Almost nine months ago, the Transportation Security Administration (TSA) disclosed plans to upgrade the nation's airport security system with data-mining technology designed to catch potential terrorists before they board commercial flights. The second-generation Computer Assisted Passenger Prescreening System (CAPPS II) would scan government and private-sector databases for criminal, financial and other information and ferret out high-risk passengers using a color-coded "risk score." As details emerged, however, the program became embroiled in controversy. Senator Ron Wyden, instrumental in exposing the privacy threat posed by John Poindexter's Total Information Awareness (TIA) project, led a backlash in Congress that challenged the TSA's authority to create such a system. The Senate Appropriations Committee denied funding for the CAPPS II program pending a privacy-impact study from the General Accounting Office.
Meanwhile, thanks to a series of suits by the ACLU and the Electronic Privacy Information Center (EPIC), documents emerged showing that dozens of innocent passengers--including American Muslims, South Asians and senior citizens--were being harassed, detained and even strip-searched by National Guard, airport security and local law-enforcement officials because of a secret no-fly list, the existence of which the TSA had previously denied. TSA administrator James Loy repeatedly promised that CAPPS II would not move forward until all privacy concerns were addressed, and the Department of Homeland Security hired a chief privacy officer to make sure all programs measured up to existing privacy laws. At the end of July, the TSA made several concessions to critics, calling for a Passenger Advocate Office to assist passengers mistakenly flagged as high risk under the program.
But in mid-September, the furor reignited when a lone privacy advocate uncovered a disturbing document regarding New York-based JetBlue Airways, which has been in talks with the TSA to participate in testing the CAPPS II program. According to the document, JetBlue secretly provided 5 million passenger-name records, involving some 1.5 million passengers, to a Huntsville, Alabama-based defense contractor called Torch Concepts, which government officials say was participating in a military base security program for the Defense Department. One of Torch Concepts' vendors, Little Rock-based Acxiom Corporation, then used the JetBlue data to extrapolate Social Security numbers and other private information on almost half these customers, according to the document, which was a Torch Concepts presentation on passenger risk assessment. The TSA admitted that it helped facilitate the JetBlue relationship with Torch Concepts but claimed that the firm was not a TSA contractor and had nothing to do with the development of CAPPS II. However, TSA officials told The Nation that Acxiom is a subcontractor to Lockheed Martin, the main contractor on the CAPPS II project.
What is interesting about this is that the TSA has repeatedly claimed that its screening system would require access only to the travel itineraries, names, addresses, dates of birth and phone numbers of passengers. The JetBlue scandal shows that passengers could lose control of a great deal more personal information.
"For me it was totally consistent with what I've seen in my research of the privacy practices of the travel industry in the USA," said privacy advocate Edward Hasbrouck, who uncovered the original document and leaked it to Wired News.
A December 2002 Defense Department report on security and privacy, which can be found on the Defense Advanced Research Projects Agency website (www.darpa.mil.iao/secpriv.pdf ), cites the "stunning" amount of data that Acxiom is capable of gathering and suggests that the government may be able to cull data from Acxiom without the firm even knowing about it.
Acxiom, one of the nation's largest data-mining companies, has actively sought federal contracts related to homeland security in the past two years. In December 2001 Acxiom hired Gen. Wesley Clark, now a Democratic presidential candidate, as a lobbyist and board member to help procure government contracts.
Washington-based EPIC earlier this year filed suit in an effort to connect the dots between the CAPPS II program and the TIA program. Now EPIC has filed a complaint with the Federal Trade Commission alleging that JetBlue and Acxiom violated consumer-protection laws when they disclosed the information to Torch Concepts. EPIC has also filed Freedom of Information Act requests with the Defense Department, the Federal Aviation Administration and the TSA to get to the bottom of the JetBlue imbroglio. Until the TSA, JetBlue, Torch Concepts and Acxiom come clean, there can be no confidence that CAPPS II will make Americans either safe or free.