Senators Want More Info on JetBlue Data Disclosures

The chairman of the U.S. Senate Governmental Affairs Committee has sent a letter of inquiry to Defense Secretary Donald Rumsfeld seeking to determine if the Dept. of Defense complied with Privacy Act requirements when an information-mining contractor working for the U.S. Army acquired the names, addresses, phone numbers, and itineraries of more than one million JetBlue passengers.

The contractor, Torch Concepts Inc. of Little Rock, Ark., then matched the personal information against information contained in private databases and reportedly presented the results at a public symposium.

The letter asks Rumsfeld to determine if the DOD followed Privacy Act regulations by, among other things, publishing a notice regarding the system of records being created by the contractor and preventing unauthorized disclosures.

“We support the development of effective new systems and technologies to protect homeland and national security, with appropriate safeguards regarding the privacy of personal information,” Sen. Susan Collins (R.-ME) wrote in a letter co-signed by ranking member Joe Lieberman (D.-CT) and Armed Services Committee ranking member Carl Levin (D.-MI). “At the same time, we note that many Americans have expressed concern that proposals for new data systems being considered may intrude too far on their personal privacy. This apparent misuse of JetBlue passenger information only adds to these concerns.”

A Pentagon spokesman has stated that Torch Concepts was performing work for the Army on how personal data could be used to improve security at defense bases. The Privacy Act makes agencies responsible for ensuring that contractors comply with the law’s terms when establishing a system of records on the agency’s behalf.

“We note that a spokesman for the Army reportedly asserted that the Army never had access to the passenger records collected by Torch Concepts, and that therefore it did not expect to find any privacy violations of its own,” the letter states. “However, the Privacy Act applies to contractors working for the federal government, and the Act’s criminal penalties apply to employees of the contractor as if they were employees of the federal government. The Defense Department has an affirmative obligation to ensure compliance by its contractor, and the contractor itself must be aware of its legal obligations as well. We question whether that has happened in this case.”

The Privacy Act also requires an agency to publish in the Federal Register a notice when it establishes a system of records. The notice must describe what information about individuals the system will contain, and it must describe how an individual can gain access to any information pertaining to him or her. The Act prohibits disclosure of the personal information, including disclosure to other agencies. The law also allows individuals to gain access to information pertaining to them and to correct errors.

“We are unaware of any Privacy Act notice published by the Department of Defense for this data-mining system. The absence of such a notice would suggest that the Department of Defense did not believe that it had to comply with the Privacy Act’s other provisions,” the letter further states. “In the absence of such public notice, there is less likelihood of public discussion and Congressional oversight concerning adequacy of privacy protections.”

The letter requests Rumsfeld to answer the following questions:

  • What was the nature of the U.S. Army’s contract with Torch Concepts? What specific tasks was the contractor expected to perform? What was the contract’s budget and duration, and what have been the expenditures under the contract to date?
  • Why did Torch Concepts, pursuant to its contract, collect passenger information from JetBlue Airways? It has been reported that the contractor collected personal information on more than one million passengers. Are these reports accurate? Please provide a detailed description of the information collection by Torch Concepts.
  • Did Torch Concepts, pursuant to its contract, create a system of records as defined by the Privacy Act of 1974? If you contend that no system of records was created, please explain your answer.
  • Did the Department of Defense comply with the following Privacy Act requirements? Please explain each answer:
  • Did it publish a Privacy Act notice in the Federal Register for the system of records that Torch Concepts created?
  • Did it allow individuals to gain access to information pertaining to them?
  • According to news reports, Torch Concepts disclosed passenger information at a public conference; it appears that the presentation may later have been posted on a public website. Did the Department of Defense or its contractor disclose personal information to any other person or entity, including another federal agency? If so, describe the circumstances in which the information was disclosed, and whether the disclosures complied with federal law.
  • Did the Department of Defense ensure that the information maintained in the system of records was timely, accurate, and relevant? If so, how?
  • Representatives of JetBlue and Torch Concepts have asserted that the passenger information was destroyed soon after news of the program was disclosed by the press. What steps were taken to ensure that the destruction of these records complied with the Privacy Act, the Federal Records Act, or other applicable laws?
  • The Chief Privacy Officer at the Department of Homeland Security (DHS) is investigating whether DHS violated the Privacy Act through its participation in this program. What is the Department of Defense doing to investigate the possibility that Torch Concepts and the Army violated the Privacy Act? Will you request an independent investigation by the Department of Defense Inspector General?

  • Last month, The Electronic Privacy Information Center (EPIC) filed a complaint with the Federal Trade Commission (FTC) claiming JetBlue Airways violated the FTC Act when it provided personal passenger data to Torch Concepts. EPIC alleges JetBlue’s actions were in violation of its own privacy policies.

    JetBlue does not deny the allegations but says it provided the information at the request of the Department of Defense. JetBlue’s privacy policy as stated on its website is not to disclose personal passenger information to third parties.

    The EPIC complaint alleges JetBlue’s disclosures to Torch constitute a deceptive trade practice and is seeking an injunction against the airline, fines and an order forcing JetBlue to disclose to its customers that their personal information was disclosed.

    News Around the Web