If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
More on jetBlue, CAPPS-II, and Total Information Awareness
Last Monday, I broke the story on my Web site, in my newsletter, to
the Infotec-Travel e-mail list, and in the "rec.travel.air" Usenet newsgroup that 5 million jetBlue Airways passenger name records (PNR's) were provided to a USA government subcontractor apparently working on the CAPPS-II airline passenger profiling system: http://hasbrouck.org/articles/travelprivacy.html By Thursday, the story was picked up by Wired.com, properly acknowledging me as the original source. By Saturday, it was on the front page of the New York Times, and in newspapers around the world, although the Times and most of the other stories incorrectly attributed the original source to Wired.com, rather than to my Practical Nomad Web site. JetBlue has apologized (sort of), but there's much more to the story: Neither jetBlue, nor the USA government, nor the contractor has yet come clean about what was really going on, much less taken any action to keep this sort of invasion of travellers' privacy from happening again. So what really happened? And what should be done about it? In September 2002, 5 million jetBlue Airways PNR's (reservation records) were provided to "Torch Concepts, Inc.", at the request of the Transportation Security Administration, for development and testing of systems for "Homeland Security - Airline Passenger Risk Assessment". JetBlue Airways and the TSA admitted this much, but only after first denying it, and only when confronted with a conference presentation by Torch Concepts about their use of jetBlue Airways reservation data. (The report was removed from the conference Web site 3 days after I revealed its existence, but public-spirited volunteers have made copies available from several mirror sites, despite demands from Torch Concepts' lawyers for its complete suppression.) The conference presentation describes how the individual jetBlue reservations were combined into a profile of each passenger's travel pattern (they hoped eventually to be able to have "lifetime" travel data), and matched with Social Security Numbers, income and other financial records, past and present residence addresses, and other personal data purchased from Axciom, a data aggregation and warehousing firm. Based on all this, travellers were classified according to how "suspicious" their records and travel patterns appeared to be. That's exactly what CAPPS-II would do. And according to the presentation, in July 2002 Torch Concepts was "given assurance that we would receive the .... data base being used by CAPPS II contractors." According to my sources, CAPPS-II contractors were also receiving PNR's from other airlines, mainly through computerized reservations systems (CRS's). But the TSA and jetBlue both claim the jetBlue reservations were provided for a "threat identification" subcontract that had nothing to do with CAPPS-II. and that was funded by Department of Defense, not the TSA. What might that contract have been? A press release on the Torch Concepts Web site, dated 8 May 2002, "Torch Concepts, Inc. Wins Contract To Develop Technologies To Identify Terrorist Threats", says, "This effort will be performed under a subcontract to SRS Technologies ("SRS")." That sentence was removed from the Torch Concepts Web site this past Friday, presumably to avoid having the use of jetBlue reservation data, and the involvement of the TSA, linked to SRS Technologies. Who is SRS Technologies? According to a 19 April 2002 news release, "SRS Technologies was recently selected as the single prime contractor to support DARPA's Information Awareness Office." DARPA (the Defense Advanced Research Projects Agency), and its Information Awareness Office, is a branch of the Department of Defense. But in describing the Torch Concepts subcontract to the sole prime Total Information Awareness (later renamed Terrorism Information Awareness) contractor as simply "a Department of Defense subcontract", jetBlue and the TSA are telling substantially less than the whole truth. I'm not yet convinced that we should believe jetBlue Airways and the TSA, given the explicit indication in the Torch Concepts presentation that they believed that the same data, and more (probably involving other airlines as well), had been provided to CAPPS-II contractors. But even if they are to be believed, and the jetBlue reservation data was used in a study by the Department of Defense under a Total Information Awareness subcontract, rather than by the TSA or its predecessor DOT under a CAPPS-II contract (despite the TSA and DOT meetings with the subcontractor), the implication is that the real story is one or more of the following: 1. The Total Information Awareness Office was actively researching and testing the ways that travel reservations, obtained through CAPPS-II, could be used for other purposes as part of the TIA program. (I think this is the most likely scenario.) 