NY Times - June 22, 2005
Air travelers who have been concerned about the government collecting their personal information from airlines now have a second source to worry about: commercial data aggregators. The federal agency in charge of aviation security revealed that it bought and is storing commercial data about some passengers - even though officials said they wouldn't do it and Congress told them not to. The Transportation Security Administration is testing a terrorist screening program called Secure Flight that uses information about U.S. citizens who flew on commercial airlines in June 2004. "This is like a secret file that's been compiled," said Tim Sparapani, a privacy lawyer with the American Civil Liberties Union. The TSA hopes that successful testing of Secure Flight will allow it to take over from the airlines the responsibility for checking passenger names against terrorist watch lists. But Secure Flight and its predecessor, CAPPS II, have been criticized for secretly obtaining personal information about airline passengers, not doing enough to protect it and then misleading the public about its role in acquiring the data.
The Chapell View
Congress needs to completely deconstruct the TSA - and I mean completely. Take apart the TSA office buildings a la the Abu Grave prison. Salt the earth like the Ancient Greeks used to do. Let's just take a mulligan on this one - and start over.
Adding to their list of questionable decisions, the TSA has engaged data aggregators to help...
Ahh yes, the data aggregators. The same group that disenfranchised votes in Florida a few years ago. The same groups which have come under fire recently for their role in many of the data breaches.
Anyway - I have a brand spankin new data aggregator story for you. Bear with me - I going somewhere with this.
A friend of mine works at a large Ivy League Medical Research lab. Her office engaged one of the data aggregators to compile updated information on study subjects. (Ensuring HIPAA compliance, of course.)
As you probably know, some of the large data aggregators have recently undergone some significant changes to their methods and procedures in light of the ChoicePoint scandal. About a year ago, ChoicePoint was bamboozled by a group of Nigerian credit card scammers. The scoundrels (the Nigerians, not Choicepoint) had posed as legitimate businesses in order to obtain access to ChoicePoints' data products.
In order to ensure that their company doesn't succumb to a similar fate, the data aggregator put the Ivy League Research Lab through three months of hoops - requesting copies of the university's charter, photos of the building, etc. - in order to ascertain that the university is, in fact, a legitimate entity. Seems like a bit much for me given that the University is pretty much a household name, but whatever - rules are rules. And ensuring privacy is a priority, right?
Once satisfied, the data aggregator accepts the University's data file, and begins work. After a few weeks, the data aggregator returns a file that "they're pretty sure was encrypted." Again - great idea - ensuring privacy is a priority, right? Unfortunately, the data company must have done too good a job encrypting the data, as it was completely unreadable to the University staff.
When the University complained, the data company sent over another file to the University. The good news is that the file was completely readable. The bad news is that it was the wrong file. The new file included some other company's data - including names, addresses, phone #, and private health information.
By now you're probably wondering - is there a point to this story? I have two:
1. All the planning and due diligence in the world can sometimes be undone by one careless mistake.
2. Data is becoming more burdensome to obtain. And it will only get more bureaucratic as additional privacy legislation is ushered in.