Report: TSA Bent Privacy Rules By Asking For JetBlue Records - InformationWeek
06:10 PM
Out of the Black Box: Selling Security to your C-suite
Jul 20, 2017
To maximize the return on cloud security investments, CISOs need a seat at the table. Unfortunatel ...Read More>>

Report: TSA Bent Privacy Rules By Asking For JetBlue Records

The agency's chief privacy officer says the TSA didn't break the 1974 Privacy Act when it asked for passenger records to test a data-mining project but recommends clearer rules for data sharing.

The Transportation Security Administration bent but didn't break the 1974 Privacy Act in 2002 when one or more TSA employees requested that JetBlue Airways provide passenger records to be used in testing an experimental Defense Department data-mining project. This was one of the key findings in a preliminary report issued by Homeland Security Department chief privacy officer Nuala Kelly.

But Kelly's report, which explains the circumstances of the project and JetBlue's involvement, also acknowledges that government agencies, private-sector businesses, and contractors are all entering uncharted territory with regard to data sharing between the private sector and the federal government for security purposes.

While the TSA's actions "may have been well intentioned and without malice, the employees arguably misused the oversight capacity of the TSA to encourage this data sharing," Kelly says in her report, issued Friday.

To help put businesses and government agencies on firmer footing when dealing with private data, Homeland Security's Privacy Office will establish clear rules for voluntary and compulsory data sharing with private-sector businesses. Such rules are designed to ensure that senior officials in Homeland Security agencies keep a watchful eye over data sharing, that agencies review the privacy policies and applicable laws of their private-sector partners, and that they document compliance with the Privacy Act.

Kelly's report recommends that agency employees involved in approving the transfer of JetBlue customer data must attend Privacy Act and privacy policy training. The Privacy Office is also calling for formal privacy education and training across the department.

"The report includes the troubling finding that certain TSA employees acted without appropriate regard for individual privacy interests," Sen. Susan Collins, R-Maine, said Friday in a prepared statement. "In this case, the TSA employees involved compromised the privacy interests of individuals without adequate justification." Collins, who also chairs the Governmental Affairs Committee, had co-signed a letter with committee member Sen. Joseph Lieberman, D-Conn., pressing Kelly to issue her report.

"I support the recommendation for departmentwide privacy policy training," Lieberman said in a prepared statement.

The controversy was set in motion shortly after the Sept. 11, 2001, terrorist attacks when Huntsville, Ala., government contractor Torch Concepts approached the Defense Department with the idea for a data-mining tool that would be able to analyze the personal characteristics of people seeking access to military installations. The proposal found support in the Pentagon, which had seen the terrorist attacks firsthand.

To make sure its proposed Base Security Enhancement Project worked properly, Torch Concepts was convinced that it needed a large, national-level database. Several airlines declined to participate without approval from TSA, which at the time was part of the Transportation Department. According to Kelly's report, JetBlue agreed to participate after a written request from TSA. In September 2002, Acxiom Corp., acting as a contractor for JetBlue, transferred 5 million records for more than 1.5 million passengers to Torch. JetBlue CEO David Neeleman later acknowledged that the data transfer was a violation of his company's privacy policy.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Strategies to Conquer the Cloud
Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll