WASHINGTON, DC-Senate Governmental Affairs Committee Chairman Susan Collins (R-ME) and Ranking Member Joe Lieberman (D-CT) today called on the Department of Homeland Security’s Transportation Security Administration (TSA) to fully disclose which airlines it contacted and asked to provide passenger name record (PNR) data. TSA recently acknowledged its role in obtaining sensitive data from JetBlue, and recent press reports indicate that American Airlines and potentially other carriers were asked to provide similar passenger information, possibly in violation of the Privacy Act. In a letter to Under Secretary for Border and Transportation Security Asa Hutchinson, the senators wrote,
“We are concerned by potential Privacy Act and other implications of this reported incident. From initial accounts, it appears that TSA requested PNR data from American Airlines for its own research purposes rather than merely requesting that data be provided to another agency, as occurred in the JetBlue matter. Moreover, TSA told the press, the General Accounting Office (GAO), and Congress that it had not used any real-world data to test CAPPS II. Indeed, a report on CAPPS II issued by GAO in February cited the lack of access to real world passenger data as a reason that testing had been delayed. According to the report, ‘TSA has only used 32 simulated passenger records’ to conduct limited testing. American Airlines has now indicated that it provided over one million passenger itineraries at TSA’s request, which raises the question of why agency officials told GAO that it did not have access to such data. “According to press reports, American Airlines authorized its vendor, Airline Automation, to provide TSA with one week’s worth of PNR data on its customers. The vendor then reportedly provided the data to four companies competing for contracts with TSA-HNC Software, Infoglide Software, Ascent Technology, and Lockheed Martin. As in the JetBlue matter, this raises the question of whether the collection and use of personal information by these companies constituted a ‘system of records’ under the Privacy Act of 1974. If so, then the Act would require the filing of a public notice describing what information the system will contain and how an individual can gain access to any information pertaining to him. We are not aware that any such notice was published. The Act would also prohibit the disclosure of personal information to any other person or entity,” their letter continued. Specifically, Senators Collins and Lieberman are now asking TSA to explain when the four companies became TSA contractors, whether they obtained the PNR data prior to that time, and how the data was used. In addition, the senators asked the Department to disclose whether it requested PNR data from companies other than JetBlue and American Airlines, and “to disclose all instances of which it is aware where other agencies received PNR data from airlines or their vendors.” Last month, in response to a request from the senators, TSA acknowledged that it had asked JetBlue to transfer millions of Passenger Name Records to an Army contractor. TSA provided copies of a memo it had sent to JetBlue in 2002. In October 2003, the Senators also wrote to Secretary of Defense Donald Rumsfeld regarding an Army contractor’s acquisition of private passenger information from JetBlue Airways for a data mining research project. Specifically, they asked Rumsfeld to determine if DOD followed Privacy Act regulations by, among other things, publishing a notice regarding the system of records being created by the contractor and preventing unauthorized disclosures. DOD Inspector General’s office has been investigating the incident since last November, and a report is expected soon. The text of the letter appears below. April 14, 2004 The Honorable Asa Hutchinson Under Secretary for Border and Transportation Security U.S. Department of Homeland Security Washington, D.C. 20528 Dear Under Secretary Hutchinson: Thank you for your recent reply to our letter regarding TSA’s involvement in the transfer of passenger name record (“PNR”) data from JetBlue Airlines to an Army contractor for a data mining research project. We are encouraged that your letter spoke of the Homeland Security Department’s “unparalleled commitment to creating a culture that supports privacy values,” and we certainly agree that “[p]art of that commitment [must be] to provide transparency about the Department’s operations[.]” Accordingly, we write today regarding reports that TSA was also involved in acquiring PNR data from American Airlines. We are concerned by potential Privacy Act and other implications of this reported incident. From initial accounts, it appears that TSA requested PNR data from American Airlines for its own research purposes rather than merely requesting that data be provided to another agency, as occurred in the JetBlue matter. Moreover, TSA told the press, the General Accounting Office (“GAO”), and Congress that it had not used any real world data to test CAPPS II. Indeed, a report on CAPPS II issued by GAO in February cited the lack of access to real world passenger data as a reason that testing had been delayed. According to the report, “TSA has only used 32 simulated passenger records” to conduct limited testing. American Airlines has now indicated that it provided over one million passenger itineraries at TSA’s request, which raises the question of why agency officials told GAO that it did not have access to such data. According to press reports, American Airlines authorized its vendor, Airline Automation, to provide TSA with one week’s worth of PNR data on its customers. The vendor then reportedly provided the data to four companies competing for contracts with TSA – HNC Software, Infoglide Software, Ascent Technology, and Lockheed Martin. As in the JetBlue matter, this raises the question of whether the collection and use of personal information by these companies constituted a “system of records” under the Privacy Act of 1974. If so, then the Act would require the filing of a public notice describing what information the system will contain and how an individual can gain access to any information pertaining to him. We are not aware that any such notice was published. The Act would also prohibit the disclosure of personal information to any other person or entity. In light of these concerns, we ask that you provide the Committee with answers to the following questions: 1. Did any TSA official ask American Airlines or its vendor to provide the PNR data to the agency or to any of the four companies? 2. If so, why did TSA ask that data be provided? 3. How did TSA and/or the companies use the data? 4. Which of the four companies became TSA contractors, on what date, and for what purposes? 5. Which, if any, of the four companies possessed PNR data while performing contract work for TSA? 6. Did TSA or any of the companies create a system of records as defined by the Privacy Act? If not, please explain how the collection and use of the information does not meet the Act’s definition of a system of records. 7. Did TSA comply with the Privacy Act, including requirements for the creation of a system of records such as public notice, allowing individuals to access information pertaining to them, and ensuring that the information is not improperly disclosed? In addition to answering these questions, we ask the Department to disclose whether it requested PNR data from companies other than JetBlue and American Airlines. We also ask the Department to disclose all instances of which it is aware where other agencies received PNR data from airlines or their vendors. We appreciate your ongoing cooperation with the Committee. Thank you for your continued efforts on these important issues. Sincerely, Susan M. Collins, Chairman Joseph Lieberman, Ranking Member