Wednesday, 31 March 2004

European Parliament rejects travel data "deal" with the USA

At today's plenary session, the European Parliament voted 229 to 202, with 19 abstentions, in favor of a report and motion for a resolution with additional strengthening amendments that rejects, on multiple grounds, the "agreement" proposed by the European Commission to permit transfers of airline PNR's ("passenger name records") from the European Union to the USA. (Today's plenary minutes aren't yet posted on the Europarl Web site. Thanks to Statewatch for mirroring the EP documents.)

The vote to reject the proposed agreement came despite the defection from the liberal/socialist caucus of one of the largest EP delegations, that of the UK Labour Party.

The USA and some in the EU had hoped to use the proposed "agreement" as the model for further agreements for the transfer to the USA, and sharing with the USA government and governments worldwide, of additional travel data from other sources and for other purposes, including "Advance Passenger Information" (API) collected by airlines from passports and/or passengers, and PNR and API data to be used in the CAPPS-II scheme.

In an interview with EUpolitix.com before the plenary vote, USA Under Secretary of Homeland Security for Border and Transportation Security Asa Hutchinson gave an ambiguous statement of how the USA would proceed:

Question: Looking to the future in this field, what is the new CAPPS II timetable?

Asa Hutchinson: There is not a timetable other than we hope to test the system this summer or at the latest this fall. Our first responsibility is to test it, to evaluate it and make whatever adjustments are necessary. The CAPPS II timetable will depend on the completion of testing.

The CAPPS II negotiations with Europe are really in abeyance until we have the system tested, further discussions will be required and obviously to have the final adoption of the current PNR 'adequacy' finding.

Where there was no ambiguity was in Hutchinson's endorsement of mandatory worldwide fingerprinting for biometric identity documents -- currently under discussion by ICAO -- as "reasonable" and as no more than an "inconvenience", not a violation of rights:

Question: Benjamin Franklin said: "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety". How far can security be put first and what is the limit in terms of privacy and civil liberties?

Asa Hutchinson: We should not give up essential liberty but we should be willing to give up some level of convenience in order to achieve greater security.

Question: In terms of something concrete, such as mandatory fingerprinting for biometric ID documents, is that something that is a matter of convenience?

Asa Hutchinson: That specific example is reasonable inconvenience, or intrusion, in order to tremendously enhance the security of our travellers. So I think it is a reasonable step to confirming the identity of international travellers.

Today's vote was on Europarl approval of the proposed agreement on PNR transfers. It's not clear whether the EP vote is directly binding on the European Commission, which brought the agreement before Parliament. But the EP resolution points out that the proposed agreement fails to satisfy both EU and USA procedural requirements (in the USA, that would require ratification by the U.S. Senate as a treaty, something the DHS has never mentioned as a possibility). And the EP resolution explicitly calls for enforcement of national data protection laws which are being violated by non-consensual PNR transfers to the USA, and reserves the right to challenge the proposed "agreement" and the EC finding of "adequacy" of USA data protection in the European Court of Justice.

The finding of "adequacy" of protection for travel data once transferred to the USA is the subject of a separate report and motion for a resolution, which is expected to be considered next week by the LIBE Committee and later next month by the Europarl plenary. Since the proposed "agreement" depends on the proposed finding of "adequacy", an EP vote against a finding of adequacy of data protection will make it substantially more difficult for the European Commission, or the USA, to disregard the will of the European Parliament (which the USA has previously promised it would respect on this issue).

Both the Europarl and ICAO continue to consider parallel proposals for Europe-wide and worldwide sharing of PNR's and other travel data.

[Addendum, 1 April 2004: Statewatch has now posted the full text of the resolution as moved in the European Parliament plenary.]

Posted by Edward, 31 March 2004, 08:39

Record on CAPPS-II hearing closes today

The written record of the 17 March 2004 hearing on CAPPS-II before the USA House Aviation Subcommittee closes at the close of business today in Washington, DC (14 days after the hearing date).

My own written testimony included my comments on the CAPPS-II Privacy Act notices and focused on the failure of the Federal agencies developing CAPPS-II -- first the Department of Transportation (DOT) and now the Transportation Security Administration (TSA), which became part of the Department of Homeland Security (DHS) -- to consider most of the relevant issues, and thus the need for Congress itself to investigate and consider them directly.

Posted by Edward, 31 March 2004, 07:50

Monday, 29 March 2004

International privacy coalition calls for halt to ICAO biometric/RFID passport plans

In An Open Letter to the ICAO released today by Privacy International, 34 privacy and civil liberties organizations from around the world (with more still joining as endorsers) are calling on the International Civil Aviation Organization not to adopt the proposals currently before ICAO for passport and travel document standards to include biometric information and remotely-readable radio-frequency identification (RFID) chips.

As discussed in a background paper from Privacy International accompanying the joint letter to ICAO, and as previously discussed in my blog, ICAO's Facilitation Division has been meeting last week and this week in Cairo, Egypt to consider, inter alia, proposals to require the inclusion in passports and travel documents of remotely-readable RFID chips and digitally encoded biometric information, and for the standardization and sharing with governments of personal information contained in airline reservations.

These proposals, which are already close to adoption, have enormous privacy and civil liberties implications which ICAO has not addressed. So far as I know, no privacy or civil liberties organizations have been consulted by the relevant ICAO working group, or are in attendance at the Cairo meetings.

In combination, the proposals now before ICAO would convert existing commercial airline reservation systems, and individual countries' border control systems into an integrated "International Infrastructure for Surveillance of Movement" which would lead both to global biometric (facial photo and/or iris scan and/or fingerprint) databases and the ability for governments and commercial entities secretly (due to the potential for remote reading of RFID chips) to construct and access lifetime biographic and biometric travel histories.

ICAO is the source of current passport optical character recognition (OCR) standards. Because the law in the USA already requires passports used for visa-free travel to the USA to comply with whatever standard is adopted by ICAO, ICAO (a "technical" body with no formal procedure for public input) has in effect been delegated authority to legislate USA and global legal requirements for passports.

Today's open letter to ICAO is signed by Privacy International, the American Civil Liberties Union, and other leading digital privacy and civil liberties groups in the USA, Canada, Europe, Australia, and Korea.

Specifically, the undersigned call on the ICAO to:

  • Follow through on earlier promises to review privacy implications of biometrics and trans-border personal information transfers;
  • Release clear and binding privacy requirements that will reduce the risks of illegal collection, use, retention, and transfers of this information;
  • Uphold national data protection laws or cultural practices, as previously promised by the ICAO;
  • Prevent, by design or biometric selection, the development of biometric databases;
  • Refrain from adopting RFID or biometric standards until their privacy and surveillance implications -- and the possibility of alternatives with less potential for privacy invasion or other abuse by surveillance agencies -- can be more fully evaluated.

We hope that the choices of biometrics have been driven primarily by logistical and commercial concerns, and were not intended to facilitate the conversion of travel systems into a global infrastructure of surveillance. But we are deeply concerned that this may become their unintended consequence.

The joint statement on RFID and biometric passports, travel document, and databases is the second in a series entitled, "Towards an International Infrastructure for Surveillance of Movement". The first paper in the series, Transferring Privacy, focused on international transfers of airline reservations, particularly between the European Union and the USA.

[Addendum, 30 March 2004: More from the ACLU statement as one of the original co-signers of the joint letter to ICAO:

"The right to movement is recognized as a fundamental right around the world, and any steps that could restrict that right must be taken with the utmost care and deliberation," [Barry] Steinhardt [Director of the ACLU's Technology and Liberty Program] added. "We have not seen that kind of public discussion about these measures."

