Saturday, 10 January 2009

How to request your travel records

example of a PNR

[Excerpt from a simple Passenger Name Record (PNR) from the file about me kept by the CBP division of DHS. Click image for larger version. Most PNRs have more information than this. More examples and discussion of what information these records contain and how they are used.]

By popular demand, I'm posting updated forms to request your PNR's and other records of your international travel that are being kept by the U.S. Customs and Border Protection (CBP) division of the Department of Homeland Security (DHS).

If you made a similar request previously, the answer you got (if any) was almost certainly incomplete. These forms are long, but they have been revised repeatedly [most recently in early 2014] to anticipate and preempt the ways CBP has misconstrued and failed to respond fully to earlier requests.

If you want to know all of what's really in your file, you should probably make a request again, using this updated form, and appeal any response (or non-response). Please feel free to contact me for assistance in interpreting any response, and/or in appealing any failure to respond, incomplete response (every response I have seen has been obviously incomplete, and every appeal that was responded to at all has resulted in the disclosure of additional information), improper withholdings (most responses have invoked FOIA exemptions which don't apply to responses to Privacy Act requests), or if you have exhausted your appeals and are interested in suing the DHS or pursuing a complaint with data protection authorities in another country that has participated in the DHS scheme.

The DHS has recently admitted that in most cases when people asked for "all information held by CBP", their Freedom Of Information Act/Privacy Act office didn't even try to search for PNR data. And the records that were released were typically improperly and inconsistently censored ("redacted"). I don't expect the DHS to review all the previous requests on their own initiative. The only way to ensure your request is reviewed, and find out what they should have told you the first time you asked, is to start all over with a new request, and to exhaustively appeal any response or non-response.

We don't yet know what all is included in CBP travel records. But a full response should include, by way of examples from incomplete, redacted, responses I've received so far:

  1. Passenger Name Records (In addition to the CBP redactions, I've redacted some IP addresses, credit card numbers, friends' phone numbers, and other personal data I don't want to publish online.)
  2. TECS border crossing and entry/exit logs (These include entries and exits by air, rail, bus, car, and foot, although not always all of them -- I don't know why. Some of mine go back to 1992, but I've seen some older entries in other people's files.)
  3. Secondary inspection records (Once I asked if I could bring in an apple and a couple of slices of bread I had left over from breakfast: "PAX VERBALLY DECLARED FOOD. 1 APPLE WAS SEIZED. BREAD WAS INSPECTED AND RELEASED. NO PENALTY." Another time they washed all my shoes for me, as they will -- while you wait, for free -- if you check the box on the entry form that says you've been near animals: "PAX ARRIVED FROM ARGENTINA... IN A LIVESTOCK SHOW. HIS SHOES WERE CLEANED AND DISINFECTED FOR POSSIBLE CONTAMINATION." And so forth. Note that although these are labeled as "Secondary Inspection" records, they include notes, such as those I just quoted, regarding entries and exits at which I was not referred to secondary inspection.)
  4. An "accounting of disclosures" listing which other government agencies or third parties CBP has "shared" your records with (This is required by the Privacy Act, but nobody I know of has received such an accounting of disclosures of their travel records. It's unclear whether no access logs are maintained, or whether they are maintained but have been withheld.)

[More examples of DHS travel records and how they are compiled and used.]

(Continue reading for instructions, details, and similar forms to request your travel records from airlines, travel agencies, tour operators, and other travel companies as well as the government. See additional information here for additional rights you have if you travelled to, from, or via the European Union, on an airline based in the EU, or made reservations or bought your tickets through a travel agency, tour operator, or airline office in the EU.)

You can make a request with this same form even if you are not a U.S. citizen or resident. This form should get you the CBP's history of your international travels to, from, or via the USA, including your PNR's and your records from the Automated Targeting System (ATS). You'll need to make a separate request to the TSA for their records of your domestic travel from the Secure Flght program. (I'm working on a form for that, but haven't posted it yet.)

You don't have to have the Privacy Act request form notarized, but you do have to sign it under penalty of perjury. I strongly request that you send it by certified mail, return receipt requested. The CBP has a habit of not acknowledging requests or acting on them, and you can't appeal their inaction or sue unless you can prove they got your request.

It's probably a good idea to also send a courtesy copy of your request by e-mail to "CBPFOIA@dhs.gov", to make it harder for them to claim that they didn't receive your request. Put "Privacy Act Request" in the subject line. But e-mail is not sufficient for a Privacy Act request. If you don't send a paper copy with a signature, your request will be processed -- if at all -- only under the much more limited provisions and broader exceptions from disclosure of the Freedom Of Information Act (FOIA), not as a Privacy Act request.

