Tuesday, 27 May 2014

"Can I see what information the feds have on my travel?"

Ars Techica editor and technology journalist Cyrus Fariva reports today on the initial response to his Freedom Of Information Act (FOIA) request to US Customs and Border Protection (CBP) for CBP’s records about his travel history, including CBP’s copies of airline Passenger Name Records (PNRs):

I then asked Edward Hasbrouck, a traveler and writer who has extensively researched passenger data and who has even sued the CBP for failing to hand over data about himself.

"You got 72 pages of shit, to put it crudely," he said, explaining that the CBP didn’t give me the crown jewel of what I asked for: my own PNR records. His own PNR records, as he demonstrated in 2009, included far more detailed information, including the IP address used when he booked an airline ticket.

"Why they didn’t include that when you explicitly asked for it, I can’t tell you,” he added. Hasbrouck agreed with Crump’s assessment that the agency’s lack of response was to be expected. "It’s completely erratic. Some people get just the PNR and not the entry and exit data. Whether it’s gross incompetence, malign neglect, or if they’re overworked, whether it’s that they don’t understand the nature of what the data is—[it] suggests that the people doing the redacting don’t know what the data is."

Read more at PapersPlease.org.

I've posted forms and instructions on how to request your travel records. Please let me know if you’d like help interpreting responses.

Link | Posted by Edward on Tuesday, 27 May 2014, 10:41 (10:41 AM) | TrackBack (0)
Comments

Hi Edward,

Thank you very much for your blog posts on FOIA and the PNR data.  It is very interesting.

One question I have is information such as IP-address / Email / Frequent Flier numbers also recorded for domestic flights in PNR or by the TSA?

How long do airlines/CRS/GDS keep PNR records typically?

Thank you very much, again.

Posted by: Anonymous, 27 May 2014, 11:33 (11:33 AM)

Is IP address, e-mail address, frequent flyer number, etc. routinely included in PNRs for domestic US travel? Yes.

How often does the TSA access PNR data? We don't know.

CBP requires airlines to provide copies of complete PNRs for all international flights to, from, or overflying the US. CBP keeps a complete archive of mirror copies of these PNRs in the CBP "Automated Targeting System" database.

TSA requires airlines to send only a subset of PNR data called "Secure Flight Passenger data" (SFPD) for domestic flights within the US:

http://papersplease.org/sf_faq.html

TSA does not keep a complete archive of mirror copies of domestic PNRs.

BUT... the SFPD includes the "record locator" for the PNR, which is a pointer to the master copy of the PNR held by the airline or, more often, an outsourced database hosting company (CRS/GDS).

Under the US "third party" legal doctrine, PNR data is not the property of the traveller. It is the property of the airline, which can "voluntarily" provide it to TSA or anyone else without notice to or consent of the traveller. TSA could also demand PNR data in secret, using a "National Security Letter". We don't know how often this happens.

Posted by: Edward Hasbrouck, 27 May 2014, 11:39 (11:39 AM)

How long do airlines/CRS/GDS keep PNR records typically?

Posted by: Anonymous, 27 May 2014, 12:34 (12:34 PM)

Airlines, CRSs, or GDSs typically keep PNR data for US domestic flights forever. Storage is cheap, and they might find value in the data.

Posted by: Edward Hasbrouck, 27 May 2014, 12:35 (12:35 PM)

Storage is understandably cheap, but shouldn't there be a privacy policy?  Is there a way to find this out through the storage vendors or airlines?

Posted by: Anonymous, 27 May 2014, 12:37 (12:37 PM)

There should be a privacy policy. But there might not be one, it might not cover data retention, and it might not actually be followed.

You can ask, but:

(1) In the US, there is no general data protection law, and no legal requirement for a business to have a privacy policy.

(2) Many privacy polices of US businesses don't mention the duration of data retention, or allow indefinite retention of personal data.

(3) It can be hard to find out what outsourced hosting company actually holds the data. Airlines and travel agencies rarely disclose this, even
if asked (or give incomplete disclosures). US law does not require them to to disclose this information.

Posted by: Edward Hasbrouck, 27 May 2014, 12:40 (12:40 PM)

"How to request your US Border file (and what you're likely to get)" (by Cory Doctorow, BoingBoing.net, 27 May 2014):

http://boingboing.net/2014/05/27/how-to-request-your-us-border.html

Posted by: Edward Hasbrouck, 28 May 2014, 06:13 ( 6:13 AM)
Post a comment









Save personal info as cookie?