The ACLU also suggested that some of these measures might be part of an effort by member nations to enact a surveillance regime by working through international bodies that would never win political approval if it were to be directly proposed.

"We call that 'policy laundering,'" Steinhardt said. "The U.S. government knows that the American people will never go for a national I.D. card or a national database of every American's fingerprints and photographs, but this proposal, if approved, will allow the United States to claim that large steps toward those policies are 'necessary to comply with international standards.'"

Additional signatories are continuing to endorse the letter, but there's been no immediate indication as to whether any attention is being paid to it at the Cairo meeting of ICAO.]

Posted by Edward, 29 March 2004, 16:06

Public radio report on CAPPS-II features tired TSA lies

I was interviewed by Minnesota Public Radio's Jeff Horwich for a two-part, 15-minute feature on CAPPS-II that's being broadcast today and tomorrow:

Part One: Years after 9/11, passenger screening system still grounded
Part Two: Civil liberties groups fear travel "surveillance"

The USA Transportation Security Administration's latest spokesperson, Mark Hatfield, responds to my criticisms and those of other privacy advocates and civil libertarians by telling Horwich that, "When you get shrill opponents out there who make simply false claims in an effort to either fear-monger or discredit the program, it's truly unfortunate."

But it's Hatfield, unfortunately, who makes the false claims in his very next sound bite: "While opponents fear the TSA will compile a 'travel dossier' that keeps a running log of our movements, Hatfield says that would be impossible."

Hatfield and the TSA may think it's impossible (nobody at the TSA -- at any rate, nobody involved in designing CAPPS-II -- appears to have any real understanding of how airline reservation data is collected, entered, stored, and processed) but it's very much possible, both for airlines and the government.

The Department of Homeland Security admitted as much in its Privacy Impact Assessment for the US-VISIT system, which would incorporate data obtained from CAPPS-II into biometric and biographic travel histories stored by the government for up to 100 years.

Hatfield continues, "The travel information used in CAPPS II will be deleted shortly after a trip is completed."

The government will delete some of its copies (but not those transferred by the TSA to the US-VISIT system or other agencies or databases), but the airlines can keep their copies for as long as they like -- several years at minimum just for accounting purposes, probably for life once they realize the marketing value of the additional data travellers will be required to provide for CAPPS-II.

"What's more, Hatfield says the TSA will never actually touch that data." But there's absolutely nothing in any current USA law, or in any of the policies proposed by TSA in its Privacy Act notices for CAPPS-II, that would limit TSA access to reservation data.

Even long after a flight, and without the need to ask permission from a judge, the TSA or other Federal agencies could use a "national security letter" under the Patriot Act both to force airlines or computerized reservation services to turn over data, and to forbid them from admitting that they have done so. They might have done so already: even if airlines and CRS's deny that they've turned over reservation data, their denials could be government-ordered lies.

Hatfield is new in his position, but if he didn't know it already, he's quickly learning what it takes to sell CAPPS-II: big lies.

Posted by Edward, 29 March 2004, 13:59

Wednesday, 24 March 2004

European Parliament to vote on transfer of PNR data to the USA

Consideration and a vote on the draft European Parliament resolution against PNR data transfers to the USA, as recommended for approval by the LIBE Committee, has been placed on the draft agenda for the Europarl plenary session on Wednesday, 31 March 2004, in Strasbourg.

Statewatch, citing EUpolitix.com and internal Europarl documents, reports on the intense lobbying being carried out by the USA, and by factions within the EU, in support of a deal to authorize the already ongoing USA access to reservation data collected in the EU, and to find (in the face of plain facts to the contrary) that the non-protection from disclosure or misuse of travel data in the USA somehow satisfies EU legal standards of "adequacy" of data protection.

But the latest proposal, which is being presented to the council of EU governments as a way to try to bypass the Parliament, still rests on the so-called Undertakings which the USA Department of Homeland Security has promised to publish (but hasn't published yet) in the Federal Register.

As anyone who has read the Constitution knows, mere publication in the Federal Register does not, and cannot, give the "Undertakings" any legal significance in the USA: international treaties involving the USA must be ratified by the Senate before they come into effect. Members of the European Parliament, and of other EU and national government bodies, should think twice before finding that a draft treaty -- not yet introduced, much less ratified, in the Senate, and thus not subject to being invoked as binding in any USA legal proceeding -- provides anyone with any legally enforceable rights at all, much less "adequate" protection for privacy rights in PNR data.

Aside from the fact that the Undertakings are legally meaningless and completely unenforceable (at least in the USA) unless and until they are ratified as a treaty by the Senate, which neither the Undertakings nor the DHS have ever mentioned as a possibility, the Undertakings continue to contain, and to be based on, materially and demonstrably false and misleading claims about the nature of the data contained in airline reservations (PNR's).

As I noted in my earlier detailed analysis of the draft Undertakings, and of "Attachment A" to the Undertakings containing the list of PNR data elements to be authorized for access by the USA, the factual misrepresentations are so extreme as to betray either gross technical incompetence or deliberate intent to mislead.

That should come as no surprise: the claims made by the DHS about its proposed CAPPS-II airline passenger profiling and surveillance system have likewise been based on a profoundly inaccurate and misleading representation of what data is contained in PNR's, and how and by whom it is collected and transmitted.

European and other legislators abroad, still stinging from having been misled by the USA about the alleged factual basis for the invasion of Iraq, should -- and probably will -- exercise much more due diligence both in investigating the factual claims about PNR data in the Undertakings, and in auditing whether (as I've previously reported that it has not) the USA has actually complied, to date, with the restrictions the Undertakings claim that it has placed on its access to other PNR data.

Posted by Edward, 24 March 2004, 16:13

USA to world musicians and artists: "Keep out!"

Artists from all over the world are being refused entry to the US on security grounds.
(The Guardian, UK)

The insanely cumbersome process of entering America [as a performing artist] now goes something like this: first, the manager or producer or venue who wants to book a foreign artist must petition one of four USCIS [US Customs and Immigration Service, part of what used to be the INS] service centres. They must prove the artist is unique, extraordinary or renowned, and that he or she intends to return to their home country after their work is done.

If the petition is accepted, it is then sent to the artist in their home country, and the artist in turn brings it to the US consulate, where he or she is fingerprinted and interviewed. After the interview, the waiting begins, as the consulate sends the application to the Department of Homeland Security and "all interested agencies". It may take seven weeks, it may take seven months, but - and here the Kafkaesque institutional absurdity really takes hold - the law says that visas can be applied for, at the earliest, only six months in advance. Waits of up to 10 months are not uncommon.

Nor are visa applications that are never returned. "A case can disappear into the ozone," says Ginsburg. The entire process normally runs from $2,000 to $4,000 per artist, depending on lawyers' fees, and that does not include travelling expenses to and from consulates. In Iran, there is no American consulate, so someone like Kiarostami must travel to Syria and back - twice.

I guess all this means that if you're in the USA, and want to hear or see world music and art first-hand, you'll just have to go travel yourself to find it, since the USA won't let it come to you.

One more reason to travel, if you needed one.

Posted by Edward, 24 March 2004, 11:17

Tuesday, 23 March 2004

TSA appoints its first privacy officer

Ryan Singel of Wired News reports this morning that Lisa Dean, since mid-2003 the Washington, DC representative of the Electronic Frontier Foundation, has been appointed as the first Chief Privacy Officer of the USA Transportation Security Administration.

