From the July 2005 Idaho Observer:

DHS to investigate itself for possible data collection laws violations

WASHINGTON, D.C.—The Department of Homeland Security (DHS) is investigating itself to determine whether the agency violated privacy laws while failing to admit hacking into commercial databases to enhance its airline passenger screening program.

The investigation also will test to see if its own database security system "Secure Flight" can be hacked into, said DHS security officer Nuala O’Connor-Kelly.

Some commercial data vendors have had security breaches by entities other than DHS. "We need to give a hard look at any program that collects information on Americans," said O’Connor-Kelly.

The Privacy Act of 1974 prohibits the government from keeping secret databases and requires that it publicly disclose its use of privately-collected information.

The official in charge of Secure Flight told reporters that the government will update its description of records kept for the program. Transportation Security Administration spokesman Justin Oberman claimed information from private databases will not be fed into a central repository and will be deleted from DHS records within a day or two, he said in early July.

Though the DHS has publicly stated it will not pursue the "Total Information Awareness" program wherein it would be amassing comprehensive electronic dossiers on everyone known to be alive, it is hard to believe that it would just "delete" information it has accumulated for domestic security purposes.

In November, the TSA published a rule change in the Federal Register noting that it would not access or use commercial data.

Tim Sparapani, a privacy rights lawyer for the American Civil Liberties Union, said,

"The great question about this program is whether the program is effective, number one, but also whether TSA and commercial data brokers can be trusted to safeguard passengers’ most sensitive personal information. TSA has shown a repeated, consistent failure to act with appropriate care and concern for that data."

Under Secure Flight, the government automatically would check every airline passenger’s name against terrorist watch lists. But efforts to develop Secure Flight have been slowed by revelations that airlines gave the government information about passengers without their permission or knowledge.

Class-action laws suits have been brought against airlines and government contractors for sharing passenger information. As a result, airlines only agreed to turn over passenger data for testing after they were ordered to do so by the government.

One of the TSA’s subcontractors that is now providing commercial data for testing of Secure Flight is Arkansas-based Acxiom Corp. The company shared information about JetBlue Airways’ passengers with a defense contractor in 2002.

Oberman said the TSA is testing passenger information against commercial data to see if that would improve the agency’s ability to match names against watch lists by confirming people’s identity.

In March, a separate government investigation found that the TSA misled the public about its role in getting detailed information on 12 million airline passengers to test its airline screening software.