Monday, July 25, 2005

Secure Flight program a mess

Bruce Schneier has an excellent post today on the state of the Secure Flight program. Secure Flight is part of the TSA, which itself is part of the Department of Fatherland Security. Secure Flight is supposed to run airline passengers' names against a check list of known or suspected terrorists. There has been a tendency to expand the data that is collected for this program and make it a much more complicated piece of software that looks at not only names but data from commercial sources such as date of birth, addresses, phone numbers, and, potentially, other bits such as credit scores, job title, how often people moved, etc. Amidst privacy concerns, Congress has twice passed bills that killed this program or curtailed its collection of this outside data. As Schneier points out, the TSA has ignored this and continued on its own path. Choice quotes:

Secure Flight is a disaster in every way. The TSA has been operating with complete disregard for the law or Congress. It has lied to pretty much everyone. And it is turning Secure Flight from a simple program to match airline passengers against terrorist watch lists into a complex program that compiles dossiers on passengers in order to give them some kind of score indicating the likelihood that they are a terrorist.

...But using commercial data has serious privacy implications, which is why Congress mandated all sorts of rules surrounding the TSA testing of commercial data -- and more rules before it could deploy a final system -- rules that the TSA has decided it can ignore completely.

...My fear is that TSA has already decided that they’re going to use commercial data, regardless of any test results. And once you have commercial data, why not build a dossier on every passenger and give them a risk score? So we're back to CAPPS-II, the very system Congress killed last summer. Actually, we're very close to TIA (Total/Terrorism Information Awareness), that vast spy-on-everyone data-mining program that Congress killed in 2003 because it was just too invasive.

If you're interested in privacy concerns, especially involving government entities, please read the complete text of Schneier's post. I also urge you to read the links to the report(s) he recommends in that post. It's good information and it should give everyone a reason to pause and think about where this is heading. Your officials in office have been implementing this program. While some of it makes a great deal of sense, the debate about the efficacy of such programs or how they are implemented has, largely, been beneath the radar screen of most people.