In her previous job as director of the Free Congress Foundation's Center for Technology Policy, Dean worked with Stephen Thayer -- now deputy and acting director of the TSA's Office of National Risk Assessment -- while Thayer was executive director of the American Conservative Union.

Let's hope Dean's established relationships with Thayer and with DHS Chief Privacy Officer Nuala O'Connor Kelly enhance her ability to stand up for the privacy rights of travellers, travel and transportation workers, those who arrange or pay for travel for others, prospective passengers who make reservations but don't actually travel, and other individuals whose personally identifiable information is included in travel records.

A sincerely committed privacy officer at the TSA will certainly have their work cut out for them: the TSA and DHS have pledged to issue a new Privacy Act notice before deploying their planned CAPPS-II airline passenger profiling and monitoring system. But many of the comments received in response to the previous Privacy Act notice (the largest number of public comments ever on a Privacy Act notice) have yet to be made public by the DHS, much less considered, responded to, or acted on.

The DHS's purported "analysis" of the first round of comments failed even to acknowledge most of the issues they raised, including whether the CAPPS-II proposal is constitutional, whether it exceeds the statutory authority of the TSA and DHS (particularly with respect to the proposed new mandates for reservations, information, and identification documents), or whether the reservations accessed by the government would include personally identifiable information on other categories of individuals beside those who actually travel (as they would, and which, in and of itself, would be sufficient to ensure that any attempt to implement CAPPS-II without a much-expanded notice would be blocked in court for failure to comply with the requirement of notice to all those whose data would be given to the government).

Even the CAPPS-II notice currently proposed to be given to travellers is legally insufficient: at last week's House subcommittee hearing, the TSA said that notice would be given at the time reservations are made, but that the TSA plans to order airlines to start turning over data within a few months. Taken together, those two statements evince an intent to flout the Privacy Act requirement of prior notice, since some people have already made reservations and/or bought tickets for flights up to a year from now.

If notice is to be given at the time of making reservations and/or buying tickets, the Privacy Act prohibition on use of information provided without notice would preclude any use of pre-existing reservations until at least a year after the notice-at-the-time of reservations system is fully in place.

And CAPPS-II is, of course, only one of a wide range of potentially privacy-invasive proposals on the table at the TSA as it attempts -- in much the same manner as the attempts under the Communications Assistance to Law Enforcement Act (CALEA) to mandate the conversion of commercial communications systems into an infrastructure of communications surveillance -- to mandate the conversion of existing travel reservation systems into an infrastructure of surveillance of travellers.

It won't be an easy job being Chief Privacy Officer for such an agency, the less so the more sincere the office-holder's commitment to privacy protection.

Posted by Edward, 23 March 2004, 08:04

Monday, 22 March 2004

"Travel Data and Privacy" session on CFP 2004 agenda

Despite having been omitted in error from the printed schedule you may be receiving in the mail, and the PDF file on the CFP2004.org Web site, I'm assured that the "birds-of-a-feather" session I'm facilitating on "Travel Data and Privacy" is still on the agenda for this year's "Computers, Freedom, and Privacy" conference in Berkeley and Oakland (the conference venue straddles the city line), CA, USA.

The BOF session on Thursday evening, 22 April 2004, will provide an update and overview of:

  1. Current proposals for government and commercial uses of travel data and the conversion of the travel reservation infrastructure into a system for surveillance of travellers, including CAPPS-II, US-VISIT, APIS, biometric and RFID passports and travel documents, the jetBlue Airways and Northwest Airlines "sharing" of reservation archives, and current and potential policies and practices for commercial uses of travel reservation archives;
  2. The status of related regulatory and legislative activity and litigation in the USA, EU, Canada, and international standard-setting bodies such as IATA and ICAO;
  3. Gilmore v. Ashcroft, Hiibel v. Nevada, and anonymous travel; and
  4. Strategizing for responses and initiatives to protect and defend the privacy of travellers and the right to travel.

I hope and expect that many of the leading activists on this issue from around the country and the world will be in attendance and able to contribute to the discussion.

I'll be arriving late at CFP, due to another travel event earlier in the week in New York, but I look forward to seeing many of you there on the 22nd.

I'll also be discussing the impact of current "Homeland Security" measures on travel industry workers and their privacy -- one of the aspects of CAPPS-II and related measures that's been least widely recognized -- at a panel on workplace surveillance with Deborah Pierce of PrivacyActivism and Nancy Bupp of the IAM Education and Technology Center at LaborTech/Access 2004 at Stanford University on Saturday, 3 April 2004, 5:00 - 6:15 p.m.

And, for those of you in the Bay Area interested in more general travel advice, a reminder that I'll be speaking and signing copies of the new 3rd edition of "The Practical Nomad: How to Travel Around the World" this Wednesday, 24 March 2004, at 7:00 p.m. at Get Lost Travel Books at 1825 Market St. (on the south side of Market St. between Valencia St. and Guerrero St.) in San Francisco. (Note that the San Francisco Chronicle travel section published the wrong date for this event: it's Wednesday, 24 March, not Friday.)

As always, details of all events are on my events page.

Posted by Edward, 22 March 2004, 15:48

USA Supreme Court hears argument on ID case

In a case with profound implications on the freedom to travel (in the USA, that's part of the First Amendment to the Constitution: "the right of the people ... peaceably to assemble") the USA Supreme Court hears arguments today in Hiibel v. Nevada, in which a Nevada cowboy was arrested, while standing off the side of a rural road, under a state law providing that:

1. Any peace officer may detain any person whom the officer encounters under circumstances which reasonably indicate that the person has committed, is committing or is about to commit a crime....

3. The officer may detain the person pursuant to this section only to ascertain his identity and the suspicious circumstances surrounding his presence abroad. Any person so detained shall identify himself.

At the time, the police officer told Hiibel that he was "investigating an investigation". Later, he claimed to have been investigating a complaint of domestic violence against Hiibel's daughter, who was in a (legally parked) truck nearby. But the video of the entire incident, taken by a camera in the arresting officer's car, shows that none of the officers made any attempt to question or ascertain the condition of Hiibel's daughter until she protested after Hiibel's arrest -- at which point they seized her too.

Yet Hiibel was convicted, and the conviction upheld by the Nevada Supreme Court in the decision now on appeal to the USA Supreme Court.

The gory details, including all of the legal documents in the case, are on Hiibel's Web site. But in addition to its direct application, the Supreme Court's decision in the Hiibel case is likely to be extremely significant in defining the extent of permissible government ID demands on travellers, by airline and otherwise.

John Gilmore, himself the plaintiff in Gilmore v. Ashcroft, the pending Federal lawsuit challenging the requirement for airline passengers on domestic flights within the USA to produce identity documents (and challenging the secrecy of the relevant government "security directives", which makes it impossible for travellers to know what, if anything, those directives actually require), has filed a friend of the court brief pointing out the Nevada court's error in assuming both that the law requires airline passengers to produce evidence of their identity, and that such a law is Constitutional, when neither issue has yet been settled.

PrivacyActivism, the Cyber Privacy Project, and FreeToTravel.org, in another friend of the court brief that draws heavily on some of my own arguments about the difference between "to identify" (state one's name or identity) and "to produce credentials or proof of identity", point out the vagueness of the law (what is sufficient statement or evidence of identity?), the importance of anonymity as a right, and -- perhaps most significantly -- the importance of freedom to travel as a right.

