Saturday, 31 January 2004

Canada proposes to follow USA lead on surveillance of travellers

The re-opening of talks between the USA and Canada on transfers of airline reservations (PNR's), and their use by government, also re-opens a long-running debate on this question within Canada.

I'm neither a lawyer nor an expert on Canadian Parliamentary procedure, but for those who are just now beginning to follow this story, here's my understanding of the state of Canadian travel data privacy legislation.

Since 1 January 2004, airline reservation data subject to Canadian jurisdiction has been protected by the Personal Information Protection and Electronic Documents Act, which generally restricts its use to the purpose(s) for which it was collected, except with the knowledge and consent of the person(s) to whom the data pertains, guarantees the right of access to information about oneself, and requires any recipient of personal information (whether in the private sector or the government) to agree to the same conditions.

The Canadian Personal Information Protection Act provides the best available model for what a consumer privacy law in the USA ought to, and could, look like. It accords with the emerging international norms of privacy as a human right, and (unlike the USA) satisfies the European Union standard of "adequacy" of data protection, thus permitting airline data to be sent freely (within the conditions set by the law) back and forth between Canada and the EU. So far, so good.

After 11 September 2001, the USA began insisting on access to reservation data for passengers on flights from Canada (and everywhere else in the world) to the USA.

To accommodate these demands -- the same ones that have led to the current impasse with the EU -- Bill C-44 was enacted 18 December 2001, making an exception from the Personal Information Protection and Electronic Documents Act to allow Canadian airlines to provide foreign governments with "any information ... relating to persons on board or expected to be on board the aircraft and that is required by the laws of the foreign state."

Bill C-44 created an exception only for transfers of data by Canadian airlines, not travel agents or tour operators. So travel agents' transfers of customer data to USA-based airlines and CRS's are still in violation of the Personal Information Protection Act. And the information actually being provided by Canadian airlines to the USA government isn't limited, as Bill C-44 would require it to be, either to persons on board or expected to be on board, or to the information required by USA law. All this, yet USA Secretary of Homeland Security Tom Ridge still claims that, "The Bush administration will respect Canadian sovereignty and privacy laws" even while including Canadians in CAPPS-II.

That's why, "It's very important for us to get C-17, which provides us with the legal authority to go further," Deputy Prime Minister and Minister of Public Safety and Emergency Preparedness Anne McLellan told Canada Press after her meetings last week with the USA Department of Homeland Security -- all but admitting that current travel data practices violate current Canadian law.

What's this "C-17" she's talking about? Bill C-17, the Public Safety Act, 2002 is a much more sweeping "security" bill that has provoked controversy since an earlier version was proposed in 2001.

Bill C-17 is intended to facilitate implementation of a Canadian counterpart of the CAPPS-II scheme in the USA. "Last spring, the federal government agreed to put strict checks on the use of passenger information in the wake of widespread complaints about Bill C-17.... The bill was passed by the Commons, but not by the Senate before Parliament was prorogued in November."

Bill C-17 itself contains a schedule of information believed to be included in passenger name records, and subject to being given to USA or other foreign governments. The Canadian government's official FAQ on Bill C-17 is more apology than explanation, but there's a useful analysis by the Parliamentary Research Branch of the Library of Parliament of the legislative history of Bill C-17, as last revised 8 May 2003. The description of the debate on the information-sharing provisions highlights the unresolved difference of interpretation as to whether Bill C-17 would provide for access to passenger information only on specific request, or as a "continuous electronic data feed from the airlines regarding all passengers for all flights".

That analysis also highlights the crucial role played by the then Privacy Commissioner of Canada in exposing the real intentions of Bill C-17's backers. For his successor, renewed consideration of Bill C-17 will be one of the first major tests.

Posted by Edward, 31 January 2004, 09:52 AM

Friday, 30 January 2004

USA and Canada open talks on airline data

Just over three full years after the Canadian Personal Information Protection and Electronic Documents Act took effect for airlines that do business in Canada on 1 January 2001, the Canadian government has finally begun negotiations with the USA regarding the conflict between the Canadian law and USA government demands for access to airline reservations, according to reports of a joint news conference in Washington with USA and Canadian officials from the Globe and Mail, GovExec.com, and AP.

As with the European Union's consideration of airline reservation data transfers to the USA, the key question is whether the Canadian authorities will limit their concern to future USA government uses of travel data, or whether they will also address past and ongoing violations of the rights of Canadian travellers, including those by commercial users of reservation data as well governments.

I expected travel businesses in the USA to disregard EU data protection law -- especially once they could claim, albeit falsely, that the so-called "safe harbor" agreement had "resolved" the issue with the EU -- and to postpone compliance with the Canadian law as long as possible. But I thought that both the scale of transborder air travel between the USA and Canada, and Canadian enforcement efforts, would eventually, grudgingly, force USA travel companies into at least a show of compliance, as the price of continuing to do business in and with Canada.

No such luck. Call me cynical if you like, but I've been genuinely shocked at how long, and how systematically, airlines, CRS's, and travel agencies have continued simply to ignore their obligations to respect Canadians' rights, and have continued to treat Canadian data as cavalierly as data collected in the USA (where there are no privacy rules except those that businesses voluntarily adopt for themselves). Under the Canadian law, personal information isn't supposed to be transferred to third parties -- as it is between travel agencies, CRS's, and airlines almost every time a reservation is made -- without a commitment from the recipient to respect the conditions (on notice, access, disclosure, and purpose of use) under which the data was originally collected. Those agreements simply don't exist, and that fact is, or should be, a major scandal across Canada.

In part because of the absence of these agreements or any measures to give them effect, it's impossible to identify which passenger name records (PNR's) associated with a particular flight in the USA contain data that was collected in Canada. I myself couldn't tell with certainty, at the travel agency where I work, which reservations were made by our agents in the USA and which by our agents in Canada. Any sample of USA airline reservation data of significant size will include personal information about Canadians, collected in Canada, protected by Canadian law.

If -- as now appears to have been admitted by both USA and Canadian officials -- CAPPS-II is contrary to current Canadian law, that means the previous CAPPS-II tests with real reservations violated Canadian law, and no future CAPPS-II tests can be conducted legally unless and until Canadian law is changed. "Homeland Security Department Secretary Tom Ridge said an agreement is 'by no means automatic' and will require 'lengthy' negotiations." That's a major setback to the previously-announced CAPPS-II testing schedule, and gives the DHS no excuse for issuing a directive commandeering data for CAPPS-II tests unless and until an agreement to permit such tests can be concluded with Canada.

The first Privacy Commissioner of Canada took a strong stand against earlier proposals for government access to airline reservation data, but it remains to be seen how the current Commissioner will address the issue.

One of the previous Privacy Commissioner's major enforcement actions, in fact, was against Air Canada for its handling of its frequent flyer program database. It's worth re-reading, even outside Canada, for its findings against the airline -- especially with US Airways (US) again in serious danger of being unable to meet its 30 June 2004 deadline for repayment of US$1 billion of USA government-guaranteed loans. US is already putting its most valuable assets up for bid, and if it goes bankrupt again, it will probably be liquidated. That means the US frequent flyer and PNR databases would be up for auction to the highest-bidding consortium of direct marketers and data miners. (For more on what you can do to protect yourself, see my FAQ about Airline Bankruptcies.) The possibility of a US liquidation lends considerable urgency to the need for Congress to enact a federal travel privacy law soon, before a bankruptcy court has to supervise the auction of a major airline reservation and customer database.

