Putting a Stop to Fly and Tell

By Jane Black

"Some people just know how to fly," boasts Northwest Airlines' advertising slogan. But some people evidently don't know how to protect your privacy. On Jan. 18, the Electronic Privacy Information Center (EPIC), a Washington-based advocacy group, revealed that Northwest (NWAC) had secretly shared millions of passenger data records with NASA back in 2001. This despite Northwest CEO Richard Andersen saying last September that his airline hadn't -- and wouldn't -- share customer data with the federal government.

Andersen made those comments just after the otherwise loveable upstart airline JetBlue (JBLU) said it had handed over 5 million passenger records to a Defense Dept. contractor -- despite a promise not to share such information. Northwest now claims that its CEO wasn't aware that his security staff had given NASA three months' worth of data to help it develop powerful algorithms that might aid in spotting terrorists.

Northwest's breach was yet another example of post-September 11 corporate irresponsibility. Granted, Northwest handed over sensitive personal data in the anxious days soon after 9/11, when airline execs had a reason to be paranoid. Even today, though, "nonconsensual 'sharing' of customer data within the [travel] industry -- and with government agencies -- is the rule, not the exception," argues Edward Hasbrouck, author of the Practical Nomad guidebook and a leading travel privacy advocate (see BW Online, 7/22/03, "Covering the Traveler's Electronic Trail").

That's going to continue until the public learns four important lessons:

1. Many companies still just don't get it.

In a brief statement, Northwest claimed that the sharing of data didn't violate its privacy policy, which prohibits only the selling of data to third parties. So it won't sell your private information -- but it will give it to a federal agency that asks nicely.

In taking that step, Northwest appears to have overlooked its promise to customers of giving them "complete control" over information they share with the airline. When an outfit I've given my data to hands it over to someone else, that doesn't make me feel in control. At the least, Northwest seems to have violated the spirit of its privacy policy.

"Northwest's disregard for its customers' privacy is shocking," says Marcia Hoffman, staff counsel of EPIC, which discovered Northwest's action after requesting documents under the Freedom of Information Act. "If you care about privacy and need to book a ticket, the last place I'd go is Northwest."

That remains a subject for debate, and many members of the flying public may not care, given their inclination to trade privacy for security. Yet the Northwest incident does raise this question: Who's in charge of releasing millions of passenger records if not the CEO? According to the documents EPIC released, the person responsible is Jay Dombrowski, head of Northwest's security. Who does he report to? Northwest spokesman Kurt Ebenhoch -- the same spokesman who unwittingly misled reporters about Northwest's data sharing -- had no comment beyond the company statement.

Northwest's nonchalance about all this is sobering. Unlike JetBlue's CEO, who immediately apologized to customers, Andersen hasn't. His only attempt to smooth things over came on Jan. 22 -- five days after the news broke -- when he urged fellow airline execs to develop protocols to protect customer data.

2. Technology is no magic bullet against terrorism.

In 2002, the Defense Dept.'s Terrorist Information Awareness (TIA) program aimed to aggregate every traveler's credit history, itinerary, and medical information in an effort to screen out terrorists. When Congress put the kibosh on its funding, Homeland Security's Travel Security Administration stepped up its work on a new version of Computer Assisted Passenger Pre-Screening. Known as CAPPS 2, this program assigns each passenger a label -- "no fly, warning, or safe," even though evidence shows that such unsophisticated screening keeps law-abiding people off planes while allowing suspicious travelers on board -- like the man who recently flew from Washington to London with ammunition in his pocket (see BW Online, 4/17/03, "The System That Doesn't Safeguard Travel", and BW Online, 4/17/03, "Better Safety Is in the Bag").

Avoiding some variation of such invasive-but-ineffective technology has turned into an absurd game of whack-a-mole for privacy advocates. Smash TIA, and up pops CAPPS 2. More recently, from the Northwest documents, comes word that NASA also had a project on the books. Perhaps everyone would be better off if the government stuck to old-fashioned detective work to prevent terrorism.

3. The airline-data mess should be cleared up.

Since September, calls for a congressional investigation of JetBlue's privacy practices have been persistent. Both the U.S. Army and Homeland Security's chief privacy officer have promised to report on their roles in that incident. Neither has.

It's time for answers -- about JetBlue, Northwest, and every federal program that has asked airlines to share passenger data. The European Union also will be looking for answers. Last month, after lengthy negotiations, the EU signed a tentative agreement to share passenger data with the U.S., even though such disclosures flout EU law. In the wake of the JetBlue and Northwest incidents, more than a few U.S. government officials are worried that the EU will reconsider.

On Jan. 20, EPIC filed a complaint with Transportation, alleging that Northwest's data sharing amounted to a deceptive trade practice. If the agency agrees, the case will be a first step toward establishing legal protection for traveler data.

However, that's not enough. Congress should look into what happened at JetBlue and Northwest. It should also recommend that every federal agency appoint a chief privacy officer to prevent data sharing without affording individuals privacy protections (see BW Online, 1/08/04, "Privacy Progress at Homeland Security").

4. It's time to regulate travel data.

Unlike the situation with medical and financial data, no law directs how travel records should be stored, sold, used, or who can see them. Government agencies can use this data -- where you went, with whom, whether you asked for one bed or two -- for surveillance and monitoring, even if you've never been convicted of a crime. Apparently, all they have to do is ask. Can you say Big Brother?

What the Northwest privacy breach reveals is the need for new federal rules that mimic the data-protection principles in the EU and Canada: Travelers should have the right to choose whether their airline can share information, know whether and how their data is shared, and be able to correct errors that appear in corporate or government travel databases. Such a law should also cover any government agencies that want to collect and parse travelers' personal travel histories.

Even Northwest seems to agree with the need for more oversight. In the final line of its statement on its 2001 data sharing, it observed that "in light of current privacy concerns, Northwest believes a data-protection protocol addressing privacy concerns should be developed before any further aviation-security research with passenger data is conducted." Amen.

Black covers privacy issues for BusinessWeek Online in her twice-monthly Privacy Matters column.
