Friday, 20 February 2004

DHS Privacy Officer releases report on jetBlue Airways scandal

The Chief Privacy Officer of the USA Department of Homeland Security today released her "Report to the Public on Events Surrounding jetBlue Data Transfer", on the transfer of the entire jetBlue Airways reservation archives to a military contractor.

The DHS also released a "Transcript of Media Roundtable with Nuala O'Connor Kelly, Chief Privacy Officer, DHS", conducted earlier this week. (Should I be surprised that, as the first to have uncovered and reported the jetBlue scandal, I wasn't invited?)

Perhaps the most important thing about the DHS Privacy Officer's report is its narrow focus:

This report is not intended to comment on allegations involving jetBlue's activities or the activities of Department of Defense employees or contractors, which in these circumstances is beyond the statutory purview of the DHS Privacy Office.

So the publication of this report should not be misunderstood to mean that the scandal has been "fully" investigated, much less "laid to rest".

The issues of privacy practices within the travel industry -- by jetBlue, Northwest Airlines, other airlines, CRS's/GDS's, travel agencies, and third-party PNR processing companies -- and of use of airline reservation data for other government programs including "Total Information Awareness", continue to demand a Congressional investigation that would extend well beyond the scope of next month's hearing on CAPPS-II.

Contradicting published reports by myself and other journalists (including the Times of London) that CAPPS-II contractors in 2002 received and used tapes of several million reservations on multiple airlines from the Sabre CRS, the DHS Privacy Officer says that, "At this time, there is no evidence that CAPPS II testing has taken place using passenger data." But no details are given as to what effort the Privacy Officer made to seek out such evidence, or whether she even asked the members of the four 2002 CAPPS-II proof-of-concept contractor teams what data they used in their tests.

The DHS Privacy Officer's report concludes that:

TSA participation was essential to encourage the data transfer. As several airlines had refused to participate in this program absent TSA's involvement, it appears that, but for the involvement of a few TSA officials in these events, the data would likely not have been shared by jetBlue with the Department of Defense and its contractors.

The DHS report confirms that Torch Concepts received the jetBlue data as a subcontractor to SRS Technologies -- a relationship that Torch excised from its Web site just days after I broke the jetBlue story, and that SRS has been reluctant to admit.

SRS was the exclusive prime information technology contractor to the military's "Total Information Awareness" (TIA) program, but there's no mention in the DHS report of whether the Torch subcontract was under SRS's contract for TIA (and, once again, no indication that the DHS Privacy Officer even asked). The relationship of the jetBlue/Acxiom/Torch/SRS project to the TIA program remains an open question, unlikely to be answered without a Congressional investigation.

The real bombshell in the report is the revelation that Acxiom Corp., a "data aggregator serving as a contractor for jetBlue", already had received all the jetBlue reservation data before it turned it over to military contractor Torch Concepts at the request of the TSA:

The actual transfer of the data, was, in fact, accomplished between Acxiom (acting as a contractor for jetBlue) and Torch Concepts.

In the USA, as the DHS Privacy Officer's report correctly points out, the Privacy Act only regulates the use of data actually held by the Federal government. So it wouldn't have prohibited jetBlue from giving copies of reservations to Acxiom or anyone else, as long as the government wasn't involved.

But this newly-disclosed earlier transfer of jetBlue reservations to Acxiom may have been an independent violation of jetBlue's privacy policy -- and, to the extent that privacy policy is legally binding, may provide an independent basis for legal action against jetBlue.

There's nothing particularly unusual in this sort of wholesale transfer of reservation data, without notice or consent from travellers, to companies travellers have never heard of or dealt with directly. As I've said all along, the only peculiarity of the jetBlue case is that jetBlue hosts its own database -- most airlines outsource hosting of their reservation databases to one of the big four CRS's/GDS's -- and that jetBlue actually has a privacy policy against the things it did.

The first reported tests of passenger profiling from reservation data after 11 September 2003 were conducted with several million reservations from the archives of another third-party PNR processing company that works as a contractor to airlines, Airline Automation, Inc. (now a division of the Amadeus CRS/GDS).

We don't know what Acxiom was already doing with the jetBlue records. (If the DHS Privacy Officer asked, she doesn't say in her report.) jetBlue has tried to excuse its gift of passenger data to a military contractor as a well-intentioned excess of patriotism, but jetBlue's newly-revealed prior "sharing" of passenger records with a data aggregator will be harder to justify. It's only one of a number of more recent signs of increasing efforts by travel reservation companies to "monetize" their archives of passenger data for targeted marketing and other purposes, including by aggregating them with other databases. (More on this in a future story I'm working on.)

But just as the fact that the TSA didn't violate the Privacy Act when they asked jetBlue to turn over their files to a military contractor is a sign of the need to close the loophole in the Privacy Act for commercial databases constructed at the government's behest, so the fact that jetBlue violated no law (except to the extent they violated their self-imposed privacy policy) when they gave their archives to a contractor to "aggregate" with other financial and government data is a sign of the need for a Federal travel privacy law protecting personal travel records in both corporate and government hands.

Posted by Edward on Friday, 20 February 2004, 14:44 (2:44 PM)
Comments

Guess what: Total Information Awareness is making a quiet comeback, according to the Associated Press.

Click my name for more info or go to:

www.thecolumbiaunion.com

Posted by: Hudson, 23 February 2004, 17:45 ( 5:45 PM)