IG: TSA misstatements undermine public trust

Transportation Security Administration officials made misleading statements in 2003 and 2004 about their collection and transfer of personal information on 12 million airline passengers in order to test a new screening system, according to a new report from the Homeland Security Department's Acting Inspector General Richard Skinner.

"Transportation Security Administration officials made inaccurate statements regarding these transfers that undermined public trust in the agency," the March 25 report said. "These misstatements were apparently not meant to mischaracterize known facts. Instead, they were premised on an incomplete understanding of the underlying facts."

TSA did not adequately enforce privacy protections when in 2002 and 2003 it collected and transferred the passenger data from six airlines, including names, addresses, dates of birth and credit card numbers in some cases, the report said.

The agency transferred the information to contractors that were developing the agency's Computer Assisted Passenger Prescreening System (CAPPS) II, according to the report. The passenger information was being used for research and there was no evidence that any passenger was harmed by a release of personal information, the report said.

"Of the more than 12 million records transferred, a passenger's data was inappropriately disclosed to the public in only one instance. In this instance, a government contractor's inappropriate disclosure of information was inadvertent," the report said. It did not name the contractor.

Furthermore, TSA officials gave incorrect information to Congress and to the public about what was happening, the inspector general said. He cited TSA's missteps in providing information in response to Freedom of Information Requests, the U.S. Senate and media requests.

"These cases illustrate weaknesses and a lack of reliability in the way that TSA processes requests for information," Skinner wrote in the report. "Although we found no evidence of deliberate deception, the evidence of faulty processes is substantial."

To fix the problems, the inspector recommends development of "clear protocols" for exchanging airline passenger data; incorporation of privacy protections into acquisition documents; adoption of procedures to respond to requests for information; and requirements for TSA contractors to report to the agency "on how they are addressing data security, privacy protections, and confidentiality," among other advice.

To prepare the report, the inspector general interviewed CAPPS II program contractors, data aggregators and other relevant parties, including Acxiom, Airline Automation Inc., Ascent Technology Inc., Delta Air Lines Inc., Galileo International Inc., HNC Software Inc., Infoglide Software Corp., IBM Corp., JetBlue Airways Corp., Lockheed Martin Corp., Sabre Holdings Corp. and Torch Concepts Inc.