September 25, 2003



WASHINGTON, DC -- In response to a lawsuit filed by the Electronic Privacy Information Center (EPIC), the Transportation Security Administration (TSA) today refused to make public its "Privacy Impact Assessment" for the controversial CAPPS II air passenger screening system. Despite the fact that privacy concerns have surrounded the system for almost two years, TSA says that the privacy assessment has "not yet been finalized."

EPIC requested release of the document after TSA published a Privacy Act notice for CAPPS II and requested public comments no later than September 30. The agency initially refused to expedite its processing of EPIC's Freedom of Information Act request, despite the pending deadline for public comments. One day after EPIC sought an emergency court order requiring TSA to process its request, the agency agreed to complete its processing by today.

In addition to the Privacy Impact Assessment, EPIC also requested TSA's "Capital Asset Plan and Business Case" for the CAPPS II project. Both of these documents are required by the E-Government Act and Office of Management and Budget regulations. The General Accounting Office (GAO) recently criticized another Department of Homeland Security information system (the INS entry exit system) for its lack of a Privacy Impact Assessment (PIA). The GAO noted that agencies are required to prepare a PIA "so that relevant privacy issues and needs are understood and appropriately addressed early and continuously in the system life cycle."

TSA's admission that it has not finalized a privacy assessment for CAPPS II comes in the wake of the disclosure that JetBlue shared information about millions of passengers with a government contractor for "national security" reasons. According to EPIC General Counsel David Sobel, "The public understandably wants to know if CAPPS II is going to require all airlines to disclose, on a regular basis, the kind of information that JetBlue disclosed. It is not reassuring to learn that TSA, after almost two years, has not yet assessed the privacy impact of this system."

The TSA admission comes as Congress, in the Homeland Security appropriations bill, has blocked deployment of CAPPS II until the GAO studies its privacy implications. The GAO report must be completed by February 15, 2004. "It's clearly appropriate for Congress and GAO to explore the privacy implications, since TSA has failed to do so," said Sobel.

TSA's response to EPIC's FOIA request is available at: