Homeland Security Officials Release Findings In Self-Investigation

The TSA didn't break the letter of the law when it asked JetBlue for access to passenger records. DHS wanted to turn them over to a contractor working on the development of the Base Security Enhancement program, designed to assess the terror risk to military facilities worldwide. But the Department of Homeland Security says the TSA pushed the edge of the envelope when it asked for the records and didn't notify the public.

The investigation centered on a company called Torch Concepts, based in Huntsville (AL). Executives there sent a proposal to the Defense Department, suggesting the use of personal data to profile those seeking access to military bases. It wanted to use passenger information for developing and testing the concept.

If that sounds suspiciously like CAPPS II, DHS says it's very much the same concept. In fact, CAPPS II, the controversial project to profile passengers and assign them color-coded risk labels, was being developed at the same time, shortly after the 9/11 attacks. But DHS says TSA wanted to keep the two projects separate.

The DHS investigation report says, on July 30, 2002, a "relatively new" employee at TSA sent a letter to JetBlue, asking for archived passenger records. The airline ended up turning over more than five million individual passenger records based on the request. That, DHS suspected when it began the investigation, might have violated the Privacy Act of 1974, which requires public notice whenever a new records system is created.

But Wired News, which broke the JetBlue story five months ago, reports DHS Chief Privacy Officer Nuala O'Conner decided the request wasn't illegal. Why? While she says the TSA worker "acted without appropriate regard for individual privacy interests or the spirit of the Privacy Act" and "arguably misused" the TSA's oversight authority over JetBlue to encourage data sharing, the Torch Concepts project wasn't directly related to TSA's mandate and didn't directly involve CAPPS II.

"No Privacy Act violation by TSA employees occurred in connection with this incident," said the DHS finding. "There is no evidence that any data were provided directly to TSA or its parent agency at the time, DOT. On the contrary, the evidence demonstrates that passenger data were transferred directly by jetBlue’s contractor, Acxiom, to Torch Concepts. As a result, the Privacy Act of 1974, which regulates the Federal Government’s collection and maintenance of personally identifiable data on citizens and legal permanent residents, does not appear to have been violated by TSA actions. Because TSA did not receive passenger data, no new system of records under the Privacy Act was established within TSA, nor was any individual’s personal data used or disclosed by TSA, its employees or contractors, in violation of the Privacy Act."

That's not to say that the Defense Department in general and the Army in particular didn't violate the Privacy Act. The DHS strongly implies the Army did indeed violate that law.

"The TSA employees involved acted without appropriate regard for individual privacy interests or the spirit of the Privacy Act of 1974. In doing so, it appears that their actions were outside normal processes to facilitate a data transfer, with the primary purpose of the transfer being other than transportation security. Such sharing exceeds the principle of the Privacy Act which limits data collection by an agency to such information as is necessary for a federal agency to carry out its own mission. While these actions may have been well intentioned and without malice, the employees arguably misused the oversight capacity of the TSA to encourage this data sharing."

"The department must seek to strike the right balance between security and privacy interests," said Senator Sue Collins (R-ME). "In this case, the TSA employees involved compromised the privacy interests of individuals without adequate justification."

The Army is now conducting its own investigation. But what about the TSA "new guy" who apparently skirted the Privacy Act by obtaining JetBlue records for DoD? It would appear that employee will receive a relatively minor slap on the wrist.

"The TSA employees involved, must, at a minimum, attend substantial Privacy Act and privacy policy training and must certify such training to the satisfaction of the DHS Privacy Office," according to the report.

FMI: www.dhs.gov/interweb/assetlibrary/PrivacyOffice_jetBlueFINAL.pdf