An Army investigation has concluded that the release of customer
data by US airline JetBlue Airways to a contractor for the US
Department of Defence was not in breach of privacy rules, according
to a Wired News report.
In September 2002, at the request of the Transportation Security
Administration (TSA), JetBlue released personal details – names,
addresses and phone numbers – of over one million of its passengers
to contractor Torch Concepts so that the contractor could study its
ability to assess the terrorist risk of passengers.
The test involved checking the passenger information against
other databases to which the contractor had access.
A data company called Acxiom provided the additional information
– which included social security numbers and income levels – even
though both Acxiom and JetBlue had visible privacy policies stating
that personal information would not be given out to third
parties.
In September last year, customers of the airline filed a class
action against the company over the alleged breach of privacy,
while civil liberties group the Electronic Privacy Information
Center (EPIC) filed a complaint with the Federal Trade Commission
against JetBlue and Acxiom.
The US Army ordered its own investigation into the affair,
looking for violations of the US Privacy Act. This Act is designed
to ensure that there are no secret government systems for gathering
personal data, and that any data collected is restricted to that
which is strictly necessary.
The Act also requires that individuals can see what information
is kept about them, and can challenge the accuracy of that
information; that personal data collected for one purpose cannot
then be used for another purpose without consent; and that if any
data is disclosed the individuals involved will be able to find out
to whom, when and why it was disclosed.
The Army's inspector general has now published a report
exonerating the contractor from any privacy breaches.
Torch, states the report, did not breach the US Privacy Act
because it did not maintain a system of records that is covered by
the Act. In effect the contractor did not actually retrieve
individual files from the database "by name or by any other
identifying particular at any time in the course of the study."
Torch simply sorted passengers into separate risk groups by
looking at aspects of the data, such as age and income.
The report was actually published in June, but not made widely
available. Wired News was able to obtain a censored copy after
making a Freedom of Information request.
In a statement, Senator Patrick Leahy, who has seen the full
report, criticised the Army finding. According to Wired News he
said, "Neither the Army nor its subcontractor considered informing
customers that their data would be used".