The chairman of the U.S. Senate Governmental Affairs Committee has sent a letter of inquiry to Defense Secretary Donald Rumsfeld seeking to determine if the Dept. of Defense complied with Privacy Act requirements when an information-mining contractor working for the U.S. Army acquired the names, addresses, phone numbers, and itineraries of more than one million JetBlue passengers.
The contractor, Torch Concepts Inc. of Little Rock, Ark., then matched the personal information against information contained in private databases and reportedly presented the results at a public symposium.
The letter asks Rumsfeld to determine if the DOD followed Privacy Act regulations by, among other things, publishing a notice regarding the system of records being created by the contractor and preventing unauthorized disclosures.
“We support the development of effective new systems and technologies to protect homeland and national security, with appropriate safeguards regarding the privacy of personal information,” Sen. Susan Collins (R.-ME) wrote in a letter co-signed by ranking member Joe Lieberman (D.-CT) and Armed Services Committee ranking member Carl Levin (D.-MI). “At the same time, we note that many Americans have expressed concern that proposals for new data systems being considered may intrude too far on their personal privacy. This apparent misuse of JetBlue passenger information only adds to these concerns.”
A Pentagon spokesman has stated that Torch Concepts was performing work for the Army on how personal data could be used to improve security at defense bases. The Privacy Act makes agencies responsible for ensuring that contractors comply with the law’s terms when establishing a system of records on the agency’s behalf.
“We note that a spokesman for the Army reportedly asserted that the Army never had access to the passenger records collected by Torch Concepts, and that therefore it did not expect to find any privacy violations of its own,” the letter states. “However, the Privacy Act applies to contractors working for the federal government, and the Act’s criminal penalties apply to employees of the contractor as if they were employees of the federal government. The Defense Department has an affirmative obligation to ensure compliance by its contractor, and the contractor itself must be aware of its legal obligations as well. We question whether that has happened in this case.”
The Privacy Act also requires an agency to publish in the Federal Register a notice when it establishes a system of records. The notice must describe what information about individuals the system will contain, and it must describe how an individual can gain access to any information pertaining to him or her. The Act prohibits disclosure of the personal information, including disclosure to other agencies. The law also allows individuals to gain access to information pertaining to them and to correct errors.
“We are unaware of any Privacy Act notice published by the Department of Defense for this data-mining system. The absence of such a notice would suggest that the Department of Defense did not believe that it had to comply with the Privacy Act’s other provisions,” the letter further states. “In the absence of such public notice, there is less likelihood of public discussion and Congressional oversight concerning adequacy of privacy protections.”
The letter asks Rumsfeld to answer the following questions:
Last month, the Electronic Privacy Information Center (EPIC) filed a complaint with the Federal Trade Commission (FTC) claiming JetBlue Airways violated the FTC Act when it provided personal passenger data to Torch Concepts. EPIC alleges JetBlue’s actions were in violation of its own privacy policies.
The EPIC complaint alleges that JetBlue’s disclosures to Torch constitute a deceptive trade practice, and it seeks an injunction against the airline, fines and an order forcing JetBlue to disclose to its customers that their personal information was disclosed.