Friday, 28 November 2003
EU to require passports for pets
The European Commission today adopted a Decision establishing a model passport which will allow pets and their owners to travel more easily within the European Union. New EU legislation comes into force in July 2004 which will mean all cats, dogs and ferrets will need a passport to travel....
David Byrne, the EU Health and Consumer Protection Commissioner said: "This is great news for pet owners like myself.... This is a significant step for the free movement of people and their pets."....
Why do pets need passports?
...From 3 July 2004 the Regulation will require cats, dogs and ferrets to have a pet passport....
What will the passport look like?
The pet passport will measure 100 × 152 mm with a blue cover and the yellow stars of the European emblem. The languages used will be English and the official language of the Member State where the passport is issued. The words "European Union" and the name of the Member State will appear on the cover, along with the passport number which is the ISO code of the Member State followed by a unique number. This number corresponds to the pet's identification microchip or tattoo.
I haven't been able to figure out why this requirement will apply only to "cats, dogs, and ferrets", or what happens if the pet doesn't have a "microchip or tattoo".
New public face for CAPPS-II profiling office
Last week's meeting of the Department of Defense Technology and Privacy Advisory Committee (TAPAC) marked the public debut of the new spokesperson and second-in-command of the TSA's "Office of National Risk Assessment", the TSA division whose primary responsibility is the development of traveller profiling algorithms for CAPPS-II.
Although ONRA director, NSA cryptology school graduate, and military intelligence expert Ben H. Bell, III, was reportedly in the room, testimony for the ONRA was given by ONRA Deputy Director Stephen Thayer.
The only article I can find about his August 2003 appointment to the ONRA position described his sterling background thusly:
Stephen Thayer, the former New Hampshire Supreme Court justice who resigned three years ago after allegations of judicial misconduct, was recently tapped to be the deputy director of the new Office of National Risk Assessment in the Department of Homeland Security's Transportation Safety Administration. Thayer resigned from the court in March 2000 rather than face a grand jury investigation into claims that he tried to influence his own divorce proceedings. His resignation prompted the impeachment of the court's chief justice, David Brock, who was eventually acquitted. TSA spokesman Brian Turmail says that Thayer was chosen for the job in part because of his experience with "complex privacy issues," which will come in handy as the office tries to implement the controversial Computer Assisted Passenger Pre-Screening (CAPPS II) Program. From February until he took the TSA post in July, Thayer was executive director of the American Conservative Union. According to Turmail, Thayer was not available for comment.
(Ironically, current ACU board member Grover Norquist was among those who filed comments with the TSA and DHS opposed to CAPPS-II.)
It's not clear what, if any, actual qualifications Thayer has with respect to either transportation security or privacy. I can only guess that he was brought in as a political spokesperson, (1) to render less conspicuous the extent to which CAPPS-II and other DHS "security" programs have come to be dominated and driven by military intelligence officers, to the near-total exclusion of the aviation industry and security experts, and (2) to carry out lobbying with his old right-wing cronies in Washington in behalf of the ONRA profiling and intelligence-gathering programs.
Thayer's actual testimony, as it has been reported, pursued the same line of misdirection as other TSA and DHS public statements. According to Drew Clark's account in National Journal's Technology Daily, "Thayer said, 'In effect, there is no record' of the passenger names, addresses, phone numbers and dates of birth that travelers would have to provide to airlines when they purchase tickets." But there's still nothing in the CAPPS-II Privacy Act notice, or any existing law, to change current practices under which airlines, travel agencies, and CRS's keep records of this data for years.
Thayer also appears to have contradicted other TSA and DHS spokespeople -- who continue to claim that the TSA hasn't yet tested CAPPS-II, isn't testing it, and has no idea when it will be deployed -- when he said that, "ONRA is testing the system and hopes to have it running by the end of March."
TAPAC also got a briefing from the Army on the military subcontract in relation to which jetBlue Airways gave its reservation archives to Torch Concepts for passenger profiling tests. The Army claims the research was a "Base Security Enhancement Study", even though military bases were never mentioned in the Torch Concepts presentation. And, as Ryan Singel points out in Wired News, the briefing contains some peculiar-seeming statistics on the "success" of the profiling tests.
[Addendum: For more on Thayer's appointment to the ONRA, see Ex-supreme court justice wins Homeland Security post from New Hampshire's arch-conservative newspaper of record, the Manchester Union-Leader (free registration and cookie acceptance required).]
Airlines complain about government-imposed "security" costs
At the International Air Transportation Association's annual aviation security conference earlier this month in Athens, Greece (the location a nod to the anticipated security issues associated with the summer 2004 Olympic Games in Athens), IATA's Director General and CEO Giovanni Bisignani devoted his keynote address to a demand for governments, not airlines or air travellers, to bear the cost of government-imposed "security" measures.
Some of Bisignani's and IATA's logic is suspect. "Aviation cannot be discriminated against when the state provides security free of charge for other modes of transport," he claimed. But the government doesn't provide free security for other modes of transport: railroads, for example, have extensive private security forces to protect their rights of way, as do other private landowners. And his argument that, "The cost of aviation security must be borne by governments through general revenue and not from special taxes and user fees," amounts to a demand that the vast majority of the world's people who can't afford to fly should subsidize, with their general taxes, the small minority of globally wealthy members of the jet set. That may be the most regressive tax proposal I've ever heard.
But IATA's call "for a decision ... to oblige governments to assume responsibility for and funding of security measures" is a portent of the likely force of opposition to proposals to impose the cost of additional "security" measures, such as CAPPS-II, on the aviation industry.
Even before CAPPS-II, according to Bisignani, "These measures have carried a high price tag, with costs for extra security measures imposed on the industry reaching 5 billion dollars last year."
CAPPS-II alone could cost airlines hundreds of millions of dollars, and the industry as a whole (including travel agencies, CRS's, and tour operators) a billion dollars or more. With the attitudes Bisignani describes, that's not an expense the industry will absorb without a fight (even if they could afford to do so).
Bisignani also noted that, "Only globally harmonized systems and standards can facilitate the smooth flow of passengers through security and border control formalities." But with CAPPS-II plans not yet having even been presented to industry standards bodies like the IATA Reservations Committee Working Group (RESCOM) responsible for the ATA/IATA AIRIMP protocol for transmitting reservation data between systems, that doesn't seem likely to happen. That lack of coordination or consultation with industry will likely contribute to both higher costs and stronger industry opposition to schemes like CAPPS-II that depend on cooperation with, and implementation by, the air transport industry.
Thursday, 27 November 2003
No progress reported by European Commission on USA demands for access to airline reservations
The enforcement of European Union laws against the transfer of airline reservation data (or other personal information collected in the EU) to countries like the USA that lack adequate legal protection for privacy rights was reportedly on the agenda for yesterday's meeting of the European Commission in Brussels. But no announcement was made following yesterday's meeting as to what, if any, decision was reached.
The European Commission is the branch of the European Union responsible for enforcing the EU code of conduct for computerized reservation systems (CRS's), and for overseeing administration of the EU Data Protection Directive. The negotiations with the USA Department of Homeland Security on this issue have been led by European Commissioner Frits Bolkestein as part of his brief for internal markets issues including data protection and e-commerce. But final decisions and recommendations are made by the entire college of 20 members of the Commission.
A resolution enacted 9 October 2003 by the European Parliament called on the European Commission to take action by 9 December 2003 to ensure compliance with EU laws and regulations, either through cessation of transfers of passenger data from the EU to the USA or through adequate privacy provisions for the protection of passenger data once transferred to the USA.
An earlier resolution of the European Parliament, adopted 12 March 2003 by an overwhelming vote of 414 to 44, was amended on the floor of Parliament to include an explicit threat that Parliament could bring legal action in the European Court of Justice against the Commission should the Commission fail to carry out its duty to enforce EU privacy laws with respect to transfers of EU airline reservation data to the USA.
While most concern about CAPPS-II in the USA focused, at least initially, on the other personal information (from credit records and other data aggregators) that would be compared with reservation data, the profiling algorithm, and how the government would use this data, concern in Europe about CAPPS-II and other "Homeland Security" proposals affecting travellers has centered on the information contained in reservations themselves and how reservation data would (or wouldn't) be protected from both commercial and governmental misuse. That's clear from recent European reports on the issue, such as those here and here, and was equally clear in my meeting last week in Washington with European Commission staff familiar with the negotiations.
The crux of the diplomatic impasse is that:
- The USA Department of Homeland Security is demanding access to the contents of all passenger name records (PNR's) on all flights to or from the USA.
- EU law forbids the transfer of personal data from the EU to countries that do not provide adequate legal protection for the privacy of such data.
- There are currently no legal protections whatsoever for the privacy of airline reservations in the USA. Travel data in the USA, like "commercial" data in almost all industries except certain areas of finance and health care, is considered the property of travel companies, which are free to use, sell, or disclose it without the knowledge or consent of travellers.
Particularly in the USA, reporting on the negotiations has concentrated on the first two of these three items. And negotiators for the USA (led by Secretary of Homeland Security Tom Ridge, Under Secretary for Border & Transportation Security Asa Hutchinson, and Chief Privacy Officer Nuala O'Connor Kelly) have tried -- falsely -- to represent the conflict between (1) the USA demand and (2) EU law as irreconcilable without "compromise" by both sides. On that basis, they have pressured the European Commission to approve an "agreement" that falls short of full compliance with EU law, in exchange for slight reductions in the overbroad USA demands for data.
But the EC has no power to modify or authorize non-compliance with the law as enacted by the European Parliament. Both the European Commission and the European Parliament have already determined that the USA doesn't have "adequate" legal protections for travel data. (It's hard to imagine them finding otherwise, since at present there are no such legal protections at all.) And Parliament has already made clear, in both its March and October resolutions, that the duty of the EC is to enforce the existing law. That leaves the EC little choice but enforcement action -- except perhaps to suggest changes in EU law for Parliament to consider.
Unless, that is, the USA agrees to provide adequate protection for travel data. That's why the third item in the list above -- lack of travel privacy law in the USA -- has really become the key to resolution of the dispute.
The current dispute isn't about USA government demands for data, or EU unwillingness to cooperate with USA "homeland security" measures. It's about DHS unwillingness even to consider legislation governing commercial use of travel data, collected and turned over under government compulsion, that would conform to international norms of privacy rights.
