According to a report released today by the Department of Homeland Security Privacy Office, the Transportation Security Administration publicly misrepresented how it handled commercial data while testing the controversial Secure Flight program. "As ultimately implemented, the commercial data test conducted in connection with the Secure Flight program testing did not match TSA's public announcements," the Privacy Office said.
The Privacy Act of 1974 requires an agency to give public notice when it establishes or changes a system of records. The Privacy Office stopped short of explicitly saying that TSA violated the law during the testing, though did note, "However well-meaning, material changes in a federal program's design that have an impact on the collection, use, and maintenance of personally identifiable information of American citizens are required to be announced in Privacy Act system notices and privacy impact assessments."
When TSA announced plans in September 2004 to launch the Secure Flight program, it published a system of records notice and privacy impact assessment in the Federal Register. These documents explained that the program would compare personal information in passenger name records against the Terrorist Screening Center's consolidated watch list. Furthermore, TSA would test whether commercial data could be used to verify the accuracy of passenger information, though not inappropriately single out certain categories of people. TSA assured the public that it would not actually access or keep the commercial data, and that testing would be "governed by strict privacy and data security protections."
Two months later, TSA published a "final" order in the Federal Register, which addressed more than 500 public comments made in response to the earlier descriptions of the Secure Flight proposal. This notice brushed off the public's calls for better privacy protections, explaining that TSA would instead develop the program transparently "to prevent so-called 'mission creep.'" The order also repeated TSA's guarantee that it would not have access to commercial data.
In June 2005, however, the Government Accountability Office learned that TSA had not performed the commercial data test as described in the Federal Register notices. When confronted with the GAO's findings, TSA backpedaled and published a notice to "supplement and amend" its earlier public statements.
Now, more than a year and a half after learning that TSA may have violated the law, the Privacy Office says it's unimpressed that TSA told the public one thing, did something else, and then tried to "supplement and amend" its representations after the fact. Unfortunately, it looks like this may be a pattern for DHS. Last month, we learned that the Automated Targeting System assigns risk scores to travelers entering and leaving the country, and that it has been doing so for years without our knowledge. (Read EFF's formal comments on the system here.) Let's hope it doesn't take the Privacy Office a year and a half to decide whether this violates the Privacy Act.