Wednesday, 25 February 2004

TSA finally starts talking to travel execs about CAPPS-II

The USA Transportation Security Administration held its first meeting with corporate travel managers and privacy officers last Friday, according to an announcement from the Association of Corporate Travel Executives:

"It's time for the Transportation Safety Administration to consult with corporate travel managers and privacy officers..." This is the conclusion of the Association of Corporate Travel Executives, following a special meeting held today with the TSA. ACTE leaders are attempting to head off a confrontation between the TSA and corporate America over possible CAPPS II violations of company privacy policies. A previous ACTE survey indicated that 78% of respondent travel managers said that the collection of PNR data in this manner could compromise corporate privacy policies.

"The time has come for the TSA to sit down and talk to business travel managers and corporate privacy officers before moving forward with any more plans to extract information," said Nancy Holtzman, ACTE's executive director. "We are in the process of assembling a working group of travel managers and corporate privacy officers to advise the TSA to avoid further confusion stemming from the development of CAPPS II....

"The travel industry is just beginning to see what those costs might be. Earlier this week, travel industry authorities indicated that TSA data requirements could cost millions in reprogramming systems and in training," said Holtzman.

Earlier this month, ACTE said that they are "solidly behind" the GAO's report on CAPPS-II:

"Business travel managers from the largest companies in the country are questioning the impact CAPPS II will have on both their companies travelers and the travel industry as a whole," said Nancy Holtzman, executive director for the Association of Corporate Travel Managers. "In the scramble to draw the lines for privacy, little has been said about the deleterious effect the unworkable aspects of CAPPS II may have on a fragile industry recovery," said Holtzman.

Ninety-five percent of survey respondents in a recent ACTE poll found CAPPS II unacceptable in its current form.

More than a year ago, in my comments on the CAPPS-II Privacy Act noticce, I pointed out the conflict between CAPPS-II and the privacy clauses in corporate travel management contracts. But this is the first time it has been discusssed by the TSA with the corporations whose confidential business information would be disclosed under the CAPPS-II scheme.

These same privacy clauses in travel management contracts were almost certainly violated when airlines (including jetBleu and Northwest), CRS's (including Sabre), and third-party PNR processing firms (including Airline Automation -- now part of the Amadeus CRS -- and Acxiom) shared PNR data with government contractors and agencies for profiling tests. As recognition of the issue grows, so does the likelihood that all these companies handling, and secretly disclosing, reservation data will face breach of contract lawsuits from corporate travellers, in addition to the current crop of class action lawsuits by individual passengers.

Link | Posted by Edward, 25 February 2004, 11:52 (11:52 AM) | Comments (0) | TrackBack (0)

Friday, 20 February 2004

DHS Privacy Officer releases report on jetBlue Airways scandal

The Chief Privacy Officer of the USA Department of Homeland Security today released her Report to the Public on Events Surrounding jetBlue Data Transfer of the entire jetBlue Airways reservation archives to a military contractor.

The DHS also released a Transcript of Media Roundtable with Nuala O'Connor Kelly, Chief Privacy Officer, DHS conducted earlier this week. (Should I be surprised that, as the first to have uncovered and reported the jetBlue scandal, I wasn't invited?)

Perhaps the most important thing about the DHS Privacy Officer's report is its narrow focus:

This report is not intended to comment on allegations involving jetBlue's activities or the activities of Department of Defense employees or contractors, which in these circumstances is beyond the statutory purview of the DHS Privacy Office.

So the publication of this report should not be misunderstood to mean that the scandal has been "fully" investigated, much less "laid to rest".

The issues of privacy practices within the travel industry -- by jetBlue, Northwest Airlines, other airlines, CRS's/GDS's, travel agencies, and third-party PNR processing companies -- and of use of airline reservation data for other government programs including "Total Information Awareness", continue to demand a Congressional investigation that would extend well beyond the scope of next month's hearing on CAPPS-II.

Contradicting published reports by myself and other journalists (including the Times of London) that CAPPS-II contractors in 2002 received and used tapes of several million reservations on multiple airlines from the Sabre CRS, the DHS Privacy Officer says that, "At this time, there is no evidence that CAPPS II testing has taken place using passenger data." But no details are given as to what effort the Privacy Officer made to seek out such eveidence, or whether she even asked the members of the four 2002 CAPPS-II proof-of-concept contractor teams what data they used in their tests.

The DHS Privacy Officer's report concludes that:

TSA participation was essential to encourage the data transfer. As several airlines had refused to participate in this program absent TSA's involvement, it appears that, but for the involvement of a few TSA officials in these events, the data would likely not have been shared by jetBlue with the Department of Defense and its contractors.

The DHS report confirms that Torch Concepts received the jetBlue data as a subcontractor to SRS Technologies -- a relationship Torch excised from its Web site just days after I broke the jetBlue story, and SRS has been reluctant to admit.

SRS was the exclusive prime information technology contractor to the military's "Total Information Awareness" (TIA) program, but there's no mention in the DHS report of whether the Torch subcontract was under SRS's contract for TIA (and, once again, no indication that DHS Privacy Officer even asked). The relationship of the jetBlue/Acxiom/Torch/SRS project to the TIA program remains an open question, unlikely to be answered without a Congressional investigation.

The real bombshell in the report is the revelation that Acxiom Corp., a "data aggregator serving as a contractor for jetBlue", already had received all the jetBlue reservation data before it turned it over to military contractor Torch Concepts at the request of the TSA:

The actual transfer of the data, was, in fact, accomplished between Acxiom (acting as a contractor for jetBlue) and Torch Concepts.

In the USA, as the DHS Privacy Officer's report correctly points out, the Privacy Act only regulates the use of data actually held by the Federal government. So it wouldn't have prohibited jetBlue from giving copies of reservations to Acxiom or anyone else, as long as the government wasn't involved.

But this newly-disclosed earlier transfer of jetBlue reservations to Acxiom may have been an independent violation of jetBlue's privacy policy -- and, to the extent that privacy policy is legally binding, may provide an independent basis for legal action against jetBlue.

There's nothing particularly unusual in this sort of wholesale transfer of reservation data, without notice or consent from travellers, to companies travellers have never heard of or dealt with directly. As I've said all along, the only peculiarity of the jetBlue case is that jetBlue hosts its own database -- most airlines outsource hosting of their reservation databases to one of the big four CRS's/GDS's -- and that jetBlue actually has a privacy policy against the things it did.

The first reported tests of passenger profiling from reservation data after 11 September 2003 were conducted with several million reservations from the archives of another third-party PNR processing company that works as a contractor to airlines, Airline Automation, Inc. (now a division of the Amadeus CRS/GDS).

We don't know what Acxiom was already doing with the jetBlue records. (If the DHS Privacy Officer asked, she doesn't say in her report.) jetBlue has tried to excuse its gift of passenger data to a military contractor as a well-intentioned excess of patriotism, but jetBlue's newly-revealed prior "sharing" of passenger records with a data aggregator will be harder to justify. It's only one of a number of more recent signs of increasing efforts by travel reservation companies to "monetize" their archives of passenger data for targeted marketing and other purposes, including by aggregating them with other databases. (More on this in a future story I'm working on.)

But just as the fact that the TSA didn't violate the Privacy Act when they asked jetBlue to turn over their files to a military contractor is a sign of the need to close the loophole in the Privacy Act for commercial databases constructed at the government's behest, so the fact that jetBlue violated no law (except to the extent they violated their self-imposed privacy policy) when they gave their archives to a contractor to "aggregate" with other financial and government data is a sign of the need for a Federal travel privacy law protecting personal travel records in both corporate and government hands.

Link | Posted by Edward, 20 February 2004, 14:44 ( 2:44 PM) | Comments (1) | TrackBack (0)

Congressional hearing on CAPPS-II set for 11 March 2004

The Subcommittee on Aviation of the USA House Committee on Transportation and Infrastructure has scheduled a public subcommittee hearing on Thursday, 11 March 2003, on the proposed Computer Assisted Passenger Prescreening System, version 2 (CAPPS-II).