It's not clear what information the CBP needs to have to retrieve your records -- which categories of PNR data are indexed, for example, or whether full-text search ("grep") is possible. PNR and other data can be retrieved by exact name or similar name, date of birth, and passport number, but probably also by telephone number, credit card number, etc. You can choose what information to give them to use to search for your records. Misspellings and data entry errors in PNRs are common, so even using "fuzzy" name search they are more likely to find your records if you also give them at least your passport number(s).

The CBP eventually admitted (in response to my complaints) that their records include information about travel agents and airline reservation staff, but hasn't said what unique identifiers are used to retrieve travel agency and airline staff records, such as the PNR's you created or in which you made entries. The DHS has not yet provided any response to my request for their records about me in my former capacity as a travel agent, which remains pending (nor, so far as I know, have they responded to such a request from any other travel agent or airline staff person). If you worked for a travel agency or airline, I presume that they would need to know which CRS/GDS or airline hosting system you used, your city or pseudo-city or office code and/or IATA number, and your agent sine, in order to retrieve their record of PNR's and other data associated with your work.

[In February 2009, the DHS admitted that Amtrak and bus companies "voluntarily" provide the DHS with information on bus and train passengers travelling between the USA and Canada and Mexico. Those records are specifically included in the request forms I've posted, but I have yet to see a response from the DHS that included any records of train or bus travel, even when requests were made by people such as myself who had travelled between the USA and Canada by both Amtrak and Greyhound. This is part of the basis for my own Privacy Act appeal, which has been pending since September 2007, and the lawsuit I filed in August 2010. If you receive any Amtrak, Greyhound, or other train or bus records, please let me know what information they contain. The DHS promised that it would issue an updated Privacy Act SORN to give proper notice of its collection and use of bus and rail data, but as of August 2010 when I filed my lawsuit, they still had not done so.]

The DHS itself also reported that their own internal audit showed that CBP was typically taking a year or more to respond to requests like this. But that shouldn't discourage you from making a request. Making a request shows that you care that the government is keeping a file on your lifetime travel history. If nobody asks for their files, the CBP will claim nobody cares. The larger the backlog of unanswered requests, the more evidence that the DHS isn't keeping its promises to the American people and the European Union, the more likely that the EU will shut off DHS access to EU data, and the more likely that CBP will come under pressure from Congress to process the backlog and tell us what recrods they are keeping about us. The more people (eventually) get their files, the more we will learn about what information is in those files.

And if you don't like the fact that the government is keeping these records about innocent travellers, demand that Congress and the new Presidential administration enact legislation to require that they be destroyed .

According to official (but non-binding) "undertakings" to the European Union, the U.S. government has promised that, although foreigners have no legal rights under the U.S. Privacy Act, DHS will nonetheless process requests for PNR data from European citizens under the Privacy Act. In practice, requests from EU citizens (like most requests from US citizens) have been processed only under the much more limited rights afforded by the Freedom of Information Act (FOIA). If you are a citizen or resident of the EU, and you receive no response from DHS or a response that only mentions your FOIA request and not your Privacy Act request, you can and should complain to your national data protection authority in the EU. Under the terms of the US "undertakings", EU data protection authorities can raise the issue with DHS, and demand a proper response under the Privacy Act as though you were a US citizen.

If you travelled on an airline based in the European Union, or made your reservations or bought your ticket in the EU or from an airline office or travel agency or tour operator in the EU, you can also request your records (including an accounting of what information they passed on directly to the DHS or outsourced or transferred to Computerized Reservation Systems (CRS's) or other commercial entities in the USA), from the airline, travel agency, tour operator, or CRS. Even if they claim that you "consented" to data sharing, EU laws require that they disclose, on request, exactly what data about you they have "shared", and with whom. Note that you can make such a request of a USA-based airline if you bought your ticket from them in Europe. EU data protection law is applicable whenever data is originally collected in the EU, regardless of your citizenship or where the company is based.

I've written before about why these requests under European law are so important, including in testimony to the European Parliament and the Article 29 Working Group and articles published in Europe. By subscribing to CRS's based in the USA, and by participating in code-sharing and other marketing (and data sharing) "partnerships", most airlines, travel agencies, and tour operators based in the EU have effectively outsourced and offshored the storage of all of their PNR's and customer data. Even PNR's for flights within the EU, on EU airlines, by EU residents, booked and tickets by EU travel agencies, are routinely and illegally stored in CRS's in the USA. Even when they are stored in the EU, these European PNR's are routinely accessible to "partners" in the USA.