If the USA-EU negotiations fall through, blame will belong squarely on the DHS Chief Privacy Officer, Ms. Nuala O'Connor Kelly, for failing to propose federal travel privacy legislation that would satisfy international (including EU) standards of adequacy. And if her superiors are unwilling to allow her to propose or endorse the legislation that would be essential to fulfilling her ostensible privacy protection assignment, she should do the honorable thing and resign.
In resisting any privacy legislation enforceable through courts or any independent arbiter, Ms. O'Connor Kelly is advocating for the DHS the same system of privacy "self-regulation" that she championed for corporate data aggregators and abusers in her previous job as chief privacy (invasion) officer for the Internet advertising company Doubleclick. So-called "self regulation" has failed to protect the public in the USA against corporate privacy invasion on the Internet, and the EC is right to dismiss it out of hand as ineffective and legally "inadequate".
When I asked Ms. O'Connor Kelly why she didn't propose travel data privacy legislation as the solution to the dispute with the EU, she told me, "That isn't the only thing they [the EC] asked for". That's true -- the EC has also, quite properly, asked that the DHS demand for access to data in PNR's be limited to information relevant to determining security risks -- but the EC negotiators have made clear that they have considerably more flexibility in negotiating which data is passed to the USA than in approving any "deal" that failed to include any legal privacy guarantees for that data once it's in the USA.
In spite of the EC willingness to negotiate on this point, the DHS has described the data in PNR's to the EC in seriously misleading terms. According to the Undertakings of the U.S. Bureau of Customs and Border Protection and the TSA to the EC (the document labeled 22 May 2003 is labeled a draft, but was released and is available from the EC Web site), "Most data elements contained in PNR data can be obtained by ... examining a data subject's airline ticket and other travel documents." But that's complete nonsense, as is apparent from a comparison of any actual ticket with the list at the end of the same "Undertakings" of 39 possible types of data in current PNR's (most of them never indicated on tickets) and 4 additional data items proposed to be added to all PNR's for use in CAPPS-II. Even that list of 43 items is merely a partial list of what might be included in PNR's, since lack of standardization in data entry permits the same type of data (such as religious meal preferences or other sensitive data) to be entered in any of several fields, and virtually any imaginable type of personal information can be entered -- typically without the passenger's knowledge -- in unrestricted free-text fields.
The same discrepancy between the actual breadth of information in PNR's, and the narrower categories of information likely to have any use in assessing potential threats to aviation security, is apparent in the DHS/TSA demands for data for CAPPS-II.
The DHS and TSA claim publicly that CAPPS-II will use only the four newly-mandated PNR fields, or "Name plus three" ("full name", "home address", "home phone number", and date of birth). But the most recent CAPPS 2.1 Privacy Act notice still provides for DHS/TSA access to all data in each PNR. When I asked Ms. O'Connor Kelly and the TSA spokesperson why they needed access to the whole PNR if only the "name plus 3" would be used, they said they couldn't comment on which data elements would be required because, "We don't yet know how CAPPS-II will work."
(This uncertainty about how CAPPS-II will work hasn't, of course, kept DHS and TSA officials from declaring confidently that it will work, although it certainly raises questions as to the basis for that confidence.)
As long as the DHS/TSA are unable or unwilling to justify their demands for the entire contents of each PNR on security grounds, it's hard to avoid the inference that their real interest is in using the additional data for surveillance, not security, purposes.
The distinction between existing PNR data and the newly required "name plus 3" on which CAPPS-II will supposedly be based also raises serious questions about the testing of CAPPS-II. Admiral Loy of the TSA has reportedly been considering issuing a "security directive" that would purport to require airlines to turn over "historical" PNR data (such as has been used in previous CAPPS-II concept testing) for further CAPPS-II tests. And Ms. O'Connor Kelly reiterated to me that future CAPPS-II testing would depend on access to airline PNR data. But supposedly CAPPS-II will use only the "name plus 3" (not in current PNR's), and won't use any of the other data actually in current PNR's.
When I asked Ms. O'Connor Kelly how PNR's without the "name plus 3" would be useful in testing CAPPS-II, given its supposed reliance on "name plus 3", she returned to the argument that she couldn't comment because she doesn't know how CAPPS-II will work. If true, her remarks cast serious doubt on any claims about the likely cost, implementation time, or effectiveness of CAPPS-II -- the subjects, among other issues, of the ongoing investigation of CAPPS-II by the General Accounting Office mandated by Congress as a precondition to CAPPS-II deployment.
[Addendum: The European Parliament has scheduled an "exchange of views" on this topic with Commissioner Bolkestein at a joint meeting of the parliamentary Committee on Citizens' Freedoms and Rights, Justice and Home Affairs with the Committee on Legal Affairs and the Internal Market in Brussels on Monday, 1 December 2003, in anticipation of the 9 December 2003 deadline previously set by Parliament for Commission action.]
Tuesday, 25 November 2003
USA airlines say CAPPS-II could cost them "tens of millions of dollars"
This week Ms. Nuala O'Connor Kelly, the Chief Privacy Officer of the USA Department of Homeland Security -- with whom I met last week in Washington, DC (more on that and the PhoCusWright conference of travel executives I attended in Orlando in future articles) -- has posted two more batches of letters received by her office during the August-September 2003 public comment period on the CAPPS-II (CAPPS 2.1) Privacy Act notice.
Many of the public comments (including my comments and many of those I'm aware of from other privacy advocates and civil liberties groups) still haven't been publicly posted, so there's no way to know what is yet to be revealed.
But the most recently-released batches include comments raising questions about CAPPS-II from, among others, the director of the Sacramento (CA) airport system, Americans for Tax Reform, People for the American Way, former Member of Congress Bob Barr, the Association of Corporate Travel Executives, and, most significantly, the Air Transport Association of America (ATA) -- the trade association and lobbying group for USA-based airlines.
ATA's comments warrant reading in their entirety.
As had British Airways -- the only airline to file comments on the earlier CAPPS 2.0 Privacy Act notice -- ATA's comments indicate considerable concern with the apparent incompatibility of the CAPPS 2.1 proposal and European Union data privacy law (with which ATA members that sell tickets in the EU, as do even purely "domestic" USA-based airlines, must comply). ATA also stressed that, "Consumer acceptance, both in the United States and overseas, of CAPPS II depends on the government's assurance of suitable privacy protections."
But privacy is only one of two issues ATA describes as "indispensable considerations in the development of CAPPS II.... We also believe that the implementation and operational issues associated with CAPPS II need to be clearly recognized."
ATA's comments on these "implementation and operational issues" of CAPPS-II, including its costs, warrant quoting at length:
Implementation and application of CAPPS II will impose substantial new requirements on passengers and airlines. As we have noted in previous conversations with TSA officials, passenger name records do not contain all the categories of information that TSA contemplates will be available for CAPPS II.... Moreover, some current PNR categories are not mandatory. CAPPS II will consequently require airlines to change significantly their practices for acquiring information from customers. This will create substantial new resource demands on airlines.
The essential implications about the anticipated CAPPS II passenger information collection requirements are:
- Airlines will have to obtain the required CAPPS II information from every passenger. This will be more intrusive for the passenger and far more resource intensive for the airline than is the case today.
- Airlines do not control third parties, such as travel agents and online booking entities, through which the majority of air transportation is purchased. Any failure of such a party to obtain mandated information will have to be remedied at the airport, which will delay passenger processing and inconvenience customers.
- Information in many instances will be obtained from passengers orally and entered manually into reservations systems. This will not only impose greatly expanded resource demands on airlines, it will also place demands on the time of customers.
As indicated above, airlines will need to reprogram their reservation systems to accommodate the mandatory collection of the expanded information categories. In addition, reservation call "talk time" will increase markedly, affecting the length of time a consumer is on a reservation call and the cost of such calls to air carriers. Furthermore, because the majority of reservations are made through third parties, most notably travel agents, airlines often do not have direct contact with the passenger until he or she arrives at the airport. This means that airlines cannot assure that information is collected from such customers at the time of reservation. Any CAPPS II rule must recognize this fundamental characteristic of airline distribution.... The failure to do so will result in serious delays for airline passengers at airport check-in, where airline customer service agents will have to collect from them the information that is necessary for CAPPS II.
The foregoing is not meant to be an exhaustive explanation of the implications of the mandatory collection of CAPPS II passenger information. It is intended, instead, to underscore that changes in the reservation and passenger processing environments will have substantial consequences, including added expenses and the likelihood of increased customer processing times.
The ultimate cost to the U.S. airline industry is unclear because the exact requirements of CAPPS II are unknown, as is the likely level of third-party provision of the required passenger information. With those caveats, the reprogramming and transaction costs of CAPPS II could generate tens of millions of dollars of costs for the aviation industry. This would be a very substantial burden for the airline industry, which is struggling to recover from unprecedented financial losses.
Extrapolating from this ATA estimate, the total cost to the hundreds of airlines around the world that have interline agreements with USA-based airlines, and accept reservations that include travel to, from, or within the USA, would likely be at least an order of magnitude greater than those to the couple of dozen USA-based airlines, i.e. in the hundreds of millions of dollars. And the costs to the CRS's, the hundred thousand or more travel agencies, and the many other tour operators and software and services providers around the world who deal with reservation data could conservatively be expected to exceed a billion dollars.
When I spoke with Ms. O'Connor Kelly last Thursday morning, she told me that, "We expect that CAPPS-II will reduce the cost to airlines compared to what they have to do now for CAPPS 1." She couldn't say on what that opinion was based; in fact, she appeared to deny that it had any basis at all. Her statement that CAPPS-II would reduce airlines' costs was immediately followed by her saying that she didn't yet have any cost estimates for CAPPS-II because the program hasn't yet been tested or deployed, and many decisions about how it will work haven't yet been made.
When I asked specifically whether she, the DHS, or the TSA had solicited or received any estimates of CAPPS-II costs or required implementation times from airlines, CRS's, or travel agencies, she only reiterated (with annoyance) that no cost estimates had been completed -- not mentioning that she had received, and withheld from public release for almost two months, an estimate from the collective voice of USA-based airlines that costs to them alone could be increased by "tens of millions of dollars." (By comparison, the line item for CAPPS-II in the DHS budget for fiscal year 2004 is US$35 million, making it highly unlikely that the DHS could afford to defray the airlines' costs, much less those of other companies involved in collecting and processing reservation data.)
