Saturday, June 26, 2004

More CAPPS II Privacy Violations Revealed

by Jim Malmberg

Washington, DC – David Stone, the acting head of the Transportation Security Administration (TSA), revealed in Congressional testimony that three additional airlines and two of the four largest reservation systems in the US provided passenger data to the TSA for CAPPS II testing. This revelation comes in the wake of a variety of false statements by TSA officials that these data transfers had been limited to three airlines: JetBlue, American and Delta.

Stone told Congress that Continental, America West, Frontier, Sabre and Galileo had also provided data. Sabre and Galileo are passenger reservation systems. Their participation is particularly troubling because these two systems handle a large percentage of the airline reservations made in the United States. As a result, simply making a reservation could have triggered a data transfer to the TSA, even if the airline that was being booked was not cooperating with them.

Another troubling aspect of the reservation systems’ participation is the fact that these systems are often marketed under other names. For instance, Sabre actually powers Travelocity’s reservation system. Because of this, many passengers may think that their data was not provided to the government when in fact it was.

Galileo, on the other hand, is a Cendant company. This gives them a tremendous amount of power in the travel industry. Cendant owns a number of hotel chains and rental car companies. They are also in the process of building a huge data center for the government, in conjunction with CAPPS II, which will assign the traveling public a Cendant Security Number (CSN).

This CSN will be attached to everyone’s travel profile. Profiles will include everything about the travel habits of American consumers and their Social Security Numbers. Cendant plans to scrub their data with other lists. This will allow them to include data on any associations that consumers belong to (AARP, VFW, etc.), credit card and driver’s license numbers, home ownership status, occupation, and just about anything else that anyone might want to know. Cendant plans to use this database for commercial purposes other than CAPPS II. Cendant clearly has conflicting interests here.

Stone’s remarks may open a Pandora’s Box for the TSA. According to Nuala O’Connor Kelly, the head of privacy for the Department of Homeland Security, the TSA’s actions are a violation of The Privacy Act, which makes it illegal for the government to establish secret databases on American citizens. Furthermore, the TSA has previously denied the participation of airlines outside of JetBlue, American and Delta, even though the TSA was aware that it was being investigated by the Congressional Budget Office for potential privacy abuses in conjunction with CAPPS II.

In November of last year, Stone’s predecessor, Admiral James Loy, gave sworn written testimony to the Senate that the TSA had not used any real passenger records in its testing of the CAPPS II system. Clearly, he perjured himself.

As a result of these numerous violations of the Privacy Act, certain TSA officials may face criminal charges or other disciplinary action. For violating their own privacy policies, the airlines involved will likely find themselves the subject of class action lawsuits. JetBlue has already been pulled into court.

The outcome of the airlines’ actions is far from certain. In a related civil case, last week a judge in California threw out a lawsuit that was brought against Northwest Airlines. Northwest had transferred passenger data to NASA shortly after the attacks on the World Trade Center. The data was used for a prototype passenger screening system.

In transferring the data, Northwest clearly violated their privacy policy. U.S. District Court Judge Paul Magnuson, who presided over the case, issued a ruling which read in part, "Although Northwest had a privacy policy for information included on the Web site, plaintiffs do not contend that they actually read the privacy policy prior to providing Northwest with their personal information,…". Based on this lack of reading, his ruling states "Thus, plaintiffs' expectation of privacy was low."

If Magnuson’s ruling is allowed to stand, it has sweeping implications. It would mean that any privacy policy, even those associated with credit cards, is unenforceable unless the person suing actually read the policy thoroughly, prior to furnishing information. This would effectively render all privacy policies useless for consumer protection.