Sunday, 10 December 2017

"No airline adheres to the Privacy Shield"

The U.S. Department of Transportation has consistently failed to protect consumers against deceptive advertising and opaque pricing by airlines that frustrates comparison shopping, while blocking any enforcement against airline of any rules promulgated by other Federal agencies or of the state and local truth-in-advertising and other consumer protection laws that apply to other businesses.

As I discussed in an article here last week in response to the latest outrage, I've been complaining about this for years.

DOT's dereliction of its duty to protect consumers extends to privacy protection as well, an issue highlighted by a report and staff working document released last week by the working party of data protection authorities of the European Union and EU members.

Airlines' privacy obligations under U.S. Federal law are limited: Under U.S. law, airlines can legally violate consumers' privacy, as long as they don't lie about what they do. But DOT has made no attempt whether airlines are truthfully disclosing their privacy practices, and has brushed off complaints that airlines violated their own privacy policies and lied about their practices.

Whether most other U.S. businesses comply with their professed privacy policies is subject to the jurisdiction of the Federal Trade Commissionn. But the DOT has zealously defended the exclusivity of its jurisdiction over airlines against any regulation of airline practices, with respect to privacy or anything else, by the FTC, any other Federal agency, or state or local consumer protection or law enforcement authorities.

I've complained about this in testimony to both the FTC and the DOT, as have other consumer advocates and state Attorneys General (2000 letter, 2006 letter).

Laws in Canada, the European Union, and some other countries restrict transfers of personal information from those countries to countries where personal data isn't adequately protected by law. Without adequate privacy protections and enforcement mechanisms in the U.S., it wouldn't be legal for businesses in those countries to transfer data to the U.S. about customers, travellers, or other individuals.

Because DOT and only DOT has jurisdiction over airlines, the U.S. government has had to pay lip service to DOT's commitment to policing airlines' compliance with their privacy policies when the U.S. has tried to persuade other countries that the U.S. provide adequate legal protection for personal information.

A bogus claim by the DOT that it would take action against any airline that lied about its privacy practices was an essential element in the so-called "Safe Harbor" framework negotiated to provide a legal fig leaf for businesses transferring personal data from the EU to the US.

After the highest EU court determined (unsurprisingly) that the Safe Harbor framework failed to satisfy the adequacy requirements of EU law, a similar and equally bogus claim by the DOT about its commitment to enforcement of airline compliance with published privacy policies was an element of the Privacy Shield (Safe Harbor 2.0) negotiated to provide businesses with a renewed legal fig leaf for transfers of personal data from the EU to the U.S.

So how many airlines claim that they comply with the Privacy Shield? To date, none.

And what has DOT done about this? To date, nothing.

We know this not from DOT but from documents released by European participants in the first annual joint US-EU review of compliance with the Privacy Shield.

According to the report by the Article 29 Working Party on the US-EU meetings:

The DoT made a presentation of its jurisdiction (over airline agencies and ticket agencies on the basis of the Unfair and deceptive practices Act) and of its activities. It has the authority to enforce civil penalties (up to 22 100 dollars for each violation).

No airline company currently adheres to the Privacy Shield, and initially 27 entities identified DoT as regulator (some by mistake). In total, 13 Privacy Shield companies are registered under the DoT's jurisdiction . For 10 of them, DoT's jurisdiction has been validated, while the jurisdiction issue of the other 3 is being examined. All of these 3 companies nevertheless appear on the Privacy Shield list.

Questioned on this, the DoT, the DoC and the FTC indicated that the allocation of jurisdiction between the DoT and the FTC did not stop the self-certification process as the DoT and the FTC have concurrent jurisdiction.

It would be a good thing if the FTC had such concurrent jurisdiction over airline practices with respect to privacy and other consumer issues. But the DOT has consistently claimed that its jurisdiction over airlines is exclusive, and it has used that claim of exclusive jurisdiction to discourage or prevent the FTC from getting involved in any investigation or enforcement of violations of privacy policies by airlines.

In litigation, DOT has argued ever since the Airline Deregulation Act of 1978 that has exclusive jurisdiction over airlines. And that's still the claim made on the US government's official Privacy Shield Web site, as noted in the staff working document prepared for the Article 29 Working Party in preparation for its report on the Privacy Shield review:

A company may only certify if it is subject to the investigatory and enforcement powers of the FTC or the DoT. The FTC and DoT's respective jurisdictions are described on the Privacy Shield website as follows: "...The DOT has exclusive jurisdiction over U.S. and foreign air carriers...."

