In September 2002, at the request of the Transportation Security Administration (TSA), JetBlue released personal details – names, addresses and phone numbers – of over one million of its passengers to contractor Torch Concepts so that the contractor could study its ability to assess the terrorist risk of passengers.
The test involved checking the passenger information against other databases to which the contractor had access.
A data company called Acxiom provided the additional information – which included social security numbers and income levels – even though both Acxiom and JetBlue had visible privacy policies stating that personal information would not be given out to third parties.
In September last year, customers of the airline filed a class action against the company over the alleged breach of privacy, while civil liberties group the Electronic Privacy Information Center (EPIC) filed a complaint with the Federal Trade Commission against JetBlue and Acxiom.
The US Army ordered its own investigation into the affair, looking for violations of the US Privacy Act. This Act is designed to ensure that there are no secret government systems for gathering personal data, and that any data collected is restricted to that which is strictly necessary.
The Act also requires that individuals can see what information is kept about them, and can challenge the accuracy of that information; that personal data collected for one purpose cannot then be used for another purpose without consent; and that if any data is disclosed the individuals involved will be able to find out to whom, when and why it was disclosed.
The Army's inspector general has now published a report exonerating the contractor from any privacy breaches.
Torch, states the report, did not breach the US Privacy Act because it did not maintain a system of records that is covered by the Act. In effect the contractor did not actually retrieve individual files from the database "by name or by any other identifying particular at any time in the course of the study."
Torch simply sorted passengers into separate risk groups by looking at aspects of the data, such as age and income.
The report was actually published in June, but not made widely available. Wired News was able to obtain a censored copy after making a Freedom of Information request.
In a statement, Senator Patrick Leahy, who has seen the full report, criticised the Army finding. According to Wired News he said, "Neither the Army nor its subcontractor considered informing customers that their data would be used".