Sunday, 20 March 2005
FBI releases details of its files of airline reservations
I've been meaning to comment on two documents released by the USA Federal Bureau of Investigation in January 2005, in response to a Freedom of Information Act lawsuit by EPIC , giving details of the data from airline reservations collected by the FBI during its "PENTTBOMB" criminal investigation of the events of 11 September 2001.
I had expected to discuss these in the context of the Transportation Security Administration's plans for testing of the proposed Secure Flight airline passenger identification, surveillance, and "screening" system.
But despite news reports, apparently confirmed by TSA officials, that "Secure Flight" testing has begun, the TSA has made no official statement about "Secure Flight" testing since its order to airlines to turn over all reservations that included flights in June 2004 for "Secure Flight" testing.That's probably because any testing begun before 23 February 2005, and possibly any being conducted now, would have violated a Congressional mandate that any testing of an airline passenger screening system using commercial data -- such as the commercial airline reservation records at the core of "Secure Flight" -- not begin until after "TSA has developed measures to determine the impact of such verification on aviation security and the Government Accountability Office has reported on its evaluation of the measures".
The GAO report on the criteria for 'Secure Flight' testing was released 23 February 2005, and concluded that:
TSA measures developed to date for commercial data testing do not, and were not designed to, provide information on overall Secure Flight system operations (i.e., system response time, connectivity with air carriers, security, and privacy) or identify impacts of using commercial data on aviation security in an operational environment. Accordingly, the measures do not generally reflect attributes of successful performance measures for this purpose. Additional work reviewing TSA’s refined measures, should DHS and TSA decide to pursue the use of commercial data for Secure Flight, would be needed to determine if the measures are designed to identify relevant impacts on aviation security, and reflect attributes of successful performance measures for that purpose.
It's not at all clear that this report constitutes the finding by the GAO that "TSA has developed measures to determine the impact of such verification on aviation security" required by Congress as a prerequisite to "Secure Flight" testing using information from airline Passenger Name Records (PNR's)or other commercial databases. The GAO report is also fundamentally mistaken in referring to data in PNR's as "passenger-provided information". In fact, almost no PNR data is entered by passengers, and some of it (such as in cancelled PNR's naming people who never became passengers) doesn't pertain to passengers at all. Most PNR data is provided to airlines by a chain of between two and four intermediaries: (1) the travelling companion who makes the travel arrangements for the typical travel party of more than one person, (2) the travel agency they deal with (online or offline), (3) the CRS used by that travel agency, and (4) the CRS that hosts the airline's PNR database.
The TSA has also directed the appointment of a privacy advisory committee on "Secure Flight" under the auspices of the pre-existing Aviation Security Advisory Committee (ASAC). But the TSA privacy advisory committee on "Secure Flight" has complied with none of the public notice and transparency requirements applicable to the ASAC or other Federal advisory committees, making it impossible to know what, if anything, it has been assigned to do, or has done.
Anyway, while the TSA has been going about its business in secret, the FBI has admitted to having received, compiled into an integrated database, and indexed more than a terabyte of data from airline reservations and passenger manifests including 257.5 million PNR's covering flights between 31 December 2000 and 30 September 2001.
The FBI and/or the grand jury investigating the hijackings on 11 September 2001 would have been remiss not to subpoena PNR data that might have helped to identify the hijackers and, perhaps, co-conspirators who might still have been alive and subject to prosecution. But there are two particularly notable revelations in the FBI declaration describing the acquisition of the PNR and manifest data, and the outline of the structure of the aggregate data warehouse created by the FBI from this reservation data:
First, the FBI declares that "This airline passenger data was provided by the airlines to the FBI with implied assurances of confidentiality. One exception is one set of airline passenger data which was acquired through a Federal Grand Jury subpoena."
While airlines and CRS's wouldn't have violated any USA law in "voluntarily" turning over data collected in the USA, they would have violated European Union law, and the EU code of conduct for CRS's, by turning over any of this data originally collected in the EU, or transmitted through a CRS which does business in the EU (as, of course, all the major CRS's do), without the affirmative consent of the data subjects.
The FBI declaration thus reveals a massive violation of the law and the CRS regulations with respect to probably several millions of people whose reservations on USA-based airlines for 2001 flights were made in the EU. Anyone who made reservations from the EU for flights in the USA in January-September 2001 should ask the airline, the travel agency, and the CRS they use whether their data was handed over "voluntarily" (but without their consent) to the FBI -- and, if it was, should request enforcement action and sanctions by EU data protection authorities and the European Commission as enforcement agency for the CRS regulations.
Second, the structure of the FBI Oracle database includes a field for the "AgentSine" (unique identifier for the travel agent or airline agent who created the PNR) for each PNR.
What makes this significant is that it shows that the FBI not only received data concerning, but actually retained and used as an indexing (and, presumably, retrieval) field, as early as late 2001, unique identifiers for people in a category -- airline and travel agency staff -- completely distinct from airline passengers. Yet, three years later, the TSA was still claiming to believe that, "It is our understanding that the inclusion in PNR's of names other than passengers is rare", when in fact every PNR is required to include a unique ideitifier of a person other than the prospective passenger(s).
Once again, the question comes down to whether the TSA was incompetent or lying: Was the TSA actually unfamiliar with the FBI's analysis of the content of PNR data, even as the TSA was devising massive, and massively intrusive, systems highly dependent on what such data might contain? Or was the TSA actually aware, from its familiarity with at least the structure of the FBI data set, that PNR's invariably contain personally identifiable information on people other than passengers, in the form of the required unique agent sine?
If the latter, than the creation of the "Secure Flight" testing database, without proper notice of their inclusion to travel agents and airline staff, constituted a criminal violation of the Privacy Act .
And regardless of what the TSA knew (and they should have known, since I had told them this specifically in my comments on the "Secure Flight" proposal), this also constituted a further violation of the rights under EU law of travel agents and airline staff who made reservations in the EU that ended up in the FBI database without their knowledge or consent.Link | Posted by Edward on Sunday, 20 March 2005, 23:29 (11:29 PM)