Tuesday, 29 March 2005

Auditors question TSA use of airline reservations

Two reports by different sets of internal USA government auditors have questioned the appropriateness and legality, and revealed more details, about past, present, and proposed uses by the USA Transportation Security Administration (TSA) of airline reservation data for "passenger screening" and other purposes.

On Friday, 25 March 2005, the (acting) Inspector General of the USA Department of Homeland Security (DHS), which includes the TSA, released a redacted (i.e. censored) version of their Review of the Transportation Security Administration's Role in the Use and Dissemination of Airline Passenger Data .

There aren't, on first reading, any bombshells in this report, but it does provide by far the most comprehensive list released to date of airlines, Computerized Reservation Systems (CRS's), and reservation data aggregators who have turned over Passenger Name Records (PNR's), or data extracted from them, to the TSA. It's worth reading, and will remain a useful reference.

The report reveals that these disclosures to the TSA (almost all of which violated European Union laws and the EU Code of Conduct for Computerized Reservation Systems, if not necessarily in all cases laws of the USA) were more extensive than has even previously been confirmed by any agency or official of the government of the USA, and puts the lie to a series of denials by TSA spokespeople and officials to reports of these disclosures, especially the reports by, and denials to, members of Congress, myself, and Ryan Singel of Wired News . Ryan's stories on this, with links to more background, are here and here ; further comments by Bruce Schneier, security expert and member of the TSA's advisory committee on "Secure Flight", are here .

Because this report was focused exclusively on the TSA, it doesn't discuss the more than 250 million PNR's obtained, aggregated into a data warehouse, indexed, and still held by the USA Federal Bureau of Investigation (FBI). Nor does it discuss whether the TSA had access to that data or any of the FBI's analysis of it, which could be significant to whether the TSA knew that the FBI had discovered that PNR's contain personally identifiable data on non-passengers such as travel agents and airline staff, which could be critical to whether TSA officials committed criminal violations of the Privacy Act in setting up databases of PNR data without notice to those non-passengers as data subjects.

On Monday, 28 March 2005, the USA Government Accountability Office (GAO) released a report commissioned and mandated by Congress as a precondition to deployment and/or testing of the TSA's Secure Flight airline passenger surveillance and monitoring system, Secure Flight Development and Testing Under Way, but Risks Should Be Managed as System Is Further Developed . (Comments on the GAO report from Ryan Singel , Bruce Schneier , the ACLU , and EPIC .)

The initial focus on the GAO report has been on whether it constitutes the certification required by Congress before the TSA can proceed with "Secure Flight" deployment (clearly not) or testing with commercial data such as PNR's. With respect to testing with PNR's, I don't think so, but the report says the TSA has already conducted such testing, and recent reports such as this and this suggest that the TSA intends to continue and expand both testing and deployment of "Secure Flight" (perhaps defining the initial deployment as merely a very large scale "test") without waiting for the requires GAO certification. The TSA seems to assume that travel data such as PNR's is sui generis and thus exempt from all Constitutional, statutory, or regulatory requirements applicable to other categories of commercial data, just as it seems to think airline security in general is sui generis and outside normal constraints on search, seizure, or freedom to assemble. (Whether travel is, or should be considered, sui generis is a larger question I hope to address in a future article).

The GAO report seems to confirm, although it doesn't emphasize, the likelihood that the "Secure Flight" testing already conducted (or, more specifically, the handover of PNR data by airlines and CRS's for "Secure Flight" testing) was not authorized by any agreement with the EU, and thus that it may have violated EU laws.

It's clear from reading the GAO report that the TSA has defined the "success" of "Secure Flight" testing by the ability to match entries in PNR's with entries in watch lists. Difficult though that has proven in past tests, that's the (relatively) easy part. And that begs the more difficult questions of the degree to which PNR data matches "real identities" (or ever could, even if the First and Fourth Amendments to the Constitution of the USA were modified to authorize compulsory production and display of identity credentials as a precondition to exercising the right to travel), or the degree to which entries on watch lists correspond to threats sufficient to warrant restrictions on the exercise of Constitutional rights (especially in the absence of a judicial finding in each case of sufficient basis for such a restraining order).