EU national data protection commissioners (the "Article 29 Working Group") were scheduled to meet yesterday to discuss the draft agreement on CAPPS-II testing and passenger data transfers to the USA proposed by the European Commission, according to the French national data protection commission (CNIL) Web site.

In addition to the previous ruling in Belgium and the pending investigation in Spain of complaints against PNR data transfers to the USA, both the French (en français) and German (in German; report in English from Reuters) data protection authorities have issued statements that the current transfers (and implicitly, CAPPS-II testing or deployment) are contrary to the laws of their countries and the EU. But there's been no word yet on what transpired at yesterday's meeting.

Posted by Edward, 30 January 2004, 6:58 PM

Business Travel Coalition joins call for hearings on CAPPS-II and travel data privacy

Prompted by Jane Black's column this week in Business Week (which in turn drew its recommendations from her interview with me last July and the agenda I've outlined here, here, here, here, and in my books, among other places), the Business Travel Coalition has launched a call for Congressional hearings on CAPPS-II and data privacy issues within the travel industry.

On its first day, the joint letter to the chairs of the USA House and Senate Transportation Committees has been signed by dozens of travel managers for corporations and organizations, travel consultants, travel agencies, and even some airline executives:

Personal travel information deserves the same level of Congressional scrutiny and debate that medical records and financial information policies were afforded in the past. We hope that you give serious consideration to exploring these important issues during hearings in the near future.

The BTC reportedly plans to collect signatures only through today, Friday, given the USA Department of Homeland Security's stated intention to issue a (secret) security directive forcing airlines to start turning over PNR's for CAPPS-II testing as early as "next month", i.e. Monday.

Travel executives who want to be seen as being on the side of their customers should make sure their names are included when the letter goes to Congress on Monday. Signatures are being collected today on the BTC Web site.

The only even partially dissenting view that the first report on the BTC campaign could find to "balance" the story came from David Stempler, whose purported "Passenger Association" is actually an ill-concealed front for the Cendant Corp., which runs Galileo -- one of the big four computerized reservation systems (CRS's) -- and is already gearing up to profit from the additional data CAPPS-II will force travellers to hand over for their commercial use.

Also today, Statewatch reports from the UK on the latest European Union plans for their own counterparts of the CAPPS-II and US-VISIT programs.

It's increasingly clear that what is at stake is nothing less than a global agenda of government and commercial surveillance and monitoring of travellers, leading to the creation of integrated dossiers of each person's lifetime movements by public transport or across borders, enforced on the basis of specious claims of "aviation and border security", and automatically collected, without the knowledge or consent of travellers, through mandatory remotely-readable RFID travel documents.

Travellers and civil libertarians have to draw the line somewhere. CAPPS-II and the tragic absence of any legal privacy protection for travellers in the USA are a good place to start, followed by the ICAO, USA, and EU plans to mandate biometric RFID passports up for decision at ICAO's March-April 2004 meetings.

Posted by Edward, 30 January 2004, 7:43 AM

Thursday, 29 January 2004

More questions on reservation data shared by NASA, Northwest, & KLM

The official agenda said yesterday's hearing by the USA Senate Committee on Science and Transportation on "NASA Future Space Mission" was supposed to "focus on President Bush's recent proposal to return astronauts to the Moon and expand human space exploration to Mars."

But Senators had more down-to-Earth concerns. In the event, "The meeting focused on Northwest Airlines' participation in a National Aeronautics and Space Administration research study designed to improve aviation security," reported Scripps Howard News Service .

Transcripts of the questioning won't be published for some time, and the witnesses' prepared statements didn't mention the Northwest Airlines (NW) / NASA privacy scandal. But reports on the hearing had somewhat different interpretations of what was said about NASA's use of the data:

The space agency planned to use its scientific and computational expertise to try to do a security analysis to find trends or patterns that might not be apparent.... But information on the ... disks was so elaborately encrypted that after a year of work, only two days worth of data could be extracted. (AP)

NASA analysts were able to extract only two days of passenger data after a year of effort.... Northwest's data-compression technique hindered NASA's analysts. (Washington Post)

What this really means, I think, is not that NW had actually "encrypted" or "compressed" the data at all, but that airline PNR's are stored and transmitted in extremely compact formats unfamiliar to those outside the industry.

These formats and data structures are typical of the global network of reservation systems, which place an exceptionally high priority on extreme backward compatibility with older, low-data-capacity "legacy" equipment installed in remote locations and used by smaller and poorer airlines around the world. They seem very strange, however, and take a long time to figure out, for people unfamiliar with travel industry protocols.

The established CRS's operate in a parallel universe with its own standards, often very different ones from those in other industries that have only more recently gotten into large-scale, truly global, real-time networking.

The difficulty smart, technically sophisticated NASA data analysts had in making sense of raw dumps of PNR data is indicative of the distance between the assumptions about reservations of people outside the airline industry -- such as those who have devised the CAPPS-II scheme -- and the reality. It should also be a warning about the surprises, the unexpected difficulties, and the massively higher costs they will find, compared to what they have naively expected, each time they try to test their CAPPS-II concepts against real reservation data.

At the same time that NASA as the recipient of NW reservation data was coming under questioning in the USA Congress, KLM Royal Dutch Airlines as the source of some of the data NW turned over to NASA was coming under scrutiny today on its home turf.

The latest issue of the newsletter of the European Digital Rights initiative reports that the Dutch civil liberties group Bits of Freedom (sponsor of the Big Brother Awards for the Netherlands), "will ask the Dutch Data Protection Authority to investigate the transfer [of PNR data], the role of KLM and to order KLM to notify the passengers involved."

KLM is the most obvious, but not the only, other company at risk: Any company that collected passenger information in Europe, and transferred it to NW in the USA, is vulnerable to enforcement actions under EU data protection laws. That includes:

  1. More than 100 airlines that are represented in the EU and that have "interline" ticketing and reservation agreements that permit them, and their agents, to accept reservations and issue tickets for interline journeys that include NW connecting flights as well as their own flights.
  2. Thousands of travel agencies and tour operators throughout the EU who booked clients on NW flights. These include both storefront agencies and Internet travel agencies such as Opodo, eBookers (http://www.ebookers.com), Expedia.co.uk, etc.
  3. The four major computerized reservations systems (CRS's) that accepted reservations from travel agents in the EU, and passed them on to NW: Amadeus, Sabre, Galileo (a division of Cendant Corp.), and Worldspan (which actually hosts NW's own PNR database).

Each of these companies violated EU and national data protection rules -- and, in the case of the CRS's, the EU code of conduct for CRS's -- whenever they passed on personal data to NW, unless they had agreements and procedures in place to ensure that NW would respect passengers' (and other data subjects') rights of access, notice, and consent to any disclosure of personal data.

Since few if any companies passing EU data to NW have, or had, such commitments from NW, all their transfers of personal data to NW (and other airlines in the USA) have been and continue to be in violation of EU laws.

It's the transfer of data across EU-USA borders to NW, without adequate protection against its subsequent misuse, that was and is illegal -- whether or not NW actually misused the data.

That means almost every time any travel agency, tour operator, CRS, or airline in the EU accepts a reservation for travel on an airline based in the USA, or on one that has its passenger database hosted in one of the three (out of four globally) CRS's that are based in the USA (all except Amadeus), EU law is violated, regardless of whether the data is passed on to the USA government or anyone else.

That wouldn't be a problem, or a violation of law, if the USA enacted an adequate travel privacy law. Now that EU enforcement agencies are beginning to pay attention, let's see if they notice the full extent of the problem, and demand that it be dealt with.