The Aviation Subcommittee Charperson, Rep. John Mica (republican of Florida) has been strongly critical of the Department of Homeland Security's Transportation Security Administration, but has to date stopped short of endorsing other House members' calls for suspension or termination of the CAPPS-II program.

Congress is in recess this week, and the list of witnesses who will testify at the CAPPS-II hearing has not yet been announced. The agenda for the hearing does not appear to include the privacy policies or practices of the travel industry, or any legislation to protect the privacy of travel records, so it's important to keep the pressure on Congress to address those larger issues.

This will be the first public inquiry into the billion-dollar plus scheme (the largest domestic intelligence program in USA history) to:

  • profile all air travellers (and eventually all travellers by surface common carriers);
  • conscript airlines and travel agents into collecting additional personal information to enable the indexing of reservations into lifetime travel dossiers (held by private reservation services, but accessible to the government at any time, and including information on travel industry workers, travel planners, and many other people besides travellers);
  • require for the first time in USA history a de facto domestic passport for the exercise of the right of the people peacably to assemble, protected under the First Amendment; and
  • begin the process of integrating airline reservation systems and government databases and networks, creating a new global surveillance insfrastructure for monitoring and recording the movements of people

While the DHS and its predecessor, the Department of Transportation, twice last year requested public comments on portions of the CAPPS-II scheme, many of the comments they received -- the largest volume of comments of any Privacy Act notice ever, almost all of them strongly critical -- are still being withheld from public release.

The DHS's purported "Analysis of Comments" failed even to ackowledge that any comments had been received concerning most of the main criticisms actually raised during the public comment periods: whether CAPPS-II would be Constitutional, whether it was authorized by law, whether it would include information on other people besides travellers, how much it would cost, its impact on the travel reservations industry, and so forth.

Written questions from several members of Congress concerning CAPPS-II and other government use of airline reservations for passenger profiling have gone unanswered by the TSA, DHS, and other agencies.

And more questions were raised by the report of Congress's General Accounting Office on the TSA's (lack of) success in meeting the prerequisites set by Congress for any further CAPPS-II funding.

One day of hearings can't begin to answer all these questions, but it's a welcome, and long overdue, start on bringing them into the limelight. I hope to be there, and will keep you posted.

Link | Posted by Edward, 20 February 2004, 11:28 (11:28 AM) | Comments (0) | TrackBack (0)

Tuesday, 17 February 2004

Call for Congressional hearings on CAPPS-II and travel privacy

A coalition of privacy groups from across the political spectrum today jointly called on Congress to hold hearings on "on the threat to privacy and civil liberties posed by government collection and use of airline passenger name records (PNRs)."

In a letter sent to the Chairperson and Ranking Minority Member of the House Committee on Transportation and Infrastructure, the privacy coalition says:

We are particularly concerned about the Computer Assisted Passenger Prescreening System (CAPPS II) being developed by the Transportation Security Administration (TSA), but in the wake of the JetBlue and Northwest Airlines scandals, it has become clear that there are too many unanswered questions generally about the government's use of PNR data and the state of our travel privacy. In the interest of transparency, hearings held by your committee will shed some light on this important issue and answer the following questions:

  1. What passenger information is collected, how is it shared and with whom?
  2. How long is the information retained?
  3. What are the names and numbers of government contractors (Torch), data-brokers and other third parties as well as their level of involvement in the PNR process?
  4. What rights do passengers have to correct information, as they do their credit reports?
  5. What rights do passengers have to view their personal data, as they do their medical records?
  6. What recourse do passengers have if they believe they have been wrongly "flagged"?
  7. Will CAPPS II be effective for identifying individuals who pose a threat to aviation security?
  8. How much will it cost the travel industry as a whole to comply with requirements to provide TSA with data not currently collected by the agency?

Before federal agencies further determine uses for our personal information, Congress itself needs to examine the issue, beginning with the collection of PNR data and the threat it poses to personal privacy.

