Peter Pietra's mission impossible

He's tasked with defending Homeland Security privacy policies--not a job for anyone with a thin skin.

Peter Pietra has what must be an unenviable task: defending the Transportation Security Administration's privacy decisions.

The TSA is the arm of the Homeland Security Department that is charged with protecting air, train and other forms of transportation. It's best known for its occasionally problematic no-fly list and legions of white-shirted screeners at U.S. airports.

In its relatively short history--it took over airport security in February 2002--the TSA has already been embroiled in a series of privacy flaps. Probably the biggest was related to its testing of the Secure Flight program; last summer government auditors said the program violated federal privacy laws. (Secure Flight is supposed to spot whether a passenger is on a watch list.)

"If your name is also Osama bin Laden but you're not the one they're looking for, it's difficult to give you a completely smooth entry, although there are processes in place to get on the clear list."

The TSA has also come under fire for aggressive screeners at checkpoints who allegedly grope women and, according to The New York Times, have required them to take off their shirts. (Some changes to pat downs have since been made.) It's also placed Sen. Edward Kennedy, a Massachusetts Democrat, and Rep. John Lewis, a Georgia Democrat, on lists that have caused them hassles at airports.

Pietra, whose new position as the TSA's director of privacy policy and compliance was announced April 17, is a former U.S. Army field artillery officer and was previously the TSA's assistant chief counsel. He joins Lisa Dean, a TSA privacy officer since 2004.

In his first interview since joining the TSA, Pietra sat down with CNET to discuss what he's going to be doing and whether he thinks the agency is on the right track.

Q: Do you see the purpose of your job as ensuring compliance with the Privacy Act, or defending decisions the agency makes?
Pietra: I don't know yet. I think a big part is going to be compliance. I hope not to spend too much time defending our decisions.

The other part of what I'm going to try to do is come up with good policies. In terms of how it's going to mix, I don't know.

At the Computers, Freedom and Privacy conference, Rep. Joe Barton's chief of staff said the House is drafting a bill to address the "comprehensive privacy rights of American citizens." What advice would you give them?
Pietra: I haven't seen any specific proposals. When I'm asked, I'll give consideration to that.

Homeland Security is currently in the process of coming up with regulations for Real ID cards, which have been the subject of some controversy. What would the TSA like to see happen?
Pietra: It's so early on that I don't know what those proposals are. DHS is heading up that effort on drafting a regulation. It is in the early stages. A lot of it is trying to flesh out what standards have applied (and) whether states have been implementing these.

There are federalism issues; it's been about a month since I've seen anything on that.

Last July, auditors at the Government Accountability Office told Congress that the TSA violated the Privacy Act by obtaining personal information about airline passengers from commercial data brokers while developing the Secure Flight screening program. What procedures does the TSA have in place today to avoid another debacle?
Pietra: That was a very complicated circumstance. What we've been doing in the program is trying to build in ground-level privacy work.... Right now the program has three major business units--each will have a privacy person.

Everything they're doing is legally permissible and follows our privacy policies. That's not going to happen again.

Can you elaborate on what's happened since a Senate hearing in February at which a TSA official testified about Secure Flight?
Pietra: They've stopped everything on the program in terms of testing, use of data, while the re-baselining effort is under way.

What TSA did in that testing was have a contractor try to determine whether there was any utility in using commercial data. When I say "utility," what I mean is trying to reduce false positives, the number of people who would pop up in a match from a watch list. We know that people in the public might needlessly suffer when they're not really the person on the list.

We didn't want any personal data coming into TSA so we had a contractor perform that test. As the test was designed, we built in protections in the contract with that contractor, saying that no commercial data was going to come into TSA.

What kind of commercial data did the TSA obtain?
Pietra: We tried in every way possible to keep commercial records from coming to us. Where a person's address or phone number was missing from a record, commercial data was used to add that phone number and address. That ended up on a disc (that was not given to TSA but kept in a safe).

The only case law out there is contrary to what GAO found. But we didn't dispute that point, we didn't fight that point. We don't dispute it now.

Going forward, embedded deep down in the program is an awareness and sensitivity of privacy matters. At this point TSA is at the forefront of a lot of privacy issues in the federal government.

Featured Video