The Supreme Court's decision will be announced by the end of the term, probably in late June or early July of this year.

[Addendum, 22 March 2004: Dahlia Lithwick in MSN Slate has the first blow-by-blow of who said what during today's oral argument.]

Posted by Edward, 22 March 2004, 09:51

Sunday, 21 March 2004

Application for ".travel" top-level Internet domain name renewed

A group of travel industry associations led by the International Air Transport Association (IATA) and acting through Tralliance Corp. and the Travel Partnership Corporation (a sham organization operating almost entirely in secret, created by IATA to provide a non-profit front for the ".travel" sponsorship application originally made by IATA, and whose domain name currently is aliased to that of the for-profit Tralliance Corp.), has filed a renewed application with ICANN to sponsor a ".travel" top-level Internet domain name for businesses in the travel industry.

The renewed ".travel" sponsorship application repeats almost all the defects (plus some new ones) that I've identified in my previous articles and comments to ICANN on the attempts by the travel industry to co-opt Internet domain names for travel (the proposed ".travel" and the current, little-used ".aero" for air transportation) for the exclusive use of industry, to the exclusion of consumers, industry critics, individual travellers (those who would likely make the most use of a ".travel" TLD, if it weren't limited to industry, for travel blogs, travelogues and travel journals, travel photo galleries, and the like), and other non-commercial Internet travel users and communities who aren't part of the industry of providers and sellers of travel services. But that's a distinction between a human community and an industry that ICANN, with its slavish devotion to the religion of the market, seems constitutionally incapable of recognizing.

ICANN has announced that, "A public comment period will open 1-30 April 2004." The comment forum might be here and the e-mail address for comments might be stld-rfp-comments@icann.org. But those are only guesses: No URL or e-mail address for submitting comments has yet been posted on the ICANN Web site, and ICANN has a history of changing comment period dates, e-mail addresses, and URL's without notice. Given a chance, I'll submit detailed comments, and encourage other travellers to do so.

Posted by Edward, 21 March 2004, 22:10

House hearing on CAPPS-II shows continued TSA distortions, growing airline concerns

Testimony at last Wednesday's hearing on CAPPS-II before the Subcommittee on Aviation of the USA House of Representatives Committee on Transportation and Infrastructure continued the Transportation Security Administration's campaign of lies about CAPPS-II, while revealing increasing concern by airlines -- even those in the USA -- about the cost and logistical burden of CAPPS-II on the travel industry.

Acting TSA Administrator David M. Stone tried to deny those implications by claiming, falsely, that:

"Currently, the CAPPS II system is being designed to ... Obtain available Passenger Name Record (PNR) data from airlines and computer reservation systems. At a minimum this data will include full name, home address, home telephone number, and date of birth."

In fact, Stone and the TSA know full well (at least if they bothered to read any of the formal comments I and others submitted, starting more than a year ago, on their CAPPS-II proposals) that this data is not now "available": the items Stone listed are not part of the data which, "at a minimum", PNR's include (if PNR's exist at all, which they don't for e.g. passengers on most charter flights).

As James C. May, President and CEO of the Air Transport Association (the lobbying association for major USA-based airlines), told the same hearing:

Passenger name records do not contain all the categories of information that TSA contemplates will be required for CAPPS II. CAPPS II will consequently require airlines to change significantly their practices for acquiring information from customers....

Airline reservation systems and the reservation systems of global distribution systems and online reservation systems will have to be reprogrammed to respond to the new information collection requirements. This will create substantial new resource demands on airlines and other providers of reservation services.

Because of the necessary reservation system reprogramming and revision of reservation agent practices to accommodate CAPPS II, airlines will need to know the technical requirements for and implementation schedule of CAPPS II well in advance of its startup. TSA, however, has not yet provided airlines with specifics about the CAPPS II system architecture.

May didn't give any estimate on behalf of ATA for the cost of CAPPS-II to airlines or other companies that collect and process airline reservations, such as travel agencies and CRS's/GDS's.

But such an estimate was given earlier in the week by the International Air Transport Association, representing airlines worldwide, in a 15 March 2004 working paper prepared by IATA for the session of the International Civil Aviation Organization's "Facilitation Division", that begins today, 22 March, and runs through 2 April 2004 in Cairo, Egypt.

The preparatory documents for the ICAO standard-setting session include a wide variety of proposals for surveillance and monitoring of travellers, including mandatory machine-readable RFID and biometric passports, travel documents, and transportation worker credentials; profiling of passengers; comprehensive monitoring of passengers and cargo; and standardization of PNR formats and additional data collection requirements to facilitate uniform government access to, and sharing of, reservation data.

But IATA's backgrounder on "Airline reservation system and passenger name record (PNR) access by States" [i.e. national governments], the most comprehensive survey of CAPPS-II costs and other implications yet made public from within the airline industry, shows the increasing recognition by airlines that they can't afford these measures -- and that governments haven't acknowledged their costs, and may not be able to afford them either.

IATA's briefing paper warrants careful study in its entirety, and reinforces the comments I and others have made on the requirement of CAPPS 2.1 that additional data be provided by airlines, in a standard format, for each passenger. According to IATA's latest assessment:

Since only portions of Airline Reservation Systems are regulated by Industry standards, significant parts of the underlying architecture vary. Any movement to impose changes on the industry with respect to the way that PNR's are constructed, stored or exchanged would require a massive restructure of the entire industry's underlying IT base. While no firm analysis has been undertaken to identify the final cost of such a restructuring across the industry - including within the Travel Agency community - some in the industry have estimated that the costs could conceivably exceed US $2 billion.

That's a sign that my own earlier estimate that CAPPS-II could cost US$1 billion or more -- itself an extrapolation from earlier IATA comments on much narrower government-imposed data collection requirements -- may have been overly conservative.

TSA Acting Administrator Stone also told this week's House Subcommittee hearing that, "CAPPS II will not be an intelligence gathering system."

But IATA directly contradicted that claim in its backgrounder for the upcoming ICAO Facilitation Section Session:

There is a consensus within the industry that access to PNR data by any government agency is in fact an intelligence gathering operation.... Accordingly, the air transport industry firmly supports the premise that the costs associated with access to airline reservation data should be borne solely by the government(s) requesting those data [rather than by the industry].

Stone also told the House that, "We [the TSA] are designing CAPPS II so it will not maintain data files on passengers beyond the time necessary to complete their itineraries." But of course he failed to mention that airlines, CRS's/GDS's, travel agencies, and other companies that handle reservations would be free under the latest CAPPS-II proposals to keep this data -- provided to them under government orders -- for as long as they like, and to use, rent, sell, or disclose it to anyone (including any government officer or agency) for any purpose, without notice to, or the consent of, the traveller or anyone else (such as the travel agent making the reservation or the person paying for someone else's ticket) identified in the reservation.

And while Stone boasted that the TSA has "issued two Interim Privacy Act notices to date" on CAPPS-II, he neglected to tell Congress that the first of those notices hid its real intentions by never mentioning CAPPS-II; that the TSA has yet to make public most of the comments it received in response to those notices; that in response to the comments on the first Privacy Act notice, the revised CAPPS 2.1 involved more extensive, intrusive, and burdensome reservation data requirements than CAPPS 2.0; and that the TSA's purported "analysis" of the comments failed even to acknowledge that there were any comments -- much less to respond or make any changes in response to them -- questioning whether the proposal is Constitutional, whether it is authorized by statute or conflicts with other laws such as the Privacy Act and the Airline Deregulation Act, or whether the notice is deficient in failing to include an economic impact analysis and failing to include people other than travellers whose personally identifiable information is included in airline reservations.

