Thursday, 11 December 2003
DHS calls for proposals for US-VISIT visitor tracking system
As reported here , here , and here , the USA Department of Homeland Security (DHS) has published its request for proposals for the US-VISIT system database and tracking system for foreign visitors. The US-VISIT prime contract will cover the database itself, integration with other government and private information technology, equipment for digital fingerprinting and photography at international entry and exit points, and RFID sensors for remote reading of next-generation travel documents .
The RFP has already brought questions from the Senate and the House of Representatives as to whether a privacy impact assessment must first be completed. In response, DHS Chief Privacy Officer Ms. Nuala O'Connor Kelly says a privacy assessment isn't required because, so she reportedly claims, digital fingerprinting and photography of visitors don't involve any "new" technology or equipment purchases.
The RFP will no doubt come under especially close scrutiny in the European Union, as part of the ongoing debate on DHS access to EU-originating reservation data.
Today European Parliament Member and rapporteur on privacy Marco Cappato issued a statement pointing out the expiration of the deadline set by Parliament for the European Commission to bring about compliance with EU privacy law by airlines and computerized reservation systems (CRS's), and holding the European Commission legally responsible for this ongoing "violation of the fundamental right to privacy ... as implemented by EU law, and of the principle of democracy and of the rule of law in the EU."
Parliament had previously voted to threaten action against the Commission in the European Court of Justice unless it brought about compliance with the law -- either by stopping the data transfers to the USA, or getting the USA to agree to adequate data privacy protections -- by 9 December 2003.
In an effort to delay action by the EP, an unnamed U.S. official leaked a statement to Reuters that a deal on airline passenger reservation data has been agreed to with the EC. But the official spokesperson for the lead EC negotiator denied it, saying that, "There are still several outstanding issues". And as Parliament has repeatedly made clear, the Commission has no authority to "compromise" on enforcement of laws enacted for the EU by its Parliament.
The RFP makes clear (pp. 20, 22, 35) that the US-VISIT database will include the information obtained from airline reservations through the Advance Passenger Information System (APIS), the system currently at the center of the USA-EU data transfer dispute. As with the DHS/TSA CAPPS-II proposals, the US-VISIT RFP ignores the many intermediaries involved in collecting, entering, and forwarding that data, especially travel agents and CRS's -- neither of which are mentioned in the list of US-VISIT stakeholders (p. 19).
Privacy concerns -- including concerns in the EU about how widely US-VISIT data will be disseminated -- are likely to be exacerbated by the scope of the proposal: "This program is no longer an entry-exit project encapsulated within a single agency (the former Immigration and Naturalization Service) but is now a cross-government program with a large number of stakeholders." (p.16)
While one of the requirements in the RFP is that the prime contractor, "Deploy the program in accordance with existing privacy laws and policies" (p. 16), there's no mention in the RFP of the possibility that the unprecedented scope of the program might require any new privacy policies.
The estimated total cost of the system -- potentially as much as US$10 billion, including an initial $60 million for RFID sensors in fiscal year 2003 (pp. 121-122) -- should also raise questions about the DHS/TSA budget of US$35 million for CAPPS-II deployment, and the likely extent of the unreimbursed costs that will be imposed on the travel reservations industry to implement CAPPS-II.
[Addendum, 13 December 2003: A further report from EUpolitix.com makes even more clear that the USA still hasn't agreed to adequate protection for EU-originating travel reservation data:
"There is no agreement ... there are still a number of obstacles," said a spokesman for Bolkestein, indicating that not much had even moved during talks since the beginning of the month, when the commissioner outlined the sticking points still holding up an accord.
"If Bolkestein is going to make a statement [announcing an agreement] on the 16th, then something's going to have to move between now and then."
European Commissioner Bolkestein is currently scheduled to report back to the European Parliament with what the agenda diplomatically terms an exchange of views at an extraordinary joint committee meeting in Strasbourg this Tuesday, 16 December 2003.]Link | Posted by Edward on Thursday, 11 December 2003, 15:59 ( 3:59 PM)