by Martha Cooke | November 01, 2003

When the public learned in September that New York City-based airline JetBlue had shared passenger information with a defense contractor a year earlier, the outcry led to two class-action lawsuits and a formal complaint by a privacy watchdog group. Industry experts say the incident exposed serious flaws in the use of online travel data. "It seems once the information is in the hands of the airline, it’s up to them to protect it," said Marcia Hofmann, staff counsel at the Washington, D.C.-based Electronic Privacy Information Center, which filed a complaint with the Federal Trade Commission in September.

JetBlue CEO David Neeleman denied knowledge of the events, which involved the transfer of five million passenger records to Huntsville, Ala.-based Torch Concepts, a data-mining/management firm with which the government had contracted for testing a terrorist screening program. The carrier provided the information when the Department of Defense asked JetBlue to assist with a project on military base security, Neeleman said. EPIC alleged this action violated JetBlue’s privacy policy, which states the carrier will not share personal and financial information with third parties. "We realize that we made a mistake," Neeleman wrote in a letter to the airline’s customers in September.

Travel data is not nearly as well protected as financial or medical data, according to Edward Hasbrouck, San Francisco-based privacy expert and author of the travel technology book, The Practical Nomad (Avalon Travel). Hasbrouck advises asking a lawyer to add privacy clauses to travel agent or airline contracts limiting disclosure of information to vendors and specifying terms under which the data can be used.

Others said vendors’ privacy policies are problematic. "A lot of them are written in legalese," said Jay Ellenby, president and CEO of Safe Harbors Travel Group Inc., a Baltimore-based corporate travel management firm. In fact, a national survey of 1,200 online consumers released this summer by the Annenberg Center for Public Policy of the University of Pennsylvania in Philadelphia found more than half of respondents were confused by online privacy policies. In September, the Bellevue, Wash.-based Customer Respect Group released a study that included an analysis of nine airline privacy policies. The report said those of Continental and US Airways were the hardest to understand and relied heavily on legal jargon.

The bottom line? "Don’t reveal any information online that you would not reveal over the phone," warned Thorsten Ganz, vice president of research at CRG.

"For travelers, privacy is the big issue on the horizon, and it’s just waiting for something to bring it out in the open," said Hasbrouck. "JetBlue is not going to be the end of this."

BRUCE MYINT