Airline Claims "Duty And Obligation"
Caught in an apparent
-- how should we put this... misstatement -- Northwest Airlines now
admits that it provided passenger data to NASA in the wake of the
September 11, 2001, attacks on New York and Washington.
"We do not provide that type of information to anyone,"
Northwest spokesman Kurt Ebenhoch told the New York Times on
September 23. But records obtained by the Electronic Privacy
Information Center under the Freedom of Information Act
indicate otherwise.
The records involved usually include passengers' credit card
numbers, addresses and telephone numbers. The government requested
the information to see whether "data mining" might improve efforts
to keep terrorists off airplanes.
"Our privacy policy commits Northwest not to sell passenger
information to third parties for marketing purposes," the airline
said in its statement to the Post. "This situation was entirely
different, as we were providing the data to a government agency to
conduct scientific research related to aviation security and we
were confident that the privacy of passenger information would be
maintained."
It's the same sort of
situation, however, that got JetBlue sued by passengers in a
class-action lawsuit. Already, the Electronic Privacy Information
Center says it plans legal action against US Airways.
The Electronic Privacy Information Center's Statement
Documents obtained by the Electronic Privacy Information Center
(EPIC) reveal that Northwest Airlines, in clear violation of its
stated privacy policy, provided the National Aeronautics and Space
Administration (NASA) with personal data about millions of its
passengers. The federal agency retained the information for almost
two years, and returned it to the airline only after the public
outcry that followed the revelation that JetBlue Airways had made
similar disclosures of passenger data.
NASA documents released to EPIC under the Freedom of Information
Act (FOIA) show that agency officials met with Northwest
representatives in December 2001 to discuss NASA research,
including passenger screening technology. Soon thereafter, NASA
asked Northwest for "system-wide Northwest Airlines passenger data
from July, August and September 2001" to be used in NASA's
"research and development work." In September 2003, NASA returned
to Northwest the CDs on which the passenger records were provided.
A NASA researcher noted in an e-mail message to the airline that,
"you may have heard about the problems that JetBlue is now having
after providing passenger data for a project similar to ours."
The massive disclosure, which likely involved information about
more than 10 million Northwest passengers, clearly violated the
privacy policy posted on the airline's website. That policy assures
passengers that they will be in "complete control of . . . the use
of information [they] provide to Northwest Airlines." The airline
further assures customers that it has "put in place safeguards to .
. . prevent unauthorized access or disclosure" of the information
it collects.
While it is unclear how
NASA may have used the passenger information, the data formed the
basis of NASA research contained in a published study. The agency
continues to withhold an unspecified number of documents detailing
its receipt and use of the personal data.
This week, EPIC will file suit against NASA to seek release of
the withheld material. EPIC will also file a complaint with the
Department of Transportation alleging that Northwest's disclosure
constitutes an unfair and deceptive trade practice, and requesting
a formal investigation.
"The airline industry has been at the center of several recent
privacy controversies," said EPIC General Counsel David L. Sobel.
"The improper disclosures of personal data all involve government
efforts to 'screen' passengers for security risks. The security
benefits of these efforts are questionable, and there is a great
deal of skepticism within Congress and the general public." Noting
the controversy that has surrounded the development of the
Transportation Security Administration's CAPPS II screening
project, Sobel added that, "These systems must be debated and
designed openly. We've seen too many backdoor transfers of personal
information that seek to avoid justifiable public opposition."
Northwest's disclosure is likely to fuel concerns about
passenger data privacy that have long been expressed by the
European Union. According to EPIC Staff Counsel Marcia Hofmann,
"The Department of Transportation has previously assured the EU
that airline privacy practices would be closely monitored. DOT's
response to the complaint we will submit this week will be the
first test of those assurances."
The recently obtained NASA documents are the result of EPIC's
ongoing use of the FOIA to examine aviation security initiatives
and associated privacy issues. Earlier requests and litigation
forced the release of information detailing problems with TSA's
"no-fly" list and the early role of John Poindexter's now-defunct
Information Awareness Office in the development of the CAPPS II
program.
Northwest's Statement Issued Sunday Night
In the aftermath of the September 11, 2001 tragedy, NASA had
discussions with Northwest Airlines' Security Department regarding
a NASA research study to improve aviation security. In
December 2001, NASA requested that Northwest's Security Department
provide it with passenger name record data from the period July,
August, and September 2001 for NASA's exclusive use in its research
study. Northwest Airlines agreed to provide that data.
On September 23, 2003, after a speech to the St. Paul (MN)
Rotary Club, Richard Anderson, Northwest Airlines chief executive
officer, responded to a reporter's question regarding JetBlue
Airway's release of passenger data to a private contractor. He
said, 'Northwest Airlines will not share customer information, as
JetBlue Airways has.'
At the time Mr. Anderson answered this question, he had no
knowledge of the Northwest Security Department's provision of
passenger data for the NASA research study.
On the previous day, a Northwest spokesperson was asked
questions on the same topic. When the spokesperson answered those
questions, he also had no knowledge of the Security Department's
role in the NASA study.
On September 26 2003, Northwest Airlines CEO was advised of the
Security Department's provision of passenger data to NASA.
The NASA research study has been discontinued and the passenger
data has been returned to Northwest Airlines.
Northwest believes that it was appropriate to provide data
directly to NASA for a research study designed to improve aviation
security. In the immediate aftermath of September 11, 2001, the
federal government was searching for technological solutions to
improve aviation security and it was the responsibility of the
airline industry to cooperate with these efforts.
By providing the passenger name record data directly to NASA, a
federal agency with its own strict privacy protections, Northwest
acted appropriately and consistent with its own privacy policy and
all applicable federal laws.
Northwest Airlines' current policy is to not provide passenger
name record data to private contractors or federal government
agencies for use in aviation security research projects. While
Northwest Airlines still believes it would be appropriate to
provide such data to the U.S. Government to advance aviation
security, in light of current privacy concerns, Northwest believes
a data protection protocol addressing privacy concerns should be
developed before any further aviation security research with
passenger data is conducted."