Where will it end???
Confidential Passenger Data Used for Air Security Project
By Sara Kehaulani Goo
Washington Post Staff Writer
Saturday, January 17, 2004; 6:50 PM
Northwest Airlines provided information on millions of passengers for a secret U.S. government air security project soon after the Sept. 11th terrorist attacks, raising fresh concerns among some privacy advocates about the airlines' use of confidential consumer data.
The nation's fourth-largest carrier publicly asserted in September that it "did not provide that type of information to anyone." But Northwest acknowledged Friday it had already turned over three months of reservation data to the National Aeronautics and Space Administration's Ames Research Center by that point.
Northwest is the second carrier to have been identified as secretly passing travelers' records to the government. The airline industry has publicly said it would not cooperate in development of a new government computer passenger screening program because of concerns the project would infringe on customer privacy. But the participation of two airlines in separate programs underscores the industry's clandestine role in government security initiatives.
In September, JetBlue admitted that it turned over passenger records to a defense contractor and apologized to its customers for doing so. Northwest said in a statement Friday that it participated in the NASA program after the 2001 terrorist attacks to assist the government's search for technology to improve aviation security. "Northwest Airlines had a duty and an obligation to cooperate with the federal government for national security reasons," the airline said.
The carrier declined to say how many passengers' records were shared with NASA from the period offered, October to December 2001. More than 10.9 million passengers traveled on Northwest flights during that time, according to the Department of Transportation.
NASA documents show that NASA kept Northwest's so-called "passenger name records" until September 2003. Such records typically include passenger credit card numbers, addresses and telephone numbers.
NASA said it used the information to investigate whether "data mining" of the records could improve threat assessments of passengers, according to the agency's written responses to questions. At the time the agency also was exploring other possible projects aimed at improving air security, it said. NASA said no other airlines were involved in the project and that it did not share its data with other parties. The agency said it did not pay for the data.
The company said it did not inform any passengers that it shared data with NASA. It also said it did not believe that the data-sharing violated its privacy policy.
NASA officials did not seem concerned about potential privacy violations until last fall, when news about JetBlue's cooperation with the Pentagon surfaced.
In an e-mail written on Sept. 23, 2003 to Northwest's security manager, a NASA official indicated he wanted to return the airlines' passenger data, which was stored on CD-ROMs.
"As you probably have heard by now, our 'data mining for aviation security' project did not receive any FY2003 funds. My interpretation is that NASA management decided that they did not want to continue working with passenger data in order to avoid creating the appearance that we were violating people's privacy," wrote NASA engineer Mark Schwabacher to Northwest Airlines' security manager Jay Dombrowski. "You may have heard about the problems that JetBlue is now having after providing passenger data for a project similar to ours."
In its written responses, NASA said it terminated the program in late 2002 because data mining was not a "viable line of investigation."
The e-mail to Northwest included a link to a news report about the JetBlue matter.
On the same day as the NASA e-mail, news media quoted Northwest officials responding to the JetBlue incident. "We do not provide that type of information to anyone," Northwest spokesman Kurt Ebenhoch told the New York Times in a Sept. 23 article.
An article in the following day's St. Paul Pioneer Press reported, "Northwest Airlines will not share customer information, as JetBlue Airways has, Northwest CEO Richard Anderson said Tuesday in brief remarks after addressing the St. Paul Rotary."The Electronic Privacy Information Center said it originally filed a Freedom of Information Act request in 2002 with the Transportation Security Administration as part of an effort to obtain details of development of CAPPS II. Surprisingly, TSA responded to the request by providing NASA documents that indicated NASA was involved with the "data mining" system with Northwest Airlines. The CAPPS II system, scheduled to debut this summer, seeks to identify all U.S. passengers using commercial databases and then rate the security risk of each passenger as red, yellow or green.
The Electronic Privacy group and other privacy activists have argued for years that CAPPS II is being developed under strict secrecy and they believe that plans disclosed so far appear to violate personal privacy.
The organization said it plans to file a complaint about the Northwest incident this week with the Department of Transportation, which oversees the airline industry's compliance with "safe harbor" principles of guarding private consumer information. The group said it also plans to file suit against NASA in U.S. District Court in San Jose, Calif., this week, because the organization said the agency did not disclose enough information in the FOIA request.
The Electronic Privacy group seeks to know more about the NASA program, including whether the agency shared the information with other parties and whether any other airlines were involved.
"There doesn't seem to be a classic space exploration endeavor here," said Barry Steinhardt, director of the American Civil Liberties Union's technology and liberty program.
The TSA has said that it is developing CAPPS II as a means to better identify people who might be terrorists. But the program will also be used by law enforcement officials to identify and question suspected violent criminals.
Steinhardt said the Northwest incident, coupled with the JetBlue data sharing, provides Americans with one more reason to be wary about CAPPS II. "What this makes plain is that we cannot believe the assurances we've received that this passenger data will only be used for limited purposes," he said. "Inevitably, it will leak out for other uses."
. "Our privacy policy commits Northwest not to sell passenger information to third parties for marketing purposes," the company said in its statement Friday . "This situation was entirely different, as we were providing the data to a government agency to conduct scientific research related to aviation security and we were confident that the privacy of passenger information would be maintained."
The carrier tells passengers visiting its Web site that "when you reserve or purchase travel services through Northwest Airlines nwa.com Reservations, we provide only the relevant information required by the car rental agency, hotel, or other involved third party to ensure the successful fulfillment of your travel arrangements."
The disclosure of Northwest's participation with NASA comes just four months after JetBlue's admission of involvement in a secret security project conducted by the Pentagon. The airline conceded that it violated its own privacy policy when it turned over records of 1.1 million passengers and the carrier is now being sued by passengers in class action lawsuits.
The Northwest and NASA documents were released in response to a Freedom of Information Act request filed by the Electronic Privacy Information Center, a non-profit organization that advocates privacy rights and open government. The organization, which provided the documents to the Washington Post, said it plans to take legal action this week in an effort to force the government to disclose more information about NASA's secret security project and to investigate the airline's actions.
"We strongly believe aviation security programs should be developed publicly," said David L. Sobel, general counsel for the Electronic Privacy group. "While the airline in this case might have thought the action appropriate, the public at large sees it as a serious violation of personal privacy."
Northwest's data sharing might also have implications in Europe, where European Union officials have balked at providing European passenger data to the TSA as part of the agency's computer passenger screening program, known as CAPPS II. The European Union has said that turning over passenger records to TSA for the CAPPS II program would violate EU privacy laws.
Source: http://www.washingtonpost.com/wp-dyn/articles/A26037-2004Jan17.html
