Following a request under the US Freedom of Information Act,
EPIC obtained documents from NASA that showed that that Northwest
Airlines had given the agency personal data about millions of its
passengers. The data was retained by NASA for two years before
being returned in September last year – just after JetBlue Airways
was severely criticised for making similar disclosures to a defence
agency.
The data, for July, August and September 2001, was sent to NASA
shortly after the September 11th atrocities, when the agency
requested data in order to test various schemes for identifying
terrorists.
The transfer, says the US civil liberties group, was in clear
breach of Northwest's own privacy policy, which states that
passengers will control "the use of information [they] provide to
Northwest Airlines." The airline further assures customers that it
has "put in place safeguards to ... prevent unauthorized access or
disclosure" of the information it collects.
NASA retained the details for two years but then returned the
CDs on which the records were kept. A NASA researcher noted in an
e-mail message to the airline that, "you may have heard about the
problems that JetBlue is now having after providing passenger data
for a project similar to ours."
JetBlue Airways was sued by customers in September last year
after admitting that it had released customer data to Torch
Concepts, a contractor for the US Department of Defence, for a
security risk assessment project.
EPIC has now filed a complaint with the US Department of
Transportation, alleging that Northwest's disclosure constitutes an
unfair and deceptive trade practice, and requesting a formal
investigation.
EPIC has also confirmed that it will file suit against NASA to
seek release of other material still held by the agency.
"The airline industry has been at the centre of several recent
privacy controversies," said EPIC General Counsel David Sobel. "The
improper disclosures of personal data all involve government
efforts to 'screen' passengers for security risks. The security
benefits of these efforts are questionable, and there is a great
deal of scepticism within Congress and the general public."
Northwest's disclosure is likely to fuel concerns about
passenger data privacy that have long been expressed by the
European Union.
The European Commission gave approval in December to
controversial privacy protections that aim to safeguard the
personal details of US-bound air passengers. In terms of the deal
airlines operating passenger flights to, from or through the US,
will provide the US Customs Border Protection Bureau, upon request,
with electronic access to passenger data contained in their
reservation and departure control systems.
However it was established last week by rights group European
Digital Rights, that the deal agreed by the Commission did not rule
out the use of EU passenger data in the testing process for the US
Computer Assisted Passenger Pre-Screening System (CAPPS II) – the
proposed domestic airline passenger screening system.
According to EPIC Staff Counsel Marcia Hofmann: "The Department
of Transportation has previously assured the EU that airline
privacy practices would be closely monitored. DOT's response to the
complaint we will submit this week will be the first test of those
assurances."