The letter was signed by representatives of the Electronic Frontier Foundation, Free Congress Foundation, Electronic Privacy Information Center, Center for Democracy and Technology, People for the American Way, American Civil Liberties Union, Common Cause, Business Travel Coalition, Americans for Tax Reform, and DontSpyOn.US.

You can send your own letter to Congress supporting this call by filling out this form on the EFF Web site. EFF also has an updated backgrounder on their Web site, Why EFF Is Concerned About CAPPS II: Government Surveillance via Passenger Profiling .

Key themes of the privacy coalition letter to the House committee are echoed in another letter sent last week to the Transportation Security Administration by the Chairperson and Ranking Minority of the Senate Committee on Governmental Affairs, questioning the role of the TSA in requesting that jetBlue Airways give a copy of its reservation archives to a military contractor:

Press reports have indicated that TSA was involved in the transfer of millions of Passenger Name Records (PNR) to the Army contractor. Although the Department of Homeland Security (DHS) has indicated that TSA's role was limited, it has come to our attention that this may not have been the case. Army officials recently indicated to Committee staff that airlines were reluctant to provide PNR data to Torch Concepts without TSA's approval. It is our understanding that TSA did provide such approval in the form of a written request to JetBlue asking the airline to provide PNR data to Torch Concepts.

If TSA's involvement in the JetBlue incident is greater than previously acknowledged, then TSA needs to fully disclose its actions and swiftly move to reassure the public that it will act with greater concern for privacy rights in the future. This is especially important given that, in order to test and implement the new Computer Assisted Passenger Prescreening System (CAPPS II), TSA will likely need to compel airlines to turn over PNR data. Americans, in turn, need to know that TSA will be forthright in how it handles information about them. That reassurance can only come following a complete public accounting of TSA's role in the JetBlue incident.

"Specifically," according to their press release, "the Senators requested copies of any written communications from TSA to JetBlue Airways related to the Army's research project conducted by Torch Concepts, as well as an explanation of why this information might not have been previously disclosed."

Both the privacy coalition letter to the House Transportation and Infrastructure Committee leadership , and the Senators' letter to the TSA, reflect growing recognition that the potential for government abuse of travel data is inextricably linked with the privacy policies of "private" (but, of course, government licensed and heavily government subsidized) airlines, as well as travel agencies, CRS's/GDS's, and everyone else in the reservation data "food chain".

Meanwhile, the General Accounting Office is also turning its attention to the role of airlines and computerized reservations services (CRS's) in CAPPS-II. Business Travel News quotes Cathleen Berrick, co-author of GAO's latest report on CAPPS-II: "We have started initial interviews with airlines and reservations companies to assess the impact on them and on the traveling public." BTN picks up on the fact that, according to the GAO's recent audit, the TSA's "estimated life cycle cost of over $380 million through fiscal year 2008" for CAPPS-II did "not include air carrier, reservation company or passenger costs."

In my comments submitted to the Departments of Transportation and Homeland Security on the CAPPS-II Privacy Act notices, I estimated CAPPS-II implementation costs to the travel industry at US$1 billion or more . Since those were the only comments from anyone in the travel industry concerning the cost of CAPPS-II, it's more than a little shocking that they were ignored, that it's taken this long before anyone in the government has begun to pay attention to the cost of CAPPS-II, and that this is being done first by the GAO -- not the TSA or DHS, which ought to have had some concern for the cost implications of their schemes. Let's hope the GAO also looks into the impact on the tens of thousands of travel agents in the USA, and several times more around the world, who will be conscripted into doing the lion's share of the work (unpaid, presumably, or paid for by travellers in higher fares and/or service fees) of collecting and entering the additional tracking data required for CAPPS-II, in order for reservations to be indexed into lifetime travel dossiers.