Once this data is in the hands of commercial entities in the USA -- where travel companies are subject to no data protection law at all -- this data can be retained forever by US companies, sent to other countries, and/or given to the US government. The US government can use a "national security letter" to obtain PNR's or other data from an airline or CRS, in secret, and can forbid that US company from telling the European company that gave them the data, or the data subject, that they have done so. Few, if any, European travel companies disclose this to their customers, or obtain their consent before making customer data available to CRS's and other companies in the USA.

This commercial data transfer is in flagrent violation of EU data protection law, including the EU Data Directive, national laws, and the EU Code of Conduct for CRS's . By obtaining European data indirectly, by way of commercial entities in the USA, the US government can easily bypass any limits on transfers of data directly from EU airlines to the US government, making the "restrictions" in the EU-USA agreement on direct PNR transfers and on data retention by government agencies effectively meaningless.

Only access requests by individual travellers in the EU, and complaints to EU data protection authorities, can expose and shut down this fundamentally illegal system of outsourcing and offshoring of storage and processing of European travel records by unregulated companies in the USA.

I've updated the forms below based on my experience trying to get my records from KLM , which they told me was the most detailed such request yet received by any European airline. [Update on the significance for Europeans of recent developments in the USA in travel data presented at a conference in Brussels, 16-17 January 2009.]

The exact form of these requests varies slightly under each EU member country's data protection law. Because the largest number of travellers to the USA from any EU country is from the UK, and because I'm writing in English, I've prepared sample request letters under the UK Data Protection Act. It should be fairly easy to adapt these for use in other countries:

  • Request for PNR's and other travel records from a travel agency or tour operator: OpenOffice | MS-Word | text
  • Request for PNR's and other travel records from an airline: OpenOffice | MS-Word | text
  • Request for PNR's and other travel records from a computerized reservation system (CRS): OpenOffice | MS-Word | text

Most European companies will request a photocopy of your passport, national ID card or other government-issued identity credential, in order to verify your identity, before responding to such a request. So if you are willing to provide it, you'll probably expedite the response by including a copy of your passport with your initial request.

For some idea of what might be in these government and commercial files about your travels, see the examples above, my article What's in a PNR?, the excerpts from DHS travel records published last year in the Identity Project report , the Washington Post story about IDP's research, the records released to me by KLM and by Air France , Sean O'Neill's story in Budget Travel about the DHS response to his request, including a sample page from a TECS index of Border Crossing Information System entries and a sample page from a PNR, and the anonymized response to a request made using these forms posted at philosecurity.org being discussed on Slashdot (including both PNR and TECS data).

If you make a request, I'd love to know what (if any) response you get. Good luck! Time permitting, I'll be happy to help you interpret your files, and saying any parts of them you are willing to share (either with me in confidence, or more widely) would help my advocacy on behalf of other travellers. Feel free to e-mail me or post comments here.

Addendum: I am continuing to update these forms as I learn more about how the US government and travel companies are responding to these requests. So in order to make sure people have the benefit of those updates, please link to this article rather than mirroring the forms.

Further update, 10 September 2009: Even while long-delayed requests and appeals for these travel records remain pending, the DHS is trying to exempt more of the data we've requested from the disclosure and other requirements Privacy Act. Make your request for your travel records ASAP, before they try to exempt even more of those records and make even more of their dossier about you a secret.

Further update, 18 August 2010: CBP has finally admitted, in response to persistent inquiries from other requesters, that it has given incorrect information, or no information, about Privacy Act appeal rights and contact addresses. Different official notices, DHS Web sites, and DHS communications to requesters have given different addresses for appeals. Regardless of any address(es) provided by CBP, and whether they say your request was processed under the Privacy Act, FOIA, or both, you should identify any appeal as being made under both the Privacy Act and FOIA, state that you appeal the response (or lack of response) in its entirety under both the Privacy Act and FOIA, and copy your appeal to each of the following addresses:

FOIA and Privacy Act Appeals
Associate General Counsel (General Law)
U.S. Department of Homeland Security
Washington, D.C. 20528

FOIA Appeals
Office of Regulations and Rulings
U.S. Customs and Border Protection
799 - 9th St. NW, 5th Floor
Washington DC 20229-1179

Privacy Act Policy & Procedures Branch
U.S. Customs and Border Protection
799 - 9th St. NW, Mint Annex
Washington, DC 20229-1177

If the responses seem to become more standardized, I will post a standardized appeal template. In the meantime, I'm happy to assist in drafting appeals, if you send me a copy of your request and the response (if any) you received. As noted above, every appeal I have seen has resulted in the disclosure of additional information.

