This story can only support what I already know. The TSA is CORRUPT and MORALLY BANKRUPT.(Management and Administration, that is)
By Bruce Schneier, Schneier.com. Posted July 27, 2005.
Last Friday, the GAO issued a new report [PDF link] on Secure Flight. It's couched in friendly language, but it's not good:
During the course of our ongoing review of the Secure Flight program, we found that TSA did not fully disclose to the public its use of personal information in its fall 2004 privacy notices as required by the Privacy Act. In particular, the public was not made fully aware of, nor had the opportunity to comment on, TSA's use of personal information drawn from commercial sources to test aspects of the Secure Flight program. In September 2004 and November 2004, TSA issued privacy notices in the Federal Register that included descriptions of how such information would be used. However, these notices did not fully inform the public before testing began about the procedures that TSA and its contractors would follow for collecting, using, and storing commercial data. In addition, the scope of the data used during commercial data testing was not fully disclosed in the notices. Specifically, a TSA contractor, acting on behalf of the agency, collected more than 100 million commercial data records containing personal information such as name, date of birth, and telephone number without informing the public. As a result of TSA's actions, the public did not receive the full protections of the Privacy Act.
Get that? The TSA violated federal law when it secretly expanded Secure Flight's use of commercial data about passengers. It also lied to Congress and the public about it.
Much of this isn't new. Last month we learned that "the federal agency in charge of aviation security revealed that it bought and is storing commercial data about some passengers -- even though officials said they wouldn't do it and Congress told them not to."
Secure Flight is a disaster in every way. The TSA has been operating with complete disregard for the law or Congress. It has lied to pretty much everyone. And it is turning Secure Flight from a simple program to match airline passengers against terrorist watch lists into a complex program that compiles dossiers on passengers in order to give them some kind of score indicating the likelihood that they are a terrorist.
Which is exactly what it was not supposed to do in the first place.
My fear is that TSA has already decided that they're going to use commercial data, regardless of any test results. And once you have commercial data, why not build a dossier on every passenger and give them a risk score? So we're back to CAPPS-II, the very system Congress killed last summer. Actually, we're very close to TIA (Total/Terrorism Information Awareness), that vast spy-on-everyone data-mining program that Congress killed in 2003 because it was just too invasive.
Secure Flight is a mess in lots of other ways, too. A March GAO report[PDF link] said that Secure Flight had not met nine out of the ten conditions mandated by Congress before TSA could spend money on implementing the program. (If you haven't read this report, it's pretty scathing.) The redress problem -- helping people who cannot fly because they share a name with a terrorist -- is not getting any better. And Secure Flight is behind schedule and over budget.
It's also a rogue program that is operating in flagrant disregard for the law. It can't be killed completely; the Intelligence Reform and Terrorism Prevention Act of 2004 mandates that TSA implement a program of passenger prescreening. And until we have Secure Flight, airlines will still be matching passenger names with terrorist watch lists under the CAPPS-I program. But it needs some serious public scrutiny.
Security technologist and expert Bruce Schneier is the founder and CTO of Counterpane Internet Security, Inc.