Thursday, 20 December 2007
Back in Brussels
Six months into my current year-long trip around the world, I'm spending this week in Brussels (Belgium). Some of the high points of our trip so far include English House in Buenos Aires (Argentina), Potosi (Bolivia), driving across the Atacama Desert and down the desert coast of northern Chile, Brazilian hospitality, Porto (Portugal), Ourense (Spain), the train trip through and along the Pyrenees, and Marseille (France).
A lot has happened in the nine months since my last visit here:
I was here in Brussels once before, in March 2007, for meetings of the European Parliament and European Union national data protection authorities (the "Article 29 Working Group") on transfers of travel reservation records (Passenger Name Records or PNR's) from the EU to the USA.
Following my trip, I used the opportunity presented by my having flown on an airline based in the EU, and subject to EU privacy laws (which have no counterpart for travel records in USA law), to request my travel records from KLM Royal Dutch Airlines (part of the merged KLM/Air France corporate group). KLM responded months later, claiming that they don't know who may have accessed my PNR's and other records, and that KLM is not responsible for what its agents and contractors do with travellers' records. The Dutch Data Protection Authority is now attempting to mediate, and has sent KLM a list of unanswered questions . I'm waiting for KLM's formal response to the Dutch DPA request, and the Dutch DPA's opinion on whether KLM has complied with Dutch privacy law. I will also be meeting informally with KLM's privacy and security directors at their corporate headquarters near Amsterdam this Friday.
My experience wit KLM confirms the need for EU citizens and residents, as well as other people like me who travel on EU airlines because we expect them to provide a higher level of privacy protection than those in the USA, to test the system by requesting our records from these travel companies , and complaining to national data protection authorities if they don't comply. If you have travelled to or from the USA, even if you are not a USA citizen, you can also request the PNR's and other travel records about you kept by the USA Department of Homeland Security in its "Automated Targeting System" (ATS). (In my case the DHS had a different PNR for my trip, from a different CRS, than the one that KLM claimed had been given to the DHS.)
Here in Brussels, the European Commission has completed its review of the EU Code of Conduct for Computerized Reservation Systems (CRS's), including its provisions requiring CRS's to protect the privacy of PNR's. On 15 November 2007, the EC published its proposal for a revised CRS Code.
The good news is that, in response to the comments submitted by the Identity Project, the EC has proposed to (1) make the privacy provisions of the CRS Code more detailed, (2) broaden them to protect all subjects of data in PNR's (such as travel agents, people paying for other people's tickets, etc.) and not just travellers, and (3) make explicit that CRS's are "data controllers" required to answer directly to members of the public for their use of PNR's (and not just, as CRS's seem to have believed, processors of data on behalf of airlines, travel agencies, and other third parties).
The bad news is that the EC proposal would, inexplicably, exempt from the privacy (and other) protections of the CRS Code those PNR's created by airlines in the CRS's to which they outsource hosting of their PNR databases as "system users". The CRS Code would apply only to PNR's created by travel agencies, tour operators, and other CRS "subscribers".
But the privacy provisions of the CRS Code will remain meaningless unless the EC begins to enforce them. Airlines, travel agencies, and CRS's routinely and systematically violate the privacy provisions of the CRS Code (as well as the EU Data Protection Directive and EU national data protection laws). The EC proposal for changes to the CRS Code is currently being reviewed by the European Parliament. Members of the European Parliament -- some of whom I have been meeting here -- should demand a detailed accounting of compliance with the existing privacy rules for CRS's, and the EC's investigation and enforcement activities and plans, before approving a proposal that is likely to be rendered meaningless by noncompliance and nonenforcement.
The EC has also put forward a proposal for a council decision that would obligate each EU member nation to set up a PNR processing and passenger profiling unit, and require all airlines operating to or from the EU to provide their PNR's to these units. This proposal is currently being considered by several EU bodies including, in an advisory role, the European Parliament,
The EU proposal for PNR-based government profiling of travellers is based on the schemes already being used in the USA and the (illegal and unenforceable) USA-EU agreement for government access to PNR's. In a speach this week in Dublin, USA Secretary of Homeland Security Chertoff said:
I'm delighted to note that earlier this month the EU released a proposed requirement from member states relating to the collection of Passenger Name Record data that is strikingly similar to the arrangement that we have in the United States.
Chertoff made clear that governments want access to PNR's not just for identification of people of people on "watch lists", but primarily to identify people "who are unknown to us, whose identities are not manifest, whose names we do not have on a watch list." That's why governments aren't satisfied with basic identifying data, but want as much descriptive information as possible about our travels, especially our associations with other people such as people who have the same telephone number in our PNR's. In other words, the fundamental goal of a PNR-based profiling system is data mining or "social network analysis", in order to carry out police actions against travellers premised on a theory of guilt by association.
In the same speach, Chertoff also claimed that PNR data is "not particularly sensitive -- we're not interested in the habits that people have in their personal lives -- but information they communicate to the airline". That's a lie, and he knows it. In a Privacy Act notice published in the Federal Register earlier this year, the DHS specifically acknowledged that PNR's contain personal information about travellers from a variety of commercial sources (travel agents, airlines, tour operators, other travel companies, intermediaries, etc.), not just information provided by travellers themselves. Rather than trying to exclude this third-party data from the (illegal) DHS "Automated Targeting System", the DHS has proposed to retain it and use it in making decisions about whether to permit individuals to travel, while at the same time exempting it from the Privacy Act so that it can be kept secret from the travellers against whom it it used.
