Monday, 5 January 2004

USA uses airline reservation data as basis for flight cancellations and interrogations

As I was driving to Los Angeles (it's a nice place to visit, but I wouldn't want to live there) on Christmas Eve and Christmas Day, Air France (AF) flights to LAX were being cancelled at the instigation of the USA Department of Homeland Security. By the time I got back to San Francisco yesterday, more flights to the USA had been cancelled, including flights from London on British Airways (BA) and from Mexico City on Mexicana (MX). Passengers presenting themselves for check-in on the cancelled flights, as well as for other flights that were eventually allowed to proceed, were subjected to additional searching and interrogation before departure and/or on arrival in the USA. And people whose names match (or are considered to be similar to) names on passenger manifests, but who didn't show up for check-in, have been and continue to be sought for questioning by law enforcement and intelligence agencies in the USA, UK, France, and perhaps elsewhere.

Despite extensive news coverage of the flight cancellations, few questions have yet been asked about how the DHS got access to the passenger manifests, particularly for flights that originated in the European Union and that were cancelled 24 hours or more before their scheduled departures.

As I've reported here at length, the USA has demanded that all passenger airlines flying to the USA provide the DHS with "enhanced" passenger manifests at the time any flight bound for the USA takes off, under the "enhanced Advanced Passenger Information System (APIS)". (Strictly speaking, a "manifest" contains only names. The enhanced APIS data includes nationality, passport number, date of birth, etc.)

In the absence of any legal privacy protection for the APIS data once transferred to the USA, the enhanced APIS requirements are contrary to European Union data protection law. On 16 December 2003, following extensive negotiations between the USA and the European Commission, the EC proposed an "agreement" which would, if various conditions are met, permit the use in the enhanced APIS system of data collected in the EU.

Questions remain as to whether those conditions have been met, whether the agreement requires the approval of the European Parliament and/or the U.S. Senate (as a treaty), or whether the agreement is yet in force.

But even if the agreement were in full effect, it would only cover transfers of data on passengers actually on board at the time of flight departure.

From news reports, it is clear that the DHS obtained complete lists of names on reservations (even of people in whose name reservations were held, but who did not check in or board the flights), well in advance of flight departures. I can find no conceivable interpretation of the enhanced APIS agreement on transfer of passenger data, as it was presented by the EC to the European Parliament, that could include this transfer of data on non-passengers in its authorization.

One of the largest reasons for sending the passenger manifest only at "wheels up" is that until the plane is airborne it is impossible to know with certainty who will be on it, or who will board or be offloaded at the last minute. Any list transferred in advance of takeoff will inevitably risk including information on non-passengers, the more so the further in advance.

To date, no one has been arrested. No one is known to have tried to hijack or sabotage a plane. Of those names on reservations suspected of being potential terrorists, "One turned out to be a 5-year-old boy with the same name as a suspected Tunisian terrorist, another was an elderly Chinese woman and a third was a Welsh insurance agent," according to the Washington Post.

Some USA officials have said that some of those who held reservations but didn't show up for flights have "fled", and have tried to point to such no-shows as "suspicious". How Orwellian: if a suspect tried to check in, that would undoubtedly be pointed to as confirmation that there was a threat. But if a suspect doesn't check in, that too confirms that there was a threat.

All this really just confirms how little the DHS understands airline reservations -- even after years of development and testing of the CAPPS-II system for profiling passengers based on the contents of their reservation PNR's.

It would be extremely strange for there to be no no-shows, especially on a full long-haul holiday flight. Except for a few airlines that have abolished paper tickets, airlines have no certain way of knowing which reservations have been ticketed. Anyone can make reservations for anyone else, in any name, without the other person's knowledge. Travel agents sometimes make reservations for people who merely inquire about prices, since it's impossible to tell for sure at what price seats are available without confirming reservations. Sometimes the agent forgets to cancel the reservations, and sometimes the would-be passenger decides not to travel at all, and doesn't even know that reservations have been made in their name. Some percentage of ticketed passengers cancel or change their plans at the last minute, sometimes without bothering (or without being able) to notify the airline.

The bottom line is that until takeoff, any so-called "manifest" inevitably contains names and perhaps other data on people who aren't actually travelling, some of whom don't even know that their data is included.

This is a major flaw in the Privacy Act notice published by the DHS for the CAPPS-II system: the "Categories of Individuals covered by the system" are limited to, "Individuals traveling to, from or within the United States by passenger air transportation." But PNR's also include data on people who aren't travelling -- even people who never even bought tickets and may not even have known that reservations had been made in their name.

As I pointed out in my comments on the CAPPS-II Privacy Act notice, PNR's also contain personally identifiable data on numerous other categories of individuals not mentioned in the notice, including people who make reservations or pay for tickets for others, travel agents, and airline reservation staff. It's hard to say whether the omission of these other categories of data subjects from the notice is a sign of deception or ignorance on the part of the DHS, but either way it's a fatal flaw requiring re-publication of an expanded notice.

In the EU, it's clear that the transfer of reservations data (including data from PNR's for no-shows and other non-passengers), well in advance of flights, was not authorized by the proposed enhanced APIS agreement, which was limited to passenger data transferred only at takeoff.

Could there have been any other authority for the data transfer to the USA from British Airways, Air France, and the Amadeus CRS (based in Spain) that hosts their reservation databases? That's a question for the EC, the European Parliament, and the UK, French, and Spanish national data protection authorities to investigate, under the EU data protection agreement, national data protection legislation, and the EU code of conduct for CRS's.

Amadeus' employees -- already upset about the potential complicity of Amadeus in CAPPS-II -- will likely also raise more internal questions about whether Amadeus is already involved in CAPPS-II testing or other unauthorized and illegal data transfers, as it appears to be. (Like many other travel companies, Amadeus has been privately opposed to CAPPS-II, according to my sources. But like most other such companies, Amadeus has taken no public position on CAPPS-II.)

One disturbing possibility is that the USA is already testing CAPPS-II with data from the EU. Even domestic flights within the USA, of course, include reservations made in the EU and protected by EU law, as do flights by USA-based airlines. But the DHS, and its predecessor the Department of Transportation, seem erroneously to have assumed that only flights on EU airlines are subject to any EU jurisdiction.

In presenting the proposed enhanced APIS agreement to the European Parliament, Commissioner Bolkestein said categorically and repeatedly that the proposed agreement did not cover CAPPS-II, which would require further negotiations and a separate agreement. He made no mention of an exception for testing (or any other exception).

The DHS takes a different view of the proposed agreement, however. Nuala O'Connor Kelly, the DHS Chief Privacy Officer, told a Washington press briefing, and repeated to me in an e-mail message:

There should not be any conflicting reports on the use of the data under the agreement with the European Union; I was part of the briefing and it was quite clear: The language of the agreement contemplates the use of data to test -- and only to test -- CAPPS II.

There's no indication that -- if such language was actually included in the proposed agreement -- Members of the European Parliament were made aware of it. With Parliament in holiday recess for the last 2 weeks, I've been unable as yet to get any reaction to Ms. O'Connor Kelly's statement from the EC or MEP's. But the issue of passenger data transfers from the EU to the USA, what really happened with passenger records for the cancelled flights, the fate of the proposed enhanced APIS agreement and of CAPPS-II, and the non-compliance of BA, AF, and Amadeus with EU privacy law remain very much active on the European agenda for 2004.

Posted by Edward on Monday, 5 January 2004, 07:53 (7:53 AM)