Finally, several members of the Subcommittee reportedly expressed particular concern about the possibility that -- as pointed out in testimony by Kevin Mitchell for the Business Travel Coalition and three European business travel organizations, and explored in more detail in a recent law column in Travel Weekly (free registration and cookie and popup acceptance required) by Mark Pestronk -- the TSA could be held liable for consequential damages of "false positives" and delays to travellers as a result of CAPPS-II errors.

Posted by Edward, 21 March 2004, 21:11 (9:11 PM)

Friday, 19 March 2004

Europarl committee recommends rejection of travel data "deal" with the USA

At its meeting Thursday, 18 March 2004, the European Parliament's Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE Committee) voted 25 to 9, with 3 abstentions, to recommend adoption of a resolution to "Call... upon the [European] Commission to withdraw the draft decision" on the adequacy of protection provided for personal data contained in airline reservation Passenger Name Records (PNR's) transferred to the USA from the European Union.

In the meantime, the resolution calls on national data privacy protection authorities to enforce national laws violated by the ongoing PNR transfers to the USA, and reserves the right of Parliament to appeal to the European Court of Justice should the Commission continue without taking account of Parliament's demands.

The proposed resolution will next go before the Europarl plenary session on Thursday, 25 March 2004, where it seems virtually assured of passage.

A wide range of other proposals for the EU to follow the USA lead in selling out civil liberties to "Homeland Security" have been made in the EU in the wake of the bombings in Madrid. The vote against the proposed "deal" with the USA on airline reservation data, in the immediate aftermath of the bombing, is an encouraging sign that EU legislators have learned from the second thoughts voiced by many in Congress about their votes after 11 September 2001 for repressive laws like the "Patriot Act". If this vote is any indication, the Europarl is less likely to be stampeded into forgetting its principles of freedom.

I'm no expert on European Parliamentary procedure, and some reports on the LIBE Committee vote, such as those from the BBC and Agence France-Presse, differ on whether even a plenary Europarl vote will be binding on the European Commission with respect to the current PNR transfers under the Advanced Passenger Information System (APIS). But if the Europarl is unwilling to approve the APIS data transfers of current PNR's, it is even less likely to approve the separate deal that would be required for collection and use of additional data, not in current PNR's, for CAPPS-II.

But the USA Undersecretary of Homeland Security for Border and Transportation Security, Mr. Asa Hutchinson, promised explicitly in an interview 13 February 2004, which was published by the DHS itself, that the USA will not proceed with CAPPS-II testing without Europarl approval:

Question: Mr. under Secretary, Robert Block from the Wall Street Journal, I have a letter here from Fritz Bolkestein to the Secretary, to Secretary Ridge, in which it says that Europe has not agreed to submit its data for CAPPS II testing. Then it also reminds you that because there is no situation that use of this could leave airlines open to law suits and the same problems that are here, if its used. Also, just a few days ago another report came out from the European Union, which also recommends that in no way that PNR Data should be used for CAPPS II testing, at all, especially given that the GAO Report was not out yet. So I am confused where the agreement exists to test and have the European data used for testing.

Undersecretary Hutchinson: First of all any agreement that is reached has to be approved by the European Parliament and so that is really the status of it and I think that reflects Commissioner Bolkestein's language that there has not been final approval for that purpose because it has not been finalized in final agreement form and it has not been approved by European Parliament. What I have referenced is that we have had negotiations that have been on going for months and that we have reached agreement, oral understanding, this has been communicated by Commissioner Bolkestein as well for the submission of this agreement to the European Parliament and part of that agreement that has been breached with Commissioner Bolkestein, in these negotiations, is that the PNR Data would be able to be used for testing purposes of CAPPS II with the understanding that the system would not be used for fully implementing CAPPS II system until the Congressional review is completed and the European Commission has an opportunity to review the results of the testing. So that's where we stand with them, now, underlining all of that is our independent decision that we're not going to try to move forward with the testing of this system with European data because of the state of the plague [transcription error -- probably should be "debate"] there.

As Hutchinson also admitted in the same interview, it's impossible to separate data from the EU from data collected in the USA -- the place of data collection is nowhere coded in any PNR (although much other intimate information about travellers, travel industry workers, and other people is).

The only choices that will leave the DHS are to:

  1. Suspend or abandon plans to resume CAPPS-II testing;
  2. Break its public promise, and proceed with CAPPS-II testing without Europarl approval, precipitating a diplomatic crisis, enforcement action against airlines and reservation systems by EU authorities, and the possible interruption of USA-EU flights; or
  3. Postpone any resumption of CAPPS-II testing until Congress has enacted a privacy law providing "adequate" protection, according to EU and international norms, for travel reservation data in the USA, in both corporate and government hands.

Only the third of these options will allow CAPPS-II testing to resume without breaking diplomatic assurances given to friendly countries. So the measure of the sincerity of DHS claims to want to protect privacy and honor diplomatic commitments, while proceeding with CAPPS-II, is the extent to which the DHS itself works to get Congress to pass travel privacy legislation satisfying international norms of privacy as a human right.

If the DHS makes no move to introduce such legislation (or does so without drafting its bill to meet EU, Canadian, and other key air travel partners' adequacy standards), yet continues to push for CAPPS-II -- knowing that, as this week's committee vote makes clear, CAPPS-II stands no chance of Europarl approval without such action by Congress -- it will be hard to escape the conclusion that the DHS was lying to the EU when it promised to respect the Europarl decision on CAPPS-II.

Posted by Edward, 19 March 2004, 08:12 (8:12 AM)

Wednesday, 17 March 2004

Congress to hear today from opponents of CAPPS-II

Testimony prepared for today's Congressional hearing on the status of the CAPPS-II airline passenger profiling and monitoring system reveals increasing unity of opposition from business travellers and organizations, and continued hypocrisy by the airlines with respect to protecting travellers' privacy.

In a series of articles this week, Business Travel News reports how organizations representing business travellers and the travel companies that serve them -- including the Business Travel Coalition (BTC), the Association of Corporate Travel Executives (ACTE), and the Travel Business Roundtable (TBR) -- have all been vying for the leading role as spokespeople for their members' and constituents' objections to CAPPS-II.

In addition to business critics of CAPPS-II, the House Transportation and Infrastructure Committee's Subcommittee on Aviation is also scheduled to hear testimony from the Electronic Privacy Information Center (EPIC) on behalf of privacy advocates.

The BTC, which will be represented at today's hearing by Executive Director Kevin Mitchell, is joined by several of the leading European business travel organizations in its prepared testimony against CAPPS-II. With respect to CAPPS-II implementation costs, the BTC says that, "Firms in the travel industry distribution business face unknowable costs at this time to reconfigure their systems in accordance with the requirements of a CAPPS II."

I'm at the Eye For Travel conference of travel distribution executives this week near Los Angeles. No one I've talked to here likes CAPPS-II, but few are prepared to say so publicly, and none have been given any clear guidance as to what the government plans to require them to do, what it will cost, or who is expected to pay for it.

Although they aren't scheduled to testify in person at today's hearing, ACTE has submitted written testimony against CAPPS-II including "a highly conservative estimate that gives CAPPS II the benefit of the doubt" that it would cost US$2 billion per year in additional travel expenses, plus additional costs of lost business, just from delays to business travellers. (That's in addition to the direct costs of CAPPS-II implementation for the travel industry, which I've estimated as likely to exceed US$1 billion.)

