Latest News
Court Rejects Agency's "Sensitive Information" Claim in EPIC FOIA Case. A federal court has held (pdf) that the Department of Homeland Security may not withhold a document sought by the public simply by describing it as "sensitive security information." Though federal agencies "are not required to describe the withheld portions in so much detail that it reveals the sensitive security information itself," the court said they are required to "provide a more adequate description" to explain why material is not made public. EPIC filed a Freedom of Information Act suit to force DHS, TSA and the FBI to release documents detailing the agencies' efforts to obtain airline passenger information. Though the court found that the FBI had conducted an adequate search for documents, and TSA and DHS had properly withheld some material, the court has ordered DHS and TSA to provide more detailed justification for numerous withholdings. (July 26, 2005)
EPIC Sues Agencies for Passenger Data Disclosure Info. In court papers (pdf) filed today, EPIC is seeking the expedited release of records from the Transportation Security Administration and Federal Bureau of Investigation detailing the agencies' efforts to obtain passenger information from major commercial airlines. A document (pdf) obtained by EPIC earlier this year led to the revelation that the FBI collected a year's worth of passenger information from numerous airlines after 9/11. Despite substantial media coverage of the matter and Congressional concern about government acquisition of such data, the FBI has refused to expedite EPIC's disclosure request. For more information about passenger data disclosures, see EPIC's page on the Northwest Airlines disclosure. (June 9, 2004)
EPIC Lawsuit Reveals Massive Disclosure of Air Passenger Data to FBI. According to information obtained by EPIC through Freedom of Information Act litigation, the Federal Bureau of Investigation obtained one full year's worth of Northwest Airlines passenger data after 9/11. The amount of personal data was so large that Northwest provided the data to the FBI on 6000 CDs. In an article based upon this new information, the New York Times has confirmed the disclosure of passenger data to the FBI -- by Northwest as well as other U.S. air carriers. Other information obtained by EPIC details the acquisition and use of Northwest passenger data by the National Aeronautics and Space Administration. See EPIC's Northwest Data Disclosure page for additional information and links to relevant documents. (Apr. 30, 2004)
Background Information
In September 2003, JetBlue Airways confirmed that it had provided 5 million passenger itineraries, without the passengers' consent, to defense contractor Torch Concepts to test the feasibility of an Army data mining project. Torch Concepts added to the JetBlue data information it purchased from Acxiom, a large consumer research company. This information included passengers' Social Security numbers, occupations, income, gender, home ownership, car ownership, and the number of adults and children living in the passengers' households.
On February 20, 2004, the Department of Homeland Security (DHS) Privacy Office released a report (pdf) on the JetBlue disclosure which said that in 2002 officials of Torch Concepts met with Transportation Security Administration (TSA) officials. After this meeting, a TSA employee sent JetBlue a written request asking the airline to provide passenger data to the Defense Department for use in the Torch Concepts study. The report found that TSA employees involved "acted without appropriate regard for individual privacy interests or the spirit of the Privacy Act of 1974," but that no violation of the law had occurred.
In April 2004, American Airlines' parent corporation issued a press release admitting that an American Airlines vendor had turned over passenger travel data to four research companies vying for contracts with TSA.
In April 2004, EPIC received documents from the National Aeronautics and Space Administration (NASA) in response to a FOIA request. One document (pdf) stated that Northwest Airlines "gave the FBI one year's [passenger] data on 6000 CDs."
To learn the extent of the government's passenger data collection scheme, and to determine whether passenger data might have been collected for purposes of developing the controversial second-generation Computer Assisted Passenger Prescreening System (CAPPS II), EPIC ultimately sent four expedited Freedom of Information Act requests to TSA and the Federal Bureau of Investigation (FBI) seeking information on passenger data disclosure from any airline since September 11, 2001, as well as records relating to Acxiom, Torch Concepts, and SRS Technologies (the primary contractor in the Defense Department project).
Procedural History
September 22, 2003, FOIA Request to TSA
EPIC's first FOIA request (pdf) to TSA about passenger profiling was sent on September 22, 2003. In the request, EPIC asked for information relating to JetBlue, Acxiom, Torch Concepts, and SRS Technologies. After conferring with TSA, EPIC agreed to limit the request to records from September 2002 to the present time. TSA granted expedited processing of the request on September 30, 2003.
In February 2004, in a series of three "interim responses," TSA informed EPIC that it had identified four relevant documents totaling 138 pages that had been withheld in full under exemptions to the FOIA. TSA also released to EPIC three e-mails and a 23-page presentation named "Homeland Security Airline Passenger Risk Assessment." On February 24, 2004, EPIC appealed TSA's first two interim responses stating the agency had improperly withheld material responsive to EPIC's request and had not conducted an adequate search for responsive material. On April 26, 2004, TSA responded to the appeal, but did not release any additional information.
