Privacy Rights Clearinghouse
Hallen D. Rosner (SBN 109740)
Alan M. Mansfield (SBN 125998)
John W. Hansen (SBN 214771)
ROSNER, LAW & MANSFIELD
10085 Carroll Canyon Road, First Floor
San Diego, California 92131
Attorneys for Plaintiffs
SUPERIOR COURT OF THE STATE OF CALIFORNIA
FOR THE COUNTY OF SAN DIEGO
PRIVACY RIGHTS CLEARINGHOUSE and PRIVACYACTIVISM, on behalf of the general public,
CASE NO. GIC 818603
Complaint for Violations of Business and Professions Code Sections 17200, et seq.
Plaintiffs the Privacy Rights Clearinghouse and PrivacyActivism (collectively, "Plaintiffs"), on behalf of the general public, allege as follows against the above-listed defendants and Does 1 through 25, inclusive (hereinafter referred to collectively as "Defendants"), all on information and belief, formed after an inquiry reasonable under the circumstances, which allegations are likely to have evidentiary support after appropriate investigation and discovery:
JURISDICTION AND VENUE
1. This Court has jurisdiction over all causes of action asserted herein pursuant to the California Constitution, Article VI, §10, because this case is a cause not given by statute to other trial courts.
2. This Court has exclusive jurisdiction over the claims asserted and each of the Defendants because each are individuals, associations or corporations that are either based in, authorized or registered to conduct, or in fact do conduct, substantial business in the State of California. Each of the defendants has sufficient minimum contacts with California, or otherwise intentionally avail themselves of the markets within California, through collecting monies, entering into contracts and/or distributing their products or services in California to render the exercise of jurisdiction by the California courts permissible under traditional notions of fair play and substantial justice. No state or federal regulatory agency has either primary, exclusive or any jurisdiction over the claims at issue herein and/or is able to provide the complete relief prayed for in this matter.
3. Venue is proper in this County as the acts upon which this action is based occurred in part in this County. One of the Plaintiffs resides in this County, and one or more of the Defendants received substantial compensation and profits from entering into agreements and/or the sale of their products or services to persons located in this County, caused misrepresentations to be disseminated, entered into transactions and/or breached agreements in this County. Thus, Defendants' liability arose in part in this County.
INTRODUCTION AND SUMMARY OF ACTION
6. Such conduct is of a continuing nature that requires prompt relief, since while some of the Defendants have claimed the profiling data have been destroyed, they have not taken the steps necessary to purge the offending data from the Internet as claimed, have not revealed the true facts underlying why such data were gathered and merged and under whose auspices, and the Defendants' true role in this controversy, and have not taken appropriate corrective relief to ensure the true facts are revealed and the data gathered are not replicated.
7. Defendants have uniformly represented to the general public through their representatives that their actions were legally appropriate when in fact they were not and/or Defendants have concealed material facts, as detailed throughout this Complaint, and the disclosure of such information was necessary in order to make Defendants' other representations not misleading for want of disclosure of such omitted facts or because Defendants possess superior knowledge of the true facts.
8. This private Attorney General action is brought by the Plaintiffs listed in ¶10 herein, to remedy violations of California's state consumer protection statutes arising out of Defendants' and/or their representatives' misrepresentations, omissions of material facts, and breaches of agreements.
9. Members of the general public also face irreparable harm in terms of, inter alia, not being fully informed of the true facts, not having the full value of any monies wrongfully received or saved provided to them, having the status of data regarding their personal travels and associated financial information vulnerable to reproduction (including for at least one individual whose personal data is still publicly available and who for a period of time resided in California), and having the offending materials still publicly available, accessible and usable.
10. (a) Plaintiff Privacy Rights Clearinghouse ("PRC") is an affiliate of the Utility Consumers' Action Network, a 501(c)(3) non-profit consumer advocacy organization with its office located at 3100 Fifth Avenue, San Diego, California. PRC is an education, research and advocacy organization that operates a consumer complaint hotline and publishes guides for consumers on how to safeguard informational privacy. Plaintiff asserts the Cause of Action solely in its capacity as a private Attorney General pursuant to the provisions of Cal. Bus. & Prof. Code Section 17204 and seeks no relief on behalf of itself.