2. The government concealed the real costs of CAPPS-II by funding parts of the CAPPS-II research, development, and testing through DARPA's Information Awareness Office rather than through the TSA, hiding part of the real CAPPS-II budget in the much larger TIA budget. (Quite possible, given the resistance of the TSA to releasing any data on the total costs of CAPPS-II.) 3. All parties to the scandal (the TSA, jetBlue Airways, Torch Concepts, SRS Technologies, and DARPA's Information Awareness Office), are trying to avoid evade public scrutiny of the relationship of CAPPS-II and airline passenger reservation data to the discredited Total Information Awareness program, as evidenced by the removal from the press release, just days after I revealed the scandal, of the key reference to the source of the Torch Concepts subcontract as being SRS Technologies, the sole prime TIA contractor. Should we be "reassured" that our travel records might "only" have been used to test how useful reservations obtained through CAPPS-II could be to the Total Information Awareness program, and/or other military programs, and not necessarily for CAPPS-II tests funded by the TSA? I don't think so, and I don't think many of my fellow jetBlue passengers will think so either. Whatever turns out to have happened with the jetBlue Airways data, the most important lesson in this scandal may be that even travel companies with the best privacy policies have virtually no control over who gets access to their passenger data once it is passed on to third parties. At Airtreks.com, where I work, our policy is never to disclose information about our customers unless legally compelled to do so (which, fortunately, has never happened in our 15 years of operations). But if airlines, or the CRS's that host most airline databases, choose to rape our customers' privacy by turning their travel records over to government agencies or private data warehouses, we probably couldn't stop them even if we knew about it (which, as with jetBlue, we probably wouldn't). Travelers, of course, know even less, and have no control at all over how, with whom, or for what purposes data about them is "shared" or used. I can't imagine clearer evidence of the need for Federal legislation to give travelers the control most people think they should have, and probably expect that they already have a right to have, over their personal travel records -- whether in private, corporate, or government hands. There's still time this week for the public (that's you, folks) to file comments with the TSA and the Department of Homeland Security on the latest CAPPS-II proposal. Send your comments to " by 30 September 2003, with "docket number DHS/TSA-2003-1" in the subject line of the e-mail message. If you need ideas for what to say, see my summary, "What's Wrong With CAPPS-II?", at: http://hasbrouck.org/aerticles/CAPPS-II.html You can also tell Congress to exercise its oversight authority to block CAPPS-II, but that's not enough to solve the underlying problem. Congress really ought to enact a comprehensive consumer privacy law (perhaps modelled on the successful Canadian example) requiring fair information practices in the handling of personal information -- including travel records -- by both government agencies and private companies. Even if it doesn't go that far, tell Congress to at least hold hearings on privacy practices and the ways personal information is used and "shared" in the travel industry (including the jetBlue privacy scandal), and to pass a law to give travel data as least as much protection as is currently given to medical and financial data, and to give travelers in the USA the same privacy protections as travelers in Canada or the European Union. And if jetBlue Airways *really* wants to make amends for breaking its privacy promises to its customers, it should be the first airline to step up and endorse such legislation, and to start lobbying other airlines, and the CRS's that host their reservation databases, to do likewise. I'm not holding my breath for Congress, but I'll keep following the story. Bon voyage! Edward Hasbrouck P.S. The producers of the reality-TV show about travel around the world, "The Amazing Race", are now accepting applications for the cast of a fifth season, to be filmed in January 2004 and broadcast in spring or summer. You can apply at http://www.cbs.com/primetime/amazing_race5; all my weekly columns on the lessons for real-world travellers of the previous four seasons are archived at http://hasbrouck.org/amazingrace ---------------- Edward Hasbrouck http://hasbrouck.org "The Practical Nomad Guide to the Online Travel Marketplace" "The Practical Nomad: How to Travel Around the World" http://www.practicalnomad.com |
#2
|
|||
|
|||
More on jetBlue, CAPPS-II, and Total Information Awareness
On Mon, 22 Sep 2003 08:02:48 GMT, Edward Hasbrouck
