Mistakes Happen
Updated · Oct 08, 2003
I'm sure you read about it in the news recently. You're likely to have heard about it by the water cooler. For a couple days, everyone talked about it. A company with an airtight customer privacy policy handed over the private, personal customer data it vowed to protect to a third party. The third party analyzed the data, appended it to other data it collected, and used it for its own purposes. If you're a customer of the first company, you're angry. But you can't blame the first company, can you? They didn't have a choice. They had to turn over private, personal customer data and breech their own privacy policy — or violate federal law.
Confused?
You may think I'm talking about the boneheads at JetBlue who thought it a good idea to turn over private, personal customer data (five million passenger itineraries) to Torch Concepts, a company conducting a study for the Department of Defense. No one forced JetBlue to fork over the information. They just thought it was a good idea. Why was it a good idea? I have no idea.
Neither does JetBlue's CEO, David Neeleman. In a statement addressing the obvious gaffe, he notes, “Although I had no knowledge of this data transfer at the time it was made, I accept full responsibility for this action by our company.”
Isn't accepting responsibility what CEOs are supposed to do? Doesn't that come along with the title, salary, stock options, car service and private jet? Are we to congratulate him for not pulling a Bernie Ebbers and proclaiming himself a victim of his own company's incompetence? His statement is tantamount to one of his own baggage handlers professing, “Although I have no knowledge of how your luggage ended up in Peoria, and it really isn't my fault you're without your suit for that big client meeting, I will try to help get your luggage returned.”
Would Neeleman be proud if he overheard that statement coming from one of his employees?
Neeleman's statement shows he still misses the big picture. Another excerpt: “The information we gave was limited to name, address and phone number, along with flight information. Absolutely no payment or credit card information was given by JetBlue.” He seems to think customers are more concerned about their financial security than their privacy. Everyone knows if your credit card is stolen, you're only liable for the first $50 in charges. The real problem is the information JetBlue gave Torch Concepts provided the means to track the movements of JetBlue's customers from coast-to-coast. These are private citizens neither charged with nor convicted of crimes. When appended to additional data Torch collected, it's anyone's guess as to the level of personal privacy violated. Your personal privacy is worth well in excess of the $50 you might pay if your credit card were stolen.
JetBlue made a stupid mistake. It should never have happened. It's likely they won't make the same mistake again. Unless, of course, a federal court orders JetBlue to provide a third party with the personal, private data it collects from customers. Couldn't happen, could it? Maybe Neeleman should spend some time with Ivan Seidenberg, Verizon's CEO.
Verizon has a privacy policy protecting customer data. Verizon takes that privacy policy seriously. When the Recording Industry Association of America (RIAA) used the powers vested in it by The Digital Millennium Copyright Act of 1998 to request Verizon turn over private, personal customer data, Verizon said no. A federal court judge ordered Verizon to hand over the customer data to the RIAA.
At the time, the RIAA argued the information would be appended to data it collected on its own, and used to identify specific Verizon customers who clearly infringed on RIAA members' copyrights by swapping songs over the Internet. The RIAA claimed it wasn't after the little guys peddling a song here or there, but instead was targeting those Verizon customers who were extreme file-sharers. It wasn't after street corner dime-bag peddlers; it was after drug cartels. Verizon wondered if the little guys, even innocent customers, would be caught in the dragnet. The RIAA assured the federal court judge it could identify IP addresses of miscreant file sharers. All it needed was for Verizon to provide some additional information (like name, address and telephone number) to identify the criminals.
Sarah Ward may become to the RIAA what Rosa Parks became to Jim Crow laws.
Sarah Ward is a 66-year-old grandmother living outside Boston. She's a retired schoolteacher who enjoys sculpting. Recently, she faced a $300 million penalty for illegally swapping music online.
Sarah Ward was identified by the RIAA as an extreme file sharer. Using information the RIAA collected and combined with customer data requested from Comcast under the Digital Millennium Copyright Act (unlike Verizon, Comcast didn't fight the RIAA's request), the RIAA accused Ward of having over 2,000 copyrighted songs available for download to anyone using the KaZaa network. At a penalty of $150,000 per song, (the maximum penalty) that works out to a cool $300 million.
You can only imagine how Sara Ward felt. Spend your whole life teaching children, retire to long afternoons of sculpting. Suddenly, her pension and Social Security checks were at risk of being garnished because of a few thousand Frank Sinatra and Bing Crosby tunes on her hard drive.
Just one problem. Ward doesn't have KaZaa on her computer. Ward uses a Mac. KaZaa doesn't run on a Mac. The tunes? They didn't exist. Neither did songs by Busta Rhymes or Trick Daddy the RIAA claimed were also on Ward's drive. A 66-year-old grandmother with a taste for rap? Are “Pass the Courvoisier” and “I'm a Thug” good sculpting music?
Ward's attorney fired off a letter to the RIAA. After investigating, the RIAA dropped the case, not without noting, “…we reserve the right to refile the complaint against Mrs. Ward if and when circumstances warrant.” Mrs. Ward's assured pension and Social Security are safe from the RIAA — for now.
What happened to the RIAA's assurances innocent citizens wouldn't be caught in the stomp down? How quickly can Ivan Seidenberg's attorneys bring the RIAA's mistake to the attention of the federal courts and request requirements to provide personal, private customer data to the RIAA be overturned?
Not soon enough for the unknowing, innocent Mrs. Wards of the world who may soon receive a you-owe-us-$300-million letter from the RIAA. Like Neeleman making sure JetBlue never turns over private personal data to third parties again, the federal government should ensure the RIAA doesn't again have the opportunity to bring criminal charges against innocent citizens.