American Airlines’ announcement Friday that it shared more than a million passenger itineraries with four government contractors reveals that Transportation Security Administration officials have repeatedly issued false statements about the development of the passenger-profiling system known as CAPPS II.
American Airlines joins a growing list of carriers that have come forth in recent months to say that they have shared massive amounts of information about their passengers with the TSA. For the past eight months, TSA officials have repeatedly said they were not collecting this data. But American’s disclosure raises questions about why the department has given false information about its data collection.
The TSA also may have withheld information improperly from investigators looking into the agency’s practices.
Nuala O’Connor Kelly, the Department of Homeland Security’s chief privacy officer, said she has launched a formal review of the American Airlines transfer. She said she did not know about these transfers when she issued a report in February about the TSA’s role in convincing JetBlue to share 5 million itineraries with an Army contractor in August 2002.
“My office will issue public findings, hopefully quickly,” O’Connor Kelly said.
CAPPS II, which the TSA hopes to roll out by the end of the year, will check passenger information such as dates of birth and home phone numbers against commercial and government databases to help stop terrorists and those wanted for arrest from boarding planes.
To see if the system could work, the TSA asked American Airlines to share passenger information to help its contractors. American agreed and had its database company, Airline Automation, coordinate the transfer with the TSA. The agency then directed Airline Automation to send the data dump directly to its contractors. American says it never authorized that direct transfer, while Airline Automation says that American did.
By helping provide its contractors with private records on Americans, TSA officials likely violated the Privacy Act, which requires government agencies or their contractors to publicly disclose the existence of databases on Americans. Not providing that notice is a misdemeanor, punishable by up to a $5,000 fine.
According to the criteria set forth in O’Connor Kelly’s JetBlue report, it is likely she will find that the TSA violated the letter of the law in this instance.
“Existing Privacy Act processes require government contractors to abide by Privacy Act rules,” she wrote in a report (PDF) that criticized TSA officials for violating the spirit of the Privacy Act.
After the JetBlue transfer was brought to public attention, TSA spokesman Brian Turmail told Wired News that the TSA had never used passenger records for testing CAPPS II, nor had it provided records to its contractors.
But American Airlines said Friday afternoon that it did share 1.2 million passenger records in June 2002 with four government contractors working on CAPPS II. Those companies are HNC Software (now Fair Isaac), Infoglide Software, Ascent Technology and defense contractor Lockheed Martin.
Each received between $225,000 and $550,000 from the TSA in 2002 to test computer algorithms they hoped would be able to pinpoint terrorists’ travel plans, according to a 2002 Washington Post story. The details of the Post story were later confirmed by a TSA spokesman.
American Airlines is the third major domestic airline to admit sharing vast amounts of customer information to aid government data-mining efforts, following JetBlue’s admission in September 2003 and Northwest Airlines’ admission in January. Both Northwest and American gave false information to the press in the wake of the JetBlue scandal, saying they had never turned over information about their passengers.
04/12/2004 Ryan Singel, wired.com