No airline company had certified under the Privacy Shield at the time of the Annual Joint Review.

Like its predecessor "Safe Harbor", the "Privacy Shield" is a sham. Its name is Newspeak.

Europeans and Americans alike need to recognize that the DOT does not adequately protect air travellers' privacy. Airlines will stop making false claims about respect for their passengers' privacy only when European, Canadian, and/or other non-U.S. privacy and data protection authorities impose sufficiently severe financial penalties on airlines and computerized reservation systems to motivate them to change their typically undisclosed and systematically insecure and privacy-invasive practices.

[Correction: The article above has been corrected to remove an erroneous statement in the original version that the FTC is part of the Department of Commerce. The FTC is a quasi-independent regulatory agency, not part of the Department of Commerce.]

Link | Posted by Edward, 10 December 2017, 17:01 ( 5:01 PM) | Comments (0) | TrackBack (0)

Friday, 8 December 2017

U.S. Dept. of Transportation ends review of airline truth-in-advertising rules

Yesterday the U.S. Department of Transportation (DOT or USDOT) announced that it has terminated two ongoing "rulemaking" proceedings related to disclosure and transparency of airline fees, and withdrawn its proposal for rules which would have required airlines "to disclose baggage fee information to consumers when fare and schedule information is provided".

As my friend Charlie Leocha of Travelers United notes in his apt denunciation of DOT's abdication of any effort to protect consumers against bait-and-switch airline price advertising:

This withdrawn rulemaking was created to allow airline consumers to determine the full cost of travel, including airfare as well as ancillary fees together with their exceptions and exemptions. Without clear, public data available to travel agents and on the Internet, travelers find it impossible to effectively comparison shop. By withholding this information from normal airline ticket sales channels, the airlines are misleading consumers about the true cost of travel.

This rulemaking has been in play for half-a-decade with thousands of pages of testimony and comments from consumers and all travel stakeholders. The claim that this rulemaking is "of limited public benefit" is simply not true.

It's not as though DOT has been aggressively protecting consumers. DOT has been dragging its feet, studying and collecting comments on whether additional rules were necessary to protect airline consumers against deceptive advertising since 2011 without finalizing the necessary regulations. But now DOT has officially abandoned any consideration of such rules.

In theory, the existing DOT regulations regarding truth in airline advertising and fare transparency, as well as Federal laws giving the DOT exclusive responsibility for policing deceptive airline practices, remain on the books. But DOT's withdrawal of its proposed rules on ancillary fee disclosure is a signal that DOT's already grossly inadequate enforcement of existing laws protecting airline ticket purchasers will become even more lax. Caveat emptor.

As I've noted in another context, President Trump campaigned on a platform of rolling back Federal regulations, including rules to protect consumers. Trump is the former owner of a (failed and bankrupt) airline, and he appointed Carl Icahn, his fellow billionaire and the former owner of another bankrupt airline, as his special advisor on repeal of "excessive regulation". Icahn resigned less than a year later in the face of allegations of conflict of interest for which he is now under investigation by Federal prosecutors. It should come as no surprise to anyone that Trump's program for deregulation, as planned in consultation with Icahn, includes putting an end to any effort to protect consumers against deceptive practices by airline owners such as Trump and Icahn.

DOT's determination not to address this issue through administrative rulemaking is, as Travelers United notes, a clear indication of the need for Congressional action:

It is time for Congress to get involved. If DOT, tasked with protecting the American public from misleading and deceptive practices, will not act, Congress must....

If DOT will not act, the current system must be abandoned and airline consumers should be provided the same rights of all other consumers -- the right to petition their local courts for justice.

That would require repealing Federal preemption of state and local consumer protection and truth-in-advertising laws as applied to airlines and airline ticket agencies. I've been talking about this in print for almost 20 years; it was at the top of my Federal airline consumer protection agenda eight years ago, as the Obama administration was setting its course; and it remains so today as the Trump administration is putting into effect its thoroughgoing opposition to consumer protection with respect to airlines or other businesses.

Link | Posted by Edward, 8 December 2017, 15:07 ( 3:07 PM) | Comments (0) | TrackBack (0)

Monday, 27 November 2017

New look for PapersPlease.org

Over the Thanksgiving weekend, The Identity Project deployed the first redesign of its Web site in more than a decade.

I hope that the new look and formatting will be easier on the eyes and easier to read on a variety of devices, including those with small screens.

For the last ten years, more of my writing has appeared on PapersPlease.org than anywhere else.

