A Travel and vacations forum. TravelBanter


Northwest confesses sharing passenger data with.....NASA?



 
 
  #1  
Old January 18th, 2004, 07:52 PM
Dick Locke
external usenet poster
 
Posts: n/a
Default Northwest confesses sharing passenger data with.....NASA?

http://tinyurl.com/3d2oe

From the Washington Post.

NW denied it twice (including once by the CEO) but the ACLU dug out
the info using a Freedom of Information Act action.

" "There doesn't seem to be a classic space exploration endeavor
here," said Barry Steinhardt, director of the American Civil Liberties
Union."

Maybe NASA is unaware of the broad definition of "aliens."

More lies, more lying liars.
  #2  
Old January 18th, 2004, 10:40 PM
colin.
external usenet poster
 
Posts: n/a
Default Northwest confesses sharing passenger data with.....NASA?


"Dick Locke" wrote in message
news | http://tinyurl.com/3d2oe
|
| From the Washington Post.


http://slashdot.org/article.pl?sid=0...tid=158&tid=99


  #3  
Old January 19th, 2004, 02:21 AM
Edward Hasbrouck
external usenet poster
 
Posts: n/a
Default Northwest confesses sharing passenger data with.....NASA?

for links to reference and background, see:
http://hasbrouck.org/blog/archives/000114.html

====

NORTHWEST AIRLINES GAVE NASA MILLIONS OF PNR'S

In late 2001, as several airlines and private contractors were
using archived Passenger Name Records to test new concepts for
profiling of airline passengers, Northwest Airlines (NW) gave
CD's containing PNR's for perhaps 10 million or more NW
passengers to the USA National Aeronautics and Space
Administration for testing of airline passenger profiling
concepts.

NASA's request for NW passenger data had been known of for more
than a year: it was revealed in documents obtained by the
Electronic Privacy Information Center (EPIC) under the Freedom of
Information Act, and had been mentioned in the New York Times in
2002 and in much more detail in the Washington Times, NASA
sought airline records (27 September 2003).

But it hadn't been known whether NW had acceded to the NASA
request, until EPIC obtained another batch of documents from NASA
last month, in response to further FOIA requests. Those documents
were revealed in today's Washington Post along with a response
from NW; there are responses from NASA in today's San Jose
Mercury News and New York Times (free registration and cookie
acceptance required).

NASA requested system-wide Northwest Airlines passenger data from
July, August and September 2001. According to the Post, NW said
it actually provided data for October through December 2001,
which if system-wide would include PNR's for more than 10 million
passengers. Neither the documents posted by EPIC nor the comments
from NW in the Post make clear whether the NASA request was
granted in whole or only in part.

"System-wide" NW data would include flights operated by Northwest
to and from Amsterdam and other points in the European Union, and
flights not touching the USA operated by KLM Royal Dutch Airlines
(KL, part owner of NW) with NW code-share flight numbers within
the EU and between the EU and other parts of the world. And even
domestic NW flights within the USA include many flights with KL
code-share flight numbers.

So it's highly likely that the data given to NASA, even if it was
less than "system-wide", included passengers on flights sold
under the label of an EU airline. And it's certain that, even if
it excluded international or code-share flights, the data given
to NASA included large volumes collected in, and transferred
from, the EU, Canada, and other countries.

Unlike jetBlue Airways, which has no "interline" agreements, NW
has interline ticketing agreements permitting more than 100 other
airlines around the world, and their appointed agents, to issue
tickets including NW flights. And like most other airlines (but
again unlike jetBlue) NW outsources hosting of its reservation
database to one of the big 4 computerized reservation system
(CRS's), in NW's case the Worldspan CRS.

Through Worldspan and the network of travel reservation systems,
other airlines, other travel services providers (hotels, car
rental companies, tour operators, etc.), other CRS's, and tens of
thousands of travel agents can create and/or enter data in PNR's
that include NW flights. All those companies -- but especially KL
and Worldspan -- are now at risk of consumer litigation and
regulatory enforcement actions in various countries. They'll have
to choose between joining with NW in trying to defend against
those claims, or joining with consumers to pursue their own
claims against NW for violating their customers' privacy.