Rounding out today's debates on the integration of passenger surveillance capabilities into the infrastructure of airline reservations, the European Parliament's Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE) was scheduled to resume its consideration in Brussels of both a draft Report on the level of protection provided by the USA on air passenger name records (PNR) and of a Spanish initiative, Obligation of [air] carriers to communicate passenger data . Statewatch has more details on the continuing opposition from governmental and non-governmental organizations throughout Europe to both proposals, as well as to future plans for biometric/RFID travel documents .

[Addendum, 20 February 2004: full text of letter from Senators Collins and Lieberman to the DHS]

Link | Posted by Edward, 17 February 2004, 16:26 ( 4:26 PM) | Comments (0) | TrackBack (0)

DHS spin doctors respond to GAO critique of CAPPS-II

Transcript of Media Roundtable with Nuala O'Connor Kelly, Chief Privacy Officer, DHS
(17 February 2004)

Transcript of DHS Undersecretary Hutchinson's Remarks at a CAPPS II Media Roundtable
(13 February 2004)

DHS 'Fact' Sheet: CAPPS II at a Glance
(13 February 2004)

CAPPS II: 'Myths' and 'Facts' from the DHS
(13 February 2004)

TSA Video News Release on CAPPS-II:

Most of this recent propaganda is merely a misleading attempt at "spin doctoring", but some of it is simply false -- especially the video news release.

DHS Chief Privacy Officer Nuala O'Connor Kelly manages to fit four of the DHS's biggest lies about CAPPS-II into a single (no doubt carefully crafted) sentence of her one sound bite of the video news release -- a sound bite constructed entirely of out-and-out lies.

Speaking about the changes from the earlier CAPPS 2.0 to the current CAPPS 2.1 proposal , she says:

  1. "We've actually reduced the amount of information we're collecting,..."
    In fact, one of the most significant changes from CAPPS 2.0 to CAPPS 2.1 was to increase the amount of data collected, by requiring airlines and travel agents to enter and pass on to the TSA additional information -- never previously required, and rarely if ever collected -- in each reservation.

  2. "...limited the ways that information will be used,..."
    In fact, there are no limitations whatsover in the CAPPS-II Privacy Act notices, or any other publicly-disclosed government regulation or policy, limiting the ways that airlines, reservation services, or travel agencies -- to whom travellers will be required by government order to provide their personal information -- can use that information. They will remain free under USA law, as they are now, to use or sell that information commercially, or give it to any government agency, for any purpose, without asking permission from, or giving notice to, the people whose personal data is to be disclosed.

  3. "...and also reduced the length of time the information will be kept...."
    In fact, neither are there any restrictions whatsoever in any current or proposed USA government rules on the lngth of time airlines, reservation services, and/or travel agencies are allowed to keep reservation records. Under the latest CAPPS-II proposals, they will remain free to retain them indefinitely, as lifetime travel history archives.

  4. "...We're also building systems where passengers can see their information and correct it if necessary."
    In fact, as the GAO noted in its audit report, nothing in current USA laws or regulations, or the CAPPS-II proposals, would require airlines, reservation services, or travel agencies to show travellers their reservation records, or correct them. As the GAO also noted, it's not clear that the TSA or DHS would have the authority to order private compnaies to change reservation records, even if the TSA or DHS wanted to.
Link | Posted by Edward, 17 February 2004, 12:54 (12:54 PM) | Comments (0) | TrackBack (0)

Friday, 13 February 2004

"Government Data Rules Eliminate Hope of Privacy for US Air Travelers"

Government Data Rules Eliminate Hope of Privacy for US Air Travelers
(Gene J. Koprowski, TechNewsWorld, 13 February 2004)

Most airlines outsource their domestic reservation databases, known as Passenger Name Records (PNRs) to organizations with clever names like Sabre, Amadeus and Worldspan.

"With the cost of storage dropping, retention times have been increasing, but they've always been at least three to five years," said Edward Hasbrouck, the travel guru at Airtreks.com , an Internet travel agency. "PNRs are kept in live storage until the completion of travel, after which they are moved to permanent archival storage."

Since 9-11, the government has been closely eying that domestic travel data, through the jurisdiction of the U.S. Patriot Act, and other measures. As a result, travelers in the United States "shouldn't have confidence in the privacy of their reservations" said Hasbrouck.

