Federal employees who persuaded JetBlue Airways to give a defense contractor personal information about 1.5 million passengers — without their knowledge or permission — will have to undergo training about privacy issues.
Employees of the Transportation Security Administration broke the spirit, but not the letter, of federal privacy laws, Nuala O’Connor Kelly, the chief privacy officer for the Department of Homeland Security, said Friday. She said fewer than six current employees were involved.
As a result of her internal investigation, Kelly concluded that the TSA didn’t violate the law because it never possessed the passenger data. But, she said, JetBlue wouldn’t have turned over the passenger information unless TSA had asked it to.
“TSA involvement was essential,” Kelly said in a briefing with reporters.
Willful violation of the Federal Privacy Act of 1974 is a misdemeanor and carries a civil fine of up to $5,000.
JetBlue gave the passenger records in September 2002 to Torch Concepts, a Defense Department contractor that used the information as part of a study seeking ways to predict who posed a risk to military installations.
The airline turned over to Torch more than 5 million records — including at least name, address, telephone number and some itinerary-related information — representing more than 1.5 million passengers, according to Kelly’s 10-page report on the investigation.
The report said Torch stripped the data of the passengers’ name and later destroyed the tests.
Worries about CAPPS II
Details of the study and JetBlue’s involvement were reported in September, prompting several class-action lawsuits, a complaint to the Federal Trade Commission, a separate investigation by the Defense Department’s inspector general and congressional inquiries.
But the revelation also aroused concerns about a government project to use personal information to assign threat levels to all airline passengers, called the Computer-Assisted Passenger Prescreening System, or CAPPS II.
Kelly concluded that testing CAPPS II wasn’t the reason for transferring the data, though the knowledge gained from testing it may have helped in developing the prescreening program.
Kelly also found no evidence that the TSA initiated the sharing of data from any other airline or other source for the Torch project.
Todd Burke, JetBlue spokesman, referred reporters to Homeland Security for comment, saying it’s “a government report about a government agency.”
Worries about loopholes
Privacy advocates had mixed reactions to Kelly’s findings.
The Electronic Privacy Information Center commended her for conducting the investigation, but said it revealed big holes in the legal fabric governing privacy.
“The report underscores the need for laws to regulate the transfer of information from private companies to companies acting as contractors for the government,” said Marcia Hofmann, EPIC’s staff counsel.
Barry Steinhardt, director of the American Civil Liberties Union’s technology and privacy program, was more critical. He said the public shouldn’t be asked to trust a government agency’s investigation of itself.
Steinhardt said Homeland Security had been stonewalling the ACLU’s effort to obtain documents about the JetBlue incident.
“If they had time to conduct the investigation, they should have time to get us the documents,” Steinhardt said.
Kelly also referred her report to Homeland Security’s inspector general to determine whether TSA employees had been acting outside the scope of the agency.
A spokeswoman for the inspector general said the office would review the report and possibly make recommendations.