A Federal judge has ruled that JetBlue Airways violated its privacy policy by selling data on its passengers to a contracting company, but dismissed a lawsuit because passengers could not prove that damages resulted from the information sale, or that JetBlue "unjustly enriched itself" from collecting or selling the data.
Judge Carol Bagley Amon, ruling for the U.S. District Court in New York City, stated that when TorchConcepts, a contractor working for the Transportation Security Administration (TSA) and the Department of Homeland Security purchased data on JetBlue passengers who flew on or prior to September 2002, "the only benefit JetBlue derived was 'the potential for increased safety on its flights and the potential to prevent the use of commercial airlines as weapons that target military bases.'"
Amon granted the defendants' request to dismiss the lawsuit due to her ruling that the sale did not violate Federal privacy laws. The plaintiffs had filed a class action lawsuit against JetBlue and its partners for selling their information without their permission.
The TSA requested that JetBlue provide data on its passengers in July of 2002 in order to test "predictive screening" programs that could ferret out potential terrorist activity.
The JetBlue data, including names, addresses, and flight itineraries, was combined with information from Acxiom, a fellow government contractor and one of the largest information brokers in the business.
The Acxiom data included "passenger demographics" such as length of time at a residence, income level, gender, etc. In its report on the findings, TorchConcepts found that the JetBlue data was "very limited" and could not create a predictive model without the additional passenger demographics information Acxiom provided, but that most "known airline terrorists" did not match the profiles of JetBlue passengers, and if a "more comprehensive ... database were available, it is expected that analysis could identify and characterize all normal travel patterns."
Although the Army initially downplayed the results of the study, the TSA later admitted the data was being used for CAPPS II, the controversial airline passenger screening program that was shut down in 2003 until the General Accounting Office (GAO) could provide a full study of the program's impact on passenger privacy.
The GAO has since found similar flaws in "Secure Flight," the TSA's proposed program to replace CAPPS II. The GAO issued a report in July 2005 which found the TSA in violation of the Privacy Act for allowing another TSA contractor to collect millions of records containing individual Americans' personal data.
TorchConcepts has since reorganized itself as TorchTechnologies and Acxiom continues to be a prime contractor in providing "augmented" personal data for the "Secure Flight" program.
As for JetBlue itself, the airline is moving ahead with plans to introduce a new fleet of 100-seat Embraer 190 regional jets to compete with established carriers on short-haul routes.
Privacy advocates and lawyers alike continue to oppose "Secure Flight" for being, in the words of cybersecurity expert Bruce Schneier, "a rogue program that is operating in flagrant disregard for the law."
