Privacy Pressure

The Transportation Security Administration said last week that it may force airlines to provide information on passengers to test a new counterterrorism program, raising hackles in an industry that's already facing lawsuits filed by passengers for having previously shared such data without their knowledge. The outcome of the dispute could set a precedent for how much data companies share with federal agencies in the name of national security.

The latest development involving the Computer Assisted Passenger Prescreening System II, or CAPPS II, shines a light on a growing concern among airlines and other travel-related companies that counterterrorism efforts increasingly involve requests for information about their customers.

"The airlines will not voluntarily turn over this data," says Doug Wills, VP of external affairs for the Air Transport Association, the trade organization for the major U.S. airlines. While the association supports the concept of CAPPS II, its members want more privacy guarantees before they supply data for any purpose.

David Stone, acting administrator for the TSA, told the House of Representatives' aviation subcommittee that the agency is prepared to propose a rule forcing airlines to hand over passenger data to test CAPPS II's security and privacy safeguards. A TSA spokeswoman says the administration wants to work closely with the airlines. "We really want to ensure that we have an open, transparent, acceptable process that includes interactive discussion on all the issues associated with CAPPS II," she says.

Airlines and other businesses are caught between their duty and desire to help prevent terrorism and the need to maintain customer loyalty. Two airlines face pending class-action suits: JetBlue Airways, for giving a government contractor customer data to test an experimental Defense Department data-mining project; and Northwest Airlines, for giving similar data to NASA for an unspecified research test. Nuala O'Connor Kelly, chief privacy officer for the Department of Homeland Security, which oversees the TSA, last month concluded that the administration violated the spirit of federal privacy laws when it compelled JetBlue to provide its customer data to the federal contractor in 2002.

Stone testified that CAPPS II will flag fewer innocent passengers for security review. Under the current CAPPS system, airlines' reservation systems check passenger information against a government-supplied watch list. Putting the passenger-screening system and process in the federal government's hands would ensure a consistent approach, Stone said. The TSA also believes that consolidating the data would allow for more effective use of up-to-date intelligence information and make it easier to identify higher-risk flights and airports.

Passengers' identities would be authenticated by matching airlines' data against a TSA database maintained by a private-sector data aggregator such as LexisNexis or Acxiom Corp., then checked against a federal terrorism database and lists of individuals who have outstanding warrants for violent criminal acts. Precautions to protect privacy include installing private networks between the TSA and the airlines that would pass only encrypted data; requiring the data to pass through a multitier firewall before entering the TSA system; and implementing a 24-hour audit trail that documents all access to data, Stone said. But the Air Transport Association requested specific guarantees last week, including assurances that the TSA collects information pertaining only to aviation security, that the information is securely stored, that it's jettisoned as soon as travel is completed, and that passengers can access their own data and correct any errors. Several airlines contacted last week declined comment or didn't return phone calls.

Some of those requirements have yet to be met, according to a General Accounting Office report issued last month on CAPPS II. It concludes that the program lacks the security and oversight needed to safeguard privacy and fails to give passengers adequate means of clearing their names.

The government is as concerned as private industry is about maintaining consumer privacy, says O'Connor Kelly, who's responsible for ensuring that Homeland Security complies with privacy laws. But this is new territory, she says. The rules laid out in the Privacy Act of 1974 are clear when it comes to how government contractors handle private-sector data or when data is collected in relation to a specific national-security threat, but they're murky in the context of an ongoing threat. "Both sides have to have clear rules about what goes where and why," she says. "There are some really valid outstanding questions. I think the use of private-sector data for homeland security or any other governmental purpose is one of the most important privacy issues we're dealing with in the federal government."

The hotel industry faces equally murky questions of how to balance anti-terrorism efforts with customer privacy. In December, the FBI asked for and received customer data from casino resorts in Las Vegas because of a feared terrorist act on New Year's Eve. Hotel industry executives and the government won't comment on whether they've had more recent communications or data exchanges, but government requests for such data are "something that's being talked about a lot among general counsels and operations people," says Joe McInerney, president and CEO of the American Hotel & Lodging Association. "They're trying to figure out what the government wants and how they can make it easy to cooperate."

An executive in the hotel division of Cendant Corp., which owns the Days Inn, Howard Johnson, and Travelodge hotel chains, among others, says hotels would prefer to run internal checks against terrorism databases, provided the government gives them access to those lists. Rick Martinez, director of strategic planning and security for Cendant's hotel IT operation, says Cendant's senior management has launched an initiative on how to deal with government requests, but he wouldn't provide details.

"Everybody is resolved to the fact that we have to give this information," McInerney says. The association has received assurances from federal officials that the privacy of any data surrendered would be diligently protected and not used for purposes unrelated to terrorist threats. But Martinez says he's still concerned that the government won't provide guarantees about how customer data would be used and protected. "We all know how one-sided that relationship can be," he says.

"Mission creep," in which information intended for one purpose ends up being used for another, is a valid concern for companies asked to cough up customer data, says Mary Culnan, Slade professor of management and information technology at Bentley College in Waltham, Mass.

Some regulated industries have more practice working through these issues. Under the USA Patriot Act, Wachovia Corp., like all financial-services companies, is required to check lists provided by the Treasury Department against its own customer database to detect people who might be funneling money to terrorist organizations. To avoid unauthorized disclosure of customer data, Wachovia has a designated person within its security operations charged with the job. "You want to have a process that an individual oversees and is accountable for," says Bill Langley, the bank's chief compliance officer.

While the government has a responsibility to build public confidence in its ability to protect privacy, it's the companies that will pay dearly if consumers believe they're loose with personal information. The lawsuits against the airlines illustrate how unprepared companies are to deal with the situation, says Jim Harper, editor of Privacilla.org, a Web site that reports on privacy laws and policies. "They've got a social issue dropped in their lap, and they're struggling to deal with it," he says. "The first obligation is to the customers."

-- with Rick Whiting