If you've been interested in this work and/or my writing, but put off by hard-to-read colors, fonts, and layout, please give it a fresh look and let your friends know about it.

Link | Posted by Edward, 27 November 2017, 08:56 ( 8:56 AM) | Comments (0) | TrackBack (0)

Tuesday, 14 November 2017

Is Silicon Valley building the infrastructure for a police state? Yes, it is.

I was interviewed by Reason.TV for their latest report, Is Silicon Valley Building the Infrastructure for a Police State? New AI tools could empower the government to violate our civil liberties.

If you have ten minutes to watch the video, it's a good introduction to some of the issues I've been working on for the Identity Project including Palantir, pre-crime policing, automated decision-making and control ("extreme vetting"), and the homeland-security industrial complex.

Link | Posted by Edward, 14 November 2017, 15:12 ( 3:12 PM) | Comments (0) | TrackBack (0)

Tuesday, 3 October 2017

U.S. government monitoring of social media

Yes, the U.S. government is monitoring you on social media if you live in or travel to the USA.

Here are some of my answers to frequently asked questions and other recent articles and interviews about this:

I was also interviewed about this for the public radio show The World (BBC/PRI/WGBH). I'll add a link when the segment is broadcast.

Update: The new DHS plan to gather social media information has privacy advocates up in arms (by Shirin Jafaari, PRI's The World, 12 October 2017):

According to Edward Hasbrouck, DHS has been collecting social media data since the Obama administration -- for at least five years. Hasbrouck works for The Identity Project, a civil liberties and human rights project focused on travel-related issues and freedom of movement.

He explains that under the Privacy Act of 1974, DHS should have gotten approval from the Office of Management and Budget before it started tracking social media information.

"This has been going on for at least five years without their complying with even those minimal notices that are supposed to give the public awareness of what's going on," he says. So now, he adds, the DHS has published this notice in order to legitimize what it has been doing....

Meanwhile, advocates like Hasbrouck also worry about the sheer amount of the data that gets collected and how it gets processed. "There's no way they have enough warm bodies to read this stuff," he says. "It's only going to be grist for the mill of robotic profiling."

Listen or download the podcast for more of this story.

Link | Posted by Edward, 3 October 2017, 10:28 (10:28 AM) | Comments (1) | TrackBack (0)

Thursday, 14 September 2017

Digital devices for world travellers

Gemni PDA prototype

[Some of the mini-laptops and handheld computers I've used in my travels around the world since 1995. Back row, left to right: Gateway 2000 Handbook 486, Asus Eee PC 901, Panasonic Let's Note CF-R7. Front row, left to right: Psion netBook / Psion Series 7, Psion 5mx, Psion Revo Plus / Diamond Mako.]

Among the most frequently-asked questions at my travel talks is, "What type of laptop computer, tablet, smartphone, or other digital device do you recommend that I bring with me on a trip around the world?"

The answer begins, of course, with, "The smallest, lightest, and most rugged device that will meet your needs." But what device that is depends on your needs.

Some people get by with a smartphone. But what if you need or want to write documents or blog posts or lengthy messages or do work that requires a keyboard, but you don't want to carry a "full-sized" (and fragile) laptop computer?

You can carry a tablet, a separate (folding) keyboard, and some sort of case or stand to hold them both in the right position. But that tends to be awkward to use, and the whole kit typically weighs as much as a miniature laptop, "subnotebook", or "palmtop" computer with a built-in keyboard.

Do miniature devices with "real" built-in keyboards really exist? Yes. Since 1995, when I first got a computer small enough to bring with me when I travel, I've had a succession of devices (as shown in the photo above) that are substantially smaller, lighter, and more rugged than any typical laptop. On any of these except the smallest (the Psion 5mx and Psion Revo at lower right), I could comfortably write and edit long documents. I wrote and edited most of my first book on the Gateway 2000 Handbook 486 at the top left, which is the next smallest of these devices.

The problem isn't that devices like this don't exist, but that (with the exception of the brief popularity from 2007-2010 of the Eee PC and competing "netbooks" -- none of which came close to the build quality or performance of the Psion netBook from a decade earlier) relatively few people have been willing to pay the price of miniaturization or of higher quality construction for smaller and lighter devices that can stand up to travel.

Most travellers in the USA go by car, not by plane, and have plenty of room in their vehicle for a full-sized laptop if they need it on the road. As a result, keyboard devices smaller and more expensive than a "standard" laptop have been niche products in the USA and many other parts of the world -- except in Japan and to a much lesser extent in Europe, where more business people travel by train and by mass transit. Few models or even product lines of smaller devices with keyboards -- again, except for some that are distributed only in Japan -- have been widely available or remained in production for very long.