Posted by Edward, 29 January 2004, 7:31 AM

Wednesday, 28 January 2004

USA airlines ask Congress to merge US-VISIT and CAPPS-II

James May, President and CEO of the Air Transport Association, the trade association of USA-based airlines, told a very different story to Congress today than had been suggested by ATA press statements following last week's ATA meeting with the USA Department of Homeland Security on the privacy of travel records.

Testifying at the House Homeland Security Subcommittee hearing I talked about in this space yesterday, May made no mention of privacy policies or practices, either on the part of airlines or the government. Nor did he suggest that government programs for access to reservation data should be postponed until such protocols could be developed or put in place.

Quite the contrary. USA airlines want the US-VISIT program, designed to facilitate the collection of lifetime biometric and biographic travel histories on visitors to the USA, deployed without delay:

We support DHS in its efforts to create and implement US-VISIT.... We believe it is critical that DHS adhere to the planned schedule for deploying US-VISIT.

The only objection to government surveillance of travellers that was voiced by May on behalf of the airlines was to the possibility that airlines might have to conduct this passenger surveillance at their own expense:

ATA opposes any requirement that airline staff collect the biometric data, either at the check-in counters or at the departure gates. Airline personnel should not be used as quasi-immigration officers.

On the other hand, airlines have indicated no objection to the government forcing travel agents -- the people who actually create most airline reservations -- to function as unpaid "Homeland Security" surveillance and data collection agents for CAPPS-II and other programs.

The airlines' real objection seems to be to having to bear the cost of US-VISIT or CAPPS-II, not on principle to collaborating in the creation of permanent dossiers on airlines' customers. Airlines want to do the latter, as long as the government reimburses their costs and they get to keep the additional data for their own commercial purposes.

But USA government payments to USA-based airlines to offset "government-imposed security costs" are increasingly being viewed as a government subsidy to domestic airlines, since foreign airlines that serve the USA, and are subject to the same government requirements, aren't eligible for any of these funds.

For example, a 1 December 2003 policy paper from a coalition of European airline industry associations argued that:

Particular reference should be paid to the US, where US$5 billion in cash was granted to the country's air transport sector in 2001 and more than US$2.3 billion is being granted in 2003 to pay for security measures. The US air transport industry is clearly enjoying a competitive advantage vis-à-vis its European counterparts.

In the face of such objections from airlines serving the USA from abroad, the USA government will likely have to choose in the future to suspend reimbursement of security costs (losing the government the cooperation in security/surveillance schemes of USA-based airlines), include foreign airlines in the security-cost reimbursement program (increasing its cost by an order of magnitude), or face trade sanctions from the EU and elsewhere in retaliation for continued preferential security subsidies to domestic airlines.

As for the CAPPS-II program, which ATA members have claimed they would cooperate with only if ordered to do so by the government (although no airline has yet said it will try to contest such a legally questionable order), and which the government has claimed has absolutely nothing to do with US-VISIT, May quickly put the lie to all that:

The CAPPS II program ... may be adapted to also readily identify US-VISIT exiting passengers. We would urge that, as these programs develop, consideration be given to combining screening and exit processing.... We believe that the nation's interests will best be served by a seamless, fully integrated approach to passenger processing and screening.

That's a really bad idea that goes beyond anything the DHS has yet proposed, and would multiply the intrusiveness of both the CAPPS-II and US-VISIT programs.

US-VISIT is designed to facilitate the creation of a lifetime biographic and biometric travel history, stored in a DHS database, on each foreigner who has ever visited the USA. CAPPS-II would accomplish much the same thing for domestic travellers, forcing them to identify themselves and provide additional information each time they travel to enable airlines and computerized reservation systems (CRS's) to index reservation records into lifetime travel histories.

Even if the government doesn't itself keep CAPPS-II records, it could get access to CRS archives whenever it likes: under the Patriot Act, travel records can be requisitioned with a "national security letter", without a warrant or subpoena or judicial review, and the recipient of such a letter can be forbidden to reveal that information has been given to the government. Denials by airlines, CRS's, or other travel companies that they have furnished passenger records to the government cannot be taken at face value, since under Patriot Act those denials could be government-ordered lies.

But integrating CAPPS-II with US-VISIT would make the process much easier by merging all four CRS's databases on travellers to, from, or within the USA with the US-VISIT database on travel by foreigners across US borders. (The Transportation Security Administration could still claim with a straight face that, "The TSA does not retain CAPPS-II data," since US-VISIT records are stored by a different division of the DHS.) The result would be a single comprehensive archive, in government hands, of lifetime records of the movements of everyone, foreigner or citizen, who has ever taken an airplane flight touching the USA, or crossed the USA border.

Also at today's US-VISIT hearing, Assistant Secretary of State Maura Harty boasted of the success of USA lobbying for an international agreement on remotely-readable RFID biometric passports:

We are also undertaking a massive effort to introduce embedded biometrics into the U.S. passport through the insertion of a contact-less chip, which will store biometric and biographic data including digital photos.... We recognize that convincing other nations to change and improve their passport requires U.S. leadership both at the International Civil Aviation Organization (ICAO) and practically by introducing these changes into the U.S. passport. Thus, the Department of State has underway a program that should result in the production of our first enhanced biometric passports using the ICAO standard of facial recognition techniques in October of this year and we plan to complete the transition to this new biometric passport by the end of calendar year 2005.... The U.S. has played a leadership role in ICAO working groups to advocate the successful inclusion of biometrics in travel documents.

It's clear from Harty's testimony that the USA is treating ICAO's decision as a fait accompli, despite the fact that the proposed RFID biometric passport standard isn't actually scheduled to be decided until the next meeting of the ICAO working group, 22 March - 2 April 2004 in Cairo.

It's becoming increasingly apparent that ICAO is on the verge of adopting an extraordinarily controversial item, without having involved the relevant stakeholders (e.g. travellers and consumer and privacy advocates) and without having given any serious consideration to its profound implications for privacy and civil liberties. ICAO needs to postpone its decision until after a full and open privacy impact assessment can be completed and its results considered in the debate.

Within the USA, similar arguments are being raised about the need to consider the privacy and civil liberties implications of government access to, and commercial sharing of, travel records, as FoxNews.com reports in Massive Travel Database Raises Eyebrows. And Business Week's Jane Black endorses my call for Congressional hearings on the use of travel data, and enactment of a Federal travel privacy law, in her latest Privacy Matters column: The airline-data mess should be cleared up.... It's time to regulate travel data.

Posted by Edward, 28 January 2004, 6:35 PM

Tuesday, 27 January 2004

A few of our favorite places

Airtreks.com staff recommendations

(from the January 2004 Airtreks.com monthly newsletter -- you can subscribe here at the lower left of the home page)

Travelers often ask our consultants, "Where do you think we should go?" Usually, our answer is, "Wherever you like!" Each of you, like each of us, has different tastes and interests, and no one place is best for everyone.

But all of us at Airtreks.com love to travel. Between us, we visit dozens of countries each year. We have our favorites, and we're the first to hear about it when air trekkers are starting to discover a new destination.

So we polled our staff of resident experts to find out where they recommend: the best place in the world to go right now. Our answers are as far-flung as our travels. Top picks for some of us who've been there include Zanzibar, Iceland, Capetown, and Syria. Inevitably, some of us start with the unmatched ethnic and cultural richness and diversity of India and China, which between them make up a third of the human world.

But there was also surprising agreement amongst our travel consultants, with two regions in particular getting our "go there now" nod:

A sizeable contingent of our staff points air trekkers to the South Pacific, especially New Zealand ("So much to do on each island, good land transportation, best weather right now, the scenery you've seen in the Lord of the Rings movies") but also Australia ("friendly people and so many great things to do").

