Friday, 20 February 2004
DHS Privacy Officer releases report on jetBlue Airways scandal
The Chief Privacy Officer of the USA Department of Homeland Security today released her Report to the Public on Events Surrounding jetBlue Data Transfer of the entire jetBlue Airways reservation archives to a military contractor.
The DHS also released a Transcript of Media Roundtable with Nuala O'Connor Kelly, Chief Privacy Officer, DHS conducted earlier this week. (Should I be surprised that, as the first to have uncovered and reported the jetBlue scandal, I wasn't invited?)
Perhaps the most important thing about the DHS Privacy Officer's report is its narrow focus:
This report is not intended to comment on allegations involving jetBlue's activities or the activities of Department of Defense employees or contractors, which in these circumstances is beyond the statutory purview of the DHS Privacy Office.
So the publication of this report should not be misunderstood to mean that the scandal has been "fully" investigated, much less "laid to rest".
The issues of privacy practices within the travel industry -- by jetBlue, Northwest Airlines, other airlines, CRS's/GDS's, travel agencies, and third-party PNR processing companies -- and of use of airline reservation data for other government programs including "Total Information Awareness", continue to demand a Congressional investigation that would extend well beyond the scope of next month's hearing on CAPPS-II.
Contradicting published reports by myself and other journalists (including the Times of London) that CAPPS-II contractors in 2002 received and used tapes of several million reservations on multiple airlines from the Sabre CRS, the DHS Privacy Officer says that, "At this time, there is no evidence that CAPPS II testing has taken place using passenger data." But no details are given as to what effort the Privacy Officer made to seek out such eveidence, or whether she even asked the members of the four 2002 CAPPS-II proof-of-concept contractor teams what data they used in their tests.
The DHS Privacy Officer's report concludes that:
TSA participation was essential to encourage the data transfer. As several airlines had refused to participate in this program absent TSA's involvement, it appears that, but for the involvement of a few TSA officials in these events, the data would likely not have been shared by jetBlue with the Department of Defense and its contractors.
The DHS report confirms that Torch Concepts received the jetBlue data as a subcontractor to SRS Technologies -- a relationship Torch excised from its Web site just days after I broke the jetBlue story, and SRS has been reluctant to admit.
SRS was the exclusive prime information technology contractor to the military's "Total Information Awareness" (TIA) program, but there's no mention in the DHS report of whether the Torch subcontract was under SRS's contract for TIA (and, once again, no indication that DHS Privacy Officer even asked). The relationship of the jetBlue/Acxiom/Torch/SRS project to the TIA program remains an open question, unlikely to be answered without a Congressional investigation.
The real bombshell in the report is the revelation that Acxiom Corp., a "data aggregator serving as a contractor for jetBlue", already had received all the jetBlue reservation data before it turned it over to military contractor Torch Concepts at the request of the TSA:
The actual transfer of the data, was, in fact, accomplished between Acxiom (acting as a contractor for jetBlue) and Torch Concepts.
In the USA, as the DHS Privacy Officer's report correctly points out, the Privacy Act only regulates the use of data actually held by the Federal government. So it wouldn't have prohibited jetBlue from giving copies of reservations to Acxiom or anyone else, as long as the government wasn't involved.
The first reported tests of passenger profiling from reservation data after 11 September 2003 were conducted with several million reservations from the archives of another third-party PNR processing company that works as a contractor to airlines, Airline Automation, Inc. (now a division of the Amadeus CRS/GDS).
We don't know what Acxiom was already doing with the jetBlue records. (If the DHS Privacy Officer asked, she doesn't say in her report.) jetBlue has tried to excuse its gift of passenger data to a military contractor as a well-intentioned excess of patriotism, but jetBlue's newly-revealed prior "sharing" of passenger records with a data aggregator will be harder to justify. It's only one of a number of more recent signs of increasing efforts by travel reservation companies to "monetize" their archives of passenger data for targeted marketing and other purposes, including by aggregating them with other databases. (More on this in a future story I'm working on.)