(b) Plaintiff PrivacyActivism is a 501(c)(3) non-profit organization with its office located at 406 18th Street, San Francisco, California. The mission of PrivacyActivism is to enable people to make well-informed decisions about the importance or privacy on both a personal and societal level. PrivacyActivism has been an active participant in the public debate over the CAPPS II passenger profiling program discussed in detail below. Plaintiff asserts the Cause of Action solely in its capacity as a private Attorney General pursuant to the provisions of Cal. Bus. & Prof. Code Section 17204 and seeks no relief on behalf of itself.
(b) Defendant Torch Concepts Inc. ("Torch" or "Torch Concepts") is a Delaware organization operating and conducting business with at least one contractor located in California, and has its principal place of business located at 4650 Whitesburgh Drive, Huntsville, Alabama 35802. Torch is a claimed leader in advanced technology for content management and information mining. Torch was the organization that, under the guise of a government contract, procured the personal and confidential JetBlue passenger and reservations data set forth herein and thereafter, without the authorization or consent of either JetBlue or its passengers, contacted Acxiom Inc. obtained highly sensitive personal data regarding such passengers from Acxiom without notice, merged such data together to create a mega-database of personal information, used that database to engage in a massive and unprecedented passenger profiling project involving over a million JetBlue customers, then publicly disclosed the results of that profiling. Torch Concepts directly profited from the undertaking and completion of this passenger profiling study and is in part responsible for the wrongful conduct at issue herein.
(c) Defendant SRS Technologies ("SRS") is a California corporation with its principal place of business located at 1800 Quail Street, Suite 100, Newport Beach, California 92660. SRS claims to be a significant provider of information technology services to the government intelligence community, and through its Washington Group, engages in significant interaction with the U.S. Department of Defense and various government intelligence offices, and is a major military contractor. SRS was the government contractor who, allegedly at the request of the U.S. Army, subcontracted with Torch Concepts to perform the consumer profiling study referred to herein without consumer consent. This was apparently due to SRS's involvement in the development of the Pentagon's controversial (and now scrapped) Terrorist Information Awareness program, although SRS claims now there was no connection between the two projects. SRS has claimed that, even though as the government contractor it was or should be responsible for the actions of its subcontractor, the company had not been fully briefed on the details of the activities of Torch Concepts in gathering and merging passenger and reservation data for the purposes of engaging in a passenger profiling study without obtaining customer consent. SRS also likely directly profited from the creation of such a study pursuant to this government contract and is responsible in part for the wrongful conduct at issue herein.
12. The true names, conduct and capacities of the defendants sued herein under Code of Civil Procedure section 474 as Does 1 through 25, inclusive, are presently unknown to Plaintiffs who, therefore, sue these defendants by such fictitious names. Plaintiffs will include these Doe defendants' true names and capacities when they are ascertained. Each of the fictitiously named defendants is responsible in some manner, including, inter alia, as aiders and abettors or co-conspirators, for the conduct alleged herein and for the injuries suffered by the general public.
13. At all times mentioned in the Cause of Action alleged herein, each and every Defendant was an agent, representative, affiliate, or employee of each and every other Defendant, and in doing the things alleged in the Cause of Action stated herein, each and every Defendant was acting within the course and scope of such agency, representation, affiliation, control or employment and was acting with the consent, permission and authorization of the other Defendants (except where otherwise noted). During the relevant time period, each of these Defendants agreed either by words or conduct to misrepresent, fail or refuse to notify members of the general public about the scope and nature of the illegal business practices detailed herein, thus engaging in a conspiracy that resulted in injury to members of the general public.
14. Whenever this Complaint refers to any act or acts of Defendants, the reference shall also be deemed to mean that the directors, officers, employees, affiliates, controlling companies or agents of the responsible Defendant authorized such act while actively engaged in the management, direction or control of the affairs of Defendant, and each of them, and/or by persons who are the alter ego of Defendants, or while acting within the scope of their agency, affiliation, control or employment. Whenever this Complaint refers to any act of Defendants, the reference shall be deemed to be the act of each Defendant, jointly and severally.
