Thursday, 29 January 2004
More questions on reservation data shared by NASA, Northwest, & KLM
The official agenda said yesterday's hearing by the USA Senate Committee on Science and Transportation on "NASA Future Space Mission" was supposed to "focus on President Bush's recent proposal to return astronauts to the Moon and expand human space exploration to Mars."
But Senators had more down-to-Earth concerns. In the event, "The meeting focused on Northwest Airlines' participation in a National Aeronautics and Space Administration research study designed to improve aviation security," reported Scripps Howard News Service .
Transcripts of the questioning won't be published for some time, and the witnesses' prepared statements didn't mention the Northwest Airlines (NW) / NASA privacy scandal. But reports on the hearing had somewhat different interpretations of what was said about NASA's use of the data:
The space agency planned to use its scientific and computational expertise to try to do a security analysis to find trends or patterns that might not be apparent.... But information on the ... disks was so elaborately encrypted that after a year of work, only two days worth of data could be extracted. (AP )
NASA analysts were able to extract only two days of passenger data after a year of effort.... Northwest's data-compression technique hindered NASA's analysts. (Washington Post )
What this real means, I think, is not that NW had actually "encrypted" or "compressed" the data at all, but that airline PNR's are stored and transmitted in extremely compact formats unfamiliar to those outside the industry.
These formats and data structures are typical of the global netwrok of reservation systems, which place an exceptionally high priority on extreme backward compatibility with older, low-data-capacity "legacy" equipment installed in remote locations and used by smaller and poorer airlines around the world. They seem very strange, however, and take a long time to figure out, for people unfamiliar with travel industry protocols.
The established CRS's operate in a parallel universe with its own standards, often very different ones from those in other industries that have only more recently gotten into large-scale, truly global, real-time networking.
The difficulty smart, technically sophisticated NASA data analysts had in making sense of raw dumps of PNR data is indicative of the distance between the assumptions about reservations of people outside the airline industry -- such as those who have devised the CAPPS-II scheme -- and the reality. It should also be a warning about the surprises, the unexpected difficulties, and the massively higher costs they will find, compared to what they have naively expected, each time they try to test their CAPPS-II concepts against real reservation data.
At the same time that NASA as the recipient of NW reservation data was coming under questioning in the USA Congress, KLM Royal Duth Airlines as the source of some of the data NW turned over to NASA was coming under scrutiny today on its home turf.
The latest issue of the newsletter of the European Digital Rights initiative reports that the Dutch civil liberties group Bits of Freedom (sponsor of the Big Brother Awards for the Netherlands), "will ask the Dutch Data Protection Authority to investigate the transfer [of PNR data], the role of KLM and to order KLM to notify the passengers involved."
KLM is the most obvious, but not the only, other company at risk: Any company that collected passenger information in Europe, and transferred it to NW in the USA, is vulnerable enforcement actions under EU data protection laws. That includes:
- More than 100 airlines that are represented in the EU and that have "interline" ticketing and reservation agreements that permit them, and their agents, to accept reservations and issue tickets for interlione journeys that include NW connecting flights as well as their own flights.
- Thousands of travel agencies and tour operators throughout the EU who booked clients on NW flights. These include both storefront agencies and Internet travel agencies such as Opodo , eBookers , Expedia.co.uk , etc.
- The four major computerized reservations systems (CRS's) that accepted reservations from travel agents in the EU, and passed them on to NW: Amadeus, Sabre, Galileo (a division of Cnedant Corpo.), and Worldspan (which actually hosts NW's own PNR database).
Each of these companies violated EU and national data protection rules -- and, in the case of the CRS's, the EU code of conduct for CRS's -- whenever they passed on personal data to NW, unless they had agreements and procedures in place to ensure that NW would respect passengers' (and other data subjects') rights of access, notice, and consent to any disclosure of personal data.
Since few if any companies passing EU data to NW have, or had, such commitments from NW, all their transfers of perosnal data to NW (and other airlines in the USA) have been and continue to be in violation of EU laws.
It's the transfer of data across EU-USA borders to NW, without adequate protection against its subsequent misuse, that was and is illegal -- whether or nor NW actually misused the data .
That means almost every time any travel agency, tour operator, CRS, or airline in the EU accepts a reservation for travel on an airline based in the USA, or that has its passenger database hosted in one of the 3 (out of 4 globally) CRS's that are based in the USA (all except Amadeus), EU law is violated. Regardless of whether the data is passed on to the USA government or anyone else.
That wouldn't be a problem, or a violation of law, if the USA enacted an adequate travel privacy law.Now that EU enforcement agencies are beginnning to pay attention, let's see if they notice the full extent of the problem, and demand that it be dealt with.Link | Posted by Edward on Thursday, 29 January 2004, 07:31 ( 7:31 AM)