NW, KL, Worldspan, and other travel companies are likely to face
especially severe scrutiny and legal liability in the EU. An
agreement with the USA on transfers of passenger data was
proposed by the European Commission in December, just before the
European Parliament and most other EU bodies recessed for the
holidays. Consideration of a working document on "Transfer of
data on trans-Atlantic flights: situation concerning negotiations
with the USA" is on the agenda this week when Parliament's
Committee on Citizens' Freedoms and Rights, Justice and Home
Affairs returns from the recess for meetings scheduled in
Brussels all day Wednesday and Thursday, 21-21 January 2004, to
start its new session. Presumably, the latest revelations about
NW -- and their implications for KL, Worldspan, and other travel
companies based or doing business in the EU -- will be on the
table too.

EU authorities need to ask if when KL passes reservation data
collected in the EU to NW in the USA -- or when any travel agency
or tour operator in the EU collects passenger data and passes it
to an airline or CRS in the USA -- there are agreements and
oversight mechanisms in place to ensure the protection of
passengers' privacy under EU laws.

The fact is that there are rarely any such protections. When I
talked with aviation consultant Bob Mann about the passenger
profiling tests he helped conduct in 2001 (more on those below),
he said that, (1) no one involved with the tests had ever raised
a question about privacy -- Airline Automation, Inc. was
considered to own the data and assumed they could use it for
anything they liked, which is true with respect to USA law, and
(2) it never occurred to him or anyone else that EU laws or any
other countries' laws could apply to PNR's from flights within
the USA.

While the jetBlue and now Northwest scandals have been the most
widely publicized, they aren't the only cases since 2001 in which
real data from real airline reservations has subsequently been
used -- without the knowledge or consent of the passengers -- for
testing of passenger profiling systems.

In 2001, Airline Automation, Inc., a company which provides PNR
data-mining services to several airlines, under agreements which
permit it to retain the PNR data for later uses of its own, ran
more than 5 million PNR's from its archives, originally obtained
from multiple airlines, through an experimental system designed
to test the prospects for identification of terrorists. Those
experiments became public when they were described in detail by
Bob Mann in a report (see page 23) by the Reason Public Policy
Institute in May 2003, and further reported on my Web site a few
days later based on my interviews with Mr. Mann.

(A report in the Wall Street Journal, 25 October 2001, entitled,
"Nation's airlines adopt aggressive measures for passenger
profiling", said that, "Airline Automation Inc. ... uses
reservation and ticket data to draw up marketing profiles of
passengers for more than a dozen airlines clients, including
Delta Air Lines, Alaska Airlines, Continental Airlines and
American. Airline Automation's records may be the closest thing
there is to a national database of airline passengers.")

In mid-2002, four teams competing for the prime "CAPPS-II"
contract were awarded smaller "proof of concept" contracts to
test their systems. Each received several million real PNR's from
multiple airlines -- undoubtedly including data collected in the
EU and other countries -- which they used in their tests. In at
least one of those cases, reported last year first on my Web site
and some months later in the London Times, those PNR's came --
either directly or by way of the USA Department of Transportation
-- from the PNR archives of the Sabre CRS.

There's no telling how many more cases like these there may have
been, or how many other companies you've never dealt with
directly, or even heard of, may have received your travel
records.

Nonconsensual "sharing" of customer data within the industry, and
with government agencies, is the rule, not the exception, in the
travel industry.

Regulatory authorities and the public in the EU have, until now,
focused their attention on transfers of passenger data to the
government of the USA. But the larger and more routine violations
of EU data protection laws and the EU CRS regulations occur when
travel data collected in the EU is transferred -- without the
privacy safeguards required by EU law -- to commercial entities
in the USA, including USA-based airlines and CRS's. These
violations of EU privacy law are flagrant, large-scale,
long-standing, and ongoing.