15. Defendants hold themselves out as possessing superior knowledge regarding their products or services, particularly in the markets they serve. Defendants are either based in, entered into agreements with persons based or residing in, or provided their products or services for use throughout, California. Defendants generate millions of dollars each year by providing such products or services.
16. JetBlue is no stranger to controversy over possible invasions of passenger privacy, despite its public assurances to the contrary. In an article in Aviation Daily dated September 10, 2002, it was reported that certain airlines, including JetBlue, had surreptitiously placed video surveillance systems in the passenger cabins of its airplanes. Tom Anderson of Jet Blue admitted his company was using such surveillance cameras to view passengers during flight, but claimed JetBlue had no plan to store the images obtained and that passengers (to the extent they knew about it) had not complained. In addition, in December 2002 the U.S. Transportation Security Agency ("TSA") announced that, in cooperation with JetBlue, it was dispensing with the usual intrusive personal gate searches, but rather would engage in "enhanced security screening procedures" at the primary security checkpoint. JetBlue failed to elaborate what those "enhanced" measures were.
18. JetBlue specifically represents that any ticket information collected by JetBlue "is not shared with any third parties, and is protected by secure servers," and also claims to have in place security measures to protect against the loss, misuse and alteration of consumer information under JetBlue's control. Moreover, as to children, JetBlue specifically represents that it does not seek data from children and does not distribute to third parties any personally identifiable information about children without prior parental consent.
19. Despite these public assurances, which created a contractual obligation and duty on the part of JetBlue to persons with whom it did business not to act in derogation of that policy and to refuse to share personal and financial information collected on JetBlue's website with any third parties, in September 2002 - at or about the same time it had decided to implement the undefined "enhanced" security measures referred to above - Jet Blue turned over to Torch Concepts as part of a taxpayer-funded study for which Torch Concepts received compensation (as presumably did SRS, as the primary contractor for the project) JetBlue's Airline Passenger and Reservation database, containing the personal information of JetBlue travelers between the beginning of 2000 and September 2002 - approximately 5 million records from over a million passengers that had flown JetBlue prior to that date, and presumably without distinguishing between adults and children. This database contained passenger names, addresses, and telephone numbers. Also, while JetBlue has not expressly admitted to this, the reservations data base provided to Torch would have contained information regarding passenger itineraries so that Torch Concepts could analyze passenger traffic patterns, and possibly contained other information.
20. All of this personal information was stored in temporary, intermediate computer storage within JetBlue's servers since JetBlue takes a significant number of its reservations directly either over the Internet or through the phone, and such data are entered and stored in such servers. Yet prior to turning over such data, JetBlue failed to obtain the consent of passengers necessary under its policy to permit it to turn over such data to a third party for profiling, testing or any other purpose, and failed to provide notice to consumers about Defendants' use and manipulation of their data and the sharing of such data with an unrelated third party.
21. While admitting on or about September 17, 2003, that it violated the rights of privacy of over a million consumers, many of whom are likely located in California, and while JetBlue's CEO, David Neeleman, claims all this was all done without his knowledge, JetBlue claims it provided this massive amount of information in violation of the civil liberties of its passengers in "an act of patriotism" and "a concern for the safety of its passengers," in response to an "exceptional request from the Department of Defense" in an effort to assist with a government project regarding military base security (calling to mind a Benjamin Franklin quote: "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety"). If this were the case, such conduct by JetBlue may have been in violation of both federal and state law, since a defense contractor that sets up a private records system may need to issue official notice of that system, which did not take place here. But more significant, this explanation appears implausible in light of the lack of any apparent correlation between such passenger data and military base security, and co-defendant Torch Concepts claims otherwise in its presentation materials.
22. In a February 25, 2003 report entitled "Homeland Security Airline Passenger Risk Assessment", prepared by Torch Concepts and publicly disclosed at a seminar conducted by the Tennessee Valley Chapter of the National Defense Industrial Association - sponsored by the TSA on the development of the TSA's airline passenger surveillance system -- Torch claims that it made initial overtures to obtain passenger data for this particular study in December 2001 from various airlines. After receiving funding for conducting a "passenger screening" study in March 2002, Torch claims that in July 2002 it was "given assurance that we would receive the necessary data base being used by CAPPS II contractors in weeks" (by way of background, CAPPS II stands for the second version of the Computer Assisted Passenger Prescreening System, a controversial air passenger profiling system in the testing stage but being opposed by numerous privacy and civil liberties advocates as one of the largest surveillance efforts ever undertaken by the U.S. government on its own citizens). The "CAPPS II contractor" was not identified, but at the time JetBlue had agreed to participate in CAPPS II.
23. Moreover, according to published reports on or about September 15, 2003, the TSA had previously informed privacy advocates that JetBlue had given assurances to the TSA that it would help in the testing of CAPPS II. JetBlue now claims it has rescinded that agreement, and JetBlue's Neeleman claimed on or about September 22, 2003 that JetBlue was not participating and will not participate in CAPPS II, despite earlier contrary statements.
24. In August 2002, Torch was informed (presumably by the TSA) that it would be receiving JetBlue's data base of customers for prior to September 2002, and in September 2002 actually received the JetBlue data base. Despite a later representation by JetBlue officials that "no data files were ever shared with the Department of Defense or any other government agency or contractor" and that it had provided such data to Torch over a year before this revelation, Torch - a government contractor -- claims to have received government funding for its passenger risk assessment project in March 2002 and the JetBlue data in connection with that particular project in September 2002.
25. If Torch had previously received this data over a year before September 2003 there would have been no reason for the TSA to claim to have "facilitated" the transfer of such data as part of this project in August 2002. The TSA now claims to have had no role in this project and that it was not conducted under its auspice, despite the contrary statements of Torch Concepts in its presentation referring to several meetings with the TSA and the fact this study was presented at a TSA-sponsored seminar.
27. In October 2002, based on the massive data base it had received from JetBlue, Torch Concepts purchased data from a data aggregation company, Acxiom, Inc., containing detailed passenger demographic information. That data was then "merged" to create a mega data base of JetBlue passenger information - name, address, gender, own or rent a home, years at residence, economic status, number of adults and children in family, Social Security number, occupation and number of vehicles owned or leased.
28. Based on the data it received from Acxiom as part of its agreement with JetBlue, Torch Concepts was thereby able to gather detailed demographic data for over 40% of the entire JetBlue data base provided to Torch. Torch Concepts then engaged in a data analysis for 200,000 "sample" passengers, grouped into "Younger Affluent" and "Older Affluent" categories, to determine JetBlue's passenger median age, income, length of residence, home ownership status, gender, adults, and children in family and Social Security number grouping - all valuable marketing information (interestingly, Acxiom has an "ongoing relationship" with Jet Blue that would make the results of such information useful to JetBlue), but arguably at best a tangential relationship to military base security.
29. As a result, with the active assistance of and/or agreement from Jet Blue, Torch Concepts, acting as a subcontractor for SRS, was able to create an unprecedented customer profiling scheme to "demonstrate that airline passenger and reservation data can be clustered to form groups of conventional travelers" and then show how this type of characterization, when extended to a more complete data base, can be used to identify "high risk passengers" who would be tagged yellow or red (and thereby subject to either higher pre-flight airlines checks or detention) to "distinguish normal JetBlue passengers from past terrorists" based solely on data attributable to "erroneous entry, fraud or mischief." Significantly, while this study was supposedly related to military base security, nowhere in the 23-page report by Torch Concepts does it mention or even imply that this study was performed as part of an analysis of military base security. However, such a study sounds close to what is contemplated under CAPPS II.
30. As an example of the type of data it had managed to gather, Torch Concepts publicly disclosed the personal details of what it characterized as "anomalous customer data" for at least one passenger, which was then made available on the Internet - where it remains accessible today, contrary to JetBlue's claims to the contrary that such data are no longer accessible. The most Torch will say about this gaffe is that it was "unfortunate."
