But what about the means used to identify people for screening (CAPPS and pre-screening were in place prior to 9/11). Then in 2003, they tried to do CAPPS II, which involved the acquisition of data from private providers (e.g., JetBlue).
Now we've got Secure Flight: trying to standardize/normalize pre-flight security data.
Any data that the government gathers about you, you're entitled to see and correct, and disclosure is prohibited except in certain cases. That's the Privacy Act.
So can TSA farm out the data collection to private contractors? There's also the Computer Data Matching Protection Act: protecting against massive information synthesis (matching government records with non-government records, or even use of government records for purposes other than what they were collected for).
It's not clear how these acts constrain what TSA can do.
Plus, of course, this only defends against intentional (and well-intentioned) acts. Accidents or malice can leak info, obviously.
Anyway, is SecureFlight any worse than all the other searching that gets done?
By the way: a US citizen doesn't have 4A protections of the home, if the home is abroad. And phone surveillance isn't overly intrusive either. That's a more modern case, though.
For now, we can just note that there's a need to balance national security and privacy.
Basically, though, the media can do what it wants as long as someone else is breaking the law, and it's a matter of public concern.
Does this have a chilling effect on speech? Perhaps not, but maybe it does create a moral hazard for the media.
Anyway, at the end of the day, all the language about chilling effects gives way to the 1A interest in the free press. But what's a "public concern?" That standard sure is broad.