Ms. O'Connor Kelly has professed great interest in "listening" to public comments on the CAPPS-II proposals. But if she had read the ATA comments, there was certainly no evidence in her responses to my questions that she had understood or paid any attention to them. The same could be said for my comments, and most of the other public comments: she had my comments in front of her on the table when we met, but she professed surprise when I mentioned key points that I had explained in them, and in my other writings, in great detail, many months ago. In fact, there was nothing in anything Ms. O'Connor Kelly said in our hour-long conversation, or in the written analysis of the CAPPS 2.0 comments that accompanied her office's CAPPS 2.1 notice, that acknowledged any of the major lines of criticism of the CAPPS-II proposal, or gave any indication that she had actually read or endeavored to understand them.
When I had pressed Ms. O'Connor Kelly as to whether her office, the DHS, or the TSA were consulting with the travel industry on the potential impact of CAPPS-II, she said that, "We have talked to some of the airlines." So after reading the newly-released comments, I spoke with ATA Vice President James Casey, in whose name they were filed, to see if ATA was being consulted on CAPPS-II plans.
Mr. Casey of ATA told me that, "We don't have any information the public doesn't have about CAPPS-II", that so far as he knew there had been no response from anyone at the DHS or TSA to ATA's comments, and that he didn't expect any.
He also said that so far as he knew there had as yet been no discussion at all of what would be required beyond ATA on a global scale for CAPPS-II, such as modifications to the ATA and IATA Airline Interline Message Protocol (AIRIMP) to support transmission of the additional data proposed to be required for CAPPS-II.
The implication is that the DHS and TSA, particularly Ms. O'Connor Kelly's office as the initial recipient of the public and industry comments, have ignored warnings of potentially huge implementation and IT infrastructure costs from the airlines through ATA, and from myself as the only travel agent to file comments on CAPPS-II. And they have made no effort to contact or consult with even those parties within the travel industry who filed comments raising these issues.
So much for dialogue and consultation with CAPPS-II "stakeholders".
[Addendum, 26 November 2003: Because of a "referring page" restriction, it isn't possible to link directly to the CAPPS 2.1 public comment files. All 4 files of comments released to date are linked from this page -- more will presumably be added someday. The ATA comments are on pages 30-37 of what is currently the first of the listed files of comments, with the link labeled "Letters received to DHS/TSA-2003-1, CAPPS II System of Records Interim Final Notice, 11-07-03". And you'll have to enable referral logging in your browser for the download links to work.]
Friday, 14 November 2003
Call for moratorium on RFID tagging of consumer products
In a Position Statement on the Use of RFID on Consumer Products released today, a wide range of privacy and consumer organizations and advocates (including myself) have called for, "a voluntary moratorium on the item-level RFID tagging of consumer items until a formal technology assessment process involving all stakeholders, including consumers, can take place."
Radio Frequency Identification (RFID) is an item-tagging technology with profound societal implications. Used improperly, RFID has the potential to jeopardize consumer privacy, reduce or eliminate purchasing anonymity, and threaten civil liberties.... The development of this technology must be guided by a strong set of Principles of Fair Information Practice, ensuring that meaningful consumer control is built into the implementation of RFID.... Some uses of RFID technology are inappropriate in a free society, and should be flatly prohibited. Society should not wait for a crisis involving RFID before exerting oversight.
RFID tags are tiny computer chips connected to miniature antennae that can be affixed to physical objects. In the most commonly touted applications of RFID, the microchip contains an Electronic Product Code (EPC) with sufficient capacity to provide unique identifiers for all items produced worldwide. When an RFID reader emits a radio signal, tags in the vicinity respond by transmitting their stored data to the reader. With passive (battery-less) RFID tags, read-range can vary from less than an inch to 20-30 feet, while active (self-powered) tags can have a much longer read range.
Publication of the joint position paper coincides with an important RFID Privacy Workshop tomorrow at MIT (to be Webcast by the MIT Media Lab). I won't be able to be there, but I fully endorse the statement, and look forward to the outcomes of the workshop and to more coordinated national organization and education on RFID. (I'll be on my way to Orlando, Florida for the 10th annual PhoCusWright Executive Conference , where'll I'll get to find out what's new in the Internet travel business, and what -- if any -- changes the travel industry is making in response to consumer concerns about privacy, surveillance, and the jetBlue scandal.)
For better or worse, RFID technology (1) is on the brink of widespread, potnetially near-universal, deployment by businesses and goverment, and (2) has potentially profound implications for privacy, anonymity, surveillance, and civil liberties. For more, see CASPIAN's Stop RFID Web site and Database Nation author Simson Garfinkel's RFID Privacy blog , as well as the other endorsers of the statement.
Some of the most problematic uses of RFID would relate to travel, and the potential that items with RFID chips carried by travellers could be used for monitoring, surveillance, and recording of travellers' movements, possibly without their knowledge. And use of RFID in either tickets and payment devices (as is already being done by some transit and toll-road systems) or in government documents (such as passports, visas, or even paper money with remotely-readable serial numbers), could make it impossible to travel at all without RFID tracking -- precluding any opportunity to give or withhold consent, except by staying home.
Although the joint position statement is concerned primarily with RFID in consumer products, it concludes with this note:
Although not examined in this position paper, we must also grapple with the civil liberties implications of governmental adoption of RFID... As an open democratic society, we must adopt a strong policy framework based on Principles of Fair Information Practice to guide governmental implementation of RFID.
Thursday, 13 November 2003
ICAO proposes to require remotely-readable passports by 2006
This week the Technical Advisory Group on Machine Readable Travel Documents (TAG/MRTD) of the International Civil Aviation Organisation, a technical standards organization affiliated with the UN and the ISO, published a formal proposal that all ICAO member countries begin issuing remotely-readable RFID passports by 1 April 2006.
The Proposed Amendments to the ICAO Standards and Recommended Practices were published on the Web site for the next meeting of ICAO's so-called "Facilitation Division", which sets aviation standards for travel documents (including the current passport optical character recognition standards), in Cairo 22 March - 2 April 2004.
Why, you may ask, does an aviation standards organization decide how passports will be formatted? Governments (with the USA taking the lead, but many others following) have turned airlines into de facto immigration enforcement agents: if an airline transports you to a country, but you aren't admitted, the airline is liable for substantial administrative fines -- regardless of whether your documents appeared valid and sufficient to the airline. With so much money at stake, airlines have to err on the side of denial of transport if they have any doubt about the validity or sufficiency of your passport, visa, or other documents. As a result, the crucial threshold for most international travellers is whether their documents will be acceptable to the airline at check-in: far more people have their documents rejected at check-in by airlines than are turned back on arrival for insufficient or invalid documents.
Because ICAO is a technical standards-setting group whose decisions are rarely politically controversial, and because the members of the working group are mainly airlines and immigration authorities, there has been little if any public participation in this plan to require all international travellers to carry remotely-readable personal identification chips.
Most of the criticism of RFID has focused on its use for commercial surveillance of consumers, but its use on ID documents like passports -- which international travellers are legally required to carry on their persons at all times, in most countries, and which would thus be exposed at all times to remote identity theft -- is at least as problematic.
The Machine Readable Travel Documents plan is summarized in a briefing paper for the Cairo meeting, Biometrics Technology in Machine Readable Travel Documents -- The ICAO Blueprint:
Through the work of the Technical Advisory Group on Machine Readable Travel Documents (TAG/MRTD), ICAO is currently developing detailed specifications for biometric-enabled, machine readable passports, visas and other official travel documents. On 22 May 2003 the Air Transport Committee of the Council approved a four-part recommendation from the TAG/MRTD which subsequently became known as the ICAO "Blueprint". The recommendation entailed selection of facial recognition to be used worldwide for machine-assisted identity confirmation [and] use of a contact-less integrated circuit (IC) (chip), with a minimum capacity of 32K bytes of data, as the medium for storage of electronic data, including biometric(s), on a travel document....
The fifth edition of Doc 9303, Part 1 (2003) includes a specification for insertion of a contactless IC in a machine readable passport. Technical reports elaborating on each of the four components of the blueprint have been prepared as precursors to formal specifications, and are available to administrations upon request, in CD-ROM format, as companions to Doc 9303 - Machine Readable Travel Documents, Part 1, Fifth Edition (2002) and Part 3, Second Edition (2003).... In due course formal specifications based on the technical reports will be incorporated in Doc 9303 and eventually will be processed for adoption as updated ISO standards.
The Division is invited to recommend adoption of the following new Standards and Recommended Practice: ... Contracting States should incorporate biometric data in their machine readable passports, visas and other official travel documents... Contracting States incorporating biometric data in their machine readable passports shall store the data as image(s) in a contactless integrated circuit, specified in ISO/IEC 14443, programmed according to the logical data structure as specified by ICAO.
A March-April 2004 meeting and a 2006 implementation target date may seem far in the future, but by the standards of international standards this whole scheme is already close to a fait accompli, and it's likely to take prompt and vociferous protest to ICAO by travellers and the privacy community, especially those already opposed to RFID in other areas, if it's to be derailed. (ICAO's "Machine-Readable Travel Document" scheme is also closely allied with IATA and SITA's "Simplifying Passenger Travel" scheme to integrate ticketing, check-in, and immigration and security clearance in a single document, which I discussed yesterday.)
I look forward to hearing from those with more technical knowledge just what is implied by the proposed RFID standards for travel documents, or the more detailed specifications contained in ICAO document 9303 (a US$204 set of four volumes summarized here, but that I haven't yet invested in or located in any public library -- if you have a copy to lend, please let me know).
Wednesday, 12 November 2003
Setback for "Simplified Travel" field test
Greece's national data protection authority has blocked a test that was scheduled to begin later this month of fingerprinting and iris scans of passengers on Athens-Milan flights.
The ruling is a major setback for the joint IATA/SITA Simplifying Passenger Travel (SPT) project, in which "biometric" data plays a central role:
The one-stop check concept is built around a passenger "travel card" which facilitates all aspects of the journey from initial enquiry/reservation through to baggage pick-up and exit at final destination. The card will be a "smart-card" holding secure personal data, including a machine-readable biometric, and passport/visa information.
(There's no explicit reference to remotely-readable radio-frequency ID chips in the SPT concept description, and RFID wouldn't have been used in the pilot programs, but the final SPT cards would almost certainly include RFID chips.)
Like every European Union member country, Greece has a national data privacy protection commission responsible for enforcement of the EU Data Protection Directive as well as the country's own privacy laws. EU airlines have been leaders in the SPT project; if other EU countries' data protection authorities take the same view of the illegality of biometric data collection as their counterparts in Greece, the whole SPT project will have to go back to the drawing board, if it isn't abandoned altogether.