Experts believe that, unless the U.S. Congress passes an act to ensure privacy of travelers, unlikely, due to national security concerns, the collection of data on travelers will intensify, giving government users and some commercial entities with access the ability to track your travels -- and expected comings and goings too....

"There's an 'if you build it they will come' aspect to data collection and maintenance in such systems," said Hasbrouck.

"Once the data exists, even if technology restricts access to authorized users, technology can't determine who should be authorized. Decisions about authorization for access are policy choices, and can change long after the data is collected. Unless the records are destroyed, data can be used for purposes that weren't anticipated or authorized when it was collected."

Hasbrouck observes that as long as the data is kept, it can be requested by the DHS or TSA, regardless of whether the government maintains its own "mirror" of these data archives.

"The distinction between data retained by the government and by the private sector is largely meaningless in light of the Patriot Act provisions for the government to demand privately-held data, in secrecy, without the need of a court order," said Hasbrouck.

Link | Posted by Edward, 13 February 2004, 15:30 ( 3:30 PM) | Comments (0) | TrackBack (0)

Why CAPPS-II would cost a billion dollars

Several people have asked for the basis of my cost estimate for CAPPS-II, quoted today in Business Travel News online and elsewhere.

My estimate of US$1 billion or more in in infrastructure and implementation costs to airlines, computerized reservations systems (CRS's), travel agencies and agents, other intermediaries, and software and information technology service providers, in order to be able to provide the additional data about each prospective passenger in each PNR demanded for CAPPS-II ("full name", "home address", "home phone number", and date of birth) is an extrapolation from the IATA comments to the INS (see page 11) on the cost of the additional data collection required for the enahnced Advance Passenger Information System(APIS) system, based on the the relatively greater complexity and number of databases, intermediaries, interfaces, protocols, and API's required for CAPPS-II, as compared with APIS.

I've previously published my estimate in an article on my Web site, Total Travel Information Awareness , and in my comments to the DOT and DHS (see pp. 9-10, 50-52) last year, as excerpted below.

From my article, "Total Travel Information Awareness":

Personal data about travellers passes through a long "food chain" of people and information systems, in many cases, before it gets to the airline. In a typical case, it might go like this: You give your travel information to a travel arranger (travelling companion, family member, business associate, assistant, etc.). They provide your information, perhaps through a Web site (user interface, Web server, and booking engine) to an offline or online travel agency. They enter it (through a GUI, command-line interface, booking engine API, or third-party CRS interface) into a computerized reservations system (CRS), also known as a global distribution system (GDS). (The USA Department of Transportation regulations governing their operations refer to them as "CRS's", and that's the term usually used by travel agents. The companies themselves prefer to describe themselves as "GDS's".) The travel agent's CRS sends the relevant portions of the information (using bilaterally agreed inter-CRS data protocols, or the standard AIRIMP protocol) to the CRS of the airline on whose flight you are booked. If your trip involves travel on multiple airlines, or a "codeshare" flight actually operated by a different airline, your information is passed on again, perhaps to yet another CRS (again using bilaterally agreed protocols or the AIRIMP ).

None of these systems, interfaces, or protocols provide any way, much less any standard way, that the data the TSA plans to require under CAPPS 2.1 could be entered. Each of these systems and interfaces will have to be modified -- all in consistent and compatible way, and while continuing to handle millions of reservations every day -- to support the TSA's plans for CAPPS 2.1. There is no evidence that the TSA has even considered the cost (or who would pay it) or time required for these changes.

Airlines have put the cost of even much smaller IT infrastructure changes, limited to airlines' own internal systems, in the hundreds of millions of dollars. The best clue of likely CAPPS-II costs are the estimates, and commentary on them, in the comments of IATA, the international airline trade association, on the BCIS proposals to require airlines to collect passenger manifest data at check-in:

"IATA advised that the figures it was providing were estimates only and likely to be extremely conservative. The figures ... indicate that the estimated cost of the program's implementation will be approximately $164 million dollars. We believe now, based on a sampling of additional estimates now being reported by various airlines, that the actual costs for both initial implementation and data collection / airport operations will rise significantly higher."

