More on jetBlue, CAPPS-II, and Total Information Awareness

Last Monday, I broke the story on my Web site, in my newsletter, to
the Infotec-Travel e-mail list, and in the "rec.travel.air" Usenet
newsgroup that 5 million jetBlue Airways passenger name records (PNR's)
were provided to a USA government subcontractor apparently working on
the CAPPS-II airline passenger profiling system:

http://hasbrouck.org/articles/travelprivacy.html

By Thursday, the story was picked up by Wired.com, properly acknowledging
me as the original source. By Saturday, it was on the front page of the
New York Times, and in newspapers around the world, although the Times and
most of the other stories incorrectly attributed the original source to
Wired.com, rather than to my Practical Nomad Web site.

JetBlue has apologized (sort of), but there's much more to the story:

Neither jetBlue, nor the USA government, nor the contractor has yet come
clean about what was really going on, much less taken any action to keep
this sort of invasion of travellers' privacy from happening again.

So what really happened? And what should be done about it?

In September 2002, 5 million jetBlue Airways PNR's (reservation records)
were provided to "Torch Concepts, Inc.", at the request of the
Transportation Security Administration, for development and testing of
systems for "Homeland Security - Airline Passenger Risk Assessment".

JetBlue Airways and the TSA admitted this much, but only after first
denying it, and only when confronted with a conference presentation by
Torch Concepts about their use of jetBlue Airways reservation data. (The
report was removed from the conference Web site 3 days after I revealed
its existence, but public-spirited volunteers have made copies available
from several mirror sites, despite demands from Torch Concepts' lawyers
for its complete suppression.) The conference presentation describes how
the individual jetBlue reservations were combined into a profile of each
passenger's travel pattern (they hoped eventually to be able to have
"lifetime" travel data), and matched with Social Security Numbers, income
and other financial records, past and present residence addresses, and
other personal data purchased from Axciom, a data aggregation and
warehousing firm. Based on all this, travellers were classified according
to how "suspicious" their records and travel patterns appeared to be.

That's exactly what CAPPS-II would do. And according to the presentation,
in July 2002 Torch Concepts was "given assurance that we would receive the
.... data base being used by CAPPS II contractors." According to my
sources, CAPPS-II contractors were also receiving PNR's from other
airlines, mainly through computerized reservations systems (CRS's).

But the TSA and jetBlue both claim the jetBlue reservations were provided
for a "threat identification" subcontract that had nothing to do with
CAPPS-II. and that was funded by Department of Defense, not the TSA.

What might that contract have been? A press release on the Torch Concepts
Web site, dated 8 May 2002, "Torch Concepts, Inc. Wins Contract To Develop
Technologies To Identify Terrorist Threats", says, "This effort will be
performed under a subcontract to SRS Technologies ("SRS")." That sentence
was removed from the Torch Concepts Web site this past Friday, presumably
to avoid having the use of jetBlue reservation data, and the involvement
of the TSA, linked to SRS Technologies.

Who is SRS Technologies? According to a 19 April 2002 news release, "SRS
Technologies was recently selected as the single prime contractor to
support DARPA's Information Awareness Office."

DARPA (the Defense Advanced Research Projects Agency), and its Information
Awareness Office, is a branch of the Department of Defense. But in
describing the Torch Concepts subcontract to the sole prime Total
Information Awareness (later renamed Terrorism Information Awareness)
contractor as simply "a Department of Defense subcontract", jetBlue and
the TSA are telling substantially less than the whole truth.

I'm not yet convinced that we should believe jetBlue Airways and the TSA,
given the explicit indication in the Torch Concepts presentation that they
believed that the same data, and more (probably involving other airlines
as well), had been provided to CAPPS-II contractors. But even if they are
to be believed, and the jetBlue reservation data was used in a study by
the Department of Defense under a Total Information Awareness subcontract,
rather than by the TSA or its predecessor DOT under a CAPPS-II contract
(despite the TSA and DOT meetings with the subcontractor), the implication
is that the real story is one or more of the following:

1. The Total Information Awareness Office was actively researching and
testing the ways that travel reservations, obtained through CAPPS-II,
could be used for other purposes as part of the TIA program. (I think this
is the most likely scenario.)

2. The government concealed the real costs of CAPPS-II by funding parts
of the CAPPS-II research, development, and testing through DARPA's
Information Awareness Office rather than through the TSA, hiding part of
the real CAPPS-II budget in the much larger TIA budget. (Quite possible,
given the resistance of the TSA to releasing any data on the total costs
of CAPPS-II.)

