Comment Articles

US privacy flies out the window

Declan McCullagh CNET News

Published: 23 Sep 2003 15:20 BST

Ever since its launch, I've been an unabashed fan of JetBlue Airways, the brash start-up that offers comfortable seats, satellite-linked TVs and beat-the-competition prices. Until last week, that is, when I found out that JetBlue secretly turned over my personal information and details on some 5 million other passengers to a private contractor that's working on a data-mining project for the Bush administration.

A presentation prepared by contractor, Torch Concepts, describes how it merged the JetBlue database with US Social Security numbers, home addresses, income levels and vehicle ownership information it purchased from Acxiom, a company that sells consumer data. Not all the details are clear, but the presentation discusses how Torch, on behalf of Uncle Sam, tried to rate each passenger's security risk level by analyzing the merged databases.

That kind of disgraceful privacy intrusion demonstrates that it's high time to amend the Privacy Act of 1974, which restricts databases that the US government compiles but does not regulate how agencies access databases that the private sector runs.

Enacted largely as a result of a federal report on automated data systems, the Privacy Act covers any "system of records" that the government operates with personal information on American citizens. It limits the use and disclosure of those records and requires that the databases be protected with "appropriate administrative, technical and physical safeguards" to preserve their security and confidentiality. Government employees who disclose records in violation of the law's procedures can be fined and imprisoned on misdemeanour charges.

In today's world, the venerable Privacy Act doesn't go far enough. It worked when computers could be defined as "automated data systems," but Moore's Law has exploded early 1970s-era notions of computing speed, and hard-drive capacity has increased even more dramatically. The law fails to address the databasification of modern life.

To give this a historical perspective, the Privacy Act was enacted just a few years after Intel introduced the 4004, the first single-chip microprocessor, and the 1103 dynamic RAM chip, which replaced magnetic core-type memory.