Saturday, 10 January 2009
How to request your travel records
[Excerpt from a simple Passenger Name Record (PNR) from the file about me kept by the CBP division of DHS. Click image for larger version. Most PNRs have more information than this. More examples and discussion of what information these records contain and how they are used.]
By popular demand, I'm posting updated forms to request your PNR's and other records of your international travel that are being kept by the U.S. Customs and Border Protection (CBP) division of the Department of Homeland Security (DHS).
If you made a similar request previously, the answer you got (if any) was almost certainly incomplete. These forms are long, but they have been revised repeatedly [most recently in early 2014] to anticipate and preempt the ways CBP has misconstrued and failed to respond fully to earlier requests.
If you want to know all of what's really in your file, you should probably make a request again, using this updated form, and appeal any response (or non-response). Please feel free to contact me for assistance in interpreting any response, and/or in appealing any failure to respond, incomplete response (every response I have seen has been obviously incomplete, and every appeal that was responded to at all has resulted in the disclosure of additional information), improper withholdings (most responses have invoked FOIA exemptions which don't apply to responses to Privacy Act requests), or if you have exhausted your appeals and are interested in suing the DHS or pursuing a complaint with data protection authorities in another country that has participated in the DHS scheme.
The DHS has recently admitted that in most cases when people asked for "all information held by CBP", their Freedom Of Information Act/Privacy Act office didn't even try to search for PNR data. And the records that were released were typically improperly and inconsistently censored ("redacted"). I don't expect the DHS to review all the previous requests on their own initiative. The only way to ensure your request is reviewed, and find out what they should have told you the first time you asked, is to start all over with a new request, and to exhaustively appeal any response or non-response.
We don't yet know what all is included in CBP travel records. But a full response should include, by way of examples from incomplete, redacted, responses I've received so far:
- Passenger Name Records (In addition to the CBP redactions, I've redacted some IP addresses, credit card numbers, friends' phone numbers, and other personal data I don't want to publish online.)
- TECS border crossing and entry/exit logs (These include entries and exits by air, rail, bus, car, and foot, although not always all of them -- I don't know why. Some of mine go back to 1992, but I've seen some older entries in other people's files.)
- Secondary inspection records (Once I asked if I could bring in an apple and a couple of slices of bread I had left over from breakfast: "PAX VERBALLY DECLARED FOOD. 1 APPLE WAS SEIZED. BREAD WAS INSPECTED AND RELEASED. NO PENALTY." Another time they washed all my shoes for me, as they will -- while you wait, for free -- if you check the box on the entry form that says you've been near animals: "PAX ARRIVED FROM ARGENTINA... IN A LIVESTOCK SHOW. HIS SHOES WERE CLEANED AND DISINFECTED FOR POSSIBLE CONTAMINATION." And so forth. Note that although these are labeled as "Secondary Inspection" records, they include notes, such as those I just quoted, regarding entries and exits at which I was not referred to secondary inspection.)
- An "accounting of disclosures" listing which other government agencies or third parties CBP has "shared" your records with (This is required by the Privacy Act, but nobody I know of has received such an accounting of disclosures of their travel records. It's unclear whether no access logs are maintained, or whether they are maintained but have been withheld.)
(Continue reading for instructions, details, and similar forms to request your travel records from airlines, travel agencies, tour operators, and other travel companies as well as the government. See additional information here for additional rights you have if you travelled to, from, or via the European Union, on an airline based in the EU, or made reservations or bought your tickets through a travel agency, tour operator, or airline office in the EU.)
You can make a request with this same form even if you are not a U.S. citizen or resident. This form should get you the CBP's history of your international travels to, from, or via the USA, including your PNR's and your records from the Automated Targeting System (ATS). You'll need to make a separate request to the TSA for their records of your domestic travel from the Secure Flght program. (I'm working on a form for that, but haven't posted it yet.)
You don't have to have the Privacy Act request form notarized, but you do have to sign it under penalty of perjury. I strongly request that you send it by certified mail, return receipt requested. The CBP has a habit of not acknowledging requests or acting on them, and you can't appeal their inaction or sue unless you can prove they got your request.
It's probably a good idea to also send a courtesy copy of your request by e-mail to "CBPFOIA@dhs.gov", to make it harder for them to claim that they didn't receive your request. Put "Privacy Act Request" in the subject line. But e-mail is not sufficient for a Privacy Act request. If you don't send a paper copy with a signature, your request will be processed -- if at all -- only under the much more limited provisions and broader exceptions from disclosure of the Freedom Of Information Act (FOIA), not as a Privacy Act request.
It's not clear what information the CBP needs to have to retrieve your records -- which categories of PNR data are indexed, for example, or whether full-text search ("grep") is possible. PNR and other data can be retrieved by exact name or similar name, date of birth, and passport number, but probably also by telephone number, credit card number, etc. You can choose what information to give them to use to search for your records. Misspellings and data entry errors in PNRs are common, so even using "fuzzy" name search they are more likely to find your records if you also give them at least your passport number(s).