The TBR has released a broader white paper on the excessive and unnecessary burden of a wide range of "Homeland Security" measures, not just CAPPS-II.

The testimony of the Air Transport Association (ATA) -- the lobbying association for USA-based airlines -- is less forthright, according to advance reports on what ATA plans to say.

Reportedly, ATA plans to tell Congress that CAPPS-II shouldn't be implemented unless and until the government agrees to respect a set of minimal privacy principles for what travel data it will use, and how.

That's good, as far as it goes, and certainly reflects the collective recognition by airlines -- even those in the USA (Congress hasn't sought testimony from the worldwide airline organization IATA, which would likely be much more critical of CAPPS-II) -- that their customers do care about the privacy of the information about them contained in their reservations -- notwithstanding absurd denials like the recent one from Northwest Airlines.

But the airlines themselves have never respected any of the privacy principles that they are proposing be applied to government use of reservation data. If, as it should, Congress acts on what it hears today, and has been hearing for months, by enacting privacy legislation governing travel data, it needs to subject airlines and other travel companies, especially the computerized reservations systems, to the same standards as the government.

If airlines and other travel companies aren't included in any new Federal travel privacy rules or legislation, those rules will provide no effective protection for travellers' privacy.

For example, ATA argues (rightly) that the government shouldn't be allowed to retain the details of your reservations once your trip is completed. But such a restriction would be meaningless if the airlines were allowed (as they now are) both to retain those records indefinitely (as they now do) and to provide them to the government any time the government asks for them (as the jetBlue Airways and Northwest Airlines incidents make clear that they have done, and as they can be required to do, without warrant, notice, or prior opportunity for judicial review, under the Patriot Act).

The most dangerous and privacy invasive element of the current CAPPS-II (CAPPS 2.1) proposal is its requirement that all airline passengers have reservations (effectively outlawing unreserved travel and invalidating "open" tickets) containing specific new data -- never required, not provided for in reservation standards, and not usually entered at all -- for each prospective traveller.

The government claims (perhaps truthfully, though they've been too secretive for outsiders to tell) that its intent in requiring this additional information in reservations, and in proposing to require proof of identity from each traveller (in a form as yet unspecified -- current evidence-of-ID requirements are imposed by airlines, not the government, and are impermissibly vague for a government regulation) is to facilitate verification of each traveller's identity.

But the more significant consequence of requiring both this additional identifying information in reservations, and production of credentials (a de facto national travel ID card) by travellers, will be to enable airlines, other travel companies (especially the CRS's which host most reservation databases), and the government to index previously discrete reservation records (PNR's from separate trips) into lifetime travel histories for each traveller.

Those travel histories -- to be merged with, among other databases, the lifetime biographic and biometric border crossing histories from the US-VISIT program -- would be subject, in the current absence of travel privacy law in the USA, to a wide variety of potential future uses and abuses, both by diverse government agencies and by all sorts of travel and other commercial entities.

But ATA's only reported objection is that the travel agencies who make 75% of all reservations -- not the airlines -- should be required to bear the cost of collecting and entering this additional information.

As long as someone else (travellers, ultimately, through costs passed on in higher ticket prices and/or service fees) will have to pay to collect and enter this data, and as long as the airlines themselves will be under no constraints in their ability to retain, mine, use, sell, or rent this data for their own profit, they have no objection per se to doing whatever is necessary to enable individual airline reservations to be indexed into dossiers of each traveller's movements by air throughout their lifetime.

So much for airlines' phony claims to be looking out for their passengers' privacy.

Posted by Edward, 17 March 2004, 07:12 (7:12 AM)

Monday, 15 March 2004

Want privacy? Don't fly Northwest Airlines.

In a memorandum of law at once extraordinary and typical in its dismissal of travellers' concerns for the privacy of their reservation records, Northwest Airlines (IATA airline code "NW") has declared that:

[T]here is no general "public policy" in favor of such [privacy] rights. Passengers have no inherent right or expectation of total privacy in the information provided when traveling on commercial airlines.... Northwest Airlines makes no representations that information will not be shared with the government.

The privacy rights advocated by EPIC and MCLU do not exist in the rules, precedent or practices of the Department. There is similarly no applicable right to privacy imposed by any other federal law. Indeed, passengers have no inherent right or expectation of total privacy in the information they provide when traveling on commercial airlines.... Congress has not imposed any affirmative privacy obligations on airline passenger data, and Congress knows how to do so.

Expectations of privacy in air travel have always been low.... A reasonable person does not expect privacy in his personal information.... The Supreme Court has further held that citizens forfeit any expectation of privacy when they voluntarily provide information to third parties.... [T]here is no reasonable expectation of privacy in public travel.... Given that the public does not reasonably expect the type of privacy that EPIC and MCLU advocate, there is no "substantial" injury in the disclosure of passenger information.

NW's claims were made in its answer to complaints filed with the USA Department of Transportation (DOT) by the Electronic Privacy Information Center (EPIC) and the Minnesota Civil Liberties Union (MCLU), alleging that NW engaged in "unfair and deceptive trade practices" by having a so-called privacy policy that was contrary to its actual privacy practices and specifically by secretly turning over millions of reservations to NASA for experiments in passenger profiling, even while NW's own CEO denied it had done so.

EPIC's reply to the NW argument makes clear the government's dilemma in responding to the complaint while simultaneously trying to defend the government's increasing demands for access to travel records for CAPPS-II and other "Homeland Security" surveillance and monitoring programs.

As EPIC points out, this is the first test case of the USA government's claims to the European Union that the DOT complaint and enforcement process provides a level of privacy protection that satisfies EU standards of "adequacy".

If the DOT fails to uphold the complaints against NW in such an egregious case of lying and privacy invasion, it will severely jeopardize whatever slight chance the USA might have had to get a finding of "adequacy" approved by the European Parliament (as the USA Dept. of Homeland Security has promised it will do before resuming testing or deployment of CAPPS-II). But a ruling against NW would significantly limit the government's future ability to gain access to PNR's or PNR archives without prior notice to, and consent of, travellers -- as would be required for CAPPS-II as currently planned.

I've spoken in the past with senior DOT officials supposedly responsible for acting on complaints like the one by EPIC against NW, and it was clear to me that they had no desire at all to get involved in privacy enforcement -- even under laws prohibiting lying to consumers. Local law enforcement authorities are powerless to object: state attorneys general have almost unanimously denounced their inability, under the "Federal preemption" provisions of the Airline Deregulation Act of 1978, to subject airlines to the same state consumer fraud laws that govern all other businesses. (A 2000 letter to Congress calling for legislation to narrow the preemption provisions of the 1978 law was signed by 47 state and territorial attorneys general.)

To date, Congress has been reluctant to act, but if the DOT upholds NW's claim that their actions violated no existing law, it will be hard to escape the conclusion that there ought to be such a law. There could scarcely be a clearer call for Congressional action than NW's argument that, "Congress has not imposed any affirmative privacy obligations on airline passenger data, and Congress knows how to do so."

Indeed Congress does, and should. In the meantime, NW has made clear where they stand, and travellers should act accordingly.

