Airline Passenger Profiling Based on Private Sector Data:
Why It Raises Serious Privacy Concerns

By ANITA RAMASASTRY

Wednesday, Oct. 01, 2003

Recently, JetBlue Airways confirmed reports that, in 2002, it had provided 5 million passenger itineraries to a private defense contractor, Torch Concepts - without passengers' consent.

The data transfer may well have violated the federal Privacy Act of 1974 - but not necessarily. That Act governs databases that the U.S. government compiles. But it does not regulate how government agencies and their contractors access private sector databases. The Act should be amended to do all these things.

Meanwhile, the government's privacy-violating conduct with respect to the Torch Concepts study does not bode well for the future of another, similar program. The program is the proposed Enhanced Computer Assisted Passenger Pre-screening System (CAPPS II), which seeks to enhance airline security.

Soon, the Transportation Security Administration (TSA) - which was involved in the JetBlue data transfer - will begin to implement CAPPS II. CAPPS II will attempt to update and revamp the existing federal no-fly list program by employing the same kind of private sector data that JetBlue provided to Torch Concepts.

Disturbingly, however, CAPPS II currently lacks meaningful privacy and due process safeguards. Thus, not only should the Privacy Act be amended, but so should the CAPPS II proposal.

Otherwise, consumers may find that data that they have provided to companies in the private sector is now being used to target them for the same scrutiny would-be terrorists receive.

Torch Concepts' Study and Its Conclusions

To understand the privacy harm here, it's useful to look at what Torch Concepts did, specifically.

As the New York Times reported, Torch Concepts had been hired by the Army "to determine how information from public and private records might be analyzed to help defend military bases from attack by terrorists and other adversaries."

In connection with this study, Torch Concepts contacted the TSA. And, according to a TSA spokesperson, the TSA facilitated the transfer of the JetBlue passenger data to Torch Concepts.

Then, separately, Torch Concepts purchased demographic data from Axicom, a large data aggregating company. The data related to about 40% of the passengers with the JetBlue itineraries. (As with JetBlue itself, reports suggest Axicom did not notify individuals before turning over individuals' data to Torch Concepts.)

The demographic data Axicom provider for each passenger included gender; whether the passenger owned or rented his or her residence, and how long he or she had lived there; economic status, including income; number of children; Social Security number; occupation; and vehicle information.

Torch Concepts matched the itineraries from JetBlue with the new data form Axicom, and used the data as part of a study, "Homeland Security - Airline Passenger Risk Assessment." That study was presented in February 2003 at a conference sponsored by the Tennessee Valley Chapter of the National Defense Industries Association. The Association then posted the presentation on its website, where it remained available until September 16, 2003.

In the study, Torch Concepts created profiles of three groups of travelers: (1) Young Middle Income Home Owners with Short Length-of-Residence; (2) Older Upper Income Home Owners with Longer Length-of-Residence; and (3) travellers with "anomalous records."

The third category, by definition, might potentially include renters, students with both home and school addresses, older persons who have moved recently, and persons with low incomes. Of course, such persons are in some senses the norm in America. Yet the program may have deemed them "anomalous" - and, thus a risk from a security standpoint.

Possible Legal Violations Connected to the Data Transfer

With its nonconsensual transfer of passenger data, JetBlue appears to have violated its own privacy policy. Its website, which allows online ticketing, says that "[t]he financial and personal information collected on this site is not shared with any third parties [.]" But in fact, it was - it was shared with Torch Concepts, and perhaps with the TSA as well.

By transferring the data, JetBlue may have engaged in unfair or deceptive trade practices. Indeed, the Electronic Privacy Information Clearinghouse (EPIC) has filed a complaint with the Federal Trade Commission (FTC) that makes this very argument.

According to the EPIC complaint, potential passengers were not the only ones misled by JetBlue's privacy policy. EPIC alleges that ConsumerReports.org relied on this privacy policy in August 2003 when it awarded JetBlue a favorable e-rating for Privacy and Security and Customer Service.

Meanwhile, not only the "unfair and deceptive trade practices" statute, but also he federal Privacy Act may have been violated here. The Act requires official notice whenever a government agency "provides by a contract for the operation by or on behalf of the agency of a system of records."