The CBP eventually admitted (in response to my complaints) that their records include information about travel agents and airline reservation staff, but hasn't said what unique identifiers are used to retrieve travel agency and airline staff records, such as the PNR's you created or in which you made entries. The DHS has not yet provided any response to my request for their records about me in my former capacity as a travel agent, which remains pending (nor, so far as I know, have they responded to such a request from any other travel agent or airline staff person). If you worked for a travel agency or airline, I presume that they would need to know which CRS/GDS or airline hosting system you used, your city or pseudo-city or office code and/or IATA number, and your agent sine, in order to retrieve their record of PNR's and other data associated with your work.
[In February 2009, the DHS admitted that Amtrak and bus companies "voluntarily" provide the DHS with information on bus and train passengers travelling between the USA and Canada and Mexico. Those records are specifically included in the request forms I've posted, but I have yet to see a response from the DHS that included any records of train or bus travel, even when requests were made by people such as myself who had travelled between the USA and Canada by both Amtrak and Greyhound. This is part of the basis for my own Privacy Act appeal, which has been pending since September 2007, and the lawsuit I filed in August 2010. If you receive any Amtrak, Greyhound, or other train or bus records, please let me know what information they contain. The DHS promised that it would issue an updated Privacy Act SORN to give proper notice of its collection and use of bus and rail data, but as of August 2010 when I filed my lawsuit, they still had not done so.]
The DHS itself also reported that their own internal audit showed that CBP was typically taking a year or more to respond to requests like this. But that shouldn't discourage you from making a request. Making a request shows that you care that the government is keeping a file on your lifetime travel history. If nobody asks for their files, the CBP will claim nobody cares. The larger the backlog of unanswered requests, the more evidence that the DHS isn't keeping its promises to the American people and the European Union, the more likely that the EU will shut off DHS access to EU data, and the more likely that CBP will come under pressure from Congress to process the backlog and tell us what recrods they are keeping about us. The more people (eventually) get their files, the more we will learn about what information is in those files.
And if you don't like the fact that the government is keeping these records about innocent travellers, demand that Congress and the new Presidential administration enact legislation to require that they be destroyed .
According to official (but non-binding) "undertakings" to the European Union, the U.S. government has promised that, although foreigners have no legal rights under the U.S. Privacy Act, DHS will nonetheless process requests for PNR data from European citizens under the Privacy Act. In practice, requests from EU citizens (like most requests from US citizens) have been processed only under the much more limited rights afforded by the Freedom of Information Act (FOIA). If you are a citizen or resident of the EU, and you receive no response from DHS or a response that only mentions your FOIA request and not your Privacy Act request, you can and should complain to your national data protection authority in the EU. Under the terms of the US "undertakings", EU data protection authorities can raise the issue with DHS, and demand a proper response under the Privacy Act as though you were a US citizen.
If you travelled on an airline based in the European Union, or made your reservations or bought your ticket in the EU or from an airline office or travel agency or tour operator in the EU, you can also request your records (including an accounting of what information they passed on directly to the DHS or outsourced or transferred to Computerized Reservation Systems (CRS's) or other commercial entities in the USA), from the airline, travel agency, tour operator, or CRS. Even if they claim that you "consented" to data sharing, EU laws require that they disclose, on request, exactly what data about you they have "shared", and with whom. Note that you can make such a request of a USA-based airline if you bought your ticket from them in Europe. EU data protection law is applicable whenever data is originally collected in the EU, regardless of your citizenship or where the company is based.
I've written before about why these requests under European law are so important, including in testimony to the European Parliament and the Article 29 Working Group and articles published in Europe. By subscribing to CRS's based in the USA, and by participating in code-sharing and other marketing (and data sharing) "partnerships", most airlines, travel agencies, and tour operators based in the EU have effectively outsourced and offshored the storage of all of their PNR's and customer data. Even PNR's for flights within the EU, on EU airlines, by EU residents, booked and tickets by EU travel agencies, are routinely and illegally stored in CRS's in the USA. Even when they are stored in the EU, these European PNR's are routinely accessible to "partners" in the USA.
Once this data is in the hands of commercial entities in the USA -- where travel companies are subject to no data protection law at all -- this data can be retained forever by US companies, sent to other countries, and/or given to the US government. The US government can use a "national security letter" to obtain PNR's or other data from an airline or CRS, in secret, and can forbid that US company from telling the European company that gave them the data, or the data subject, that they have done so. Few, if any, European travel companies disclose this to their customers, or obtain their consent before making customer data available to CRS's and other companies in the USA.
