Travel Privacy Probe Spins Wheels
from Wired

When the government wanted millions of passenger records to test antiterrorism data-mining projects, it simply asked for and received the data from JetBlue Airlines and Northwest Airlines, which were both eager to help out.

But when government watchdogs subsequently asked the government about the purpose and legality of one of those transfers, government agencies -- from the Transportation Security Administration to the Pentagon -- responded with a wall of silence and a series of delays.

The Transportation Security Administration, or TSA, which asked JetBlue to hand over millions of passenger records to a defense contractor, originally seemed open to revealing its role in the scandal.

Nuala O'Connor Kelly, the chief privacy officer for the TSA's parent agency, the Department of Homeland Security, announced an investigation into what role the TSA played in the transfer in September, just days after JetBlue admitted it had violated its privacy policy by turning over 4.9 million passenger records to Torch Concepts, a Pentagon contractor.

Torch, with the approval of JetBlue, then enriched the data with sensitive personal information, such as Social Security numbers and income levels, which it purchased from Acxiom, a huge data-marketing firm based in Arkansas. Torch, ostensibly under contract with the Army to study ways to increase base security, then investigated the feasibility of using its data-mining algorithms to develop a profiling system that could identify terrorists before they board airplanes.

The TSA has maintained it never actually possessed the records and that the study was unconnected to CAPPS II, its ongoing effort to create an airline passenger-screening system that uses commercial records to vet travelers before they fly.

O'Connor Kelly promised to make her report available to Congress and the public within weeks, then later revised that goal to Christmas.

Now, having missed two deadlines, O'Connor Kelly says her organization still has documents to pore over.

"We are continuing to review the documents and hope to have a report out very soon," O'Connor Kelly said.

More

When the government wanted millions of passenger records to test antiterrorism data-mining projects, it simply asked for and received the data from JetBlue Airlines and Northwest Airlines, which were both eager to help out.

But when government watchdogs subsequently asked the government about the purpose and legality of one of those transfers, government agencies -- from the Transportation Security Administration to the Pentagon -- responded with a wall of silence and a series of delays.

The Transportation Security Administration, or TSA, which asked JetBlue to hand over millions of passenger records to a defense contractor, originally seemed open to revealing its role in the scandal.

Nuala O'Connor Kelly, the chief privacy officer for the TSA's parent agency, the Department of Homeland Security, announced an investigation into what role the TSA played in the transfer in September, just days after JetBlue admitted it had violated its privacy policy by turning over 4.9 million passenger records to Torch Concepts, a Pentagon contractor.

Torch, with the approval of JetBlue, then enriched the data with sensitive personal information, such as Social Security numbers and income levels, which it purchased from Acxiom, a huge data-marketing firm based in Arkansas. Torch, ostensibly under contract with the Army to study ways to increase base security, then investigated the feasibility of using its data-mining algorithms to develop a profiling system that could identify terrorists before they board airplanes.

The TSA has maintained it never actually possessed the records and that the study was unconnected to CAPPS II, its ongoing effort to create an airline passenger-screening system that uses commercial records to vet travelers before they fly.

O'Connor Kelly promised to make her report available to Congress and the public within weeks, then later revised that goal to Christmas.

Now, having missed two deadlines, O'Connor Kelly says her organization still has documents to pore over.

"We are continuing to review the documents and hope to have a report out very soon," O'Connor Kelly said.

O'Connor Kelly, who was not employed by the government at the time of the JetBlue transfer, said she intends for her report to lay out what procedures Homeland Security officials should follow when requesting data from corporations in the future.

In late September, the TSA agreed the JetBlue transfer raised questions about government misbehavior, and granted expedited processing to a freedom of information, or FOIA, request from the Electronic Privacy Information Center.

But four months later, the agency has yet to release a single document.

Even though EPIC worked with the TSA to narrow its request in order to simplify processing, the group has not heard from the TSA since its request was granted Sept. 30, according to Marcia Hofmann, an EPIC lawyer.

"Apparently the TSA isn't being very forthcoming," Hofmann said.

An official at the FOIA office blamed the delay on the Office of National Risk Assessment (PDF), a little-known component of the TSA.

That office, which is deeply involved in the development of CAPPS II, has not responded to the Freedom of Information Office's repeated requests for documents, according to one Freedom of Information employee.

Transportation Security Administration spokesman Mark Hatfield did not respond to several requests for comment on the delay.

Privacy groups also have been pressing the Army to understand why it funded a study into airline passenger-screening technology.

The Pentagon responded to FOIA requests about its involvement by bouncing the requests from office to office, finally transferring responsibility for the requests to the Office of the Chief Attorney at the Pentagon.

Since gaining jurisdiction in November, the Office of the Chief Attorney has failed to respond to requests for expedited processing, a violation of the Freedom of Information Act.

The American Civil Liberties Union, which is trying to determine if the Army's project had any links to the Total Information Awareness program, has yet to get any response from the Pentagon, according to Barry Steinhardt, who heads the group's Technology and Liberty Program.

"We don't know who authorized the project or who else got their hands on the data," Steinhardt said. "This study would have occurred at the time the Total Information Awareness program was at its glory. We want to know if the fine hand of the TIA was here or not."

An employee in the chief attorney's office left a voicemail for Wired News saying the delay stems from the number of documents involved.

The chief attorney's office is not the only part of the Pentagon reluctant to share information.

The Army's Office of the Inspector General launched an internal investigation into the study in November, following a letter sent to Defense Secretary Donald Rumsfeld by Sens. Susan Collins (R-Maine), Joe Lieberman (D-Connecticut) and Carl Levin (D-Michigan).

In that letter, the three senators questioned whether the Pentagon complied with the Privacy Act, which requires that government agencies and their contractors notify the public when a system of records is created.

The scope, depth and progress of the investigation are unknown at this time, as the office has not responded to Wired News' multiple requests for information.

The office also has not yet briefed the Senate Governmental Affairs Committee, though a briefing has been requested, according to Leslie Phillips, a Lieberman spokeswoman.

For their part, regulators at the Federal Trade Commission still may be looking into whether JetBlue and Acxiom's actions constituted deceptive business practices for which they could be fined. The FTC, as standard practice, does not comment on investigations until they are completed. As of Jan. 15, however, the commission had not issued a closing letter to either company, which means the commission either never launched investigations or its investigations are ongoing.

One federal office, however, has been timely about responding to requests for information. In late October, the inspector general's office at the Department of Transportation (the parent agency of the TSA before the creation of the Department of Homeland Security) said it identified 18 pages of documents relating to Torch.

The office found a one-page audit work paper, which it withheld from release as being "predecisional."

The other 17 pages, according to the office, contain sensitive information about Torch's business and, in accordance with federal law, will be released only if Torch allows it.

posted by prof_booty | 10:13 AM