WASHINGTON – Governmental Affairs Committee Chairman Susan Collins, R-Me., Ranking Member Joe Lieberman, D-Conn., and Armed Services Committee Ranking Member Carl Levin, D-Mich. – in a letter to Defense Secretary Donald Rumsfeld Friday- sought to determine if DOD had complied with Privacy Act requirements when an information-mining contractor working for the U.S. Army acquired the names, addresses, phone numbers, and itineraries of more than one million JetBlue passengers. The contractor then matched the personal information against information contained in private databases and reportedly presented the results at a public symposium.
“We support the development of effective new systems and technologies to protect homeland and national security, with appropriate safeguards regarding the privacy of personal information,” the Senators wrote. “At the same time, we note that many Americans have expressed concern that proposals for new data systems being considered may intrude too far on their personal privacy… This apparent misuse of JetBlue passenger information only adds to these concerns.” The bipartisan group of Senators – who all hold leadership positions on the Governmental Affairs Committee, which has responsibility for overseeing homeland security and government privacy laws – asked Rumsfeld to determine if the DOD followed Privacy Act regulations by, among other things, publishing a notice regarding the system of records being created by the contractor and preventing unauthorized disclosures. “The terrorist attacks of September 11th have forced us to consider anew how to undertake the difficult balance between the public’s interest in improved security versus our fundamental commitments to personal privacy,” the Senators wrote. “However, the best way to win support for effective homeland security systems is by reassuring Congress and the public that agencies have appropriately considered the impacts on personal privacy, as required by law.” Following is full text of the letter: October 17, 2003 The Honorable Donald Rumsfeld Secretary U.S. Department of Defense The Pentagon Washington, D.C. 20301 Dear Secretary Rumsfeld: We are writing to seek further information regarding why a Department of Defense contractor collected the personal information of more than one million passengers of a commercial airline, JetBlue Airways, and then matched that information against commercial databases to develop passenger profiles. These actions suggest the contractor may have violated the Privacy Act of 1974, and they raise disturbing questions about the reliability of safeguards in place at the Defense Department to protect Americans’ privacy. According to published reports and the statements of the companies involved, Torch Concepts Inc., an information mining contractor doing work for U.S. Army, acquired from JetBlue Airways itinerary information of well over 1 million passengers; the information included the passengers’ names, addresses and phone numbers. Torch Concepts matched the passenger information against more detailed personal data on the same individuals, purchased from Axciom Corporation. The contractor then attempted to draw inferences as to which data elements “best distinguish normal JetBlue passengers from past terrorists.” An Army spokesman has stated that Torch Concepts was performing work for the Army on how personal data could be used to improve security at defense bases. Nevertheless, officials from the Transportation Security Administration (TSA) reportedly helped the contractor acquire the passenger data from JetBlue, and the program’s results were presented at a symposium sponsored by the Department of Homeland Security. Indeed, employees of Torch Concepts reportedly considered whether its research might be of use to the Department of Homeland Security. We support the development of effective new systems and technologies to protect homeland and national security, with appropriate safeguards regarding the privacy of personal information. At the same time, we note that many Americans have expressed concern that proposals for new data systems being considered may intrude too far on their personal privacy; on occasion, Congressional and public opposition to poorly explained programs has required agencies to curtail their programs. This apparent misuse of JetBlue passenger information only adds to these concerns. The database established by Torch Concepts may be covered by the Privacy Act of 1974. The Privacy Act makes agencies responsible for ensuring that contractors comply with the law’s terms when establishing a system of records on the agency’s behalf. Torch Concepts may well have created system of records, as defined by the Act, as the contractor was collecting and maintaining personal information that was presumably retrieved by the names of the individuals, or by other identifying characteristics. The Privacy Act requires an agency to publish in the Federal Register a notice when it establishes a system of records. The notice must describe what information about individuals the system will contain, and it must describe how an individual can gain access to any information pertaining to him. The Act prohibits disclosure of the personal