Privacy Protection

February 23, 2007
The Oversight Committee has requested documents from the Transportation Security Administration (TSA) amid recent reports that the TSA web site collected personal information without basic security measures to ensure privacy protection. Chairman Waxman writes:

There have been many problems with individuals incorrectly identified on the no-fly list. Persons with names similar or identical to names on the no-fly list -- including senior Members of Congress such as Representative Don Young and Senator Edward Kennedy -- have been prevented from boarding flights or otherwise detained and questioned because their names come up in no-fly list checks.

According to media reports, on February 13, 2007, TSA tried to address these problems by launching a new web page to allow travelers whose names are identical to the names of persons on TSA's "no-fly list" to establish they are not the persons of concern. This new site, which was linked from TSA's "Our Travelers" page, announced a "Travel Verification Identity Program," which in turn asked travelers to submit sensitive personal information, such as their Social Security number, date of birth, height, weight, and eye color.

As soon as the site was launched, several web security experts alleged that this site lacked basic security measures to ensure that the submitted personal information would not end up in the hands of third parties. For example, these experts claimed that the site was not protected with a "secure sockets layer" (SSL), which would have ensured the secure transfer of the data to TSA. They also claimed that this failure to encrypt the data could have allowed a third party -- including a terrorist -- to obtain this sensitive personal information.

According to these experts, the site was not operating out of the TSA web domain, but instead was operating out of the following commercial domain: http://rms.desyne.com. This domain appears to belong to Desyne Web Services, Inc., a web design company whose mailing address is a post office box located in Boston, Virginia. In addition, security experts pointed out that the website text had numerous spelling errors and that the attached form did not have an OMB number, which all federal government forms are required to have. In fact, the overall appearance of the site was so poor that web experts first assumed it was a so-called "phishing" site, a site internet hackers had created to look like a TSA website page.

The site also appears to have been launched prematurely. A notice in the Federal Register on January 18, 2007, announced that, in compliance with the Privacy Act of 1974, the Department of Homeland Security would be creating a new system of records. This system, called the Traveler Redress Inquiry Program (TRIP), would support travelers' ability to redress complaints that they have been incorrectly placed on no-fly lists. The comment submission period for this notice was open until February 20, 2007. If TSA's traveler identity verification website is part of the TRIP system, it was launched while the comment period for this notice was still open.

The full letter is addressed to Edmund Hawley, the Assistant Secretary of the Transportation Security Administration.