Wednesday, January 10, 2007

Secure Flight Privacy Report

The Privacy Office of the US Department for Homeland Security released a report on the Secure Flight air passenger monitoring program just before Christmas. Summary:

"The Department of Homeland Security (DHS) Privacy Office conducted a review of the Transportation Security Administration's (TSA) collection and use of commercial data during initial testing for the Secure Flight program that occurred in the fall 2004 through spring 2005. The Privacy Office review was undertaken following notice by the TSA Privacy Officer of preliminary concerns raised by the Government Accountability Office (GAO) that, contrary to published privacy notices and public statements, TSA may have accessed and stored personally identifying data from commercial sources as part of its efforts to fashion a passenger prescreening program.

These new concerns followed much earlier public complaints that TSA collected passenger name record data from airlines to test the developmental passenger prescreening program without giving adequate notice to the public.1 Thus, the Privacy Office’s review of the Secure Flight commercial data testing also sought to determine whether the data collection from air carriers and commercial data brokers about U.S. persons was consistent with published privacy documents.

The Privacy Office appreciates the cooperation in this review by TSA management, staff, and contractors involved in the commercial data testing. The Privacy Office wishes to recognize that, with the best intentions, TSA undertook considerable efforts to address information privacy and security in the development of the Secure Flight Program. Notwithstanding these efforts, we are concerned that shortcomings identified in this report reflect what appear to be largely unintentional, yet significant privacy missteps that merit the careful attention and privacy leadership that TSA Administrator Kip Hawley is giving to the development of the Secure Flight program and, in support of which, the DHS Acting Chief Privacy Officer has committed to provide Privacy Office staff resources and privacy guidance."

Findings:

"As ultimately implemented, the commercial data test conducted in connection with the Secure Flight program testing did not match TSA's public announcements. Part of the reason for this discrepancy is the fact that the Fall Privacy Notices were drafted before the testing program had been designed fully. However well-meaning, material changes in a federal program's design that have an impact on the collection, use, and maintenance of personally identifiable information of American citizens are required to be announced in Privacy Act system notices and privacy impact assessments. In addition, not meeting these requirements can significantly impair a program's credibility.

The creation of an effective program requires contributions from operational personnel as well as policy and legal advisors. To be most successful, all groups must have effective communications and coordination. Given the disparity between the published Fall Privacy Notices that explained the commercial data test for Secure Flight and the actual testing program that was conducted, it seems readily apparent that closer consultation and better coordination at key decision points between the Secure Flight program office and TSA legal, policy, and privacy offices was needed. While this may have been due to short deadlines and resource constraints, the end result was that TSA announced one testing program, but conducted an entirely different one.

To TSA’s credit, after being informed of this significant discrepancy, TSA revised and reissued the SORN and PIA to reflect more closely the testing program’s conduct. Additionally, throughout the commercial data test, TSA made the security of the commercial data a high priority. TSA expressly prohibited the commercial entities
involved in testing from maintaining or using the PNR for any purpose other than Secure Flight testing, and it instituted real-time auditing procedures and strict rules for TSA access to the data. This was certainly challenging given the complex and changing nature of the program.

Whatever the causes, however, the disparity between what TSA proposed to do and what it actually did in the testing program resulted in significant privacy concerns being raised about the information collected to support the commercial data test as well as about the Secure Flight program. Privacy missteps such as these undercut an agency's effort to implement a program effectively, even one that promises to improve security."

Recommendations:

"Based on its extensive review of the commercial data test, the Privacy Office offers the following recommendations for Secure Flight. These can also serve as guideposts for any Departmental initiative that involves the collection, use, and maintenance of personally identifiable information:

1. Privacy expertise should be embedded into a program from the beginning so that program design and implementation will reflect privacy-sensitive information handling practices.

2. Programs should create a detailed "data flow map" to capture every aspect of their data collection and information system life cycle. Such an exercise will help produce accurate public documents explaining program compliance with the fair information practices principles of the Privacy Act of 1974, which must guide collection and use of personally identifiable data in the government space.

3. Good communications and collaborative coordination between operational personnel and policy, privacy, and legal advisors are essential in order to ensure that key documents explaining an information collection program are accurate and fully descriptive.

4. Programs that use personal information succeed best if the public believes that information to be collected is for a necessary purpose, will be used appropriately, will be kept secure, and will be accessible for them to review. To obtain such public trust requires the transparency and accountability that can be reflected in careful drafting of publicly available SORNs and PIAs.

5. Privacy notices should be written and published only after the design of a program or a program phase has been fully described in writing and decided upon by authorized program officials;

6. Privacy notices should be revised and republished when program design plans change materially or a new program phase is going to be launched; and

7. Program use of commercial data must be made as transparent as possible and explained in as much detail as is feasible."

It's an important report especially given the recent formal agreement between the EU and US re-introding the transfer of EU airline passenger name records to the US security authorities, though sadly it will probably only register on the radar of PNR or civil liberties geeks.

No comments: