From potential customer to boycotter: jetBlue, what were you thinking?

I wanted to fly jetBlue, but then they did something stupid, and now I won't. Bruce Schneier explains why their actions were dumb in Terror Profiles by Computers Are Ineffective:

Many JetBlue customers feel angry and betrayed that their data was shared without their consent. JetBlue's privacy policy clearly states that "the financial and personal information collected on this site is not shared with any third parties." Several lawsuits against JetBlue are pending. CAPPS II is the new system designed to profile air passengers -- a system that would eventually single out certain passengers for extra screening and other passengers who would not be permitted to fly.


There's a common belief - generally mistaken - that if we only had enough data we could pick terrorists out of crowds, and CAPPS II is just one example. In the months after 9/11, the FBI tried to collect information on people who took scuba-diving lessons. The Patriot Act gives the FBI the ability to collect information on what books people borrow from libraries.


Security is always a trade-off: How much security am I getting, and what am I giving up to get it? These "data-mining" programs are not very effective. Identifiable future terrorists are rare, and innocents are common. No matter what patterns you're looking for, far more innocents will match the patterns than terrorists because innocents vastly outnumber terrorists. So many that you might as well not bother. And that assumes that you even can predict terrorist patterns. Sure, it's easy to create a pattern after the fact; if something identical to the 9/11 plot ever happens again, you can be sure we're ready. But tomorrow's attacks? That's much harder.

Written by Andrew Ittner in misc on Sat 17 January 2004. Tags: commentary, privacy