[IP] JetBlue Shared Passenger Data

To: ip@xxxxxxxxxxxxxx
Subject: [IP] JetBlue Shared Passenger Data
From: Dave Farber <dave@xxxxxxxxxx>
Date: Thu, 18 Sep 2003 11:02:17 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx



JetBlue Shared Passenger Data

By<http://www.wired.com/news/print//news/feedback/mail/1,2330,742,00.html>RyanSingel<http://www.wired.com/news/print//news/feedback/mail/1,2330,742,00.html>

[]

Story location:<http://www.wired.com/news/privacy/0,1848,60489,00.html>http://www.wired.com/news/privacy/0,1848,60489,00.html


02:00 AM Sep. 18, 2003 PT

JetBlue Airways confirmed on Thursday that in September 2002, it provided 5million passenger itineraries to a defense contractor for proof-of-concepttesting of a Pentagon project unrelated to airline security -- with helpfrom the Transportation Security Administration.

The contractor, <http://www.torchconcepts.com>Torch Concepts, thenaugmented that data with Social Security numbers and other sensitivepersonal information, including income level, to develop what looks to be astudy of whether passenger-profiling systems such as CAPPS II are feasible.<http://ln.doubleclick.net/jump/wn.ln/print;h=news;!category=adult;sz=300x250;ptile=2;pos=1ord=377444090target=>provisionswhen it "provides by a contract for the operation by or on behalf of theagency of a system of records."

JetBlue clearly violated its own<http://www.jetblue.com/privacy.html>privacy policy by transferring itspassenger data. Such a violation could be grounds for an investigation ofunfair business practices by the Federal Trade Commission, which has theauthority to fine companies and issue injunctions.

"We made a special exemption for this one exceptional case," said GarethEdmundson-Jones, a spokesman for JetBlue. "We clearly have to reviewinternally the decision and reconsider our policies."

The TSA, which is in charge of developing a new airline passenger-screeningsystem called CAPPS II, adamantly denied receiving or reviewing the JetBluedata in the transfer. Turmail also said that the data was not used to testCAPPS II or CAPPS II prototypes.

Torch Concept's presentation, unearthed on a conference website by travelprivacy activist and travel agent <http://www.hasbrouck.org/>EdwardHasbrouck, shows that upon receiving the data, Torch Concepts purchasedmatching personal records from Acxiom, one of the country's largestdata-aggregation companies.

That information included incomes, occupations, vehicle ownershipinformation, number of children and Social Security numbers.

The company then used the data to create profiles of groups of travelers,dividing them into three specific groups: young middle-income homeowners,older upper-income homeowners and a group of passengers with anomalousrecords, which the presentation attributes to "erroneous entry, fraud ormischief."

Under the proposed CAPPS II system, passengers like those in Torch's thirdgroup would likely be assigned a yellow code by the system's algorithms,resulting in increased screening at the gate. Those whose identifyinginformation is verified and who do not match a watch list of terrorists orwanted felons would get a green and face minimal scrutiny. Those whosenames show up on the watch list would face arrest or be barred from flying.

The company's presentation concluded that "known airline terrorists appearreadily distinguishable from the normal JetBlue passenger patterns," butsaid differentiation would be enhanced if the system had access to apassenger's annual, as well as lifetime, traveling history.

Torch Concept's work does not seem to be a prototype of CAPPS II, butinstead an attempt to measure the viability of verifying and scoringpassengers by checking them against data-aggregation companies' files. Thisis the same mechanism that will be used in CAPPS II, but TSA officials areadamant this study was not part of the CAPPS II program.

After a reporter made inquiries to the TSA, JetBlue and Torch Concepts, thepresentation and all references to it were removed from the conferencewebsite, which is run by the Tennessee Valley Chapter of the NationalDefense Industrial Association.

The chapter's president, Joel Thomas of Elmco, said he received an internale-mail Wednesday morning requesting its removal. Scannell has sincemirrored the original document.

JetBlue's revelation came after two days of inquiry from Wired News, whichreported Tuesday that TSA officials had told privacy activists that JetBluegave assurances it would help in the testing of the agency's controversialnew passenger-screening system, CAPPS II.

The presentation document also says the company first met with Jim Yeagerat the Department of Transportation, who worked for the inspector general'soffice at the DOT.

Yeager was described as the "aviation security project manager" in a Jan.4, 2002, document that announced the inspector general would conduct areview of proposed technologies to enhance aviation security. That audit,which is classified, was published in February 2003 and furnished to Congress.

Yeager, who now works at the Border and Transportation Security branch ofthe Department of Homeland Security's inspector general's office, did notrespond to messages left for him.

Rick Toliver, a researcher for <http://www.sri.com/>SRI who has worked onhomeland security projects, chaired the session at the February conference.Toliver confirmed that Torch Concepts' then-CEO Bill Roark delivered thepaper and that the session was well-attended.

Roark, who has a 15-year history of working on Pentagon projects, now worksas the CEO of <http://www.torchtechnologies.com/>Torch Technologies, aTorch Concepts spin-off designed to focus on defense contracts.

On Wednesday, JetBlue issued a carefully worded statement and sent e-mailsto customers. "Contrary to reports, JetBlue has not entered into anagreement to implement the CAPPS II program with the TransportationSecurity Administration. Further, no JetBlue customer information has beenprovided for purposes of testing the CAPPS II program currently under design."

David Sobel, an attorney with the Electronic Privacy Information Center,said it should not matter who received JetBlue's data in the transfer.

"A third party is a third party, whether that is the DOT, TSA or acontractor," said Sobel.

Hasbrouck called the presentation a "smoking gun" that proves that realpassenger data has been used in the development of CAPPS II withoutattempting to get consent from passengers.

"Data from a number of different sources -- airlines, computer reservationsystems, and third-party data warehouses -- (has) been provided to variouscontractors at various stages," said Hasbrouck.

Hasbrouck said the TSA has no authority to compel any airline to providedata, but even if JetBlue was ordered to provide data, the company shouldhave told its customers.

"The ethical thing would be to reveal the transfer to passengers, so theycan make a decision whether or not to fly JetBlue," said Hasbrouck."Instead the company turned over what appears to be every reservationthey've ever made."


It is unknown if the data has been destroyed or returned to JetBlue.

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] My new Administrative Assistant
Next by Date: [IP] BBC E-mail: Camera specs take candid snaps
Previous by thread: [IP] My new Administrative Assistant
Next by thread: [IP] BBC E-mail: Camera specs take candid snaps
Index(es):
- Date
- Thread