ACLU Letter to the FTC Regarding JetBlue's Unauthorized Release of Passenger Data

Timothy Muris
Chairman
Federal Trade Commission
600 Pennsylvania Avenue
Washington, DC 20580

Dear Chairman Muris:

We are writing in regard to the violation of Federal trade laws that involves the privacy of more than a million JetBlue Airways passengers.

JetBlue has admitted that it released 5 million customer personal information files to a contractor of the United States Department of Defense (DoD), Torch Concepts. These files apparently contained details about some 1.1 million JetBlue passengers, including names, addresses and phone numbers. JetBlue supposedly released the information in response to an “”exceptional request”” from the DoD to assist Torch Concepts in a project to improve military base security.

Torch Concepts used this information for analysis and combined the information with data acquired from the Acxiom Corporation. Under this scheme, Acxiom allegedly provided further information regarding JetBlue’s customers, including Social Security Numbers, income levels, vehicle ownership and income levels. The results of this analysis were presented at a Department of Homeland Security symposium earlier this year. Among other things, the presentation divulged personal information about a particular JetBlue passenger, including that person’s Social Security Number. The document, entitled “”Homeland Security: Airline Passenger Risk Assessment,”” was later posted on the Internet and could be freely downloaded.

It is unclear at this point what precise internal rules JetBlue followed in handling its customers’ personal information (during the time that the transfer took place). However, JetBlue’s privacy statement (which is posted on the company’s website) includes the following language (as of September 23, 2003):

“JetBlue Airways has created this privacy statement in order to demonstrate our firm commitment to privacy. ? Our optional site’s registration form requires users to give us contact information (like their name and email address) and demographic information (like their zip code). We use customer contact information from the registration form to send the user updates and offers from JetBlue. ? The financial and personal information collected on this site is not shared with third parties, and is protected by secure servers. ? This site has security measures in place to protect against the loss, misuse and alteration of the information under our control.”

The statement goes on to state:

“”It is the policy of JetBlue Airways:

1. NOT to seek to collect online contact information from children without prior parental consent or parental notification.

2. NOT to seek to collect personally identifiable offline contact information from children.

3. NOT to distribute to third parties any personally identifiable information with out prior parental consent.

4. NOT to give the ability to publicly post or otherwise distribute personally identifiable contact information without prior parental consent.””

A copy of this policy is enclosed with this letter. Indeed, after the data transfer came to light, a JetBlue spokesperson reportedly boasted that his company had “”the strongest privacy policy in the industry, which clearly says that we don’t supply customer data to third parties.””

Based on these facts, and JetBlue’s stated promises, we believe that JetBlue’s actions do indeed constitute unfair trade practices in violation of section 5 of the FTC Act, 15 U.S.C. § 45 (a), which prohibits unfair or deceptive acts or practices in or affecting commerce. JetBlue had led its customers to believe that their personal information would be protected. Its apparently willful dissemination of that information was made without their knowledge or consent. By divulging their information, JetBlue’s actions have caused them substantial injury, and are likely to cause substantial injury to them in the future-injuries that they cannot reasonably avoid and are not outweighed by countervailing benefits to them or competition.

These events set a dangerous precedent. JetBlue had a duty of care and a duty under the Federal Trade laws to protect the privacy of the consumers who used its services. If this breach of duty goes unnoticed, it would raise the possibility not only that JetBlue will continue to injure consumers and harm the public interest, but that other companies will be encouraged to engage in similarly unfair and deceptive practices, and the privacy interests of the millions of airline passengers will be significantly diminished.

It is our understanding that the Commission has begun an investigation into this matter. We would like to make two requests with regard to the Commission’s efforts to remedy JetBlue’s trade law violation:

1. We request that you make the results of this investigation public. The privacy of airline passengers is now a matter of paramount public concern. This concern has been heightened in recent months by revelations over the Computer Assisted Passenger Prescreening System II (CAPPS II), which bears a strong resemblance to Torch Concepts’ collection and analysis of JetBlue passenger information. It is imperative that the public know what happened during this incident (including the extent to which individual privacy was violated), in order to ensure proper redress and to allow the public to make properly informed decisions concerning their privacy in the future.

2. We further request that, as a part of the settlement agreement for this incident, the FTC require and verify the complete destruction of the JetBlue passenger data that was transferred. As long as the data remains available, the temptation to use it for privacy-invasive purposes will persist; the destruction of that data would go long way toward prevent fresh abuses and restore public confidence.

Thank you for your time and consideration.

Sincerely,

Christopher T. Chiu
Technology Policy Analyst

Barry Steinhardt
Director, Technology & Liberty Program

To find out more about JetBlue’s unauthorized release of their passenger’s private data, please visit our JetBlue feature page.