April 14, 2004
The Honorable Asa Hutchinson
Under Secretary for Border and Transportation Security
U.S. Department of Homeland Security
Washington, D.C. 20528
Dear Under Secretary Hutchinson:
Thank you for your recent reply to our letter regarding TSA's involvement in the transfer of passenger name record ("PNR") data from JetBlue Airlines to an Army contractor for a data mining research project. We are encouraged that your letter spoke of the Homeland Security Department's "unparalleled commitment to creating a culture that supports privacy values," and we certainly agree that "[p]art of that commitment [must be] to provide transparency about the Department's operations[.]" Accordingly, we write today regarding reports that TSA was also involved in acquiring PNR data from American Airlines.
We are concerned by potential Privacy Act and other implications of this reported incident. From initial accounts, it appears that TSA requested PNR data from American Airlines for its own research purposes rather than merely requesting that data be provided to another agency, as occurred in the JetBlue matter. Moreover, TSA told the press, the General Accounting Office ("GAO"), and Congress that it had not used any real world data to test CAPPS II. Indeed, a report on CAPPS II issued by GAO in February cited the lack of access to real world passenger data as a reason that testing had been delayed. According to the report, "TSA has only used 32 simulated passenger records" to conduct limited testing. American Airlines has now indicated that it provided over one million passenger itineraries at TSA's request, which raises the question of why agency officials told GAO that it did not have access to such data.
According to press reports, American Airlines authorized its vendor, Airline Automation, to provide TSA with one week's worth of PNR data on its customers. The vendor then reportedly provided the data to four companies competing for contracts with TSA - HNC Software, Infoglide Software, Ascent Technology, and Lockheed Martin. As in the JetBlue matter, this raises the question of whether the collection and use of personal information by these companies constituted a "system of records" under the Privacy Act of 1974. If so, then the Act would require the filing of a public notice describing what information the system will contain and how an individual can gain access to any information pertaining to him. We are not aware that any such notice was published. The Act would also prohibit the disclosure of personal information to any other person or entity.
In light of these concerns, we ask that you provide the Committee with answers to the following questions:
1. Did any TSA official ask American Airlines or its vendor to provide the PNR data to the agency or to any of the four companies?
2. If so, why did TSA ask that data be provided?
3. How did TSA and/or the companies use the data?
4. Which of the four companies became TSA contractors, on what date, and for what purposes?
5. Which, if any, of the four companies possessed PNR data while performing contract work for TSA?
6. Did TSA or any of the companies create a system of records as defined by the Privacy Act? If not, please explain how the collection and use of the information does not meet the Act's definition of a system of records.
7. Did TSA comply with the Privacy Act, including requirements for the creation of a system of records such as public notice, allowing individuals to access information pertaining to them, and ensuring that the information is not improperly disclosed?
In addition to answering these questions, we ask the Department to disclose whether it requested PNR data from companies other than JetBlue and American Airlines. We also ask the Department to disclose all instances of which it is aware where other agencies received PNR data from airlines or their vendors. We appreciate your ongoing cooperation with the Committee. Thank you for your continued efforts on these important issues.
Susan M. Collins, Chairman
Joseph Lieberman, Ranking Member