boston.com your connection to The Boston Globe

Agency admits violating privacy

TSA mined more data on travelers than announced

Senator Leahy supports checks for data-mining programs.

WASHINGTON -- The Homeland Security Department conceded yesterday that it violated the Privacy Act two years ago by obtaining more commercial data about US airline passengers than it had announced it would.

Seventeen months ago, the Government Accountability Office, the auditing arm of Congress, reached the same conclusion: The department's Transportation Security Administration "did not fully disclose to the public its use of personal information in its fall 2004 privacy notices as required by the Privacy Act."

In a report yesterday on the testing of TSA's Secure Flight domestic air passenger screening program, the Homeland Security Department's privacy office acknowledged that the TSA didn't comply with the law.

But the privacy office couldn't bring itself to use the word "violate."

Instead, the privacy office said, "TSA announced one testing program, but conducted an entirely different one." The report noted that federal programs that collect personal data that can identify Americans "are required to be announced in Privacy Act system notices and privacy impact assessments."

Spokesman Christopher White said the agency has begun to implement the Homeland Security privacy office recommendations.

Congress has been unhappy with the agency's domestic airline screening program for years -- since it was called CAPPS II before it was tweaked and renamed Secure Flight.

Federal law now bars the TSA from implementing a domestic screening system until the accountability office is satisfied it can meet 10 standards of privacy protection, accuracy, and security.

Secure Flight has never passed all those tests, and White said there is no target date for implementing it.

"We are more concerned with getting it right," White said.

Yesterday's report reinforced concerns on Capitol Hill.

"This further documents the cavalier way the Bush administration treats Americans' privacy," said Senator Patrick J. Leahy, Democrat of Vermont, who is set to become Senate Judiciary Committee chairman in January. "With this database program, first they ignored the Privacy Act, and now, two years later, they still have a hard time admitting it."

Leahy promised that the new Congress will try to learn more about how the administration uses such databases.

"Data-mining technology has great potential, but history shows that without adequate checks and balances and oversight, misuse and abuse of the public's personal information will be inevitable," Leahy said.

Characterizing the Secure Flight problems as "largely unintentional," the privacy office attributed them to TSA's failure to revise the public announcement after the test changed.

The privacy office said TSA announced in fall 2004 it would acquire passenger name records of people who flew domestically in June 2004. Those records include the flier's name, address, itinerary, form of payment, history of one-way travel, phone number, seating location, and even requests for special meals.

The public notices said TSA would try to match the passenger names with names on watch lists of terrorists and criminals.

The passenger records also were to be compared with unspecified commercial records to see whether the passenger information was accurate.
