[IP] JetBlue Shared Passenger Data
JetBlue Shared Passenger Data
By
<http://www.wired.com/news/print//news/feedback/mail/1,2330,742,00.html>Ryan
Singel<http://www.wired.com/news/print//news/feedback/mail/1,2330,742,00.html>
[]
Story location:
<http://www.wired.com/news/privacy/0,1848,60489,00.html>http://www.wired.com/news/privacy/0,1848,60489,00.html
02:00 AM Sep. 18, 2003 PT
JetBlue Airways confirmed on Thursday that in September 2002, it provided 5
million passenger itineraries to a defense contractor for proof-of-concept
testing of a Pentagon project unrelated to airline security -- with help
from the Transportation Security Administration.
The contractor, <http://www.torchconcepts.com>Torch Concepts, then
augmented that data with Social Security numbers and other sensitive
personal information, including income level, to develop what looks to be a
study of whether passenger-profiling systems such as CAPPS II are feasible.
<http://ln.doubleclick.net/jump/wn.ln/print;h=news;!category=adult;sz=300x250;ptile=2;pos=1ord=377444090target=>provisions
when it "provides by a contract for the operation by or on behalf of the
agency of a system of records."
JetBlue clearly violated its own
<http://www.jetblue.com/privacy.html>privacy policy by transferring its
passenger data. Such a violation could be grounds for an investigation of
unfair business practices by the Federal Trade Commission, which has the
authority to fine companies and issue injunctions.
"We made a special exemption for this one exceptional case," said Gareth
Edmundson-Jones, a spokesman for JetBlue. "We clearly have to review
internally the decision and reconsider our policies."
The TSA, which is in charge of developing a new airline passenger-screening
system called CAPPS II, adamantly denied receiving or reviewing the JetBlue
data in the transfer. Turmail also said that the data was not used to test
CAPPS II or CAPPS II prototypes.
Torch Concept's presentation, unearthed on a conference website by travel
privacy activist and travel agent <http://www.hasbrouck.org/>Edward
Hasbrouck, shows that upon receiving the data, Torch Concepts purchased
matching personal records from Acxiom, one of the country's largest
data-aggregation companies.
That information included incomes, occupations, vehicle ownership
information, number of children and Social Security numbers.
The company then used the data to create profiles of groups of travelers,
dividing them into three specific groups: young middle-income homeowners,
older upper-income homeowners and a group of passengers with anomalous
records, which the presentation attributes to "erroneous entry, fraud or
mischief."
Under the proposed CAPPS II system, passengers like those in Torch's third
group would likely be assigned a yellow code by the system's algorithms,
resulting in increased screening at the gate. Those whose identifying
information is verified and who do not match a watch list of terrorists or
wanted felons would get a green and face minimal scrutiny. Those whose
names show up on the watch list would face arrest or be barred from flying.
The company's presentation concluded that "known airline terrorists appear
readily distinguishable from the normal JetBlue passenger patterns," but
said differentiation would be enhanced if the system had access to a
passenger's annual, as well as lifetime, traveling history.
Torch Concept's work does not seem to be a prototype of CAPPS II, but
instead an attempt to measure the viability of verifying and scoring
passengers by checking them against data-aggregation companies' files. This
is the same mechanism that will be used in CAPPS II, but TSA officials are
adamant this study was not part of the CAPPS II program.
After a reporter made inquiries to the TSA, JetBlue and Torch Concepts, the
presentation and all references to it were removed from the conference
website, which is run by the Tennessee Valley Chapter of the National
Defense Industrial Association.
The chapter's president, Joel Thomas of Elmco, said he received an internal
e-mail Wednesday morning requesting its removal. Scannell has since
mirrored the original document.
JetBlue's revelation came after two days of inquiry from Wired News, which
reported Tuesday that TSA officials had told privacy activists that JetBlue
gave assurances it would help in the testing of the agency's controversial
new passenger-screening system, CAPPS II.
The presentation document also says the company first met with Jim Yeager
at the Department of Transportation, who worked for the inspector general's
office at the DOT.
Yeager was described as the "aviation security project manager" in a Jan.
4, 2002, document that announced the inspector general would conduct a
review of proposed technologies to enhance aviation security. That audit,
which is classified, was published in February 2003 and furnished to Congress.
Yeager, who now works at the Border and Transportation Security branch of
the Department of Homeland Security's inspector general's office, did not
respond to messages left for him.
Rick Toliver, a researcher for <http://www.sri.com/>SRI who has worked on
homeland security projects, chaired the session at the February conference.
Toliver confirmed that Torch Concepts' then-CEO Bill Roark delivered the
paper and that the session was well-attended.
Roark, who has a 15-year history of working on Pentagon projects, now works
as the CEO of <http://www.torchtechnologies.com/>Torch Technologies, a
Torch Concepts spin-off designed to focus on defense contracts.
On Wednesday, JetBlue issued a carefully worded statement and sent e-mails
to customers. "Contrary to reports, JetBlue has not entered into an
agreement to implement the CAPPS II program with the Transportation
Security Administration. Further, no JetBlue customer information has been
provided for purposes of testing the CAPPS II program currently under design."
David Sobel, an attorney with the Electronic Privacy Information Center,
said it should not matter who received JetBlue's data in the transfer.
"A third party is a third party, whether that is the DOT, TSA or a
contractor," said Sobel.
Hasbrouck called the presentation a "smoking gun" that proves that real
passenger data has been used in the development of CAPPS II without
attempting to get consent from passengers.
"Data from a number of different sources -- airlines, computer reservation
systems, and third-party data warehouses -- (has) been provided to various
contractors at various stages," said Hasbrouck.
Hasbrouck said the TSA has no authority to compel any airline to provide
data, but even if JetBlue was ordered to provide data, the company should
have told its customers.
"The ethical thing would be to reveal the transfer to passengers, so they
can make a decision whether or not to fly JetBlue," said Hasbrouck.
"Instead the company turned over what appears to be every reservation
they've ever made."
It is unknown if the data has been destroyed or returned to JetBlue.
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/