The Register checks in with its own story on the TSA report. 12 million passenger records, for which contractors and TSA “did not follow accepted privacy procedures in obtaining passenger data for internal use”.
But this is the part that boggles my mind (and I’ll admit, I haven’t actually read the report yet, so perhaps some unboggling is available there):
The list of recommendations is basically sensible, but it is also alarming, as it is equally a catalogue of the commonsense precautions that TSA has not been taking. The IG report wiggles out of legal responsibility, however, explaining that because TSA does not have a system of individual identifiers for the data it handles, it does not maintain a “system of records” as defined in the Privacy Act of 1974.
I’m not sure how exactly you can even begin to claim that this system is maintained for security purposes when you don’t have a “system of individual identifiers”.