The Chicago Sun Times reported in article on June 24th 2004 regarding the airline industry’s disclosure of passenger information records to the the Transportation Security Administration and its contractors.

This is hardly a new story. It originally broke in September 2003 when JetBlue admitted it had handed over the information of over 5 million passengers, in direct violation of it’s stated privacy policy. Since then, more and more airlines have sheepishly admitted to having done so also. According to the Sun-Times article, 4 major airlines and 2 major reservation systems have admitted to doing the same thing.

The thing that’s new about this story has to do with the claim that this activity is in direct violation of Federal law.

Up to this point, discussion about this fiasco has been limited to the fact that these disclosures are in violation of the airline’s publicly stated privacy policy. As a result the FTC has been investigating these acts as “deceptive trade practices” based on complaints from the Electronic Privacy Information Center and others.

Check out the full complaint at:
http://www.epic.org/privacy/airtravel/jetblue/ftccomplaint.html

The Sun-Times article quotes Sentor Joe Lieberman of Connecticut, top Democrat on the Senate Governmental Affairs Committee as saying that the Transportation Security Administration ”may have violated” the “Privacy Act”.

The Sun-Times article is not specific about which “Privacy Act” Senator Lieberman was referring to. But I believe it’s a safe bet that he was referring to The Privacy Act of 1974 (http://www.usdoj.gov/foia/privstat.htm).

Senator Liberman specifically mentions a failure to notify the data subjects that their information had been collected. But in my opinion, the more interesting requirements in the Privacy Act of 1974 is the requirment that agencies who collect information about individuals must:

“publish in the Federal Register upon establishment or revision a notice of the existence and character of the system of records, which notice shall include–

(A) the name and location of the system;
(B) the categories of individuals on whom records are maintained in the system;
(C) the categories of records maintained in the system;
(D) each routine use of the records contained in the system, including the categories of users and the purpose of such use;
(E) the policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records;
(F) the title and business address of the agency official who is responsible for the system of records;
(G) the agency procedures whereby an individual can be notified at his request if the system of records contains a record pertaining to him;
(H) the agency procedures whereby an individual can be notified at his request how he can gain access to any record pertaining to him contained in the system of records, and how he can contest its content; and
(I) the categories of sources of records in the system;”

One can’t help but wonder if the TSA, and by extension, the Homeland Security Department, has even considered these requirements, much less complied with them. The Sun-Times article reports that an official from the Homeland Security Department said that the agency is investigating.

I think this will be an interesting test of the Homeland Security Departmnents commitment to privacy and look forward to seeing how they respond to Lieberman’s challenge.

H.R. 2929, the Safeguard Against Privacy Invasions Act, is a bill that was introduced in 2003 by Rep. Mary Bono, a republican from California. It has been approved for a full vote on the house floor.

According to this article from ZDNet, “The Spy Act includes 21 pages of dense regulations that specify what software can and can’t do and under what circumstances it must seek explicit permission from the user to proceed.”

As noted in this PC World article, this is not the only piece of legislation being considered regarding the fight against spyware. Utah has already passed some legislation to combat the technology, as discussed here.