December 22, 2006 12:31 PM PST
Feds: Homeland Security project didn't protect privacy
- Related Stories
Homeland Security chief defends Real ID planDecember 14, 2006
Peter Pietra's mission impossibleMay 15, 2006
DHS scores F on cybersecurity report cardMarch 16, 2006
NORAD orders Web deletion of transcriptMarch 9, 2006
GAO: Security agency broke privacy lawsJuly 25, 2005
FAQ: How Real ID will affect youMay 6, 2005
Homeland Security panel picks controversial chiefApril 6, 2005
Feds order airlines to divulge passenger detailsSeptember 21, 2004
The Transportation Security Agency, operating under the auspices of Homeland Security, had publicly pledged two years ago--in official notices describing the Secure Flight program--that it "will not receive" or have access to dossiers on American travelers compiled by a Beltway contractor.
That promise turned out to be untrue, according to a report published Friday by DHS' privacy office. The commercial data "made its way directly to TSA, contrary to the express statements in the fall privacy notices about the Secure Flight program," the report says. (Click on "Secure Flight Report" to view a PDF version.)
The report, and a second one critiquing a government database called Matrix, was released on the last business day before Christmas, a tactic that federal agencies and publicly traded companies sometimes use to avoid drawing attention to critical findings. Neither report appears on the DHS.gov or TSA.gov home pages, or even on the home page of the DHS privacy office, but rather was linked to from a subpage on the DHS privacy site.
Jim Harper, a policy analyst with the free-market Cato Institute who serves on a Homeland Security advisory panel, said the reports show that the department needs to pay far more attention to privacy. "They didn't think ahead. They didn't study. They didn't pay attention to the privacy issues," Harper said. "It may need to be hammered home many more times."
Secure Flight was born in September 2004 when DHS ordered airlines to hand over the complete records of all passengers who traveled on a domestic flight in the month of June--which were in turn linked with information on those passengers drawn from commercial databases. (Secure Flight, which was put on hold in February in large part because of privacy concerns, was the successor to DHS' Computer Assisted Passenger Prescreening System.)
The agency's Secure Flight contractor, a McLean, Va.-based company called EagleForce, bought databases with personal information on Americans from three data-mining firms: Acxiom, Insight America and Qsent. The data included U.S. citizens' names, gender, spouse's names, address, date of birth, and in some cases Social Security numbers.
The report from the Homeland Security privacy office takes pains to say that the privacy compromises over Secure Flight were "not intentional," and includes a list of seven recommendations to avoid similar mishaps in the future. Those include explaining to the public exactly what's going on and creating a "data flow map" to ensure information is handled in compliance with the 1974 Privacy Act.
This isn't the first report to take issue with Secure Flight. Last year, auditors at the U.S. Government Accountability Office reported that the program violated the Privacy Act.
A Matrix post-mortem
The second report released Friday represents a postmortem of a defunct project called the Matrix, or the Multistate Anti-Terrorism Information Exchange. Matrix ended in April 2005. (Click on "Matrix Report" for a PDF version.)
DHS provided most of the funding for Matrix, $8 million in 2003, with the Department of Justice tossing in $4 million. Operated by Seisint, which is now part of LexisNexis, the pilot project involved information sharing between state government, federal government, and commercial databases. At least 13 states participated, including California, Texas and New York.
Also raising questions was the unwillingness of LexisNexis and the participating governments to give a complete list of information accessible through Matrix. But a page captured by Archive.org from the former Matrix-at.org Web site lists records from criminal histories, driver's licenses and motor vehicle registrations, court documents, property ownership, professional licenses, and commercial databases including telephone directories. Other reports have said Social Security numbers, speeding tickets, and family members also are included.
The ACLU had been one of Matrix's most vocal critics. It charged that Matrix was "dangerous and Orwellian" and represented an intrusive data-mining program on innocent Americans.