The U.S. Transportation Security Administration (TSA) broke privacy rules by secretly collecting information on at least 240,000 people, according to a letter sent by the Government Accountability Office (GAO) to Congress.

The GAO said that during its review of the program it found that "TSA did not fully disclose to the public its use of personal information in its fall 2004 privacy notices as required by the Privacy Act."

While testing its airline passenger screening program, Secure Flight, the TSA collected the information from commercial data brokers and not just from lists supplied by airlines, as it had originally promised. The GAO said that as many as 100 million records were collected by contractors working on behalf of the agency.

"In particular, the public was not made fully aware of, nor had the opportunity to comment on, TSA's use of personal information drawn from commercial sources to test aspects of the Secure Flight program," the letter added.

Counterpane founder and CTO Bruce Schneier, who also sits on the working group looking at the security and privacy implications of Secure Flight, said the program was "a disaster in every way."

"The TSA has been operating with complete disregard for the law or Congress. It has lied to pretty much everyone," he said.

He added that the administration was turning Secure Flight from a simple program to match airline passengers against terrorist watch lists into "a complex program that compiles dossiers on passengers in order to give them some kind of score indicating the likelihood that they are a terrorist."

Earlier this month, SC Magazine reported on the GAO's report on the DHS infosec weaknesses.

GAO report