
TSA helped JetBlue share live passenger data with contractor


The diversion of JetBlue passenger information has vastly more impact than the recent Northwest Airlines privacy glitch (mainly because the census data that the NW info was cast against was a standard, sanitized test set without passenger-specific data). In the JetBlue instance, passenger-specific data was merged with other commercial sources to obtain SSNs, home info, income, dependents, vehicles, and occupation.

And that is just the beginning of the data that can today be gathered and merged from credit, criminal, government, real estate, vehicular, and demographic sources at the zip code and geo code level. The types of demographics that are readily available are:

Date of birth
Possible AKAs for subject
Social Security number
Possible other Social Security number
Possible other names associated with SSN
Possible addresses associated with subject
Possible real property ownership
Possible deed transfers
Possible vehicles registered at subject's addresses
Possible watercraft
Possible FAA aircraft registration
Possible UCC filings
Possible bankruptcies, liens, and judgments
Possible professional licenses
Possible FAA pilot licenses
Possible DEA controlled substance licenses
Possible business affiliations
Possible relatives
Other people who have the same address as the subject
Possible licensed drivers at subject's addresses
Neighbor phone listings for subject's addresses

One of the contractors went so far as to present a "Homeland Security Airline Passenger Risk Assessment" to other contractors using the JetBlue data. That genie will just never get back in the bottle in terms of guaranteeing that the passenger data is completely scrubbed. (And I said scrubbed, not deleted, as a 'delete' merely clips off a file pointer, leaving the balance of the file intact for later forensic recovery. One has to scrub, or actively overwrite, the data a minimum of three times to satisfy DoD 5220.22-M. PGP notes that 'security continues to increase up to approximately 28 passes.')
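The delete-versus-scrub distinction above, as an added Python example that is not part of the original post: `overwrite_in_place` rewrites the file's existing bytes once per pass, and only then does `scrub_file` remove the directory entry. The pass schedule (zeros, ones, random), the function names and the sample record are assumptions made for illustration.

```python
import os
import secrets
import tempfile

# Assumed pass schedule: a fixed byte, its complement, then random data.
PASSES = (b"\x00", b"\xff", None)
CHUNK = 64 * 1024

def overwrite_in_place(path, passes=PASSES):
    """Overwrite every byte of the file once per pass; return bytes per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:      # r+b rewrites existing bytes, no truncate
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())      # push this pass to the device before the next
    return size

def scrub_file(path, passes=PASSES):
    """Overwrite first, then remove the directory entry (the ordinary 'delete')."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size

def demo():
    """Returns (marker_survived_overwrite, file_exists_after_scrub)."""
    record = b"DOE,JOHN,SSN=000-00-0000,ZIP=00000\n" * 100  # constructed sample data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(record)
    overwrite_in_place(path)
    with open(path, "rb") as fh:
        survived = b"000-00-0000" in fh.read()
    scrub_file(path)
    return survived, os.path.exists(path)

if __name__ == "__main__":
    print(demo())
```

In-place overwriting only reaches the original blocks when the storage maps file offsets to fixed physical locations; SSD wear leveling, journaling or copy-on-write filesystems, snapshots and backups can all retain earlier copies that this code never touches.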

And this will go on: while Congress eliminated funding for the Pentagon's TIA program, it left intact a similar research program at DoD ARDA (Advanced Research and Development Activity), using some of the same contractors who had worked on the TIA effort. "ARDA sponsors corporate and academic research on information technology for U.S. intelligence agencies, and is developing computer software dubbed 'Novel Intelligence from Massive Data,' which performs many of the same kinds of data-mining activities rejected by opponents of TIA. The ARDA project is vastly more powerful than other data-mining activities such as the Department of Homeland Security's CAPPS II program to classify air travelers or the six-state, Matrix data collection system funded by the Justice Department."

Your mileage may vary on the merit of these systems. It will be interesting to see the outcome of the class action suits on this one.

Gordon Housworth
