Homeland Security officials said yesterday they would probe whether federal privacy laws were broken when American Airlines released 1.2 million of its passenger records for data-mining research by the Transportation Security Administration (TSA).
“What we need to find out is exactly what role the TSA played in this affair,” said Nuala O’Connor Kelly, the privacy officer for the Department of Homeland Security.
On Friday afternoon, AMR Corp., the owner of American Airlines, issued a statement saying it had “recently learned” that one of its vendors, Airline Automation Inc., gave the records to four companies “vying for contracts” with the Transportation Security Administration in June 2002.
American said it had authorized the release of the data “because of the heightened interest in aviation security” after the September 11 suicide hijackings.
The data were in the form of one week’s worth of passenger-name records — a record created when someone books a flight.
The record can have up to 60 fields and includes such information as name, telephone number and credit-card details, as well as itinerary information and notes of any special religious dietary requirements.
Mrs. Kelly said the Privacy Act of 1974 would have been violated if a “system of records” had been created either by the TSA or by a contractor acting on its behalf, without sufficient notice being given the public, through publication in the Federal Register.
The creation of a database to test data-mining techniques — such as those envisioned by the TSA’s proposed computerized passenger screening system, CAPPS II — almost certainly would constitute such a “system of records,” according to privacy analysts.
However, Mrs. Kelly added, if the companies receiving the data were not TSA contractors, the legal situation becomes “murky.”
“It’s unclear to me at the moment exactly what the relationship is between these four companies and the TSA. That’s one of the things we need to find out,” she said.
The TSA press office did not respond to repeated messages yesterday.
American said the vendor had been authorized to pass the data to the TSA, but not to the four companies — HNC Software Inc., Infoglide Software Corp., Ascent Technology Inc. and Lockheed Martin Corp.
But a lawyer for Airline Automation gave a different account.
“American told my client that they should provide this data and that the TSA would tell them how,” David Coburn, a Washington lawyer with Steptoe and Johnson LLP, said in an interview yesterday.
“It was well-understood by everyone involved that the testing would be done by outside contractors, not by the TSA themselves,” he said.
No one from American Airlines could be reached for comment yesterday.
Airlines Jet Blue and Northwest encountered a firestorm of public outrage after it emerged last year that they had turned over passenger data — in one case to a defense contractor and in the other to NASA — for similar data-mining research, aimed at identifying terrorism suspects by detecting patterns of suspicious behavior.
Please read our comment policy before commenting.