Report: TSA Bent Privacy Rules By Asking For JetBlue Records

The agency's chief privacy officer says the TSA didn't break the 1974 Privacy Act when it asked for passenger records to test a data-mining project but recommends clearer rules for data sharing.

The Transportation Security Administration bent but didn't break the 1974 Privacy Act in 2002 when one or more TSA employees requested that JetBlue Airways provide passenger records to be used in testing an experimental Defense Department data-mining project. This was one of the key findings in a preliminary report issued by Homeland Security Department chief privacy officer Nuala Kelly.

But Kelly's report, which explains the circumstances of the project and JetBlue's involvement, also acknowledges that government agencies, private-sector businesses, and contractors are all entering uncharted territory with regard to data sharing between the private sector and the federal government for security purposes.

While the TSA's actions "may have been well intentioned and without malice, the employees arguably misused the oversight capacity of the TSA to encourage this data sharing," Kelly says in her report, issued Friday.

To help put businesses and government agencies on firmer footing when dealing with private data, Homeland Security's Privacy Office will establish clear rules for voluntary and compulsory data sharing with private-sector businesses. Such rules are designed to ensure that senior officials in Homeland Security agencies keep a watchful eye over data sharing, that agencies review the privacy policies and applicable laws of their private-sector partners, and that they document compliance with the Privacy Act.

Kelly's report recommends that agency employees involved in approving the transfer of JetBlue customer data attend Privacy Act and privacy policy training. The Privacy Office is also calling for formal privacy education and training across the department.

"The report includes the troubling finding that certain TSA employees acted without appropriate regard for individual privacy interests," Sen. Susan Collins, R-Maine, said Friday in a prepared statement. "In this case, the TSA employees involved compromised the privacy interests of individuals without adequate justification." Collins, who also chairs the Governmental Affairs Committee, had co-signed a letter with committee member Sen. Joseph Lieberman, D-Conn., pressing Kelly to issue her report.

"I support the recommendation for departmentwide privacy policy training," Lieberman said in a prepared statement.

The controversy was set in motion shortly after the Sept. 11, 2001, terrorist attacks when Huntsville, Ala., government contractor Torch Concepts approached the Defense Department with the idea for a data-mining tool that would be able to analyze the personal characteristics of people seeking access to military installations. The proposal found support in the Pentagon, which had seen the terrorist attacks firsthand.

To make sure its proposed Base Security Enhancement Project worked properly, Torch Concepts was convinced that it needed a large, national-level database. Several airlines declined to participate without approval from TSA, which at the time was part of the Transportation Department. According to Kelly's report, JetBlue agreed to participate after a written request from TSA. In September 2002, Acxiom Corp., acting as a contractor for JetBlue, transferred 5 million records for more than 1.5 million passengers to Torch. JetBlue CEO David Neeleman later acknowledged that the data transfer was a violation of his company's privacy policy.
