Tuesday, 9 May 2017
European Commission to investigate airline reservation (in)security
Fifteen years after I published my first critique of the extreme insecurity of airline reservations stored by computerized reservations systems (CRSs) and made available without passwords or access logs on public Web sites, and four months after hackers, inspired in part by reading an interview with me on a German IT news site, publicly demonstrated that those same vulnerabilities still exist 15 years later, I've finally found the right unit of the European Commission to investigate my complaint that these CRS practices violate the privacy and data protection provisions of the European Union's Code of Conduct for CRSs.
In the U.S., there is no general Federal privacy law requiring businesses to protect personal data about their customers or other individuals. But there are general requirements for this in the European Union (and in many other jurisdictions, including Canada), as well as specific requirements for the protection of travellers' personal data in the EU Code of Conduct for CRSs.
The European Commission has the authority to enforce the Code of Conduct for CRSs, and the responsibility to investigate complaints of violations. But I have never been able to find any public indication of how or to whom to submit such a complaint. Saying, "You can complain to the European Commission" is like saying, "You can complain to the U.S. government." Exactly how, and to whom, are you supposed to complain? Knock on the door of the White House or the nearest U.S. Embassy? Try that in the U.S., and you are likely to be arrested, if not shot, if you even manage to get within shouting distance of the door. The European Commission has published procedures for complaints against EU member states, but not for complaints against commercial entities such as the CRSs which are regulated directly by the Commission rather than, or in addition to, by the national governments of EU member states.
I'm not the only person to have asked this question.
In 2011, MEP Martin Ehrenhauser, an independent Member of the European Parliament, submitted a written question to the European Commission asking, "Has the Commission designated a point of contact or established procedures for handling complaints from individuals of violations of the Code of Conduct for CRSs? If so, how has the Commission made public this point of contact and the procedures for handling such complaints? If not, why not?". The eventual written response from the Commission ignored this part of the question entirely, and didn't mention the Code of Conduct for CRSs.
More recently, on 20 March 2017, MEPs from three different countries and political groups -- MEPs Jan Philipp Albrecht (Verts/ALE), Birgit Sippel (S&D), and Sophie in 't Veld (ALDE) -- submitted a new question to the Commission:
Article 11 of the Code of Conduct for Computerised Reservation Systems (Regulation (EC) No 80/2009 of 14 January 2009) requires that 'technical and organisational measures shall be taken ... to ensure that personal data are only accessible for the specific purpose for which they were collected.' The Commission has the power to investigate and enforce the code under Section 6 of the regulation.
Personal data in the passenger name records (PNR) hosted by Computerised Reservation Systems (CRS) are available through CRS-operated public websites, just by using a name and the short 'record locators' displayed on items such as boarding passes and baggage labels. Due to a lack of access logs, data subjects are unable to gather from CRSs whether their PNR data have been disclosed and to whom. Security researchers demonstrated these and other vulnerable aspects of CRSs at the Chaos Communication Congress held on 27 December 2016.
1. Does the Commission believe that giving access to PNR data on the basis of a name and record locator, with neither a password nor access logging, is compliant with Article 11 of the Code of Conduct?
2. Does it intend to investigate these vulnerable aspects and possible violations of the code?
3. Has it established procedures for handling complaints from individuals about violations of the code?
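As an added illustration (not code from this post, the MEPs, or any CRS), here is a small Python model of the access pattern the question describes: a weak lookup that checks only surname and record locator and records nothing, beside a logged variant that lets the data subject later learn which disclosures occurred and lets the operator see refused guesses. The class and function names, the sample record and the `purpose` field are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AccessEvent:
    """One entry in the per-PNR access log that a data subject could later inspect."""
    when: str
    locator: str
    requester: str   # who asked: an authenticated agent id, or "anonymous-web"
    purpose: str     # declared purpose (Article 11: access only for the purpose collected)
    granted: bool


@dataclass
class PnrStore:
    records: dict                              # locator -> PNR fields (constructed sample)
    log: list = field(default_factory=list)    # stays empty unless lookup_logged() is used

    def _matches(self, locator: str, surname: str):
        rec = self.records.get(locator.upper())
        return rec if rec and rec["surname"].casefold() == surname.casefold() else None

    def lookup_weak(self, locator: str, surname: str):
        """The pattern the question describes: locator + surname is enough, and the
        access leaves no trace, so the data subject can never learn that it happened."""
        return self._matches(locator, surname)

    def lookup_logged(self, locator: str, surname: str, requester: str, purpose: str):
        """Same knowledge check, but every attempt (granted or refused) is recorded
        together with the requester and the declared purpose."""
        rec = self._matches(locator, surname)
        self.log.append(AccessEvent(datetime.now(timezone.utc).isoformat(),
                                    locator.upper(), requester, purpose, rec is not None))
        return rec

    def disclosures_for(self, locator: str):
        """Answer a data-subject request: which disclosures of this PNR have occurred."""
        return [e for e in self.log if e.locator == locator.upper() and e.granted]

    def refused_attempts(self, locator: str):
        """Failed guesses against one record: a signal an operator could alert on."""
        return [e for e in self.log if e.locator == locator.upper() and not e.granted]


def sample_store() -> PnrStore:
    """Constructed sample data, not a real PNR."""
    return PnrStore({"ABC123": {"surname": "Traveller", "itinerary": "sample"}})
```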
If a written question such as this from an MEP is not answered by the Commission within six weeks, the MEP who submitted the question is entitled to place it on the agenda of the next meeting of the responsible committee of the European Parliament. More than seven weeks have passed, but there has been no answer from the Commission to this question.
Meanwhile, however, I made contact while I was in Brussels with Mr. Paul Nemitz, Director of the unit for Fundamental Rights and Union Citizenship of the European Commission Directorate-General for Justice and Consumers (DG JUST). Mr. Nemitz and I agreed that his unit was probably not the one responsible for investigating my complaint, but he generously offered to accept my complaint, find out what unit was supposed to be responsible for dealing with it, and forward it to them.
To my pleasure, Mr. Nemitz did as he said he would. I have now received a letter from the Head of Unit (Acting) of the Directorate General for Mobility and Transport (DG MOVE), Directorate E.1, advising that "my unit is in charge at the European Commission of the implementation of the Code of Conduct and deals with any alleged infringements of the Code of Conduct. There is no specific form or procedures to be used for lodging a complaint for an alleged violation of the Code of Conduct."
[Update: On 17 May 2017, I received a follow-up message from DG MOVE: "We will now assess your allegations on an infringement of the Code of Conduct and the information provided by you.... I will of course keep you informed on our assessment."]
I have not yet received any indication of how long the investigation of my complaint may take.
For those who may wish to submit their own complaints of violations of the Code of Conduct for CRSs, these can be directed to:
Directorate General for Mobility and Transport (DG MOVE)
Unit E.1 - Aviation Policy
Rue J.-A. Demot, 24, 5/76
B - 1049 Brussels
Many thanks to former MEP Ehrenhauser; current MEPs Albrecht, Sippel, and in 't Veld; their assistants; and Mr. Nemitz for helping to uncover this information and finally get my complaint accepted and (I hope) investigated.
Background on CRS/GDS insecurity:
- Who's watching you while you travel? (18 April 2002)
- How safe is airline passenger data? Not secure at all. (20 April 2016)
- "Travel data: fraud with booking codes is too easy" (27 December 2016)
- CRS/GDS companies and travellers' privacy (30 December 2016)
- "What can I do to protect my PNR data?" (12 January 2017)
- Unresponsive "comments" from Amadeus (18 January 2017)
Background on EU CRS regulations and enforcement:
- EU Code of Conduct for CRSs
- Parliamentary Question: Implications for the EU/US PNR agreement on CRSs, including new CRS providers such as Google (30 November 2011)
- Answer on behalf of the Commission (9 February 2012)
- Parliamentary Question: Enforcement of the Code of Conduct for CRSs (20 March 2017)
- Letter from the European Commission, DG MOVE, Directorate E.1 (27 April 2017)