wrote: Last Monday, I broke the story on my Web site, in my newsletter, to the Infotec-Travel e-mail list, and in the "rec.travel.air" Usenet newsgroup that 5 million jetBlue Airways passenger name records (PNR's) were provided to a USA government subcontractor apparently working on the CAPPS-II airline passenger profiling system: http://hasbrouck.org/articles/travelprivacy.html [snip] But the TSA and jetBlue both claim the jetBlue reservations were provided for a "threat identification" subcontract that had nothing to do with CAPPS-II. and that was funded by Department of Defense, not the TSA. What might that contract have been? A press release on the Torch Concepts Web site, dated 8 May 2002, "Torch Concepts, Inc. Wins Contract To Develop Technologies To Identify Terrorist Threats": ... If anyone is interested: http://www.torchconcepts.com "Leaders in Content Management and Information Mining" http://www.torchconcepts.com/news/release-9.htm ... says, "This effort will be performed under a subcontract to SRS Technologies ("SRS")." That sentence was removed from the Torch Concepts Web site this past Friday, presumably to avoid having the use of jetBlue reservation data, and the involvement of the TSA, linked to SRS Technologies. Using the "wayback machine" http://web.archive.org/collections/web.html to look for an earlier version: Not found Who is SRS Technologies? Directory of Corporate Affiliations: [SRS Technologies is a] Provider of Defense Electronics Research & Development; Systems Engineering & Technical Support; Software Development. SRS Technologies 1800 Quail St., Suite 101 Newport Beach, CA 92660-2301 http://www.srs.com M.S. Sandhu - CEO James N. Allburn - Pres & COO Bob Conroy - VP & Gen Mgr Bob Murrel - VP & Gen Mgr Hal Pastrick - VP & Gen Mgr Revenue: $72 Million / year Employees: 477 SRS Information Services (Subsidiary) http://www.srs.com/prof_divisions.asp#SRS-IS General Manager: T. Trase Travers 6305 Ivy Ln., Suite T20 Greenbelt, MD 20770-1465 Revenue: $15 Million / year Employees: 110 SRS Technologies / ASI Division (Branch) [Formerly ASI Systems International of Orange, CA, which itself was formerly Armament Systems, Inc. of Anaheim, CA - ASI was purchased by SRS in 1999] http://www.srs.com/asi General Manager: Jim Whatley 838 North Eglin Pkwy., Suite 202 Fort Walton Beach, FL 32547 Revenue: $12.7 / Million year Employees: 87 SRS Technologies / System Development Division - SDD (Branch) http://www.srs.com/systemsafety/sdd General Manager: Robert Murrel 1800 Quail St., Suite 101 Newport Center, CA 92660 Revenue: $9.2 Million / year Employees: 59 SRS Technologies / System Technology Group - STG (Branch) http://www.stg.srs.com General Manager: Dr. Harold Pastrick 500 Discovery Dr. Huntsville, AL 35806 Revenue: $14.3 Million / year Employees: 91 SRS Technologies / Washington Group-WG (Branch) http://www.wg.srs.com General Manager: Charles Heber 1401 Wilson Blvd., Suite 1200 Arlington, VA 22209 Revenue: $31.2 Million / year Employees: 200 ... According to a 19 April 2002 news release, "SRS Technologies was recently selected as the single prime contractor to support DARPA's Information Awareness Office." The Press Release is on SRS' Web site: http://www.srs.com/news_archive.asp DARPA IAO Awards SRS Technologies Prime Support Contract April 19, 2002: SRS Technologies was recently selected as the single prime contractor to support DARPA's Information Awareness Office. We are excited and proud to be supporting this group, and their initiatives in the development of technologies and systems to "counter asymmetric threats by achieving total information awareness useful for preemption and security warning & decision-making." [snip] Based on my knowledge of the company, I would not be inclined to ascribe sinister intent to *their* actions. [Disclaimer: not an employee of SRS or its subsidiaries/branches, nor of any of the other companies listed here. Just an interested observer] |
#3
|
|||
|
|||
More on jetBlue, CAPPS-II, and Total Information Awareness
So, Ed, who made money on this deal? I guess the government (us, you
and I) paid Torch Concepts. Who else got paid? Did Jet Blue give the information away ("Hello, Mr. Blue, this is Mr. Torch, I wonder if you could help me out on a little project I have going here...") or were they paid? ("Hello, Mr. Blue, this is Mr. Torch, I've got this great govenment contract worth a bucket of money, but it's really too big for me to handle alone, would you be interested...") |
#4
|
|||
|
|||
More on jetBlue, CAPPS-II, and Total Information Awareness
On Tue, 23 Sep 2003 03:05:54 -0400 (EDT), Greg Johnson
wrote: So, Ed, who made money on this deal? I guess the government (us, you and I) paid Torch Concepts. Who else got paid? (1) Acxiom was paid for their services on the project (we don't yet know if they also got to keep the data). (2) The prime contractor, SRS Technologies (prime contractor to the DARPA Information Awareness Office) might have been paid something to administer the subcontract to Torch. Did Jet Blue give the information away So they claim. I don't think we will *really* know what happened without a Congressional investigation, and maybe not even then. ---------------- Edward Hasbrouck http://hasbrouck.org http;//hasbrouck.org/articles/travelprivacy.html "The Practical Nomad Guide to the Online Travel Marketplace" "The Practical Nomad: How to Travel Around the World" |
Thread Tools | |
Display Modes | |
|
|