The news that the Transportation Security Administration violated the Privacy Act by collecting data on 250,000 Americans as part of a "study" for its new "Secure Flight" program is the latest in a string of incidents detailing how government agencies are using commercial data brokers to sidestep privacy laws, setting the stage for more problems in the future.
The Government Accountability Office (GAO) issued a report to Congress stating that "a TSA contractor, acting on behalf of the agency, collected more than 100 million commercial data records containing personal information such as name, date of birth, and telephone number without informing the public."
Although the contractor is not identified in the GAO report or the TSA's admission that it collected the data after promising not to do so, the scandal bears a striking resemblance to the JetBlue incident, wherein the data clearinghouse Acxiomsold thousands of its data records to another TSA contractor in order to test the reliability of "CAPPS II," the predecessor to the "Secure Flight" screening system.
Several laws mandating the creation of nationwide requirements for issuing state driver's licenses may require the usage of commercial data brokers such as ChoicePoint and LexisNexis to effectively implement.
This has aroused concerns among privacy advocates and opponents of the "Real ID" Act who believe that entrusting such a complex enterprise to companies that have already proven incapable of protecting the data they collect may lead to even more instances of identity theft.
The "Real ID" Act was passed in May 2005, attached to a bill authorizing funding for U.S. forces in Iraq. The act requires state governments to establish "minimum security standards" for issuing or re-issuing driver's licenses, including verification of Social Security Numbers and birth certificates.
The law is an "unfunded mandate," meaning that states will have to come up with the money to implement the new procedures themselves, which may lead to private data screening agencies offering technology and information databases to aid in the law's enforcement.
The Senate passed the Transportation Security Improvement Act as part of an extensive highway spending bill, on May 17th. The bill includes language authorizing the TSA to mandate that state motor vehicle authorities conduct background checks as "stringent" as Federal background checks for commercial driver's licenses. The bill is currently being reconciled in joint Congressional committee.
Opponents of these provisions maintain that additional security requirements are not only burdensome to implement and unnecessarily invasive, but offer a dangerous opportunity for "information broker" companies to hoard even more data.
Timothy Sparapani, associate legal counsel for the American Civil Liberties Union ), told The Washington Post that he "worried about the government expanding their use of background checks."
Although none of the major commercial data brokers have publicly admitted to lobbying for these laws, they also have been embroiled in recent scandals and may be actively looking for more government business.
ChoicePoint's loss of over 100,000 individual records to identity thieves in February 2005 opened the door to a flood of reports of identity theft and data loss. LexisNexis lost 32,000 data records to thieves in March 2005.
Acxiom itself was ahead of the identity-theft curve, as its servers were hacked by employees not once, but twice - first in March 2003 and again in July 2004. Both times, millions of aggregated data records were stolen and put up for sale on the "gray market" of identity theft rings.