As first reported by Wired News, in September 2002 JetBlue released personal details – names, addresses and phone numbers – of over one million of its passengers to Torch Concepts so that the contractor could study its ability to assess the terrorist risk of passengers. The test involved checking the passenger information against other databases to which the contractor had access.
A data company called Acxiom provided the additional information – which included social security numbers and income levels – even though both Acxiom and JetBlue had visible privacy policies stating that personal information would not be given out to third parties.
Criticism of the data release has been widespread, and David Neeleman, CEO of JetBlue, has been replying personally to irate e-mails in an effort to salvage the company's reputation. Yesterday, JetBlue announced that it has retained Deloitte & Touche to assist in the analysis and continued development of its privacy policy. Neeleman said:
"The information given to Torch contained name, address and phone number, along with flight information, but absolutely no payment or credit card information."
He added:
"While this is a concern, we want to let our customers know that we are fully committed to their privacy and are working with the assistance of Deloitte & Touche to further develop our internal processes and procedures to address the protection of personally identifiable customer information."
But this has not been enough to appease outraged customers and privacy groups. On Monday, the Electronic Privacy Information Center (EPIC) filed a complaint with the Federal Trade Commission against JetBlue and Acxiom over the privacy violations.
EPIC has also requested the Federal Aviation Administration, the Army and the Transportation Security Administration (TSA) for additional information on the matter.
Monday also saw the filing of a class action lawsuit against the airline, as five named individuals sued the company for invasion of privacy, fraudulent misrepresentation and breach of contract, according to a report in the Washington Post.
JetBlue has now confirmed that it will not be a test airline nor has it ever shared customer information for the TSA's controversial Computer Assisted Passenger Pre-screening System programme – known as CAPPS II. The company said that it will not share this information unless required to by law. Neeleman said:
"We support the TSA and the important work they do to ensure the safety and security of all airline passengers but we decided not to be involved in CAPPS II testing given the unresolved issues regarding privacy protection."