This commercial data transfer is in flagrent violation of EU data protection law, including the EU Data Directive, national laws, and the EU Code of Conduct for CRS's . By obtaining European data indirectly, by way of commercial entities in the USA, the US government can easily bypass any limits on transfers of data directly from EU airlines to the US government, making the "restrictions" in the EU-USA agreement on direct PNR transfers and on data retention by government agencies effectively meaningless.
Only access requests by individual travellers in the EU, and complaints to EU data protection authorities, can expose and shut down this fundamentally illegal system of outsourcing and offshoring of storage and processing of European travel records by unregulated companies in the USA.
I've updated the forms below based on my experience trying to get my records from KLM , which they told me was the most detailed such request yet received by any European airline. [Update on the significance for Europeans of recent developments in the USA in travel data presented at a conference in Brussels, 16-17 January 2009.]
The exact form of these requests varies slightly under each EU member country's data protection law. Because the largest number of travellers to the USA from any EU country is from the UK, and because I'm writing in English, I've prepared sample request letters under the UK Data Protection Act. It should be fairly easy to adapt these for use in other countries:
- Request for PNR's and other travel records from a travel agency or tour operator: OpenOffice | MS-Word | text
- Request for PNR's and other travel records from an airline: OpenOffice | MS-Word | text
- Request for PNR's and other travel records from a computerized reservation system (CRS): OpenOffice | MS-Word | text
Most European companies will request a photocopy of your passport, national ID card or other government-issued identity credential, in order to verify your identity, before responding to such a request. So if you are willing to provide it, you'll probably expedite the response by including a copy of your passport with your initial request.
For some idea of what might be in these government and commercial files about your travels, see the examples above, my article What's in a PNR?, the excerpts from DHS travel records published last year in the Identity Project report , the Washington Post story about IDP's research, the records released to me by KLM and by Air France , Sean O'Neill's story in Budget Travel about the DHS response to his request, including a sample page from a TECS index of Border Crossing Information System entries and a sample page from a PNR, and the anonymized response to a request made using these forms posted at philosecurity.org being discussed on Slashdot (including both PNR and TECS data).
If you make a request, I'd love to know what (if any) response you get. Good luck! Time permitting, I'll be happy to help you interpret your files, and saying any parts of them you are willing to share (either with me in confidence, or more widely) would help my advocacy on behalf of other travellers. Feel free to e-mail me or post comments here.
Addendum: I am continuing to update these forms as I learn more about how the US government and travel companies are responding to these requests. So in order to make sure people have the benefit of those updates, please link to this article rather than mirroring the forms.
Further update, 10 September 2009: Even while long-delayed requests and appeals for these travel records remain pending, the DHS is trying to exempt more of the data we've requested from the disclosure and other requirements Privacy Act. Make your request for your travel records ASAP, before they try to exempt even more of those records and make even more of their dossier about you a secret.
Further update, 18 August 2010: CBP has finally admitted, in response to persistent inquiries from other requesters, that it has given incorrect information, or no information, about Privacy Act appeal rights and contact addresses. Different official notices, DHS Web sites, and DHS communications to requesters have given different addresses for appeals. Regardless of any address(es) provided by CBP, and whether they say your request was processed under the Privacy Act, FOIA, or both, you should identify any appeal as being made under both the Privacy Act and FOIA, state that you appeal the response (or lack of response) in its entirety under both the Privacy Act and FOIA, and copy your appeal to each of the following addresses:
FOIA and Privacy Act Appeals
Associate General Counsel (General Law)
U.S. Department of Homeland Security
Washington, D.C. 20528
Office of Regulations and Rulings
U.S. Customs and Border Protection
799 - 9th St. NW, 5th Floor
Washington DC 20229-1179
Privacy Act Policy & Procedures Branch
U.S. Customs and Border Protection
799 - 9th St. NW, Mint Annex
Washington, DC 20229-1177
If the responses seem to become more standardized, I will post a standardized appeal template. In the meantime, I'm happy to assist in drafting appeals, if you send me a copy of your request and the response (if any) you received. As noted above, every appeal I have seen has resulted in the disclosure of additional information.
Further update, 14 June 2013: I've updated the request forms several times. Those linked above are the most recent versions. CBP now has a Web page here that is supposed to allow you to file a FOIA rquest online, but I haven't yet been able to get it to work. DHS headquarters has begun sending "Glomar" responses ("We will neither confirm nor deny that we have any records responsive to your request") with respect to the DHS copy of the Terrorist Screening Database, and there is probably little point appealing these responses. But if you use the forms above, you should receive a response from CBP (including redacted excerpts from PNR, APIS, and other TECS data) separately from, and in addition to, the "Glomar" response from DHS headquarters with respect to the DHS copy of the TSDB.Link | Posted by Edward on Saturday, 10 January 2009, 09:57 ( 9:57 AM) | TrackBack (1)