Even more of our staff give their top recommendation to southern South America: Brazil (Carnaval is coming up in February -- check it out in Salvador or around Recife), Chile (the beauty of the Andes mountains, the city of Santiago, and "wineries to the north are wonderful day trips"), and the clear winner in our staff poll: Argentina and its queen mega-city, Buenos Aires.

Why? Diversity and beauty of the land. Wonderful people. (You could say that, truthfully, about almost anywhere, of course.) Music and dancing. Shopping. Excellent infrastructure. Great food ("steaks the size of shoes", elaborate European-style cuisine with the best and freshest local ingredients -- for peanut prices). Above all, "Great value for the money."

Wherever you're going, there are a couple of lessons here, especially about that, "value for the money":

  1. Don't let stories about the rise of the Euro confuse you about the cost of travel to the rest of the world. Yes, travel to Western Europe is more expensive for Americans than it was last year. But that's not a reason to stay home -- that's a reason to consider traveling further afield, to places where the U.S. dollar still goes much further than it does at home. Most air trekkers still find that their expenses on the road are substantially less than their living expenses were at home in the USA.

  2. Don't confuse bad news for locals with bad news for visitors. Reports about Argentina have focused on the fall of the peso, and the problems that has caused. As the local currency has collapsed against the dollar, local salaries and savings have lost two-thirds of their purchasing power. But that also means that the buying power of tourists' dollars has tripled, and that they can travel just as well on a budget a third the size of what they used to need.

And the warmth and sincerity of the welcome! Argentines know they live in a beautiful country that just a few years ago was expensive for foreigners on a budget. If they were Americans, they'd be jumping at the chance to visit Argentina now, while it's such a bargain. Like people in other such spots around the world, they welcome visitors and their dollars, and congratulate them on their good taste in choosing their vacation destination so well.

It's a great time to travel, and there are lots of great places to choose from. Overall, travel values have never been better. Go! And wherever you go, have a wonderful trip.

Posted by Edward, 27 January 2004, 18:26

European Commissioner acknowledges need of USA airlines to respect EU privacy laws

In a letter dated 18 December 2004 to USA Secretary of Homeland Security Tom Ridge, European Commissioner Frits Bolkestein has clearly acknowledged the practical impossibility (as I've been discussing for months) of segregating personal data in airline reservations collected in the European Union from data collected in the USA or elsewhere:

I also understand that, when CAPPS II begins testing and even more when it becomes operational -- even if not at all applied to flights within the EU -- PNR data of some subset of passengers on such flights may emanate from the EU and that there is no reasonable or cost-effective mechanism for airlines or TSA to identify or filter out such PNR. I recognize that airlines are concerned that this situation might leave them vulnerable to enforcement action by data protection authorities in the EU Member States.

The letter from Bolkestein to Ridge, posted in a somewhat obscure location on the European Commission Web site, was brought to public attention by Member of the European Parliament (MEP) Marco Cappato. MEP Cappato's statement today says that by the letter, "The Commission hereby confirms its attitude of not taking into due account citizens' rights and the EP serious reservations on the issue of the transfer of personal data of transatlantic airline passengers to the US."

But while Bolkestein's comments were made in the specific context of CAPPS-II, the larger implication may be this:

If, as Commissioner Bolkestein has now admitted, some subset of passenger data on any flight may have been collected in the EU, and it is impossible for airlines in the USA to identify or filter out such data, then the only way airlines or other travel companies in the USA can ensure their compliance with EU data protection regulations is if they treat all PNR data as though it might have come from the EU, and handle all PNR's, even on domestic flights within the USA, in compliance with EU data protection standards. (Which of course they don't.)

The only legal way for airlines, CRS's, and other travel companies to withhold from customers in the USA the rights they are required to give EU customers would be if they tracked whether each item of personal data in each PNR originated in the EU. They don't, and their failure to do so -- or to treat all PNR's in accordance with EU data protection standards -- is the essence of their near-total disregard to date for any actual compliance with EU data protection laws, as applied to PNR (travel reservation) data.

MEP Cappato's statement continues:

We appeal to the President of the EU Privacy Authorities, Stefano Rodotà, to formally intervene to ask for provisions and sanctions to be applied against current illegal practices. And we ask to national privacy authorities to take measures where they have powers to do so, such as in Italy. We do not understand why President Rodotà and national privacy authorities do not activate the national and European instruments at their disposal to have the laws applied and citizens' rights respected.

The real question now is not just what will be done by European authorities about CAPPS-II, but what will be done about the larger issue of compliance with EU data protection rules throughout the handling of PNR data in the USA.

Posted by Edward, 27 January 2004, 16:55

Hearings on US-VISIT, but ...

The Subcommittee on Infrastructure and Border Security of the USA House Select Committee on Homeland Security will hold a hearing on the US-VISIT program tomorrow, 28 January 2004.

As I've discussed in previous articles, the US-VISIT program has come under intense worldwide criticism for subjecting foreign visitors, including tourists and people merely changing planes in the USA, to photographing and fingerprinting like criminals, and for its use in compiling lifetime travel histories on all visitors to the USA.

But don't expect tomorrow's Congressional hearings to call attention to the controversy. In addition to representatives of the architects of the program from the Departments of Homeland Security (Undersecretary Asa Hutchinson, who just yesterday told an AP interviewer the DHS would order airlines to collaborate with CAPPS-II testing) and State, the one-sided witness list (as of the close of business today in Washington) includes the following people:

  1. James May of the Air Transport Association, the lobbying group for USA-based airlines, which has just announced that it won't go to bat for its customers to contest the imminent DHS security directive ordering airlines secretly to turn over all their reservation records for tests of the CAPPS-II passenger profiling and surveillance system
  2. Dennis Carlton of the International Biometrics Group, one of the DHS contractors sharing in the US$10 billion US-VISIT jackpot and likely to profit further if ICAO's proposed worldwide requirement for biometric travel documents is approved
  3. Kathleen Campbell Walker of the American Immigration Lawyers Association, who has testified previously to Congress in support of both biometric travel documents and government access to airline reservation data well in advance of flights

Privacy? Surveillance? Collection of travel dossiers? Impact on tourism and other travel to the USA? Fuggedaboutit.

A full and fair hearing, indeed.

Posted by Edward, 27 January 2004, 14:42

Monday, 26 January 2004

"Our privacy laws are rather primitive" - ACLU

USA Undersecretary of Homeland Security Asa Hutchinson reportedly told an AP interviewer today that the DHS has decided to order airlines to turn over passenger reservation records to the DHS for tests of the CAPPS-II passenger profiling and surveillance system.

The DHS claimed to have been considering a public rule-making process, but has apparently decided simply to issue a security directive (probably secret) to the airlines to order them to turn over passenger data. In addition to intimate details about airline passengers, airline PNR's also contain extensive personal information on people who make reservations but choose not to travel, airline and travel agency workers, people who arrange travel for friends or family members or business associates, and people who pay for others' tickets. All of these groups -- most of whose rights haven't even been considered in the DHS Privacy Act notices about CAPPS-II -- would have their privacy violated by CAPPS-II testing.

There was no report today on whether the DHS would simultaneously be issuing the other directives required for CAPPS-II.

As I've reported earlier, DHS Chief Privacy Officer Nuala O'Connor Kelly told me in an interview in November 2003 that people about whom information is to be used in CAPPS-II tests will "almost certainly not be given any opportunity to opt out" of being used as data guinea pigs.

