JetBlue privacy--under federal wings?

CNET's Declan McCullagh says the privacy boondoggle at JetBlue underscores why current anti-intrusion law is in dire need of an update.

Ever since its launch, I've been an unabashed fan of JetBlue Airways, the brash start-up that offers comfortable seats, satellite-linked TVs and beat-the-competition prices.

Until last week, that is, when I found out that JetBlue secretly turned over my personal information and details on some 5 million other passengers to a private contractor that's working on a data-mining project for the Bush administration.

A presentation prepared by contractor, Torch Concepts of Huntsville, Ala., describes how it merged the JetBlue database with U.S. Social Security numbers, home addresses, income levels and vehicle ownership information it purchased from Acxiom, a company that sells consumer data. Not all the details are clear, but the presentation discusses how Torch, on behalf of Uncle Sam, tried to rate each passenger's security risk level by analyzing the merged databases.

That kind of disgraceful privacy intrusion demonstrates that it's high time to amend the Privacy Act of 1974, which restricts databases that the U.S. government compiles but does not regulate how agencies access databases the private sector runs.

Enacted largely as a result of a federal report on automated data systems, the Privacy Act covers any "system of records" the government operates with personal information on American citizens. It limits the use and disclosure of those records and requires that the databases be protected with "appropriate administrative, technical and physical safeguards" to preserve their security and confidentiality. Government employees who disclose records in violation of the law's procedures can be fined and imprisoned on misdemeanor charges.

In today's world, the venerable Privacy Act doesn't go far enough. It worked when computers could be defined as "automated data systems,"

In today's world, the venerable Privacy Act doesn't go far enough.
but Moore's Law has exploded early 1970s-era notions of computing speed, and hard drive capacity has increased even more dramatically. The law fails to address the "databasification" of modern life.

To give this a historical perspective, the Privacy Act was enacted just a few years after Intel introduced the 4004, the first single-chip microprocessor and the 1103 dynamic RAM chip, which replaced magnetic core-type memory.

It was a product of the same era in which E.F. Codd began publishing papers that described the then-novel relational database, and it was enacted before the introduction of the personal computer and today's massively networked society.

The U.S. Congress could never have envisioned the tremendous--and tremendously intrusive--outsourcing of databases that's taken place during the last three decades.

Under the Privacy Act, if the federal government wants to assemble the kind of tera-scale data collection JetBlue happily divulged to a private contractor, at the very least it would have to disclose what it was doing and take steps to limit the information's misuse. But because the full database apparently remained in the hands of contractor Torch, the entire shoddy deal was exempt from the law.

The necessary change to the Privacy Act is a modest one. Currently, the law covers "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual."

More modern language would regulate agencies' use of commercial data sources for data mining and require them to disclose which private-sector databases they have purchased. It would not have to impose any additional requirements on businesses.

Naturally, the amended Privacy Act should permit reasonable, limited police access to private-sector databases. When hunting a fugitive, the FBI may have a legitimate need, for instance, to peruse Lexis-Nexis' "Nationwide Person Tracker," a database of 324 million people. But the government has no legitimate need to outsource the secret creation of massive databases on millions of Americans outside the purview of federal law, constitutional privacy protections and the oversight of Congress.

Other examples
The JetBlue fiasco is only the most recent example of how federal agencies have routinely exploited loopholes in the Privacy Act.

Image Data signed a contract with the Secret Service in 1997 to create a national identity database for the federal government, according to documents that the Washington, D.C.-based Electronic Privacy Information Center obtained through the Freedom of Information Act.

EPIC also found that the Immigration and Naturalization Service--now part of the U.S. Department of Homeland Security--queries private-sector databases 20,000 times a month.

The JetBlue fiasco is only the most recent example of how federal agencies have routinely exploited loopholes in the Privacy Act.
In fiscal year 2002, the U.S. Department of Justice inked an $11 million contract for access to databases held by ChoicePoint--a self-described "leading provider of identification and credential verification services for business and government"--including Americans' names, addresses, previous addresses, places of employment, spouses' name and Social Security numbers. The FBI now insists, improbably, that the bureau's arrangement with ChoicePoint is so secret that even the contract number may not be disclosed.

Both JetBlue and Torch seem suitably embarrassed by disclosure of their complicity in this massive privacy invasion. JetBlue CEO David Neeleman circulated an e-mail note that confessed: "We responded to an exceptional request from the Department of Defense to assist their contractor, Torch Concepts...We provided limited historical customer data including names, addresses and phone numbers."

Neeleman added: "We deeply regret that this happened and have taken steps to fix the situation and make sure that it never happens again." (Missing from Neeleman's apologia was an acknowledgement that JetBlue likely violated its own privacy policy, at least for tickets bought online, which says "financial and personal information collected on this site is not shared with any third parties.")

Torch, on the other hand, is calling in the lawyers. Its law firm, Lanier, Ford, Shaver & Payne, on Friday sent a cease-and-desist nastygram to a Web site that's hosting a copy of Torch's 23-page "Homeland Security: Airline Passenger Risk Assessment" study, which described how the data-mining project worked. (John Young, who runs the archive, has mirrored the study here.)

If, like me, you've been a JetBlue customer and are somewhat less than delighted by the company's cozy relationship with the Feds, CEO Neeleman is only an e-mail click away. Then follow up with a call to your representative in Congress to make sure this sort of arrangement does not get repeated.