Thursday, 22 January 2004

"Homeland Security" meeting today with USA airlines on data privacy

Northwest Airlines, the Air Transport Association (ATA), and the USA Department of Homeland Security (DHS) are putting very different spins on their meeting today on CAPPS-II and the privacy of airline passengers, held while angry travellers jammed the phones at the ATA headqurters to complain about past and possible future violations of their privacy and warn airlines of the likely backlash if they fail to stand up for their customers' privacy.

Reuters and an early report by the AP quoted an ATA statement and comments by ATA spokesperson Doug Wills on what the airlines told the DHS, with AP saying, "the airlines expect to hear details [from the DHS] about the steps being taken to protect travelers' privacy," as though all the risk of misuse of information was from the government, and what's needed are steps by the DHS.

And an ATA spokesperson told me after the meeting that, contrary to some reports that billed the meeting as an airline "summit" on CAPPS-II and privacy, there was actually no discussion of the airlines' own privacy policies. The regularly-scheduled quarterly meeting of chief operating officers of the major "network carriers" was simply the opportunity for an exchange with the DHS on DHS data protection protocols.

But a later report by the AP, Airline industry to work on privacy issues said, "Major airlines agreed Thursday to work with the Homeland Security Department on ways to protect traveler privacy,", and quoted DHS Chief Privacy Officer Nuala O'Connor Kelly as lecturing the airlines on best practices, as though the problem were with the airlines' practices: "'It's more than a privacy policy on a Web site,' Kelly said. 'It's having good internal protocols.'"

And the Minneapolis Star Tribune , Northwest CEO urges new 'data protection protocol' , and Information Week , Northwest CEO Urges Airline Execs To Talk Privacy , relying on statements from Northwest Airlines (NW), said "Northwest Airlines Inc. CEO Richard H. Anderson recommended that the Air Transport Association discuss developing a data-protection protocol to address privacy concerns about passenger data," as though NW -- which is still claiming it was "appropriate" to give its files on as many as 10 million passengers to the government -- had something to teach the rest of industry other than by negative example.

All we really have to go on for what happened at today's meeting are self-serving statements by NW, ATA, and the DHS, each trying to pose as privacy advocates in spite of their dismal track records of unconcern for passenger privacy. IT and security executive in other industries are looking for lessons in the airline privacy scandals -- see these stories in CIO magazine and CSO magazine -- but neither the airlines, the CRS's, nor the DHS have cleaned up their act, or even really ackowledged that they are the cause of a privacy problem.

Most ATA members don't have any privacy policies for most of their reservations: an ATA spokesperson admitted that their only privacy policies are those on their Web sites, which in almost all cases apply only to reservations made through the airlines' own Web sites, not the majority made through other channels. So far as I've been able to tell, no ATA member includes their privacy policy as part of their conditions of carriage -- if they have one at all, it's outside the actual contract, and thus of ambiguous enforceability.

A second class action lawsuit has been filed against NW in Federal District Court in Minnesota, this one by the same law firm that represents the plaintiffs in one of the pending suits against jetBlue. The New York Times has an interesting analysis of the difficulty of making a case in the USA, in the absence of a Federal privacy law, and the fact that, "In Europe what Northwest did is clearly illegal."

This isn't the first time ATA has met with the DHS on CAPPS-II, according to the ATA spokesperson who I talked with after the meeting. And ATA says that, "In the future, we expect to have additional discussions with Homeland Security officials and airline officials on this subject." But ATA represents only airlines based in the USA. The much larger number of airlines based in other countries, but that fly to the USA, would be equally impacted by CAPPS-II. But so far as I've been able to find out, the DHS has never met with the International Air Transport Association , presumably because they would be more likely to insist on compliance with international privacy laws and norms, and reimbursing airlines worldwide for CAPPS-II costs would be many times more expensive than just reimbursing USA airlines.

If there's any real disagreement between the DHS and ATA about CAPPS-II, it's about who will pay for it. According to ATA's spokesperson, "We still support CAPPS-II. We just feel that the burden of its cost shouldn't be borne entirely by the airlines."

When I met with European Commission staff members in Washington in November, they were extremely interested in the possibility that the USA might reimburse USA-based, but not EU-based, airlines for CAPPS-II or other security costs. It's highly likely that the EC would construe such preferential reimbursement as a preferential government subsidy to domestic airlines -- over and above current protectionist USA laws benefitting domestic airlines -- and would impose reciprocal trade sanctions against airlines from the USA flying to the EU.

This week there's been a flurry of editorials raising questions about CAPPS-II in newspapaers across the country, including USA Today , the Denver Post , the Rocky Mountain News , the Boston Globe , and the Washington Post . (And then there's the satirical commentary .)

But there's no reason to expect meetings between travel companies and the DHS, who have already collaborated in several years of successive tests of airline passenger profiling schemes, to answer the questions about CAPPS-II, or resolve the privacy problems posed by government-industry sharing of passenger data.

  1. If the DHS Chief Privacy Officer were really concerned about protecting privacy, rather than making excuses for privacy-invasion and surveillance programs cooked up by the NSA and its friends in military intelligence, she'd order a halt to the program, not harangue the airlines.
  2. If the airlines really cared about their passengers' privacy, they'd put strong privacy guarantees in their conditions of carriage, lobby publicly against CAPPS-II, and promise to publicize and contest in court any government request or order to turn over passenger data.
  3. And if NW had learned anything about respect for its customers' privacy, they'd start with a public apology and an admisison that they did wrong.

The only way passengers' and the public's concerns can be addressed is if the process is conducted in public, and if passengers themselves, and consumer and privacy advocates who represent them, are involved. The only way that is likely to happen is through the Congressional process of investigation, hearings, and legislation.

Business Travel News points out that the same day that G.W. Bush boasted in his State of the Union Address that "Each day ... analysts are examining airline passenger lists", British Airways CEO Rod Eddington was telling another Washington audience across town that, "A unilateral imposition of longer term security measures can be counter-productive". Eddington singled out demands by the USA for passenger data form the EU in his call for, "More co-operation and consultation between governments" on security demands affecting airlines. The complete text of Eddington's op-ed earlier this month in the Financial Times on USA "security" demands, previously mentioned in my blog, also has now been posted on the Britsh Airways web site.

British Airways was the only airline to file comments on the DOT's initial CAPPS-II proposal , in which they rasied questions -- still unanswered, and entirely ignored in the DHS analysis of comments -- about its incompatibility with EU and other countries' laws.

Sen. Gordon Smith of Oregon has become the first member of Congress to demand answers as to what NASA did with Northwest Airline reservation data, sending a list of written questions to NASA and the CEO of Northwest. Meanwhile, DontSpyOn.US and the Washington Times have more details on the census data used in the same NASA research as the NW reservations.

The Northwest privacy scandal has also fueled the fires of public skepticism in the European Union as to whether travel companies in the USA, or the government of the USA, can be be trusted to police their privacy practices without independent oversight.

I've received no news of what happened yesterday and today in the European Parliaments's Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE). But Memebrs of the European Parliament (MEP's) are continuing to raise questions about the proposed agreements with the USA on passenger data transfers and CAPPS-II testing. The (lengthy) committee agenda included consideration of the status of discussions on transfers to the USA of airline passenger data, as well as a draft European Parliament resolution which:

Reiterates that EU data protection rules are seriously infringed when personal data are, without informing and obtaining the consent of the data subject, transferred or accessed directly and systematically by a third state party or law enforcement authority, notably when data are collected for another purpose and without judicial authorisation, as in the case of US authorities accessing transatlantic passenger data collected in the EU by airline companies and electronic reservation systems.

On 18 December 2003, the Belgian national privacy commission ruled that the rights of MEP, LIBE Committee member, and EP rapporteur on privacy Marco Cappato had been violated by United Airlines (UA), Continental Airlines (CO), and Delta Air Lines (DL). The ruling (en français) was based both on Belgian law and the particularly strict privacy provisions of the EU code of conduct for computerized reservation systems ("systèmes informatisés de réservation, SIR").

In a statement preceding this week's LIBE Committee meetings, MEP Cappato said (in translation from the original Italian):

On the occasion of tomorrow morning meeting in Brussels of the EP Civil liberties committe, I will draw colleagues' attention on the opinion by the Belgian Privacy Committee, in the view of deciding in the next weeks on the possibility of challenging the EU Commission in front of the European Court of Justice concerning the violation of EU law on privacy. The Belgian document has also been sent to the Privacy Authorities of EU Member States, and to the Belgian Minister of Justice. I hope that they will assure that laws are respected. I address myself to the Italian Privacy Authority, and notably to its Chief, Stefano Rodotà, currently also President of the EU Privacy Authorities working party, to ask him to intervene at the national and European level so to assure that the law and the corresponding adeguate sanctions are finally applied.

Elsewhere in Europe, German data protection commissioner Peter Schaar said in an interview with the Frankfurter Allgemeine Zeitung that the handling of passenger data in the USA "does not meet EU privacy standards." As the interview points out, Schaar is "a member of the Article 29 Working Party advising the European Commission on privacy issues. The working party, composing all of the EU's privacy commissioners, is currently drafting a recommendation on demands made by the United States government for information on airline passengers." Schaar also spoke out against both US-VISIT and the proposals for biometric passports.

Link | Posted by Edward on Thursday, 22 January 2004, 18:05 ( 6:05 PM) | TrackBack (0)
Comments
Post a comment









Save personal info as cookie?