I wrote in April about how the Transportation Security Administration (TSA) had been caught in several lies about its use of real-world passenger data to test the new passenger screening system, CAPPS II. In that article I described how the TSA had denied such activities took place while airlines were coming forward to admit they had indeed shared real traveler data with the agency. Now we discover from the TSA itself that the disclosures have been far more extensive than has been reported to date.
Originally thought to have been only three major airlines, sworn testimony from acting TSA chief David Stone indicates that five airlines provided passenger data to the TSA in 2002 and 2003. Delta, Continental, America West, JetBlue, Frontier Airlines all secretly provided passenger data to the TSA and/or its contractors working on CAPPS II. When we add Northwest Airlines into the mix for their disclosure in 2001, a total of six of the 10 largest airlines have provided confidential passenger data to the TSA, data which included travel itineraries, credit card types and/or numbers, home address and phone numbers, and other information we normally wouldn't want floating around freely and without our knowledge.
Offended? We're not done yet.
The testimony also shows that two of the largest travel reservation companies, Sabre and Galileo International, both provided passenger data to the TSA as well, and this disclosure included home phone numbers, credit card numbers and health data.
Amazingly all of these disclosures of private information were performed in secret with no notification to the American citizens whose information was being handed over to the government.
All of this information comes after the TSA has repeatedly denied to Congress, the General Accounting Office (GAO, Congress' investigative arm) and the media that any disclosures took place. We can now see that the TSA has a problem telling the truth — a very serious problem.
It is a violation of the Privacy Act for any federal entity to create a system of records for tracking American citizens without prior public disclosure. It is also a violation of law for any company to disclose personal information if they have promised not to do so in writing (such as a privacy policy). Both of these activities have occurred in this case.
In response to the continuing news about disclosures of this type, the Department of Homeland Security's Inspector General, who has the right to terminate negligent employees, is conducting an investigation into the matter.
Well, that's not good enough for me.
You see, the TSA has repeatedly denied it received any such real-world data. Stone's predecessor, retired Adm. James Loy, was specifically asked by Congress whether "any contractors working on CAPPS II used any real-world data for testing purposes."
Loy's response?
"No. TSA has not used any (passenger) data to test any of the functions of CAPPS II."
But it didn't end there.
Two TSA spokesmen also made false statements to the media about the extent of the transfers.
After the JetBlue transfer was brought to public attention in September 2003, TSA spokesman Brian Turmail told Wired News that the TSA had never used passenger records for testing CAPPS II, nor had it provided records to its contractors.
In September 2003, Wired News asked TSA spokesman Nico Melendez whether the TSA's four contractors had used real passenger records to test and develop their systems. Melendez denied it, saying, "We have only used dummy data to this point."
"Our agency was only five months old at the time" when these four companies were developing their systems, Melendez said. "We did not need the data at that time."
In the spirit of fairness, the government isn't the only problem here. The airlines and travel agencies are equally at fault.
The whole news story broke in the September of 2003 when it was discovered that JetBlue had turned over its entire passenger database to the TSA.
This was a direct violation of JetBlue's own privacy policy, so the airline promptly apologized for the violation and described it as a one-time error in judgment.
Unfortunately we believed them.
According to Stone's sworn testimony, JetBlue was lying when it said the mistake was a one-time event. Apparently the upstart airline transferred passenger data not once, not twice, but three separate times.
Does that sound like a one-time mistake?
At what point do we as American's put our collective foot down and make clear that a government conspiracy of this magnitude — fully documented and even testified to by the government's own personnel and by the third-parties involved — is not acceptable?
It's time for this nonsense to stop.
The ongoing investigation by Congress isn't enough. The ongoing investigation by the DHS Inspector General isn't enough.
CAPPS II must be ended immediately and all related contracts terminated. That would be a start.
The Department of Justice (via the FBI) should begin an immediate investigation into whether the Privacy Act has been violated by the TSA and its contractors as well as by the airlines and travel agencies.
Each of the airlines who had a privacy policy in place at the time which indicated they would not share passenger data needs to be taken to court for breach of contract and invasion of privacy.
A boycott of all of the companies involved (the airlines, the travel agencies, and the contractors working on CAPPS II) could also make it clear that such behavior is not acceptable nor will it be tolerated.
It's imperative that "heads roll" at the airlines, the travel agencies, and within the TSA. It's equally imperative that all of the people and organizations involved find themselves on the receiving end of one or more lawsuits.
I do not accept this kind of behavior and deception on the part of our government nor the companies involved (those who gave data and those who received it).