Tuesday, 9 November 2004

OMB approves data demand for "Secure Flight" testing

The USA Presidential Office of Management and Budget (OMB) has approved the proposed order from the Transportation Security Administration (TSA) to USA-based airlines requiring them to turn over all data in PNR's (reservations) that included flights within the USA in June 2004 for use in testing of the TSA's Secure Flight airline passenger "screening" (surveillance) system.

The OMB approval and assignment of an information collection "control number" (OMB No. 1652-0025) was finalized on 20 October 2004, five days before the expiration of the public comment period on the proposal. Since almost all of the public comments including my comments were submitted in the final days of the 30-day comment period, which ended 25 October 2004, the OMB's action came before the agency was even aware of most of the criticisms of the proposal.

By approving the proposal without changes, the OMB has endorsed the TSA's ludicrous under-estimate of a total cost of US$810,000 for 77 airlines to identify and extract the requested PNR's with June 2004 domestic USA flights from their archives (or, in most cases, the archives of the CRS's that host their databases), filter out and exclude the portions of those PNR's pertaining to international flights to or from the USA (but leaving the data about flights entirely outside the USA), and deliver the data to the TSA in acceptable format (preferably XML, the TSA has requested, clearly not realizing how different that is from the structure in which PNR's are stored in most CRS's).

More importantly, the OMB's approval of the TSA compliance cost estimate clearly fails to consider the cost consequences of the incompatibility of the proposed data dump with European Union and member countries' national data protection laws, or the EU Code of Conduct for CRS's . That's no surprise, since the OMB probably didn't become aware of this issue -- which the TSA has pretended not to be aware of -- until it was raised in my comments and in European news reports after the OMB had (unbeknownst to the commenters) already approved the TSA plan and cost estimates.

Gary Bass, executive director of OMB Watch , who pointed me in the right direction to find the OMB's notice of its decision, says it's neither unusual nor unlawful for OMB to issue a decision before the end of the comment period. While OMB approval of any government demand for private information is required by the Paperwork Reduction Act, Bass says OMB approval proceedings aren't considered a "rulemaking" subject to the usual rules that govern Federal agencies and regulations.

With the OMB approval and information collection control number in hand, the only remaining prerequisites to the TSA's demand for PNR data and start of Secure Flight testing is the statutory requirement that the TSA "develop[] measures to determine the impact of such [identity] verification on aviation security" and that the Government Accountability Office (GAO) complete its evaluation and report on those aspects of Secure Flight testing.

Since the OMB made up its mind on Secure Flight testing without waiting long enough to learn about the problems that airlines and CRS's would have in complying with the Secure Flight testing data demand while still operating in, and subjecting themselves to, contrary EU legal obligations, it's critical that the GAO consider these issues.

According to several of my sources, the TSA and GAO have been making contrary statements about whether the proposal would include a demand for data about flights outside the USA, such as those within or between EU members countries or between EU members and other countries. TSA officials, in particular, have claimed that the order would not include any data about flights outside the USA.

I haven't been able to tell if the TSA has actually modified its proposed order to the airlines, or if TSA officials are claiming that the proposed order doesn't include flights outside the USA because the TSA doesn't realize that USA-based airlines operate flights, with local traffic rights, between points outside the USA (United Airlines between Tokyo and Bangkok, American Airlines between Montevideo and Buenos Aires, Northwest Airlines between Mumbai and Amsterdam, etc.) , put their code-shares on other flights operated by airlines in other countries, and reserve local flights on other airlines throughout the world, all in the same PNR's with reservations for flight segments within the USA.

I'm not the only one asking these questions: In comments (dated 21 October 2004) and a set of questions (dated 27 September 2004) on the Secure Flight testing proposal -- both of which were, oddly, docketed only today (see my index of some of the other detailed comments) -- the Air Transport Association (the trade association representing most major airlines based in the USA) identified exactly these potential problems with the Secure Flight testing proposal:

Requiring carriers to filter or manipulate stored PNR data will generate significant expenses for them.... Who will bear the new information systems connection and programming costs that will be incurred for transmitting PNRs for the Secure Flight test program?...

We suggest that the TSA expand the proposed order to explain fully the statutory authority for TSA's order to airline requiring provision of personal data ... about passengers who have completed their travel (as contrasted with data to facilitate the screening of passengers who will in the future travel on passenger aircraft)....

Some of the PNRs that carriers will provide TSA for the Secure Flight test program will contain passenger data that have been collected in the European Union. The adequacy determination and international agreement predated the Secure Flight program and consequently do not state that they cover it....

Clarification that the European Commission agrees that the test program is permissible under the EC-U.S. Government PNR access agreement and the related European Council adequacy finding must occur before the program proceeds.... We renew out request that TSA ... discuss this matter with EC authorities to ensure that U.S. airlines are not ensnared in contradictory regulatory demands.

This matter has become more significant recently because of emerging uncertainty about the ability to identify points of booking in all reservation records. We are working with GDSs on this matter. The problem is that deleting international segments from a reservation may be an inadequate fix for the European privacy issue. There may be European-originating reservations for U.S. domestic-only air transportation that cannot in all instances be identified as European-originating.

The ATA member airlines also ask detailed questions, similar to those in my articles here and my comments to the TSA and OMB, concerning the definition of "domestic flight", applicability of the proposed order to "codeshare" flights, flights on different airlines included in the same PNR, and so forth.

In the end, these questions may not be answered unless people who made reservations in the EU for flights in the USA in June 2004, along with EU national data protection officials and the European Commission as enforcer of the EU Code of Conduct for CRS's , start making complaints and pursuing enforcement actions against both airlines and CRS's that cooperate (or, if they don't announce their non-cooperation, will be presumed to have cooperated) with the TSA demand for non-consensual disclosure to the government of reservation data for Secure Flight testing.

Link | Posted by Edward on Tuesday, 9 November 2004, 13:10 ( 1:10 PM) | TrackBack (0)
Comments
Post a comment









Save personal info as cookie?