An Army data-mining project that searched through JetBlue's passenger records and sensitive personal information from a data broker to pinpoint possible terrorists did not violate federal privacy law, according to an investigation by the Army's inspector general.
The inspector general's findings (PDF) were accepted by some, but critics say the report simply highlights the inability of the country's privacy laws to cope with 21st-century anti-terrorism efforts.
News of the Army project came to light in September 2003 when JetBlue admitted it had violated its privacy policy by turning over 5.1 million passenger records to Torch Concepts, an Alabama-based defense contractor.
Torch subsequently enhanced the JetBlue data with information about passengers' salaries, family size and Social Security numbers that it purchased from Acxiom, one of the country's largest data aggregators.
The Army says it was testing the data-mining technology as part of a plan to screen visitors to Army bases.
JetBlue, which turned over the data at the request of the Transportation Security Administration, was the first airline fingered for secretly sharing data with the government. But it is now known that six of the 10 largest airlines, along with two of the largest airline reservation centers, also did so.
The inspector general found Torch did not violate the Privacy Act, which prohibits government officials from creating secret databases that track information about American citizens by name and Social Security number. The report said the company didn't violate the law because no one looked up any passenger by name and its algorithm simply sifted through the data using factors such as home ownership, age and income in order to sort passengers into risk groups.
"The evidence indicated that Torch neither created nor maintained a system of records as defined by the Privacy Act of 1974," the report said. "There was no evidence that Torch retrieved individual records from the databases ... by name or by any other identifying particular at any time in the course of the study."
The report did find, however, that Torch violated the conditions of its subcontract by presenting the study's findings at a conference in April 2003, which later led to the public disclosure of the project.
The Army did not publicly release the June 21 report, though it provided copies to some senators in July and Wired News later obtained a heavily redacted version through a Freedom of Information Act request.
The committee's chairwoman, Sen. Susan Collins (R-Maine), said she was "pleased to learn that there was no Privacy Act violation," but added she would continue to "closely monitor any further attempts by the government to obtain passenger data to ensure that the process ... complies with privacy laws and is sensitive to Americans' privacy interests."
However, Sen. Patrick Leahy (D-Vermont), who independently asked the Pentagon to investigate the Torch matter, sounded annoyed by the Army investigation's technical reading of the law.
"Neither the Army nor its subcontractor considered informing customers that their data would be used," Leahy said in a written statement. "TSA failed to identify the privacy policy and privacy impact on individuals. Yet both the Army and TSA were able to report that they technically did not violate the letter of the Privacy Act of 1974 because the personal data was collected from private sources and was never in the hands of the government," he said.
Leahy compared the Army's findings to those of Department of Homeland Security chief privacy officer Nuala O'Connor Kelly, whose February report (PDF) said TSA employees violated of the spirit of the Privacy Act by asking JetBlue to provide data.
Ari Schwartz, associate director of the Center for Democracy and Technology, thinks the report makes faulty assumptions about how Torch worked with the data and feels that the law was broken.
"They worked through all the holes in the definition of a system of records because this is a 2000 database with a 1970s regulation," he said. Schwartz said the definition of "system of records" needs to updated to include any database that contains sensitive information about individuals, not simply those in which records are retrieved by looking up a name or Social Security number.
Using the Army's definition, a system like the proposed Total Information Awareness system could search for patterns of terrorist activities within massive amounts of data and output the names and activities of suspected terrorists without needing to tell the public about the existence of the database, so long as analysts never search through records using anyone's name.
The report also indicates that the Army's ultimate goal was to use Torch's technology to predict future terrorist attacks. In 2002, the Army authorized Torch to access Los Alamos laboratory databases and counter-intelligence databases housed in the FBI, although it is unclear whether the company did so.
Even though the Army report concerns information revealed nine months ago and the government has since shelved plans for a new passenger profiling system because of privacy concerns, the report remains germane to ongoing debates about the balance between security and civil liberties, according to Schwartz.
"You look at the 9/11 commission report and there is all this stuff in there about transportation screening and there's another section on civil liberties and at some point, you have to map those two together to build a system that takes civil liberties into account." Schwartz said. "But if the response is completely 'We are going to do whatever we can to route around privacy laws,' you are going to end up with a lack of trust in the government to do their job, as well as in the companies who are asked to turn over data."
Leahy concurs that report's technical reading of the law highlights the challenges the government will face in trying to implement recommendations from the 9/11 commission.
"Effective information sharing and analysis can enhance our security capabilities," Leahy said. "As the 9/11 report recommended, we need to develop those capabilities, but it should not be done without due consideration for individual privacy.
Leahy said the government and private sectors need to be upfront with the public about the type of personal information that will be shared and tested, and about what protections are in place to protect privacy, prevent identity theft, ensure accuracy and protect civil liberties.
The Army report will not be the last word on the propriety of airline data transfers to the government as both the DHS' inspector general and its chief privacy officer, O'Connor Kelly, are currently probing the TSA's use of airline passenger data for its own projects.
20040824
Army: JetBlue Data Use Was Legal
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment