The Complexity Underlying JetBlue’s Privacy Policy Violations

This report examines the actions of JetBlue Airways Corporation (JetBlue), which violated its privacy policy when it gave the travel records of five million customers to Torch Concepts, a private Department of Defense contractor. JetBlue’s actions have prompted at least two lawsuits, including a claim by the Electronic Privacy Information Center with the Federal Trade Commission that JetBlue engaged in deceptive trade practices when it violated its privacy policy. Our analysis reveals that JetBlue’s privacy policy contains ambiguities, which may pose additional significant threats to customer privacy. The complexity of our actor/information flow model elucidates the importance of organizations establishing clear contractual relationships that specify permissions, obligations and responsibilities for all parties. An implication of this study is that the anti-terrorism exercise of the new Department of Homeland Security described below has taken place at the expense of personal privacy.