Sunday, 2 May 2004

More fallout from American Airlines' CAPPS-II testing scandal

Since American Airlines' late-afternoon, Good Friday confirmation of my reports that they had given millions of passenger reservation records to 4 teams of CAPPS-II contractors in 2002, I've had no response to my requests for comment from Amadeus, the EU-based CRS and parent company of Airline Automation, which I'd previously asked specifically about Airline Automation's privacy policies, use of PNR's from their archives for passenger profiling tests, and EU privacy law. But Airline Automation's statement has continued the finger-pointing begun by American Airlines as to who was responsible.

And the same law firm that is representing passengers in some of the lawsuits against both jetBlue Airways and Northwest Airlines has already filed a similar lawsuit against American Airlines in its home town of Dallas, TX. The lawsuit also names as defendants Airline Automation, Inc. -- the first time any of the CRS's or their subsidiaries have been sued for privacy violations, so far as I can tell, although Air Auto wasn't yet an Amadeus division in 2002 when it turned over the data at issue in the suit -- and all four of the lead companies in the teams of CAPPS-II contractors.

Meanwhile, Ryan Singel's articles in Wired News here (see especially page 2 of the article) and here chronicle exactly how:

American Airlines' announcement Friday that it shared more than a million passenger itineraries with four government contractors reveals that Transportation Security Administration officials have repeatedly issued false statements about the development of the passenger-profiling system known as CAPPS II.

Singel recounts statements to him by two different TSA spokespeople (now known to be have been false, albeit not necessarily knowingly false), as well as the categorical statement, also false, by the TSA's then administrator, Admiral Loy, in a written response to questions raised during his Senate confirmation hearing as Deputy Secretary of Homeland Security:

No. TSA has not used any (passenger) data to test any of the functions of CAPPS II.

(Word to the wise: if you're going to lie, don't do it in writing to Congress or the Senate.)

The TSA and DHS apparently made the same (false) claim to investigators from the General Accounting Office, who reported it in their assessment of CAPPS-II. And DHS Chief Privacy Apologist (as she has been dubbed by DontSpyOn.US) Nuala O'Connor Kelly, who has promised yet another "investigation" (whitewash?) by her office, made the same (false) claim to me when I asked her in November 2003 about the millions of PNR's given to the 4 teams of CAPPS-II contractors in 2002.

Senators, not surprisingly, aren't amused, and Senate Governmental Affairs Committee Chairman Susan Collins (R-ME) and Ranking Minority Member Joe Lieberman (D-CT) have requested answers from the DHS to a long list of questions about what happened, why the Senate and the GAO were misinformed, and what USA laws and regulations may have been violated.

It's possible that the Chief Privacy Officer of the DHS, the Administrator of the TSA, the official spokespeople for the TSA, and the GAO investigators and/or those they interviewed, (1) knew that what they were saying was false, and lied about it, or (2) were deliberately deceived by others, and lacked the oversight authority, competence, or diligence to discover the deception.

Electronic Frontier Foundation staff attorney Kevin Bankston makes the same point in an article last week, TSA and CAPPS II -- Anatomy of a Cover Up :

Our conclusion: Either TSA has been lying to us about CAPPS II, or its officers are incompetent.

We'll be charitable to the officers and assume that TSA lied....

TSA flatly denied possessing real passenger data or using it to test CAPPS II....

TSA made these denials to the press; to its bosses at the Department of Homeland Security (DHS) when the department was investigating the JetBlue scandal; to the General Accounting Office (GAO) when it was investigating CAPPS II. It even told Congress directly that it never used real passenger records for CAPPS II testing.

Yet now we can draw no other conclusion than that TSA lied....

Despite all of this, we are expected to trust TSA with a comprehensive database of all our personal travel details....

We're not buying it, and we don't think you should, either.

Regardless of whether they were lying or simply incompetent, the fact that the highest officials within the TSA and DHS, as well as Congress and its investigators in the GAO, could be deceived about the wholesale transfer to the TSA and multiple contractors of reservation records on millions of travellers and tens of thousands of travel agents strongly contradicts the DHS/TSA claims that their agencies are capable of policing their ownb privacy and data protection practices.

Members of the European Parliament (MEP's), as well as officials in Canada and other countries, are likely to see confirmation in the latest revelations of the need -- as their laws require, and as they have been insisting on all along -- for the USA to enact privacy protections for travel data into Federal law, enforcable by judicial process and authority independent of the agencies themselves, before they agree to allow their citizens' data to be sent to commercial or government entities in the USA.

I would have liked to ask Ms. O'Connor Kelly about this at CFP 2004 , where she participated by telephone in the panel on profiling and CAPPS-II. But the phone connection was dropped (a genuine coincidence, I think) just as I got to the microphone, and restored only after I sat down.

Ms. O'Connor Kelly focused her remarks at CFP on the solicitation of applications for a new DHS Data Integrity, Privacy, and Interoperability Advisory Committee; applications and the committee charter are on the DHS Privacy Officer's Web site. The original deadline for applications was 30 April 2004, but that has new been extended until 15 May 2004. (I've applied, of course.)

Ms. O'Connor Kelly repeated a number of other false claims -- that she should by now know are false -- in her presentation and her responses to questions form others at the CFP session.

Specifically, she continued to claim that all airline passengers already have reservations containing their full names, individual home addresses, and home phone numbers, when everyone the TSA has ever spoken with from the airline reservations industry has told them none of these items are necessarily included.

This was detailed in my comments on the CAPPS-II Privacy Act notices, which she had in front of her and assured me she had read carefully when we met in November 2003.

I'm not sure whether she was lying then when she told me she had read my comments, didn't understand them (but claimed she did), didn't believe them and thought she knew more about reservations than an experienced travel consultant (despite, so she herself claimed, never having seen the contents of an actual PNR), or was lying when she claimed at CFP 2004 that all passengers already have reservations containing each of these items.

She also assured John Gilmore in the CFP session that all the comments filed with her office on the CAPPS-II Privacy Act notice had been posted on her Web site. But I keep finding additional comments, posted by their authors, that haven't showed up on the DHS Web site.

Among others that I've turned up recently are those of the Association of Corporate Travel Executives (ACTE), which more recently submitted written testimony to Congress against CAPPS-II, and the extremely interesting comments of the National Center for Transgender Equality on identification and discrimination porblems inherent in profiling based on historical records of attributes that may have changed, as well as the privacy and safety of those singled out for more intrusive searches.

Link | Posted by Edward on Sunday, 2 May 2004, 23:23 (11:23 PM) | TrackBack (0)
Comments
Post a comment









Save personal info as cookie?