To follow up on a few issues, I came across a TSA form entitled
"Certification of Identity" that I had for when someone does not have ID to show and they have to provide their name and address, sign it and date it. It does have the Privacy Act Notice:
This information is being collected in accordance with 49 U.S.C. § 114(f) and 49 C.F.R. § § 1540.105(a)(2), 1540.107 in order to verify your identity and complete the passenger screening process. This information may be shared with the Department of Justice or other Federal agency in the review, settlement, defense, and prosecution of claims, complaints, and lawsuits over matters in which TSA exercises jurisdiction, or for routine uses identified in TSA’s systems of records, DHS/TSA 001 Transportation Security Enforcement Record System (TSERS) or DHS/TSA 002 Transportation Security Threat Assessment System (TSTAS). Disclosure of this information is voluntary; however, failure to furnish the requested information may result in an inability to complete the security screening process and, consequently, an inability to grant you access to the sterile area.
False statements may be punishable under the provisions of 18 U.S.C. Section 1001 by fine, imprisonment or both.
So at the time this form was created, the CFR sections that were used to obtain personal information were no more than what was discussed above, so TSA's analysis to use those sections as authority fails unless you use Francine and her Google searches to create a tortured reasoning.
Secondly, the form has the 18 U.S.C. Section 1001 language, which may mean that the TSA views false statements made to the TSA as punishable thereunder.