Sunday, 18 January 2004
Northwest Airlines gave NASA millions of PNR's
In late 2001, as several airlines and private contractors were using archived Passenger Name Records to test new concepts for profiling of airline passengers, Northwest Airlines (NW) gave CD's containing PNR's for perhaps 10 million or more NW passengers to the USA National Aeronautics and Space Administration for testing of airline passenger profiling concepts.
NASA's request for NW passenger data had been known for more than a year: it was revealed in documents obtained by the Electronic Privacy Information Center (EPIC) under the Freedom of Information Act, and had been mentioned in the New York Times in 2002 and in much more detail in the Washington Times ("NASA sought airline records", 27 September 2003).
But it hadn't been known whether NW had acceded to the NASA request, until EPIC obtained another batch of documents from NASA last month, in response to further FOIA requests. Those documents were revealed in today's Washington Post along with a response from NW; there are responses from NASA in today's San Jose Mercury News and New York Times.
NASA requested system-wide Northwest Airlines passenger data from July, August and September 2001. According to the Post, NW said it actually provided data for October through December 2001, which if system-wide would include PNR's for more than 10 million passengers. Neither the documents posted by EPIC nor the comments from NW in the Post make clear whether the NASA request was granted in whole or only in part.
"System-wide" NW data would include flights operated by Northwest to and from Amsterdam and other points in the European Union, and flights not touching the USA operated by KLM Royal Dutch Airlines (KL, part owner of NW) with NW code-share flight numbers within the EU and between the EU and other parts of the world. And even domestic NW flights within the USA include many flights with KL code-share flight numbers.
(I think code-sharing should be prohibited as fraudulent, but that's another story, which I've written about previously. Legitimately or not, there are NW flight numbers on flights within the EU, and KL flight numbers on flights within the USA.)
So it's highly likely that the data given to NASA, even if it was less than "system-wide", included passengers on flights sold under the label of an EU airline. And it's certain that, even if it excluded international or code-share flights, the data given to NASA included large volumes collected in, and transferred from, the EU, Canada, and other countries.
Unlike jetBlue Airways, which has no "interline" agreements, NW has interline ticketing agreements permitting more than 100 other airlines around the world, and their appointed agents, to issue tickets including NW flights. And like most other airlines (but again unlike jetBlue) NW outsources hosting of its reservation database to one of the big 4 computerized reservation systems (CRS's), in NW's case the Worldspan CRS.
Through Worldspan and the network of travel reservation systems, other airlines, other travel services providers (hotels, car rental companies, tour operators, etc.), other CRS's, and tens of thousands of travel agents can create and/or enter data in PNR's that include NW flights. All those companies -- but especially KL and Worldspan -- are now at risk of consumer litigation and regulatory enforcement actions in various countries. They'll have to choose between joining with NW in trying to defend against those claims, or joining with consumers to pursue their own claims against NW for violating their customers' privacy.
NW, KL, Worldspan, and other travel companies are likely to face especially severe scrutiny and legal liability in the EU. An agreement with the USA on transfers of passenger data was proposed by the European Commission in December, just before the European Parliament and most other EU bodies recessed for the holidays. Consideration of a working document on "Transfer of data on trans-Atlantic flights: situation concerning negotiations with the USA" is on the agenda this week when Parliament's Committee on Citizens' Freedoms and Rights, Justice and Home Affairs returns from the recess for meetings scheduled in Brussels all day Wednesday and Thursday, 21-21 January 2004, to start its new session. Presumably, the latest revelations about NW -- and their implications for KL, Worldspan, and other travel companies based or doing business in the EU -- will be on the table too.
EU authorities need to ask whether, when KL passes reservation data collected in the EU to NW in the USA -- or when any travel agency or tour operator in the EU collects passenger data and passes it to an airline or CRS in the USA -- there are agreements and oversight mechanisms in place to ensure the protection of passengers' privacy under EU laws.
The fact is that there are rarely any such protections. When I talked with aviation consultant Bob Mann about the passenger profiling tests he helped conduct in 2001 (more on those below), he said that, (1) no one involved with the tests had ever raised a question about privacy -- Airline Automation, Inc. was considered to own the data and assumed they could use it for anything they liked, which is true with respect to USA law, and (2) it never occurred to him or anyone else that EU laws or any other countries' laws could apply to PNR's from flights within the USA.
While the jetBlue and now Northwest scandals have been the most widely publicized, they aren't the only cases since 2001 in which real data from real airline reservations has subsequently been used -- without the knowledge or consent of the passengers -- for testing of passenger profiling systems.
In 2001, Airline Automation, Inc., a company which provides PNR data-mining services to several airlines, under agreements which permit it to retain the PNR data for later uses of its own, ran more than 5 million PNR's from its archives, originally obtained from multiple airlines, through an experimental system designed to test the prospects for identification of terrorists. Those experiments became public when they were described in detail by Bob Mann in a report (see page 23) by the Reason Public Policy Institute in May 2003, and further reported on my Web site a few days later based on my interviews with Mr. Mann.