SAS (Scandinavian Airlines System) is scheduled to begin another major SPT pilot test later this month, also involving fingerprinting and iris scans of passengers, at the much smaller airport in Umea, Sweden. Sweden is an EU member, and has its own strong privacy law, but SAS has gone further than any other airline in deploying multi-purpose smart frequent flyer/debit/e-ticket cards. So far as I know, Swedish courts and data protection authorities haven't yet been asked to rule on the legality of the planned test.
Airlines have conflicting interests in potentially privacy-invasive technologies: On the one hand, these programs might have operational and marketing advantages for airlines (especially if airlines are allowed free use of data passengers are required to provide on ostensible grounds of "security"). On the other hand, excessive data collection is likely to run afoul of many countries' privacy laws, in ways that could prove impossible for airlines to comply with if data collection demands by some other countries (especially the USA) aren't harmonized with global privacy norms.
The airlines' official collective positions reflect this contradiction: the declared priorities of the International Air Transportation Association (IATA) include the following two potentially contradictory items under the heading of "Security":
- Promote the implementation of global biometric techniques that enhance aviation security and passenger convenience.
- Ensure that new regulations affecting Advance Passenger Information [which are the subject of the current USA-EU negotiations] are internationally harmonised and minimally disruptive to airline costs and operations.
Tuesday, 11 November 2003
I am the child of a computer program.
I can prove it. It says so right here on my birth certificate, under the seal of the City of Cambridge: "Father's occupation: computer program".
Back in 1960, I guess, the clerk didn't know what a "programmer" was. Growing up, even on Route 128, relatively few of my friends knew what that was either.
I've never been a programmer, but I've been around them in various capacities (family, friends, housemates, co-workers, lover) for most of my life. So I suppose it's natural that it was love at first byte when I came across Ellen Ullman's memoir of 20 years in Silicon Valley and South of Market, Close to the Machine: Technophilia and Its Discontents. Like many readers, I found it the best depiction I'd seen in print (or pixels) of real life in software development and testing. (And if you think there is no intersection of "real life" and "software development and testing", all I can say is, "Read Ellen Ullman's books.")
I've been home sick yesterday and today (Wi-Fi + netBook = blogging in bed), hoping to get over a sinus infection before getting on a plane on Saturday. So I've had a chance to plunge into Ullman's new work, The Bug: A Novel. I'm smitten again.
Leave it to a woman, and a self-described "Old Programmer", to capture the essential truth that de-bugging, not design or coding, is the essence of programming, as well as the mindset of its practitioners (not to mention the elusive yet polymorphously perverse sex life of the geek, both male and female). Some may find the plot a bit unrealistic, but those in (or who've been exposed to) the life of the coder may find the characters too real. Certainly too real, I suspect, to be a best-seller (sadly), but still an instant classic.
(Caution: The Bug contains strongly technical language and explicit images of unexpurgated C code, although no understanding of either is needed to follow the plot. Reader discretion is advised for the squeamish or computer-phobic.)
[Addendum, 12 February 2005: The Bug has also been published in a paperback edition.]
"Key escrow" with TSA for airline luggage locks?
In a story apparently slated for general release tomorrow, Joe Sharkey gives advance notice in his column in today's New York Times that the USA Transportation Security Administration will cooperate in a program to sell special luggage locks to which the TSA will have either master keys or a master combination provided to all TSA inspectors.
"All will be geared around a uniform technology allowing them to be opened by T.S.A. inspectors using a combination of secure codes and special tools," the Times quotes the founder of the company set up to sell the locks as saying.
The main purpose of the scheme is undoubtedly for the companies making and selling the locks to make money. For the TSA, however, there's another motive: to the extent that the new locks are used, it will be harder for passengers to tell if their baggage has been opened, and thus harder to press claims against airlines or the TSA for damage or pilferage by TSA inspectors.
Currently, the TSA claims that it isn't liable to passengers for damage to locks or luggage when it breaks into bags. That's generally true, but that doesn't mean passengers are out of luck, or that the TSA isn't liable to the airlines.
It works like this: In most cases it's the airline, not the TSA, who accepts the bags from the passenger and is responsible for them until they are returned to the passenger in good condition. Passengers whose bags are damaged, or locks broken, should pursue their claims with the airline, in small claims court if necessary, even if the airline says that it isn't responsible because the damage was done by the TSA.
If a passenger consigns their bag to the airline, and receives it back damaged, the airline is liable to the passenger. Whether the airlines can collect from the TSA in such cases remains to be litigated, but that's not the passengers' problem, and doesn't affect the liability of the airlines to passengers for the damage.
Whatever its purposes, such a key or code escrow program is also idiotic and insecure: the tools or codes needed to open the special locks will be available to thieves (even those thieves who aren't also TSA employees) almost as soon as the master keys and opening instructions are disseminated to tens of thousands of TSA inspectors.
[Update: The scheme has been named Travel Sentry.]
Amazon.com cuts back on copyright infringement -- step by step
As of today, my books seem to have been removed (at my publisher's request -- Amazon.com still hasn't made any effort to obtain permission from authors) from Amazon.com's so-called Search Inside the Book program(s). Other books whose publishers have requested their removal seem to be working their way through the same process.
I can't tell if the removal is really complete, or if Amazon.com has retained copies of its "library" of page images and OCR-generated text.
But the 3-stage process by which my books have been removed, and others are being removed, has itself made clear 2 important things about the scheme(s):
First, the fact that it took so long (and wasn't done all at once, once Amazon.com decided to do it) strongly implies that Amazon.com hadn't considered the copyright implications of its plans (as others have also inferred), hadn't planned to offer even an "opt-out" option, and wasn't technically prepared to do so. In light of this, Amazon.com's claimed legal justifications need to be interpreted as ex post facto attempts to avoid liability, not as statements of their actual thinking or beliefs.
Perhaps more importantly, the step-by-step "removal" process exposed the independence of what are really three separate programs, despite their bundling by Amazon.com into a package it has somewhat misleadingly labeled "Search". By removing them one at a time, Amazon.com has demonstrated that they don't need to be linked and, most important of all, that they need to be independently justified.
- Search to identify books containing specific search text.
- Display of searched-for text in brief (2-4 line) context from the full text of the book.
- Display of full-page images.
In the case of my books, these were removed in inverse order.
First, as I reported earlier, the page image display was suppressed (with an "error" message), while the search results were still shown in context.
Then the search results were removed, but by searching for a text string appearing in my book, and in no other book in the Amazon.com program, I discovered that the book(s) containing that string would still be displayed (as cover thumbnails) in response to the search. This was perhaps the most interesting and promising stage, since it showed that the ability to search for and identify books containing specific text can be offered without needing to display either text excerpts or page images. "Search" and "electronic content delivery" are already, with Amazon.com's current technology, completely separable.
Finally, Amazon.com stopped identifying the books at all in response to searches.
Amazon.com listings for some books not in the "Search Inside the Book" and text and page-display programs now include a "Why can't I search inside this book?" link, which pops up the following message:
Our Search Inside the Book feature includes only books for which we have the publisher's permission to display copyrighted material.
That's a significant admission that the so-called "search" program actually involves the "display" of copyrighted material, of a sort that requires permission from someone other than Amazon.com (i.e. that it wouldn't be permitted as "fair use").
Continuing the discussion, Steven Kaye's Thousand-faced Moon blog has had a thoughtful series of articles on this, including lots of good links.
Copyright attorney Neil Isenberg of Gigalaw.com has a column on Cnet's News.com, Steal this book online, in which he concludes that Amazon.com's conduct might be legal, based on the (erroneous, in many cases) assumption that "authors may have granted to their publishers the right to participate in a program such as this." Isenberg also suggests that page-image display, if sufficiently limited, might constitute "fair use". But his argument on this latter point is clearly flawed, since he bases it on the impact of digital giveaways on print sales, rather than the impact of e-book and e-excerpt giveaways on potential e-book and e-excerpt sales.
Monday, 10 November 2003
Lowell Thomas Award for PracticalNomad.com article on travel and privacy
I was notified today by the Society of American Travel Writers Foundation that my article, Total Travel Information Awareness, as first published on this Web site (PracticalNomad.com and Hasbrouck.org) has been selected as the bronze medal winner in the "Travel News/Investigative Reporting" category of the 19th annual Lowell Thomas Travel Journalism Awards, America's most prestigious awards in the field. The winners were announced at the SATW annual convention in Orlando, Florida.
According to the panel of judges from the faculty of the University of Missouri's renowned School of Journalism, "This is an incredible journey into the traveler's loss of privacy in the post 9-11 era. The author relentlessly probes how government actions and loose or non-existent laws open a traveler's life to extraordinary and possibly unnecessary scrutiny. This article should be bookmarked on the Web by everyone who decides to leave home."
Judging for the Lowell Thomas Awards is blind: the judges don't know who wrote each article or where it was published.
Mine was the first article self-published on the Internet ever to win a Lowell Thomas Award (I hope it won't be the last, by me and/or others), the only article self-published in any medium (print or Internet) to win in any category this year, and the only article written for the Internet to win an award this year in any category except those limited to Internet publications.
Leading travel lawyer calls for privacy law
"There ought to be a law protecting the privacy of travel records, just as there is a law protecting your health records. There also ought to be a federal government agency that enforces the law."
So writes Mark Pestronk, legal advice columnist for the influential trade publication for travel agents, Travel Weekly, as the conclusion this week of a two-part series on the privacy of travel records: Clients' travel data isn't as private as they think (3 November 2003), and U.S. should take note of EU's data-privacy rules (10 November 2003); free registration and cookie and popup acceptance required.
Pestronk is a big fish in the small pond of experts on travel law, and his endorsement of the calls for Congressional action on travel privacy is likely to carry significant weight with travel agents.
Pestronk reports that "Contrary to popular belief, there are no federal or state laws prohibiting a travel supplier or travel agency from giving travel data to the government or any third party. [They] can even sell your data to the highest bidder."
Pestronk correctly, I think, assesses the divergent interests of travellers and travel agents and agencies (especially, I would argue, the vast majority of small travel agencies), in support of privacy laws, and the likely opposition from large suppliers of travel services and especially the CRS's/GDS's.
"The biggest commercial data gatherers of all, the GDS vendors, have no privacy policies that affect agency bookings," Pestronk points out. He describes travel services providers' privacy policies as "almost worthless", noting that "all these voluntary promises are empty because there are no meaningful consequences for violations."