"Tiny" in the USA connotes "toy-like", and people expect toys to be (a) cheap and (b) not suitable for doing real work.

Not so in Japan, where "tiny" connotes "finely crafted" and "precious". A Panasonic Let's Note is marketed in Japan (and not marketed at all in any other country) as a premium-priced jewel of a computer, not a cheap toy. The smallest current model, the Let's Note CF-RZ6a, is smaller than the first (and smallest) Eee PC in the photo above, but as powerful and full-featured as many "full-sized" contemporary laptops. Like the Psion netBook of 20 years ago, but unlike most other laptops or digital devices, it's designed and tested to withstand shock and vibration including being dropped onto a hard floor from the height of a desk -- a routine travel event that will crack the screen and often the case of most other laptops. I've dropped my Psion netBook off a podium onto a hard floor without it being damaged, and I've carried my Let's Note in a bicycle pannier for months at a time and over hundreds of miles of bone-shaking gravel and paving-stone surfaces. The Let's Note CF-RZ6a is the the best netbook-sized device for world travel currently in production -- if, and only if, price is no object.

Lack of distribution and availability in brick-and-mortar stores is especially problematic for a category of device that most people not only don't know exists but can't evaluate (or assume won't be worth the price) until they can try it. Most people won't pay more for a smaller computer that they assume must be less powerful or that has a keyboard they assume will be too small to really be useful.

I had to buy each of the devices in the photo above, except the Asus Eee PC, by mail or online without being able to inspect or try them. Few people will do that. I plan to look at a Let's Note RZ6a, to replace my 10-year-old Let's Note RZ-7 whose batteries no longer hold a charge, when I'm in Tokyo in November. But I'm not going to spend more than US$2,000 to order one from Japan without a hands-on inspection of the size, shape, weight, build quality, and functioning of the keyboard, touchscreen, and other components.

Can you really type, even touch type, on a device that's smaller than a standard laptop? Maybe, depending on your own typing style, the size and shape of your hands, and the design and build of the keyboard. A keyboard is not a commodity. Personal tastes for key spacing, layout, and feel vary so much that reviews are of limited use. You can't tell if a keyboard will work for you until you try it, hands on.

Last night, for example, I got my hands on a prototype of one of the most promising of the current crop of new digital devices that might enable me to leave even my mini-laptop behind some of the time when I travel, and still get writing and other work done on the road. But because the keyboard (although functional) was one of the components of the prototype that wasn't yet in its final form for mass production, I can't really judge the keyboard until I receive one of the production models.

Gemini PDA prototype

[Prototype of the Gemini Android/Linux clamshell PDA with keyboard and touchscreen. The lighting was poor; there are better photos of the Gemini PDA here in the only earlier hands-on review of the prototypes.]

I prefer to buy "mature" hardware and software that has been tested and debugged in extended real-world use. It's typically cheaper (especially second-hand), more reliable, and better value than anything on the cutting edge. But mass-produced time-proven hardware isn't an option if you want a digital device you can travel with that has a keyboard but that's smaller than a netbook with a 10" diagonal display. No smaller "palmtop" or "subnotebook" sized digital device with a keyboard has been mass-produced in several years.

The only current prospects for such a device are from crowd-funded start-up projects. In March 2017, I contributed to the crowd-funding campaign for the Gemini PDA with an estimated delivery date in November 2017. I was willing to risk my money on this particular project because it was deliberately trying to replicate the most successful elements of the Psion design (but with updated digital components and connectivity), and because the keyboard and case of the Gemini PDA were being designed by Martin Riddiford, the same person who did such a superb job on the design of the Psion netBook, 5mx, and Revo.

As I wrote some years ago, "IMHO (in my humble opinion), the Psion line of 'palmtop' computers running Psion's EPOC version 5 operating system (ER5) are the best portable computers for travellers ever made. Although I no longer use my Psions on a daily basis, neither the hardware nor the software have been matched, much less surpassed, by any competitor or successor. They have both hardware and software features that wouldn't be matched for years, and in some cases has yet to be matched, by later generations of netbooks, tablets, and smartphones."

The Gemini PDA prototype photographed for the Indiegogo crowd-funding campaign was actually built around an actual Psion 5mx keyboard. It's the odd case of a "start-up" with a proven design I already know I like.