Since there is not (yet) any USA privacy law for travel records, USA citizens may not even be entitled to know if their reservations have been given to the DHS for CAPPS-II tests or other purposes. But EU citizens are entitled under the EU data directive to know to whom their reservations have been disclosed. All EU citizens travelling to, from, or within the USA, either on USA or foreign airlines, should make a formal request to the airline and their national data protection authorities, after each flight, to find out if their reservations for that flight were given to the DHS for CAPPS-II tests. Since the tests may be conducted with archived, "historical" data for past flights, it would be a good idea for EU citizens also to ask each airline on which they have previously flown to, from, or within the USA which of their past reservations have been provided to the DHS, and for what purpose. For good measure, ask each of the big four CRS's (Sabre, Amadeus -- including its Airline Automation subsidiary -- Worldspan, and Cendant's Galileo division), since the DHS could get PNR's directly from them without going through the airlines. That's probably the only way we will find out which past or present flights are being used for CAPPS-II testing.

Questions continue to be raised about the passenger records Northwest Airlines turned over to NASA for use in some of the earlier experiments in passenger profiling, in editorials with titles like Big Brother Air, or these from the Scripps-Howard News Service and the Mankato [MN] Free Press (from a region where Northwest Airlines has a near-monopoly on service to smaller airports).

Joyce McGreevy in Salon.com (cookie acceptance and viewing of an ad required) takes note of the State of the Union address:

The president assured us at the top of his address that "analysts are examining airline passenger lists." But give credit where credit is due. Let us not fail to thank JetBlue Airways and Northwest Airlines for reportedly supplying passenger data, without which the government might have had to do its own violating of federal and state laws, thus taking time away from the important business of detaining readers of the Farmer's Almanac.

And the American Civil Liberties Union has sent a letter to European Commissioner Frits Bolkestein "to report what may have been a violation" of the EU Data Directive. The ACLU letter points out that, "In light of the fact that Northwestern has a partnership with the Royal Dutch Airlines (KLM) through which it provides one-stop reservations and ticketing it is almost certain that at least some of these improperly disclosed passenger records belonged to citizens of the European Union."

The ACLU suggests that Bolkestein and the Commission "may wish to conduct an investigation of Northwest's information collection and dissemination practices, full notification to all individuals affected by this disclosure and the imposition of all appropriate civil penalties."

More importantly, perhaps, in light of ongoing USA-EU discussions on transfers of passenger data, the ACLU says that:

We also believe that this latest revelation calls into question the ability of the US to honor any promises made regarding the transfer of air passenger data. Sadly, our privacy laws are rather primitive and the unrelated uses of private data that are prohibited in Europe occur far too often.

Two members of the House Committee on Government Reform, Representatives Lacy Clay and Carolyn Maloney, have sent written questions to the U.S. Census Bureau, as have members of the Census Advisory Committee, seeking clarification of whether Census data has been, or could be, "mined" for data used for law enforcement or "Homeland Security" targeting or profiling.

In this vein, the Washington Times reports on Cendant's plans to integrate its customer databases, including travel reservations from the Galileo CRS (a Cendant division) and other Cendant travel, direct marketing, and data mining divisions. It's exactly the sort of data "sharing" within the travel industry that raises privacy concerns even if the government isn't involved, and that wouldn't be allowed if companies like Galileo and the rest of Cendant actually complied with the privacy laws of the EU, Canada, or the other countries where they operate.

The Washington Post has a contrasting report on last Friday's meeting between USA-based airlines and the DHS. The Post focuses on the changes in airline-industry procedures that would be required in order to notify travellers about CAPPS-II and other government uses of travel records: "The cost of installing privacy policies throughout the industry could easily run into 'hundreds of millions' of dollars." (That's just for policy changes, not the infrastructure changes required to collect and transmit the additional data required for CAPPS-II.)

But the Post says, strangely, that "the industry has been too slow to inform customers when it shares data with the government even though airlines have clear policies explaining how they might share customer information with travel-related companies." That may be what airlines told the Post, and what they want trusting travellers to believe, but it's nonsense. Most airlines and travel companies have no policies whatsoever explaining their data-sharing practices for most reservations.

If travel companies have privacy policies at all, they generally apply only to data collected through their Web sites, and don't mention important categories of companies with which data is shared -- especially the CRS's. I know of no airline, CRS, or major travel agency that is prepared to provide a traveller, on request, with copies of their archived PNR's, which would be the first step toward compliance with EU and Canadian law. (Chief privacy officers from CRS's and mega-agencies with millions of customers have told me this wasn't necessary because no traveller has ever asked them for their personal travel records. If so, that's because -- in violation of EU and Canadian law -- travellers aren't informed of their right of access.) And, of course, the privacy policies that do exist are routinely violated by standard industry practices.

Business as well as leisure travellers are beginning to demand improvements in travel privacy policies and, more importantly, privacy practices. Even before the Northwest scandal, the Business Travel Coalition had called for industry-wide ground rules and safeguards with regard to passenger data. Members polled by the BTC are concerned about both the Northwest scandal and CAPPS-II, as discussed in BTC chairman Kevin Mitchell's new blog.

Those concerns are shared by the Association of Corporate Travel Executives, which has said there is a need for changes in IATA regulations on privacy of business data in reservations and has filed critical comments on CAPPS-II.

There's no quick fix in sight, but at least there's a growing consensus on the need for action.

Posted by Edward, 26 January 2004, 13:48

Thursday, 22 January 2004

"Homeland Security" meeting today with USA airlines on data privacy

Northwest Airlines, the Air Transport Association (ATA), and the USA Department of Homeland Security (DHS) are putting very different spins on their meeting today on CAPPS-II and the privacy of airline passengers, held while angry travellers jammed the phones at the ATA headquarters to complain about past and possible future violations of their privacy and warn airlines of the likely backlash if they fail to stand up for their customers' privacy.

Reuters and an early report by the AP quoted an ATA statement and comments by ATA spokesperson Doug Wills on what the airlines told the DHS, with AP saying, "the airlines expect to hear details [from the DHS] about the steps being taken to protect travelers' privacy," as though all the risk of misuse of information was from the government, and what's needed are steps by the DHS.

And an ATA spokesperson told me after the meeting that, contrary to some reports that billed the meeting as an airline "summit" on CAPPS-II and privacy, there was actually no discussion of the airlines' own privacy policies. The regularly-scheduled quarterly meeting of chief operating officers of the major "network carriers" was simply the opportunity for an exchange with the DHS on DHS data protection protocols.

But a later report by the AP, Airline industry to work on privacy issues, said, "Major airlines agreed Thursday to work with the Homeland Security Department on ways to protect traveler privacy," and quoted DHS Chief Privacy Officer Nuala O'Connor Kelly as lecturing the airlines on best practices, as though the problem were with the airlines' practices: "'It's more than a privacy policy on a Web site,' Kelly said. 'It's having good internal protocols.'"

And the Minneapolis Star Tribune, Northwest CEO urges new 'data protection protocol', and Information Week, Northwest CEO Urges Airline Execs To Talk Privacy, relying on statements from Northwest Airlines (NW), said "Northwest Airlines Inc. CEO Richard H. Anderson recommended that the Air Transport Association discuss developing a data-protection protocol to address privacy concerns about passenger data," as though NW -- which is still claiming it was "appropriate" to give its files on as many as 10 million passengers to the government -- had something to teach the rest of the industry other than by negative example.