3. All parties to the scandal (the TSA, jetBlue Airways, Torch Concepts,
SRS Technologies, and DARPA's Information Awareness Office), are trying to
avoid evade public scrutiny of the relationship of CAPPS-II and airline
passenger reservation data to the discredited Total Information Awareness
program, as evidenced by the removal from the press release, just days
after I revealed the scandal, of the key reference to the source of the
Torch Concepts subcontract as being SRS Technologies, the sole prime TIA
contractor.

Should we be "reassured" that our travel records might "only" have been
used to test how useful reservations obtained through CAPPS-II could be to
the Total Information Awareness program, and/or other military programs,
and not necessarily for CAPPS-II tests funded by the TSA? I don't think
so, and I don't think many of my fellow jetBlue passengers will think so
either.

Whatever turns out to have happened with the jetBlue Airways data, the
most important lesson in this scandal may be that even travel companies
with the best privacy policies have virtually no control over who gets
access to their passenger data once it is passed on to third parties. At
Airtreks.com, where I work, our policy is never to disclose information
about our customers unless legally compelled to do so (which, fortunately,
has never happened in our 15 years of operations). But if airlines, or
the CRS's that host most airline databases, choose to rape our customers'
privacy by turning their travel records over to government agencies or
private data warehouses, we probably couldn't stop them even if we knew
about it (which, as with jetBlue, we probably wouldn't).

Travelers, of course, know even less, and have no control at all over how,
with whom, or for what purposes data about them is "shared" or used. I
can't imagine clearer evidence of the need for Federal legislation to give
travelers the control most people think they should have, and probably
expect that they already have a right to have, over their personal travel
records -- whether in private, corporate, or government hands.

There's still time this week for the public (that's you, folks) to file
comments with the TSA and the Department of Homeland Security on the
latest CAPPS-II proposal. Send your comments to " by 30
September 2003, with "docket number DHS/TSA-2003-1" in the subject line of
the e-mail message. If you need ideas for what to say, see my summary,
"What's Wrong With CAPPS-II?", at:

http://hasbrouck.org/aerticles/CAPPS-II.html

You can also tell Congress to exercise its oversight authority to block
CAPPS-II, but that's not enough to solve the underlying problem.

Congress really ought to enact a comprehensive consumer privacy law
(perhaps modelled on the successful Canadian example) requiring fair
information practices in the handling of personal information -- including
travel records -- by both government agencies and private companies.

Even if it doesn't go that far, tell Congress to at least hold hearings on
privacy practices and the ways personal information is used and "shared"
in the travel industry (including the jetBlue privacy scandal), and to
pass a law to give travel data as least as much protection as is currently
given to medical and financial data, and to give travelers in the USA the
same privacy protections as travelers in Canada or the European Union.

And if jetBlue Airways *really* wants to make amends for breaking its
privacy promises to its customers, it should be the first airline to step
up and endorse such legislation, and to start lobbying other airlines, and
the CRS's that host their reservation databases, to do likewise.

I'm not holding my breath for Congress, but I'll keep following the
story.

Bon voyage!

Edward Hasbrouck

P.S. The producers of the reality-TV show about travel around the world,
"The Amazing Race", are now accepting applications for the cast of a fifth
season, to be filmed in January 2004 and broadcast in spring or summer.
You can apply at http://www.cbs.com/primetime/amazing_race5; all my
weekly columns on the lessons for real-world travellers of the previous
four seasons are archived at http://hasbrouck.org/amazingrace

----------------
Edward Hasbrouck

http://hasbrouck.org

"The Practical Nomad Guide to the Online Travel Marketplace"
"The Practical Nomad: How to Travel Around the World"
http://www.practicalnomad.com

On Mon, 22 Sep 2003 08:02:48 GMT, Edward Hasbrouck
wrote:

Last Monday, I broke the story on my Web site, in my newsletter, to
the Infotec-Travel e-mail list, and in the "rec.travel.air" Usenet
newsgroup that 5 million jetBlue Airways passenger name records (PNR's)
were provided to a USA government subcontractor apparently working on
the CAPPS-II airline passenger profiling system:

http://hasbrouck.org/articles/travelprivacy.html
[snip]

But the TSA and jetBlue both claim the jetBlue reservations were provided
for a "threat identification" subcontract that had nothing to do with
CAPPS-II. and that was funded by Department of Defense, not the TSA.

What might that contract have been? A press release on the Torch Concepts
Web site, dated 8 May 2002, "Torch Concepts, Inc. Wins Contract To Develop
Technologies To Identify Terrorist Threats": ...