Posted by Edward, 15 March 2004, 15:07 (3:07 PM)

Friday, 12 March 2004

USA government commission seeks public comment on travel to Cuba

I received the following alert from my friend Christopher Baker, fellow member of the Bay Area Travel Writers and author of the definitive Moon Handbooks Cuba and Moon Handbooks Havana as well as other guidebooks, photography, and travel stories of Cuba and the Caribbean -- and perhaps the leading expert in the USA on the reality of travel to Cuba:

Hello friends,

Most of you receiving this email have some connection to Cuba, or otherwise, I believe, hold the values of freedom to travel close to your hearts.

Last year, President Bush formed a Commission for Assistance to a Free Cuba, a private group of government officials who have been meeting in secret to take our failed Cuba policy and send it even further in the wrong direction.

With only weeks to go before the Commission files its report with President Bush, it has finally invited public comment. The Commission must hear from concerned and conscientious Americans who are sick and tired of the restrictions US policy places on the freedom of Americans to travel to Cuba.

Secretary of State Colin Powell is now running this Commission, and he needs to hear from Americans who want this failed policy changed.

Please take a moment to visit the Cuba Central website and sign a letter to Secretary Powell to voice your opposition to the travel ban.

Thanks for your support... and stay well.

Warm regards,
Christopher

If you'd like to send your own personal comments, in addition to or instead of signing the petition, "The Commission welcomes information, views, and opinions from ... interested individuals, international experts, and non-governmental organizations. All submissions that are not in English must be accompanied by an English translation. Send your comments to: cubacommission@state.gov."

Posted by Edward, 12 March 2004, 13:13 (1:13 PM)

Thursday, 11 March 2004

CAPPS-II hearing rescheduled

The USA House Aviation Subcommittee hearing on the CAPPS-II airline passenger profiling and surveillance system, originally scheduled for today, has been rescheduled to next Wednesday, 17 March 2004, starting at 10 a.m. Washington time (GMT-5), in room 2167 of the Rayburn House Office Building.

So far as I know, the witness list and deadline for written testimony are unchanged.

Posted by Edward, 11 March 2004, 06:31 (6:31 AM)

Wednesday, 10 March 2004

European Parliament reaffirms rejection of USA demands for airline reservations

In response to a report and recommendations on the implementation of the 1995 European Union Data Protection Directive, the European Parliament has overwhelmingly reiterated its finding on airline reservation data that:

National and European laws on the transfer of personal data to third countries have been flagrantly breached by the transfer of transatlantic passengers' personal data to the US law-enforcement authorities, and ... the attitude of the [European] Commission, the Member States and some privacy protection authorities - particularly those which under national law have the power to block data transfers - has been basically to connive at this violation of the law and of the principle of legality....

As stated in ... the opinions of the Article 29 Working Party [of European Union national data protection authorities] and the report of the EU network of experts on human rights, EU data protection standards are seriously infringed when personal data are, without informing and obtaining the consent of the data subject, transferred or accessed directly and systematically by a third state party or law-enforcement authority, notably when data are collected for another purpose and without judicial authorisation, as in the case of US authorities accessing transatlantic passenger data collected in the EU by airline companies and electronic reservation systems;

The draft resolution was adopted unanimously by the EP Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE), and was reported by Statewatch to have been approved by a vote of 439 to 39, with 28 abstentions, by the full European Parliament at its plenary session on 9 March 2004.

The Committee on Legal Affairs and the External Market, whose recommendations were also solicited by Parliament and included in the report, also unanimously agreed that it "Reiterates the call made by the European Parliament in its resolution on the transmission of personal data by airlines in the case of transatlantic flights and expresses its wish to see that call implemented."

And the "Explanatory Statement" by Member of the European Parliament and the LIBE Committee and rapporteur Marco Cappato (whose complaint against USA-based airlines for illegally giving his reservations for flights between Brussels and Washington to the USA Department of Homeland Security, and possibly other unknown entities in the USA, has been upheld by the Belgian privacy law enforcement agency), noted that:

Commissioner Bolkestein stated at the joint meeting of the Committee on Legal Affairs and the Internal Market and the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs which took place on 1 December 2003 that the accessing by US authorities of personal data on passengers on Transatlantic flights was 'illegal'. Stefano Rodotà, the Italian privacy guarantor and chairman of the Article 29 Group asserted at the same meeting that some national guarantors could have brought injunctions against the airline companies to suspend the transfer of data, but decided not to do so. Your rapporteur is greatly alarmed at the fact that when faced with a clear breach of European and national law and of the fundamental right to privacy, those institutionally responsible for ensuring observance of those laws and rights failed to do this and in essence became instrumental in violations of the law.... In view of the sensitivity of the information exchanged, the minimum rule that must be established is the application of a democratic clause prohibiting the transfer of data to states that do not respect basic human rights and freedoms, democracy, [and] the rule of law.

As Statewatch pointed out in reporting the EP vote on this resolution, "At the end of this month the European Parliament will be asked to vote again on the question of whether or not the USA offers 'adequate' protection of data for EU citizens flying there." The USA has promised explicitly to honor such a vote, at least with respect to testing and use, with reservation archives and databases that include data from the EU, of the CAPPS-II airline passenger profiling and monitoring system.

Further consideration in the LIBE Committee of the specific issue of PNR data transfers to the USA is now scheduled for Wednesday, 17 March 2004, in Brussels. The schedule of future EP votes will be determined by when the European Commission finalizes its proposed agreement with the USA on uses of reservation data.

But the overwhelming vote on this week's resolution underscores the clear consensus in the European Parliament against the use of EU airline data in such surveillance schemes -- notwithstanding the clearly illegal "deal" which another branch of the EU, the European Commission, had its arm twisted by the USA to approve.

If the USA really intends to keep its promise to get EP approval before testing or deploying CAPPS-II, this week's EP vote makes plainer than ever that the first step needs to be adoption in the USA of a Federal privacy law for travel records that meets EU (and Canadian and other countries') standards of "adequacy" in accord with international norms.

Posted by Edward, 10 March 2004, 22:58 (10:58 PM)

Sunday, 7 March 2004

Witnesses selected for House hearing on CAPPS-II

The USA House Aviation Subcommittee has chosen the following witnesses to testify at this Thursday's first Congressional hearing on the CAPPS-II airline passengers profiling and monitoring system:

  1. Tom Blank, Transportation Security Administration
  2. Norm Rabkin, General Accounting Office
  3. Jim May, Air Transport Association
  4. Kevin Mitchell, Business Travel Coalition
  5. Paul Rosenzweig, Heritage Foundation
  6. David Sobel, Electronic Privacy Information Center

Written testimony for the record of the hearing will be accepted until 25 March 2004, and can be submitted by e-mail to Ms. Sharon Barkeloo of the Subcommittee staff, phone +1-202-226-4491.

Testimony should be addressed to:

Representative John Mica, Chairperson
Subcommittee on Aviation
Committee on Transportation & Infrastructure
House of Representatives
2251 Rayburn House Office Building
Washington, DC 20515
USA

Posted by Edward, 7 March 2004, 07:05 (7:05 AM)

Wednesday, 3 March 2004

Proposal in the European Parliament to reject transfer of PNR's to the USA

The European Parliament would "Call... upon the [European] Commission to withdraw the draft decision" on the adequacy of protection provided for personal data contained in airline reservations Passenger Name Records (PNR's) transferred to the USA from the European Union, according to a resolution to be taken up by a European Parliament committee next week.

The resolution proposed by Member of the European Parliament (MEP) and rapporteur Johanna Boogerd-Quaak is on the agenda for the meeting in Strasbourg next Tuesday, 9 March 2004, of the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE).