All we really have to go on for what happened at today's meeting are self-serving statements by NW, ATA, and the DHS, each trying to pose as privacy advocates in spite of their dismal track records of unconcern for passenger privacy. IT and security executives in other industries are looking for lessons in the airline privacy scandals -- see these stories in CIO magazine and CSO magazine -- but neither the airlines, the CRS's, nor the DHS have cleaned up their act, or even really acknowledged that they are the cause of a privacy problem.

Most ATA members don't have any privacy policies for most of their reservations: an ATA spokesperson admitted that their only privacy policies are those on their Web sites, which in almost all cases apply only to reservations made through the airlines' own Web sites, not the majority made through other channels. So far as I've been able to tell, no ATA member includes their privacy policy as part of their conditions of carriage -- if they have one at all, it's outside the actual contract, and thus of ambiguous enforceability.

A second class action lawsuit has been filed against NW in Federal District Court in Minnesota, this one by the same law firm that represents the plaintiffs in one of the pending suits against jetBlue. The New York Times has an interesting analysis of the difficulty of making a case in the USA, in the absence of a Federal privacy law, and the fact that, "In Europe what Northwest did is clearly illegal."

This isn't the first time ATA has met with the DHS on CAPPS-II, according to the ATA spokesperson I talked with after the meeting. And ATA says that, "In the future, we expect to have additional discussions with Homeland Security officials and airline officials on this subject." But ATA represents only airlines based in the USA. The much larger number of airlines based in other countries, but that fly to the USA, would be equally impacted by CAPPS-II. But so far as I've been able to find out, the DHS has never met with the International Air Transport Association, presumably because they would be more likely to insist on compliance with international privacy laws and norms, and reimbursing airlines worldwide for CAPPS-II costs would be many times more expensive than just reimbursing USA airlines.

If there's any real disagreement between the DHS and ATA about CAPPS-II, it's about who will pay for it. According to ATA's spokesperson, "We still support CAPPS-II. We just feel that the burden of its cost shouldn't be borne entirely by the airlines."

When I met with European Commission staff members in Washington in November, they were extremely interested in the possibility that the USA might reimburse USA-based, but not EU-based, airlines for CAPPS-II or other security costs. It's highly likely that the EC would construe such preferential reimbursement as a preferential government subsidy to domestic airlines -- over and above current protectionist USA laws benefitting domestic airlines -- and would impose reciprocal trade sanctions against airlines from the USA flying to the EU.

This week there's been a flurry of editorials raising questions about CAPPS-II in newspapers across the country, including USA Today, the Denver Post, the Rocky Mountain News, the Boston Globe, and the Washington Post. (And then there's the satirical commentary.)

But there's no reason to expect meetings between travel companies and the DHS, who have already collaborated in several years of successive tests of airline passenger profiling schemes, to answer the questions about CAPPS-II, or resolve the privacy problems posed by government-industry sharing of passenger data.

  1. If the DHS Chief Privacy Officer were really concerned about protecting privacy, rather than making excuses for privacy-invasion and surveillance programs cooked up by the NSA and its friends in military intelligence, she'd order a halt to the program, not harangue the airlines.
  2. If the airlines really cared about their passengers' privacy, they'd put strong privacy guarantees in their conditions of carriage, lobby publicly against CAPPS-II, and promise to publicize and contest in court any government request or order to turn over passenger data.
  3. And if NW had learned anything about respect for its customers' privacy, they'd start with a public apology and an admission that they did wrong.

The only way passengers' and the public's concerns can be addressed is if the process is conducted in public, and if passengers themselves, and consumer and privacy advocates who represent them, are involved. The only way that is likely to happen is through the Congressional process of investigation, hearings, and legislation.

Business Travel News points out that the same day that G.W. Bush boasted in his State of the Union Address that "Each day ... analysts are examining airline passenger lists", British Airways CEO Rod Eddington was telling another Washington audience across town that, "A unilateral imposition of longer term security measures can be counter-productive". Eddington singled out demands by the USA for passenger data from the EU in his call for, "More co-operation and consultation between governments" on security demands affecting airlines. The complete text of Eddington's op-ed earlier this month in the Financial Times on USA "security" demands, previously mentioned in my blog, also has now been posted on the British Airways web site.

British Airways was the only airline to file comments on the DOT's initial CAPPS-II proposal, in which they raised questions -- still unanswered, and entirely ignored in the DHS analysis of comments -- about its incompatibility with EU and other countries' laws.

Sen. Gordon Smith of Oregon has become the first member of Congress to demand answers as to what NASA did with Northwest Airline reservation data, sending a list of written questions to NASA and the CEO of Northwest. Meanwhile, DontSpyOn.US and the Washington Times have more details on the census data used in the same NASA research as the NW reservations.

The Northwest privacy scandal has also fueled the fires of public skepticism in the European Union as to whether travel companies in the USA, or the government of the USA, can be trusted to police their privacy practices without independent oversight.

I've received no news of what happened yesterday and today in the European Parliament's Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE). But Members of the European Parliament (MEP's) are continuing to raise questions about the proposed agreements with the USA on passenger data transfers and CAPPS-II testing. The (lengthy) committee agenda included consideration of the status of discussions on transfers to the USA of airline passenger data, as well as a draft European Parliament resolution which:

Reiterates that EU data protection rules are seriously infringed when personal data are, without informing and obtaining the consent of the data subject, transferred or accessed directly and systematically by a third state party or law enforcement authority, notably when data are collected for another purpose and without judicial authorisation, as in the case of US authorities accessing transatlantic passenger data collected in the EU by airline companies and electronic reservation systems.

On 18 December 2003, the Belgian national privacy commission ruled that the rights of MEP, LIBE Committee member, and EP rapporteur on privacy Marco Cappato had been violated by United Airlines (UA), Continental Airlines (CO), and Delta Air Lines (DL). The ruling (en français) was based both on Belgian law and the particularly strict privacy provisions of the EU code of conduct for computerized reservation systems ("systèmes informatisés de réservation, SIR").

In a statement preceding this week's LIBE Committee meetings, MEP Cappato said (in translation from the original Italian):

On the occasion of tomorrow morning's meeting in Brussels of the EP Civil Liberties Committee, I will draw colleagues' attention to the opinion by the Belgian Privacy Committee, in view of deciding in the next weeks on the possibility of challenging the EU Commission in front of the European Court of Justice concerning the violation of EU law on privacy. The Belgian document has also been sent to the Privacy Authorities of EU Member States, and to the Belgian Minister of Justice. I hope that they will assure that laws are respected. I address myself to the Italian Privacy Authority, and notably to its Chief, Stefano Rodotà, currently also President of the EU Privacy Authorities working party, to ask him to intervene at the national and European level so as to assure that the law and the corresponding adequate sanctions are finally applied.

Elsewhere in Europe, German data protection commissioner Peter Schaar said in an interview with the Frankfurter Allgemeine Zeitung that the handling of passenger data in the USA "does not meet EU privacy standards." As the interview points out, Schaar is "a member of the Article 29 Working Party advising the European Commission on privacy issues. The working party, composing all of the EU's privacy commissioners, is currently drafting a recommendation on demands made by the United States government for information on airline passengers." Schaar also spoke out against both US-VISIT and the proposals for biometric passports.

Posted by Edward, 22 January 2004, 18:05

Wednesday, 21 January 2004

Passengers sue. Airlines circle the wagons.

The first consumer class action lawsuit against Northwest Airlines by a passenger was filed Tuesday, 20 January 2004, in U.S. District Court in St. Paul, Minnesota, the Federal judicial district that includes NW's headquarters, the Minneapolis Star Tribune reports. The plaintiff's attorney, Shawn Raiter, "said he expects other class-action lawsuits to be filed across the United States in other court jurisdictions."

