JetBlue-v- Privacy (merged)


mr Q
20th Sep 2003, 21:46
New York Times carries a comprehensive report about the circumstances in which JetBlue shared its passenger data base with a research company working as a US Army contractor. An e-mail apology came from the company to those passengers who complained about privacy violation in respect of the illegal disclosure. Following is the text of this e-mail message sent by David Neeleman, the chief executive of JetBlue, to customers who complained after the airline provided this information about passengers to a Defense Department contractor involved in an antiterrorism project:

Thank you for writing to me so that I have an opportunity to apologize to you personally and set the record straight.


Most importantly, JetBlue has never supplied, nor will supply, customer information to the Transportation Security Administration, or any government agency, unless we are required to do so by law — not for CAPPS II or for any other purposes, whatsoever.

However, I regret that, more than a year ago, we responded to an exceptional request from the Department of Defense to assist their contractor, Torch Concepts, with a project regarding military base security. This project had no connection with aviation security or the CAPPS II program and no data files were ever shared with the Department of Defense or any other government agency or contractor.

We provided limited historical customer data including names, addresses and phone numbers. It DID NOT include personal financial information, credit card information, or Social Security numbers.

Torch further developed this information into a presentation, without JetBlue's knowledge, for a Department of Homeland Security symposium. We regret that this presentation included the personal information of one customer — although the customer's name was not used. Again, we had no knowledge of this presentation until two days ago and we were deeply dismayed to learn of it.

The sole set of data in Torch's possession has been destroyed; no government agency ever had access to it. With Torch's help, we are continuing to make every effort to have the Torch presentation with the one customer's information removed from the Internet.

This was a mistake on our part and I know you and many of our customers feel betrayed by it. We deeply regret that this happened and have taken steps to fix the situation and make sure that it never happens again.

I am saddened that we have shaken your faith in JetBlue but I assure you personally that we are committed to making this right.

Sincerely,

David Neeleman

Chief Executive Officer



(reproduced from NYT)

SaturnV
20th Sep 2003, 23:06
The story originally appeared in Wired magazine's daily Web-posted news on Thursday, and on Friday. It was picked up by the New York Times and Washington Post on Saturday. See links below for the sordid tale of what happened.

The email of apology sent to those who complained about what JetBlue had done only gets to half of what became of the passenger list. Once JetBlue had turned over the list of 5 million passengers and their itineraries to the Dept. of Defense's contractor, the contractor "purchased matching personal records [of the passengers] from Acxiom, one of the country's largest data-aggregation companies."

That information included incomes, occupations, vehicle ownership information, number of children and Social Security numbers.
The company then used the data to create profiles of groups of travelers, dividing them into three specific groups: young middle-income homeowners, older upper-income homeowners and a group of passengers with anomalous records, which the presentation attributes to "erroneous entry, fraud or mischief."
Mind you, the use of the passenger list had absolutely nothing to do with transportation security, but involved a proof of concept test of controlling access to US Army installations. Of course, the potential marketing value of such a passenger profile database is obvious.

The lawyers are now setting up a class action lawsuit, JetBlue said what it did violated its own privacy rules, the Department of the Army probably violated the law by creating a system of records that was illegally established, and the Department of Homeland Security is saying, "Thank God, we had nothing to do with this."

Thursday's Wired story.

http://www.wired.com/news/privacy/0,1848,60489,00.html

Friday's Wired story.

http://www.wired.com/news/politics/0,1283,60502,00.html

mr Q
21st Sep 2003, 16:06
Thanks for the full background and the original links Saturn V. What a sorry sordid mess. Notwithstanding the audible sighs of relief from the homeland security people in this situation it demonstrates that every human right and every privacy policy is in jeopardy at the hand of every petty bureaucrat trotting out the old line of if you are an innocent person you will have nothing to fear from this collection of data ...... and if you are not with us you must be against us....qed

newarksmells
22nd Sep 2003, 02:43
It came to light this past Friday, that Jetblue provided in excess of 5 million passenger records to a 3rd party government contractor called Torch in efforts to assist in the creation of the CAPPS II project. The actual number of passengers involved came to over 1 million names (Many people like myself travelled more than once). This is in direct contradiction of Jetblue's website which says passenger information will never be provided to any 3rd party agency or vendor.

It gets better: From there, Torch contacted with another 3rd party vendor to use data mining to obtain each customer's social security number as well as financial and family information.

Am I wrong here, and Jetblue has admitted and apologised for the screw-up, or did they really violate my rights of privacy and make me a target for identity theft? Sites on the Internet are only as good as their disclaimer and because the Internet is the only way you can buy Jetblue tickets, I think I've been taken for a ride. Am I paranoid or did Jetblue really give me the proverbial shaft by disclosing my personal information?

Newarksmells

Rollingthunder
22nd Sep 2003, 03:12
Jetblue has admitted and apologised for the screw-up

That's not a screw-up - that's someone's decision to do something. Sounds like a fine class-action suit you've got. 1 million possibles. You could sink an airline. If this is true, they are seriously stupid and perhaps deserve to be sued.

newarksmells
22nd Sep 2003, 03:22
Rollingthunder;

Bear in mind once Jetblue gave the info. to Torch Concepts, Torch provided it to ANOTHER vendor. Here's the link...

http://biz.yahoo.com/rb/030919/airlines_jetblue_2.html

Where's FlyingLawyer when you need him?

Thanks

Newark

Bluejet
22nd Sep 2003, 03:51
Now I see a posting with the title BlueJet -v- Privacy and have a panic attack only to discover that some tuppence ha'penny airline has almost nicked me name. Just to set the record straight I was BlueJet before they were JetBlue....although I am still stuck as to see what BlueJet -v- Privacy has got to do with JetBlue. I aint dun nuffink.