Unlike the EU, the USA has no general data privacy law, and the
piecemeal approach to privacy protection in the USA through
industry-specific privacy laws (primarily for financial and
medical data) hasn't yet been extended to travel data.

What's needed, as I've argued in my analysis of CAPPS-II, is
either a comprehensive federal data privacy law on the Canadian,
EU, and general international model, or a Federal travel privacy
law giving at least as much protection to travel reservation
records as is currently provided for financial and medical
data.

The first question many people have been asking about the
Northwest scandal is, "Isn't that illegal?" Unfortunately, the
problem isn't that NW broke the law -- which would present a
relatively straightforward enforcement problem -- but that NW's
abuse of most customers' privacy may not have broken any USA
law.

EPIC announced today that they plan to file a complaint with the
USA Department of Transportation "alleging that Northwest's
disclosure constitutes an unfair and deceptive trade practice".
And numerous consumer class-action lawsuits are likely to be
brought against NW, as they have (thus far only in preliminary
stages of litigation) against jetBlue.

Unfortunately, NW's privacy policy only applies to data collected
through the NWA.com Web site. Like most airlines and CRS's, NW
has no privacy policy whatsoever regarding the vast majority of
reservations made through travel agencies or tour operators, over
the phone, in person at NW ticket counters, or through airlines
with which NW has interline agreements.

The primary problem this episode reveals is not the need for
enforcement of existing USA law, but the need for new USA federal
law and enforcement of EU and other countries' laws until the USA
brings its privacy protection legislation into line with
international human rights norms.

The NASA and NW documents obtained by EPIC show that NASA
returned the original CD's on which NW had provided the PNR data.
But the documents don't show, and neither NASA nor NW has yet
said, whether NASA has any controls in place to be able to tell
if NASA retained copies of all or part of the data, or with whom
it might have been "shared" while NASA had it.

Travellers whose privacy may have been compromised are unlikely
to get the answers to any of these questions without a
full-fledged Congressional investigation, including public
hearings, on protection, sharing, and privacy practices and
policies for travel reservation data.

There have been persistent calls for a Congressional
investigation of the jetBlue Airways privacy scandal, and the
sharing of the entire jetBlue PNR database with a U.S. military
subcontractor. Both the Army and the Chief Privacy Officer of the
Department of Homeland Security promised to investigate their
department's roles in the jetBlue scandal, but no reports have
yet been made public. Written questions from members of Congress
about the jetBlue scandal, CAPPS-II, and government use of PNR's
haven't received even courtesy replies from the TSA, DHS, and
DOD.

The latest revelations about NW reinforce a pattern of unconcern
for privacy, breach of public promises, and widespread
unauthorized dissemination of sensitive passenger data, both
within the travel industry and between industry and government.
Clearly the problem, and the need for Congressional scrutiny and
action, extends beyond these few well-publicized scandals.

What can be done?

Write to Congress -- today.

Tell them you want:

(1) A Congressional investigation of privacy practices throughout
the travel industry;

(2) Public Congressional hearings;

(3) Termination of CAPPS-II and any other government programs to
mandate collection of data on travellers or turn that data over to
the government; and

(4) A Federal travel data privacy law.

----------------
Edward Hasbrouck

http://hasbrouck.org

"The Practical Nomad Guide to the Online Travel Marketplace"
"The Practical Nomad: How to Travel Around the World"



  #4  
Old January 19th, 2004, 03:52 AM
Dick Locke
external usenet poster
 
Posts: n/a
Default Northwest confesses sharing passenger data with.....NASA?

On Sun, 18 Jan 2004 19:52:02 GMT, Dick Locke
wrote:

http://tinyurl.com/3d2


Hmm, the tinyurl seems to be coming up with a Dell page I saw earlier.

Here's the right one, I hope.

http://tinyurl.com/32lbj

Lucky I didn't post one with my credit card. PS, NEW Dell 2.4GHzP4,
80GB, 128Meg Dram, for $349, CDRW, free shipping, ends at 11 tonight
in some US time zone.
 