information, including disclosure to other agencies; it also allows individuals to gain access to information pertaining to them, and to correct errors. We note that a spokesman for the Army reportedly asserted that the Army never had access to the passenger records collected by Torch Concepts, and that therefore it did not expect to find any privacy violations of its own. However, the Privacy Act applies to contractors working for the federal government, and the Act’s criminal penalties apply to employees of the contractor as if they were employees of the federal government. The Defense Department has an affirmative obligation to ensure compliance by its contractor, and the contractor itself must be aware of its legal obligations as well. We question whether that has happened in this case. We are unaware of any Privacy Act notice published by the Department of Defense for this data-mining system. The absence of such a notice would suggest that the Department of Defense did not believe that it had to comply with the Privacy Act’s other provisions. In the absence of such public notice, there is less likelihood of public discussion and Congressional oversight concerning adequacy of privacy protections. It also appears that passenger information was shared with others, which may constitute a violation of the Act. An exemption to the Privacy Act protects classified information from disclosure, but still requires compliance with other provisions of the Act. The Administration has committed to implementing the Privacy Act, and recently supported enactment of new privacy provisions in last year’s E-Government Act. These and other privacy laws on the books ultimately must be enforced by agencies. A searching inquiry by the Defense Department may be necessary to determine whether it has adequate Privacy Act procedures. The terrorist attacks of September 11th have forced us to consider anew how to undertake the difficult balance between the public’s interest in improved security versus our fundamental commitments to personal privacy. However, the best way to win support for effective homeland security systems is by reassuring Congress and the public that agencies have appropriately considered the impacts on personal privacy, as required by law. Disclosures of the sort involved in the JetBlue case only heighten the public’s concerns, and may make the development of needed security systems more difficult in the future. Because of these concerns we are seeking additional information on this Defense program and the use of passengers’ personal information: 1. What was the nature of the U.S. Army’s contract with Torch Concepts? What specific tasks was the contractor expected to perform? What was the contract’s budget and duration, and what have been the expenditures under the contract to date? 2. Why did Torch Concepts, pursuant to its contract, collect passenger information from JetBlue Airways? It has been reported that the contractor collected personal information on more than 1 million passengers. Are these reports accurate? Please provide a detailed description of the information collection by Torch Concepts. 3. Did Torch Concepts, pursuant to its contract, create a system of records as defined by the Privacy Act of 1974? If you contend that no system of records was created, please explain your answer. 4. Did the Department of Defense comply with the following Privacy Act requirements? Please explain each answer: a) Did it publish a Privacy Act notice in the Federal Register for the system of records that Torch Concepts created? b) Did it allow individuals to gain access to information pertaining to them? c) According to news reports, Torch Concepts disclosed passenger information at a public conference; it appears that the presentation may later have been posted on a public website. Did the Department of Defense or its contractor disclose personal information to any other person or entity, including another federal agency? If so, describe the circumstances in which the information was disclosed, and whether the disclosures complied with federal law. d) Did the Department of Defense ensure that the information maintained in the system of records was timely, accurate, and relevant? If so, how? 5. Representatives of JetBlue and Torch Concepts have asserted that the passenger information was destroyed soon after news of the program was disclosed by the press. What steps were taken to ensure that the destruction of these records complied with the Privacy Act, the Federal Records Act, or other applicable laws? 6. The Chief Privacy Officer at the Department of Homeland Security (DHS) is investigating whether DHS violated the Privacy Act through its participation in this program. What is the Department of Defense doing to investigate the possibility that Torch Concepts and the Army violated the Privacy Act? Will you request an independent investigation by the Department of Defense Inspector General? Thank you for your prompt attention to these matters. Sincerely, Senator Susan M. Collins Chairman Committee on Governmental Affairs Senator Joseph I. Lieberman Ranking Democrat Committee on Governmental Affairs Senator Carl Levin Ranking Democrat Committee on Armed Services