Meanwhile, on 7 November 2003, Member of the European Parliament Marco Cappato made a formal request to the European Commission (the EU's administrative and enforcement agency) for enforcement action under the privacy provisions of the EU code of conduct for computerized reservation systems for transferring his personal data to the USA without his consent, on flights he took to the USA earlier this year. MEP Cappato also renewed his call for the European Parliament itself to "start proceedings against the EU Commission for failure to act" on violations of the EU CRS regulations.
MEP Cappato's complaint was directed to European Commissioner Frits Bolkestein, who described the demands by the USA for passenger data from the EU as "surely excessively intrusive by any standards" in a recent op-ed column in the International Herald Tribune.
Today's Wall Street Journal reports (with, I think, an excess of what from their point of view would be called "optimism"), that a "Passenger-data deal may be near." From the details of the story, it looks to me like the way forward still would have to start with adoption of adequate privacy protections for travel data in the USA.
Reportedly, "The U.S. says it is willing to entrust [passenger] data to a privacy officer within the Department of Homeland Security who is responsible directly to the U.S. Congress." But that would likely be meaningless, even if it satisfied EU requirements for independent oversight, which it probably wouldn't. Aside from the role of the DHS Chief Privacy Officer to date as a privacy-invasion apologist, not a privacy advocate, President Bush has already declared in signing the CAPPS-II oversight bill that Congress has no authority to exercise any oversight over the Department of Homeland Security, on separation-of-powers grounds, and that the Executive branch will treat Congressional oversight as purely "advisory". I don't know what could make it more clear that the DHS Chief Privacy Officer isn't independent (as would be required to satisfy EU law), and answers solely to the President, not Congress -- no matter what law Congress might enact. At a minimum, to satisfy EU requirements, President Bush would have to renounce his signing statement on the CAPPS-II bill, and accede to Congressional oversight over DHS privacy practices.
Travellers, travel agencies, and airlines based outside the USA don't have the lobbying clout in Washington that CRS's and USA-based airlines do. But with calls for a Federal travel data privacy law trickling up from the grassroots and being pressed by European Union authorities as the precondition to sharing of EU data, it's only a matter of time before someone in Congress introduces such a bill.
Friday, 7 November 2003
Cendant buys huge UK consolidator
The Cendant Corp. -- already the most vertically integrated travel company in the USA -- further expanded its range of holdings yesterday with its purchase of Travel 2 / Travel 4, perhaps the largest purely wholesale airline consolidator in the UK (as well as a major tour and land services wholesaler).
Consolidators have long had a much larger share of ticket sales in most other countries, especially the UK, than the USA. Travel agents in the USA have been looking increasingly to consolidators as a way to offer travellers lower prices than are available directly from the airlines, at a higher profit margin than published fares (on which airlines no longer pay commissions to most travel agents). Most USA-based airlines, computerized reservation services (like Cendant's Galileo division) and travel agencies that have traditionally ignored consolidators, and assumed that the available ticket prices were those published directly by airlines (when in reality there are far more consolidator prices than published fares), are poorly prepared to negotiate or market consolidator tickets.
For all these reasons, it makes sense for a company like Cendant to acquire successful consolidators to expand the range of prices they can offer both to the public and to the travel agents who subscribe to Galileo. Cendant started with Cheap Tickets in the USA; Travel 2 is a logical successor acquisition.
According to the announcement of the purchase, "Cendant Travel Distribution Services will use some of the technology available in its other subsidiaries, such as Galileo ..., to significantly enhance the offerings made by Travel 2/Travel 4 to the retail travel trade." It's unclear if that means that consolidator prices from Travel 2 will be made available to customers in the USA through CheapTickets.com or Galileo subscriber travel agencies, or if Travel 2 will still sell only through retail agencies in the UK.
Integrating Travel 2 with the rest of Cendant's information technology will also make it more difficult for Cendant to evade compliance with European Union customer data privacy laws. As DontSpyOn.US has recently reported, Cendant is planning a unified customer database, including a lifetime "Cendant ID number" for its dossier on each person who touches any tentacle of the Cendant octopus. Cendant provides CRS services in the EU, but has thus far avoided admitting to a direct relationship or responsibility for protecting the privacy, in accordance with EU law, of Cendant customers in the EU. That won't be possible with Travel 2, as a UK-based subsidiary: if Cendant wants to include any data from Travel 2 in their new central data warehouse, all of Cendant, and especially the central customer database (wherever it is located), will have to be brought into compliance with UK and EU privacy law.
"Terms of the acquisition were not disclosed" in the announcement, "But are not material to Cendant. The transaction is not expected to have a material impact on future Company earnings. This transaction reflects Cendant's previously announced strategy of identifying "tuck in" acquisitions." That's indicative of the scale of Cendant as a vertically-integrated travel Goliath: Travel 2 is "not material" to Cendant, even though Travel 2 serves 200,000 travellers a year and has annual gross revenues of GBP170 million (approx. US$285 million).
TSA lies to Congress about CAPPS-II
Testifying at a hearing on aviation security Wednesday before the U.S. Committee on Commerce, Science, and Transportation, Transportation Security Administration (TSA) Deputy Administrator Stephen McHale repeated the same tired lies about CAPPS-II that the TSA has been telling for months.
I found McHale's prepared testimony on the State Department public relations Web site. It's odd that they think it would make effective propaganda, especially abroad. His responses to Senators' reportedly extensive questions may not be available online for some time (let me know if you find them).
- McHale testified, "CAPPS II will ... us[e] information provided by passengers during the reservation process -- including name, date of birth, home address and home phone number." But the first time CAPPS-II concepts were tested by the Department of Transportation with real reservation data, before the TSA was even created, they learned that none of these 4 items are necessarily included in reservations. And my comments to the DOT and DHS/TSA should have made clear -- if they read them, as McHale claimed they were "in the process of reviewing the many comments" they received -- that data in reservations are rarely provided by passengers, but are provided primarily by third parties and intermediaries (travelling companions, travel agents, and so forth).
- McHale said that under CAPPS-II, "The "risk score" includes an "authentication score" provided by running passenger name record (PNR) data..." But the TSA has known for many months that the specific data it has requested (and which McHale had just listed) aren't in PNR's at all; indeed, current PNR data structures don't even provide fields for them, if someone wanted to try to enter them.
- McHale described the current CAPPS (CAPPS 1) airline passenger profiling and selection system as "airline-controlled". In fact, airlines are required by a (secret) government security directive to use a specific, government-supplied algorithm and "watch lists". Airlines are expressly forbidden from exercising any control over the profiling and selection criteria. Airlines themselves have publicly contradicted McHale's lie on this point. For example, in response to a racial profiling lawsuit filed earlier this week against Southwest Airlines by a University of Wisconsin business professor, the campus newspaper reported that, "The attorneys [for Southwest] interviewed the Southwest personnel involved in the incident and concluded the guards did not choose Mohammed independent of the technology... "In this case, what we believe is that Southwest personnel did not select Mohammed for specific screening, and it was done by CAPPS computers.""
- McHale told the Senators, "We are committed to continuous testing, evaluation and assessment of the system that is designed to ensure compliance with privacy policies -- by our own experts, independent overseers, and the public." I guess that's why they have proposed to exempt the system from the Privacy Act, have failed to meet deadlines for responding to Freedom Of Information Act requests, and have forced public interest groups to sue to compel even minimal compliance with FOIA requirements for public access to the information required for independent or public evaluation, assessment, and oversight.
- McHale claimed that, "CAPPS II would not retain data on U.S. passengers who are permitted to fly.... Information would not be kept after completion of the traveler's reserved itinerary, apart from a necessary audit trail that would not be searchable by passenger name or other personal identifier." This is by far the most categorical and significant lie in his, and the TSA's, ongoing campaign of lies. No current USA law, nothing in the CAPPS-II proposal, and no other proposal yet suggested by the TSA, the DHS or its Chief Privacy Officer, or the DOT (which still regulates the CRS's that store most reservation data), would place any restrictions whatsoever on the ability of CRS's, travel agencies, airlines, or anyone else to keep the data collected for CAPPS-II (under government mandate) for as long as they like, to use it for anything they like, or to sell, rent, or disclose it to whomever they please, without notice or consent from travellers or anyone else. And the DHS/TSA have repeatedly rebuffed requests from the European Union that they adopt such retention and usage restrictions as the precondition to transfers of data from the EU for use in the CAPPS-II system.
The last time I checked, lying to Congress was still a crime, especially when done by government employees, under oath, with intent to defraud.
There's also a lengthy story about the hearing and related developments in the San Francisco Chronicle. Particularly noteworthy is the strength and unanimity of opposition from international airlines to police state measures by the USA government that are likely to reduce foreign visitorship to the USA. According to the Chronicle story:
Spokesmen for several European airlines refused to speak on the record about CAPPS II, but said their carriers have not been consulted in formulating the regulations. "The Bush administration says, 'This is what you guys are going to do.' We don't have any input," said the communications director for a major European carrier.... "There should be a sign in every American airport that says, 'Welcome to the United States, you're under arrest,'" said a spokesman for a major Asian airline who asked for anonymity.
LAS to use RFID baggage tags
McCarran International Airport in Las Vegas (IATA city and airport code LAS) has signed a 5-year, US$25 million contract to track all baggage checked in by passengers at LAS using 100 million remotely readable, uniquely numbered radio-frequency (RFID) identification tags.
Regardless of the merits or demerits of RFID, what got my attention was the rationale being offered for it in this case, and the discrepancy between the arguments for RFID usage in airports presented to the travelling public and to the RFID industry.
In their press release, the airport and the RFID suppliers lead with the claim that RFID tags are "for use in tracking passenger bags as part of the airport's ongoing commitment to improving customer safety."
What does RFID baggage tracking have to do with safety? "The new system, operational in 2004, is designed to automatically track all passenger bags through inline explosive detection and screening equipment, ensuring safe passage for the airport's millions of customers."
What's that really supposed to mean? If a bag sets off the explosives detector, or the X-ray image is deemed suspicious, it's immediately opened and searched. Are we supposed to believe that, without an attached radio transponder, the bag inspectors would lose track of bags on the conveyor inside the screening machine, and wouldn't be able to figure out which one had the suspicious image or set off the explosives alarm? I don't think so. Lost bags at other points in the process are costly for airlines, but not a safety issue.
If we were going to do something about baggage tracking for safety, virtually all security experts would agree that the most important area for improvement would be to match passengers with checked bags when they change planes. (That's standard in the rest of the world, but not yet required in the USA.) But since the RFID system will only be used for passengers originating at LAS, it will do nothing to address the concerns of the security community, and many in Congress, about connecting bags, at LAS (an America West hub) or anywhere else.