31. In an ominous Orwellian statement, Torch Concepts concluded that its profiling system was workable and that with two additional elements that would require even more intrusive profiling (miles flown annually and lifetime) it would be able to "identify and characterize all normal travel patterns" and develop "passenger stability indicators" to assist in the passenger profiling process.
32. In the days since these revelations of wrongdoing began to be reported, JetBlue has admitted it made a "mistake" but tried to publicly obfuscate its role in this controversy. First, in an interview published on or about September 17, 2003, JetBlue cryptically admitted that "we clearly have to review internally this decision and reconsider our policies" in light of this admittedly embarrassing disclosure (not revealing which of its policies it needed to reconsider), but claimed that no customer information "has been provided for purposes of testing the CAPPS II program currently under design."
33. In light of the above statements made by the TSA about JetBlue's involvement in CAPPS II at the time of this study and where the study results were presented, this statement is of dubious accuracy. It is also misleading because the Torch Concepts analysis may not have been directly part of CAPPS II, but still tested a computer assisted passenger profiling system of some form utilizing massive computer profiling of passengers that at least looks like a CAPPS II prototype, and its design involved several meetings with the representatives of the TSA (which is overseeing the CAPPS II program), rather than with the Army or the Department of Defense, since at all relevant times the TSA was under the jurisdiction of the Department of Transportation.
34. Second, on or about September 18, 2003, JetBlue began to send e-mails to angry passengers, signed by CEO Neeleman in an attempt to distance itself from the controversy and "set the record straight". JetBlue represented that it has never supplied data to the TSA "or any other government agency" for CAPPS II "or for any other purpose whatsoever." Yet the TSA's spokesperson Brian Turmail has stated the TSA facilitated the transfer of JetBlue data to its contractor for a project that appears analogous to the mechanism that is contemplated in CAPPS II, thus at a minimum making JetBlue's statement misleading for want of disclosing material facts. Moreover, unless JetBlue agrees this data was misappropriated, it did in fact voluntarily turn over personal JetBlue passenger data to a TSA or government contractor for at least some purpose.
35. JetBlue also claims that the project had no connection with CAPPS II or aviation security, despite the express statement in the Torch study that its objective was to show how by "characterizing" passengers such an aggregation analysis "can be used to identify high risk passengers." JetBlue also asserts "no data files were ever shared with the Department of Defense or any other government agency or contractor". Yet JetBlue admitted turning over private passenger name, address and itinerary information obtained from its website and kept in storage on its own computer system, and transferred such data either directly or indirectly to Torch Concepts in electronic format. JetBlue apparently is using its own undisclosed definition of a "data file".
38. SRS has also attempted to distance itself from this controversy. The study in question was performed pursuant to contract that SRS had apparently entered into with the federal government. Torch Concepts acted as a subcontractor under that contract. But while as a matter of practice contractors should be responsible for the acts of their subcontractors, especially in the area of sensitive issues involving consumer privacy, SRS claims it had no role in the study and "was not briefed" on what Torch was actually doing with the data it obtained from JetBlue and Acxiom pursuant to that government contract. Either these statements are untrue because SRS did know, or SRS abdicated its responsibilities as a government contractor to know what its subcontractor was doing, to the detriment and injury of members of the general public.
39. There has been either no or insufficient notice or warning provided by Defendants disclosing the material facts stated above, even though there was a regular series of correspondence or method of communication where either authorization or disclosure could be obtained or made. In addition, Defendants appear to be aware of this inaccuracy, as their representatives apparently answer inquiries by referring to scripted answers. Such conduct has adversely impacted and will continue to impact the general public.
40. As a result of the foregoing, Defendants or their representatives are failing and refusing to abide by and breaching their own agreements with customers and/or applicable standards in the industry, taking actions in violation of state and federal privacy laws including, inter alia, Article I of the California Constitution, the common law and statutory right of privacy, and 18 U.S. C. Section 2701 et seq., making uniform misleading representations about the data in question, why it was provided and utilized, what was the true purpose of the profiling study, what actions have been taken to delete the information from the Internet and what became of the data and any copies thereof, and/or consistently and uniformly omitting material facts as set forth above. Defendants are also failing and refusing to advise members of the general public of the material facts as set forth above.