Further update, 14 June 2013: I've updated the request forms several times. Those linked above are the most recent versions. CBP now has a Web page here that is supposed to allow you to file a FOIA rquest online, but I haven't yet been able to get it to work. DHS headquarters has begun sending "Glomar" responses ("We will neither confirm nor deny that we have any records responsive to your request") with respect to the DHS copy of the Terrorist Screening Database, and there is probably little point appealing these responses. But if you use the forms above, you should receive a response from CBP (including redacted excerpts from PNR, APIS, and other TECS data) separately from, and in addition to, the "Glomar" response from DHS headquarters with respect to the DHS copy of the TSDB.

Link | Posted by Edward on Saturday, 10 January 2009, 09:57 ( 9:57 AM) | TrackBack (1)
Comments

Thank you for this detailed article which was commented on our website dedicated to french expatriates : http://www.expatriation.com/etats-unis-formulaire-esta-probleme-erreur.html
It is a frightful thing that the related ESTA has endorsed the PNR transmission to the DHS. And more than that, that is goes beyond appeal on the base that foreign tourists are by fact not entitled to any form of legal process...

Posted by: Laurent, 5 February 2009, 02:36 ( 2:36 AM)

Thank you for all this information I am placing a FOIA request on behalf of my Father to release information on his I-94 , I traveled to the port of entry to request such information with no luck, according to CBP they respond in an estimate of 20 days, I wonder if that's only an acknowledgement of receipt of my request. Hopefully it doesn't take forever.

Thanks again,

Posted by: Brenda G, 25 April 2009, 13:47 ( 1:47 PM)

Just remain OUT of the usa. No need to go there. Even american citizens are remaining OUTSIDE for the obvious. Hitler Nazi Germany all over again!

Posted by: rickie, 17 May 2009, 02:57 ( 2:57 AM)

I did not understand as to why the custom officer gave me the form and told me to go and read it at home. I have no clue why am I requesting this information and how is it going to reduce/eliminate the Border Patrol from stopping me and causing delays that have made me miss my connection flights from New York( often) when I take any international travelling. Any suggestions?

Posted by: Momboz, 26 August 2009, 09:31 ( 9:31 AM)

I don't understand why you would need this information if you have nothing to hide? You seem like a confused person that needs to seek salvation and repentance. God bless, Josh.

Posted by: , 8 September 2009, 06:14 ( 6:14 AM)

@Josh - 'nothing to hide' is such a nonsense response to those desiring some control over their privacy. should people that own guns have them taken away under the guise that 'they have nothing/no-one to be afraid of'? the more apathy people have over their own information the less control we have in the future and no god is going to come to the rescue.

Posted by: jojomonkey, 8 September 2009, 21:07 ( 9:07 PM)

i don't have anything to hide but i also don't want to give it all up to someone whose intent i do not clearly know

Posted by: envie23, 30 September 2009, 01:19 ( 1:19 AM)

I submitted my request for my records in early September, and got the packet back in the mail October 10th. They included PNRs for my most recent three trips, and a complete printout from TECS II between 1/1/83 and 9/30/09.

Thanks for the letter!

Neil

Posted by: Neil, 11 October 2009, 19:46 ( 7:46 PM)

This info is great though I am would like to know what you're actually told. Is it just flight and date info (I know all this already) or does it actually include comments from immigration officers who have dealt with you? I had a problem entering once and it has put me off returing again, though I am thinking of becoming a flight attendant so I would like to find out whats being held about me, but would it not look suspect if as for this info then apply for my b1 and b2 visa? Also as a UK citizen, what forms do I have send in? Thanks in advance

Posted by: sam, 19 October 2009, 14:36 ( 2:36 PM)

I am gravely concerned about Americans living abroad having to meet more and more requirements in order to continue to live abroad i.e. money transfers for example. I understand that more and more Americans are renouncing their citizenship in order to distance themselves from such things as the Patriot Act et al.

I live in Guatemala fulltime but need to travel to Seatte, WA for health care etc. and find it more and more difficult to do so. Banks and mutual fund companies have more and more requirements for me to access my own money and use it as I please.

I'm concerned that some day I will not be allowed back into or out of my own country at will.

I'm no one special and certainly don't require special monitoring or gathering of my personal data.

It may not impact many people how but I believe that it will be more and more difficult to live as and where you want to without the US government having some say in it.