BlueJet :O

edited for spolling.

Rollingthunder
22nd Sep 2003, 03:54
Jetblue allegedly violated its own privacy policy. This took a specific decision by management. That would seem to be grounds for a case. Torch took this further - that might be grounds for another or a joint case.

JetBlue violated its own privacy policy, which says the airline will not provide information on its customers to ANY third party

This case would be tried in the US and FlyingLawyer might not be up on the jurisprudence in that venue.

411A
22nd Sep 2003, 13:43
A once promising airline now has very big problems, if someone wants to seek legal redress.

Would not want to be in management's shoes.

RRAAMJET
23rd Sep 2003, 00:46
You see, 411A, sometimes you do post sensibly, and it doesn't hurt....what a pleasant change....:ok: It's why I voted to keep you around, 'cos you do have something to add with your lengthy background...

I agree with you, JetBlue are in a mess with this one - a pile of NY's finest legal brains will be lined-up to get a piece of the only US airline pie that's worth anything....really a massive c*ck-up, and a shame. My friends that fly for them are concerned, to say the least.

Someone's going to have to fall on a sword, despite the "we're all in this together" claims by their spokesman.:ouch:

Maybe their popularity will see them wriggle out of this, but I'm not convinced - they'll have to pull some major stunts and favours. Let's face it - their GenY standard pax with backpack is not the major plaintiff here...it's going to be the Business traveller with his mistress (!) or whatever, that's going to be livid and calling his lawyer. Ooohh errr....:ooh:

Iron City
23rd Sep 2003, 21:42
A basic question is who Jetblue released the data to: The Army or the Army's contractor. If the data went to the Army who then gave it to the contractor (legally, not that a diskpack or tape or whatever literally was touched by the Army) then JetBlue is in much better shape legally because then the data was provided by the Army, not Jetblue to the bozos at Torch to do dumb things with.

JetBlue could cover itself then by saying that it was provided for national security to a government agency who received it and was obligated to protect it under the Privacy Act and Jetblue has a signed document to that effect. This isn't quite as good as actually living up to the privacy policy, but it does give a bit of a fig leaf. Question on the privacy policy of Jetblue is whether the policy is a contractual agreement or whether it is just something they say like "new, improved, less filling, tastes great, etc..." that really doesn't mean anything.

This will be much more fun to watch than to participate in.

newarksmells
24th Sep 2003, 05:42
They provided it to a Government Vendor...who then in turn provided it to another vendor to extract all the personal information... credit card info, bank accounts, family history, social security numbers, marital status etc. From there, the info. was returned to the initial vendor that Jetblue gave the info. to.

The first (I think of many) lawsuit(s) was filed today in Utah under deceptive trade practises and violation of privacy laws.

Newark

SaturnV
24th Sep 2003, 17:30
The law suit filed in Utah seeks compensatory damages for both five named JetBlue passengers, and unnamed others in a class action. No filing for punitive damages yet.

Wired magazine said the contractor did turn over data to the US Army. The latest from Wired:

http://www.wired.com/news/privacy/0,1848,60540,00.

According to the New York Times and numerous other newspapers, two Federal government agencies are now investigating the turnover of the passenger database. An excerpt from the New York Times:
The Department of Homeland Security, which assumed responsibility for airport and airline security earlier this year, said it would try to determine if any government officials violated federal privacy laws in helping coordinate the passenger-screening study conducted by Torch Concepts.

The department's chief privacy officer, Nuala O'Connor Kelly, who is conducting the inquiry, said in a telephone interview that "this is an issue that concerns me and concerns the department — there was no notice to citizens or consumers about the use of their data and the sharing of data."

The Federal Trade Commission said that its investigation was prompted by a complaint filed today by a privacy rights organization, the Electronic Privacy Information Center in Washington, that urged the commission to bring civil charges against JetBlue for violating its own corporate privacy rules.
JetBlue asserts it turned over the passenger database for free.

Questions will surely be raised about: 1.) whether the contractor promised to provide a copy of the refined database to JetBlue, e.g., such as by telling the airline who among their passengers were high-income individuals; 2.) why was the database retained by the contractor after its analyses were done, and only apparently and hurriedly destroyed after the story of its existence got out; 3.) how many of the passengers were categorized as security threats because of incongruities in their profiled data, and what, if any, future use was to be made of the list of those so categorized.

With 1.1 million passengers, and about 5 million itineraries in the database, damages, let's say of $100 a passenger or itinerary, could prove to be rather expensive.

Iron City
24th Sep 2003, 22:21
My point in asking whether JetBlue released the data to the Army or the company is that if the Army touched it or provided it as government furnished data to the company then Jetblue is pretty much in the clear.

From reading the Wired article from last Friday Torch was called a subcontractor to another company that has a contract with the Army missile defense people. Under U.S. federal government contract law (which is very different from the commercial code) subcontractor has a very special meaning. If Torch is indeed a subcontractor then the provisions of the prime contract should flow down to their contract and the Army has a degree of control and visibility and responsibility for what they are doing (if they are paying attention). CONVERSELY, if Torch is a vendor to the prime contractor the prime contract provisions do not flow down and the Army has no privity of contract with Torch and nothing to do with the direct management of the contract. In this case if the Army has no privity of contract neither Torch nor Jetblue have the big Army green deep pockets involved. And if that is true then whoever was getting Jetblue to release the data was telling at least some little white fibs if not downright lying through their teeth and Torch and Jetblue will hang for it. Maybe.