Last October, a few of us at ThePrivacyPlace.Org examined the JetBlue Airways’ policy in an attempt to better understand the revelation that JetBlue had violated its public privacy policy when it gave the travel records of five million JetBlue customers to Torch Concepts, a private contractor to the Department of Defense (DoD). This paper is scheduled to appear in IEEE Security & Privacy and is entitled, “The Complexity Underlying JetBlue’s Privacy Policy Violations.” If you don’t want to wait for the paper to appear in print, the technical report is currently available here: The Complexity Underlying JetBlue’s Privacy Policy Violations.

The Department of Homeland Security (DHS)
Privacy Office investigated jetBlue to determine if the DoD had violated any laws. The DHS Privacy Office released a Report to the Public on Events Surrounding jetBlue Data Transfer on February 20, 2004. This report asserts that there is no evidence that jetBlue had provided directly to the Transportation Security Administration (TSA) or the U.S. Department of Transportation (DOT). Instead, that jetBlue had provided the information to Torch Concepts through its contractor (Acxiom). This objective of this investigation, was to determine whether government agencies had played a role in the privacy violation. The report states that no TSA employee had violated the Privacy Act; however, TSA employees were involved in the data transfer and failed to consider privacy policy impacts of this transfer: “The TSA employees involved acted without appropriate regard for individual privacy interests or the spirit of the Privacy Act of 1974.” The DHS report specific recommendations, including the need for comprehensive privacy training for employees and the establishment of data sharing guidelines.

It was later revealed that Northwest Airline had also disclosed the travel records of its customers as well. This privacy violation also prompted a number of complaints, including one by the Electronic Privacy Information Center (EPIC). See: Northwest Airlines’ Disclosure of Passenger Data to Federal Agencies.

On the 15th of September, the Transportation Administration dismissed the privacy complaint filed by EPIC against Northwest (see: Transportation Department dismisses privacy complaint against Northwest.

We at ThePrivacyPlace.Org will continue to investigate methods and tools that can be developed to help stop sensitive information from being disclosed when such disclosures are not in compliance with governing policies and laws. For a sample of some our efforts, check out our reports that are available on our publications page.

– Annie Antón