Posted by: Nancy Guinn, 28 April 2010, 16:14 ( 4:14 PM)

Josh, how can one search or obtain a PNR for a specific person? Can one request a PNR for "Joe Schmo"? What sort of detailed information must be included for finding such travel history about another person?

Posted by: AUSTIN, 8 August 2010, 08:56 ( 8:56 AM)

Thank you for putting this together, I am going to send in a request and will let you know how it turns out. I did find one error in the letter.

Posted by: Q, 7 November 2010, 11:51 (11:51 AM)

Josh,I would like to ask at what point and how much the information is shared between agencies. I am a business man that travels and lives part of the year in Paris. I wounder how this effects me in the short and long term. many thanks for any information you have.

Posted by: Richard, 15 November 2010, 02:00 ( 2:00 AM)

Can you please tell me if the letter attachment "Privacy Act Request / Request for Accounting of Disclosures / Request for Correction of Records / Complaint of Criminal Violation of the Privacy Act" is still in date as I am trying to locate all travel records for my father (deceased) from 1955 to 1965 minimum as there are no records held for his passport details and he did have a passport and travelled to the UK in 1965.

Posted by: , 30 December 2010, 09:53 ( 9:53 AM)

Hi,

Is there a 101 on how to read CBP - TECS report. I received CBP TECS report in response my privacy request. Eventhough most of the entries are read-able, there are lot of annotations like (a), (e), (f) with shading without any explanation on what they mean.

BTW, I found 2 issues with the TECS record:

1. A trip I made from Canada to USA on foot as a pedestrian is missing from this record. [ A friend of mine dropped at the Canadian border and my relative picked up at the US side of the border!]. This entry is critical towards my Canadian Citizenship Residency Calculation.
2. I recently travelled from Vancouver to Seattle via Train. However, both my entry/exit dates from US are listed in the TECS report. I am confused on why my exit date from US for this trip is listed. Is this a mistake by CBP? Any thoughts/personal experiences in this regard?

IS there a process to get missing records/clarifications from CBP? I thought of posting this before I write to them.

Thanks very much for all the help.

Thanks.

Posted by: sivan, 7 June 2011, 12:37 (12:37 PM)

Hello

Firstly thank you for your blog, its very insightful and its great that you want to help people, I for one appreciate it.

I'm sorry to ask a question you may have already been asked, but I just need some clarification please. I've been looking at the forms to request my travel history as i want to apply for permanent residency in Canda, and this is something they want. I'm a British Citizen working in Canada, and so I was wondering if your form for applying for travel history via FOIA etc... to the US would be ok for me to use and if it is currently up to date? I noticed it had information for Europeans so I hope I can use it to get what I need, but obviously its quite a professional and formal piece of work with a lot of information which I don't understand or know if I need to leave in?

I'm sorry if I'm making you repeat yourself, but I appreciate any advice or help you can give me, I've searched a lot on Google and your website was the most helpful, I couldn't find anything from any UK government official sites, hence my query to you.

Many thanks for your time.

Naomi

Posted by: Naomi Went, 11 June 2012, 09:56 ( 9:56 AM)

I have been through 10 weeks of ordeal getting my passport renewed. At 72 yrs old, now living in panama, they made me re-invent myself back to birth, missed my flight, costs thousands.

all about the 'supplemental worksheet' requirements.
any input that I can give, I will gladly help.

Posted by: frank, 13 October 2012, 12:30 (12:30 PM)

How are PNR requests done by other countrys? Ignoring the obvious such as the EU what about China? Hong Kong?

Posted by: , 22 October 2012, 12:40 (12:40 PM)

Please help. My husband wants to request for his travel exit and enter history to the US. We would like to get it back within the 20 days..can you advise us so that we do everything correctly please

Posted by: Cassie, 7 February 2013, 03:03 ( 3:03 AM)

Hi, I'm looking into starting process to change of statutes through marriage USC but I lost my passport with visa 23years ago never replaced it.. now if I have information on my lawful entry to country will be much simpler than.. So all I need is the info of my lawful entry. I already file FOIA through U.S. Citizenship and Immigration Services anf according to their records "no records were located"

I'll be using your letter and tips and try now through FOIA By CBP. Hoping that I will find answers.

thank You,
Rosie

Posted by: Rosie, 15 July 2013, 13:44 ( 1:44 PM)

I applied for the info last December (2013) and up until this day I haven't received any records. I even asked a Senator for help expediting it, but they refused his pleas.

My kids have no citizenship since the Americans want proof of my presence in America under the Citizenship Act.

So frustrating.

Posted by: e lo, 28 August 2014, 11:21 (11:21 AM)
Post a comment









Save personal info as cookie?