DHS Privacy Office Says Secure Flight Violated Privacy Act - InformationWeek
01:57 PM

Reportedly, authorities failed to publicize changes to the program, which included the collection of commercial data in 2004 and 2005.

The Department of Homeland Security's privacy office concluded that the Transportation Security Administration violated the Privacy Act of 1974 by collecting commercial data on passengers without proper notification for Secure Flight.

The department released a report Friday stating that authorities failed to publicize changes to the program, which included the collection of commercial data in 2004 and 2005. The privacy office report (pdf) said contractors failed to live up to DHS statements promising a firewall and collected information from data brokers on people who were not traveling by air. Its criticisms reflect those in a Government Accountability Office report released last year.

Congress stopped the TSA from continuing Secure Flight because of questions about security and privacy. The news comes as Homeland Security is under fire for the Automated Targeting System, another traveler-screening program for assigning risks to all travelers entering and leaving the country by land, sea, or air.

The report said that TSA made securing data a high priority, prohibited the commercial entities involved from using the information for other purposes, and instituted real-time auditing of access to the data. It added that disparities between publicly released information about the program and the actual practices used could have been due to deadline and resource constraints, but "the end result was that TSA announced one testing program, but conducted an entirely different one."

"Whatever the causes, however, the disparity between what TSA proposed to do and what it actually did in the testing program resulted in significant privacy concerns being raised about the information collected to support the commercial data test as well as about the Secure Flight program," the report stated. "Privacy missteps such as these undercut an agency's effort to implement a program effectively, even one that promises to improve security."

The report included several recommendations and said they could serve as guidelines for any Homeland Security program involving the collection, use, and maintenance of personally identifiable information.

It advocated privacy controls before designing and implementing a program and the creation of a detailed data flow map for the information system's life cycle, which would help ensure compliance with the Privacy Act of 1974.

It also recommended effective communication and collaboration among operational personnel and policy, privacy, and legal advisers to make sure all documents explaining information programs are accurate, fully descriptive, and transparent. It said that privacy notices should be written and published only after a program has been decided on by authorized officials and revised when plans change or new phases are scheduled for launch.

"Programs that use personal information succeed best if the public believes that information to be collected is for a necessary purpose, will be used appropriately, will be kept secure and will be accessible for them to review," the report stated.

Several members of Congress and European Union leaders are demanding answers about the latest publicized traveler-screening program, ATS, which would not allow people access to information about their risk assessments. Critics also complain that the government has not fully described the program or provided people with a means of disputing or correcting inaccurate information.

Homeland Security published a notice about that program in recent weeks, saying it would create profiles on all people traveling in and out of the country, assign risks, and store that information for years. Then, Homeland Security Secretary Michael Chertoff acknowledged that the screening had already been under way.
