A report released Friday by Richard Skinner, acting inspector general of the Homeland Security Department, said the TSA had misinformed individuals, the media and Congress in 2003 and 2004. It stopped short of saying TSA lied.
"TSA officials made inaccurate statements regarding these transfers that undermined public trust in the agency," the report said. "These misstatements were apparently not meant to mischaracterize known facts. Instead, they were premised on an incomplete understanding of the underlying facts."
Sen. Joe Lieberman, D-Conn., said the agency took months to disclose its role in getting the data.
"The American public must know their personal information is well protected, or they will distrust the new systems we need to keep our nation safe," he said in a statement.
The report comes at a sensitive time for the TSA, which is using airline passenger data — which can include credit card information, phone number and address — to test a computerized system for screening passengers, called Secure Flight.
Congress has said that TSA can't proceed with Secure Flight unless the Government Accountability Office reports that the technology ensures privacy and that the data is protected. That report is due Monday.
Friday's report concluded that the TSA was inconsistent in protecting passengers' privacy as it developed a passenger prescreening system. It did acknowledge that the agency's environment for privacy has improved substantially.
TSA spokesman Mark Hatfield said the agency is committed to privacy of personal information.
"The core of our mission is preserving our freedoms, and that means doing the utmost to protect every American's privacy," Hatfield said.
The report cites several occasions where TSA officials made inaccurate statements about passenger data:
In September 2003, the agency's Freedom of Information Act staff received hundreds of requests from JetBlue passengers asking if the TSA had their records. After a cursory search, the FOIA staff posted a notice on the TSA Web site that it had no JetBlue passenger data. Though the FOIA staff found JetBlue passenger records in TSA's possession in May, the notice stayed on the Web site for more than a year.
In November 2003, TSA chief James Loy incorrectly told the Senate Governmental Affairs Committee that certain kinds of passenger data were not being used to test passenger prescreening.
In September 2003, a technology magazine reporter asked a TSA spokesman whether real data were used to test the passenger prescreening system. The spokesman said only fake data were used; the responses "were not accurate," the report said.
The report also disclosed that the TSA had a much broader role in getting and using passenger data than had been previously disclosed.
Between February 2002 and June 2003, TSA had a role in 14 transfers of data involving at least 12 million records obtained without passengers' knowledge or permission from America West, American Airlines, Continental, Delta, Frontier and JetBlue.
However, the report concluded, in only one case was a passenger's data inappropriately revealed to the public.