Controversy could limit government’s upgraded computerized screening program
It is not good when the chief executive officer of an airline has to post a message to all customers confessing, “I feel very badly about the concern this matter has created.”
That was part of the “explanation” offered Sept. 23 by JetBlue Airways [Nasdaq: JBLU] CEO David Neeleman in the public relations disaster that exploded following revelations that the airline provided – in violation of its own privacy protocols – one million passenger records to a Department of Defense subcontractor involved in a project to assess if a computerized screening system could be used to identify potential terrorists. The project, carried out by the U.S. Army and using subcontractor Torch Concepts, was a data-mining effort to see if personal information could be used ostensibly to foil terrorist attacks on military bases. According to JetBlue, the carrier’s data was used a second time by Torch, without JetBlue’s knowledge, for a presentation titled “Homeland Security – Passenger Risk Assessment.”
Neeleman’s characterization of the “concern” understated the storm of controversy. In the frenzy of media reports, an essential point was lost – the project’s results were virtually useless.
First, highlights of the feeding frenzy:
- A group of JetBlue passengers has filed a lawsuit alleging fraudulent misrepresentation and invasion of privacy.
- The Federal Trade Commission is investigating JetBlue’s actions.
- The Army, which hired Huntsville, Ala.-based Torch Concepts, is reviewing the potential privacy violations.
- The American Civil Liberties Union (ACLU) unveiled Sept. 24 a handy online form enabling airline passengers to submit a Privacy Act request regarding any information the government may hold about them in connection with the JetBlue data-sharing fiasco. “We want to empower people to find out for themselves if they have been caught up in this experiment using average Americans’ personal information in a misguided effort to detect terrorists,” declared Barry Steinhardt, director of the ACLU’s Technology and Liberty Program.
How, more precisely, did Torch Concepts use the JetBlue data? According to a copy of its briefing on the study given at a homeland security panel during a software conference earlier this year, the limited JetBlue passenger database was merged with a personal demographic database purchased from a company called Acxiom and fed into a process dubbed the ‘ACUMEN Analysis.’
To the basic JetBlue information of name, address, telephone number and flight itinerary, the Acxiom database added gender, age, home specifics (own/rent), years at residence, economic status (income), social security number, occupation, vehicles, and so forth. Only about 40 percent of the JetBlue and Acxiom records could be matched. The Torch briefing said JetBlue passengers generally “appear to be largely upper middle class tourists.” More specifically, JetBlue passengers fell into two main groups: young middle-income home owners with short length-of-residence, and older upper-income homeowners with longer length of residence. A third group also was identified: passengers with ‘anomalous’ records, whether through erroneous entry, fraud or mischief.
The briefing concluded that “known airline terrorists appear readily distinguishable from the normal JetBlue travel patterns.” This assertion is based on the study concept: that “deviations from normal behavior point to terrorists.” In this respect, JetBlue’s passengers seem eminently normal.
The methodology supports no such conclusion, according to independent security experts. The data sample is too limited and skewed because JetBlue is a low-cost airline with a limited number of locations served. Even the 40 percent matching of personal data to the JetBlue database is misleading, because of incomplete data on many passengers. For these reasons, there is no way to tell if the process would be beneficial for identifying higher-risk passengers. Of course, this is the premise behind the CAPPS II (computer assisted passenger prescreening system) propounded by the Department of Homeland Security as the vehicle for categorizing passengers by level of risk. CAPPS II is designed to mine databases, looking to confirm that passengers are who they claim to be and that they are “rooted in the community.”
The furor over JetBlue’s release of passenger data could discourage airlines from sharing passenger records in support of CAPPS II. Other airlines evidencing a willingness to support CAPPS II development can anticipate websites like the one titled “Boycott Delta,” which offers a 10-point action plan whereby passengers can vent their displeasure with the perceived invasiveness of CAPPS II (see http://www.boycottdelta.com).
Dr. Arnold Barnett of the Massachusetts Institute of Technology, an expert on aviation safety and security statistics, cautioned that CAPPS II runs the danger of becoming a flawed ‘Maginot Line’ of security (see ASW, Jan. 27). Regarding the Torch approach, Barnett said, “At best, these people are arguing that JetBlue’s passengers generally do not look like past terrorists. But why would we assume that future terrorists and their dupes would look like past terrorists?”