April 2, 2004, FOIA Request to TSA
The DHS Privacy Office's report (pdf) on the JetBlue transfer revealed that passenger data collection had begun prior to September 2002, the cut-off date from EPIC's first FOIA request. On April 2, 2004, EPIC filed a second FOIA request (pdf) with TSA seeking information dated from September 2001 to September 2002 that related to JetBlue, Acxiom, Torch Concepts, and SRS Technologies. TSA granted expedited processing of the request on April 16, 2004, but had not released any information or issued a determination on the request prior to EPIC filing suit.
April 12, 2004, FOIA Request to TSA
After American Airlines released its press release admitting the disclosure of passenger data to research companies working for TSA, EPIC filed a third FOIA request (pdf) with TSA seeking information on this disclosure. On April 15, 2004, TSA granted expedited processing of this request. On May 19, 2004, EPIC was informed that, at the request of the DHS, EPIC's FOIA request was forwarded to that agency for response. No information had been released nor had a determination on the request been issued by DHS prior to EPIC filing suit.
May 6, 2004, FOIA Request to FBI
On May 6, 2004, EPIC filed a FOIA request (pdf) with the FBI seeking "any records concerning, involving, or related to the FBI's acquisition of passenger data from any airline since September 11, 2001." EPIC also informed the agency that it had sent three FOIA requests to the TSA seeking similar information and that TSA had granted EPIC's request for expedited processing. On May 19, 2004, the FBI denied EPIC's request for expedited processing.
EPIC's Complaint for Injunctive Relief and Motion for Preliminary Injunction
On June 9, 2004, EPIC filed a complaint (pdf) with the United States District Court for the District of Columbia to force DHS, TSA, and the FBI to comply with FOIA and release all materials responsive to EPIC's four FOIA requests in an expedited manner. EPIC also filed a motion for an emergency order (pdf) to compel the FBI to grant expedited processing. The FBI reevaluated EPIC's request and soon thereafter granted (pdf) expedited processing, which effectively mooted EPIC's motion.
The agencies answered (pdf) EPIC's complaint on July 9, 2004, and admitted they had not finalized the processing of EPIC's four FOIA requests. They stated that the relevant offices would coordinate the final responses to EPIC's requests. The agencies also denied that they had wrongfully withheld records EPIC had requested.
On January 19, 2005, the agencies moved for summary judgment, arguing (pdf) that they had "conducted a thorough search and released all responsive, non-exempt documents" to EPIC. DHS and TSA released a "Vaughn index" (pdf), a document which listed the documents responsive to EPIC's request and explained why exemptions were used to withhold some material. The index and an accompanying declaration (pdf) from the DHS Privacy Office described more than 80 documents that had been withheld in full by TSA and DHS. The FBI also filed a declaration (pdf) detailing its search and the documents the FBI withheld from EPIC. This declaration revealed that the FBI obtained 257.5 million Passenger Name Records following 9/11, and that the Bureau has permanently incorporated the travel details of tens of millions of innocent people into its law enforcement databases.
EPIC agreed not to challenge exemptions claimed by the FBI in its decision to withhold certain records. EPIC also decided not to challenge TSA and DHS's withholdings under certain exemptions to FOIA which protect the agencies' internal rules and practices, privileged commercial information, information protected by attorney client privilege, or information when disclosure would interfere with ongoing law enforcement investigations. EPIC did challenge TSA and DHS's broad use of FOIA exemptions to protect "sensitive security information," personal privacy and the agencies' deliberative processes.
On February 22, 2005, EPIC opposed (pdf) the agencies' motion. EPIC asked the court to direct the FBI to conduct an adequate search for records responsive to EPIC's request. EPIC also asked the court to review each of the documents which TSA and DHS had withheld from EPIC and to determine whether they should be released to the public.
The District Court Decision
On July 25, 2005, the U.S. District Court for the District of Columbia issued its opinion (pdf) in the case. The court denied the agencies' Motion for Summary Judgment with respect to certain documents withheld by TSA and DHS.
The court determined that the FBI had conducted an adequate search for documents, and that DHS and TSA properly withheld some information under the FOIA. However, the court found that the agencies did not provide enough justification for numerous withholdings.
The court found that DHS may not withhold a document sought by the public simply by describing it as "sensitive security information" or "part of the deliberative process." Though federal agencies "are not required to describe the withheld portions in so much detail that it reveals the sensitive security information itself," the court found that the DHS and TSA's descriptions of certain withheld documents were insufficient.
The court also determined that while agency employees have a privacy interest in their identities, the agencies did not provide enough information for the court to decide whether business and agency identifiers and domain names were properly redacted to protect personal privacy.
The court has ordered TSA and DHS to provide more detailed justification for numerous withholdings.