Continue reading "Digital devices for world travellers"
Link | Posted by Edward, 14 September 2017, 18:53 ( 6:53 PM) | Comments (14) | TrackBack (0)

Tuesday, 29 August 2017

What would happen if a robot got hit by a train?

A couple of weeks ago, while waiting for a commuter train back to San Francisco from Redwood City, I had an unexpected and disturbing encounter with one of the "self-driving" motorized delivery robots that are currently being tested in Redwood City.

The robot -- a knee-high wheeled box about the size of a hassock fan or footstool -- was working its way along the edge of the platform, beyond the yellow line marking the danger zone, where it could have been struck by or sucked into a passing train and turned into 50 pounds of flying shrapnel. Some "Baby Bullet" express trains on that track go past the platform in Redwood City at 60 mph without stopping.

I was surprised to see one of these robots on the Caltrain platform at all, much less to see it trying to use the platform as a through passageway, and even more surprised to see it drive right up to the edge of the platform before it jerked to a stop and turned to continue along the platform toward me.

I yelled at the robot, hoping that a human operator might be monitoring it, but the only response from the robot was a repeated recorded message, "Let me go! I'm working! I'm going to be late!" -- as if the platform was a right-of-way, and humans were expected to yield to robots.

I saw no marking on the robot, but another passenger on the train had encountered a similar robot accompanied by a human minder earlier in the day. They passed on the card they'd gotten from the robot handler with the name of the company that operates the robots, "Starship Technologies".

The e-mail address on the business card didn't work, and there's no phone number on the company's Web site. I got in touch with a spokesperson for Starship Tech only after they responded to my Tweet about the incident. But almost three weeks later, and after multiple exchanges with staff of Starship Tech, Caltrain, and the government of Redwood City, I still haven't gotten any coherent explanation of what happened or why.

Last night, all else having failed, I took the Caltrain to Redwood City again to bring the issue before the city council. I hadn't planned on writing about this yet, but since I've heard that some of my comments from the webcast of the city council meeting are circulating and being discussed elsewhere online, I'm posting them here in full.

My name is Edward Hasbrouck, and I came down from San Francisco today to alert you to a serious safety issue involving the delivery robots that are operating here in Redwood City.

On August 9th, I was on the Redwood City Caltrain platform when I saw a delivery robot on the platform, out at the edge beyond the yellow line marking the danger zone. The robot went almost to the drop-off before it turned back, and then it tried to push along the platform through the crowd of people waiting for the oncoming train, playing a loud recorded demand that we move aside to let it pass.

There was no visible marking on the robot. There's no phone number on the Web site of the company, Starship Tech. Supposedly there's a 2 × 3" label on each robot with a phone number. But that's too small to read from any distance, and that phone number goes to voicemail, so it doesn't provide any way to communicate with the human operator or report problems in real time.

Caltrain told me they don't believe that the city permit authorizes use of the Caltrain platform by these robots. But a spokesperson for Starship Tech told me that the company intends to continue using the Caltrain platform as a robot thoroughfare at all times except 4 to 6 p.m.

One of the first things we teach small children before we let them out on the street is to stay away from train tracks. Similarly, keeping robots away from moving trains should have been a priority for robot programmers and operators.

This incident should be a wake-up call that the city needs policies and procedures to deal with the inevitable cases when robots get into places where they aren't allowed, aren't wanted, fail to yield to pedestrians, or cause a nuisance, tripping hazard, or even a greater danger.

Redwood City took the lead on this issue, and you are setting a precedent not just for this technology, but also for the regulatory framework in which it operates. You need to get this right, not just for your own sake but also for the sake of other cities following your lead. But because there wasn't yet any experience with these robots, some of the problems may not yet have been apparent.

Other cities and states that have more recently adopted rules for delivery robots have almost all included requirements that aren't part of the Redwood City pilot. These include an adequately sized label with an ID number and contact information on each robot, prompt responses to public inquiries, and reporting of safety incidents to the authorities.

People who see robots where they shouldn't be, or doing things they shouldn't do, need to be able to identify the robot, communicate the
problem quickly to the robot operator, and have their complaints reported to the city so it can learn from experience.

I request that the City Manager revoke the delivery robot permit until the permit conditions can be revised to deal with incidents such as this. If the City Manager does not do so, I request that you place on the agenda for your next meeting a resolution to suspend the pilot program and direct that the permit be rescinded pending revision of the rules for operation of these robots.

I could have gone into more detail if I hadn't been limited to three minutes. But I've already heard from the Mayor and one of the other members of the City Council today, promising that city staff will be looking into this matter further.

