Department of Homeland Security violated privacy

AP

The Department of Homeland Security (DHS) admitted it violated the Privacy Act two years ago by obtaining more commercial data about US airline passengers than it had announced it would.

Seventeen months ago, the government accountability office (GAO), Congress' auditing arm, reached the same conclusion -- the department's transportation security administration (TSA) "did not fully disclose to the public its use of personal information in its fall 2004 privacy notices as required by the Privacy Act."

Even so, in a report on Friday on the testing of TSA's Secure Flight domestic air passenger screening program, the DHS privacy office acknowledged TSA did not comply with the law.

Instead, the privacy office said: "TSA announced one testing program, but conducted an entirely different one."

In a 40-word, separate sentence, the report noted that federal programs that collect personal data that can identify Americans "are required to be announced in Privacy Act system notices and privacy impact assessments."

TSA spokesman Christopher White noted the GAO's earlier conclusions and said: "TSA has already implemented or is in the process of implementing each of the DHS privacy office recommendations."

Friday's report reinforced concerns on Capitol Hill.

"This further documents the cavalier way the Bush administration treats Americans' privacy," said Senator Patrick Leahy, the democrat who is set to become Senate Judiciary Committee chairman next month.

"With this database program, first they ignored the Privacy Act, and now, two years later, they still have a hard time admitting it," he said.

The privacy office said TSA announced in fall 2004 it would acquire passenger name records of people who flew domestically in June 2004. Airline passenger name records include the flyer's name, address, itinerary, form of payment, history of one-way travel, contact phone number, seating location and even requests for special meals.

The public notices said TSA would try to match the passenger names with names on watch lists of terrorists and criminals.

But they also said the passenger records would be compared with unspecified commercial data about Americans in an effort to see if the passenger data was accurate. It assured the public that TSA would not receive commercial data used by contractors to conduct that part of the tests.

But the contractor, EagleForce, used data obtained from commercial data collection companies Acxiom, Insight America and Qsent to fill in missing information in the passenger records and then sent the enhanced records back to TSA on CDs for comparison with watch lists.

Eventually, the three companies supplied EagleForce with 191 million records, though many were duplicates.

This was "contrary to the express statements in the fall privacy notices about the Secure Flight program," the privacy office concluded.

"EagleForce's access to the commercial data amounted to access of the data by TSA," it said.