Tuesday, 9 May 2017

European Commission to investigate airline reservation (in)security

Fifteen years after I published my first critique of the extreme insecurity of airline reservations stored by computerized reservations systems (CRSs) and made available without passwords or access logs on public Web sites, and four months after the continued existence 15 years later of those same vulnerabilities was publicly demonstrated by hackers inspired in part by reading an interview with me on a German IT news site, I've finally found the right unit of the European Commission to investigate my complaint that these CRS practices violate the privacy and data protection provisions of the European Union's Code of Conduct for CRSs.

In the U.S., there is no general Federal privacy law requiring businesses to protect personal data about their customers or other individuals. But there are general requirements for this in the European Union (and many other jurisdictions, including Canada), as well as specific requirements for the protection of travellers' personal data in the EU Code of Conduct for CRSs.

The European Commission has the authority to enforce the Code of Conduct for CRSs, and the responsibility to investigate complaints of violations. But I have never been able to find any public indication of how or to whom to submit such a complaint. Saying, "You can complain to the European Commission" is like saying, "You can complain to the U.S. government." Exactly how, and to whom, are you supposed to complain? Knock on the door of the White House or the nearest U.S. Embassy? Try that in the U.S., and you are likely to be arrested, if not shot, if you even manage to get within shouting distance of the door. The European Commission has published procedures for complaints against EU member states, but not for complaints against commercial entities such as the CRSs which are regulated directly by the Commission rather than, or in addition to, by the national governments of EU member states.

I'm not the only person to have asked this question.

In 2011, MEP Martin Ehrenhauser, an independent Member of the European Parliament, submitted a written question to the European Commission asking, "Has the Commission designated a point of contact or established procedures for handling complaints from individuals of violations of the Code of Conduct for CRSs? If so, how has the Commission made public this point of contact and the procedures for handling such complaints? If not, why not?". The eventual written response from the Commission ignored this part of the question entirely, and didn't mention the Code of Conduct for CRSs.

More recently, on 20 March 2017, MEPs from three different countries and political groups -- MEPs Jan Philipp Albrecht (Verts/ALE), Birgit Sippel (S&D), and Sophie in 't Veld (ALDE) -- submitted a new question to the Commission:

Article 11 of the Code of Conduct for Computerised Reservation Systems (Regulation (EC) No 80/2009 of 14 January 2009) requires that 'technical and organisational measures shall be taken ... to ensure that personal data are only accessible for the specific purpose for which they were collected.' The Commission has the power to investigate and enforce the code under Section 6 of the regulation.

Personal data in the passenger name records (PNR) hosted by Computerised Reservation Systems (CRS) are available through CRS-operated public websites, just by using a name and the short 'record locators' displayed on items such as boarding passes and baggage labels. Due to a lack of access logs, data subjects are unable to gather from CRSs, whether their PNR data have been disclosed and to whom. Security researchers demonstrated these and other vulnerable aspects of CRSs at the Chaos Communication Congress held on 27 December 2016.

1. Does the Commission believe that giving access to PNR data on the basis of a name and record locator, with no password nor access logging, is compliant with Article 11 of the Code of Conduct?

2. Does it intend to investigate these vulnerable aspects and possible violations of the code?

3. Has it established procedures for handling complaints from individuals about violations of the code?
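
The access pattern the MEPs describe, and what an access-logged alternative looks like, as an added illustration that is not part of the original post or of any CRS's actual code: a toy lookup service in which name plus record locator is the entire "credential" and nothing is recorded, beside a hardened version that demands a per-booking secret not printed on travel documents (an assumed design) and appends every attempt to a log, so that a data subject can later ask the CRS who retrieved their record. The `PNR`, `WeakCRS`, `HardenedCRS` and `AccessRecord` names and the sample booking are all constructed.

```python
"""Toy model of a PNR lookup endpoint, contrasting the pattern the MEPs
describe (name + record locator, no password, no access log) with a
hardened design that logs every access so the data subject can later
learn who retrieved their record.  Constructed example, not the code or
API of any real CRS."""
from dataclasses import dataclass, field
import hmac
import secrets
import time


@dataclass
class PNR:
    locator: str      # short code printed on boarding passes and bag tags
    surname: str
    itinerary: str
    # Hardened design only: a per-booking secret given to the traveller
    # out of band and never printed on travel documents (assumed design).
    access_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


@dataclass
class AccessRecord:
    ts: float
    locator: str
    requester: str    # identity the CRS attributes the request to (constructed)
    granted: bool


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison; works for non-ASCII names via bytes."""
    return hmac.compare_digest(a.lower().encode(), b.lower().encode())


class WeakCRS:
    """Name plus record locator is the whole 'credential', and nothing is
    logged.  Anyone who has seen a bag tag holds both values."""

    def __init__(self, pnrs):
        self.db = {p.locator: p for p in pnrs}

    def lookup(self, locator: str, surname: str):
        p = self.db.get(locator)
        if p is not None and _eq(p.surname, surname):
            return p.itinerary
        return None


class HardenedCRS:
    """Requires a secret that is not printed on documents and records every
    attempt, granted or not, in an append-only log."""

    def __init__(self, pnrs):
        self.db = {p.locator: p for p in pnrs}
        self.log: list[AccessRecord] = []

    def lookup(self, locator: str, surname: str, token: str, requester: str):
        p = self.db.get(locator)
        ok = (p is not None
              and _eq(p.surname, surname)
              and hmac.compare_digest(p.access_token.encode(), token.encode()))
        # Log before returning anything, including failed attempts.
        self.log.append(AccessRecord(time.time(), locator, requester, ok))
        return p.itinerary if ok else None

    def disclosures_for(self, locator: str) -> list[AccessRecord]:
        """What a data subject's access request to the CRS should return:
        every retrieval of their record and who made it."""
        return [r for r in self.log if r.locator == locator]


if __name__ == "__main__":
    pnr = PNR("ABC123", "Mustermann", "FRA-BRU 2017-05-09")   # constructed booking
    print(WeakCRS([pnr]).lookup("ABC123", "mustermann"))       # data returned, no trace left
    hard = HardenedCRS([pnr])
    hard.lookup("ABC123", "Mustermann", "guess", "unknown-web-client")
    hard.lookup("ABC123", "Mustermann", pnr.access_token, "traveller")
    for r in hard.disclosures_for("ABC123"):
        print(r.requester, "granted" if r.granted else "denied")
```

The point of `disclosures_for` is the second half of the MEPs' complaint: without a log, a CRS cannot answer a data subject's question of whether and to whom their PNR was disclosed, whatever the authentication rule is.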

If a written question such as this from an MEP is not answered by the Commission within six weeks, the MEP who submitted the question is entitled to place it on the agenda of the next meeting of the responsible committee of the European Parliament. More than seven weeks have passed, but there has been no answer from the Commission to this question.

Meanwhile, however, I made contact while I was in Brussels with Mr. Paul Nemitz, Director of the unit for Fundamental Rights and Union Citizenship of the European Commission Directorate-General for Justice and Consumers (DG JUST). Mr. Nemitz and I agreed that his unit was probably not the one responsible for investigating my complaint, but he generously offered to accept my complaint, find out what unit was supposed to be responsible for dealing with it, and forward it to them.

To my pleasure, Mr. Nemitz did as he said he would. I have now received a letter from the Head of Unit (Acting) of the Directorate General for Mobility and Transport (DG MOVE), Directorate E.1, advising that "my unit is in charge at the European Commission of the implementation of the Code of Conduct and deals with any alleged infringements of the Code of Conduct. There is no specific form or procedures to be used for lodging a complaint for an alleged violation of the Code of Conduct."

I have not yet received any indication of how long the investigation of my complaint may take.

For those who may wish to submit their own complaints of violations of the Code of Conduct for CRSs, these can be directed to:

European Commission
Directorate General for Mobility and Transport (DG MOVE)
Unit E.1 - Aviation Policy
Rue J.-A. Demot, 24, 5/76
B - 1049 Brussels
BELGIUM

telephone +32-22991111
MOVE-INFOS@ec.europa.eu

Many thanks to former MEP Ehrenhauser; current MEPs Albrecht, Sippel, and in 't Veld; their assistants; and Mr Nemitz for helping to uncover this information and finally get my complaint accepted and (I hope) investigated.

Background on CRS/GDS insecurity:

Background on EU CRS regulations and enforcement:

Posted by Edward on Tuesday, 9 May 2017, 13:07 (1:07 PM)
Comments

I've received no further news as to the status of the investigation of my complaint, but the same unit of the European Commission has launched a review of the Code of Conduct for CRSs:

https://ec.europa.eu/info/law/better-regulation/initiative/120003/attachment/090166e5b594463f

You can give feedback on this "Roadmap" here through 2 November 2017:

https://ec.europa.eu/info/law/better-regulation/initiatives/ares-2017-4870475_en

My feedback on the Evaluation Roadmap is here:

https://ec.europa.eu/info/law/better-regulation/initiatives/ares-2017-4870475/feedback/F7291_en

The "Evaluation Roadmap" for this review notes that, "Since the adoption of the Code of Conduct in 2009 there have been a limited number of complaints or own-initiative investigations.... To date, there is no ruling of the European Court of Justice linked to the application of the Code of Conduct."

The Evaluation Roadmap is dated September 2017, and indicates that the evaluation is planned to start in February 2018 and to be completed in February 2019:

"The roadmap will be open for feedback for 4-weeks and main stakeholders will be contacted directly to draw their attention to it. The feedback will be used where appropriate to revise the approach to the evaluation.

The stakeholders to be consulted for the purposes of this evaluation include: CRS providers and their trade associations (ETTSA), airlines and their trade associations (A4E, ERA, IATA); rail operators and their trade associations (CER, AllRail); travel agents and their trade associations (ECTAA), technology companies, including meta-search engines, and consumer protection organisations (BEUC).

An extensive consultation process will be undertaken structured around two main axes of actions:

* A 12-weeks internet-based public consultation provisionally planned to take place in the first quarter of 2018. It will give the opportunity to individual companies and consumers to express their views on the topic. The questionnaire will be available in French, German and English. Replies can be given in any of the official EU languages.

* A set of targeted consultation activities tailored for particular stakeholders' groups, including surveys, interviews and case studies to be conducted in the context of the evaluation study run by a consultant."

Posted by: Edward Hasbrouck, 8 October 2017, 15:23 (3:23 PM)