Friday, 12 November 2004
TSA orders USA airlines to turn over June 2004 reservations
The USA Transportation Security Administration (TSA) today issued an order to all airlines based in the USA to turn over to the TSA, by 23 November 2004, passenger name records (PNR's) including data on flights in June 2004 for testing of the TSA's Secure Flight airline passenger identification, surveillance, and "screening" system.
I don't yet know if the GAO has completed its report on "Secure Flight" testing. If it hasn't, today's TSA order is clearly illegal, since the GAO report is required before the TSA can test any passenger identification system using commercial databases such as PNR's. Today's TSA notice mentions the GAO reporting requirement, but doesn't make clear whether it has yet been satisfied.
The TSA's Notice of Final Order for Secure Flight Test Phase and Response to Public Comments was docketed today; TSA spokesperson Jennifer Peppin told me it will be published Monday in the Federal Register. Unlike the TSA's purported "analysis" of the last round of comments on the CAPPS-II proposal that preceded "Secure Flight", the TSA at least acknowledges in today's filing most of the arguments I and more than 500 others raised in our comments on the proposal (almost all of which, the TSA admits, opposed it).
But the TSA's responses to its critics are wholly inadequate and largely conclusionary, frighteningly dismissive of fundamental rights and concerns, and indicative of continued profound ignorance of the actual contents of the data being demanded.
- The TSA continues to quote selectively from the report of the 9/11 Commission, ignoring its recommendations (pointed out to the TSA by myself and other commenters) that the burden of justifying all its proposals be on the government, and that they be subject to independent civil liberties and oversight authority -- neither of which would be the case for the Secure Flight tests, as epitomized by the fact that the system would be managed directly by the TSA's supposed "privacy" [invasion?] office. Who will watch the watchers? They will watch themselves, apparently.
- The TSA claims that passengers can be considered to have "consented" to this after-the-fact use of reservation data about them because "the existence of ... prescreening measures has been public knowledge for many years". But the current tests involve post-screening, not pre-screening. And in June-July 2003, when reservations for June 2004 flights began to be made, the TSA was still officially refusing to confirm or deny even the existence of any such measures. Even today the TSA continues vigorously to contest disclosure of anything about them, either in response to Freedom of Information Act requests or Federal civil rights lawsuits, making it disingenuous at best to call them "public knowledge". If the TSA wants to make such a claim, it needs to make its rules and procedures public, and then let prospective passengers and other data subjects decide whether they want to provide information that will be used in that manner.
- The TSA responds to my comment that the Privacy Act forbids collection of information regarding the exercise of rights protected by the First Amendment with the conclusionary claim, entirely without supporting argument, "TSA does not agree that PNR's contain information related to First Amendment rights, including the right of assembly." If records of when we assemble, how we assemble, where and from where we assemble, and with whom we assemble by common-carrier air transportation aren't "related to" how we exercise our rights of assembly, I don't know what is. And someone such as the TSA's "Privacy Officer", Lisa Dean, who doesn't understand that to travel is -- in many, probably most, cases -- a form of assembly, is manifestly unfit to protect the privacy rights (or any other rights) of travellers.
- In response to my objection to the inclusion (without the notice required by the Privacy Act) of data in PNR's concerning people other than passengers, the TSA claims that, "It is our understanding that the inclusion in PNR's of names other than passengers is rare." No one familiar with PNR content could possibly believe this. Names of people other than passengers routinely appear in PNR's whenever someone makes a reservation for someone else, pays for tickets for someone else, gives a contact name (e.g. as a local contact when reconfirming a flight, or for ticket delivery) other than the passenger, and in a variety of other circumstances. The TSA says it will exclude cancelled PNR's, but that would still leave PNR's that were neither flown nor cancelled, i.e. reservations of "no-shows", which include data on people who, by definition, weren't passengers (and who, in many cases, don't even know that reservations were made in their names).
- The TSA claims, without explanation, that the proposed order is "not a rulemaking" and not subject to any of the normal rules governing the issuance of Federal agency regulations -- although it admits that "operational" rulemaking for Secure Flight would be subject to those requirements. But there is no "testing exception" to the definitions of "rulemaking" or "regulation", and courts have held that any "final order" (as the TSA itself describes its order to the airlines) is subject to those rules.
