http://www.wired.com/news/privacy/0,1848,65699,00.html?tw=3Dwn_tophead_3
http://www.wired.com/news/print/0,1294,65699,00.html
By Ryan Singel
Story location:
http://www.wired.com/news/privacy/0,1848,65699,00.html
Homeland security officials accidentally revealed on Friday that the
Transportation Security Administration will soon officially order
America's airlines to turn over a month of passenger data to test a
new passenger screening system.
The final rule ordering the airlines to provide data on all June 2004
domestic flights will be issued formally on Monday by the
Transportation Security Administration. The airlines must comply by
Nov. 23.
The TSA announced in late September its intention to order all 72
domestic airlines to turn over the passenger records -- which can
include credit card numbers, phone numbers, addresses and health
conditions -- in order to stress-test a centralized passenger
screening system called "Secure Flight."
Currently, passengers are screened by the airlines, which check
itineraries against a set of watch lists provided by the government.
The TSA hopes to reduce the number of people flagged incorrectly by
performing the checks itself using data fed to it by the airlines and
a centralized terrorist watch list.
Over 500 citizens and organizations commented on the order, most
expressing opposition to the planned test and the system itself. Civil
liberties advocates strongly opposed the order, citing privacy
concerns and the proposed use of commercial credit databases to verify
passengers' identification.
The airline industry's response, published after the comment period
officially ended, was less visible, but was not much more supportive
than most of the other comments. The airlines prefaced their criticism
by saying they wanted to work with the TSA, but went on to contend
that the order would be expensive and would force them to choose
between complying with an American anti-terrorism program or rejecting
European privacy laws -- which could potentially prevent them from
flying there.
The airlines' trade and lobbying organization, the Air Transport
Association, initially expressed concerns that the order was
technically inadequate and its legal status unclear.
The airlines also questioned whether the government had clearance from
European Union officials to use data about European citizens.
"Our concern is understandable: Airlines cannot be subject to the
potentially conflicting demands of TSA's Secure Flight test program
and European (or other nations') data protection requirements," wrote
ATA Deputy General Counsel James L. Casey. "This clarification is
indispensable because U.S. airlines are subject to severe civil and
criminal penalties in EU member states if we violate the EU data
privacy directive."
The final order specifies that airlines can exclude flight records
that include segments between the European Union and the United
States. But that may not be enough to protect the airlines from
European enforcement actions since the law also covers any European on
a domestic flight, if that person made the reservation from a computer
in the EU.
The TSA has briefed the European Commission about the exclusion of
international flights and the testing of Secure Flight, according to a
TSA official.
However, the agency has not received written permission to use
European data, as it did when it wanted to formally test CAPPS II, an
earlier version of the pre-screening system.
That version was scrapped after months of intense criticism of the
system by privacy advocates and successive revelations that airlines
had secretly turned over data to the agency and its contractors to
build the system. Those transfers may have violated the Privacy Act
and are the subject of two yet-unpublished Department of Homeland
Security investigations.
The airlines are not the only segment of the travel industry objecting
to the Secure Flight test and the program's development. The Business
Travel Coalition, an advocacy group for large corporate travel
purchasers, takes issue with the lack of notification to passengers.
"We agree with several of (the) privacy groups that these passengers
had no knowledge nor were given any ability to approve in advance that
their data would be used down the road," said BTC chairman Kevin
Mitchell. "In fact the expectation would have been the opposite of
what is happening."
The lack of notification shows the TSA's lack of transparency and
inclusiveness, according to Mitchell.
The TSA has been open, said spokeswoman Amy Von Walter, who points to
the TSA's notice and comment period for the test order, which were not
necessary by law. The TSA systematically responded to many criticisms
in the document published today, seeking to assure citizens and
interest groups that it was listening to their criticisms.
"TSA is aware of, and sensitive to, the need to preserve Americans'
freedom while pursuing better security," the agency wrote. "In
implementing a new security measure that affects these interests, it
is necessary to move deliberately and cautiously."
But Mitchell said outreach is not enough and that when the TSA decided
to brief his group on Secure Flight, it called on a Friday at 2
p.m. to inform him of a meeting at 3 p.m..
"Give me a break," Mitchell said. "That's not process, that's window
dressing."
Copyright 2004, Lycos, Inc. All Rights Reserved.
*** FAIR USE NOTICE. This message contains copyrighted material the use of
which has not been specifically authorized by the copyright owner. This
Internet discussion group is making it available without profit to group
members who have expressed a prior interest in receiving the included
information in their efforts to advance the understanding of literary,
educational, political, and economic issues, for non-profit research and
educational purposes only. I believe that this constitutes a 'fair use' of
the copyrighted material as provided for in section 107 of the U.S.
Copyright Law. If you wish to use this copyrighted material for purposes of
your own that go beyond 'fair use,' you must obtain permission from the
copyright owner, in this instance, Lycos, Inc.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml