL

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.