TSA appoints its first privacy officer

Ryan Singel of Wired News reports this morning that Lisa Dean, since mid-2003 the Washington, DC representative of the Electronic Frontier Foundation, has been appointed as the first Chief Privacy Officer of the USA Transportation Security Administration.

In her previous job as director of the Free Congress Foundation’s Center for Technology Policy, Dean worked with Stephen Thayer — now deputy and acting director of the TSA’s Office of National Risk Assessment — while Thayer was executive director of the American Conservative Union.

Let’s hope Dean’s established relationships with Thayer and with DHS Chief Privacy Officer Nuala O’Connor Kelly enhance her ability to stand up for the privacy rights of travellers, travel and transportation workers, those who arrange or pay for travel for others, prospective passengers who make reservations but don’t actually travel, and other individuals whose personally identifiable information is included in travel records.

A sincerely committed privacy officer at the TSA will certainly have their work cut out for them: the TSA and DHS have pledged to issue a new Privacy Act notice before deploying their planned CAPPS-II airline passenger profiling and monitoring system. But many of the comments received in response to the previous Privacy Act notice (the largest number of public comments ever on a Privacy Act notice) have yet to be made public by the DHS, much less considered, responded to, or acted on.

The DHS’s purported “analysis” of the first round of comments failed even to acknowledge most of the issues they raised, including whether the CAPPS-II proposal is constitutional, whether it exceeds the statutory authority of the TSA and DHS (particularly with respect to the proposed new mandates for reservations, information, and identification documents), or whether the reservations accessed by the government would include personally identifiable information on other categories of individuals beside those who actually travel (as they would, and which, in and of itself, would be sufficient to ensure that any attempt to implement CAPPS-II without a much-expanded notice would be blocked in court for failure to comply with the requirement of notice to all those whose data would be given to the government).

Even the CAPPS-II notice currently proposed to be given to travellers is legally insufficient: at last week’s House subcommitteee hearing, the TSA said that notice would be given at the time reservations are made, but that the TSA plans to order airlines to start turning over data within a few months. Taken together, those two statements evince an intent to flout the Privacy Act requirement of prior notice, since some people have already made reservations and/or bought tickets for flights up to a year form now.

If notice is to be given at the time of making reservations and/or buying tickets, the Privacy Act prohibition on use of information provided without notice would preclude any use of pre-existing reservations until at least a year after the notice-at-the-time of reservations system is fully in place.

And CAPPS-II is, of course, only one of a wide range of potentially privacy-invasive proposals on the table at the TSA as it attempts — in much the same manner as the attempts under the Communications Assistance to Law Enforcement Act (CALEA) to mandate the conversion of commercial communications systems into an infrastructure of communications surveillance — to mandate the conversion of existing travel reservation systems into an infrastructure of surveillance of travellers.

It won’t be an easy job being Chief Privacy Officer for such an agency, the less so the more sincere the office-holder’s commitment to privacy protection.