Thursday, October 02, 2003

Anita Ramasastry has done a typically incisive analysis of the privacy issues related to the recent JetBlue case and the US government's proposals on CAPPS II. The 1974 Privacy Act in the US only relates to databases compiled by the government and does not cover the government's access to private sector databases.

"Soon, the Transportation Security Administration (TSA) - which was
involved in the JetBlue data transfer - will begin to implement CAPPS II.
CAPPS II will attempt to update and revamp the existing federal no-fly
list program by employing the same kind of private sector data that
JetBlue provided to Torch Concepts.

Disturbingly, however, CAPPS II currently lacks meaningful privacy and
due process safeguards. Thus, not only should the Privacy Act be
amended, but so should the CAPPS II proposal.

Otherwise, consumers may find that data that they have provided to
companies in the private sector is now being used to target them for the
same scrutiny would-be terrorists receive."

The defense contractor that analysed the data on 5 million JetBlue passengers had been contracted by the army "to determine how information from public and private records might be analyzed to help defend military bases from attack by terrorists and other adversaries."

The contractor synthesised the JetBlue data with data bought from a large aggregating company and created a set of profiles: (1) Young Middle Income Home Owners with Short Length-of-Residence; (2) Older Upper Income Home Owners with Longer Length-of-Residence; and (3) travellers with "anomalous records."

As Prof Ramasastry says, "The third category, by definition, might potentially include renters,
students with both home and school addresses, older persons who have
moved recently, and persons with low incomes. Of course, such persons
are in some senses the norm in America. Yet the program may have
deemed them "anomalous" - and, thus a risk from a security standpoint."

The other problem comes when there are errors in the data or it gets misused by the various actors (or their employees) engaged in the processing or transfer of the data.

The guy that is trying to sell his electronic voting machines to Ohio state told Republicans in a recent fund-raising letter that he is "committed to helping Ohio deliver its electoral votes to the president next year." If you read it in a novel you wouldn't believe it. Not, of course, suggesting that we should believe everything we read on the Net, although Walden O'Dell, chief executive of Diebold Inc., has been reported as having said similar things in the past.