If you see a robot on any of the Caltrain platforms, please report it immediately to Caltrain staff, with a photo if possible. If you send me a copy of your report and/or photos, I'll also do what I can to get them to the relevant Caltrain and city staff.

Link | Posted by Edward, 29 August 2017, 12:39 (12:39 PM) | Comments (12) | TrackBack (0)

Tuesday, 9 May 2017

European Commission to investigate airline reservation (in)security

Fifteen years after I published my first critique of the extreme insecurity of airline reservations stored by computerized reservations systems (CRSs) and made available without passwords or access logs on public Web sites, and four months after the continued existence 15 years later of those same vulnerabilities was publicly demonstrated by hackers inspired in part by reading an interview with me on a German IT news site, I've finally found the right unit of the European Commission to investigate my complaint that these CRS practices violate the privacy and data protection provisions of the European Union's Code of Conduct for CRSs.

In the U.S., there is no general Federal privacy law requiring businesses to protect personal data about their customers or other individuals. But there are general requirements for this in the European Union(and many other jurisdictions including in Canada), as well as specific requirements for the protection of travellers' personal data in the EU Code of Conduct for CRSs.

The European Commission has the authority to enforce the Code of Conduct for CRSs, and the responsibility to investigate complaints of violations. But I have never been able to find any public indication of how or to whom to submit such a complaint. Saying, "You can complain to the European Commission" is like saying, "You can complain to the U.S. government." Exactly how, and to whom, are you supposed to complain? Knock on the door of the White House or the nearest U.S. Embassy? Try that in the U.S., and you are likely to be arrested, if not shot, if you even manage to get within shouting distance of the door. The European Commission has published procedures for complaints against EU member states, but not for complaints against commercial entities such as the CRSs which are regulated directly by the Commission rather than, or in addition to, by the national governments of EU member states.

I'm not the only person to have asked this question.

In 2011, MEP Martin Ehrenhauser, an independent Member of the European Parliament, submitted a written question to the European Commission asking, "Has the Commission designated a point of contact or established procedures for handling complaints from individuals of violations of the Code of Conduct for CRSs? If so, how has the Commission made public this point of contact and the procedures for handling such complaints? If not, why not?". The eventual written response from the Commission ignored this part of the question entirely, and didn't mention the Code of Conduct for CRSs.

More recently, on 20 March 2017, MEPs from three different countries and political groups -- MEPs Jan Philipp Albrecht (Verts/ALE), Birgit Sippel (S&D), and Sophie in 't Veld (ALDE) -- submitted a new question to the Commission:

Article 11 of the Code of Conduct for Computerised Reservation Systems (Regulation (EC) No 80/2009 of 14 January 2009) requires that 'technical and organisational measures shall be taken ... to ensure that personal data are only accessible for the specific purpose for which they were collected.' The Commission has the power to investigate and enforce the code under Section 6 of the regulation.

Personal data in the passenger name records (PNR) hosted by Computerised Reservation Systems (CRS) are available through CRS-operated public websites, just by using a name and the short 'record locators' displayed on items such as boarding passes and baggage labels. Due to a lack of access logs, data subjects are unable to gather from CRSs, whether their PNR data have been disclosed and to whom. Security researchers demonstrated these and other vulnerable aspects of CRSs at the Chaos Communication Congress held on 27 December 2016.

1. Does the Commission believe that giving access to PNR data on the basis of a name and record locator, with no password nor access logging, is compliant with Article 11 of the Code of Conduct?

2. Does it intend to investigate these vulnerable aspects and possible violations of the code?

3. Has it established procedures for handling complaints from individuals about violations of the code?

If a written question such as this from an MEP is not answered by the Commission within six weeks, the MEP who submitted the question is entitled to place it on the agenda of the next meeting of the responsible committee of the European Parliament. More than seven weeks have passed, but there has been no answer from the Commission to this question.

Meanwhile, however, I made contact while I was in Brussels with Mr. Paul Nemitz, Director of the unit for Fundamental Rights and Union Citizenship of the European Commission Directorate-General for Justice and Consumers (DG JUST). Mr. Nemitz and I agreed that his unit was probably not the one responsible for investigating my compliant, but he generously offered to accept my complaint, find out what unit was supposed to be responsible for dealing with it, and forward it to them.