If anyone is interested:
http://www.torchconcepts.com
"Leaders in Content Management and Information Mining"
http://www.torchconcepts.com/news/release-9.htm

... says, "This effort will be
performed under a subcontract to SRS Technologies ("SRS")." That sentence
was removed from the Torch Concepts Web site this past Friday, presumably
to avoid having the use of jetBlue reservation data, and the involvement
of the TSA, linked to SRS Technologies.

Using the "wayback machine"
http://web.archive.org/collections/web.html to look for an earlier
version:
Not found

Who is SRS Technologies?

Directory of Corporate Affiliations:
[SRS Technologies is a] Provider of Defense Electronics Research &
Development; Systems Engineering & Technical Support; Software
Development.

SRS Technologies
1800 Quail St., Suite 101
Newport Beach, CA 92660-2301
http://www.srs.com
M.S. Sandhu - CEO
James N. Allburn - Pres & COO
Bob Conroy - VP & Gen Mgr
Bob Murrel - VP & Gen Mgr
Hal Pastrick - VP & Gen Mgr
Revenue: $72 Million / year
Employees: 477

SRS Information Services (Subsidiary)
http://www.srs.com/prof_divisions.asp#SRS-IS
General Manager: T. Trase Travers
6305 Ivy Ln., Suite T20
Greenbelt, MD 20770-1465
Revenue: $15 Million / year
Employees: 110

SRS Technologies / ASI Division (Branch)
[Formerly ASI Systems International of Orange, CA, which itself was
formerly Armament Systems, Inc. of Anaheim, CA - ASI was purchased by
SRS in 1999]
http://www.srs.com/asi
General Manager: Jim Whatley
838 North Eglin Pkwy., Suite 202
Fort Walton Beach, FL 32547
Revenue: $12.7 / Million year
Employees: 87

SRS Technologies / System Development Division - SDD (Branch)
http://www.srs.com/systemsafety/sdd
General Manager: Robert Murrel
1800 Quail St., Suite 101
Newport Center, CA 92660
Revenue: $9.2 Million / year
Employees: 59

SRS Technologies / System Technology Group - STG (Branch)
http://www.stg.srs.com
General Manager: Dr. Harold Pastrick
500 Discovery Dr.
Huntsville, AL 35806
Revenue: $14.3 Million / year
Employees: 91

SRS Technologies / Washington Group-WG (Branch)
http://www.wg.srs.com
General Manager: Charles Heber
1401 Wilson Blvd., Suite 1200
Arlington, VA 22209
Revenue: $31.2 Million / year
Employees: 200

... According to a 19 April 2002 news release, "SRS
Technologies was recently selected as the single prime contractor to
support DARPA's Information Awareness Office."

The Press Release is on SRS' Web site:
http://www.srs.com/news_archive.asp
DARPA IAO Awards SRS Technologies Prime Support Contract

April 19, 2002: SRS Technologies was recently selected as the single
prime contractor to support DARPA's Information Awareness Office. We
are excited and proud to be supporting this group, and their
initiatives in the development of technologies and systems to "counter
asymmetric threats by achieving total information awareness useful for
preemption and security warning & decision-making."

[snip]

Based on my knowledge of the company, I would not be inclined to
ascribe sinister intent to *their* actions.

[Disclaimer: not an employee of SRS or its subsidiaries/branches, nor
of any of the other companies listed here. Just an interested
observer]

So, Ed, who made money on this deal? I guess the government (us, you
and I) paid Torch Concepts. Who else got paid? Did Jet Blue give the
information away ("Hello, Mr. Blue, this is Mr. Torch, I wonder if you
could help me out on a little project I have going here...") or were
they paid? ("Hello, Mr. Blue, this is Mr. Torch, I've got this great
govenment contract worth a bucket of money, but it's really too big for
me to handle alone, would you be interested...")

On Tue, 23 Sep 2003 03:05:54 -0400 (EDT), Greg Johnson
wrote:

So, Ed, who made money on this deal? I guess the government (us, you
and I) paid Torch Concepts. Who else got paid?

(1) Acxiom was paid for their services on the project
(we don't yet know if they also got to keep the data).

(2) The prime contractor, SRS Technologies (prime contractor
to the DARPA Information Awareness Office) might have been
paid something to administer the subcontract to Torch.

Did Jet Blue give the information away

So they claim.

I don't think we will *really* know what happened without
a Congressional investigation, and maybe not even then.

----------------
Edward Hasbrouck

http://hasbrouck.org
http;//hasbrouck.org/articles/travelprivacy.html

"The Practical Nomad Guide to the Online Travel Marketplace"
"The Practical Nomad: How to Travel Around the World"