- In response to my comments and those of several airlines that providing the TSA with data collected in the European Union would violate EU laws and regulations, "TSA has determined that for purposes of this test phase aircraft operators may elect to exclude from PNRs submitted to TSA any PNR that includes a flight segment between the United States and the EU." That only serves to make clear that the TSA still doesn't get it. First, they don't seem to grasp the concept of flights between points entirely outside the USA, and the fact that these can appear in the same PNR's with domestic flights within the USA. Some of these flights are to, from, and within the EU. Northwest Airlines, for example, operates its own flights between Amsterdam and Mumbai (Bombay), while United Airlines has its flight number on flights operated by Lufthansa both between EU countries and on domestic routes within Germany. (In response to questions from airlines and myself about codeshare flights, the TSA says that data on codeshare flights can be excluded from an airline's turnover to the TSA only if the same data is being reported by the operating airline, making clear that the "final order" will result in the acquisition, one way or another, of data on codeshare flights including those operated by non-USA carriers.) Second, the TSA still seems unable or unwilling to recognize that data in reservations made in the EU is protected by EU law, even if it concerns flights entirely within the USA. This was perhaps the most significant of the comments, made both by me and several of the airlines, not even to be mentioned in the purported "analysis" and response to comments -- probably because it is the way in which the proposal is most irreconcilably contrary to EU law.
Third, the TSA fails even to mention, much less respond to, my comments concerning the role that the CRS's that host airline reservations databases would have to play in order for airlines to comply with the proposed order, and how that would violate their obligations under the EU Code of Conduct for CRS's.
The response to today's order by the Air Transport Association (ATA), the trade association representing the airlines, is grotesquely hypocritical, contradicting the airlines' previous public claims to be concerned about travellers' privacy, and indicating a willingness to comply with the order, and with the equally privacy-invasive scheme to require travellers to register with the government despite the airlines' own serious doubts about the legality of doing so without violating European Union privacy laws and regulations, as expressed in ATA's official comments to the TSA on the draft order. ATA President James May says today:
We are studying the final order. As a general matter, we look forward to working with the Transportation Security Administration on this test phase of Secure Flight. We continue to support the concept of Secure Flight, which promises to deliver a higher level of protection and fewer hassles for travelers. U.S. airlines have long-standing concerns that center on privacy and operational issues. We hope that many of the issues will be successfully addressed during the test phase of Secure Flight. It's important to strike a balance between the security of airline passengers and the security of their privacy. This is one of the reasons that U.S. carriers are enthusiastic supporters of the Registered Traveler Program, which is designed to get people through airports faster.
If the airlines really objected to the TSA proposal, they would be pledging to fight it in court, on behalf of their customers, rather than pledging their eagerness to collaborate with further invasions of their customers' privacy, and with violations of their obligations under the laws in many of the countries in which they operate.
Since the airlines apparently aren't going to do this, the only remaining recourse is for anyone who took a flight in the USA in June of 2004, and made a reservation for it while in the European Union, to file a complaint with their national data protection authority against both the airline and the CRS that hosts their database (and that will have to participate in the violation in order for the airline to comply with the TSA demand), and to file a complaint against the CRS directly with the European Commission, which is responsible for enforcement of the EU Code of Conduct for CRS's, including its requirement in all cases for passenger consent for disclosure of reservation data, including disclosures to government agencies.
For the largest USA-based airlines, the corresponding CRS's that host their reservation databases are as follows:
- American Airlines: Sabre
- Continental Airlines: SHARES (a product and service of EDS)
- Delta Air Lines: Worldspan
- Northwest Airlines: Worldspan
- United Airlines: Galileo
- US Airways: Sabre
[Addendum, 31 March 2005: In the original version of this article, I mistakenly reported that Continental Airlines PNR's are hosted in the EU by the Amadeus CRS. Neither Continental nor Amadeus would confirm, deny, or respond to my queries about this, but I have since learned that Continental uses Amadeus to host its fares database but not its database of reservations. Continental's PNR database is hosted in the SHARES system run by EDS.]
Posted by Edward on Friday, 12 November 2004, 14:12 (2:12 PM)