But while the GAO report is damning, it still seems to me on first reading that the GAO auditors were entirely too credulous in several respects. Perhaps that's because, while they talked to (some) privacy advocates and some airline and CRS representatives, that don't appear to have talked to any travel agents -- the people who work with PNR's on a constant basis, and would have to do most of the "heavy lifting" of data collection and data entry for "Secure Flight" (the GAO does confirm that this would be difficult and expensive to a degree it can't yet quantify because the TSA still hasn't decided what data it will require, or in what format) -- or any independent experts on PNR data and associated business practices.

In particular, the GAO report consistently and repeatedly adopts the TSA's false categorization of data in PNR's as "passenger provided" information. This is more than a semantic error.

By describing PNR data as "passenger provided", the TSA is trying to imply -- falsely --- that the subjects of data in PNR's are limited to passengers, that the data was voluntarily provided by the data subjects, and that their "consent" can be inferred from their having provided it and by their subsequently seeking to board flights. But PNR's contain personally identifiable data on people other than passengers, obtained from and through sources other than the data subjects themselves.

The GAO seems to have adopted the TSA's simplistic, and wrong, conception of a unitary transaction, engaged in directly between the airline and the passenger (who never subsequently changes or cancels their reservations), in which a reservation (PNR) is created, all PNR data is entered, and a ticket is issued, at the same time and place and by the same person. Any reservation agent, and especially any travel agent, would find this over-simplification laughably inaccurate.

The GAO misunderstanding is most clear in its statement that, "even a wholly domestic U.S. flight could involve European Union data if the passenger purchased the ticket in the European Union." Actually, this has little -- possibly nothing -- to do with where the ticket was purchased, and everything to do with where the data was collected from the original source for entry into the reservations. It's clear that the GAO didn't understand that distinction, and assumed that the making of reservations, purchase of a ticket, and issuance of the ticket necessarily occurred as part of a single transaction. But it's possible to collect data for one PNR in different places and at different times. It's possible to make reservations without buying a ticket, and it's possible to buy an "open" ticket without making any reservations.

A PNR is, in industry lingo, "built" by a series of entries, often over a considerable period of time, in which different bits of data (much of which the prospective passenger(s) never see), originating with different parties, are entered through different intermediaries. At Airtreks.com where I work with complex around-the-world itineraries, the audit trail or "history" for a single PNR routinely contains more than 100 distinct entries, each identified uniquely with its source. As I've discussed previously, "Most PNR data is provided to airlines by a chain of between two and four intermediaries: (1) the travelling companion who makes the travel arrangements for the typical travel party of more than one person, (2) the travel agency they deal with (online or offline), (3) the CRS used by that travel agency, and (4) the CRS that hosts the airline's PNR database." Their role (and the necessity for them to obtain and document consent for onward personal data transmission) remains unacknowledged by the TSA.

The GAO report describes a "Secure Flight" process in which the TSA would obtain all PNR's containing reservations for each flight (it's silent on whether this would include only confirmed reservations, all confirmed or waitlisted reservations, or all reservations including cancelled ones) 72 hours before scheduled departure. At this point, or any point prior to "wheels up" (and then only if the TSA limited itself to PNR's of those who actually boarded), names in PNR's correspond not to "passengers" but to a vastly larger class of what might more accurately be called "prospective passengers". In many cases, a prospective passenger has made reservations not just for themselves but for their travelling companion(s), who may not even know they have done so, and from whom no consent to anything can be inferred.