Arguably, the Act applies here, because Torch Concepts was a defense contractor, and indeed, worked directly with the TSA to get the JetBlue information. And, arguably, the Act was violated - for, as noted above, no notice was given to the passengers whose data was transferred. People want to know when the government is retaining data concerning them, and for how the long the data will be kept and for what purpose.

To make sure the Act is applicable to this and similar violations, however, Congress should amend it to make clear it applies in situations where, as here, government agencies (such as the TSA) and their contractors (such as Torch Concepts) access private sector databases (such as JetBlue's and Axicom's).

Even If Notice Is Given, CAPPS II May Still Seriously Invade Privacy

If the Privacy Act is thus amended - or if it is held to apply to the JetBlue situation in its current form - that ought to ensure that notice is given when individuals' personal data is accessed. That would be, at least, some progress.

But there is another problem: What if the data is misused, or contains serious errors?

Misuse of data could be disastrous - hampering an individual's ability to travel, and possibly falsely implicating the individual in criminal activity. Once data has left its private sector home, it may be hard to trace, and may end up in improper places.

Consider this question, for instance: How many personnel at Torch Concepts have now seen personal data on passengers from JetBlue? And if they were to misuse it, could the misuse be traced, given that personnel at TSA, Axicom, and JetBlue have probably also seen the same data?

Meanwhile, errors have already been discovered relating to the security screening lists employed as part of airport security programs.

Under the current system, the government maintains "watch lists" or "no fly" lists. The lists are used by the airlines to expose certain persons to additional screening, or even to ban them from flying.

Many of the details of the lists remain unclear, however: How many people are on them, and how many of those are American citizens or legal permanent residents? Who is responsible for oversight of the lists? Who verifies that the names are selected appropriately and whether the information accurate?

These questions linger, and are all the more important because these lists are far from infallible, and when they contain errors, those errors have proven difficult or impossible to correct.

For example, one woman's name was flagged because it was similar to that of a wanted Australian man. She had to go to Congressman Bill Pascrell, and he had to go to the FBI, who wrote to the TSA in August 2002 to ask it to take her off the list.

Irate passengers claiming that they were incorrectly identified for additional security, or simply banned from boarding at all, have sought remedies - sometimes with the aid of EPIC or other organizations. But these remedies have not materialized.

As a result, passengers who believe they are wrongly listed still confront a bureaucratic maze, in which buck-passing seems to be the norm. In one case, the TSA is alleged to have directed the complaining passenger to contact the airline. Yet in another case, the airline may have sent the passenger to the TSA. In other words, there are no clear cut procedures for getting your name off of a security list once it has been put there.

When and if private sector data is incorporated into the no-fly lists - with CAPPS II - even more serious inaccuracies in the lists may inevitably be introduced. According to an August 2003 Federal Register notice, CAPPS II will rate every passenger by checking dates of birth, home addresses and phone numbers against not only the government's terrorist watch lists, but also commercial databases.

That reality should make those in the third group, in particular, extremely nervous. People may face increased screening simply because they are too poor to own their home, because they have recently relocated, or because, as students, they maintain both home and dorm addresses. That is extremely unfair.

Congress Is Right to Scrutinize CAPPS II

Fortunately, Congress has taken heed of the privacy and due process issues relating to CAPPS II. For instance, it has asked the General Accounting Office (GAO), by February 15, 2004, to review the CAPPS II proposal, and certify that among other things " a system of due process exists whereby aviation passengers determined to pose a threat and either delayed or prohibited from boarding their scheduled flights by the TSA may appeal such decision and correct erroneous information contained in CAPPS II."

Congress is rightly concerned about ensuring that "the underlying error rate of the government and private data bases that will be used both to establish identity and assign a risk level to a passenger will not produce a large number of false positives that will result in a significant number of passengers being treated mistakenly or security resources being diverted."

Congress should hold firm in its insistence that CAPPS II comply with due process. And it should think carefully before it allows private sector databases to be used in CAPPS II - and if it does permit it, should make sure strong safeguards are implemented.

Meanwhile, it should also amend the Privacy Act to make sure violations of these safeguards can be properly punished even if it is a private sector - not a government - database from which the relevant private data originates.

Our privacy, and our right to due process, demand these changes. If we do not safeguard these rights, we will doubtless lose them.


Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology.

FindLaw Career Center


      Post a Job  |  View More Jobs

    View More