Continuing Privacy Concerns Lead to Revamping of Secure Flight Program
Posted by Lance Koonce
Earlier today, the Transportation Security Administration (TSA) told Congress that it would be sending the Secure Flight program back for re-certification, citing privacy concerns raised by an internal audit. A transcript of the testimony of Assistant Secretary Kip Hawley before the Senate's Committee on Commerce, Science and Transportation can be found here.
The Secure Flight program is the Department of Homeland Security's proposed passenger prescreening system. As envisioned, Secure Flight would be used by the government to compare passenger name records against information compiled by the Terrorist Screening Center, including "no fly" lists.
As we reported previously, last summer the Government Accountability Office (GAO) released a report criticizing the Transportation Security Administration because it found that the Secure Flight Program was in violation of the Privacy Act. For instance, the GAO found that a TSA contractor had collected millions of commercial data records containing individuals' personal information without informing the public. While the TSA responded by issuing revised privacy notices to more fully disclose the nature of Secure Flight Program tests and address privacy issues, as we further reported, the TSA simultaneously began pressing aggressively for funding in the 2006 homeland security appropriations bill that would have allowed Secure Flight to use background checks and profiling to help determine if an airline passenger was a terrorist.
In September, in advance of a confidential report by a working group of experts appointed by the TSA that further criticized the program's privacy efforts, the TSA scrapped a plan to use information collected in commercial databases (e.g., drivers and credit history) to verify the accuracy of information provided by travelers.
The recent internal IT system security audits of all TSA credentialing and vetting programs, performed by TSA's Information Technology Office, apparently revealed similar problems to those identified by the GAO report. As a result, Assistant Secretary Kip Hawley told Congress:
Rather than address each identified weakness on its own, I have directed that the Secure Flight IT systems go through the comprehensive recertification process, pursuant to Federal Information Security Management Act (FISMA) requirements. This action and the others we are taking, I believe is compatible with GAO's suggestion that we re-baseline the program and insure that we use technology development best-practices in management, security, and operations. While the Secure Flight regulation is being developed, this is the time to ensure that Secure Flight's security, operational and privacy foundation is solid.
We will move forward with the Secure Flight program as expeditiously as possible, but in view of our need to establish trust with all of our stakeholders on the security and privacy of our systems and data, my priority is to ensure that we do it right...not just that we do it quickly. When I appeared before this Committee during the confirmation process, I said that I believe programs like Secure Flight should be built from a strong privacy foundation as a starting point as opposed to building it and then adding privacy. The approach I just outlined will accomplish that.
Security and privacy are necessary ingredients of each other and are not opposite ends of the spectrum. TSA will approach all of its programs with that in mind.
News report on TSA's decision here.
