TSA shelves plans to monitor you online...for now

You know, I actually like the TSA Pre program. I think the name would have been better suited been named something akin to "treat like a human." No need to take off your shoes or pull your laptop out of the bag. No requirement to entertain the security theatre that we've become accustomed to at airports in North America. 

And naturally it only makes sense that the TSA would want to monitor our online presence as well, right...wait, WHAT?

From Nextgov:

The Transportation Security Administration has called off -- for now -- live tests of technology that would expand background checks on airplane passengers to include analyses of their online presences.


The idea was to have contractors analyze consumer data -- potentially including dating profiles and shopping histories -- on fliers who apply for the voluntary "Pre?” program. Pre?, open to all U.S. citizens, lets passengers breeze through dedicated checkpoints without removing shoes, belts, laptops or TSA-compliant liquids after paying an $85 fee and proving their identities.

While I'm happy to see that this program has been shelved this strikes me as yet another organization overstepping their bounds and collecting data that they really don't require.

Again from Nextgov:

Big brother won't be parsing Web surfing habits of fast lane candidates until at least mid-summer, according to the notice. The Homeland Security Department will conduct more analysis and research "to define standards for future third party solution applications,” TSA officials said.


But officials added they have not made up their minds whether to acquire such a tool in the future. 

I wonder if they speak to the collection of data relating to your online presence in their privacy statement.

From TSA Pre-enrol site:

Principal Purpose(s): This information is needed to verify your identity and to conduct a security threat assessment to evaluate your eligibility for the TSA Pre?™ application program. Furnishing this information, including your SSN or alien registration number, is voluntary; however, all information provided during the enrollment process assists in the timely processing of your security threat assessment. Failure to provide it will delay and may prevent completion of your security threat assessment.

Nothing about online presence there. I wonder how they'll use the information that they do collect. Checking the FAQ page I looked up where does this information go.

The information collected by TSA’s contractor is provided to TSA and used only for the purposes of conducting TSA’s security threat assessment to determine eligibility and use for TSA application/enrollment programs.

TSA may share information outside of the Department of Homeland Security (DHS) in accordance with the Privacy Act, 5 U.S.C. 552a. Principal disclosures include disclosure to:

  • The FBI to retrieve your criminal history record;
  • TSA contractors or other agents who are providing services relating to the security threat assessments;
  • Appropriate governmental agencies for law enforcement, or security purposes, or in the interests of national security;

For additional information regarding disclosures, please see the system of records notice for the relevant enrollment program. For example, for the TSA Pre?™ Application Program, please see DHS/TSA-021, TSA Pre?™ Application Program System of Records.

Pretty standard stuff for determining eligibility. Again, nothing about online presence. All of the information is collected by "TSA’s contracted Universal Enrollment Services provider, MorphoTrust USA, manages the online web pre-enrollment application and the enrollment centers that collect biographic and biometric information for programs...". In turn MorphoTrust is owned by the French defense contractor, Safran Group. The government of France is one of the largest shareholders and it holds a 22% stake in the company.

Interesting. I wonder when/if this will get pulled back off the shelf. Aggregating data like this could lead to profiling. 

(Image used under CC from Grant Wickes)


Copyright © 2014 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline