Eric Nee: Mind Your Own Business

The Federal government’s controversial airline passenger screening system, dubbed CAPPS II, is effectively dead, the victim of the government’s own hubris. Homeland Security Secretary Tom Ridge was compelled to throw in the towel this summer, after the project drew fire from both liberals and conservatives who were concerned about its invasion of personal privacy.

The Transportation Security Administration’s plan involved running the name of every airline passenger through a massive database that contained not only government information, but commercially available information as well— including such personal data as credit reports, automobile registrations and home ownership records—all in hopes of detecting potential terrorists. The American Civil Liberties Union and the American Conservative Union opposed the system because of its invasiveness and the lack of privacy protections. The Association of Corporate Travel Executives opposed it because of the additional costs and potential delays the system would impose on air travel, an already beleaguered industry. Still others believed that the project was so ambitious that it would simply never work.

The demise of CAPPS II provides a stark reminder that even projects supported by organizations as powerful as the federal government can be stopped in their tracks if they fail to balance the interests of security and personal privacy. It also points up the importance of taking privacy concerns into consideration when the systems are first designed, rather than simply trying to add them on at the end in response to public outcry.

And therein lies a message for corporate America: If systems such as CAPPS II can be stopped, it can happen to corporate initiatives as well. Designing new systems without thinking about the privacy implications is a risky approach, especially given the growing number of sophisticated and intrusive new technologies that allow government and private companies to track people and to store and analyze information about them. These wonder technologies include RFID, global positioning, database mining, biometrics, Internet cams and spyware, among others.

“With the proliferation of so many new technologies, privacy is a key issue these days,” says Marc Rotenberg, executive director of the Electronic Privacy Information Center. “What the government and private sector should expect is that there will be continuing public scrutiny of these issues.”

Consider RFID tags. From the beginning, retailers have been enamored of the possibilities these little chips offer. Consultants and futurists have served up an array of inviting scenarios showing how RFID chips embedded in products can be used both to make supply chains more efficient and to track consumer behavior. Embed an RFID tag in consumer loyalty cards, install RFID readers around the store, and the possibilities seem endless. Retailers can find out when their best customers enter the store, and they can track what route those customers take through the store in order to learn if merchandise and promotions are displayed in the right locations. Such systems would allow retailers to learn not only what items customers buy, but also what items they look at but don’t buy. And these are just a few of the possibilities.

What many retailers have failed to do when dreaming up such ideas is to consider the privacy issues engendered by such projects. Can customers with loyalty cards opt out of this interactive shopping experience, or even choose to be in or out on different days depending on their mood? How much personal information about the customer will be attached to the shopping information? What are the company’s policies concerning this information when the government asks for it?

Consider the experience of JetBlue Airways Corp. In 2002, Torch Concepts, a Department of Defense contractor based in Huntsville, Ala., asked JetBlue for a copy of its customer database so that it could do a trial study for the DoD on potential terrorist travel patterns. JetBlue turned over the data records—including name, address, telephone number and itinerary—of 1.5 million passengers to Torch, mistakenly thinking that the federal government required them to do so. Acxiom, the data aggregator that stored the information for JetBlue, also sold Torch a wealth of other data on these same passengers, including Social Security numbers, the number of children and adults in the household, home ownership records, the works. JetBlue’s CEO later publicly apologized for this breach of customer privacy.

The subsequent bad publicity about JetBlue is just one of the possible consequences of serious violations of personal privacy. That’s why RFID is a potential quagmire for companies that don’t deal with these issues from the start. Some of the same groups that stopped CAPPS II, such as EPIC and the ACLU, are also targeting RFID. In July, EPIC’s policy counsel, Cédric Laurant, testified before a House subcommittee on the potential threat that unfettered RFID use posed to consumers. “The indiscriminate use of personally identifiable information is already a significant issue for consumers in the U.S., as numerous surveys have shown,” said Laurant during his testimony. “As RFID applications move into widespread use, this problem will only become more serious.” Laurant called on Congress to create laws to regulate the use of RFID and what companies can do with the information they collect.

RFID is only one of many new technologies that pose significant risks to personal privacy. Global Positioning Systems are another. Rental car agencies are now putting GPS in their cars (some 25 percent of rental cars now have them), which allows the car companies to track where the car, and driver, went. What will the car companies do with that information? How will it be stored? Will the company keep records of everybody who rents a car along with where they drove? Will these records be made available to the government?

Kate Delhagen, an analyst at Forrester Research, has come up with five lessons every company should learn when it comes to privacy.

  • Never underestimate the power of privacy bombs. Incidents that seem minor at the start can mushroom into major events very quickly. Groups like EPIC are focused on finding out about these incidents, and news organizations are ready to pounce.
  • Don’t mess with your customer’s data. Businesses that have collected customer data have done so with an explicit or implicit pact as to what they consider appropriate use of the information. Organizations that violate that pact are taking a big risk.
  • Designate a point person. Many large companies, particularly in the financial-services and healthcare sectors, have a chief privacy officer who is responsible for making sure the company pays attention to this issue. Every company should designate someone for this role.
  • Revisit your privacy policy and training plans—now. Every company should re-examine its privacy policies to make sure they are appropriate, and then train every single person in the company on how to treat customer information.
  • Don’t think privacy protection is a do-it-once-and-it’s-done thing. All of the factors that affect privacy and the collection of customer information—technology, laws, consumer behavior and opinions—are continually changing. Policies and practices that were once appropriate will probably no longer be appropriate in the future.


    Eric Nee, a longtime observer of Silicon Valley, has served in a variety of editorial positions at Forbes, Fortune and Upside magazines. His next column will appear in November.

  • Get the Free Newsletter!

    Subscribe to Daily Tech Insider for top news, trends, and analysis.

    Latest Articles