Monday, 26 January 2004
"Our privacy laws are rather primitive" - ACLU
USA Undersecratary of Homeland Security Asa Hutchinson reportedly told an AP interviewer today that the DHS has decided to order airlines to turn over passenger reservation records to the DHS for tests of the CAPPS-II passenger profiling and surveillance system.
The DHS claimed to have been considering a public rule-making process, but has apparently decided simply to issue a security directive (probably secret) to the airlines to order them to turn over passenger data. In addition to intimate details about airline passengers, airline PNR's also contain extensive personal information on people who make reservations but choose not to travel, airline and travel agency workers, people who arrange travel for friends or family members or business associates, and people who pay for others' tickets. All of these groups -- most of whose rights haven't even been considered in the DHS Privacy Act notices about CAPPS-II -- would have their privacy violated by CAPPS-II testing.
There was no report today on whether the DHS would simultaneously be issuing the other directives required for CAPPS-II .
As I've reported earlier, DHS Chief Privacy Officer Nuala O'Connor Kelly told me in an interview in November 2003 that people about whom information is to be used in CAPPS-II tests will "almost certainly not be given any opportunity to opt out" of being used as data guinea pigs.
Since there is not (yet) any USA privacy law for travel records, USA citizens may not even be entitled to know if their reservations have been given to the DHS for CAPPS-II tests or other purposes. But EU citizens are entitled under the EU data directive to know to whom their reservations have disclosed. All EU citizens travelling to, from, or within the USA, either on USA or foreign airlines, should make a formal request to the airline and their national data protection authorities, after each flight, to find out if their reservations for that flight were given to the DHS for CAPPS-II tests. Since the tests may be conducted with archived, "historical" data for past flights, it would be a good idea for EU citizens also to ask each airline on which you have previously flown to, from, or within the USA which of your past reservations have been provided to the DHS, and for what purpose. For good measure, ask each of the big four CRS's (Sabre, Amadeus --including its Airline Automation subsidiary, Worldspan, and Cendant's Galileo division), since the DHS could get PNR's directly from them without going through the airlines. That's probably the only way we will find out which past or present flights are being used for CAPPS-II testing.
Questions continue to be raised about the passenger records Northwest Airlines turned over to NASA for use in some of the earlier experiments in passenger profiling, in editorials with titles like, Big Brother Air , or these from the Scripps-Howard News Service and the Mankato [MN] Free Press ) from a region where Northwest Airlines has a near-monopoly on service to smaller airports).
Joyce McGreevy in Salon.com (cookie acceptance and viewing of an ad required) takes note of the State of the Union address:
The president assured us at the top of his address that "analysts are examining airline passenger lists." But give credit where credit is due. Let us not fail to thank JetBlue Airways and Northwest Airlines for reportedly supplying passenger data, without which the government might have had to do its own violating of federal and state laws, thus taking time away from the important business of detaining readers of the Farmer's Almanac .
And the American Civil Liberties Union has sent a letter to Europeasn Commissioner Frits Bolkestein "to report what may have been a violation" of the EU Data Directive. The ACLU letter points out that, "In light of the fact that Northwestern has a partnership with the Royal Dutch Airlines (KLM) through which it provides one-stop reservations and ticketing it is almost certain that at least some of these improperly disclosed passenger records belonged to citizens of the European Union."
The ACLU suggests that Bolkestein and the Commission " may wish to conduct an investigation of Northwest's information collection and dissemination practices, full notification to all individuals effected by this disclosure and the imposition of all appropriate civil penalties."
More importantly, perhaps, in light of ongoing USA-EU discussions on transfers of passenger data, the ACLU says that:
We also believe that this latest revelation calls into question the ability of the US to honor any promises made regarding the transfer of air passenger data. Sadly, our privacy laws are rather primitive and the unrelated uses of private data are prohibited in Europe occur far too often.
Two members of the House Committee on Government Reform , Representatives Lacy Clay and Carolyn Maloney, have sent written questions to the U.S. Census Bureau, as have members of the Census Advisory Committee, seeking clarification of whether Census data has been, or could be, "mined" for data used for law eneforcement or "Homeland Security" targetting or profiling.
In this vein, the Washington Times reports on Cendant's plans to integrate its customer databases , including travel reservations from the Galileo CRS (a Cendant divison) and other Cendant travel, direct marketing, and data mining divisions . It's exactly the sort of data "sharing" within the travel industry that raises privacy concerns even if the government isn't involved, and that wouldn't be allowed if companies like Galileo and the rest of Cendant actually complied with the privacy laws of the EU, Canada, or the other countries where they operate.
The Washington Post has a contrasting report on last Friday's meeting between USA-based airlines and the DHS. The Post focuses on the changes in airline-industry procedures that would be required in order to notify travellers about CAPPS-II and other government uses of travel records: "The cost of installing privacy policies throughout the industry could easily run into 'hundreds of millions' of dollars." (That's just for policy changes, not the infrastructure changes required to collect and transmit the additional data required for CAPPS-II.)
But the Post says, strangely, that "the industry has been too slow to inform customers when it shares data with the government even though airlines have clear policies explaining how they might share customer information with travel-related companies ." That may be what airlines told the Post , and what they want trusting travellers to believe, but it's nonsense . Most airlines and travel companies have no policies whatsoever explaining their data-sharing practices for most reservations.
If travel companies have privacy policies at all, they generally apply only to data collected through their Web sites, and don't mention important categories of companies with which data is shared -- especially the CRS's. I know of no airline, CRS, or major travel agency that is prepared to provide a traveller, on request, with copies of their archived PNR's, which would be the first step toward compliance with EU and Canadian law. (Chief privacy officers from CRS's and mega-agencies with millions of customers have told me this wasn't necessary because no traveller has ever asked them for their personal travel records. If so, that's becasue -- in violation of EU and Canadian law-- they aren't informed of their right of access.) And, of course, the privacy policies that do exist are routinely violated by standard industry practices .
Business as well as leisure travellers are beginning to demand improvements in travel privacy policies and, more importantly, privacy practices. Eeven before the Northewest scandal, the Business Travel Coalition had called for industry-wide ground rules and safeguards with regard to passenger data . Members polled by the BTC are concerned about both the Northwest scandal and CAPPS-II , as discussed in BTC chairman Kevin Mitchell's new blog.
Those concerns are shared by the Association of Corporate Travel Executives, which has said there is a need for changes in IATA regulations on privacy of business data in reservations and filed critical comments on CAPPS-II .
There's no quick fix in sight, but at least there's a growing consensus on the need for action.Link | Posted by Edward on Monday, 26 January 2004, 13:48 ( 1:48 PM)