DHS Privacy Office Says Secure Flight Violated Privacy ActDHS Privacy Office Says Secure Flight Violated Privacy Act

The Department of Homeland Security's privacy office concluded that the Transportation Security Administration violated the Privacy Act of 1974 by collecting commercial data on passengers without proper notification for Secure Flight.

The department released a report Friday stating that authorities failed to publicize changes to the program, which included the collection of commercial data in 2004 and 2005. The privacy office report (pdf) said contractors failed to live up to DHS statements promising a firewall and collected information from data brokers on people who were not traveling by air. Its criticisms reflect those in a Government Accountability Office report released last year.

Congress stopped the TSA from continuing Secure Flight because of questions about security and privacy. The news comes as Homeland Security is under fire for the Automated Targeting System, another traveler-screening program for assigning risks to all travelers entering and leaving the country by land, sea, or air.

The report said that TSA made securing data a high priority, prohibited commercial entities involved from using the information for other purposes, and instituted real-time auditing for access to the data. However, it added that disparities between publicly released information about the program and the actual practices used could have been due to deadline and resource constraints, but "the end result was that TSA announced one testing program, but conducted an entirely different one."

"Whatever the causes, however, the disparity between what TSA proposed to do and what it actually did in the testing program resulted in significant privacy concerns being raised about the information collected to support the commercial data test as well as about the Secure Flight program," the report stated. "Privacy missteps such as these undercut an agency's effort to implement a program effectively, even one that promises to improve security."

The report included several recommendations and said they could serve as guidelines for any Homeland Security program involving the collection, use, and maintenance of personally identifiable information.

It advocated privacy controls before designing and implementing a program and the creation of a detailed data flow map for the information system's life cycle, which would help ensure compliance with the Privacy Act of 1974.

It also recommended effective communication and collaboration between operation personal, policy, privacy, and legal advisers to make sure all documents explaining information programs are accurate, fully descriptive, and transparent. It said that privacy notices should be written and published only after a program has been decided on by authorized officials and revised when plans change or new phases are scheduled for launch.

"Programs that use personal information succeed best if the public believes that information to be collected is for a necessary purpose, will be used appropriately, will be kept secure and will be accessible for them to review," the report stated.

Several members of Congress and European Union leaders are demanding answers about the latest publicized traveler-screening program, ATS, which would not allow people information about their risk assessments. Critics also complain that the government has not fully described the program or provided people with a means of disputing or correcting inaccurate information.

Homeland Security published a notice about that program in recent weeks, saying it would create profiles on all people traveling in and out of the country, assign risks, and store that information for years. Then, Homeland Security Secretary Michael Chertoff acknowledged that the screening had already been under way.