[Politech] JetBlue privacy woes: my column and John Gilmore's request [priv]

From: Declan McCullagh (declan@private)
Date: Wed Sep 24 2003 - 10:08:16 PDT


    JetBlue privacy--under federal wings?
    September 23, 2003, 4:00 AM PT
    By Declan McCullagh

       Ever since its launch, I've been an unabashed fan of JetBlue Airways,
       the brash start-up that offers comfortable seats, satellite-linked TVs
       and beat-the-competition prices.

       Until last week, that is, when I found out that JetBlue secretly
       turned over my personal information and details on some 5 million
       other passengers to a private contractor that's working on a
       data-mining project for the Bush administration.

       A presentation prepared by contractor, Torch Concepts of Huntsville,
       Ala., describes how it merged the JetBlue database with U.S. Social
       Security numbers, home addresses, income levels and vehicle ownership
       information it purchased from Acxiom, a company that sells consumer
       data. Not all the details are clear, but the presentation discusses
       how Torch, on behalf of Uncle Sam, tried to rate each passenger's
       security risk level by analyzing the merged databases.

       That kind of disgraceful privacy intrusion demonstrates that it's high
       time to amend the Privacy Act of 1974, which restricts databases that
       the U.S. government compiles but does not regulate how agencies access
       databases the private sector runs.

    ----- Forwarded message from John Gilmore <gnu@private> -----
    From: John Gilmore <gnu@private>
    Subject: Please submit public comments on CAPPS 2 / JetBlue
    Date: Wed, 24 Sep 2003 02:12:16 -0700

    [Moderator's note: This isn't about crypto, but I have a tradition of
    forwarding John's appeals on such topics. --Perry]

    There's something you can do *right now* that will stop pending abuses
    of air travelers' private data.  And your chance to do it will expire
    this coming Tuesday (Sept 30).

    The government has published a Privacy Act notice about its CAPPS-2
    program, which would require all airlines to provide JetBlue-style
    information (full PNRs) to the government -- all the time, before
    every flight.  It's like another JetBlue database dump that happens
    again and again, day after day, month after month, airline after
    airline.  Affecting everyone who ever flies.

    CAPPS-2 is the real thing, for which the Torch Concepts/JetBlue
    contract was one of the test runs.  The government is taking public
    comments on the CAPPS-2 proposal, by email or postal mail, between now
    and September 30th.  After that, if you send them your opinion,
    they'll ignore it (even more than usual).

    Address your email like this:

      To:  privacy@private
      Subject:  DHS/TSA-2003-1

    Then tell them whatever you want.  If the government is honest, then
    they would stop CAPPS-2 if they got individual notes from 10,000
    people saying "KILL CAPPS-2!  Don't sacrifice the privacy of 600
    million travelers each year in a foolish attempt to catch less than a
    dozen actual terrorists each year."  If they are dishonest and don't
    care what the public thinks, then they would at least be on notice
    that 10,000 honest and involved people are watching them.

    You can write them pages and pages of details on how terrible CAPPS-2
    is, and how corrupt they are to propose it, instead of a short note.
    But I suggest reading the details of what they propose, if you're
    going to that much trouble.  You can find their proposal (in
    proprietary PDF format) here:

    They claim that they're putting up the comments for public viewing on
    http://www.dhs.gov, but if they have done so, I can't find them there.

    You can find an earlier round of 282 overwhelmingly negative public
    comments on CAPPS-2 here, if you click "Simple Search" and enter
    "1437": http://dms.dot.gov

    As a brief overview, CAPPS-2 would require airlines to collect
    people's full legal name, residence address, home phone number, and
    date of birth (none of which is currently used by airlines today)
    before they can even make a flight reservation.  They would be
    required to hand this information, and everything else in the PNR
    (flight reservation), to the government, LONG BEFORE the flight takes
    off.  Then the government (or its "contractors") would do the same
    kind of data matching that Torch Concepts did, hooking up your flight
    reservations to credit databases and many other government and private
    databases.  The difference is that if YOUR data was one of those
    "anomalous records" (that didn't fit one of the standard patterns of
    your airline's customers), you would be singled out to be specially
    searched, and/or kept off the airplane.

    Torch Concepts' report blew the whistle on this secret program.  The
    report is at http://cryptome.org/jetblue-spy.pdf.  On page 22,
    Torch found two major groupings of JetBlue customers:

      (1) Young Middle Income Home Owners with Short Length-of-Residence
      (2) Older Upper Income Home Owners with Longer Length-of-Residence

    Everybody else they categorized into "anomalous records".  If you're
    an oldster who moved to Florida recently -- or a renter -- or a lower
    income person of any type -- you're anomalous.  You're going to get
    that special government search whenever you fly on JetBlue, if TSA
    succeeds in imposing CAPPS 2.

    (Oh, perhaps their final system will be more subtle than this clumsy
    contractor was, but the basic problem is the same: the government will
    forcibly identify each traveler, evaluate their lifestyle from
    database records, and then make snap decisions about what civil rights
    that person will have while traveling.  They propose to permanently
    withhold the right to anonymity; grant or withhold the right to
    travel; and grant or withhold the right not to be searched without
    probable cause.  I thought rights were something that you had *all the
    time*, not just if the government likes your lifestyle.)

    CAPPS-2 also proposes that this "airport checkpoint" also be used to
    try to catch various kinds of criminals, rather than solely to make
    flying supposedly safer.  It would also be used to catch foreign
    visitors whose visa has expired or whose paperwork is snarled.  And
    once the public is used to it, of course I expect it would be expanded
    to stop people for everything up to and including parking tickets.

    The judges say that searching the general public without cause, in
    order to catch criminals, is unconstitutional.  But don't depend on a
    judge to guard your rights.  Complain to the government yourself,
    right now!

    Here's the best part.  Besides the "blacklists" that today's CAPPS-1
    system uses, the CAPPS-2 system will have "whitelists".  Anyone with a
    government security clearance, or a "position of trust and
    confidence", will never get singled out, screened, or delayed.  They
    will be able to show up at the airport half an hour before their
    flight, like everyone used to be able to do, and just walk on board.
    There'll be one rule for "Party members" and another rule for the
    "proletariat".  CAPPS-2 assumes you are guilty until proven innocent
    -- and assumes you are innocent if you work for the government.  That
    alone is reason enough to stop it.

    EFF has also set up an Action Alert web site as another way to submit
    your comments on CAPPS-2.  See:

    	John Gilmore
    and	Electronic Frontier Foundation (EFF)
    ----- End forwarded message -----

    Politech mailing list
    Archived at http://www.politechbot.com/
    Moderated by Declan McCullagh (http://www.mccullagh.org/)

    This archive was generated by hypermail 2b30 : Wed Sep 24 2003 - 09:20:55 PDT