- An Army data-mining project that searched through JetBlue's
passenger records and sensitive personal information from a data broker
to pinpoint possible terrorists did not violate federal privacy law, according
to an investigation by the Army's inspector general.
-
- The inspector general's findings[1] were accepted by
some, but critics say the report simply highlights the inability of the
country's privacy laws to cope with 21st-century anti-terrorism efforts.
-
- News of the Army project came to light in September 2003
when JetBlue admitted it had violated its privacy policy by turning over
5.1 million passenger records to Torch Concepts, an Alabama-based defense
contractor.
-
- Torch subsequently enhanced the JetBlue data with information
about passengers' salaries, family size and Social Security numbers that
it purchased from Acxiom, one of the country's largest data aggregators.
-
- The Army says it was testing the data-mining technology
as part of a plan to screen visitors to Army bases.
-
- JetBlue, which turned over the data at the request of
the Transportation Security Administration, was the first airline fingered
for secretly sharing data with the government. But it is now known that
six of the 10 largest airlines, along with two of the largest airline reservation
centers, also did so.
-
- The inspector general found Torch did not violate the
Privacy Act, which prohibits government officials from creating secret
databases that track information about American citizens by name and Social
Security number. The report said the company didn't violate the law because
no one looked up any passenger by name and its algorithm simply sifted
through the data using factors such as home ownership, age and income in
order to sort passengers into risk groups.
-
- "The evidence indicated that Torch neither created
nor maintained a system of records as defined by the Privacy Act of 1974,"
the report said. "There was no evidence that Torch retrieved individual
records from the databases ... by name or by any other identifying particular
at any time in the course of the study."
-
- The report did find, however, that Torch violated the
conditions of its subcontract by presenting the study's findings at a conference
in April 2003, which later led to the public disclosure of the project.
-
- The Army did not publicly release the June 21 report,
though it provided copies to some senators in July and Wired News later
obtained a heavily redacted version through a Freedom of Information Act
request.
-
- The committee's chairwoman, Sen. Susan Collins (R-Maine),
said she was "pleased to learn that there was no Privacy Act violation,"
but added she would continue to "closely monitor any further attempts
by the government to obtain passenger data to ensure that the process ...
complies with privacy laws and is sensitive to Americans' privacy interests."
-
- However, Sen. Patrick Leahy (D-Vermont), who independently
asked the Pentagon to investigate the Torch matter, sounded annoyed by
the Army investigation's technical reading of the law.
-
- "Neither the Army nor its subcontractor considered
informing customers that their data would be used," Leahy said in
a written statement. "TSA failed to identify the privacy policy and
privacy impact on individuals. Yet both the Army and TSA were able to report
that they technically did not violate the letter of the Privacy Act of
1974 because the personal data was collected from private sources and was
never in the hands of the government," he said.
-
- Leahy compared the Army's findings to those of Department
of Homeland Security chief privacy officer Nuala O'Connor Kelly, whose
February report[2] said TSA employees violated of the spirit of the Privacy
Act by asking JetBlue to provide data.
-
- Ari Schwartz, associate director of the Center for Democracy
and Technology, thinks the report makes faulty assumptions about how Torch
worked with the data and feels that the law was broken.
-
- "They worked through all the holes in the definition
of a system of records because this is a 2000 database with a 1970s regulation,"
he said. Schwartz said the definition of "system of records"
needs to updated to include any database that contains sensitive information
about individuals, not simply those in which records are retrieved by looking
up a name or Social Security number.
-
- Using the Army's definition, a system like the proposed
Total Information Awareness system could search for patterns of terrorist
activities within massive amounts of data and output the names and activities
of suspected terrorists without needing to tell the public about the existence
of the database, so long as analysts never search through records using
anyone's name.
-
- The report also indicates that the Army's ultimate goal
was to use Torch's technology to predict future terrorist attacks. In 2002,
the Army authorized Torch to access Los Alamos laboratory databases and
counter-intelligence databases housed in the FBI, although it is unclear
whether the company did so.
-
- Even though the Army report concerns information revealed
nine months ago and the government has since shelved plans for a new passenger
profiling system because of privacy concerns, the report remains germane
to ongoing debates about the balance between security and civil liberties,
according to Schwartz.
-
- "You look at the 9/11 commission report and there
is all this stuff in there about transportation screening and there's another
section on civil liberties and at some point, you have to map those two
together to build a system that takes civil liberties into account."
Schwartz said. "But if the response is completely 'We are going to
do whatever we can to route around privacy laws,' you are going to end
up with a lack of trust in the government to do their job, as well as in
the companies who are asked to turn over data."
-
- Leahy concurs that report's technical reading of the
law highlights the challenges the government will face in trying to implement
recommendations from the 9/11 commission.
-
- "Effective information sharing and analysis can
enhance our security capabilities," Leahy said. "As the 9/11
report recommended, we need to develop those capabilities, but it should
not be done without due consideration for individual privacy.
-
- Leahy said the government and private sectors need to
be upfront with the public about the type of personal information that
will be shared and tested, and about what protections are in place to protect
privacy, prevent identity theft, ensure accuracy and protect civil liberties.
-
- The Army report will not be the last word on the propriety
of airline data transfers to the government as both the DHS' inspector
general and its chief privacy officer, O'Connor Kelly, are currently probing
the TSA's use of airline passenger data for its own projects.
-
- [1] http://www.secondaryscreening.net/static/docs/foias/2004/Ar
myIGTorchReport.pdf [2] http://www.dhs.gov/interweb/assetlibrary/Privacy
Office_jetBlueFINAL.pdf
-
- © Copyright 2004, Lycos, Inc. All Rights Reserved.
http://wired.com/news/print/0,1294,64647,00.html
|