Monday, 2 February 2004
Privacy watchdogs unite against travel surveillance. Tom Ridge replies with lies.
Both a coalition of leading European privacy advocates and NGO's, and the Article 29 Working Party of national data privacy protection authorities of European Union members, today released new joint critiques of current USA-led global schemes for international surveillance and monitoring of the movements of travellers. Their statements drew strong support in the USA, where over 100 travel industry leaders brought together by the Busienss Travel Coalition today sent a joint letter to Congress calling for hearings and Congressional action on CAPPS-II and the privacy of travel data.
The report by European privacy NGO's, Transferring Privacy: The Transfer of Passenger Records and the Abdication of Privacy Protection , was issued by Privacy International , the European Digital Rights initiative (EDRi) -- itself a coalition of NGO's from around Europe, the Foundation for Information Policy Research , and Statewatch .
The report focuses on the failure of the European Commission to enforce EU privacy law with respect to airline reservation data transferred to the USA. As Statewatch quotes Simon Davies, Director of Privacy International: "The European Parliament and the people of Europe have been deceived by the [European] Commission. A full-scale investigation is now necessary. We believe legal action should be taken against the Commission to ensure that this dangerous subterfuge does not occur in the future."
But the report, which describes itself as, "The first report on 'Towards an International Infrastructure for Surveillance of Movement'", also places the transfer of PNR data to the USA in the context of parallel traveller tracking initiatives at pan-European and global levels.
The report's principal author, Dr Gus Hosein, Senior Fellow at Privacy International, said: "This is a case of opportunism by the [European] Commission. The EU is blam[ing] the U.S. for an admittedly unjust law, but then going further than the U.S. to establish a global system of surveillance of movement."
The report also included a commentary from the American Civil Liberties Union, A Perspective from America :
In fact, the report makes it clear that we are not witnessing a battle between Europeans and Americans, but a battle between those in Europe and America who would like to construct an infrastructure for the global tracking and surveillance of individuals' movements, and those in Europe and America who believe that such a course is dangerous to freedom.
Also today, the Article 29 Working Party published its formal Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be Transferred to the United States' Bureau of Customs and Border Protection" .
By vote of the highest privacy protection law enforcement authorities of EU member states the Working Party determined that the Undertakings of the USA Department of Homeland Security on PNR data transfers (more on those to come in a separate article) "...do not allow a favourable adequacy finding to be achieved" with respect to the protection of reservation data once given to the USA government.
The opinion was especially critical of the use of EU data in the CAPPS-II system, making clear that any suggest use is and will ocntiunue to be in violation of EU laws, and subject to enforcement action at the national level by the members of the Working party:
The Working Party recommends the Commission to make clear, through a specific clause in the decision, that US authorities shall refrain from using passenger PNR data transmitted from the EU not only to implement the CAPPS II system but also to test it. It is the Working Party?s opinion that this should also apply to any other further use of European passengers? data transmitted by airlines in relation with other programmes such as Terrorism Information Awareness and US VISIT, or entailing the processing of biometric data.
At the same time, the Working Party released its Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data from airlines as adopted 16 January 2004. Despite the much greater privacy protections afforded under Australian law, the Working Party was able to make only a highly conditional, time-limited, and "transitional" finding that they meet the EU standard of "adequacy". It's instructive as to how far the gap remains between the USA undertakings and meaningful privacy protection.
Last week TSA Administrator and (ex?)-admiral James M. Loy testified before the National Commission on Terrorist Attacks Upon the United States that, "We must be honest in dealing with the traveling public" (Loy also admitted in response to questions that CAPPS-II can be "gamed", according to a brief note about the hearing from EPIC ).
Today, Loy's boss, Secretary of Homeland Security Tom Ridge, uses an Op-ed in USA Today to repeat the same old lies about CAPPS-II that his underlings -- from TSA spokespeople to the DHS Chief Privacy Officer -- have been telling for months. To whit:
- Lie number 1: "CAPPS II uses routine passenger information.
In fact, the DHS Chief Privacy Officer admitted to me that CAPPS-II would require a directive compelling all would-be air travellers to provide additional information never before required or routinely entered in reservations.
- Lie number 2: "CAPPS II will help us preserve privacy."
Say what? One could argue (although I weouldn't do do) that invasion of privacy is only a "side effect" of CAPPS-II, not its primary purpose. But only those with a blind faith in, "We're from the government, and we're here to help you," could be expected to swallow the whopper that CAPPS-II is meant as some sort of "privacy protection" measure.
- Lie number 3: "Credit card purchases would not be accessed."
Actually, details of credit card ticket purchases (including the names and other details of people paying for tickets for others, but not themselves travelling) are routinely entered in reservations, and would be accessed by the government under CAPPS-II.
- Lie number 4: "Almost all passengers' data would be deleted immediately after a flight."
Exactly the opposite: no passenger data is ever deleted from airlines', CRS's, and/or travel agencies' electronic and microfiche archives until at least several years after a flight. For financial, tax, and accounting reasons (including the need to document credit card charges and tickets used in case of billing disputes), airlines wouldn't be permitted to delete reservation records even if they wanted to -- which they don't, especially since (as Ridge neglected to mention), there is nothing in USA law or the CAPPS-II proposal to limit their use, sale, or disclosure of passenger data to whomever and for whetver purposes they plase. Forever. When airlines say that PNR's are "purged" after the last flight in the itnerary, that's industry jargon for, "moved to permanent offline storage", not "deleted. And the airlines have said they want to feed reservation data from CAPPS-II into the US-VISIT system, under which it could be incorporated into "biometric and biographic travel histories" to be kept for up to 100 years .