The Department of Transportation dismissed EPIC's complaint about Northwest Airlines' secret sharing of passenger data in 2001 with NASA researchers working on passenger screening algorithms.
(Normally such a complaint would be filed with the Federal Trade Commission, but if airlines engage in unfair business practices, the DOT has jurisdiction.)
Also in related news, a judge threw out another passenger class action against Northwest last week.
I don't find the ruling (PDF) surprising. When I wrote about the transfer for Wired News back in January, I noted that Northwest's privacy policy was unclear enough to give the airline an out. JetBlue's very strict privacy policy very clearly outlawed its transfer of passenger data to the Army's contractor, Torch Concepts. (They admitted as much and apologized in that case, but have yet to acknowledge two other transfers, let alone that they too violated the company's privacy policy.)
Here are the relevant grafs (full story here):
Northwest maintains that it did not violate that policy by giving the records to the government. But while the Northwest website's privacy policy promises users that they are in complete control of the information they provide, the body of the policy only specifically prohibits Northwest from selling its records.
[EPIC attorney David] Sobel called that an "absurd reading of the privacy policy."
That disagreement is central to whether Northwest will face lawsuits or federal censure for deceptive business practices, as passengers have little protection under federal law.
American privacy laws are a complex patchwork, covering some data, such as financial and health information and information in government databases, while leaving the rest, including travel data, protected only by a company's privacy policy, which itself is optional.
But the point is not to say I told you so, but to point out how strong the DOT ruling is.
In fact, the ruling almost seems to say that any airline privacy policy that provides even a modicum of privacy protection would be illegal.
The DOT argues that because Northwest has to share info with the DOT by regulation and with law enforcement upon subpoena, their privacy policy's promise that "you are in complete control" has no meaning.
DOT assistant counsel Samuel Podberesky argues that wording implies a passenger would have the right to stop Northwest from turning over data when the airline was legally required, so the statement does not block any transfers of data.
This reading is tortured and has an unintended side effect: it legitimizes companies that make sweeping promises of privacy rights in privacy policies, and then hide their true practices in fine print.
Take Northwest's policy. It only expressly bans the company from "selling" its list. Most people would take this to mean the company could not give its list to outside companies for money.
Northwest could, however, lease its list to another company for 100 years, and I'd bet you Podberesky would find no harm.
Also note that Podberesky totally failed to address EPIC's contention that the transfer violated EU privacy law, since some of the affected fliers certainly booked their tickets from Europe.
That's surprising given his assurances to the European Commission in 2000 that his office took privacy and the EU data protection directive seriously:
The Department of Transportation encourages self-regulation as the least intrusive and most efficient means of ensuring the privacy of information provided by consumers to airlines and accordingly supports the establishment of a "safe harbor" regime that would enable airlines to comply with the requirements of the European Union's privacy directive as regards transfers outside the EU. The Department recognizes, however, that for self-regulatory efforts to work, it is essential that the airlines that commit to the privacy principles set forth in the "safe harbor" regime in fact abide by them. In this regard, self-regulation should be backed by law enforcement. Therefore, using its existing consumer protection statutory authority, the Department will ensure airline compliance with privacy commitments made to the public, and pursue referrals of alleged non-compliance that we receive from self-regulatory organizations and others, including European Union member states.
Posted by Ryan Singel at September 14, 2004 11:03 PM