(A report in the Wall Street Journal, 25 October 2001, entitled, "Nation's airlines adopt aggressive measures for passenger profiling", said that, "Airline Automation Inc. ... uses reservation and ticket data to draw up marketing profiles of passengers for more than a dozen airlines clients, including Delta Air Lines, Alaska Airlines, Continental Airlines and American. Airline Automation's records may be the closest thing there is to a national database of airline passengers.")
In mid-2002, four teams competing for the prime "CAPPS-II" contract were awarded smaller "proof of concept" contracts to test their systems. Each received several million real PNR's from multiple airlines -- undoubtedly including data collected in the EU and other countries -- which they used in their tests. In at least one of those cases, reported last year first on my Web site and some months later in the London Times, those PNR's came -- either directly or by way of the USA Department of Transportation -- from the PNR archives of the Sabre CRS.
There's no telling how many more cases like these there may have been, or how many other companies you've never dealt with directly, or even heard of, may have received your travel records.
Nonconsensual "sharing" of customer data within the industry, and with government agencies, is the rule, not the exception, in the travel industry.
Regulatory authorities and the public in the EU have, until now, focused their attention on transfers of passenger data to the government of the USA. But the larger and more routine violations of EU data protection laws and the EU CRS regulations occur when travel data collected in the EU is transferred -- without the privacy safeguards required by EU law -- to commercial entities in the USA, including USA-based airlines and CRS's. These violations of EU privacy law are flagrant, large-scale, long-standing, and ongoing.
Unlike the EU, the USA has no general data privacy law, and the piecemeal approach to privacy protection in the USA through industry-specific privacy laws (primarily for financial and medical data) hasn't yet been extended to travel data.
What's needed, as I've argued in my analysis of CAPPS-II, is either a comprehensive federal data privacy law on the Canadian, EU, and general international model, or a Federal travel privacy law giving at least as much protection to travel reservation records as is currently provided for financial and medical data.
The first question many people have been asking about the Northwest scandal is, "Isn't that illegal?" Unfortunately, the problem isn't that NW broke the law -- which would present a relatively straightforward enforcement problem -- but that NW's abuse of most customers' privacy may not have broken any USA law.
EPIC announced today that they plan to file a complaint with the USA Department of Transportation "alleging that Northwest's disclosure constitutes an unfair and deceptive trade practice". And numerous consumer class-action lawsuits are likely to be brought against NW, as they have (thus far only in preliminary stages of litigation) against jetBlue.
The primary problem this episode reveals is not the need for enforcement of existing USA law, but the need for new USA federal law and enforcement of EU and other countries' laws until the USA brings its privacy protection legislation into line with international human rights norms.
The NASA and NW documents obtained by EPIC show that NASA returned the original CD's on which NW had provided the PNR data. But the documents don't show, and neither NASA nor NW has yet said, whether NASA has any controls in place to be able to tell if NASA retained copies of all or part of the data, or with whom it might have been "shared" while NASA had it.
Travellers whose privacy may have been compromised are unlikely to get the answers to any of these questions without a full-fledged Congressional investigation, including public hearings, on protection, sharing, and privacy practices and policies for travel reservation data.
There have been persistent calls for a Congressional investigation of the jetBlue Airways privacy scandal, and the sharing of the entire jetBlue PNR database with a U.S. military subcontractor. Both the Army and the Chief Privacy Officer of the Department of Homeland Security promised to investigate their departments' roles in the jetBlue scandal, but no reports have yet been made public. Written questions from members of Congress about the jetBlue scandal, CAPPS-II, and government use of PNR's haven't received even courtesy replies from the TSA, DHS, and DOD.
The latest revelations about NW reinforce a pattern of unconcern for privacy, breach of public promises, and widespread unauthorized dissemination of sensitive passenger data, both within the travel industry and between industry and government. Clearly the problem, and the need for Congressional scrutiny and action, extends beyond these few well-publicized scandals.
What can be done?
Write to Congress -- today. Tell them you want:
- A Congressional investigation of privacy practices throughout the travel industry;
- Public Congressional hearings;
- Termination of CAPPS-II and any other government programs to mandate collection of data on travellers or turn that data over to the government; and
- A Federal law protecting the privacy of travel data.
[Addendum, 21 January 2004: If you've just arrived at this site, there's more background information on this topic in my earlier article on Total Travel Information Awareness, the index of postings in the Privacy and Travel category of this blog, and this September 2003 interview with me from NPR on Privacy, travel records, and the jetBlue scandal (4 minutes, Real Audio).]
Posted by Edward on Sunday, 18 January 2004, 14:58 (2:58 PM)