41. Members of the general public are particularly vulnerable to such deceptive and fraudulent practices. Most persons possess limited knowledge of such a potential for misleading statements and the massive amount of data gathering and profiling that can occur in the travel industry absent adequate protections.
42. Defendants have represented that they possess special expertise in the offering of such products and services and presumably would not place profits over their duties and obligations to their customers. Without having been fully informed of the facts as detailed herein, members of the general public may not be aware of their rights and how such conduct violates those rights.
43. Defendants' failure to abide by their legal obligations and their making of false and misleading representations or failing to disclose material facts as set forth above are ongoing and continue to this date.
FIRST CAUSE OF ACTION
Unlawful, Unfair and Fraudulent Business Acts and Practices
44. Plaintiffs hereby incorporate each and every allegation contained in ¶¶1-43 as if fully alleged herein and further alleges as follows.
45. Defendants' acts and practices as detailed above constitute acts of unfair competition. Defendants have engaged in an unlawful, unfair or fraudulent business act and/or practice within the meaning of California Business & Professions Code §17200.
46. Defendants have engaged in an "unlawful" business act and/or practice by engaging in the conduct set forth above. These business acts and practices violated numerous provisions of law, including, inter alia, state and federal privacy laws as set forth above, California Civil Code §1565 et seq., California Civil Code §1709, the Consumers Legal Remedies Act, California Civil Code §§1750, et seq., as well as operate as a systemic breach of uniform agreements. Plaintiffs reserve the right to identify additional violations of law as further investigation warrants.
47. Through the above-described conduct, Defendants have engaged in an "unfair" business act or practice in that the justification for such actions and the refusal to notify the general public of the true facts, either in the past or presently, based on the business acts and practices described above is outweighed by the gravity of the resulting harm, particularly considering the available alternatives, and/or offends public policy, is immoral, unscrupulous, unethical and offensive, or causes substantial injury to consumers.
48. By engaging in the above-described conduct, Defendants have engaged in a "fraudulent" business act or practice in that the business acts and practices described above had a tendency and likelihood to deceive JetBlue passengers and the general public.
49. Defendants need only to have violated one of the three provisions set forth above to be strictly liable under this Cause of Action.
50. The above-described unlawful, unfair or fraudulent business acts and practices engaged in by Defendants continue to this day and/or present a threat of irreparable harm to the general public. Defendants have failed to publicly acknowledge the wrongfulness of their actions and provide the complete relief required by the statute.
51. Pursuant to California Business & Professions Code §17203, Plaintiffs, on behalf of the general public, seek a temporary, preliminary and/or permanent order from this Court prohibiting Defendants from refusing to continue to engage in the unlawful, unfair, or fraudulent business acts or practices set forth in this Complaint and from failing to fully disclose the true facts as set forth herein, and or ordering Defendants or their representatives to stop misleading the public and engage in a corrective campaign, particularly in light of the public misperception created by Defendants' and/or their representatives' misstatements and omissions of material fact, as well as provide appropriate equitable monetary relief as the court deems just and appropriate to all persons with a vested interest therein.
52. Plaintiffs, on behalf of the general public, also request the Court issue an order granting the following injunctive and/or declaratory relief:
a. That a judicial determination and declaration be made of the rights of the general public, and the corresponding responsibilities of Defendants;
b. That Defendants' representatives be ordered to cease and desist from making misrepresentations to the general public; and
c. That Defendants be required to provide equitable monetary relief to the members of the general public adversely affected by the practices at issue.
PRAYER FOR RELIEF
WHEREFORE Plaintiffs pray for judgment against Defendants, and each of them jointly and severally, as follows:
(1) For the declaratory, equitable, injunctive, equitable monetary and/or other relief requested;
(2) For attorneys' fees pursuant to, inter alia, the private Attorney General doctrine and/or C.C.P. §1021.5 as may be appropriate, and for costs of suit incurred herein; and
(3) For such other and further relief as this Court may deem just and proper.
DATED: September __, 2003 ROSNER, LAW & MANSFIELD
By: ALAN M. MANSFIELD
Attorneys for Plaintiffs