SAFE & SOUND IN THE CYBER AGE: CODE RED FOR JET BLUE

Privacy concerns over who has access to electronic information and what they use it for continue to be an issue to our society. ddv

From: NewsScan Daily: September 24, 2003

"SAFE & SOUND IN THE CYBER AGE: CODE RED FOR JET BLUE
by Chey and Stephen Cobb
We had several interesting responses to our last column, concerning the blue TSA (Transportation Security Administration) tags that are appearing on airline baggage. So we stick with the travel theme this week. We even use the same color scheme: the story we want to cover concerns the airline known as Jet Blue.
Whether you read this story as it broke on Wired.com, or saw the Associated Press piece in your local newspaper, alarm bells had to be going off. Here was a U.S. airline giving its passenger records to a Defense Department contractor (Torch Concepts) working with the TSA to test the feasibility of combining such records with other commercially available data (like credit bureau records) to single out passengers for additional security screening, all documented in a set of PowerPoint slides titled 'Homeland Security -- Airline Passenger Risk Assessment,' presented at a public conference in February of this year and subsequently posted on the Internet.
If alarm bells did not go off, it may be because the media is now an irony-free zone. Tom Brokaw mentioned the Jet Blue story on NBC right before a "special report" on the insurance company practice of denying automobile coverage to people based on their credit records. NBC apparently missed the fact that the "Jet Blue project" could mean people getting frisked at airports, or even kicked off airplanes, based in part upon those same records.
So let's spell out what happened. At the end of 2001, Torch Concepts made initial overtures to airlines asking for passenger data, namely who flew what flights. We may take some comfort in the fact that American and Delta appear to have said no. In March of 2002 the DoD funded the Torch Concepts research and in April the company started meeting with the DoT and, via "Congressional Liaison," with TSA. In June of 2002 a DoT-TSA meeting addressed the Torch Concepts project and in July told the company it would soon receive "the necessary database being used by CAPPS II contractors."
Heaven knows what's in the CAPPS II database, currently the target of several lawsuits, but apparently Torch Concepts didn't get that database. What it got, in September, sounds like a consolation prize: the Jet Blue database. Torch Concepts complained that this was very limited in terms of the goals of the research, but went ahead with the project anyway. In October, Torch Concepts purchased additional demographic data from Acxiom, a company that sells a lot of interesting data, such as your social security number. That's right, you are probably among the 700 million individuals and companies on whom Acxiom keeps records, somewhere in its seven acres of computers.
What kind of records? For a start there's name, birth date, social security number, plus current and former address. There's a good chance that Acxiom also knows who you work for, the names of the people who live with you, and whether you own or rent.
What does Acxiom do with this information? It sells it, often in the form of data appending and verification services. Suppose I have some of the above pieces of information about a list of people, my customers perhaps, but I don't have all that information. Acxiom can provide the missing data (even if my customers declined to provide it when I asked for it). That's appending. Acxiom can also verify that the data I have on my customers is correct, by checking it against data on the same people held by other companies. In the wake of 9/11 and the Patriot Act, Acxiom has been keen to show that its database can also be used to fight terrorism, but the Arkansas-based company suffered an embarrassing setback last month when a flaw in its security led to a hacker accessing data being uploaded to Acxiom by a customer, something Acxiom only found out about when contacted by an Ohio law enforcement agency.
Anyway, back in 2002, Torch Concepts used Acxiom to increase the amount of information it had on the people who flew Jet Blue; then analyzed everything to see what could be learned. Here are some of the conclusions presented at the conference:
* Known airline terrorists appear readily distinguishable from the normal Jet Blue passenger patterns (that's a relief)
* The "Passenger Stability Indicators" that distinguish normal Jet Blue passengers from past terrorists include social security number, length-of-residence, income, and home ownership (terrorists tend not to be homeowners with social security numbers?)
These are hardly stunning revelations; we don't know how many taxpayer dollars it cost to reach them, but we are inclined to think it was too many. As for Jet Blue, which appears to have violated its own privacy policy when it handed over the data, the cost could also be too much. The Federal Trade Commission is apt to file suit when companies do that, as in the cases of drug maker Eli Lilly and jeans maker Guess, Inc. Privacy advocates and state attorneys general are apt to follow suit, so to speak.
As we see it, even if amassing and analyzing huge databases is a reliable way to spot terrorists, which frankly we doubt, it wouldn't be a good idea. Apart from the very serious privacy concerns, as Acxiom demonstrated last month, you put the data itself at risk. The day when computer security practices are as good as they should be is a long way off. We should use that time to address the reasons why people commit acts of terror, not hunt for needles in haystacks.
[Chey Cobb, CISSP, the author of Network Security for Dummies, is an independent consultant (www.cheycobb.com) and a former senior technical security advisor to the NRO. She can be emailed as chey at patriot dot net. Stephen Cobb, CISSP, wrote his first computer security book twelve years ago. He can be emailed as scobb at cobb dot com.] "