Previous resolutions on this topic, strongly critical of the European Commission for its acquiescence to demands by the USA for access to PNR's in contravention of fundamental EU law, have been overwhelmingly approved by the European Parliament, with strengthening amendments adopted in committee and on the floor. As the latest draft resolution details, the Commission has ignored the desires of the Parliament, as clearly expressed in previous resolutions, and the latest resolution seems likely to be approved as well.

USA Undersecretary of Homeland Security for Border and Transportation Security Asa Hutchinson conceded last month that, "any agreement that is reached has to be approved by the European Parliament." And in the same interview, Hutchinson also conceded that (as I pointed out more than a year ago in my comments on the first CAPPS-II Privacy Act notice, but as the DHS had been ignoring), it's impossible to identify where the data in any particular PNR was collected, or to separate "European Union" from "USA" or any other country's data: "Whenever we get data from domestic airlines many times we'll have a European link to the itinerary and so you cannot even test domestic flights without some data from European passengers being involved."

So the USA is publicly committed not to begin any testing of CAPPS-II unless and until the inclusion in the test sample of data collected in the EU has been approved by the European Parliament. If, as it is now considering doing, Parliament sends the European Commission's draft deal with the USA on CAPPS-II testing back to the drawing board, any eventual Parliamentary approval will certainly take months -- if it is ever forthcoming at all. And, in the meantime, CAPPS-II or no CAPPS-II, the USA may have to suspend its other ongoing uses of PNR data, if it is truly to keep Hutchinson's promise.

But that's not the end of the obstacles to CAPPS-II and other USA uses of PNR data. In the words of the proposed European Parliament resolution, "in the USA the protection of privacy... is not regarded as a fundamental right... , nor is there any right of legal redress should the measures restricting the freedom to travel be abused." And it's no more possible to eliminate data from any other country from PNR's, even those of USA-based airlines, than to eliminate data from the EU from those PNR's.

That leaves the USA with only 2 choices if it wants to use PNR data for "Homeland Security" or other government or commercial purposes without the consent of the data subjects: either (1) adopt a data privacy law applicable to PNR's, and commensurate with international norms (something the Bush Administration and the DHS have adamantly refused to consider, although Congress may soon take such an initiative on its own), or (2) obtain the permission of every other country with whose laws CAPPS-II and/or other USA uses of PNR data conflict, and where data included in PNR's of USA airlines might have been collected, before beginning any use of any of that PNR data. In effect, the lack of any reliable geographic indicator in PNR's of where the data they contain was collected means that any country where data was collected which is included in the global PNR pool has power of veto over how that pool of data is used.

Somewhat amazingly, the General Accounting Office reported that the DHS claimed to have used only 32 PNR's, which they created themselves, as the entire basis for their assumptions about the contents of PNR's. But it's clear that CAPPS-II won't get much further, if at all, without renewed access to real PNR data.

At a minimum, the DHS seems to have conceded that permission from both the EU and Canada is a prerequisite to any start (resumption, actually, although the DHS has repeatedly, and falsely, denied that real PNR's were used in previous CAPPS-II tests) of CAPPS-II testing with real PNR's.

But it's not hyperbole to describe EU and Canadian data privacy laws as exemplifying emerging global norms of privacy as a human right. Many other countries have similar laws, including for example several Latin American countries with large volumes of passenger air traffic to and from the USA that have based their data protection laws almost verbatim on those of Spain, and thus the EU. The only question is how many of these and other countries will assert their right to be consulted before their citizens' privacy rights are violated by nonconsensual USA government access to passenger reservation records.

"Is it fair to say that you really don't know when you will be able to begin testing the [CAPPS-II] system?", DHS undersecretary Hutchinson was asked last month. "That is a fair statement," Hutchinson replied. But Hutchinson also said, "That timeline for testing probably will not be in a spring timeframe," i.e. not until summer 2004 at the earliest. Presumably that would be only if no countries other than Canada and the EU object to inclusion of data from their countries in the tests, and if negotiations with Canada and the EU are concluded as quickly as possible.

If agreements can't be reached with Canada and/or the EU, Canadian and/or EU legislators don't approve the changes to their laws required by the agreements, or other countries object as well, it could easily take much longer -- if ever -- before the USA has the necessary permissions to start the CAPPS-II juggernaut moving again.

Question: Do you think you'll be able to start it by the end of the year?

Undersecretary Hutchinson: Absolutely, I certainly hope that is the case.

Question: You mean ... start what, testing?

Undersecretary Hutchinson: Testing, I take the question as testing.

Aside from its direct effect on CAPPS-II testing, the European Parliament draft resolution's detailed critique of the deal proposed to Parliament by the European Commission is noteworthy for bringing into the official debate several significant points that the USA authorities have until now avoided.

First, the draft resolution specifically notes that (as, once again, I pointed out a year ago in my comments), PNR's contain personal information on several other significant categories of "data subjects", not just airline passengers: "data enabling both the passenger and the persons accompanying him to be identified, together with the person who requested the reservation on the passenger's behalf, the agency or the employee who made the reservation and/or issued the ticket, and so on."

The failure of the DHS to disclose or deal with the implications of CAPPS-II for the privacy of airline and travel agency staff and other people besides passengers is perhaps the most glaring deficiency in the DHS's Privacy Act "Notice" for CAPPS-II -- certainly one of the deficiencies most likely to lead to legal challenge, under the Privacy Act, to any attempt to implement CAPPS-II until the effect on other categories of data subjects is disclosed, and provision made for their rights.

Second, the draft resolution reminds the European Commission that:

On 9 October 2003, Parliament formally requested the Commission to check that Regulation (EC) No 2289/99 was being correctly implemented.... The Commission has not so far notified Parliament of the results of its inquiries.

As I've reported previously, the PNR data being accessed by USA government agencies already far exceeds that authorized by the proposed deal, as would be shown by a sufficiently independent, thorough, and technically competent audit. Pressure from Parliament for reporting by the Commission on compliance with existing data transfer rules and agreements makes it increasingly likely that this scandal will be brought into the light sooner rather than later.

Third, the draft resolution suggests two independent modes of enforcement if the Commission fails to heed the "call" of Parliament.

The draft resolution "calls upon... the Member States to require ... airlines and travel agencies to obtain passengers' consent for the transfer of data; such consent must be given freely and passengers must be informed of the options open to them for influencing the content of their PNR, of the implications of failing to give consent and of the fact that an adequate level of protection does not exist in the USA."

This would require a major change in business practices: I know of no major Internet travel agency, regardless of their purported privacy promises, that actually discloses which customer data is entered in a PNR, and which kept in a separate database, or at what point in the booking and purchasing process that irrevocable entry of certain data into a PNR is made.

In effect, this call in the draft resolution implicitly invokes the continued enforcement authority of national data protection authorities in EU member states -- who have unanimously opposed the European Commission proposal -- regardless of the action or inaction of the European Commission.

The draft Parliamentary resolution also explicitly "Reserves the right to consult the Court of Justice with a view to ascertaining whether or not an international agreement which does not provide adequate guarantees regarding the protection of a fundamental right is soundly based;" and "reserves the right to appeal to the Court of Justice should such a decision be adopted." That's not a Constitutional crisis, but it's more or less the equivalent of Congress considering a resolution threatening to bring an action in the Supreme Court against the President.

Posted by Edward, 3 March 2004, 20:04 (8:04 PM)