A large percentage of reservations are cancelled, or expire unticketed. Airlines can't always tell which reservations have been ticketed, and don't necessarily cancel them, so there are always some confirmed reservations for prospective passengers who fail to "materialize", as we say in the industry, and present themselves for boarding. That's why airlines overbook. There are no-shows on every flight, and for every no-show there is PNR data on a non-passenger in a confirmed, possibly even ticketed, PNR. And that's at departure time: 72 hours in advance, there are even more live, confirmed PNR's for prospective passengers who won't actually become "passengers".

Aside from all that, every PNR -- as the FBI found out -- contains a unique "agent sine" for the travel agent or airline staff person who made each manual entry. This is clearly "personally identifiable information" that can't be described as "passenger" information.

Aside from the degree of TSA ignorance this reveals, it's significant because the TSA's Privacy Act notices for CAPPS-II and Secure Flight, for which it has received entire PNR's, claim -- falsely and, since I had pointed out their mistake in my comments , knowingly falsely -- that the only people about whom those PNR's would contain personally identifiable information would be airline passengers. No mention of prospective passengers who did not actually travel (cancellations, no-shows, etc.) and no mention of travel agents or airline staff.

In its response to my comments , the TSA said it was "rare" for PNR's to contain personal data on non-passengers. This claim is obviously false, and I don't find it credible that anyone competent at the TSA could believe it to be true, even if they hadn't read my comments. It's rare to cancel or change reservations? It's rare to no-show? These things happen on every flight. And every PNR contains the unique agent sine of the person who first created it, as well as the history of who made each subsequent entry.

PNR's contain personally identifiable information on at least four obvious categories of people, not just the single category of "passengers" admitted by the TSA and GAO: (1) airline passengers, (2) prospective passengers in whose names reservations are made (whether or not they are ever ticketed or flown), (3) travel agents, and (4) airline staff members. They also contain information about a variety of other, possibly less obvious, classes of people, such as the holders of credit cards used to pay for other people's tickets.

Knowingly creating a Federal government database of personal information without formal notice of all the categories of people with respect to whom it will contain personal information is a Federal crime in the USA, under the Privacy Act. Those TSA personnel responsible for the creation of the PNR database used for "Secure Flight" testing are criminals. Their only possible defense to such a charge would be an implausible degree of ignorance (including failure to read the comments calling their attention, in advance, to this crime), amounting to gross incompetence.

[Addendum, 29 March 2005: In my first posting of this article, I neglected to mention another item of unwarranted GAO credulity: the GAO report repeats without question the TSA claim that, "in its order requiring airlines to provide historical PNR data for Secure Flight testing, TSA allowed air carriers to exclude from the June 2004 PNR submission any European Union flight segments." That's not true: the TSA's Final Order a much narrower category: "PNRs which include any flight segments between the EU and the United Sates." The difference between what the TSA actually ordered, and what it told the GAO (and the GAO repeated), is that the order actually included flight segemnts within the EU, and between the EU and places other than the USA. It's unclear whether the TSA and GAO are so USA-centric that it has never occurred to them that airlines based in the USA operate flights between points outside the USA (including within the EU, and between the EU and other places), or if this was a knowing (and successful) attenpt by the TSAislead the GAO. They can't plead ordinary ignorance, since I had explained this point in detail in my comments to the TSA on the proposed order.]

Link | Posted by Edward on Tuesday, 29 March 2005, 16:03 ( 4:03 PM) | TrackBack (3)
Comments

I worked on the project that attempted to use PNR data to match passengers on watch lists. It didn't work. I wrote a paper demonstrating that it couldn't work. The data is so bad that you either get excessive false positives or false negatives depending on how you set the match criteria.

The way it works now is they take a credit card number and go to one of the credit check systems and base the risk assessment on one's credit rating. If they happen to get an exact match on a threat list, they still cannot confirm identity of most nonUS citizens.

It's all a fraud.

Posted by: Charles Watkins, 28 March 2006, 10:13 (10:13 AM)
Post a comment









Save personal info as cookie?