Saturday, 31 January 2004
Canada proposes to follow USA lead on surveillance of travellers
The re-opening of talks between the USA and Canada on transfers of airline reservations (PNR's), and their use by government, also re-opens a long-running debate on this question within Canada.
I'm neither a lawyer nor an expert on Canadian Parliamentary procedure, but for those who are just now beginning to follow this story, here's my understanding of the state of Canadian travel data privacy law legislation.
Since 1 January 2004, airline reservation data subject to Canadian jurisdiction has been protected by the Personal Information Protection and Electronic Documents Act, which generally restricts its use to the purpose(s) for which it was collected, except with the knowledge and consent of the person(s) to whom the data pertains, guarantees the right of access to information about oneself, and requires any recipient of personal information (whether in the private sector or the government) to agree to the same conditions.
The Canadian Personal Information Protection Act provides the best available model for what a consumer privacy law in the USA ought to, and could, look like. It accords with the emerging international norms of privacy as a human right, and (unlike the USA) satisfies the European Union standard of "adequacy" of data protection, thus permitting airline data to be sent freely (within the conditions set by the law) back and forth between Canada and the EU. So far, so good.
After 11 September 2001, the USA began insisting on access to reservation data for passengers on flights from Canada (and everywhere else in the world) to the USA.
To accommodate these demands -- the same ones that have led to the current impasse with the EU -- Bill C-44 was enacted 18 December 2001, making an exception from the Personal Information Protection and Electronic Documents Act to allow Canadian airlines to provide foreign governments with "any information ... relating to persons on board or expected to be on board the aircraft and that is required by the laws of the foreign state."
Bill C-44 created an exception only for transfers of data by Canadian airlines, not travel agents or tour operators. So travel agents' transfers of customer data to USA-based airlines and CRS's are still in violation of the Personal Information Protection Act. And the information actually being provided by Canadian airlines to the USA government isn't limited, as Bill C-44 would require it to be, either to persons on board or expected to be on board, or to the information required by USA law. All this, yet USA Secretary of Homeland Security Tom Ridge still claims that, "The Bush administration will respect Canadian sovereignty and privacy laws" even while including Canadians in CAPPS-II.
That's why, "It's very important for us to get C-17, which provides us with the legal authority to go further," Deputy Prime Minister and Minister of Public Safety and Emergency Preparedness Anne McLellan told Canada Press after her meetings last week with the USA Department of Homeland Security -- all but admitting that current travel data practices violate current Canadian law.
What's this "C-17" she's talking about? Bill C-17, the Public Safety Act, 2002 is a much more sweeping "security" bill that has provoked controversy since an earlier version was proposed in 2001.
Bill C-17 is intended to facilitate implementation of a Canadian counterpart of the CAPPS-II scheme in the USA. "Last spring, the federal government agreed to put strict checks on the use of passenger information in the wake of widespread complaints about Bill C-17.... The bill was passed by the Commons, but not by the Senate before Parliament was prorogued in November."
Bill C-17 itself contains a schedule of information believed to be included in passenger name records, and subject to being given to USA or other foreign governments. The Canadian government's official FAQ on Bill C-17 is more apology than explanation, but there's a useful analysis by the Parliamentary Research Branch of the Library of Parliament of the legislative history of Bill C-17, as last revised 8 May 2003. The description of the debate on the information-sharing provisions highlights the unresolved difference of interpretation as to whether Bill C-17 would provide for access to passenger information only on specific request, or as a "continuous electronic data feed from the airlines regarding all passengers for all flights".
That analysis also highlights the crucial role played by the then Privacy Commissioner of Canada in exposing the real intentions of Bill C-17's backers. For his successor, renewed consideration of Bill C-17 will be one of the first major tests.
Friday, 30 January 2004
USA and Canada open talks on airline data
Just over three full years after the Canadian Personal Information Protection and Electronic Documents Act took effect for airlines that do business in Canada on 1 January 2001, the Canadian government has finally begun negotiations with the USA regarding the conflict between the Canadian law and USA government demands for access to airline reservations, according to reports of a joint news conference in Washington with USA and Canadian officials from the Globe and Mail, GovExec.com, and AP.
As with the European Union's consideration of airline reservation data transfers to the USA, the key question is whether the Canadian authorities will limit their concern to future USA government uses of travel data, or whether they will also address past and ongoing violations of the rights of Canadian travellers, including those by commercial users of reservation data as well as governments.
I expected travel businesses in the USA to disregard EU data protection law -- especially once they could claim, albeit falsely, that the so-called "safe harbor" agreement had "resolved" the issue with the EU -- and to postpone compliance with the Canadian law as long as possible. But I thought that both the scale of transborder air travel between the USA and Canada, and Canadian enforcement efforts, would eventually, grudgingly, force USA travel companies into at least a show of compliance, as the price of continuing to do business in and with Canada.
No such luck. Call me cynical if you like, but I've been genuinely shocked at how long, and how systematically, airlines, CRS's, and travel agencies have continued simply to ignore their obligations to respect Canadians' rights, and have continued to treat Canadian data as cavalierly as data collected in the USA (where there are no privacy rules except those that businesses voluntarily adopt for themselves). Under the Canadian law, personal information isn't supposed to be transferred to third parties -- as it is between travel agencies, CRS's, and airlines almost every time a reservation is made -- without a commitment from the recipient to respect the conditions (on notice, access, disclosure, and purpose of use) under which the data was originally collected. Those agreements simply don't exist, and that fact is, or should be, a major scandal across Canada.
In part because of the absence of these agreements or any measures to give them effect, it's impossible to identify which passenger name records (PNR's) associated with a particular flight in the USA contain data that was collected in Canada. I myself couldn't tell with certainty, at the travel agency where I work, which reservations were made by our agents in the USA and which by our agents in Canada. Any sample of USA airline reservation data of significant size will include personal information about Canadians, collected in Canada, protected by Canadian law.
If -- as now appears to have been admitted by both USA and Canadian officials -- CAPPS-II is contrary to current Canadian law, that means the previous CAPPS-II tests with real reservations violated Canadian law, and no future CAPPS-II tests can be conducted legally unless and until Canadian law is changed. "Homeland Security Department Secretary Tom Ridge said an agreement is 'by no means automatic' and will require 'lengthy' negotiations." That's a major setback to the previously-announced CAPPS-II testing schedule, and gives the DHS no excuse for issuing a directive commandeering data for CAPPS-II tests unless and until an agreement to permit such tests can be concluded with Canada.
The first Privacy Commissioner of Canada took a strong stand against earlier proposals for government access to airline reservation data, but it remains to be seen how the current Commissioner will address the issue.
One of the previous Privacy Commissioner's major enforcement actions, in fact, was against Air Canada for its handling of its frequent flyer program database. It's worth re-reading, even outside Canada, for its findings against the airline -- especially with US Airways (US) again in serious danger of being unable to meet its 30 June 2004 deadline for repayment of US$1 billion of USA government-guaranteed loans. US is already putting its most valuable assets up for bid, and if it goes bankrupt again, it will probably be liquidated. That means the US frequent flyer and PNR databases would be up for auction to the highest-bidding consortium of direct marketers and data miners. (For more on what you can do to protect yourself, see my FAQ about Airline Bankruptcies.) The possibility of a US liquidation lends considerable urgency to the need for Congress to enact a federal travel privacy law soon, before a bankruptcy court has to supervise the auction of a major airline reservation and customer database.
EU national data protection commissioners (the "Article 29 Working Group") were scheduled to meet yesterday to discuss the draft agreement on CAPPS-II testing and passenger data transfers to the USA proposed by the European Commission, according to the French national data protection commission (CNIL) Web site.
In addition to the previous ruling in Belgium and the pending investigation in Spain of complaints against PNR data transfers to the USA, both the French (en français) and German (in German; report in English from Reuters) data protection authorities have issued statements that the current transfers (and implicitly, CAPPS-II testing or deployment) are contrary to the laws of their countries and the EU. But there's been no word yet on what transpired at yesterday's meeting.
Business Travel Coalition joins call for hearings on CAPPS-II and travel data privacy
Prompted by Jane Black's column this week in Business Week (which in turn drew its recommendations from her interview with me last July and the agenda I've outlined here, here, here, here, and in my books, among other places), the Business Travel Coalition has launched a call for Congressional hearings on CAPPS-II and data privacy issues within the travel industry.
On its first day, the joint letter to the chairs of the USA House and Senate Transportation Committees has been signed by dozens of travel managers for corporations and organizations, travel consultants, travel agencies, and even some airline executives:
Personal travel information deserves the same level of Congressional scrutiny and debate that medical records and financial information policies were afforded in the past. We hope that you give serious consideration to exploring these important issues during hearings in the near future.
The BTC reportedly plans to collect signatures only through today, Friday, given the USA Department of Homeland Security's stated intention to issue a (secret) security directive forcing airlines to start turning over PNR's for CAPPS-II testing as early as "next month", i.e. Monday.
Travel executives who want to be seen as being on the side of their customers should make sure their names are included when the letter goes to Congress on Monday. Signatures are being collected today on the BTC Web site.
The only even partially dissenting view that the first report on the BTC campaign could find to "balance" the story came from David Stempler, whose purported "Passenger Association" is actually an ill-concealed front for the Cendant Corp., which runs Galileo -- one of the big four computerized reservation systems (CRS's) -- and is already gearing up to profit from the additional data CAPPS-II will force travellers to hand over for their commercial use.
Also today, Statewatch reports from the UK on the latest European Union plans for their own counterparts of the CAPPS-II and US-VISIT programs.
It's increasingly clear that what is at stake is nothing less than a global agenda of government and commercial surveillance and monitoring of travellers, leading to the creation of integrated dossiers of each person's lifetime movements by public transport or across borders, enforced on the basis of specious claims of "aviation and border security", and automatically collected, without the knowledge or consent of travellers, through mandatory remotely-readable RFID travel documents.
Travellers and civil libertarians have to draw the line somewhere. CAPPS-II and the tragic absence of any legal privacy protection for travellers in the USA are a good place to start, followed by the ICAO, USA, and EU plans to mandate biometric RFID passports up for decision at ICAO's March-April 2004 meetings.
Thursday, 29 January 2004
More questions on reservation data shared by NASA, Northwest, & KLM
The official agenda said yesterday's hearing by the USA Senate Committee on Science and Transportation on "NASA Future Space Mission" was supposed to "focus on President Bush's recent proposal to return astronauts to the Moon and expand human space exploration to Mars."
But Senators had more down-to-Earth concerns. In the event, "The meeting focused on Northwest Airlines' participation in a National Aeronautics and Space Administration research study designed to improve aviation security," reported Scripps Howard News Service.
Transcripts of the questioning won't be published for some time, and the witnesses' prepared statements didn't mention the Northwest Airlines (NW) / NASA privacy scandal. But reports on the hearing had somewhat different interpretations of what was said about NASA's use of the data:
The space agency planned to use its scientific and computational expertise to try to do a security analysis to find trends or patterns that might not be apparent.... But information on the ... disks was so elaborately encrypted that after a year of work, only two days worth of data could be extracted. (AP)
NASA analysts were able to extract only two days of passenger data after a year of effort.... Northwest's data-compression technique hindered NASA's analysts. (Washington Post)
What this really means, I think, is not that NW had actually "encrypted" or "compressed" the data at all, but that airline PNR's are stored and transmitted in extremely compact formats unfamiliar to those outside the industry.
These formats and data structures are typical of the global network of reservation systems, which place an exceptionally high priority on extreme backward compatibility with older, low-data-capacity "legacy" equipment installed in remote locations and used by smaller and poorer airlines around the world. They seem very strange, however, and take a long time to figure out, for people unfamiliar with travel industry protocols.
The established CRS's operate in a parallel universe with its own standards, often very different ones from those in other industries that have only more recently gotten into large-scale, truly global, real-time networking.
The difficulty smart, technically sophisticated NASA data analysts had in making sense of raw dumps of PNR data is indicative of the distance between the assumptions about reservations of people outside the airline industry -- such as those who have devised the CAPPS-II scheme -- and the reality. It should also be a warning about the surprises, the unexpected difficulties, and the massively higher costs they will find, compared to what they have naively expected, each time they try to test their CAPPS-II concepts against real reservation data.
At the same time that NASA as the recipient of NW reservation data was coming under questioning in the USA Congress, KLM Royal Dutch Airlines as the source of some of the data NW turned over to NASA was coming under scrutiny today on its home turf.
The latest issue of the newsletter of the European Digital Rights initiative reports that the Dutch civil liberties group Bits of Freedom (sponsor of the Big Brother Awards for the Netherlands), "will ask the Dutch Data Protection Authority to investigate the transfer [of PNR data], the role of KLM and to order KLM to notify the passengers involved."
KLM is the most obvious, but not the only, other company at risk: Any company that collected passenger information in Europe, and transferred it to NW in the USA, is vulnerable to enforcement actions under EU data protection laws. That includes:
- More than 100 airlines that are represented in the EU and that have "interline" ticketing and reservation agreements that permit them, and their agents, to accept reservations and issue tickets for interline journeys that include NW connecting flights as well as their own flights.
- Thousands of travel agencies and tour operators throughout the EU who booked clients on NW flights. These include both storefront agencies and Internet travel agencies such as Opodo, eBookers, Expedia.co.uk, etc.
- The four major computerized reservations systems (CRS's) that accepted reservations from travel agents in the EU, and passed them on to NW: Amadeus, Sabre, Galileo (a division of Cendant Corp.), and Worldspan (which actually hosts NW's own PNR database).
Each of these companies violated EU and national data protection rules -- and, in the case of the CRS's, the EU code of conduct for CRS's -- whenever they passed on personal data to NW, unless they had agreements and procedures in place to ensure that NW would respect passengers' (and other data subjects') rights of access, notice, and consent to any disclosure of personal data.
Since few if any companies passing EU data to NW have, or had, such commitments from NW, all their transfers of personal data to NW (and other airlines in the USA) have been and continue to be in violation of EU laws.
It's the transfer of data across EU-USA borders to NW, without adequate protection against its subsequent misuse, that was and is illegal -- whether or not NW actually misused the data.
That means almost every time any travel agency, tour operator, CRS, or airline in the EU accepts a reservation for travel on an airline based in the USA, or that has its passenger database hosted in one of the 3 (out of 4 globally) CRS's that are based in the USA (all except Amadeus), EU law is violated, regardless of whether the data is passed on to the USA government or anyone else.
That wouldn't be a problem, or a violation of law, if the USA enacted an adequate travel privacy law. Now that EU enforcement agencies are beginning to pay attention, let's see if they notice the full extent of the problem, and demand that it be dealt with.
Wednesday, 28 January 2004
USA airlines ask Congress to merge US-VISIT and CAPPS-II
James May, President and CEO of the Air Transport Association, the trade association of USA-based airlines, told a very different story to Congress today than had been suggested by ATA press statements following last week's ATA meeting with the USA Department of Homeland Security on the privacy of travel records.
Testifying at the House Homeland Security Subcommittee hearing I talked about in this space yesterday, May made no mention of privacy policies or practices, either on the part of airlines or the government. Nor did he suggest that government programs for access to reservation data should be postponed until such protocols could be developed or put in place.
Quite the contrary. USA airlines want the US-VISIT program, designed to facilitate the collection of lifetime biometric and biographic travel histories on visitors to the USA, deployed without delay:
We support DHS in its efforts to create and implement US-VISIT.... We believe it is critical that DHS adhere to the planned schedule for deploying US-VISIT.
The only objection to government surveillance of travellers that was voiced by May on behalf of the airlines was to the possibility that airlines might have to conduct this passenger surveillance at their own expense:
ATA opposes any requirement that airline staff collect the biometric data, either at the check-in counters or at the departure gates. Airline personnel should not be used as quasi-immigration officers.
On the other hand, airlines have indicated no objection to the government forcing travel agents -- the people who actually create most airline reservations -- to function as unpaid "Homeland Security" surveillance and data collection agents for CAPPS-II and other programs.
The airlines' real objection seems to be to having to bear the cost of US-VISIT or CAPPS-II, not on principle to collaborating in the creation of permanent dossiers on airlines' customers. Airlines want to do the latter, as long as the government reimburses their costs and they get to keep the additional data for their own commercial purposes.
But USA government payments to USA-based airlines to offset "government-imposed security costs" are increasingly being viewed as a government subsidy to domestic airlines, since foreign airlines that serve the USA, and are subject to the same government requirements, aren't eligible for any of these funds.
For example, a 1 December 2003 policy paper from a coalition of European airline industry associations argued that:
Particular reference should be paid to the US, where US$5 billion in cash was granted to the country's air transport sector in 2001 and more than US$2.3 billion is being granted in 2003 to pay for security measures. The US air transport industry is clearly enjoying a competitive advantage vis-à-vis its European counterparts.
In the face of such objections from airlines serving the USA from abroad, the USA government will likely have to choose in the future to suspend reimbursement of security costs (losing the government the cooperation in security/surveillance schemes of USA-based airlines), include foreign airlines in the security-cost reimbursement program (increasing its cost by an order of magnitude), or face trade sanctions from the EU and elsewhere in retaliation for continued preferential security subsidies to domestic airlines.
As for the CAPPS-II program, which ATA members have claimed they would cooperate with only if ordered to do so by the government (although no airline has yet said they will try to contest such a legally questionable order), and which the government has claimed has absolutely nothing to do with US-VISIT, May quickly put the lie to all that:
The CAPPS II program ... may be adapted to also readily identify US-VISIT exiting passengers. We would urge that, as these programs develop, consideration be given to combining screening and exit processing.... We believe that the nation's interests will best be served by a seamless, fully integrated approach to passenger processing and screening.
That's a really bad idea that goes beyond anything the DHS has yet proposed, and would multiply the intrusiveness of both the CAPPS-II and US-VISIT programs.
US-VISIT is designed to facilitate the creation of a lifetime biographic and biometric travel history, stored in a DHS database, on each foreigner who has ever visited the USA. CAPPS-II would accomplish much the same thing for domestic travellers, forcing them to identify themselves and provide additional information each time they travel to enable airlines and computerized reservation systems (CRS's) to index reservation records into lifetime travel histories.
Even if the government doesn't itself keep CAPPS-II records, it could get access to CRS archives whenever it likes: under the Patriot Act, travel records can be requisitioned with a "national security letter", without a warrant or subpoena or judicial review, and the recipient of such a letter can be forbidden to reveal that information has been given to the government. Denials by airlines, CRS's, or other travel companies that they have furnished passenger records to the government cannot be taken at face value, since under the Patriot Act those denials could be government-ordered lies.
But integrating CAPPS-II with US-VISIT would make the process much easier by merging all four CRS's databases on travellers to, from, or within the USA with the US-VISIT database on travel by foreigners across US borders. (The Transportation Security Administration could still claim with a straight face that, "The TSA does not retain CAPPS-II data," since US-VISIT records are stored by a different division of the DHS.) The result would be a single comprehensive archive, in government hands, of lifetime records of the movements of everyone, foreigner or citizen, who has ever taken an airplane flight touching the USA, or crossed the USA border.
Also at today's US-VISIT hearing, Assistant Secretary of State Maura Harty boasted of the success of USA lobbying for an international agreement on remotely-readable RFID biometric passports:
We are also undertaking a massive effort to introduce embedded biometrics into the U.S. passport through the insertion of a contact-less chip, which will store biometric and biographic data including digital photos.... We recognize that convincing other nations to change and improve their passport requires U.S. leadership both at the International Civil Aviation Organization (ICAO) and practically by introducing these changes into the U.S. passport. Thus, the Department of State has underway a program that should result in the production of our first enhanced biometric passports using the ICAO standard of facial recognition techniques in October of this year and we plan to complete the transition to this new biometric passport by the end of calendar year 2005.... The U.S. has played a leadership role in ICAO working groups to advocate the successful inclusion of biometrics in travel documents.
It's clear from Harty's testimony that the USA is treating ICAO's decision as a fait accompli, despite the fact that the proposed RFID biometric passport standard isn't actually scheduled to be decided until the next meeting of the ICAO working group, 22 March - 2 April 2004 in Cairo.
It's becoming increasingly apparent that ICAO is on the verge of adopting an extraordinarily controversial item, without having involved the relevant stakeholders (e.g. travellers and consumer and privacy advocates) and without having given any serious consideration to its profound implications for privacy and civil liberties. ICAO needs to postpone its decision until after a full and open privacy impact assessment can be completed and its results considered in the debate.
Within the USA, similar arguments are being raised about the need to consider the privacy and civil liberties implications of government access to and commercial sharing of travel records, as FoxNews.com reports in Massive Travel Database Raises Eyebrows. And Business Week's Jane Black endorses my call for Congressional hearings on the use of travel data, and enactment of a Federal travel privacy law, in her latest Privacy Matters column: The airline-data mess should be cleared up.... It's time to regulate travel data.
Tuesday, 27 January 2004
A few of our favorite places
Airtreks.com staff recommendations
(from the January 2004 Airtreks.com monthly newsletter -- you can subscribe here at the lower left of the home page)
Travelers often ask our consultants, "Where do you think we should go?" Usually, our answer is, "Wherever you like!" Each of you, like each of us, has different tastes and interests, and no one place is best for everyone.
But all of us at Airtreks.com love to travel. Between us, we visit dozens of countries each year. We have our favorites, and we're the first to hear about it when air trekkers are starting to discover a new destination.
So we polled our staff of resident experts to find out where they recommend: the best place in the world to go right now. Our answers are as far-flung as our travels. Top picks for some of us who've been there include Zanzibar, Iceland, Capetown, and Syria. Inevitably, some of us start with the unmatched ethnic and cultural richness and diversity of India and China, which between them make up a third of the human world.
But there was also surprising agreement amongst our travel consultants, with two regions in particular getting our "go there now" nod:
A sizeable contingent of our staff points air trekkers to the South Pacific, especially New Zealand ("So much to do on each island, good land transportation, best weather right now, the scenery you've seen in the Lord of the Rings movies") but also Australia ("friendly people and so many great things to do").
Even more of our staff give their top recommendation to southern South America: Brazil (Carnaval is coming up in February -- check it out in Salvador or around Recife), Chile (the beauty of the Andes mountains, the city of Santiago, and "wineries to the north are wonderful day trips"), and the clear winner in our staff poll: Argentina and its queen mega-city, Buenos Aires.
Why? Diversity and beauty of the land. Wonderful people. (You could say that, truthfully, about almost anywhere, of course.) Music and dancing. Shopping. Excellent infrastructure. Great food ("steaks the size of shoes", elaborate European-style cuisine with the best and freshest local ingredients -- for peanut prices). Above all, "Great value for the money."
Wherever you're going, there are a couple of lessons here, especially about that, "value for the money":
- Don't let stories about the rise of the Euro confuse you about the cost of travel to the rest of the world. Yes, travel to Western Europe is more expensive for Americans than it was last year. But that's not a reason to stay home -- that's a reason to consider traveling further afield, to places where the U.S. dollar still goes much further than it does at home. Most air trekkers still find that their expenses on the road are substantially less than their living expenses were at home in the USA.
- Don't confuse bad news for locals with bad news for visitors. Reports about Argentina have focused on the fall of the peso, and the problems that has caused. As the local currency has collapsed against the dollar, local salaries and savings have lost two-thirds of their purchasing power. But that also means that the buying power of tourists' dollars has tripled, and that they can travel just as well on a budget a third the size of what they used to need.
And the warmth and sincerity of the welcome! Argentines know they live in a beautiful country that just a few years ago was expensive for foreigners on a budget. If they were Americans, they'd be jumping at the chance to visit Argentina now, while it's such a bargain. Like people in other such spots around the world, they welcome visitors and their dollars, and congratulate them on their good taste in choosing their vacation destination so well.
It's a great time to travel, and there are lots of great places to choose from. Overall, travel values have never been better. Go! And wherever you go, have a wonderful trip.
European Commissioner acknowledges need for USA airlines to respect EU privacy laws
In a letter dated 18 December 2004 to USA Secretary of Homeland Security Tom Ridge, European Commissioner Frits Bolkestein has clearly acknowledged the practical impossibility (as I've been discussing for months) of segregating personal data in airline reservations collected in the European Union from data collected in the USA or elsewhere:
I also understand that, when CAPPS II begins testing and even more when it becomes operational -- even if not at all applied to flights within the EU -- PNR data of some subset of passengers on such flights may emanate from the EU and that there is no reasonable or cost-effective mechanism for airlines or TSA to identify or filter out such PNR. I recognize that airlines are concerned that this situation might leave them vulnerable to enforcement action by data protection authorities in the EU Member States.
The letter from Bolkestein to Ridge, posted in a somewhat obscure location on the European Commission Web site, was brought to public attention by Member of the European Parliament (MEP) Marco Cappato. MEP Cappato's statement today says that by the letter, "The Commission hereby confirms its attitude of not taking into due account citizens' rights and the EP serious reservations on the issue of the transfer of personal data of transatlantic airline passengers to the US."
But while Bolkestein's comments were made in the specific context of CAPPS-II, the larger implication may be this:
If, as Commissioner Bolkestein has now admitted, some subset of passenger data on any flight may have been collected in the EU, and it is impossible for airlines in the USA to identify or filter out such data, then the only way airlines or other travel companies in the USA can ensure their compliance with EU data protection regulations is if they treat all PNR data as though it might have come from the EU, and handle all PNR's, even on domestic flights within the USA, in compliance with EU data protection standards. (Which of course they don't.)
The only legal way for airlines, CRS's, and other travel companies to withhold from customers in the USA the rights they are required to give EU customers would be if they tracked whether each item of personal data in each PNR originated in the EU. They don't, and their failure to do so -- or to treat all PNR's in accordance with EU data protection standards -- is the essence of their near-total disregard to date for any actual compliance with EU data protection laws, as applied to PNR (travel reservations) data.
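The provenance problem Bolkestein describes can be made concrete in code. The following is an added example, not code from the original post or from any airline or CRS: a toy PNR in which every personal-data item carries a tag for the jurisdiction where it was collected, plus a policy function that decides which data-protection regime the record must be handled under. The field names, jurisdiction codes and sample values are constructed assumptions, not any real PNR format. It shows the two consequences argued above: a single EU-collected item pulls the whole record under EU rules, and a record whose provenance was never recorded (the industry's actual situation) can only be handled safely as if it were EU data.

```python
"""Per-field provenance tagging for a passenger name record (PNR).

Added example, not code from the original post. Field names, jurisdiction
codes and sample values are illustrative assumptions, not a real PNR format.
"""
from dataclasses import dataclass, field
from typing import Optional

EU = "EU"
US = "US"
UNKNOWN = None  # provenance was never recorded, or was lost in a transfer


@dataclass(frozen=True)
class Item:
    """One personal-data item and the jurisdiction where it was collected."""
    name: str
    value: str
    origin: Optional[str]  # "EU", "US", ... or None when not tracked


@dataclass
class PNR:
    locator: str
    items: list[Item] = field(default_factory=list)


def required_regime(pnr: PNR) -> str:
    """Return the data-protection regime the whole record must follow.

    Any item collected in the EU pulls the entire record into the EU regime:
    the stricter rules travel with the data. Any item whose origin is not
    tracked must be assumed EU-collected, because nothing can prove otherwise.
    Only a record whose every item is provably non-EU may fall back to the
    weaker US practice.
    """
    for it in pnr.items:
        if it.origin == EU or it.origin is UNKNOWN:
            return EU
    return US


def merge(receiver: PNR, incoming: list[Item]) -> PNR:
    """Simulate a transfer between reservation systems.

    Provenance is copied along with each item. A system that keeps values
    but drops the origin is modelled by passing items with origin=None.
    """
    return PNR(receiver.locator, receiver.items + list(incoming))


def strip_provenance(pnr: PNR) -> PNR:
    """Model a CRS that stores values but no collection-point metadata."""
    return PNR(pnr.locator, [Item(i.name, i.value, UNKNOWN) for i in pnr.items])


def build_samples() -> tuple[PNR, PNR]:
    """Constructed sample records; names and values are fictitious."""
    domestic = PNR("ABC123", [
        Item("passenger_name", "DOE/JANE", US),
        Item("phone", "+1 415 555 0100", US),
        Item("payment_card", "4111********1111", US),
    ])
    # Same US-domestic itinerary, but one contact field was entered by an
    # EU travel agency that booked the trip on the traveller's behalf.
    mixed = merge(domestic, [Item("agency_contact", "agent@example.eu", EU)])
    return domestic, mixed


if __name__ == "__main__":
    domestic, mixed = build_samples()
    print("fully tracked, all US:", required_regime(domestic))
    print("one EU item appended:", required_regime(mixed))
    print("provenance dropped:", required_regime(strip_provenance(domestic)))
```

The design choice worth noting is the default: an untagged item is treated as EU data, not as "domestic until proven otherwise". Flipping that default is exactly what lets a system claim it has filtered out EU records when it has no evidence either way.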
MEP Cappato's statement continues:
We appeal to the President of the EU Privacy Authorities, Stefano Rodotà, to formally intervene to ask for provisions and sanctions to be applied against current illegal practices. And we ask national privacy authorities to take measures where they have powers to do so, such as in Italy. We do not understand why President Rodotà and national privacy authorities do not activate the national and European instruments at their disposal to have the laws applied and citizens' rights respected.
The real question now is not just what will be done by European authorities about CAPPS-II, but what will be done about the larger issue of compliance with EU data protection rules throughout the handling of PNR data in the USA.
Hearings on US-VISIT, but ...
The Subcommittee on Infrastructure and Border Security of the USA House Select Committee on Homeland Security will hold a hearing on the US-VISIT program tomorrow, 28 January 2004.
As I've discussed in previous articles, the US-VISIT program has come under intense worldwide criticism for subjecting foreign visitors, including tourists and people merely changing planes in the USA, to photographing and fingerprinting like criminals, and for its use in compiling lifetime travel histories on all visitors to the USA.
But don't expect tomorrow's Congressional hearings to call attention to the controversy. In addition to representatives of the architects of the program from the Departments of Homeland Security (Undersecretary Asa Hutchinson, who just yesterday told an AP interviewer the DHS would order airlines to collaborate with CAPPS-II testing) and State, the one-sided witness list (as of the close of business today in Washington) includes the following people:
- James May of the Air Transport Association, the lobbying group for USA-based airlines, which has just announced that its members won't go to bat for their customers to contest the imminent DHS security directive ordering them secretly to turn over all their reservation records for tests of the CAPPS-II passenger profiling and surveillance system
- Dennis Carlton of the International Biometrics Group, one of the DHS contractors sharing in the US$10 billion US-VISIT jackpot and likely to profit further if ICAO's proposed worldwide requirement for biometric travel documents is approved
- Kathleen Campbell Walker of the American Immigration Lawyers Association, who has testified previously to Congress in support of both biometric travel documents and government access to airline reservation data well in advance of flights
Privacy? Surveillance? Collection of travel dossiers? Impact on tourism and other travel to the USA? Fuggedaboutit.
A full and fair hearing, indeed.
Monday, 26 January 2004
"Our privacy laws are rather primitive" - ACLU
USA Undersecretary of Homeland Security Asa Hutchinson reportedly told an AP interviewer today that the DHS has decided to order airlines to turn over passenger reservation records to the DHS for tests of the CAPPS-II passenger profiling and surveillance system.
The DHS claimed to have been considering a public rule-making process, but has apparently decided simply to issue a security directive (probably secret) to the airlines to order them to turn over passenger data. In addition to intimate details about airline passengers, airline PNR's also contain extensive personal information on people who make reservations but choose not to travel, airline and travel agency workers, people who arrange travel for friends or family members or business associates, and people who pay for others' tickets. All of these groups -- most of whose rights haven't even been considered in the DHS Privacy Act notices about CAPPS-II -- would have their privacy violated by CAPPS-II testing.
There was no report today on whether the DHS would simultaneously be issuing the other directives required for CAPPS-II.
As I've reported earlier, DHS Chief Privacy Officer Nuala O'Connor Kelly told me in an interview in November 2003 that people about whom information is to be used in CAPPS-II tests will "almost certainly not be given any opportunity to opt out" of being used as data guinea pigs.
Since there is not (yet) any USA privacy law for travel records, USA citizens may not even be entitled to know if their reservations have been given to the DHS for CAPPS-II tests or other purposes. But EU citizens are entitled under the EU data directive to know to whom their reservations have been disclosed. All EU citizens travelling to, from, or within the USA, on either USA or foreign airlines, should make a formal request to the airline and to their national data protection authority, after each flight, to find out if their reservations for that flight were given to the DHS for CAPPS-II tests. Since the tests may be conducted with archived, "historical" data for past flights, it would be a good idea for EU citizens also to ask each airline on which they have previously flown to, from, or within the USA which of their past reservations have been provided to the DHS, and for what purpose. For good measure, ask each of the big four CRS's (Sabre, Amadeus -- including its Airline Automation subsidiary -- Worldspan, and Cendant's Galileo division), since the DHS could get PNR's directly from them without going through the airlines. That's probably the only way we will find out which past or present flights are being used for CAPPS-II testing.
Questions continue to be raised about the passenger records Northwest Airlines turned over to NASA for use in some of the earlier experiments in passenger profiling, in editorials with titles like Big Brother Air, and in these from the Scripps-Howard News Service and the Mankato [MN] Free Press (from a region where Northwest Airlines has a near-monopoly on service to smaller airports).
Joyce McGreevy in Salon.com (cookie acceptance and viewing of an ad required) takes note of the State of the Union address:
The president assured us at the top of his address that "analysts are examining airline passenger lists." But give credit where credit is due. Let us not fail to thank JetBlue Airways and Northwest Airlines for reportedly supplying passenger data, without which the government might have had to do its own violating of federal and state laws, thus taking time away from the important business of detaining readers of the Farmer's Almanac.
And the American Civil Liberties Union has sent a letter to European Commissioner Frits Bolkestein "to report what may have been a violation" of the EU Data Directive. The ACLU letter points out that, "In light of the fact that Northwestern has a partnership with the Royal Dutch Airlines (KLM) through which it provides one-stop reservations and ticketing it is almost certain that at least some of these improperly disclosed passenger records belonged to citizens of the European Union."
The ACLU suggests that Bolkestein and the Commission "may wish to conduct an investigation of Northwest's information collection and dissemination practices, full notification to all individuals affected by this disclosure and the imposition of all appropriate civil penalties."
More importantly, perhaps, in light of ongoing USA-EU discussions on transfers of passenger data, the ACLU says that:
We also believe that this latest revelation calls into question the ability of the US to honor any promises made regarding the transfer of air passenger data. Sadly, our privacy laws are rather primitive and the unrelated uses of private data that are prohibited in Europe occur far too often.
Two members of the House Committee on Government Reform, Representatives Lacy Clay and Carolyn Maloney, have sent written questions to the U.S. Census Bureau, as have members of the Census Advisory Committee, seeking clarification of whether Census data has been, or could be, "mined" for data used for law enforcement or "Homeland Security" targeting or profiling.
In this vein, the Washington Times reports on Cendant's plans to integrate its customer databases, including travel reservations from the Galileo CRS (a Cendant division) and other Cendant travel, direct marketing, and data mining divisions. It's exactly the sort of data "sharing" within the travel industry that raises privacy concerns even if the government isn't involved, and that wouldn't be allowed if companies like Galileo and the rest of Cendant actually complied with the privacy laws of the EU, Canada, or the other countries where they operate.
The Washington Post has a contrasting report on last Friday's meeting between USA-based airlines and the DHS. The Post focuses on the changes in airline-industry procedures that would be required in order to notify travellers about CAPPS-II and other government uses of travel records: "The cost of installing privacy policies throughout the industry could easily run into 'hundreds of millions' of dollars." (That's just for policy changes, not the infrastructure changes required to collect and transmit the additional data required for CAPPS-II.)
But the Post says, strangely, that "the industry has been too slow to inform customers when it shares data with the government even though airlines have clear policies explaining how they might share customer information with travel-related companies." That may be what airlines told the Post, and what they want trusting travellers to believe, but it's nonsense. Most airlines and travel companies have no policies whatsoever explaining their data-sharing practices for most reservations.
If travel companies have privacy policies at all, they generally apply only to data collected through their Web sites, and don't mention important categories of companies with which data is shared -- especially the CRS's. I know of no airline, CRS, or major travel agency that is prepared to provide a traveller, on request, with copies of their archived PNR's, which would be the first step toward compliance with EU and Canadian law. (Chief privacy officers from CRS's and mega-agencies with millions of customers have told me this wasn't necessary because no traveller has ever asked them for their personal travel records. If so, that's because -- in violation of EU and Canadian law -- travellers aren't informed of their right of access.) And, of course, the privacy policies that do exist are routinely violated by standard industry practices.
Business as well as leisure travellers are beginning to demand improvements in travel privacy policies and, more importantly, privacy practices. Even before the Northwest scandal, the Business Travel Coalition had called for industry-wide ground rules and safeguards with regard to passenger data. Members polled by the BTC are concerned about both the Northwest scandal and CAPPS-II, as discussed in BTC chairman Kevin Mitchell's new blog.
Those concerns are shared by the Association of Corporate Travel Executives, which has said there is a need for changes in IATA regulations on privacy of business data in reservations and has filed critical comments on CAPPS-II.
There's no quick fix in sight, but at least there's a growing consensus on the need for action.
Thursday, 22 January 2004
"Homeland Security" meeting today with USA airlines on data privacy
Northwest Airlines, the Air Transport Association (ATA), and the USA Department of Homeland Security (DHS) are putting very different spins on their meeting today on CAPPS-II and the privacy of airline passengers, held while angry travellers jammed the phones at the ATA headquarters to complain about past and possible future violations of their privacy and warn airlines of the likely backlash if they fail to stand up for their customers' privacy.
Reuters and an early report by the AP quoted an ATA statement and comments by ATA spokesperson Doug Wills on what the airlines told the DHS, with AP saying, "the airlines expect to hear details [from the DHS] about the steps being taken to protect travelers' privacy," as though all the risk of misuse of information were from the government, and what's needed were steps by the DHS.
And an ATA spokesperson told me after the meeting that, contrary to some reports that billed the meeting as an airline "summit" on CAPPS-II and privacy, there was actually no discussion of the airlines' own privacy policies. The regularly-scheduled quarterly meeting of chief operating officers of the major "network carriers" was simply the opportunity for an exchange with the DHS on DHS data protection protocols.
But a later report by the AP, Airline industry to work on privacy issues, said, "Major airlines agreed Thursday to work with the Homeland Security Department on ways to protect traveler privacy," and quoted DHS Chief Privacy Officer Nuala O'Connor Kelly as lecturing the airlines on best practices, as though the problem were with the airlines' practices: "'It's more than a privacy policy on a Web site,' Kelly said. 'It's having good internal protocols.'"
And the Minneapolis Star Tribune , Northwest CEO urges new 'data protection protocol' , and Information Week , Northwest CEO Urges Airline Execs To Talk Privacy , relying on statements from Northwest Airlines (NW), said "Northwest Airlines Inc. CEO Richard H. Anderson recommended that the Air Transport Association discuss developing a data-protection protocol to address privacy concerns about passenger data," as though NW -- which is still claiming it was "appropriate" to give its files on as many as 10 million passengers to the government -- had something to teach the rest of industry other than by negative example.
All we really have to go on for what happened at today's meeting are self-serving statements by NW, ATA, and the DHS, each trying to pose as privacy advocates in spite of their dismal track records of unconcern for passenger privacy. IT and security executives in other industries are looking for lessons in the airline privacy scandals -- see these stories in CIO magazine and CSO magazine -- but neither the airlines, the CRS's, nor the DHS have cleaned up their act, or even really acknowledged that they are the cause of a privacy problem.
Most ATA members don't have any privacy policies for most of their reservations: an ATA spokesperson admitted that their only privacy policies are those on their Web sites, which in almost all cases apply only to reservations made through the airlines' own Web sites, not the majority made through other channels. So far as I've been able to tell, no ATA member includes their privacy policy as part of their conditions of carriage -- if they have one at all, it's outside the actual contract, and thus of ambiguous enforceability.
A second class action lawsuit has been filed against NW in Federal District Court in Minnesota, this one by the same law firm that represents the plaintiffs in one of the pending suits against jetBlue. The New York Times has an interesting analysis of the difficulty of making a case in the USA, in the absence of a Federal privacy law, and the fact that, "In Europe what Northwest did is clearly illegal."
This isn't the first time ATA has met with the DHS on CAPPS-II, according to the ATA spokesperson I talked with after the meeting. And ATA says that, "In the future, we expect to have additional discussions with Homeland Security officials and airline officials on this subject." But ATA represents only airlines based in the USA. The much larger number of airlines based in other countries, but flying to the USA, would be equally impacted by CAPPS-II. Yet so far as I've been able to find out, the DHS has never met with the International Air Transport Association, presumably because IATA's members would be more likely to insist on compliance with international privacy laws and norms, and reimbursing airlines worldwide for CAPPS-II costs would be many times more expensive than just reimbursing USA airlines.
If there's any real disagreement between the DHS and ATA about CAPPS-II, it's about who will pay for it. According to ATA's spokesperson, "We still support CAPPS-II. We just feel that the burden of its cost shouldn't be borne entirely by the airlines."
When I met with European Commission staff members in Washington in November, they were extremely interested in the possibility that the USA might reimburse USA-based, but not EU-based, airlines for CAPPS-II or other security costs. It's highly likely that the EC would construe such preferential reimbursement as a preferential government subsidy to domestic airlines -- over and above current protectionist USA laws benefitting domestic airlines -- and would impose reciprocal trade sanctions against airlines from the USA flying to the EU.
This week there's been a flurry of editorials raising questions about CAPPS-II in newspapers across the country, including USA Today, the Denver Post, the Rocky Mountain News, the Boston Globe, and the Washington Post. (And then there's the satirical commentary.)
But there's no reason to expect meetings between travel companies and the DHS, who have already collaborated in several years of successive tests of airline passenger profiling schemes, to answer the questions about CAPPS-II, or resolve the privacy problems posed by government-industry sharing of passenger data.
- If the DHS Chief Privacy Officer were really concerned about protecting privacy, rather than making excuses for privacy-invasion and surveillance programs cooked up by the NSA and its friends in military intelligence, she'd order a halt to the program, not harangue the airlines.
- If the airlines really cared about their passengers' privacy, they'd put strong privacy guarantees in their conditions of carriage, lobby publicly against CAPPS-II, and promise to publicize and contest in court any government request or order to turn over passenger data.
- And if NW had learned anything about respect for its customers' privacy, they'd start with a public apology and an admission that they did wrong.
The only way passengers' and the public's concerns can be addressed is if the process is conducted in public, and if passengers themselves, and consumer and privacy advocates who represent them, are involved. The only way that is likely to happen is through the Congressional process of investigation, hearings, and legislation.
Business Travel News points out that the same day that G.W. Bush boasted in his State of the Union Address that "Each day ... analysts are examining airline passenger lists", British Airways CEO Rod Eddington was telling another Washington audience across town that, "A unilateral imposition of longer term security measures can be counter-productive". Eddington singled out demands by the USA for passenger data from the EU in his call for "More co-operation and consultation between governments" on security demands affecting airlines. The complete text of Eddington's op-ed earlier this month in the Financial Times on USA "security" demands, previously mentioned in my blog, has now also been posted on the British Airways web site.
British Airways was the only airline to file comments on the DOT's initial CAPPS-II proposal, in which it raised questions -- still unanswered, and entirely ignored in the DHS analysis of comments -- about its incompatibility with EU and other countries' laws.
Sen. Gordon Smith of Oregon has become the first member of Congress to demand answers as to what NASA did with Northwest Airlines reservation data, sending a list of written questions to NASA and the CEO of Northwest. Meanwhile, DontSpyOn.US and the Washington Times have more details on the census data used in the same NASA research as the NW reservations.
The Northwest privacy scandal has also fueled the fires of public skepticism in the European Union as to whether travel companies in the USA, or the government of the USA, can be trusted to police their privacy practices without independent oversight.
I've received no news of what happened yesterday and today in the European Parliament's Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE). But Members of the European Parliament (MEP's) are continuing to raise questions about the proposed agreements with the USA on passenger data transfers and CAPPS-II testing. The (lengthy) committee agenda included consideration of the status of discussions on transfers to the USA of airline passenger data, as well as a draft European Parliament resolution which:
Reiterates that EU data protection rules are seriously infringed when personal data are, without informing and obtaining the consent of the data subject, transferred or accessed directly and systematically by a third state party or law enforcement authority, notably when data are collected for another purpose and without judicial authorisation, as in the case of US authorities accessing transatlantic passenger data collected in the EU by airline companies and electronic reservation systems.
On 18 December 2003, the Belgian national privacy commission ruled that the rights of MEP, LIBE Committee member, and EP rapporteur on privacy Marco Cappato had been violated by United Airlines (UA), Continental Airlines (CO), and Delta Air Lines (DL). The ruling (en français) was based both on Belgian law and the particularly strict privacy provisions of the EU code of conduct for computerized reservation systems ("systèmes informatisés de réservation, SIR").
In a statement preceding this week's LIBE Committee meetings, MEP Cappato said (in translation from the original Italian):
On the occasion of tomorrow morning's meeting in Brussels of the EP Civil Liberties Committee, I will draw colleagues' attention to the opinion of the Belgian Privacy Committee, with a view to deciding in the next weeks on the possibility of challenging the EU Commission before the European Court of Justice concerning the violation of EU law on privacy. The Belgian document has also been sent to the Privacy Authorities of EU Member States, and to the Belgian Minister of Justice. I hope that they will assure that laws are respected. I address myself to the Italian Privacy Authority, and notably to its Chief, Stefano Rodotà, currently also President of the EU Privacy Authorities working party, to ask him to intervene at the national and European level so as to assure that the law and the corresponding adequate sanctions are finally applied.
Elsewhere in Europe, German data protection commissioner Peter Schaar said in an interview with the Frankfurter Allgemeine Zeitung that the handling of passenger data in the USA "does not meet EU privacy standards." As the interview points out, Schaar is "a member of the Article 29 Working Party advising the European Commission on privacy issues. The working party, composing all of the EU's privacy commissioners, is currently drafting a recommendation on demands made by the United States government for information on airline passengers." Schaar also spoke out against both US-VISIT and the proposals for biometric passports.
Wednesday, 21 January 2004
Passengers sue. Airlines circle the wagons.
The first consumer class action lawsuit against Northwest Airlines by a passenger was filed Tuesday, 20 January 2004, in U.S. District Court in St. Paul, Minnesota, the Federal judicial district that includes NW's headquarters, the Minneapolis Star Tribune reports . The plaintiff's attorney, Shawn Raiter , "said he expects other class-action lawsuits to be filed across the United States in other court jurisdictions."
Today's Washington Post says that, in response to the Northwest Airlines (NW) scandal, the Air Transport Association (ATA), the lobbying association of USA-based airlines, "will meet in Washington this week to discuss the development of an industry-wide privacy policy to protect consumers."
A more accurate statement might be, "... to protect airlines against legal liability." Almost every ATA member (and more than 100 other airlines around the world) has an interline ticketing agreement permitting them and their agents to make reservations for journeys including NW flights. They have collected personal information from passengers and third parties, and passed it on to NW, without having any contractual commitment from NW, or any operational protocols, to ensure that it wouldn't be further "shared" -- as, in fact, it was, with NASA and who knows how many others.
Virtually all passenger name records (PNR's) contain data from multiple sources that has been transferred between different companies through the network of reservations systems.
The holding of ATA's first-ever meeting on privacy policy and personal data sharing is thus a damning admission that the airline industry has no standards, agreements, or procedures in place to protect the privacy of travel data when it is passed between travel companies such as airlines, travel agencies, tour operators, and CRS's.
But the place to determine global public policy on issues like privacy is in the legislature or another public forum, not a private conference of corporate executives who have in common only their business -- not public -- interests and their demonstrated historical lack of concern for the impact on their customers of their data interchange procedures.
In the USA, the most obvious objection to the ATA meeting is its apparent violation of anti-trust law. Congress has given airlines a limited exemption from anti-trust law to participate in IATA "traffic conferences" (international price-fixing meetings). But that exemption extends neither to ATA meetings, nor to collusion on contract terms, such as privacy policies and conditions of carriage.
Concern for possible anti-consumer airline collusion on conditions of carriage is well-founded: almost all ATA member airlines already have suspiciously similar language in their conditions of carriage requiring passengers to "consent" to submit to search and provide government-issued documentary evidence of their identity.
Left to their own devices, USA-based airlines would probably all agree to require passengers to "consent" to personal data sharing, with few if any meaningful constraints, as a condition of air transportation. Such an agreed-upon united front by the airlines would leave would-be air travellers no meaningful alternative -- other than to walk or bicycle across the country -- and render their so-called "consent" meaningless.
In the European Union, Canada, and other countries where airlines (including those from the USA) have promised to abide by legal privacy protection codes, the absence of privacy protocols or formal agreements governing current transfers of personal data within the industry raises more serious issues of lack of legal compliance, and breach of the promises made to those countries' authorities.
Wired News says EPIC's European representative, Cedric Laurant, expects a "heated discussion in the European Parliament" when the debate on passenger data transfers to the USA, originally scheduled for today but now pushed down on the agenda , resumes Thursday in Brussels.
As it becomes more and more evident that airlines aren't complying with existing EU privacy laws, it becomes ever less likely that EU agencies will approve demands by the USA for even greater mandatory collection, government access, wider dissemination, and free sharing with travel companies in the USA of travel data collected in other countries, for CAPPS-II and other surveillance and monitoring programs.
That's not a problem ATA, or any private or national organization, can resolve. What's needed is a comprehensive international dialogue and privacy impact assessment of travel reservation data, to include CRS's, airlines (represented internationally through IATA, not just ATA), other travel companies (travel agencies, tour operators, reservation software companies, etc.), national and regional (e.g. EU) data protection authorities, and consumer and privacy advocates and NGO's.
In the meantime, as long as USA-based airlines and their European and worldwide partners are in such manifest violation of the EU data protection directive, without even the pretense of privacy commitments from their data interchange "partners", the EU should close the door -- promptly and firmly -- to any continued sharing with the USA government of data collected in the EU by airlines, CRS's, travel agencies, or tour operators.
And the EU should set a firm deadline -- 90 days, perhaps -- for airlines and travel companies that want to collect personal data in the EU, and pass it on to CRS's or other airlines and travel companies in the USA, to complete the first phase of the privacy impact assessment I've just described. If they don't, enforcement action to prohibit commercial sharing of travel data between the EU and the USA, and suspension of the right to operate in the EU for companies that fail to comply, is long past due.
Tuesday, 20 January 2004
EPIC files complaint against Northwest Airlines; EFF calls for Congressional hearings
The Electronic Privacy Information Center (EPIC) filed a complaint today with the USA Department of Transportation (DOT), asking DOT to take action against Northwest Airlines (IATA code "NW") for turning over 3 months of passenger name records (PNR's) to NASA for use in development and testing of passenger-profiling schemes .
Reuters says the DOT immediately issued a statement which, "noted that airlines are not prohibited by law from providing or selling passenger information such as passenger lists."
I'm not surprised by the DOT's lack of enthusiasm for pursuing the case: enforcement of consumer protection laws, especially on privacy and Internet issues, has had the lowest possible priority for the DOT's tiny enforcement division.
DOT has been in the forefront of deregulation, from the Airline Deregulation Act of 1978 (the first major deregulation legislation, predating the Reagan Administration) to its decision on New Year's Eve of 2003 to entirely eliminate the 20-year-old regulations that have protected consumers against anti-trust collusion by the computerized reservation system (CRS) oligopoly (more on that story in the future, I promise). The limited DOT enforcement staff has focused on safety and pricing issues, not data protection.
The difficulty of getting a reluctant and understaffed DOT to act on a complaint like EPIC's latest against NW is exacerbated by a gap between the relevant agencies' conceptions of their jurisdiction, as I learned while researching The Practical Nomad Guide to the Online Travel Marketplace (see pp. 254-262).
Senior DOT enforcement attorneys told me that the DOT and the Federal Trade Commission (FTC) had "concurrent" jurisdiction over privacy protection, truth in advertising, and other consumer protection issues involving airlines. But since the FTC takes the lead on such issues for other industries, especially when the Internet is involved, it knows more about them, and the DOT leaves them to the FTC. DOT attorneys were horrified -- both on laissez-faire principle and because of the extra work it would entail -- at my suggestion that they had any significant responsibility for policing deceptive advertising and privacy practices by the airlines, especially on the Internet.
FTC staffers, on the other hand, told me that the DOT has primary, if not exclusive, jurisdiction over anything related to the airlines, including privacy and consumer fraud. So the FTC has never initiated an enforcement action against an airline on any of these issues.
The end result is that sales of airline tickets -- by far the largest single category of e-commerce -- have almost completely fallen through the cracks of Federal enforcement of basic truth-in-advertising and consumer fraud rules, and have never taken their rightful place at center stage in debates about Internet privacy and consumer protection.
The DOT has brought a token few enforcement actions against out-and-out scams involving airline ticket sales on the Internet, but so far as I can tell, an action against NW for breach of privacy promises would be the first privacy action ever for the DOT.
The only visible protest against this sorry situation for travel consumers has come from state consumer protection authorities. In 2000, 43 state attorneys general sent a joint letter to Congress urging the repeal of Federal preemption to permit enforcement of "state laws prohibiting unfair or deceptive business practices or unfair methods of competition with respect to air transportation or the advertisement and sale of air transportation services." But Congress has, to date, shown no interest in restoring even limited state jurisdiction over fraud by airlines.
EPIC's complaint cites the promise made to the European Union by the DOT that the EU can rely on the DOT to police the data protection practices of airlines and travel companies in the USA, and points to the "virtual certainty that ... European citizens' personal information comprised part of what was disclosed to NASA" by NW (and KLM).
EU authorities will no doubt be watching closely to see if the DOT keeps its word, since the willingness of USA authorities to enforce voluntary pledges of compliance with privacy codes is the keystone of the so-called "Safe Harbor" scheme negotiated by the USA to permit personal data transfers from the EU to the USA in spite of the lack of adequate (by EU and international standards) privacy law in the USA.
NW hasn't certified itself as being in compliance with the "Safe Harbor" rules. Indeed, the only airline on the Safe Harbor self-certification list is Continental Airlines (CO). But CO has had a code-share agreement with NW since 1998, meaning that some CO flight numbers are and were actually operated by NW.
So "system-wide" NW data provided to NASA would have included data on flights booked and ticketed in the EU, by EU citizens, as CO flight numbers, under a "safe harbor" pledge.
CO's current privacy policy, obviously rewritten since the jetBlue Airways scandal, gives "consent" for all sorts of invasive practices. But depending on what CO's privacy policy (if any) was at the time, the CO/NW codeshare flights could provide one of the first direct tests of the effectiveness of the supposed "Safe Harbor" enforcement system: CO made promises to EU citizens, collected their personal data, and then transferred it to NW in the USA -- without, so far as I can tell, having any agreement or systems in place to control NW's subsequent nonconsensual use and further disclosure of the data.
And this is nothing exceptional. "Airlines and government agencies have routinely exchanged passenger information for decades," concludes Minnesota Public Radio (transcript; audio) after interviewing industry experts.
Not surprisingly, questions are already being raised in Europe as to whether, in light of the latest NW scandal, the USA can be counted on to keep its promises to the EU about the use and dissemination of PNR data obtained under other programs such as APIS (the subject of recent negotiations), US-VISIT, or CAPPS-II. And we still don't know the full extent of what data was disclosed, to whom, or who still has copies of it.
What is to be done? The Electronic Frontier Foundation (EFF) is calling for a Congressional investigation and hearings (statement; fax and e-mail forms). The Business Travel Coalition, after a survey showing widespread concern by corporate travel executives, has called on NW to apologize to passengers for the breach of privacy and for trying to deny it.
Monday, 19 January 2004
How the USA honors the memory of M.L.K., Jr.
It's a national holiday today in the USA in honor of the birth anniversary of Dr. Martin Luther King, Jr.
So what stirring story of the progress of American freedom and racial tolerance do I wake up to?
French fury over US treatment of air staff (free registration and cookie acceptance required)
The article is worth reading in full, but here's the gist:
It seems that the USA is now requiring a personal interview with a TSA specialist, on each arrival in the USA, for foreign-citizen airline staff born in specified countries (all of which have Muslim-majority populations) -- even though they already have multiple-entry professional visas, and could be questioned and investigated as thoroughly as desired before those visas are issued.
It also seems that there are no such TSA specialists in Cincinnati, even though it is an international airport and Delta Air Lines hub, served by regular flights on Delta's "Skyteam" marketing partner, Air France.
Since knowledge of multiple languages is one of the most important qualifications for flight attendants, and many Air France passengers are travelling to and from points beyond France in Africa, Asia, etc., it should be no surprise that many Air France flight attendants were born outside France, and are either immigrants or children of French parents born abroad.
So what has happened? According to the Telegraph (UK):
One Moroccan-born stewardess who flew into the city was prevented from leaving when officials could not conduct her interview. Instead, she was driven for eight hours to Atlanta, nearly 500 miles away, and forced to fly back to France as an ordinary passenger.
And now the TSA has issued a new directive:
The directive ... advises Air France not to use the foreign-born crew members on flights to Cincinnati because airport staff there lack the facilities needed to conduct the security interviews.
Let's get this straight: the TSA is telling Air France to discriminate against members of its staff -- French citizens holding valid professional visas to the USA -- in assignments to flights to the USA, on the basis of their country of birth.
If an airline or company based in the USA did that, it would constitute illegal discrimination based on national origin.
So the USA is ordering Air France to engage in discriminatory practices that would be illegal for a USA company.
Ah, but they're French, which makes everything different, doesn't it.
Where's Dr. King when we need him?
[Addendum, 20 January 2004: Earlier report with more details (in French) from Le Monde: Le personnel navigant d'Air France soumis à un 'circuit spécifique' d'entrée aux Etats-Unis ("Air France flight crews subjected to a 'special procedure' on entry to the United States"). And the first report, apparently, from L'Humanité (13 January 2004): Obsession: Ces français indésirables ("Obsession: These undesirable French"), which says, "La phobie des Etats-Unis sur la sécurité aérienne instaure une discrimination inacceptable vis-à-vis des Français nés hors de France" ("The United States' phobia about aviation security establishes an unacceptable discrimination against French citizens born outside France"). The print edition of L'Humanité reportedly also included a reproduction of the TSA directive; if anyone has a copy, please let me know.]
Northwest Airlines admissions on lack of privacy safeguards
Northwest Airlines (NW) released a statement last night attempting to explain why CEO Richard Anderson said in September 2003, "Northwest Airlines will not share customer information, as JetBlue Airways has", when in fact -- as NASA documents released to EPIC under the Freedom of Information Act show -- NW had done exactly that. NW says that, "At the time Mr. Anderson answered this question, he had no knowledge of the Northwest Security Department's provision of passenger data for the NASA research study."
That might well be true -- and if so, it's an incredible indictment of the (lack of) privacy protection, awareness, and safeguards on the part of NW and, unfortunately, most other travel companies. JetBlue Airways, some of you may recall, also said that its CEO had been unaware that a complete copy of the company's entire reservation archive had been given to a military contractor.
Consider what this means for Northwest, jetBlue, and companies like them:
- Complete control and authority over the most sensitive personal information about travellers, including authority to disseminate it in bulk, has been delegated to second-level departmental managers.
- No safeguards or procedures are in place that would require consultation of, or notice to, the CEO or a privacy officer (so far as I can tell, neither jetBlue nor Northwest had, or yet have even now, a designated privacy officer) for disclosure of passenger data, even on the largest possible scale.
- No privacy or data protection and security audits or reports are made that would bring such disclosure or dissemination of sensitive customer data to the attention of the CEO or Chief Privacy Officer.
There's no hint of apology in the NW statement, by the way: "Northwest believes that it was appropriate to provide [passenger reservation] data ... to NASA".
Meanwhile, DontSpyOn.US and the Washington Times (Study used census information for terror profile) dig into the implications of the use of both NW passenger name records and 1990 U.S. Census data in the same NASA study.
Not surprisingly, some (former) NW customers, even at their headquarters hub in Minneapolis/St. Paul, are saying they will never fly Northwest again. And I've already heard from at least one Twin Cities privacy attorney researching a possible lawsuit against NW on behalf of passengers.
If you're interested in an overview of US-VISIT, CAPPS-II, and other privacy issues related to travel records, I'll be speaking on Tuesday, 27 January 2004, from 6-8:45 p.m., at the Claremont Branch of the Berkeley Public Library, 2940 Benvenue Ave. (at Ashby), on "The monitoring and surveillance of visitors and travellers in the USA."
And I've gotten approval from the program committee for this year's Computers Freedom and Privacy Conference (also in Berkeley, coincidentally, 20-23 April 2004), for a "Birds-Of-a-Feather" (BOF) session on "Travel Data and Privacy", most likely Thursday night, 22 April. BOF's are usually quite informal and relatively unstructured, but I would welcome suggestions for the agenda from any of you planning to be at CFP and interested in participating.
As always, the latest details are on my events page.
Sunday, 18 January 2004
Northwest Airlines gave NASA millions of PNR's
In late 2001, as several airlines and private contractors were using archived Passenger Name Records to test new concepts for profiling of airline passengers, Northwest Airlines (NW) gave CD's containing PNR's for perhaps 10 million or more NW passengers to the USA National Aeronautics and Space Administration for testing of airline passenger profiling concepts.
NASA's request for NW passenger data had been known of for more than a year: it was revealed in documents obtained by the Electronic Privacy Information Center (EPIC) under the Freedom of Information Act, and had been mentioned in the New York Times in 2002 and in much more detail in the Washington Times, NASA sought airline records (27 September 2003).
But it hadn't been known whether NW had acceded to the NASA request, until EPIC obtained another batch of documents from NASA last month, in response to further FOIA requests. Those documents were revealed in today's Washington Post along with a response from NW; there are responses from NASA in today's San Jose Mercury News and New York Times.
NASA requested system-wide Northwest Airlines passenger data from July, August and September 2001. According to the Post, NW said it actually provided data for October through December 2001, which if system-wide would include PNR's for more than 10 million passengers. Neither the documents posted by EPIC nor the comments from NW in the Post make clear whether the NASA request was granted in whole or only in part.
"System-wide" NW data would include flights operated by Northwest to and from Amsterdam and other points in the European Union, and flights not touching the USA operated by KLM Royal Dutch Airlines (KL, part owner of NW) with NW code-share flight numbers within the EU and between the EU and other parts of the world. And even domestic NW flights within the USA include many flights with KL code-share flight numbers.
(I think code-sharing should be prohibited as fraudulent, but that's another story, which I've written about previously. Legitimately or not, there are NW flight numbers on flights within the EU, and KL flight numbers on flights within the USA.)
So it's highly likely that the data given to NASA, even if it was less than "system-wide", included passengers on flights sold under the label of an EU airline. And it's certain that, even if it excluded international or code-share flights, the data given to NASA included large volumes collected in, and transferred from, the EU, Canada, and other countries.
Unlike jetBlue Airways, which has no "interline" agreements, NW has interline ticketing agreements permitting more than 100 other airlines around the world, and their appointed agents, to issue tickets including NW flights. And like most other airlines (but again unlike jetBlue) NW outsources hosting of its reservation database to one of the big four computerized reservation systems (CRS's), in NW's case the Worldspan CRS.
Through Worldspan and the network of travel reservation systems, other airlines, other travel services providers (hotels, car rental companies, tour operators, etc.), other CRS's, and tens of thousands of travel agents can create and/or enter data in PNR's that include NW flights. All those companies -- but especially KL and Worldspan -- are now at risk of consumer litigation and regulatory enforcement actions in various countries. They'll have to choose between joining with NW in trying to defend against those claims, or joining with consumers to pursue their own claims against NW for violating their customers' privacy.
NW, KL, Worldspan, and other travel companies are likely to face especially severe scrutiny and legal liability in the EU. An agreement with the USA on transfers of passenger data was proposed by the European Commission in December, just before the European Parliament and most other EU bodies recessed for the holidays. Consideration of a working document on "Transfer of data on trans-Atlantic flights: situation concerning negotiations with the USA" is on the agenda this week when Parliament's Committee on Citizens' Freedoms and Rights, Justice and Home Affairs returns from the recess for meetings scheduled in Brussels all day Wednesday and Thursday, 21-22 January 2004, to start its new session. Presumably, the latest revelations about NW -- and their implications for KL, Worldspan, and other travel companies based or doing business in the EU -- will be on the table too.
EU authorities need to ask whether, when KL passes reservation data collected in the EU to NW in the USA -- or when any travel agency or tour operator in the EU collects passenger data and passes it to an airline or CRS in the USA -- there are agreements and oversight mechanisms in place to ensure the protection of passengers' privacy under EU laws.
The fact is that there are rarely any such protections. When I talked with aviation consultant Bob Mann about the passenger profiling tests he helped conduct in 2001 (more on those below), he said that, (1) no one involved with the tests had ever raised a question about privacy -- Airline Automation, Inc. was considered to own the data and assumed they could use it for anything they liked, which is true with respect to USA law, and (2) it never occurred to him or anyone else that EU laws or any other countries' laws could apply to PNR's from flights within the USA.
While the jetBlue and now Northwest scandals have been the most widely publicized, they aren't the only cases since 2001 in which real data from real airline reservations has subsequently been used -- without the knowledge or consent of the passengers -- for testing of passenger profiling systems.
In 2001, Airline Automation, Inc., a company which provides PNR data-mining services to several airlines, under agreements which permit it to retain the PNR data for later uses of its own, ran more than 5 million PNR's from its archives, originally obtained from multiple airlines, through an experimental system designed to test the prospects for identification of terrorists. Those experiments became public when they were described in detail by Bob Mann in a report (see page 23) by the Reason Public Policy Institute in May 2003, and further reported on my Web site a few days later based on my interviews with Mr. Mann.
(A report in the Wall Street Journal, 25 October 2001, entitled, "Nation's airlines adopt aggressive measures for passenger profiling", said that, "Airline Automation Inc. ... uses reservation and ticket data to draw up marketing profiles of passengers for more than a dozen airlines clients, including Delta Air Lines, Alaska Airlines, Continental Airlines and American. Airline Automation's records may be the closest thing there is to a national database of airline passengers.")
In mid-2002, four teams competing for the prime "CAPPS-II" contract were awarded smaller "proof of concept" contracts to test their systems. Each received several million real PNR's from multiple airlines -- undoubtedly including data collected in the EU and other countries -- which they used in their tests. In at least one of those cases, reported last year first on my Web site and some months later in the London Times, those PNR's came -- either directly or by way of the USA Department of Transportation -- from the PNR archives of the Sabre CRS.
There's no telling how many more cases like these there may have been, or how many other companies you've never dealt with directly, or even heard of, may have received your travel records.
Nonconsensual "sharing" of customer data within the industry, and with government agencies, is the rule, not the exception, in the travel industry.
Regulatory authorities and the public in the EU have, until now, focused their attention on transfers of passenger data to the government of the USA. But the larger and more routine violations of EU data protection laws and the EU CRS regulations occur when travel data collected in the EU is transferred -- without the privacy safeguards required by EU law -- to commercial entities in the USA, including USA-based airlines and CRS's. These violations of EU privacy law are flagrant, large-scale, long-standing, and ongoing.
Unlike the EU, the USA has no general data privacy law, and the piecemeal approach to privacy protection in the USA through industry-specific privacy laws (primarily for financial and medical data) hasn't yet been extended to travel data.
What's needed, as I've argued in my analysis of CAPPS-II, is either a comprehensive federal data privacy law on the Canadian, EU, and general international model, or a Federal travel privacy law giving at least as much protection to travel reservation records as is currently provided for financial and medical data.
The first question many people have been asking about the Northwest scandal is, "Isn't that illegal?" Unfortunately, the problem isn't that NW broke the law -- which would present a relatively straightforward enforcement problem -- but that NW's abuse of most customers' privacy may not have broken any USA law.
EPIC announced today that they plan to file a complaint with the USA Department of Transportation "alleging that Northwest's disclosure constitutes an unfair and deceptive trade practice". And numerous consumer class-action lawsuits are likely to be brought against NW, as they have (thus far only in preliminary stages of litigation) against jetBlue.
Unfortunately, NW's privacy policy only applies to data collected through the NWA.com Web site. Like most airlines and CRS's, NW has no privacy policy whatsoever regarding the vast majority of reservations made through travel agencies or tour operators, over the phone, in person at NW ticket counters, or through airlines with which NW has interline agreements.
The primary problem this episode reveals is not the need for enforcement of existing USA law, but the need for new USA federal law and enforcement of EU and other countries' laws until the USA brings its privacy protection legislation into line with international human rights norms.
The NASA and NW documents obtained by EPIC show that NASA returned the original CD's on which NW had provided the PNR data. But the documents don't show, and neither NASA nor NW has yet said, whether NASA has any controls in place that would reveal whether it retained copies of all or part of the data, or with whom the data might have been "shared" while NASA had it.
Travellers whose privacy may have been compromised are unlikely to get the answers to any of these questions without a full-fledged Congressional investigation, including public hearings, on protection, sharing, and privacy practices and policies for travel reservation data.
There have been persistent calls for a Congressional investigation of the jetBlue Airways privacy scandal, and the sharing of the entire jetBlue PNR database with a U.S. military subcontractor. Both the Army and the Chief Privacy Officer of the Department of Homeland Security promised to investigate their department's roles in the jetBlue scandal, but no reports have yet been made public. Written questions from members of Congress about the jetBlue scandal, CAPPS-II, and government use of PNR's haven't received even courtesy replies from the TSA, DHS, and DOD.
The latest revelations about NW reinforce a pattern of unconcern for privacy, breach of public promises, and widespread unauthorized dissemination of sensitive passenger data, both within the travel industry and between industry and government. Clearly the problem, and the need for Congressional scrutiny and action, extends beyond these few well-publicized scandals.
What can be done?
Write to Congress -- today. Tell them you want:
- A Congressional investigation of privacy practices throughout the travel industry;
- Public Congressional hearings;
- Termination of CAPPS-II and any other government programs to mandate collection of data on travellers or turn that data over to the government; and
- A Federal law protecting the privacy of travel data.
[Addendum, 21 January 2004: If you've just arrived at this site, there's more background information on this topic in my earlier article on Total Travel Information Awareness, the index of postings in the Privacy and Travel category of this blog, and this September 2003 interview with me from NPR on Privacy, travel records, and the jetBlue scandal (4 minutes, Real Audio).]
New book. New events.
This week for my birthday I received the first advance copy of the 3rd edition of The Practical Nomad: How to Travel Around the World (grin) along with the news that by the time printing and bindery work is completed and the books are shipped first to distributors and then to bookstores, the new edition won't be in your hands until mid-February, a couple of weeks later than I had previously been told (gnashing of teeth).
If you've pre-ordered a copy, please be patient and accept my apologies for the slight delay.
The new edition will be launched with talks and book signings at two of my favorite places, Easy Going Travel Shop and Bookstore in Berkeley on February 19th, and Get Lost Travel Books in San Francisco on March 24th. See my events page for complete details on these and my other appearances.
It's more and more important for travellers to support independent specialty travel stores and other independent bookstores like those where I'm speaking, as there are fewer and fewer places to actually browse through travel books before you buy.
The USA's only national chain of specialty travel stores is discontinuing almost all sales of travel books: when I went into the local Rand McNally store here in San Francisco a few days ago, I was shocked to find their stock of guidebooks in the final stages of being removed from the shelves and replaced with more displays of luggage and Rand McNally's own maps and atlases. I've always found Rand McNally store staff knowledgeable and helpful, but they told me that this was a decision from headquarters, over which they had no control: the profit margins and revenue per square foot per month are higher for luggage and other products than for books. In San Francisco, we're lucky to have several independent bookstores with extensive displays of travel books, but that's not true in some of the other locations of Rand McNally stores.
Saturday, 17 January 2004
Come to the USA from Europe to buy a car?
Americans taking a long trip through Europe, and in the market for a new car anyway, often used to arrange to purchase a European car direct from the manufacturer or a dealer in Europe, pick it up in Europe (perhaps directly at the factory), use it for their European travels, and then have it shipped back to the USA at the end of their vacation.
Especially in the days before widespread availability of long-term automobile leases at reasonable prices, such an arrangement often cost less than the combined cost of renting a car for the duration of a lengthy European stay, plus buying a new car in the USA.
And a further incentive was provided by the fact that many European car makers charged more for the same models in the USA than in Europe, not just to cover the cost of shipping but because Americans were perceived as wealthier, and willing to pay more for the same vehicle than Europeans.
Some European car and motorcycle manufacturers still offer special packages for American buyers who want to take delivery in Europe of a new car certified for USA emissions and safety standards, use it in Europe for some time, and then have the manufacturer handle shipping it to the USA.
But the tables have turned.
With the rise of the Euro against the U.S. dollar, some European car companies are now deliberately pricing some vehicles in the USA substantially below their prices for the same models in Europe -- by more than the cost of shipping them back to Europe! Such lower pricing is necessary to compete in the American market, even if it reduces their profit margin on sales made in the USA.
Mark Lander reports from Munich in today's New York Times:
Ferdinand Dudenhöffer, director of the Center for Automotive Research in Gelsenkirchen.... raised eyebrows here recently with a study meant to dramatize how exchange rates can shake up the global auto industry. He showed that the euro had risen so much against the dollar that it would be cheaper for Germans to buy high-priced German cars in the United States and pay import duties and other costs to have them shipped back to Germany than to buy them at home.
One example used in the study was Porsche's new Carrera GT sports car, which costs $440,000 in the United States. Converting that into euros at $1.30 each yields a euro price of 338,462. Add 16 percent in taxes and that total rises to 392,615 euros. Getting the car back to Germany might add a few thousand euros. The Carrera GT, Porsche's most expensive model, sells for 452,690 euros in Germany....
"Even for a Rolls-Royce owner, 65,000 euros is nice money," Mr. Dudenhöffer said. "You can do something with that."
With the fallen (and perhaps still falling) U.S. dollar making the USA the bargain destination of the year for European travellers, and the great American road trip one of the big draws for USA visitors from Europe and other more crowded places, will we start seeing special packages for European vacationers who want to take delivery of a car in the USA, use it to explore America, and have it shipped home at the end of their holiday?
After all, what could be a more genuine way to experience the American way of life than to buy a car?
If you aren't from the USA, and want to try it, just be forewarned that -- unlike in almost any other country -- the procedures for purchasing, registering, and insuring a car, and for driver licensing, aren't standardized throughout the country, but vary drastically from state to state, as I discuss in The Practical Nomad: How to Travel Around the World. Try to get a local person familiar with the procedures in that particular state to help walk you through the paperwork and red tape.
Friday, 16 January 2004
How to encourage visitors to come to the USA
I was (not?) amused to receive a press release today from the "Office of Travel and Tourism Industries, International Trade Administration, U.S. Department of Commerce", informing me of the progress of the government's U.S. Promotion Campaign.
The USA has been one of the few countries without a government department or budget for the promotion of tourism. So the tourism industry welcomed the appropriation of US$50 million in February 2003 for "an international advertising and promotional campaign to encourage individuals to travel to the United States." That's a small fraction of the US$10 billion predicted budget for the US-VISIT visitor surveillance and tracking program, but it still seemed like a positive step.
A year after receiving the appropriation, the DOC is proud to report that... a request for proposals has been issued and the first grants may be awarded as soon as next month.
If you'd like to learn more, "The U.S. Department of Commerce has set up a U.S. Promotion Campaign reading room for the public." It's open only by appointment, and if you go, "Please note to enter a federal government building you must have a drivers' license, passport, or other government issued picture ID."
Dare I suggest that a more effective way for the government of the USA to "encourage individuals to travel to the United States" would be for the government of the USA to treat them like guests when they arrive, rather than like suspected terrorists?
"Statewatch" on proposed USA-EU agreement on airline passenger data
From the UK, Statewatch ("monitoring the state and civil liberties in the European Union") has a detailed report and analysis of the status and possible next steps in the EU on transfers of airline passenger data to the USA.
Statewatch editor Tony Bunyan summarizes the conclusions thusly:
It is very hard to see how the Commission can come to the conclusion that the safeguards on access to PNR data are "adequate" under Article 25 of the EC Directive on Data Protection. All the evidence coming out of the USA shows that this data will be: accessed by a multitude of agencies, is intended to be integrated into the US-VISIT and CAPPS II projects, and will be used to create lifetime travel dossiers on everyone flying to and travelling within the USA.
As the Statewatch analysis shows, the more closely one looks at the record of the European Commission's proposed agreement with the USA, and its presentation to the European Parliament at a joint committee meeting 16 December 2003, the more problems emerge. For example:
Replies by two Commissioners to questions put by MEPs on the Committee reveal other, deeper, problems. Commissioner de Palacio made the extraordinary statement that "the United States actually have a data protection system as well as a system for the protection of privacy". The USA does not have a data protection law and its Privacy Law only protects US citizens' rights not those of foreigners.
Commissioner Bolkestein also told the Committee that "only the Department of Homeland Security, not other agencies" would get access to passenger data unless there was a court order. This statement is incorrect.
The US-VISIT Program, Increment 1, Privacy Impact Assessment (dated 18.12.03) says that the information will be accessed by "employees of DHS components - Customs and Border Protection, Immigration and Customs Enforcement, Citizenship and Immigration Services and the Transportation Security Administration." The US-VISIT report adds that access will also be given to "consular officers of the State Department. Additionally, the information may be shared with other law enforcement agencies at the federal level, state, local, foreign or tribal level, who in accordance with their responsibilities, are lawfully engaged in collecting law enforcement intelligence information (whether civil or criminal)".
Thus numerous US agencies, at all levels, will "share" the information and add their own observations. During the negotiations on data protection clauses in the EU-USA agreements on extradition and judicial cooperation the US side admitted that they had no idea how many law enforcement agencies would have access to data collected from airlines computer reservations systems (CRS) in the EU.
Statewatch also analyzes "The next steps - a formal agreement has to be adopted by the Commission":
The agreement signed on 16 December ... has to be adopted as a formal decision by the European Commission.... The formal decision is taken by the Commission's Article 31 Committee comprised of representatives of each EU member state which decide by majority voting. The powers of the European Parliament to intervene are very limited, it can only pass a Resolution on the grounds that the draft implementing measure "would exceed the implementing powers provided for in the basic instrument". The EU's Article 29 Working Party on Data Protection also has to be consulted for its opinion - which is unlikely to be favourable as they have: "declined to adopt or approve the text, on the grounds that the transfer of PNR to the US are in any case illegal and nothing should be done to blur that fact".
Statewatch predicts that "the Commission will produce a draft at the beginning of February." It remains unclear when the actual text of the proposed agreement will be made public, or how many more surprises -- like the "side agreement" to allow use of data from the EU in CAPPS-II testing -- it may still hold.
Thursday, 15 January 2004
"Brazil vs. US: The Finger Affair"
My favorite source of news and views from Brazil, by Brazilians, in English, Brazzil.com, weighs in with this perspective by José Gurgel on the fingerprinting, photographing, and other entry requirements for Brazilian citizens visiting the USA, and USA citizens visiting Brazil. Here are some excerpts, but it's well worth reading in full:
Brazil has been harshly criticized for its decision to identify Americans arriving in its land, a process based solely upon the international principle of diplomatic reciprocity. However, nothing has been said about the grueling battery of interviews and bureaucracy that Brazilians have to go through to simply obtain an entry Visa to the United States.
This is a process done by the American Embassy and consulates in Brazil that lasts hours and sometimes even days to be completed and requires travelers to disclose their income, purpose of travel, among other things, which many people consider an invasion of privacy. Not to mention the fact that after spending all the time to obtain the Visa any Brazilian can at any time be barred from obtaining said Visa depending simply upon whether or not the immigration agent "likes" that person.
In addition, the prohibitive costs associated with obtaining the Visa act as a first deterrence by those who desire to travel to the U.S. The costs, excluding travel costs for those who live in other cities without an American consular agency, revolve around US$ 100, not much until you consider the minimum wage in Brazil is set at about US$ 140 per month....
... The New York Times , in its January 9, 2004 edition, declared Brazil an ally "docile and reliable no longer," but the fact of the matter is that they should have replaced the words "docile and reliable no longer" with "subservient no longer." I think this is a better representation of Brazil's position when it comes to international affairs.
[Addendum, 15 January 2004: There's also this editorial today from Miami, the city in the USA most impacted by lost tourist revenue as a result of US-VISIT and the abolition of transit of the USA without visa: U.S.-VISIT still needs adjusting (Miami Herald).]
"Color it gone -- why TSA's new screening plan won't fly"
Today's Seattle Post-Intelligencer editorial on CAPPS-II
The Transportation Security Administration's latest flailing at airline terror risks has earned immediate and justified outrage. The color-coded CAPPS II proposal, a system of segregating passengers into presumed threat categories, is Big Brother played by Barney Fife....
Possibilities for abuse are legion. Derogatory colors could be slapped arbitrarily on dissidents, government critics and even on political activists to restrict their travels. Nothing more than a computer glitch -- or misreading of a foreign-sounding name, as in the Air France flight cancellations -- could brand an innocent flier passenger non gratis ....
Perhaps the proposal's worst failing is the false sense of security it may offer air travelers. Identities can be stolen, identification doctored, records altered. A committed terrorist would slip through such a system, while innocent passengers are delayed, inconvenienced, stereotyped and stigmatized....
This one won't fly.
Wednesday, 14 January 2004
More criticism of European Commission for "deal" on CAPPS-II testing
European Commissioner Frits Bolkestein is under increasing attack for the "deal" he has tried to make to turn over European Union airline passenger data to the USA, first for selling out EU citizens' privacy rights, and now for trying to keep the "side agreement" authorizing use in CAPPS-II tests of data from the EU out of the attention of the European Parliament.
In a statement today, the European Digital Rights initiative (EDRi) says:
Commissioner Bolkestein claimed that the use of EU citizens' personal data in the CAPPS-II system was explicitly exempt from the agreement a negotiation group he headed had reached with U.S. authorities. According to Commissioner Bolkestein, this exclusion was prerequisite to the Commission's agreement to the transfer of PNR data to the U.S.: "The arrangement will not cover the US Computer Assisted Passenger Pre-Screening System (CAPPS II)."
Commissioner Bolkestein mentioned CAPPS-II testing only at the tail end of the discussion in the European Parliament last month, in his final, impromptu responses to questions from MEP's. Presumably, he wouldn't have mentioned it at all had he not been asked about it specifically.
Even then he seemed (at least in the initial unofficial transcription and translation) to contradict his official, published report. While saying that CAPPS-II would require a separate agreement, he stopped well short of saying explicitly that such a separate "side agreement" had already been agreed to by the EC:
Ms Buitenweg asked me about CAPPS II. That is not part of the agreement. We have agreed to run a trial, to make a trial run on CAPPS II, but those data will be immediately destroyed and any further exercise involving CAPPS II will be subject to a new and separate agreement.
According to Andreas Dietl, EDRi's EU Affairs Director:
It is a shame that Commissioner Bolkestein has tried to mislead the European Parliament on the nature of the draft agreement dealt out with the U.S. Department of Homeland Security.
It is now clear that the Commission has agreed to the abuse of EU citizens' personal data to test a surveillance system that in its very nature is against the principles of EU data protection legislation. The claim by the U.S. that the data used for testing purposes will be deleted thereafter is merely a joke: The data will still be available in the Computerized Reservation System (CRS), where it can be accessed by government agencies at any time.
In not mentioning this side agreement, Commissioner Bolkestein has come close to lying to the Parliament. If the Commission does not stop the transfer of personal data from the EU now, it is time to take them to the European Court of Justice for breach of Article 25 of the EU Data Protection Directive 95/46/EC.
[Addendum, 15 January 2004: The Register and EurActiv.com have picked up the story. As the typically acerbic John Lettice writes today in The Register, "Aside from not mentioning this (indeed, implying the contrary) when announcing the agreement, the Commission was silent on whatever safeguards it may or may not have implemented in order for this to have been permitted. There is, one might suspect, a certain implausibility to the US using live data under the public agreement, using the same data under the shadier CAPPS II testing agreement, and then not finding itself (oops...) getting mixed up."]
22 government agencies want airline passenger lists
Criticism of government demands -- especially from the USA -- for airline passenger data is being heard increasingly even from within the airline industry.
Today, Air Transport World reports that British Airways president Rod Eddington complained to an interviewer from the Financial Times that delays to BA flights to Washington last week were due, "in part, to the fact that a total of 22 different agencies claimed a reason to check one passenger list." Eddington also reportedly continues to object to USA demands for airborne guards with guns: "My starting position has always been that guns and planes don't mix."
In the same interview, according to another report in The Independent , "Mr Eddington revealed that last October the RAF scrambled two Tornado fighter jets to Heathrow airport when it was feared that an incoming service from Baltimore faced a hijack attempt. But the two men who were reportedly overheard saying 'we've been planning this for six months - let's do it' were debating the merits of a family reunion with a long-lost aunt."
Even in the USA, the airlines are beginning to go public with the objections that many airline industry insiders have been voicing privately to me for months. Referring to the proposed use of credit and financial records by the CAPPS-II airline passenger profiling and surveillance system, a spokesman for the Air Transport Association told the Chicago Tribune (free registration and cookie acceptance required), "we encourage the federal government to focus their search on law-enforcement databases.... I don't understand how somebody's Visa statement would help determine if he or she is a terrorist risk."
Meanwhile, in Sao Paulo, an American Airlines pilot and USA citizen who made "an obscene gesture" while being photographed on arrival in Brazil (in reciprocation of the photographing of all Brazilian visitors to the USA) was arrested and fined the equivalent of US$12,000. "American Airlines has agreed to pay the fine and has issued an apology", according to the BBC, although I can't find the apology on the American Airlines Web site (registration, cookie acceptance, and credit card details required).
I wonder what would happen to a Brazilian citizen who gave the finger to a Customs and Border Protection officer on arrival in the USA?
[Addendum, 15 January 2004: According to a reprint of Eddington's full article by EyeForTravel, Eddington also confirmed that, as I've previously suggested here and here, the source of the passenger data on which recent flight cancellations and delays have been based was the APIS system: "Throughout last week the passenger list of one of our Washington flights, the BA223, had to be checked by the US authorities. It was an extension of the APIS (Advance Passenger Information System) regulations which are now a requirement of the US for all overseas carriers." This immediate misuse of the newly proposed "agreement" with the European Commission on passenger data transfers is likely to heighten the pressure on the European Parliament not to approve the EC proposal.]
"Wanna Go Where Everybody Knows Your Name?"
How about everything else about you? (Reason Online)
Brian Doherty, who wrote the cover story in Reason's print magazine last year on John Gilmore's legal challenge to airline demands for identity documents (still awaiting a preliminary ruling, incidentally), steps back from the current CAPPS-II news to put it in a larger context.
Monday, 12 January 2004
"US loses its tourism allure"
Travel bureau Berg-Hansen commissioned the survey and was amazed by its results, reports newspaper Dagens Naeringsliv .
"We were very surprised that every second Norwegian thinks the USA is either an 'unattractive' or a 'very unattractive' destination," said Berg-Hansen's chief executive Per Arne Villadsen. "We think the survey clearly shows that the USA has an image problem."
Villadsen said he couldn't be sure why the US has lost its allure, but he thinks fear is a factor. "When flights to the US need to have an armed guard on board, Americans may feel safer," he said. "But for Norwegians, armed guards create uncertainty and uneasiness."
As I always remind travellers, please don't judge any country by its border guards.
USA will keep visitor travel histories for 100 years
A Privacy Impact Assessment for the US-VISIT program I've discussed in previous articles appeared last week on the Web site of the Chief Privacy Officer for the USA Department of Homeland Security.
The requirement for fingerprinting and photographing of visitors to the USA (except for short-term tourists from a few countries, almost all of them inhabited mainly by white people) has gotten most of the attention paid to US-VISIT. But the real privacy invasion feature of US-VISIT is buried deeply, and its significance evaded, in the Privacy Impact Assessment: US-VISIT will be used to maintain a lifetime travel dossier for anyone who ever visits the USA, just as CAPPS-II will enable the maintenance of lifetime travel dossiers on anyone who ever travels by air to, from, or within the USA.
US-VISIT will be many times larger and more complex than its predecessor systems, and is already drawing questions from within the security industry on feasibility as well as cost and civil liberties implications. But while it is unlikely to serve any real security function, it would effectively serve a surveillance function through the maintenance of lifetime travel dossiers on visitors.
In order to implement US-VISIT more quickly than would otherwise have been possible, it is being treated for Privacy Act purposes as merely a "modification" of existing systems, rather than a new system. The US-VISIT data flow diagram on page 4 of the Privacy Impact Assessment includes a "modified database" labelled "biographic and biometric travel history", to be included within the ADIS (Arrival Departure Information System).
These "travel histories" aren't mentioned anywhere in the so-called "assessment", which says of ADIS and other records only that, "The policies of individual component systems, as stated in their SORNs [System of Records Notices under the Privacy Act], govern the retention of personal information collected by US-VISIT." To find out anything about the policies governing these records, one has to look at the most recent SORN for the ADIS system , which was published in the Federal Register on 12 December 2003.
Only there, deep in the acronym soup at 68 Federal Register 69412-69414, does one learn that these records may be disclosed without restriction to any law enforcement agency in the USA or any other country (even if not actually relevant to any specific investigation) and, even more significantly, that "Records will be retained for 100 years." Full stop.
Even if you die, or become a citizen of the USA, the history of each of your prior movements in or out of the USA will still be kept for the full 100 years. This database of lifetime travel dossiers makes no sense as a security system, but it makes a lot of sense (from the perspective of the NSA types setting policy at the DHS) as a surveillance system.
In parallel with the deployment of US-VISIT to collect travel histories of international movements by non-USA citizens, the DHS is preparing to move forward on the CAPPS-II system, which would require additional "indexing" information in each airline reservation, so that the history of each person's air travels would become as readily accessible to the CRS's that host airline databases (and from them, on request, by the government) as a criminal history is today.
It's all part of a comprehensive array of overlapping programs for tracking people's movements and compiling them into lifetime dossiers recording both their international and domestic travels.
The DHS says, misleadingly, that the DHS itself won't retain CAPPS-II data. But the CRS's will be free to do so (and will have every commercial motive to do so), there are only 4 of them worldwide, and they are under no legal restrictions whatsoever, at least in the USA, on how they use their archives.
Right now, though, it's hard for a CRS or anyone else to tell which individual reservations, especially those under common names, correspond to the same person. The crucial significance of the CAPPS-II requirement to include a name, date of birth, etc. in reservations will be the ability it gives the CRS's (and anyone else with access to the archives) to identify all your reservations from different trips on different airlines, and construct a lifetime history of everywhere you've ever been on an airplane, who you went with, where you stayed, etc.
What data, if any, the DHS itself retains, is largely irrelevant as long as the CRS's remain free to retain, use, and sell CAPPS-II data -- supplied under government duress -- however they wish.
In interviews yesterday with Christopher Elliott and the Washington Post, and in a conference call with reporters today, DHS spokespeople reiterated that -- as I reported a month ago -- the DHS is preparing, if necessary, to issue (secret) "security directives" to the airlines to force them to implement CAPPS-II in spite of the objections of the airlines, their employees and customers, the public, and other countries' governments.
The Post reports that, "The European Union, whose passengers would also be rated and screened, have said the system would violate EU privacy laws, but it has allowed the TSA to use passenger data for testing purposes." It would be more accurate to say that, "The USA claims that the EU has agreed to allow the TSA to use EU data for CAPPS-II testing purposes."
In the press conference call today, DHS spokespeople claimed that there was a "side agreement" on CAPPS-II testing to the proposed USA-EU agreement on passenger manifest (APIS) data.
But there was no mention of any such side agreement when the proposal was presented to the European Parliament last month. I've looked carefully through the European Commission's report and the preliminary transcript and translation of the European Parliament committee meeting on the proposed agreement, and there's only a hint of a "side agreement" for CAPPS-II testing. All the other references to CAPPS-II exclude it categorically from the proposed agreement.
According to a report by the Agence Europe news service from Brussels over the weekend, a spokesperson for European Commissioner Frits Bolkestein confirmed the existence of the side agreement and "gave assurances that 'In the CAPPS II test phase, they (the Transport security agency responsible for developing the system) can use PPD [protected personal data] but only for testing the system. We also have commitments that this data will not be kept or used in any operational way'."
In light of the EC failure to disclose the side agreement earlier, the EC negotiators are likely to be in for a tough time with Parliament, which hasn't yet approved any part of an agreement with the USA. Some MEP's on the committee were already calling for legal action against the EC in the European Court of Justice for the EC's failure to enforce EU privacy law on passenger data transfers to the USA. The relevant committee was scheduled to hold its first meeting today since its holiday recess; I haven't heard if this subject was discussed, but it's sure to be back on the agenda at future sessions.
Ultimately, though, people in the USA can't rely on international or European law to protect our rights, or those of visitors to our country. If we don't want our travel history to be treated like a criminal history, or available for sale to all comers, we need a Federal data privacy law on the Canadian or EU model, or at least a Federal travel privacy law as strong as, or stronger than, existing Federal laws for financial and medical data.
(I'll be talking about the latest CAPPS-II developments, and what they mean, tonight on KGO-TV news on Channel 7 in San Francisco.)
[Addendum, 13 January 2004: I neglected to mention that at least the Privacy Act Notice and Privacy Impact Assessment for US-VISIT do say to whom you can complain if you think that fingerprinting and photographing visitors, and keeping the records for 100 years, invades their privacy: Steve Yonkers, US-VISIT Privacy Officer, telephone +1-202-298-5200. Yesterday was the deadline for formal comments on the proposal for 100-year retention of visitor travel dossiers. The notice claimed that, "DHS will make comments received available online at http://www.dhs.gov." But they said the same thing about the public comments on CAPPS-II, most of which still haven't been posted more than 3 months after the close of the comment period, so I wouldn't hold my breath.]
[Further addendum, 14 January 2004: EPIC's comments on the ADIS Privacy Act notice, US-VISIT, and the 100-year retention of travel histories include an excellent summary of the emerging international human rights norms of privacy protection, and how far short of them USA laws and regulations like this one fall.]
Friday, 9 January 2004
"Scenes From A Sad Airport"
Welcome to America. Please give us the finger. Smile for the camera. Now get the hell out (by Mark Morford, columnist for the San Francisco Chronicle's Web site, SF Gate)
This is long, but worth reading all the way through -- it gets better as it goes on.
It's OK, come on out of that plane. Ignore the stun guns and the growling dogs. America loves you....
Welcome to America, foreign traveler. Please hold still and place your finger here and smile for the camera and enjoy your first taste of our trademark, wickedly ironic and hypocritical joke about America being the land of the free.
My usual favorite of S.F. Chronicle and SF Gate columnists, Jon Carroll, also weighs in:
Let us today take a look at the US-VISIT program, which is, as the name implies, a government program designed to discourage people from visiting the United States.
Approximately 18 percent of Americans have passports, although it is unclear how many have used them. That means that if you have a passport and have traveled abroad, you are already in a distinct minority. This may be why you feel so isolated in America.
So most Americans have never been anywhere. The unknown is always more scary than the known, and when the unknown is the Whole World, that's a lot to be frightened of. Fear breeds hysteria, and now we are spending good money on policies that seem to protect us but do not in fact do so.
I couldn't have said it better myself.
[Addendum, 10 January 2004: In a more straightforward vein, yet another San Francisco Bay area newspaper, the San Jose Mercury News, had this survey of the impact of "Homeland Security" policies on inbound international tourism to the USA: Things were already rough for the tourism industry.]
Thursday, 8 January 2004
USA snooping on airline reservations violates so-called "deal" with EU
One of the major concerns of the European Union (and other countries) about the demands by the USA for access to airline reservations has been how that access could be limited and controlled.
In its report last month to the European Parliament, the European Commission noted the urgency of, "Replacing 'pull' (direct access by US authorities to airlines' data bases) with a 'push' method of transfer... The Commission is of the opinion that the rapid development and introduction of filter and 'push' technology is necessary." But, as the EC also noted, "It would be difficult to envisage obliging airlines, including US airlines, to adopt such a system, without creating a legal obligation for them to do so. There is currently no EU law or Community policy that obliges airlines to transfer PNR data in this way."
Unlike the USA authorities, the EC has actually consulted, to a degree, with industry: "The Commission's services held a second technical meeting with industry experts and various technology providers on 13 November. We learnt that these systems were technically feasible, but it is still unclear how they could best be implemented or supervised. It was also made clear at that meeting that implementation of a 'push' system could not solve the problem alone. Filters would also need to be installed. These filters entail significant costs for the airlines."
Under a "pull" system, the DHS has access to the CRS hosting each airline's database, and can query or "pull" any data in any PNR for any flight, at any time. Under a "push" system, a batch process by the airline or CRS when the flight departs would collect the PNR's for passengers actually on board (after any no-shows, last-minute cancellations, boarding of standby passengers, etc.), "filter" them to remove all data except that required and authorized for the DHS to receive, and "push" the filtered data for the flight to the DHS. Under a "push" system, the DHS would have no way to access any data except when it was pushed by the airline or CRS, on departure and after filtering.
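To make the difference concrete, here is an added example (my own illustration, not code from the EC report or any CRS) of the "push" batch with a filter, beside the unrestricted "pull". The PNR records, field names, statuses and the list of authorized fields are all constructed for the example; a real PNR carries far more data and a real agreement defines its own field list.

```python
from datetime import datetime, timezone

# Constructed stand-in for the fields a filter is authorized to forward.
# Everything else in the PNR (history, remarks, payment data) is dropped.
AUTHORIZED_FIELDS = {"record_locator", "surname", "given_name",
                     "flight", "date", "seat"}

# Only passengers actually on board are pushed; no-shows and cancellations
# never leave the CRS. (Status values are constructed for this example.)
BOARDED_STATUSES = {"boarded", "standby-boarded"}

# Constructed departure time of flight XX100 on 2004-01-08 (UTC).
DEPARTED_AT = datetime(2004, 1, 8, 15, 30, tzinfo=timezone.utc)

# Constructed PNRs: a boarded passenger, a no-show, a cancellation and a
# boarded standby passenger, each carrying sensitive fields a pull exposes.
CONSTRUCTED_PNRS = [
    {"record_locator": "ABC123", "surname": "DOE", "given_name": "JANE",
     "flight": "XX100", "date": "2004-01-08", "seat": "12A",
     "status": "boarded", "card_number": "4111-xxxx-xxxx-1111",
     "remarks": "TRAVELLING WITH SPOUSE",
     "history": ["created by agent PCC1", "seat changed 14B->12A"]},
    {"record_locator": "DEF456", "surname": "ROE", "given_name": "RICHARD",
     "flight": "XX100", "date": "2004-01-08", "seat": "14C",
     "status": "no-show", "card_number": "5500-xxxx-xxxx-2222",
     "remarks": "", "history": ["created by agent PCC2"]},
    {"record_locator": "GHI789", "surname": "POE", "given_name": "ANNA",
     "flight": "XX100", "date": "2004-01-08", "seat": "",
     "status": "cancelled", "card_number": "", "remarks": "",
     "history": ["created by agent PCC1", "cancelled by agent PCC1"]},
    {"record_locator": "JKL012", "surname": "LEE", "given_name": "SAM",
     "flight": "XX100", "date": "2004-01-08", "seat": "30D",
     "status": "standby-boarded", "card_number": "3400-xxxx-xxxx-3333",
     "remarks": "STANDBY", "history": ["created by airline desk"]},
]


def pull_pnr(pnrs, record_locator):
    """'Pull': direct access returns the whole PNR, any time, any status."""
    for pnr in pnrs:
        if pnr["record_locator"] == record_locator:
            return pnr
    return None


def filter_pnr(pnr, authorized=AUTHORIZED_FIELDS):
    """Keep only the authorized fields of one PNR."""
    return {k: v for k, v in pnr.items() if k in authorized}


def build_push_batch(pnrs, flight, departed_at, now,
                     authorized=AUTHORIZED_FIELDS):
    """'Push': after departure, return the filtered PNRs of passengers on
    board this flight; before departure there is nothing to send (None)."""
    if now < departed_at:
        return None
    return [filter_pnr(p, authorized) for p in pnrs
            if p["flight"] == flight and p["status"] in BOARDED_STATUSES]


def fields_exposed_only_by_pull(pnrs, authorized=AUTHORIZED_FIELDS):
    """Field names a pull reveals that a filtered push would never carry."""
    exposed = set()
    for pnr in pnrs:
        exposed |= set(pnr) - authorized
    return exposed


if __name__ == "__main__":
    after = DEPARTED_AT.replace(hour=16)
    print("push batch:", build_push_batch(CONSTRUCTED_PNRS, "XX100",
                                          DEPARTED_AT, after))
    print("pull of a no-show:", pull_pnr(CONSTRUCTED_PNRS, "DEF456"))
    print("only pull exposes:", fields_exposed_only_by_pull(CONSTRUCTED_PNRS))
```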
In any event, a "push" system hasn't (yet) been implemented. Instead, the USA Department of Homeland Security has been given direct access to each of the CRS's hosting reservations on international flights to or from the USA. There are no (technical or security) limits on that access: DHS staff with access to the CRS's have the capability to review the entire contents of any reservation in any of those CRS's, at any time.
In theory, the USA has agreed to policy limits on what data they will view. In particular, the DHS only claims the right to review PNR's for flights to, from, or within, the USA, and only once incoming flights depart their origin for the USA.
But the unique CRS "set addresses" (the CRS counterpart of IP addresses) assigned to the DHS make it possible to track and log each query they make to the CRS. And I've learned from a source familiar with those records of DHS use of their CRS terminals that the agreed-upon limits have not been observed:
"They [the DHS] pull flights to the US days, weeks before departure and list all PNR's. Then they pull each PNR and names that are "odd" they pull the history. It's bizarre! Their entries are: List the flight and all PNR's, then they start displaying each PNR, then they start looking at histories."
The "history" of a PNR is the "audit trail" that shows each addition, deletion, or change to a PNR (reservation, cancellation, confirmation, service or action request or acknowledgement, message from another CRS, etc.), who made each entry (by sign-in ID, travel agency or airline office "pseudo-city code", and set address), and the name of the person who requested the change to the reservation (the "received from" field).
I've also been told that DHS set addresses have been used to access PNR's for flights entirely within the European Union, and not touching the USA, in even more clear violation of EU law and USA government promises.
Workers with airlines and CRS's who are aware of this are, quite justifiably, concerned that they may be subject to legal liability, especially in the EU, for complicity in facilitating this illegal access to personal data protected by EU law.
The lesson here is that neither EU citizens nor anyone else can rely on the DHS to police its own practices or to comply voluntarily with self-imposed limits on access to, or use of, sensitive personal data. Citizens of the EU, other countries, and of course the USA itself should insist on both strong technical limits on access to personal information, and independent oversight authority with full investigative and enforcement powers to ensure DHS compliance with its legal commitments in the USA and abroad.
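Because every query from a government set address can be logged, the "independent oversight" called for above can be partly automated. The following added example (my own illustration, not a tool used by any CRS) checks a constructed query log against the three limits described in this article: only flights touching the USA, only after departure, and no PNR histories. The log format, set addresses, airport codes, flight schedule and command names are all constructed for the example.

```python
from datetime import datetime, timezone

# Constructed set addresses assigned to the government agency's terminals.
GOVERNMENT_SET_ADDRESSES = {"GOV1"}

# Constructed list of US airports; a flight must touch one of them.
US_AIRPORTS = {"IAD", "JFK", "MIA", "LAX"}

# Commands that reveal data the filter would never forward (constructed names).
COMMANDS_BEYOND_AUTHORIZED = {"DISPLAY_HISTORY"}

# Constructed schedule: (flight, date) -> scheduled departure in UTC.
SCHEDULE = {
    ("XX123", "2004-01-12"): datetime(2004, 1, 12, 15, 30, tzinfo=timezone.utc),
    ("YY777", "2004-01-06"): datetime(2004, 1, 6, 10, 0, tzinfo=timezone.utc),
}

# Constructed query log, one entry per line:
# timestamp set_address command flight date origin destination locator
# Lines 1-3 mirror the pattern quoted above (list a flight a week early,
# display a PNR, then its history); line 4 is compliant; line 5 is an
# intra-EU flight; line 6 is an airline agent, not a government terminal.
CONSTRUCTED_LOG = """\
2004-01-05T09:12:00Z GOV1 LIST_FLIGHT XX123 2004-01-12 LHR IAD -
2004-01-05T09:13:00Z GOV1 DISPLAY_PNR XX123 2004-01-12 LHR IAD ABC123
2004-01-05T09:14:00Z GOV1 DISPLAY_HISTORY XX123 2004-01-12 LHR IAD ABC123
2004-01-12T16:05:00Z GOV1 DISPLAY_PNR XX123 2004-01-12 LHR IAD DEF456
2004-01-06T11:00:00Z GOV1 DISPLAY_PNR YY777 2004-01-06 CDG FRA GHI789
2004-01-06T11:01:00Z AGT9 DISPLAY_PNR YY777 2004-01-06 CDG FRA GHI789
"""


def parse_line(line):
    """Split one constructed log line into a dict with a UTC timestamp."""
    ts, addr, cmd, flight, date, origin, dest, locator = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return {"ts": when, "addr": addr, "cmd": cmd, "flight": flight,
            "date": date, "origin": origin, "dest": dest, "locator": locator}


def check_entry(entry, schedule=SCHEDULE):
    """Return the list of policy limits this one query exceeds."""
    reasons = []
    if entry["origin"] not in US_AIRPORTS and entry["dest"] not in US_AIRPORTS:
        reasons.append("flight does not touch the USA")
    departed_at = schedule.get((entry["flight"], entry["date"]))
    # Unknown flights cannot be timed; they are still checked on the other rules.
    if departed_at is not None and entry["ts"] < departed_at:
        reasons.append("query before departure")
    if entry["cmd"] in COMMANDS_BEYOND_AUTHORIZED:
        reasons.append("PNR history is outside the authorized data")
    return reasons


def audit(log_text, gov_addresses=GOVERNMENT_SET_ADDRESSES, schedule=SCHEDULE):
    """Findings (line_no, set_address, command, reason) for government
    queries that exceed the agreed limits; other terminals are ignored."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry["addr"] not in gov_addresses:
            continue
        for reason in check_entry(entry, schedule):
            findings.append((line_no, entry["addr"], entry["cmd"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_LOG):
        print("line %d %s %s: %s" % finding)
```

On the constructed log this reports five findings on lines 1, 2, 3 (twice) and 5, and none for the compliant query on line 4 or the airline agent on line 6.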
Tuesday, 6 January 2004
European civil libertarians denounce USA use of EU data for CAPPS-II and other unauthorized purposes
My report here yesterday that the USA Department of Homeland Security is claiming the authority to use airline passenger data from the European Union to test the CAPPS-II passenger profiling and surveillance system has drawn immediate reaction from a leading European civil liberties coalition, the European Digital Rights initiative (EDRi).
The news release I received from EDRi isn't currently available on the EDRi Web site, so I'm reproducing it here in full:
Department of Homeland Security uses EU Air Passenger Data for Testing CAPPS-II
EU Personal Data in Maelstrom of U.S. Surveillance Networks
[European] Commission called to withdraw its finding of adequate data protection in the U.S.
Tuesday January 6th, 2004.
Personal data of EU citizens may, according to the EU Data Protection Directive, be transferred to foreign countries only if these have an adequate level of Data Protection. In the case of the Passenger Name Record (PNR) data transferred to the U.S., a senior U.S. official has now confirmed the data is already being used for purposes noncompliant with EU law.
After months of secretive negotiations with U.S. authorities, EU Commissioner Frits Bolkestein announced on December 16 that the EU would transfer up to 34 fields of personal data to U.S. authorities for every passenger travelling to the United States. This decision was based on a so-called finding of adequacy in which the Commission assumes the data will be treated in a manner compatible with EU Data Protection law.
In an e-mail to Practical Nomad editor Edward Hasbrouck, Nuala O'Connor Kelly, the Chief Privacy Officer of the U.S. Department of Homeland Security, has now confirmed that this is not the case. According to O'Connor Kelly, "the language of the agreement contemplates the use of data to test -- and only to test -- CAPPS-II". She continues: "We also stated publicly that we will immediately begin follow-on discussions with the EU in order to establish a framework for the transfer of PNR data for use by CAPPS-II operations once the system has been fully developed and deployed."
According to Bolkestein, in his deliberations before two Committees of the European Parliament three weeks ago, the exclusion of the CAPPS-II system -- also known as "Total Travel Information Awareness" -- from the scope of the agreement had been prerequisite for the issuing of the finding of adequacy. Summing up his negotiations with Tom Ridge, the U.S. Secretary for Homeland Security and Bolkestein's U.S. counterpart in the negotiations on airline passenger data, the Commissioner said: "In concluding my last round of discussions with Mr Ridge, I informed him that in the light of the narrower uses for PNR, the exclusion for now of CAPPS-II and all the other improvements they had made, I was prepared to propose that the Commission make a finding of adequate protection with regard to transfers of PNR to the US Bureau of Customs and Border Protection." And Bolkestein clarified: "The arrangement will not cover the US Computer Assisted Passenger Pre-Screening System (CAPPS-II)".
Andreas Dietl, EU Affairs Director of data privacy watchdog European Digital Rights, comments: "Either Commissioner Bolkestein has been lying to the Committees of the European Parliament, or the U.S. Administration is re-interpreting the outcome of the negotiations. This is just one more indication that, once the data has reached the U.S., it will inevitably, like in a Maelstrom, end up in surveillance networks where it can never be controlled according to EU law. CAPPS-II data is fed directly into the US-VISIT database network, which grants access to a whole range of government agencies, including all secret services. If the Commission cannot assure that the data will be treated in the U.S. in a manner compliant with EU law, it has the obligation to halt its transfer immediately."
Media inquiries:
T[elephone]: +32-2-660-47-81
M[obile]: +32-498-34-56-86
andreas@edri.org
[Addendum, 6 January 2004: The EDRi news release is now available here, but only in German. There's also an introduction in English and more related links in German on the same Web site.]
[Further addendum, 7 January 2004: The English-language version of the EDRi news release has now been posted on the EDRi home page. And there's more European reaction from Statewatch: USA to use EU PNR data for CAPPS II testing despite assurances no agreement covering it.]
Beware of travellers bearing almanacs
FBI Intelligence Bulletin No. 102 (from Cryptome.org)
FOR LAW ENFORCEMENT USE ONLY
TO: Law Enforcement Agencies
FROM: FBI Counterterrorism Division
December 24, 2003
Threat Level: Orange (High).
THE FBI INTELLIGENCE BULLETIN, DISSEMINATED ON A WEEKLY BASIS, PROVIDES LAW ENFORCEMENT WITH CURRENT, RELEVANT TERRORISM INFORMATION DEVELOPED FROM COUNTERTERRORISM INVESTIGATIONS AND ANALYSIS. THE INTELLIGENCE BULLETIN DOES NOT CONTAIN THREAT WARNING INFORMATION.
ITEM I: HSAS THREAT LEVEL RAISED TO ORANGE (HIGH)
On December 21, 2003, the Homeland Security Advisory System (HSAS) threat level was raised from Yellow (Elevated) to Orange (High), the second highest level on the HSAS, which characterizes the terrorist threat based on a five-tier scale of threat conditions and corresponding colors: Low (Green), Guarded (Blue), Elevated (Yellow), High (Orange), and Severe (Red)....
ITEM II: POTENTIAL TERRORIST USE OF ALMANACS
Investigation has revealed that terrorist operatives may rely on almanacs to assist with target selection and pre-operational planning. Almanacs, available both in print and online, provide comprehensive information on a variety of topics, including government, geography, vital statistics, the economy, health matters, science and technology, weather trends, and tourism. Information commonly found in almanacs that may be exploited for terrorist use includes profiles of U.S. cities and states and information on geographic and structural features such as waterways, bridges, dams, reservoirs, tunnels, buildings, and landmarks. This information is often accompanied by photographs and maps.
The use of almanacs or maps may be the product of legitimate recreational or commercial activities; however, when combined with suspicious behavior or other information such as evidence of surveillance activities, these indicators may point to possible terrorist planning. The practice of researching potential targets is consistent with known methods of Al-Qaeda and other terrorist organizations that seek to maximize the likelihood of operational success through careful planning.
During the course of authorized searches, traffic stops, and other contacts, law enforcement officers should be alert to the potential terrorist use of almanacs for pre-operational activities. Indicators of the use of almanacs for this purpose may include suspicious notations concerning high-profile locations such as tall buildings or landmarks and references to specific dates. Agencies should report any suspected use of almanacs in this manner to their nearest FBI Joint Terrorism Task Force.
Departments are requested to contact the nearest FBI field office or resident agency in their area should additional information be developed related to the above matter. Questions regarding the content of these Bulletins should also be directed to the nearest FBI field office or resident agency. Specific comments or suggestions about the format or content can be provided to [removed].
If this makes you want to carry an almanac (especially while travelling), or to place one conspicuously in your vehicle, keep in mind that second-hand almanacs can often be obtained free, or for only a dollar or two, from thrift stores or used book stores.
Remember, report all almanac sightings to the FBI! If you see an almanac, call the FBI at +1-202-324-3000, or write to them at the J. Edgar Hoover Building, Washington, D.C. 20535, USA. I'm sure that their operators are standing by, eager to take your calls.
Monday, 5 January 2004
USA starts fingerprinting visitors. Brazil reciprocates.
Effective today, the USA is fingerprinting and photographing all visitors arriving or departing from the USA except short-term tourist visitors from a few mostly Western European countries, and will retain the digital images in a new US-VISIT database.
Most countries have waived the usual international reciprocity of entry requirements when it comes to the USA. But not necessarily all countries: Brazil has imposed the same requirements on visitors from the USA to Brazil as are imposed on Brazilian visitors to the USA.
That should come as no surprise, as Brazil has been one of the few countries insistent on reciprocity, in an effort to negotiate mutually easier travel by both USA and Brazilian citizens between the 2 countries. Brazil has offered to lift its visa requirement for tourists from the USA as soon as the USA does the same for Brazilian tourists, and to lower the US$100 visa fee as soon as the USA lowers its US$100 tourist visa fee for Brazilian (and most other) visitors to the USA.
Brazil hasn't been fully reciprocal: USA citizens are still allowed to transit Brazil without visas, as long as they hold onward tickets and don't leave the transit area of the airport, even though the USA has completely abolished its transit without visa program, of which Brazilians travelling to and from Canada, Europe, and Asia via the USA (mainly LAX, MIA and JFK) were the biggest users.
Now, a Brazilian judge has ordered that as long as Brazilians must be fingerprinted to enter or leave the USA, USA citizens must be fingerprinted on entry to Brazil.
My friend Wayne Bernhardson, who writes the guidebooks to Southern South America in the Moon Handbooks series, notes that, "This matter is not so simple as it seems at first glance, as it appears to be the action of one indignant rogue judge....
"Both the Brazilian federal police and the mayor of Rio de Janeiro have already spoken out against it. The police, who handle immigration matters at the border, appear to lack the resources to carry out such an order, while the mayor of Rio is concerned that this will negatively impact tourism in the upcoming Carnaval season. Their objections appear to be purely pragmatic."
The USA, on the other hand, appears to be paying no attention at all to the likely effect on inbound international tourism, business travel, and visitor spending of more burdensome requirements and more intrusive scrutiny of visitors.
As Wayne Bernhardson also points out, Brazilians (and others) being fingerprinted in the USA "... will already have gone through an exhaustive US visa process that includes a personal interview at the US consulate in their own country." That's particularly onerous in large countries like Brazil, Argentina, Chile, Russia, etc., where the nearest USA embassy or consulate could be a thousand miles or more and a couple of days' bus ride away.
Meanwhile, airline pilots in the UK are reportedly refusing to agree to operate flights with armed guards on board. According to different reports, pilots have argued that:
- The presence of firearms will make flights less safe, not more safe,
- If there is so much danger that armed guards are required, flights shouldn't be operated at all, and
- Under international aviation law, any onboard guards must be subordinate to the command of the pilot, as the captain of a vessel in international airspace -- which hasn't been assured for so-called "sky marshals".
I'll be discussing the US-VISIT program, the Brazilian reciprocity policy, and the impact on travellers tomorrow morning (Tuesday, 6 January 2004) from 8:00-8:30 a.m. PST (16:00-16:30 UTC/GMT) on The Morning Show on KPFA, 94.1 FM in Berkeley, CA. For those outside the broadcast area, there's real-time streaming audio and archived audio files after the show.
[Addendum, 5 January 2004: More on the proposed uses of biometrics in passports, visas, and other travel documents and security systems, from The Economist, 4 December 2003: Prepare to be scanned. See the full story for details. Here's the conclusion: "Spurred by the misplaced enthusiasm of governments around the world, biometrics seem headed for dramatic growth in the next few years. But calm, public discussion of their benefits and drawbacks has been lamentably lacking. Such discussion is necessary both to prevent the waste of public money in the short term -- for the most part, the private sector has been wiser in its adoption of biometrics -- but also to regulate what will eventually have the potential to become a powerful mechanism for social control." (Thanks to Wayne Bernhardson for the reference.)]
[Further addendum, 6 January 2004: Audio archive of the KPFA segment with me on US-VISIT (20 minutes, 50 seconds). If this doesn't work with your browser, the full 2-hour show is archived on the KPFA Web site; the segment with me is from 1:10 to 1:32 of the archive file.]
USA uses airline reservation data as basis for flight cancellations and interrogations
As I was driving to Los Angeles (it's a nice place to visit, but I wouldn't want to live there) on Christmas Eve and Christmas Day, Air France (AF) flights to LAX were being cancelled on the instigation of the USA Department of Homeland Security. By the time I got back to San Francisco yesterday, more flights to the USA had been cancelled, including flights from London on British Airways (BA) and from Mexico City on Mexicana (MX). Passengers presenting themselves for check-in on the cancelled flights, as well as for other flights that were eventually allowed to proceed, were subjected to additional searching and interrogation before departure and/or on arrival in the USA. And people whose names match (or are considered to be similar to) names on passenger manifests, but who didn't show up for check-in, have been and continue to be sought for questioning by law enforcement and intelligence agencies in the USA, UK, France, and perhaps elsewhere.
Despite extensive news coverage of the flight cancellations, few questions have yet been asked about how the DHS got access to the passenger manifests, particularly for flights that originated in the European Union and that were cancelled 24 hours or more before their scheduled departures.
As I've reported here at length, the USA has demanded that all passenger airlines flying to the USA provide the DHS with "enhanced" passenger manifests at the time any flight bound for the USA takes off, under the "enhanced Advanced Passenger Information System (APIS)". (Strictly speaking, a "manifest" contains only names. The enhanced APIS data includes nationality, passport number, date of birth, etc.)
In the absence of any legal privacy protection for the APIS data once transferred to the USA, the enhanced APIS requirements are contrary to European Union data protection law. On 16 December 2003, following extensive negotiations between the USA and the European Commission, the EC proposed an "agreement" which would, if various conditions are met, permit the use in the enhanced APIS system of data collected in the EU.
Questions remain as to whether those conditions have been met, whether the agreement requires the approval of the European Parliament and/or the U.S. Senate (as a treaty), or whether the agreement is yet in force.
But even if the agreement were in full effect, it would only cover transfers of data on passengers actually on board at the time of flight departure.
From news reports, it is clear that the DHS obtained complete lists of names on reservations (even of people in whose name reservations were held, but who did not check in or board the flights), well in advance of flight departures. I can find no conceivable interpretation of the enhanced APIS agreement on transfer of passenger data, as it was presented by the EC to the European Parliament, that could include this transfer of data on non-passengers in its authorization.
One of the largest reasons for sending the passenger manifest only at "wheels up" is that until the plane is airborne it is impossible to know with certainty who will be on it, or who will board or be offloaded at the last minute. Any list transferred in advance of takeoff will inevitably risk including information on non-passengers, the more so the further in advance.
To date, no one has been arrested. No one is known to have tried to hijack or sabotage a plane. Of those names on reservations suspected of being potential terrorists, "One turned out to be a 5-year-old boy with the same name as a suspected Tunisian terrorist, another was an elderly Chinese woman and a third was a Welsh insurance agent," according to the Washington Post.
Some USA officials have said that some of those who held reservations but didn't show up for flights have "fled", and have tried to point to such no-shows as "suspicious". How Orwellian: if a suspect tried to check in, that would undoubtedly be pointed to as confirmation that there was a threat. But if a suspect doesn't check in, that too confirms that there was a threat.
All this really just confirms how little the DHS understands airline reservations -- even after years of development and testing of the CAPPS-II system for profiling passengers based on the contents of their reservation PNR's.
It would be extremely strange for there to be no no-shows, especially on a full long-haul holiday flight. Except for a few airlines that have abolished paper tickets, airlines have no certain way of knowing which reservations have been ticketed. Anyone can make reservations for anyone else, in any name, without the other person's knowledge. Travel agents sometimes make reservations for people who merely inquire about prices, since it's impossible to tell for sure at what price seats are available without confirming reservations. Sometimes the agent forgets to cancel the reservations, and sometimes the would-be passenger decides not to travel at all, and doesn't even know that reservations have been made in their name. Some percentage of ticketed passengers cancel or change their plans at the last minute, sometimes without bothering (or without being able) to notify the airline.
The bottom line is that until takeoff, any so-called "manifest" inevitably contains names and perhaps other data on people who aren't actually travelling, some of whom don't even know that their data is included.
This is a major flaw in the Privacy Act notice published by the DHS for the CAPPS-II system: the "Categories of Individuals covered by the system" are limited to, "Individuals traveling to, from or within the United States by passenger air transportation." But PNR's also include data on people who aren't travelling -- even people who never even bought tickets and may not even have known that reservations had been made in their name.
As I pointed out in my comments on the CAPPS-II Privacy Act notice, PNR's also contain personally identifiable data on numerous other categories of individuals not mentioned in the notice, including people who make reservations or pay for tickets for others, travel agents, and airline reservation staff. It's hard to say whether the omission of these other categories of data subjects from the notice is a sign of deception or ignorance on the part of the DHS, but either way it's a fatal flaw requiring re-publication of an expanded notice.
In the EU, it's clear that the transfer of reservations data (including data from PNR's for no-shows and other non-passengers), well in advance of flights, was not authorized by the proposed enhanced APIS agreement, which was limited to passenger data transferred only at takeoff.
Could there have been any other authority for the data transfer to the USA from British Airways, Air France, and the Amadeus CRS (based in Spain) that hosts their reservation databases? That's a question for the EC, the European Parliament, and the UK, French, and Spanish national data protection authorities to investigate, under the EU data protection agreement, national data protection legislation, and the EU code of conduct for CRS's.
Amadeus' employees -- already upset about the potential complicity of Amadeus in CAPPS-II -- will likely also raise more internal questions about whether Amadeus is already involved in CAPPS-II testing or other unauthorized and illegal data transfers, as it appears to be. (Like many other travel companies, Amadeus has been privately opposed to CAPPS-II, according to my sources. But like most other such companies, Amadeus has taken no public position on CAPPS-II.)
One disturbing possibility is that the USA is already testing CAPPS-II with data from the EU. Even domestic flights within the USA, of course, include reservations made in the EU and protected by EU law, as do flights by USA-based airlines. But the DHS, and its predecessor the Department of Transportation, seem erroneously to have assumed that only flights on EU airlines are subject to any EU jurisdiction.
In presenting the proposed enhanced APIS agreement to the European Parliament, Commissioner Bolkestein said categorically and repeatedly that the proposed agreement did not cover CAPPS-II, which would require further negotiations and a separate agreement. He made no mention of an exception for testing (or any other exception).
The DHS takes a different view of the proposed agreement, however. Nuala O'Connor Kelly, the DHS Chief Privacy Officer, told a Washington press briefing, and repeated to me in an e-mail message:
There should not be any conflicting reports on the use of the data under the agreement with the European Union; I was part of the briefing and it was quite clear: The language of the agreement contemplates the use of data to test--and only to test--CAPPS II.
There's no indication that -- if such language was actually included in the proposed agreement -- Members of the European Parliament were made aware of it. With Parliament in holiday recess for the last 2 weeks, I've been unable as yet to get any reaction to Ms. O'Connor Kelly's statement from the EC or MEP's. But the issue of passenger data transfers from the EU to the USA, what really happened with passenger records for the cancelled flights, the fate of the proposed enhanced APIS agreement and of CAPPS-II, and the non-compliance of BA, AF, and Amadeus with EU privacy law remain very much active on the European agenda for 2004.