Today's Washington Post says that, in response to the Northwest Airlines (NW) scandal, the Air Transportation Association (ATA), the lobbying association of USA-based airlines, "will meet in Washington this week to discuss the development of an industry-wide privacy policy to protect consumers."

A more accurate statement might be, "... to protect airlines against legal liability." Almost every ATA member (and more than 100 other airlines around the world) has an interline ticketing agreement permitting them and their agents to make reservations for journeys including NW flights. They have collected personal information from passengers and third parties, and passed it on to NW, without having any contractual commitment from NW, or any operational protocols, to ensure that it wouldn't be further "shared" -- as, in fact, it was, with NASA and who knows how many others.

Virtually all passenger name records (PNR's) contain data from multiple sources that has been transferred between different companies through the network of reservation systems.

The holding of ATA's first-ever meeting on privacy policy and personal data sharing is thus a damning admission that the airline industry has no standards, agreements, or procedures in place to protect the privacy of travel data when it is passed between travel companies such as airlines, travel agencies, tour operators, and CRS's.

But the place to determine global public policy on issues like privacy is in the legislature or another public forum, not a private conference of corporate executives who have in common only their business -- not public -- interests and their demonstrated historical lack of concern for the impact on their customers of their data interchange procedures.

In the USA, the most obvious objection to the ATA meeting is its apparent violation of anti-trust law. Congress has given airlines a limited exemption from anti-trust law to participate in IATA "traffic conferences" (international price-fixing meetings). But that exemption extends neither to ATA meetings, nor to collusion on contract terms, such as privacy policies and conditions of carriage.

Concern for possible anti-consumer airline collusion on conditions of carriage is well-founded: almost all ATA member airlines already have suspiciously similar language in their conditions of carriage requiring passengers to "consent" to submit to search and provide government-issued documentary evidence of their identity.

Left to their own devices, USA-based airlines would probably all agree to require passengers to "consent" to personal data sharing, with few if any meaningful constraints, as a condition of air transportation. Such an agreed-upon united front by the airlines would leave would-be air travellers no meaningful alternative -- other than to walk or bicycle across the country -- and render their so-called "consent" meaningless.

In the European Union, Canada, and other countries where airlines (including those from the USA) have promised to abide by legal privacy protection codes, the absence of privacy protocols or formal agreements governing current transfers of personal data within the industry raises more serious issues of lack of legal compliance, and breach of the promises made to those countries' authorities.

Wired News says EPIC's European representative, Cedric Laurant, expects a "heated discussion in the European Parliament" when the debate on passenger data transfers to the USA, originally scheduled for today but now pushed down on the agenda, resumes Thursday in Brussels.

As it becomes more and more evident that airlines aren't complying with existing EU privacy laws, it becomes ever less likely that EU agencies will approve demands by the USA for even greater mandatory collection, government access, wider dissemination, and free sharing with travel companies in the USA of travel data collected in other countries, for CAPPS-II and other surveillance and monitoring programs.

That's not a problem ATA, or any private or national organization, can resolve. What's needed is a comprehensive international dialogue and privacy impact assessment of travel reservation data, to include CRS's, airlines (represented internationally through IATA, not just ATA), other travel companies (travel agencies, tour operators, reservation software companies, etc.), national and regional (e.g. EU) data protection authorities, and consumer and privacy advocates and NGO's.

In the meantime, as long as USA-based airlines and their European and worldwide partners are in such manifest violation of the EU data protection directive, without even the pretense of privacy commitments from their data interchange "partners", the EU should close the door -- promptly and firmly -- to any continued sharing with the USA government of data collected in the EU by airlines, CRS's, travel agencies, or tour operators.

And the EU should set a firm deadline -- 90 days, perhaps -- for airlines and travel companies that want to collect personal data in the EU, and pass it on to CRS's or other airlines and travel companies in the USA, to complete the first phase of the privacy impact assessment I've just described. If they don't, enforcement action to prohibit commercial sharing of travel data between the EU and the USA, and suspension of the right to operate in the EU for companies that fail to comply, is long past due.

Posted by Edward, 21 January 2004, 08:00 (8:00 AM)

Tuesday, 20 January 2004

EPIC files complaint against Northwest Airlines; EFF calls for Congressional hearings

The Electronic Privacy Information Center (EPIC) filed a complaint today with the USA Department of Transportation (DOT), asking DOT to take action against Northwest Airlines (IATA code "NW") for turning over 3 months of passenger name records (PNR's) to NASA for use in development and testing of passenger-profiling schemes.

Reuters says the DOT immediately issued a statement which, "noted that airlines are not prohibited by law from providing or selling passenger information such as passenger lists."

I'm not surprised by the DOT's lack of enthusiasm for pursuing the case: enforcement of consumer protection laws, especially on privacy and Internet issues, has had the lowest possible priority for the DOT's tiny enforcement division.

DOT has been in the forefront of deregulation, from the Airline Deregulation Act of 1978 (the first major deregulation legislation before the Reagan Administration) to its decision on New Year's Eve of 2003 to entirely eliminate the 20-year-old regulations that have protected consumers against anti-trust collusion by the computerized reservation system (CRS) oligopoly (more on that story in the future, I promise). The limited DOT enforcement staff has focused on safety and pricing issues, not data protection.

The difficulty of getting a reluctant and understaffed DOT to act on a complaint like EPIC's latest against NW is exacerbated by a gap between the relevant agencies' conceptions of their jurisdiction, as I learned while researching The Practical Nomad Guide to the Online Travel Marketplace (see pp. 254-262).

Senior DOT enforcement attorneys told me that the DOT and the Federal Trade Commission (FTC) had "concurrent" jurisdiction over privacy protection, truth in advertising, and other consumer protection issues involving airlines. But since the FTC takes the lead on such issues for other industries, especially when the Internet is involved, it knows more about them, and the DOT leaves them to the FTC. DOT attorneys were horrified -- both on laissez-faire principle and because of the extra work it would entail -- at my suggestion that they had any significant responsibility for policing deceptive advertising and privacy practices by the airlines, especially on the Internet.

FTC staffers, on the other hand, told me that the DOT has primary, if not exclusive, jurisdiction over anything related to the airlines, including privacy and consumer fraud. So the FTC has never initiated an enforcement action against an airline on any of these issues.

The end result is that sales of airline tickets -- by far the largest single category of e-commerce -- have almost completely fallen through the cracks of Federal enforcement of basic truth-in-advertising and consumer fraud rules, and have never taken their rightful place at center stage in debates about Internet privacy and consumer protection.

The DOT has brought a token few enforcement actions against out-and-out scams involving airline ticket sales on the Internet, but so far as I can tell, an action against NW for breach of privacy promises would be the first privacy action ever for the DOT.

The only visible protest against this sorry situation for travel consumers has come from state consumer protection authorities. In 2000, 43 state attorneys general sent a joint letter to Congress urging the repeal of Federal preemption to permit enforcement of "state laws prohibiting unfair or deceptive business practices or unfair methods of competition with respect to air transportation or the advertisement and sale of air transportation services." But Congress has, to date, shown no interest in restoring even limited state jurisdiction over fraud by airlines.

EPIC's complaint cites the promise made to the European Union by the DOT that the EU can rely on the DOT to police the data protection practices of airlines and travel companies in the USA, and points to the "virtual certainty that ... European citizens' personal information comprised part of what was disclosed to NASA" by NW (and KLM).

