2/23/2004
06:10 PM

Report: TSA Bent Privacy Rules By Asking For JetBlue Records

The agency's chief privacy officer says the TSA didn't break the 1974 Privacy Act when it asked for passenger records to test a data-mining project but recommends clearer rules for data sharing.

The Transportation Security Administration bent but didn't break the 1974 Privacy Act in 2002 when one or more TSA employees requested that JetBlue Airways provide passenger records to be used in testing an experimental Defense Department data-mining project. This was one of the key findings in a preliminary report issued by Homeland Security Department chief privacy officer Nuala Kelly.

But Kelly's report, which explains the circumstances of the project and JetBlue's involvement, also acknowledges that government agencies, private-sector businesses, and contractors are all entering uncharted territory with regard to data sharing between the private sector and the federal government for security purposes.

While the TSA's actions "may have been well intentioned and without malice, the employees arguably misused the oversight capacity of the TSA to encourage this data sharing," Kelly says in her report, issued Friday.

To help put businesses and government agencies on firmer footing when dealing with private data, Homeland Security's Privacy Office will establish clear rules for voluntary and compulsory data sharing with private-sector businesses. Such rules are designed to ensure that senior officials in Homeland Security agencies keep a watchful eye over data sharing, that agencies review the privacy policies and applicable laws of their private-sector partners, and that they document compliance with the Privacy Act.

Kelly's report recommends that agency employees involved in approving the transfer of JetBlue customer data attend Privacy Act and privacy policy training. The Privacy Office is also calling for formal privacy education and training across the department.

"The report includes the troubling finding that certain TSA employees acted without appropriate regard for individual privacy interests," Sen. Susan Collins, R-Maine, said Friday in a prepared statement. "In this case, the TSA employees involved compromised the privacy interests of individuals without adequate justification." Collins, who also chairs the Governmental Affairs Committee, had co-signed a letter with committee member Sen. Joseph Lieberman, D-Conn., pressing Kelly to issue her report.

"I support the recommendation for departmentwide privacy policy training," Lieberman said in a prepared statement.

The controversy was set in motion shortly after the Sept. 11, 2001, terrorist attacks when Huntsville, Ala., government contractor Torch Concepts approached the Defense Department with the idea for a data-mining tool that would be able to analyze the personal characteristics of people seeking access to military installations. The proposal found support in the Pentagon, which had seen the terrorist attacks firsthand.

To make sure its proposed Base Security Enhancement Project worked properly, Torch Concepts was convinced that it needed a large, national-level database. Several airlines declined to participate without approval from TSA, which at the time was part of the Transportation Department. According to Kelly's report, JetBlue agreed to participate after a written request from TSA. In September 2002, Acxiom Corp., acting as a contractor for JetBlue, transferred 5 million records for more than 1.5 million passengers to Torch. JetBlue CEO David Neeleman later acknowledged that the data transfer was a violation of his company's privacy policy.