While a Computerworld story based on the press release echoes the putative "safety" rationale for RFID deployment, the contractors told a different story to those within their industry: a longer, more detailed article in RFID Journal mentions "safety" only in a throwaway final sentence. It's solely about cost savings for airlines.
What's really going on here? Under intense attack on privacy grounds (especially in the USA, where there are no general privacy laws to protect travellers and consumers against abuse of RFID data), the RFID industry is trying to exploit fears of flying that are widespread and understandable, but grossly disproportionate to actual risk, in order to scare the public into acquiescence and suppress public scrutiny of the implications of widespread, unregulated deployment of RFID tracking -- just as "aviation security" has become a magic mantra invoked against criticism of CAPPS-II and other surveillance and tracking programs, even when, as with this RFID scheme, they actually have nothing to do with any actual risk or threat.
At least they're not using RFID to track passengers --yet. (That's in the next phase of plans by IATA and immigration authorities for an integrated, RFID enabled, passport/visa/e-ticket/boarding pass/frequent flyer/trusted traveller/credit/debit/ATM card.)
[Addendum, 7 November, 2003: In a similar vein of doublespeak, I got an e-mail message today from the Chief Privacy Officer of Earthlink, informing me that, unless I opt out within the next 30 days, Earthlink plans to start buying "publicly available" information about me from credit bureaus (http://mail.hasbrouck.org/Redirect/www.earthlink.net/optout), "so we can provide new and improved products and services." Uh-huh. You need my entire credit history in order to figure out how to forward my e-mail messages for $6.95 a month? Credit files aren't really "public information" even now, and wouldn't be at all if the USA complied with global norms of privacy protection.]
Thursday, 6 November 2003
Lawyers, bloggers weigh in on Amazon.com book page images
Authors' lawyer (and former book editor) Charles E. Petit, who apparently represents a number of short-story writers, offers both an excellent page of advice for authors on dealing with Amazon.com and some right-on commentary on the issue in his blog, starting with this article on 27 October 2003 (check his whole archive since then for the rest of the thread, describing in detail his communications with Amazon.com regarding the infringement of his clients' copyrights).
As of 31 October 2003, when Amazon.com was reported in the press as saying that only 15 authors had asked to have their works removed from the giveaway program, Petit noted that, "I am personally aware of more than 15 authors who had asked for removal by the close of business on Tuesday, and I'm certain there are others I don't know about."
Petit also writes, inter alia:
Using a 56k dialup connection, it took me less than six minutes to get a "free" copy of a 9,000-word article in investigating one of my clients' collections of academic works. It's an important, indeed seminal, work in that field; and it took less than five minutes thereafter to run the result through OCR software and get a compact, editable version that could easily have been posted on the Internet through any of the various pirate sources. Needless to say, my client was not very pleased....
What this really points out more than anything else is that S&M [sales & marketing] dorks don't care about legalities. Only someone who had no familiarity with Tasini could have conceived of this program, or at least conceived of it without running immediately to the legal department for advice. (That goes for you, too, Google and B&N; don't think my clients and I are not watching.) Instead, because getting a solid legal review might have derailed this neato idea before it started, whoever came up with it probably started lots of planning in an effort, whether conscious or not, to build so much momentum that it could not be easily derailed by some crummy lawyer "who doesn't understand sales in the first place."...
An individual author may decide that he or she does not care if the material becomes available through Amazon's program. That is his or her right. It is not, however, the right of either Amazon itself or the publisher (unless special contract language exists) to make that decision for the copyright holder....
This should have been done on an opt-in basis, not an opt-out basis. The publishing contracts and copyright law demand nothing less.
Eugene Volokh notes the issue in The Volokh Conspiracy, one of the leading legal blogs, but says, "I express no views on the economic or the legal question (in part because to answer the legal question I'd have to see just what the contracts say)." IMHO, saying he needs to read all the contracts (while true, in a sense) is missing the essence of what Amazon.com seems to be claiming: that the right of publishers (and perhaps, as Petit suggests, distributors) to dispose of electronic rights is somehow inherent by default in the right to print publication, irrespective of copyright ownership (as stated in the book itself) by the author, and even in the absence of any explicit contractual grant of electronic rights. That's exactly what the Supreme Court's decision in Tasini v. NYT would seem to imply that they don't have.
Like someone who likes free MP3's but who knows that Napster infringes copyrights, Volokh also seems reluctant to criticize such a "worthy endeavor", by which I guess he means "a program I might want to make use of myself".
Brian Dear's Nettle blog makes the same ambivalence -- he would find it useful himself, but recognizes that it's based on copyright theft -- more explicit in Unfair Use? Amazon's Free Book Giveaway and More on Amazon's Search Inside the Book:
For someone like me who's spent years doing research for a nonfiction history book, it's an incredible tool. This is the best thing on the web since Google unleashed a fully searchable Usenet archive dating back to 1982.
However, I am doubtful the service -- as it exists today -- will last long. It is too good.
Why is it too good? Because if you're determined, you can copy entire chapters out of books --- or, if you are really determined, entire books. Here's how...
How could this kind of feature possibly qualify as fair use of a copyrighted work? Amazon does not seem to place any burdens or restrictions in the way that would prevent such unfair use --- for that is surely what this is.
Books sold to law students for secondary reading are my stock in trade. From my perspective, what Amazon is doing is no different than what Kazaa is doing to music....
As a researcher, I have to agree: it is incredibly useful. It will help me satisfy law review editors' insatiable desire for citations. As an author of low volume reference works, however, I am afraid it will eviscerate my modest sales.
When he reviewed his particular contract with his publisher, Bainbridge discovered that even he, a commercial law professor, had explicitly signed away electronic rights to his books, without realizing or remembering having done so. But not all book contracts include grants to the publisher of electronic rights -- I know mine don't, and from my limited knowledge, I suspect most don't.
(You can see all my coverage of this topic since I first learned of Amazon.com's program in the Writing and Publishing section of this blog.)
[Addendum, 6 November 2003: As of this afternoon, the "Search Inside This Book" links and banner over the cover image have been removed from the Amazon.com pages listing my books, as have the previous "Look Inside the Book" excerpts. (Evidently Amazon.com will no longer provide for display of only selected pages: now it's the entire book or none of it. And they've reinstated earlier versions of the cover images -- even going back, for The Practical Nomad Guide to the Online Travel Marketplace, to the first version of the cover they ever used, from the publisher's pre-publication catalog, with a different title, subtitle, and look from how the book actually appears in print.) I guess that, even though they haven't deigned to talk with me, they are reading this blog, and noticed what I said in yesterday's entry. Come on, guys and gals: if you're reading this, and we both know you are, let's talk directly, OK? You know where to find me if you truly are willing to work with, and not against, authors and our interests. As I've outlined, I think there's a great opportunity to make this into an electronic text distribution system that benefits Amazon.com, publishers, readers, and writers.
Also today, the New York Times has a lengthy piece in the Circuits section on Amazon.com's "Search" program. (They still don't want to admit that "search" is not the same as "page-image delivery".) The Times reports that my publisher, Avalon Travel Publishing, "contacted its 140 writers to explain the program and offer to remove the books of those declining to take part.... 10 authors ... asked that their books be withdrawn." But the words "copyright" and "infringement" never intrude on the picture painted by the Times; also unmentioned is the fact that the governing legal precedent is the one in which the U.S. Supreme Court upheld the liability of the Times itself (and its co-defendants) for wholesale plagiarism in granting "licenses" for electronic distribution when their contracts with writers gave them only print rights.]
Wednesday, 5 November 2003
More book genres join travel authors in questioning Amazon.com giveaway of e-rights
Authors and publishers of cookbooks, short stories, and how-to books are joining travel writers and publishers, as well as major publishers like Penguin, in raising questions about Amazon.com's so-called "Search Inside the Book" program, which actually bundles together searching with free display of images of all pages from the books included in the program.
(According to a statement on the Amazon.com site, Amazon.com is "no longer accepting submissions to the Look Inside the Book program", under which publishers and/or authors could authorize only selected pages to be available through Amazon.com -- typically the introduction, table of contents, index, and perhaps a sample section -- without having to make the entire book available for free online display and download. Now, apparently, Amazon.com is requiring access to images of all pages as a condition of display of any excerpts, or inclusion of the text in searches.)
In Amazon's New Search Serves Up Recipes, the Washington Post (29 October 2003) describes the particular concerns of cookbook authors that "Amazon.com was giving away the recipe[s] for free".
Although some cookbook publishers quoted by the Post defended their decisions to participate in the page-display program, they also acknowledged that their right to do so was dependent on the terms of their contracts with authors for electronic rights to the content of the books. For example, the Post quotes Natalie Chapman, vice president and publisher of culinary at John Wiley & Sons, Inc. as saying, "If we have acquired electronic rights I would imagine that would allow us to do this." The Post says that, "Most contracts [between authors and publishers] now contain clauses that allow for all manner of electronic rights," but that's not true of many contracts, including those for many of the books currently included in Amazon.com's page-display program.
As of this morning, the listings for my books on Amazon.com still carry the "Search Inside!" banner across the cover images, and a "Search Inside This Book" link. But when I click on the cover image or the link, I get a page saying, "An error occurred when we tried to process your request. Rest assured, we're working to resolve the problem as soon as possible." Let's hope that means they are working to resolve the problem of their copyright theft.
The Post story also gives readers precise directions for how to overcome Amazon.com's "copy protection". It's not hard, and takes only a single keystroke: press the "Print Screen" key to print. Surely no one would figure that out without professional assistance from a hacker.
The Post points out that authors sometimes authorize specific content to be made available on the Web for a limited time. What isn't mentioned is that Amazon.com's Alexa division (the apparent source of the "Search Inside the Book" and page-display programs) already infringes those time-limited rights by making copies of Web pages available from its "archive" without regard for whether the license for Web display (which was never granted to Alexa in the first place) has expired. Google's so-called "cache" does the same thing, with the same disregard for copyright. Both sabotage authors' ability to re-sell the content for display elsewhere on the Web, or in other form, once the original license has expired.
Short stories are also at particular risk, since someone who wants one story may have little or no interest in the rest of the book in which it appears. Short stories in most genres pay poorly, but there's a well-established commercial market for science fiction short stories, novellas, and anthologies. Popular sci-fi stories are frequently re-sold to multiple anthologies. Not surprisingly, sci-fi story writers are also concerned about Amazon.com's online giveaway of excerpts undercutting the value of their electronic and print reprint rights. Sci-fi writer Kathryn Cramer reports in her blog that some have asked the Science Fiction and Fantasy Writers of America to get involved in the issue on their behalf. The SFWA already is the only writers organization with an active e-piracy public awareness campaign.
[Addendum, 6 November 2003: In an update in her blog, Kathryn Cramer reports that several sci-fi anthologies she and others edited have already been removed from the page-image display program, although pages from other authors' books remain visible despite their requests for removal. In an earlier article, she had shown that URL's can be constructed to link directly to the image of a specific page from a specific book -- which some reports, presumably based on claims by Amazon.com, had said was impossible.]
Monday, 3 November 2003
Privacy issues for group travel
JetBlue Gaffe Adds To Privacy Concerns; RELEASE OF SENSITIVE PASSENGER DATA HIGHLIGHTS LACK OF OVERSIGHT (Meetings and Conventions magazine, November 2003)
Meeting planners and group travel organizers and coordinators are beginning to wake up to the risks they face -- and the lack of protection they have -- if travellers and meeting participants' details are disclosed without their knowledge or consent.
Although it isn't mentioned in the quotes from me that were used in the final version of this article, some of the most costly changes in business procedures implicit in the current CAPPS-II proposal would be those related to group air travel. Normally, group reservations are made long before any names are known. But despite its vagueness, it appears that the current CAPPS-II proposal would require full names, and other data about each passenger, before reservations could be made. I doubt the people at the TSA and DHS behind the scheme understand how disruptive that would be to current group travel business procedures and software; I talk about some of the implications in my latest comments on the CAPPS-II proposal.
Saturday, 1 November 2003
The economics of e-books
Some commentators (at Ars Technica and elsewhere) have criticized me and other authors for being overly worried about the possible negative effect of free availability of page images on sales of printed books. I think print sales of some books would probably benefit, although some including my books would suffer. But that's missing the point: the major damage from giving away e-excerpts wouldn't be the incidental effect on print sales, but the direct effect on potential revenues from e-excerpt and e-book sales.
Amazon.com has represented what it's doing as a single program, called "Search Inside the Book", and it's been defended primarily in terms of the benefits, to authors and readers alike, of full-text search. But there's no necessary connection between "search" and "page image display", and so far as I know no one -- including me -- has objected to the "search" component of the system (except on the grounds that Amazon.com didn't ask for permission from the copyright holders, which I would probably have been happy to give if asked, depending on the terms).
As Thaen points out, "Amazon just needs to start selling eBooks alongside the hard copies, perhaps for slightly less money. Search for the book, if you like it/need it, just buy the eBook for $5. It's not like this technology doesn't give them the ability to do such a thing. It would discourage even the few people who would do this, and would encourage legal sales, ala the iTunes Music Store."
Let's look at the numbers for what that might mean:
The list price of the forthcoming 3rd edition of The Practical Nomad: How to Travel Around the World is US$21.95. The largest distributors get 60% discount from list price, so if Amazon.com buys from them, my publisher gets a net wholesale price from the distributor of $8.78 a copy. I receive royalties of 15% of the net price, or $1.32 a copy. Fairly typical numbers for royalty-based trade paperbacks.
But while my publisher splits wholesale receipts for my books with me 85/15, any revenues for so-called "subsidiary rights" (including e-book and other electronic rights) are split with me 50/50 (since in those cases the publisher doesn't have the costs of printing, binding, warehousing, or shipping of printed books). Again, fairly typical. Except that, as I'm about to show, the electronic rights should probably be considered primary, and the print rights "subsidiary".
Suppose that Amazon.com's markup on e-books were the same 150% as it is on my printed books. In order for me to earn the same $1.32 a copy, my publisher would have to get $2.64, and Amazon.com would have to price the e-book version of The Practical Nomad: How to Travel Around the World at $6.60. At that price, there would probably be relatively few takers, at least until the next generation of handheld display devices. (In reality, the retail markup and the selling price could probably be less, since Amazon.com would, like the publisher, have proportionately lower fulfillment and no warehousing costs for e-books. But I'm being generous to Amazon.com, for the sake of argument.)
E-book excerpts, however, are another story. Suppose the currently critical price point for e-book excerpts is, as several people have suggested, close to the successful iTunes price for a single song of a dollar a download (as discussed in this New York Times story last week comparing business models for music downloads; free registration and cookie acceptance required). Apple's iTunes had 70% of the total paid music download market even before it was available in a Windows version, and most other services are adopting similar pricing. At that price for an excerpt from one of my books (again, with the same generous 150% retail markup by Amazon.com), my publisher would receive $0.40, of which I would get $0.20.
The bottom line for me, the author: $1.32 for each $21.95 printed book sale; $0.20 for each $1 e-excerpt sale. So if there are 6 or 7 people willing to pay $1 to download a chapter of my latest book for every one willing to pay $21.95 for a printed copy, my royalty income from sales of e-book excerpts would equal or exceed that from printed books.
Is that likely to be the case? For most book-length novels, probably not. For some nonfiction, maybe not. For short stories, novellas, and anthologies, maybe. For my books, probably. For guidebooks, almost certainly.
My FAQ on international airfares and discounts, for example, gets tens of thousands of page views a month on multiple mirror sites. How many of those readers would be willing to pay $1 for the 100+ page chapter on airfares in the new edition of the book? Quite a lot, I suspect; I've even had discussions with my publisher about bringing it out in printed form as a separate book. The resource guide, another 100+ page chapter, would also seem likely to have a substantial potential market as a $1 download.
For a typical destination guidebook, it would seem almost beyond argument that the number of people willing to pay $1 to download the chapter or section relevant to their trip would be a multiple larger than 6 or 7 of the number willing to pay the price of the entire printed book.
I think the numbers I've sketched out here are fairly realistic. It doesn't actually matter, though, whether royalties for e-excerpts would exceed those for printed books. Only a tiny fraction of travellers to most destinations buy any guidebook. Most of the people who would pay $1 for an electronic guidebook excerpt wouldn't otherwise have bought a guidebook at all. So e-excerpt sales would be almost purely incremental revenue from a different group of customers, not diverted from would-have-been print book buyers.
Many travellers are going to only one or a few places, and want neither the expense nor the weight of an entire printed guidebook. Some buy the whole book anyway, and tear out just the section(s) they want. But many don't, feeling that it isn't worth paying for the parts of the book that aren't relevant to their trip, or that it's too hard to keep loose pages in order once they've broken the binding. Anyone who's spent time in travel bookstores or helping people plan their trips knows that there is enormous pent-up demand for customized or semi-customized guidebook excerpts.
Perhaps the clearest proof of the market potential for guidebook excerpts is the large number of successful volumes that were originally sections of guidebooks to larger regions. In the Moon Handbooks series from my publisher, for example, David Stanley's definitive Moon Handbooks South Pacific has expanded into an entire series of guidebooks to smaller sections of the region. Bill Dalton's Moon Handbooks Bali almost certainly outsells his Moon Handbooks Indonesia, of which it was originally a chapter, but I suspect only a small fraction of the buyers of the Bali handbook would otherwise have bought the complete Indonesia guide.
Given current technology, e-books are less valuable to most people than printed books. But since they can be sold much more cheaply, yet with the same profit to the author and publisher, that's much less important than you might think.
Just for kicks, I tried putting some page images saved from Amazon.com on my Diamond Mako (Psion Revo Plus) PDA. They were only barely legible (although I could have used them that way, in a pinch, for addresses, phone numbers, and the like). That's not a fair test, though, since Amazon.com has deliberately degraded the images, slightly, in an attempt to make them legible only on full-sized displays.
A better guide to the utility of e-guidebooks was my experience earlier this year travelling for the first time with a guidebook in electronic form: I "test drove" Wayne Bernhardson's excellent new Moon Handbooks Buenos Aires with a set of PDF files of the page proofs, downloaded with the permission of both the author and our mutual publisher. On my PDA, they were quite sufficient for details like addresses, with the advantage that searching electronic text is often quicker than using the index of a printed book, and that my PDA is smaller and lighter than almost any guidebook. I read some longer sections on my small laptop-sized Psion netBook, and printed out some sections (on a high-speed office laser printer) to bring with me in a flexible three-ring binder. The binder was bigger than a guidebook, but most of the time we were staying in one place. And I found I actually preferred pulling just the relevant pages out of the binder to take with me for the day -- and being able to put them back in sequence later, which you can't do if you tear pages out of a bound book -- rather than having to decide whether to carry an entire printed book each day. For the price, after that experience, I'd buy a lot more $5 e-guidebooks than $20 printed ones, for certain types of trips (e.g. not to the Third or Fourth World) -- if Amazon.com or another distributor gave me that choice.
The point is not primarily that Amazon.com's unauthorized and copyright infringing giveaway of e-book excerpts is undermining print book sales (although I think it likely that for many books it is). The point is that Amazon's theft and giveaway of e-excerpts is depriving authors and publishers of all possible revenue from electronic rights that for many books are already, properly marketed, substantially more valuable than the print rights. And the share of potential royalties represented by electronic rights is only likely to increase as display technology improves. Amazon.com is stealing most of the value of my, and my publisher's, intellectual property in my books.
Another commenter at Ars Technica, Hux, dismisses my and other authors' objections to Amazon.com giving away our works in electronic form as "the idiocy of copyright holders trying to cling to outdated sales models". But it's precisely because I see new sales models like e-book downloads as valuable -- already potentially more valuable than printed books, and increasingly so in the future -- that I object to someone else giving mine away for free without my permission.
Based on what's already been developed and deployed, Amazon.com's page-display system could easily and fairly quickly be modified into an e-excerpt sales system generating, almost immediately, revenues for authors and publishers of many types of books exceeding anything they are ever likely to get from sales of print books through Amazon.com or any other channel. My goal isn't to shut down new e-distribution channels, but to realize their potential.
Copy protection is an issue, but it's a surmountable one: I've bought specialized business publications costing hundreds of dollars that were delivered as unencrypted PDF files. For most potential e-excerpt buyers, theft won't be worth the nuisance if the price point is low enough (e.g. $1).
Amazon.com has a large financial incentive to negotiate a better, author-approved and mutually beneficial e-distribution scheme. In the USA, statutory damages for copyright infringement under 17 U.S.C. 504c start at a minimum of $750 per infringement (up to $150,000), even in the absence of any actual damages. Statutory damages can be reduced to as little as $200 if "infringer was not aware and had no reason to believe that his or her acts constituted an infringement of copyright". But the copyright notices in the page images made available by Amazon.com, showing copyright in the names of authors, would seem to preclude any such claim of "innocent infringement".