EU authorities will no doubt be watching closely to see if the DOT keeps its word, since the willingness of USA authorities to enforce voluntary pledges of compliance with privacy codes is the keystone of the so-called "Safe Harbor" scheme negotiated by the USA to permit personal data transfers from the EU to the USA in spite of the lack of adequate (by EU and international standards) privacy law in the USA.

NW hasn't certified itself as being in compliance with the "Safe Harbor" rules. Indeed, the only airline on the Safe Harbor self-certification list is Continental Airlines (CO). But CO has had a code-share agreement with NW since 1998, meaning that some CO flight numbers are and were actually operated by NW.

So "system-wide" NW data provided to NASA would have included data on flights booked and ticketed in the EU, by EU citizens, as CO flight numbers, under a "safe harbor" pledge.

CO's current privacy policy, obviously rewritten since the jetBlue Airways scandal, gives "consent" for all sorts of invasive practices. But depending on what CO's privacy policy (if any) was at the time, the CO/NW codeshare flights could provide one of the first direct tests of the effectiveness of the supposed "Safe Harbor" enforcement system: CO made promises to EU citizens, collected their personal data, and then transferred it to NW in the USA -- without, so far as I can tell, having any agreement or systems in place to control NW's subsequent nonconsensual use and further disclosure of the data.

And this is nothing exceptional. "Airlines and government agencies have routinely exchanged passenger information for decades," concludes Minnesota Public Radio (transcript; audio) after interviewing industry experts.

Not surprisingly, questions are already being raised in Europe as to whether, in light of the latest NW scandal, the USA can be counted on to keep its promises to the EU about the use and dissemination of PNR data obtained under other programs such as APIS (the subject of recent negotiations), US-VISIT, or CAPPS-II. And we still don't know the full extent of what data was disclosed, to whom, or who still has copies of it.

What is to be done? The Electronic Frontier Foundation (EFF) is calling for a Congressional investigation and hearings (statement; fax and e-mail forms). The Business Travel Coalition, after a survey showing widespread concern by corporate travel executives, has called on NW to apologize to passengers for the breach of privacy and for trying to deny it.

Posted by Edward, 20 January 2004, 21:32 (9:32 PM)

Monday, 19 January 2004

How the USA honors the memory of M.L.K., Jr.

It's a national holiday today in the USA in honor of the birth anniversary of Dr. Martin Luther King, Jr.

So what stirring story of the progress of American freedom and racial tolerance do I wake up to?

French fury over US treatment of air staff (free registration and cookie acceptance required)

The article is worth reading in full, but here's the gist:

It seems that the USA is now requiring a personal interview with a TSA specialist, on each arrival in the USA, for foreign-citizen airline staff born in specified countries (all of which have Muslim-majority populations) -- even though they already have multiple-entry professional visas, and could be questioned and investigated as thoroughly as desired before those visas are issued.

It also seems that there are no such TSA specialists in Cincinnati, even though it is an international airport and Delta Air Lines hub, served by regular flights on Delta's "Skyteam" marketing partner, Air France.

Since knowledge of multiple languages is one of the most important qualifications for flight attendants, and many Air France passengers are travelling to and from points beyond France in Africa, Asia, etc., it should be no surprise that many Air France flight attendants were born outside France, and are either immigrants or children of French parents born abroad.

So what has happened? According to the Telegraph (UK):

One Moroccan-born stewardess who flew into the city was prevented from leaving when officials could not conduct her interview. Instead, she was driven for eight hours to Atlanta, nearly 500 miles away, and forced to fly back to France as an ordinary passenger.

And now the TSA has issued a new directive:

The directive ... advises Air France not to use the foreign-born crew members on flights to Cincinnati because airport staff there lack the facilities needed to conduct the security interviews.

Let's get this straight: the TSA is telling Air France to discriminate against members of its staff -- French citizens holding valid professional visas to the USA -- in assignments to flights to the USA, on the basis of their country of birth.

If an airline or company based in the USA did that, it would constitute illegal discrimination based on national origin.

So the USA is ordering Air France to engage in discriminatory practices that would be illegal for a USA company.

Ah, but they're French, which makes everything different, doesn't it.

Where's Dr. King when we need him?

[Addendum, 20 January 2004: Earlier report with more details (in French) from Le Monde: Le personnel navigant d'Air France soumis à un 'circuit spécifique' d'entrée aux Etats-Unis ("Air France flight crew subjected to a 'specific circuit' for entry to the United States"). And the first report, apparently, from L'Humanité (13 January 2004): Obsession: Ces français indésirables ("Obsession: These undesirable French"), which says: "The United States' phobia about aviation security establishes an unacceptable discrimination against French people born outside France." The print edition of L'Humanité reportedly also included a reproduction of the TSA directive; if anyone has a copy, please let me know.]

Posted by Edward, 19 January 2004, 22:07 (10:07 PM)

Northwest Airlines admissions on lack of privacy safeguards

Northwest Airlines (NW) released a statement last night attempting to explain why CEO Richard Anderson said in September 2003, "Northwest Airlines will not share customer information, as JetBlue Airways has", when in fact -- as NASA documents released to EPIC under the Freedom of Information Act show -- NW had done exactly that. NW says that, "At the time Mr. Anderson answered this question, he had no knowledge of the Northwest Security Department's provision of passenger data for the NASA research study."

That might well be true -- and if so, it's an incredible indictment of the (lack of) privacy protection, awareness, and safeguards on the part of NW and, unfortunately, most other travel companies. JetBlue Airways, some of you may recall, also said that its CEO had been unaware that a complete copy of the company's entire reservation archive had been given to a military contractor.

Consider what this means for Northwest, jetBlue, and companies like them:

  1. Complete control and authority over the most sensitive personal information about travellers, including authority to disseminate it in bulk, has been delegated to second-level departmental managers.
  2. No safeguards or procedures are in place that would require consultation of, or notice to, the CEO or a privacy officer (so far as I can tell, neither jetBlue nor Northwest had, or yet have even now, a designated privacy officer) for disclosure of passenger data, even on the largest possible scale.
  3. No privacy or data protection and security audits or reports are made that would bring such disclosure or dissemination of sensitive customer data to the attention of the CEO or Chief Privacy Officer.

There's no hint of apology in the NW statement, by the way: "Northwest believes that it was appropriate to provide [passenger reservation] data ... to NASA".

Meanwhile, DontSpyOn.US and the Washington Times ("Study used census information for terror profile") dig into the implications of the use of both NW passenger name records and 1990 U.S. Census data in the same NASA study.

Not surprisingly, some (former) NW customers, even at their headquarters hub in Minneapolis/St. Paul, are saying they will never fly Northwest again. And I've already heard from at least one Twin Cities privacy attorney researching a possible lawsuit against NW on behalf of passengers.

If you're interested in an overview of US-VISIT, CAPPS-II, and other privacy issues related to travel records, I'll be speaking on Tuesday, 27 January 2004, from 6-8:45 p.m., at the Claremont Branch of the Berkeley Public Library, 2940 Benvenue Ave. (at Ashby), on "The monitoring and surveillance of visitors and travellers in the USA."

And I've gotten approval from the program committee for this year's Computers Freedom and Privacy Conference (also in Berkeley, coincidentally, 20-23 April 2004), for a "Birds-Of-a-Feather" (BOF) session on "Travel Data and Privacy", most likely Thursday night, 22 April. BOF's are usually quite informal and relatively unstructured, but I would welcome suggestions for the agenda from any of you planning to be at CFP and interested in participating.

As always, the latest details are on my events page.

Posted by Edward, 19 January 2004, 21:08 (9:08 PM)