To my pleasure, Mr. Nemitz did as he said he would. I have now received a letter from the Haed of Unite (Acting) of the Directorate General for Mobility and Transport (DG MOVE), Directorate E.1, advising that "my unit is in charge at the European Commission of the implementation of the Code of Conduct and deals with any alleged infringements of the Code of Conduct. There is no specific form or procedures to be used for lodging a complaint for an alleged violation of the Code of Conduct."

I have not yet received any indication of how long the investigation of my complaint may take.

For those who may wish to submit their own complaints of violations of the Code of Conduct for CRSs, these can be directed to:

European Commission
Directorate General for Mobility and Transport (DG MOVE)
Unit E.1 - Aviation Policy
Rue J.-A. Demot, 24, 5/76
B - 1049 Brussels
BELGIUM

telephone +32-22991111
MOVE-INFOS@ec.europa.eu

Many thanks to former MEP Ehrenhauser; current MEPs Albrecht, Sippel, and in 't Veld; their assistants; and Mr Nemitz for helping to uncover this information and finally get my complaint accepted and (I hope) investigated.

Background on CRS/GDS insecurity:

Background on EU CRS regulations and enforcement:

Link | Posted by Edward, 9 May 2017, 13:07 ( 1:07 PM) | Comments (1) | TrackBack (0)

Thursday, 4 May 2017

The Amazing Race 29, Episode 6

Lake Como (Italy) - Venice (Italy)

The "streets" of the old city of Venice are mostly too narrow for cars or trucks. Transportation and deliveries are by water along the canals, or by foot and handcart. As one of their tasks in this episode of The Amazing Race 29, each pair of travellers had to maneuver a heavy cart through the pedestrian streets and up and down the steps of the bridges over the canals to deliver a load of suitcases to a hotel.

In real life, multiple workers' cooperatives have, for many years, provided porterage between the docks and Venice hotels for tourists who don't want to schlep their own luggage through the lanes and alleys, over bricks and cobblestones, and up and down steps.

The cast of The Amazing Race is often given tasks that the TV producers consider characteristic of local work. But this was a rare on-camera reminder that, as organizations like Tourism Concern and the hotel and restaurant workers' union UNITE HERE have long pointed out, some of the hardest jobs in places like Venice economically dominated by tourism are jobs in the "hospitality industry" itself.

One reason that the cast of The Amazing Race is able to keep up such a grueling pace of seemingly continuous travel around the world for the month or so each season takes to film is the work done by the employees of the luxury hotels and resorts where they are pampered and fed and get to rest between each leg of the race.

As a traveller, I am grateful to the workers (as well as the hosts who help visitors without remuneration) around the world who make my journeys possible, especially in parts of the world where the standards of tourist accommodations and services are far above those of most local residents, including the workers who serve tourists..

That's become less and less visible over the years of The Amazing Race. In the first seasons of the TV show, each episode began and ended with scenes of the racers relaxing at the "pit stop". In later seasons, footage of the "pit stops" disappeared from the broadcast episodes, and was moved first to "DVD extras" and then to bonus streaming segments on the CBS Web site.

Using a bland and comfortable hotel as a refuge from culture shock, poverty, noise, etc. can give you a chance to process your travel experiences and recover from temporary sensory overload. But it's a mixed blessing: it can keep you from ever fully immersing yourself or assimilating.

Regardless of where you stay, and how well rested you are, you shouldn't expect to enjoy travelling at the pace set by around-the-world racers -- or most guidebooks. I ignore most published estimates of how much time to allocate to particular destinations, or multiply them by a factor of at least two or three, even if they are written by people I know and whose expertise I respect.

Articles that purport to explain how many "been there, done that" notches you can cut in your travelling stick in 48 hours or a week or some other amount of time are especially misleading. Successful travel writers are, by professional necessity, experts at checking out as many sites and sights and inspecting and assessing as many hotels and restaurants as possible, as quickly as possible. A guidebook writer's trip is not a vacation, as my friend the consummate guidebook writer (and recently also novelist) Tom Brosnahan illustrates with the story of his honeymoon in the final chapter of his memoir, Turkey: Bright Sun, Strong Tea.

Link | Posted by Edward, 4 May 2017, 23:59 (11:59 PM) | Comments (0) | TrackBack (0)

Thursday, 27 April 2017

The Amazing Race 29, Episode 5

Dar es Salaam (Tanzania) - Alesund (Norway) - Oslo (Norway) - Milan (Italy) - Lake Como (Italy)

There's more than one way to travel -- or to accomplish almost any travel task.

That's one of the lessons of this season of The Amazing Race, in which each of the travellers met their partner only at the starting line of the race around the world.

