Original URL: http://www.theregister.co.uk/2004/04/13/privacy/
American Airlines data used to test passenger snoop system
TSA to inaugurate frequent liar club?
A third US airline, American, has admitted handing over passenger data to the Transport Security Administration, and this time it has emerged that the TSA promptly shared the information with four private contractors. American had previously denied passing records on, while the TSA had previously told Wired that it hadn't provided records to its contractors, nor had it used passenger records for testing CAPPS II.
So straight zeroes for knowing which way is up. CAPPS II is the US system being developed with the goal of identifying security risks on US flights, and will require large amounts of raw data, quantities of which cannot currently be used without breaching the US Privacy Act. Presumably the TSA must be aware that privacy legislation will require some adjusting prior to CAPPS II going live, and that the use of data in testing prior to this is therefore questionable, but apparently not. The US has actually been using European passenger data for testing of CAPPS II for some time, although we accept that as this doesn't cover US citizens it doesn't count under US privacy legislation.
US negotiators were sufficiently concerned about support for CAPPS II that provision was made for this testing in the deal struck by the European Commission last year, and the Commission itself has committed to "rapid negotiations" over the live version of the system. So currently data from Europe, where legislation is allegedly tougher, is being used in the US in circumstances which would be illegal under US law, and the Commission describes the safeguards over its use as adequate. According to the Commission the agreement prohibits the US from passing this data on to third parties, so the Commission may now wish to ask the TSA, given that it was unaware that it was passing on American Airlines passenger data to third-party CAPPS II contractors, whether it was similarly unaware that it was doing so with EU passenger data.
Given the difficulties inherent in being an independent CAPPS contractor without access to large quantities of test data, one does rather suspect.
Amusingly, the American Airlines press release confessing that it had "recently learned" that it had been handing out the data comes with a legal disclaimer popup which tells us that "information contained in the release may have changed. If you plan to use the information contained herein for any purpose, verification of its continued accuracy is your responsibility." So if we understand that correctly, information contained in the release may not now actually be information at all, and although the statement may have been a statement at time of stating, it may not be now. Whenever "now" is. We'd have called them up and asked them if it still worked, but then they'd probably have said it was only guaranteed to work at the precise moment they were talking to us. So you're all just going to have to call them yourselves. ®