“A few weeks ago on a Jerusalem bus, 20 people were killed by a suicide bomber who was a clergyman with two young children,” Barnett went on to say. “The Israelis openly admit that he fit no terrorist profile. The 9-year old who arrived recently at the airport with a teddy bear gift containing a gun would not be singled out by this system any more than by CAPPS II. Luckily, the bear did not contain plastic explosives. If the young man from the San Francisco suburbs who joined the Taliban had instead served al Qaeda as a sleeper, would this system have identified him?”
“The real story here is not JetBlue’s mistake but the shallow use of data and its implications for CAPPS II,” Barnett said.
Barnett and other experts said CAPPS II must be part of a layered security system of multiple, independent elements, both human and technological. Specifically, the gun in the teddy bear might have been uncovered by a questioning system about whether the teddy bear was bought by the parents or obtained as a gift. One would have to start with a general questioning process, e.g., are you (and your family/associates) carrying any gifts? The security screener would then move to specific article, bags, etc. Were this layer in place, the bear should have been x-rayed and examined using a trace explosive detector once the child (or parents) stated that it was obtained as a gift. Using a multiple layered approach, more threats can be identified and most interdicted.
In a July article in MIT’s Technology Review, Barnett cautioned that relying on CAPPS II as the pre-eminent weapon could represent aviation security’s false hope. Barnett argued that CAPPS II needs to select roughly the same percent of passengers as CAPPS I to “ensure that the number of terrorists caught in the net goes up.”
This point may be open to challenge. If the CAPPS II elements are well crafted, fewer persons may be identified as “selectees.” On the other hand, adding elements to CAPPS II may result in more persons identified as “selectees” for additional security screening. Much depends on the specific changes from CAPPS I to CAPPS II, but it may not be necessary to identify the same percentages in CAPPS II to have a more successful profile program. In a Sept. 18 letter to the Washington Post newspaper, Transportation Security Administration chief James Loy said, “We won’t know with certainty how many passengers could be affected until we fully test the system.”
“Our goal is to identify only 3 percent to 4 percent of travelers for a second screening prior to boarding and to prohibit an infinitesimally small number from flying. That would represent a significant reduction in those subjected to secondary screening now,” Loy declared.
In response to Loy’s disclosure, Barnett said, “But surely the goal should be to stop terrorism. I would be happier if the percentage selected stays at essentially the current level.” >> Barnett, e-mail [email protected] <<
Flying Above a Public Relations Disaster
September 23, 2003
Dear JetBlue Customers (extracts):
The information we gave [to Torch Concepts] was limited to name, address and phone number, along with flight information. Absolutely no payment or credit card information was given … It was a well-intentioned attempt to assist the Department of Defense in a national security matter.
1. How did this happen? I had no knowledge of this data transfer [and] I accept full responsibility for this action by our company.
2. How was this data used and where is it now? It is our understanding that Torch only used the data for concept testing purposes … all the data has been destroyed.
3. How can I know this will never happen again? We realize that we made a mistake … I give you my personal assurance that we are committed to protecting both the security and the privacy of our valued customers.
Sincerely,
David Neeleman
Chief Executive Officer
Source: http://www.jetblue.com/learnmore/privacypolicy.html
CAPPS II – Airline Security’s False Hope?
Dr. Arnold Barnett (extracts):
“CAPPS II could yield some security improvements over CAPPS I – as long as two conditions are met. The first is that CAPPS II designates the same percentage of passenger selectees as CAPPS I. This should ensure that the number of actual terrorists caught in the net goes up. The second condition is that security processing does not slacken under CAPPS II – for either selectees or non-selectees.
“Alas, the evidence suggests that neither of these conditions will be met. The Transportation Security Administration (TSA) says travelers ‘may well notice’ that fewer passengers are designated selectees under CAPPS II, and has described non-selectees under the system as people who ‘clearly pose no threat of terrorism.’ In other words, the agency envisions that CAPPS II will select fewer people but nab practically all terrorists.
“I see no reason for that, if the overall selection rate declines from, say, 5 percent to 2 percent, the selection rate among terrorists will rise. The new system probably isn’t that much better than CAPPS I. If security processing for non-selectees becomes less demanding (after all, what sort of screening is needed for people who ‘pose no threat of terrorism?’), then a terrorist erroneously assigned to the low-risk group could have a greater chance of success under the new system than the existing one.
“Used wisely, CAPPS II could be a moderately helpful weapon in the antiterrorist arsenal. Unaccountably, however, many security planners see CAPPS II as the preeminent weapon, and their excess confidence in the system suggests that its forecasts will get more weight than is prudent. This supposed foundation of security could therefore pose a new security threat to U.S. air travelers.”
Source: MIT Technology Review, reproduced with the author’s permission