Despite being designed to emulate the bad example of the USA, the EU PNR proposal containes several provisions designed to reassure Europeans that the data accessible to government agencies, the ways it is used, and its retention will all me more limited and better regulated than is the case in the USA.
Europeans shouldn't be fooled. For both technical and political reasons, data will "leak" through and around these purported limitations, with little prospect of real control. Here's how:
- The EU proposal would require that certain categories of "sensitive data" be filtered out of PNR's before they are pushed to government profiling units. But that's technically impossible, becuase these categories of information are entered in PNR's neither in discrete fields nor in any standard way. Trade union membership, for example, could be deduced from a fare basis or ticket designator indicating a discount negotiated for a union congress, from an organizational credit card number used as a form of payment, from a ticket delivery address or phone number at a union office, or from information in the free-text "general remarks" portion of the PNR. It's especially essential to exclude the "general remarks" in order to have any possibility of meaningful filtering. But even without the general remarks, senstive data will leak through into government PNR dossiers, and be available for government use as a basis for profiling.
- The EU proposal would require that no enforcement action be taken "solely" on the basis of "automated" processing of PNR's. But that language means that only the most cursory human review and approval (for example, someone glancing at a screen and clicking "OK") is needed to convert an automated "recommendation" based on PNR profiling into a purportedly lawful, although still extra-judicial, basis for enforcement action.
- The EU proposal would limit the time for which PNR data can be retained by governments. But that will have little consequence unless there are effective controls -- which there aren't -- on PNR data retention by private companies. In practice, storage of most PNR data collected in the EU is outsourced to CRS's based in the USA. In the USA, they are free to retain it forever for their own commercial uses, and to make it available to whomever they choose -- including government agencies in the USA, EU, or elsewhere -- without notice to, or consent of, the data subjects. Unless European authorities actually enforce the existing EU Data Protection Directive and the privacy provisions of the Code of Conduct for CRS's, PNR data will continue to be outsourced to the USA, warehoused and retained forever by these private data aggreagtors, and made available to governments at the whim of the CRS's, in secrecy and without accountability. Europans should demand a thorough review of the (non)compliance with, and (non)enforcement of, existing data protection rules as they apply to PNR data, before any expansion of permitted access to, or use of, those PNR's. If existing data protection rules for PNR's aren't being complied with or enforced, neither are the purported limitations and protections in the new proposal likely to be complied with or enforced.
A further danger in the EU PNR proposal is that it puts in place the basis for a a European system that could, with only slight tweaks, be converted from a PNR-based system of travel surveillance into the sort of permission-based system of travel control that is now in the process of being implemented in the USA.
Effective 19 February 2008, under the latest revision to the international APIS (Advance Passenger Information System) regulations, all airlines operating international flights to, from, or overflying the USA will be required to obtain individualized permission from the DHS before issuing each prosepective passenger a boarding pass, or allowing them on a plane.
The Identity Project addressed this issue in our formal comments to the DHS on the proposed international APIS revisions, but our objections were ignored when the new rules were finalized.
A similar permission requirement is contained in the proposed Secure Flight rules for domestic flights within the USA, which have not yet been finalized. This was addressed both in the comments of the Identity Project and in my testimony at the DHS hearing on the Secure Flight proposal in Washington in September 2007.
The Secure Flight proposal also prompted extensive comments from the travel industry about the cost of modifying their computer systems and business processes in order for them to function more effectively as an outsourced government system of travel surveillance. Although they are specifically addressed to the issue of domestic flights in the USA, many of the practical and cost problems will be similar for international and European flights. You can read the docket of comments at Regulations.gov . Because the comment period is now closed, you have to choose "all documents" and search by docket number TSA-2007-28572 .
The EU PNR proposal stops just short of the change from watch lists screening (which has as its default a right to travel in the absence of a legal prohibition) to a system like the one the USA is implementing of government authorization to travel (with a default of "no"). But international human rights treaty law, specifically Article 12 of the International Covenant on Civil and Political Rights , explicitly creates a right of freedom of movement. Article 12 of the ICCPR has also been interpreted as setting specific legal standards that must be satisfied by any regulation or law related to freedom of movement. Any PNR proposal in countries that are party to the ICCPR, including the USA and all EU members, must recognize that travel is a right, not a privilege granted by governments, and must meet those tests
Members of the European Parliament and EU data protection authorities should ask the European Commission about its intentions with respect to any such travel authorization scheme, and whether it complies with the ICCPR. And all Europeans should insist that the PNR proposal be evaluated for compliance with the legal standards set by the ICCPR. In particular, proponents of the PNR proposal should be required to demonstrate that each PNR data category is actually "necessary" for a valid purpose, and cannot be obtained, if it is needed for law enforcement, by less intrusive means such as a warrant, subpoena, or other court order. The Europarl could also ask its legal service for an opinion on the compatibility of the PNR proposal with Article 12 of the ICCPR.Link | Posted by Edward on Thursday, 20 December 2007, 01:58 ( 1:58 AM) | TrackBack (0)