WASHINGTON_An ambitious program to check every domestic airline passenger's name against government terrorist watch lists may not be immune from hackers, a congressional investigator said Thursday.
And because of security concerns, the government is going back to the drawing board with the program called Secure Flight after spending nearly four years and $150 million on it, the Senate Commerce Committee was told.
Transportation Security Administration chief Kip Hawley did not say whether any security breaches had been discovered. An agency spokeswoman, Amy von Valter, told reporters, "We don't believe any passenger information has been compromised."
Cathleen Berrick, the investigator for the Government Accountability Office, said in written testimony that "TSA may not have proper controls in place to protect sensitive information."
Currently, airlines check the names of passengers against watch lists that the government gives them. Under Secure Flight the government would take over from the airlines the task of checking names against watch lists.
According to the GAO testimony, Secure Flight was given formal authority to go live in September, but a government team found that the system software and hardware had 82 security vulnerabilities.
Hawley told the committee that he has directed TSA's information technology staff to conduct a comprehensive audit of the program before developing it further.
"In view of our need to establish trust with all of our stakeholders on the security and privacy of our systems and data, my priority is to ensure that we do it right, not just that we do it quickly," Hawley said.
The audit began several weeks ago and there is no deadline for completion, von Walter said.
Secure Flight has been troubled from the start.
It is strongly opposed by civil libertarians who fear the program would grow into a massive domestic surveillance system in which the government tracks people whenever they travel.
Government auditors gave the project failing grades - twice - and rebuked its authors for secretly obtaining personal information about airline passengers.
Hawley said last month - and the GAO agreed in its testimony Thursday - that the agency hadn't yet determined precisely how Secure Flight would work.
Commerce Committee Chairman Ted Stevens, R-Alaska, told reporters he didn't think that Secure Flight should be held up by the GAO.
"I'm not really pleased," Stevens said. "They ought to stand back and give advice."
The Sept. 11 commission has urged the administration to expedite the development of the program because, it said, the watch lists currently used by airlines aren't complete.
But checking names against watch lists hasn't been as easy as it sounds, partly because airlines collect only limited information about passengers.
Also, the number of names on the watch lists increased into the tens of thousands since the Sept. 11 attacks. That problem has resulted in passengers from infants to Sen. Edward M. Kennedy being mistakenly told they couldn't fly because they have the same name as someone on the watch list.
The project has also drawn protests from privacy advocates and civil libertarians because its stated purpose has changed, often expanding.
Project managers once said that it would be used to track down violent criminals, and then backed down. They've also proposed using commercial data, such as that supplied by Choicepoint, to locate members of terrorist sleeper cells among people who buy airline tickets.
Bill Scannell, a privacy advocate who manages the Web site UnSecureFlight.com, welcomed Hawley's announcement.
"Once again the vampire's been driven back into its coffin," he said. "Whether the administration is willing to shoot it with a silver bullet is another question."
On the Net:
Transportation Security Administration: http://www.tsa.gov