Legal Documents
- Memorandum Opinion from the U.S. District Court for the District of Columbia (pdf) (July 25, 2005)
- Defendant's Reply to EPIC's Opposition to Defendant's Motion for Summary Judgment (pdf) (March 29, 2005)
- EPIC's Opposition to Defendant's Motion for Summary Judgment (pdf) (Feb. 22, 2005)
- Declaration of FBI's Chief FOIA Officer (pdf) (Jan. 19, 2005)
- Declaration of DHS Privacy Office's Chief Counsel (pdf) (Jan. 5, 2005)
- Vaughn Index for TSA and DHS records (pdf) (Jan. 19, 2005)
- Memorandum of Points and Authorities in Support of Defendant's Motion for Summary Judgment (pdf) (Jan. 19, 2005)
- EPIC's Complaint For Injunctive Relief (pdf) (June 9, 2004)
- EPIC's FOIA Request to the FBI (pdf) (May 6, 2004)
- EPIC's FOIA Request to the TSA RE: American Airlines (pdf) (Apr. 12, 2004)
- EPIC's Second FOIA Request to the TSA RE: JetBlue, Acxiom, Torch Concepts, and SRS Technologies (pdf) (Apr. 2, 2004)
- EPIC's Initial FOIA Request to the TSA RE: JetBlue, Acxiom, Torch Concepts, and SRS Technologies (pdf) (Sept. 22, 2003)
Selected FOIA Documents
- Airline Data Sets for PENTBOMB from the FBI (pdf)
- Email from DHS Privacy Office to TSA Officials Regarding Cooperation in the JetBlue Investigation (pdf)
- Torch Concepts Documents released by DHS and TSA (pdf)
Previous Top News
American Admits Disclosing Passenger Data. American Airlines has announced that Airline Automation, a vendor working for the airline, turned over 1.2 million passenger records in June 2002 to four companies that were competing for contracts with the Transportation Security Administration. The airline authorized the records to be disclosed to the agency, which then directed Airline Automation to give the data directly to the potential contractors. JetBlue and Northwest have made similar disclosures of passenger information. The Northwest disclosure was revealed through EPIC's FOIA work. (Apr. 9, 2004)
Homeland Security Privacy Office Releases JetBlue Report. The Department of Homeland Security's Chief Privacy Office has released a report (pdf) criticizing the Transportation Security Administration's role in the controversial transfer of JetBlue passenger information to Defense Department contractor Torch Concepts for use in a data mining study. The report finds that "The TSA employees involved acted without appropriate regard for individual privacy interests or the spirit of the Privacy Act of 1974." In September, EPIC submitted a complaint to the Federal Trade Commission alleging that JetBlue and data broker Acxiom committed unfair and deceptive trade practices by disclosing personal information to Torch Concepts in violation of their publicly posted privacy policies. The complaint is still pending. (Feb. 20, 2004)
Senators Request JetBlue Investigation. A trio of senators have sent a letter to Secretary of Defense Donald Rumsfeld, calling for an investigation into whether the Department of Defense violated Privacy Act regulations in its dealings with JetBlue Airways. In the letter, Susan Collins (R-Me.), Joe Lieberman (D-Conn.), and Carl Levin (D-Mich.) call on Rumsfeld to determine why Torch Concepts, a Department of Defense contractor, solicited passenger information from JetBlue and whether or not this action was a violation of the Privacy Act of 1974. EPIC has filed expedited Freedom of Information Act requests with several federal agencies to learn more about the uses of the disclosed JetBlue passenger records. (Oct. 21, 2003)
EPIC Files Complaint with Federal Trade Commission about JetBlue and Acxiom, Also Seeks Government Records on Secret Government Profiling Program. Today the Electronic Privacy Information Center filed a complaint with the Commission alleging that JetBlue and Acxiom violated federal consumer law when they transferred information on passengers in violation of their own privacy policies. EPIC also filed expedited Freedom of Information Act requests with several federal agencies. Press briefing at 1 pm EDT. For more information, see the European Digital Rights Initiative webpage. (Sept. 22, 2003)
JetBlue Confirms Sharing Passenger Data. JetBlue Airways has confirmed that in 2002 it had provided 5 million passenger itineraries to a defense contractor for proof-of-concept testing of a Pentagon project unrelated to airline security, without the passengers' consent. The contractor, Torch Concepts, then augmented that data with Social Security numbers and other sensitive personal information, including income level, to develop what looks to be a study of whether passenger-profiling systems such as CAPPS II are feasible. JetBlue clearly violated its own privacy policy by transferring its passenger data. Such a violation could be grounds for an investigation of unfair business practices by the Federal Trade Commission, which has the authority to fine companies and issue injunctions. Read more about JetBlue's transaction in Wired magazine. (Sept. 18, 2003)
Last Updated: July 28, 2005
Page URL: http://www.epic.org/privacy/airtravel/passengerdata/default.html