Supposing that half of the 120,000 books in the Amazon.com page-view program are copyrighted by their authors (almost all the ones I looked at were), Amazon.com faces minimum liability of $45 million even if they desisted yesterday. Hopefully, that will provide sufficient incentive for them to desist from their ongoing copyright infringement, contact writers, apologize, and initiate negotiations toward a settlement that will provide fair compensation to authors and other rights holders for the infringement to date and, more importantly, for future e-distribution by Amazon.com of copyrighted works.
[Addendum: From this story today in Publishers Weekly, it sounds like Google is planning something much more like what I'm suggesting than like what Amazon.com has done: "it is unlikely that the content will be provided in excerpted passages to customers, as it is on Amazon.... If a user clicks through, he or she would be sent to a separate page that contains a book abstract and the opportunity to buy the title." That's getting closer, but still missing the opportunity for instant purchase of an excerpt in electronic form. PW quotes an unnamed publisher as saying Google claimed "it has reached agreements that allow it to enter as many as 60,000 titles in its database." Let's hope that Google recognizes the need to get approval from authors first, whatever it's planning to do.]
[Further addendum, 7 November 2003: In digging further, I came across this analysis of Electronic Rights: Publishing Agreement - Grant of Rights & Royalty Clauses, which is from a publishers' attorney but nonetheless supports the idea that under standard book publishing contracts, authors are entitled to compensation for e-book and other electronic rights at the (almost always higher) percentage for "subsidiary rights", rather than the (typically much lower) royalty percentage for "primary rights" in the book itself. That's the assumption underlying my analysis above, and I wouldn't have thought that it even required argument. The author, Lloyd L. Rich, also calls attention in another article in the same series on Electronic Rights: What is a Book? to the opinion of the U.S. Court of Appeals for the 2nd Circuit, relying on New York state contract law, in Random House v. RosettaBooks, which is even more directly applicable than Tasini v. New York Times to the question of whether publishers or authors own e-book rights.]
Europe and U.S. (Still) at Odds on Airlines and Privacy
In an article in the travel section of tomorrow's New York Times, Europe and U.S. at Odds on Airlines and Privacy (already available on the Times Web site; free registration and cookie acceptance required), Times correspondent John Tagliabue reports from Paris that, "The trans-Atlantic differences [over travel data privacy] have put Europe's airlines in a bind. If they comply with American requirements, they violate European law; if they don't, they may be penalized by the United States."
In reality, EU data privacy laws apply to all data collected in the European Union, so the dispute affects USA-based airlines that sell tickets in the EU (i.e. all significant USA-based airlines, even ones that fly only domestic routes) just as much as EU-based airlines.
Tagliabue writes, "Last March the European Union gave airlines permission to comply temporarily with the requests [for travel data] from the United States even though they violate European privacy laws." Presumably, Tagliabue based this statement on what he was told by USA officials in the Department of Homeland Security. But in reality, the European Union never gave any such permission, as the DHS knows full well. But if the DHS is still putting out that line, they are trying to defraud the Times, and its readers.
The "joint statements" on the USA-EU talks of 19 January 2003, 18 February 2003, and 4 March 2003, in their diplomatic language, were careful to avoid any statement of "agreement" or "approval"; they merely "noted" what the USA had said it would do.
To make EU non-approval of travel data transfers from the EU to the USA even more clear, the European Parliament voted 414 to 44 on 12 March 2003 to adopt a resolution that it, "Regrets the joint declaration ... by EU and US officials, which lacks any legal basis and could be interpreted as an indirect invitation to the national authorities to disregard Community law; calls on the President of Parliament to activate the procedure provided for in Rule 91 of the Rules of Procedure with a view to determining whether an action may be brought before the European Court of Justice."
In effect, Parliament, the higher authority, voted to threaten legal action against its administrative agency, the Commission, for issuing a statement that even might have been interpreted as "approval" of data transfers to the USA without first ensuring that EU privacy law would be complied with.
On 9 October 2003, the European Parliament adopted an even more strongly-worded resolution noting "the fact that it is currently not possible to consider the data protection provided by the US authorities to be adequate" and ordering the Commission, within at most 2 months, to take action "to deny airlines and computerised information systems any access and/or transfer [of personal data on passengers] which is not in accordance with the principles" of EU law.
The problem is that the DHS is refusing to negotiate in good faith with the EU, a concern explicitly raised in the European Parliament resolutions. In particular, the DHS has refused even to consider the simplest and most obvious way out of the impasse: the enactment by the USA of adequate protections for travel data.
As I've discussed previously, the EU has never objected to international passenger data transfers per se, which occur constantly within the EU and with other countries. The only EU objection has been to personal data transfers to countries like the USA without adequate privacy laws for travel data. And the easy way out -- for everyone except those with other, sub rosa agendas to use travel data for surveillance or other nefarious purposes that such a law wouldn't permit -- is for the USA to enact an adequate travel data privacy law. (At present we have none at all, adequate or otherwise.)
The failure of the so-called Chief Privacy Officer for the DHS to do her job and propose such a travel privacy law, as well as the propagation by the DHS of misstatements about the USA-EU negotiation such as those that were fed to Mr. Tagliabue of the Times, makes it increasingly questionable whether she and the DHS are functioning as privacy advocates or as privacy invasion apologists.
The fix is still in on .travel
At its annual business meeting, the day after its public forum -- not , ICANN announced "an expedited process for a round of new sponsored generic top level domains (sTLDs), which will result in new sTLDs in 2004. sTLDs serve specific communities. (Examples of current sTLDs include .museum, .coop, and .aero.) "ICANN is working hard to listen and be responsive to the Internet community's needs and they have asked for us to address the issues regarding new sTLDs" stated [ICANN's CEO and President] Dr. [Paul] Twomey, who introduced the resolutions to the Board." (text of ICANN resolution)
Such are the depths of ICANN doublespeak: "working hard to listen" by adjourning before the start of the open mike for public comments.
Apparently some comments were taken earlier in the day, from those in the room in Tunisia or who had found out the comment e-mail address and submitted comments in advance, without waiting to see what proposals would be introduced at the last minute (usually, in ICANN's usual modus operandi, the most important ones). But those who actually wanted to respond to the staff and board proposals, and couldn't afford to be in Carthage, were SOL.
Anyway, ICANN's decision was exactly what IATA and its current front groups for its .travel scheme, Tralliance Corp. and the Travel Partnership Corp., had requested (demanded?) in a letter to the ICANN Board of Directors after the Board's last telephone conference, when the Board indicated that it might not approve a request for TLD sponsorship proposals at the Carthage meeting.
IATA wanted to make sure that its designee would be awarded .travel, ASAP, to manage for the benefit of the travel industry (and without regard for any conflicting interests of travellers, travel consumers, NGO's concerned with travel, or Internet users at large). Delivering .travel to IATA required the following, and this is exactly what IATA approved:
- IATA wants .travel approved, ASAP, since IATA and its friends have already been taking ICANN approval for granted and spending money on .travel plans accordingly. IATA got what they wanted: the ICANN board voted to direct ICANN's president to publish an RFP for new TLD's by 31 December 2003, not waiting for the evaluation -- only just begun -- of the (failure of the) previous round of TLD's including .aero. Interestingly, the Travel Partnership Corp. based its appeal for hasty action by ICANN on the cost to the TPC and its "constituents" of "delay" in approving .travel. This argument would make sense only if ICANN had already promised .travel to the TPC; if the only remaining issue was when -- not whether -- .travel would be awarded to the TPC and its partners; and if the TPC had invested in its plans on the basis of such a promise by ICANN. But the TPC didn't even exist when IATA's original application for .travel was passed over in 2000 -- on the appropriate grounds that IATA airlines don't represent the diversity of travel constituencies. And ICANN has never made any public statement whatsoever to the TPC, or promising to award .travel to anyone at all. The TPC's letter and its arguments are an implicit admission that there was a secret promise by ICANN that .travel would be awarded to IATA -- which there was, specifically through former ICANN staff person (and de facto managing director) Louis Touton, as I've written previously and described directly to the ICANN Board in my comments to previous ICANN meetings. The TPC's letter was a thinly-veiled demand to ICANN to honor ICANN's secret promise, and apparently ICANN got the message and acted accordingly.
- IATA needed a "sponsored" rather than an "unsponsored" domain: airlines and the rest of the travel industry weren't interested in the existence of a TLD for travel, open to all constituencies with an interest in travel. No, the whole point was to get control of the Internet travel namespace (IATA is a cartel, remember), which is only permitted with a sponsored TLD. IATA and the TPC got what they wanted: ICANN will only consider applications for new sponsored TLD's.
- IATA had originally argued for limiting the next round of TLD's to failed applications from the 2000 TLD application round (to rule out any potential competitors for .travel) by non-profit sponsors (IATA is, in theory, a non-profit organization, although that's a bit of a stretch since all its members are for-profit or government-owned airlines). But ICANN passed over IATA's .travel application in 2000 because IATA couldn't represent all travel interests, and IATA had to create a new "non-profit" corporation, the TPC, to give the appearance of broader representation in the sponsoring body for .travel. Having done so, IATA realized that they couldn't necessarily "transfer" the original application to the new entity (without making apparent that it was a captive front for IATA), and that even if they did, the TPC as a new shell corporation couldn't meet the qualifications to actually operate a TLD. Tralliance Corp. might meet those qualifications, and has close ties to ICANN insiders, but it's a for-profit corporation. So IATA & Co. reversed themselves, and asked ICANN to eliminate the limitation to nonprofit sponsors passed over in 2000. ICANN dutifully did so: the new RFP will allow applications for sponsored TLD's by any nonprofit or for-profit entity.
- Especially with applications theoretically open to all comers, IATA needed some way to ensure itself preferential treatment. ICANN delivered: the new round of TLD applications will be conducted so quickly as to heavily favor those who've already prepared their applications, and will lead to approval of only the top few applicants, probably 3, no matter how many worthy applications are submitted.
The fix is still in. Unless something major happens to derail it, ICANN will award sponsorship of a .travel TLD to Tralliance Corp. (with a nominal role for the TPC -- which will be forgotten as soon as the sponsorship agreement is signed -- as "policy making" body) as a front for IATA and the travel industry -- to the exclusion of the interests of travellers, travel consumers, consumer advocates, and Internet users at large -- at the next ICANN Board of Directors meeting, in Rome in March 2004.