To the extent we can judge from the edited version of "reality" on the TV show, this season's cast of racers hasn't fared much worse at travel teamwork or argued with their partners' much more than the pairs of racers in previous seasons, who auditioned for the cast as pairs and had months to prepare for the race. That suggests that while the racers in previous seasons may have "trained" for the race, they didn't focus as much as they should have on teamwork practice rather than just individual fitness. On the other hand, several of this season's racers seem to be making goodd use of their experience in the military and/or in emergency services, which often require collaboration and division of labor, under stress, with partners one didn't choose.

With experience, most travelling couples come to an informal and often unstated understanding about who is better at which travel tasks, or at least about who should lead when.

When you pair up with a stranger you meet on the road -- to share transportation or other services, for mutual support, for companionship, for protection, for a holiday romance, or for whatever other reason -- it takes time to figure out who should lead which steps in the travel dance. The result can be some hesitation and stumbling, as you both try to take charge or both wait to see if the other will do so.

It's also natural, if you haven't travelled with someone who does things differently, not to realize that there are other ways to do them than the ways that seem natural (to you), or to which you have become accustomed. That can lead to launching into Method A while your partner launches into Method B, without understanding why you are going in different directions. If you don't recognize that there is more than one possible approach, neither will you recognize the need to ask your partner, "How to you think we should deal with this problem? How should we start?"

We saw this when the racers had to follow a map on a scavenger hunt through the streets of Alesund, Norway.

Michael assumed that the way to orient himself with respect to the map was to consult his compass. I always carry a compass for this purpose, and Michael wasn't the only racer this season who brought a compass and was shown trying to use it.

Liz assumed that the way to orient herself with respect to the map was to observe the relative position and direction of landmarks sighted in the real world and shown on the map.

Both of these are valid orientation strategies, and each has its uses and limitations. A magnetic compass can't be relied on inside a metal-bodied vehicle or under overhead electrical lines such as those that power electric locomotives, streetcars/trams, or trolleybuses. A GPS compass won't work in the canyons between highrise building where it doesn't have a line of sight to the satellites. Orientation by landmarks isn't always feasible or reliable in a landscape of similar terrain and/or similar-looking buildings in all directions.

On the streets of Alesund, both techniques were workable, but neither Liz nor Michael seemed to recognize that there was more than one way to figure out which way to go to follow their map. Their different approaches were equally valid, but they wasted time arguing about which to rely on.

Michael and Liz rehashed the same argument later in this double-length episode when they were getting off a water taxi on Lake Como and trying to decide which path to follow along or inland from the lakeshore.

Have there been travel challenges that you assumed could only be dealt with in one way, but for which you discovered your travelling companion had a different but equally valid approach?

The water taxis we saw in this episode are themselves one of the characteristic sights and bucket-list fantasies of visitors to Lake Como: beautiful mahogany Italian-made Riva runabouts that reminded me of my automobile engineer uncle's prized Hacker, Riva's closest U.S.-built counterpart and principal international rival. Either a Riva or a Hacker Craft is the marine equivalent of Rolls-Royce touring car as a status symbol of speedy but also stately water transportation.

I've recent acquired one of my transportation fantasies, a gently-used Avatar 2000 recumbent bicycle that was being sold by someone who didn't really know what it was and charged much less than it might be worth. (Most people wouldn't want a recumbent, or vintage components, and it's not clear what, if anything, its "market" value would be today.) Like a Hacker, it embodies engineering elegance, style, and spare-no-expense detailing, components, and workmanship, including an extraordinary amount of custom leather-work and machining.

The "production" run of 200 or fewer hand-made Avatar 2000's over a decade wasn't intended to be profitable in itself, even with a US$2,000 (in 1981) price tag. The prototypes were intended as a proof-of-concept intended to sell some larger company on licensing the patents, which never happened. I test-rode a used Avatar 2000 in the 1980s when I was first looking for a recumbent. I coveted it, but couldn't justify what it would then have cost. I ended up with an Infinity instead, one of several much cheaper semi-mass-produced knock-offs of the Avatar 200 design. Functional and enjoyable, with all the general advantages of a long-wheelbase under-seat-steering recumbent bicycle, it was my main commuting and recreational bike for 20 years. But it was never going to be the same as an Avatar 2000. Now I've been able to acquire an Avatar 2000 for a fraction of what it would have cost when it was new.

What's your fantasy conveyance, and where on your travels might you find it?

Link | Posted by Edward, 27 April 2017, 23:59 (11:59 PM) | Comments (0) | TrackBack (0)