Because data collection for the BCIS scheme would only occur at check-in, and would be done directly by the airlines, there would be no impact on travel agents, and no need to modify the interfaces between airlines. CAPPS 2.1 would implicate many more systems, interfaces, and protocols, and be much costlier.

IT implementation costs of CAPPS 2.1 would likely exceed a billion dollars, and even with funds in hand the work would likely take several times longer than the TSA has budgeted. Since the TSA's budget for CAPPS-II is only US$35 million in fiscal 2004, during which CAPPS-II is supposed to be put into full operation, it appears that the TSA expects the travel industry -- airlines, CRS's, and travel agencies -- to foot the bill themselves. That's unlikely to be possible, given the state of their cash reserves in the current travel climate. In effect, CAPPS 2.1 will conscript travel agents, airlines, and other travel data intermediaries into service as involuntary, unpaid servants of the government's surveillance, monitoring, and data collection agenda.

Collecting the additional data the TSA wants for CAPPS 2.1 will also require changes to business procedures, and require additional labor, especially for travel agents and airline reservations and ticketing staff. Travel agents will bear most of the burden of collecting and entering information about travellers, as well as complying with requirements to provide notice and obtain consent for disclosure of passenger data to the government (and keeping records that this has been done). CAPPS-II, in any of its variants, will also invade the confidentiality of travel agents' relationships with their clients: travel agents would be required to provide specified passenger data to the government, even if that information is subject to a contractual non-disclosure agreement and wasn't previously entered in PNR's.

From my comments on the CAPPS 2.0 Privacy Act notice (23 February 2004, pp. 46, 50-52):

The economic impact of the proposals would be immense. If the ... system were not exempted from the Privacy Act, and if airlines, CRS's/GDS's, airline hosting systems, and travel agencies could comply without violating the EU Data Directive or the Canadian Personal Information Protection and Electronic documents Act (all of which seem extremely unlikely to be possible), compliance would cost the travel industry at least hundreds of millions of dollars, probably billions, and take many months to implement....

Addition of entirely new fields to PNR data models is a slow and expensive process. So far as I know, the last time changes were made to a CRS's/GDS's data structure to enhance privacy protection was in April of 2002 when, in response to my criticisms of the disclosure of PNR data over the Internet without a password, Sabre (the largest CRS/GDS), began using the contents of the "passenger e-mail address" field in the Sabre PNR as a pseudo-password for access to Sabre PNR data through Sabre's Virtually There Web gateway. (See Who's Who's watching you while you travel? .)

This process took about two and a half months, even though it involved only adding a new function for the contents of an existing PNR field. Mr. David Houck, Sabre's Vice President, Industry Affairs, and chief privacy and regulatory compliance officer, told me in an interview that the reason Sabre chose to use the e-mail address as a pseudo-password, rather than a password stored as a separate field in the PNR (which would have been more secure, and standard data security and privacy practice in other industries), was that adding a new field to each PNR would take substantially longer and be prohibitively expensive.

Further indication of the potential cost of compliance with this proposal is contained in the comments of the International Air Transport Association (IATA) on the INS Notice of Proposed Rulemaking on Manifest Requirements , Docket No. INS 2182-01, RIN 1115-AG57, comments dated 3 February 2003.

According to these recent comments by IATA, the direct costs to the airlines alone of implementation of a system to provide the Federal government with post-departure batch access (not real-time or continuous access) to passenger manifest information (limited to a small finite number of specified data fields, not the entire PNR), for international flights only (not all flights), would be "significantly higher" than IATA's initial "extremely conservative" estimate of US$164 million. The cost of implementation of the ASSR [CAPPS-II] proposals at issue in this rulemaking proceeding would undoubtedly be substantially higher still....

For all these reasons the proposal should be withdrawn at least until the Department has conducted the requisite analysis of its impact as a significant regulatory action, particularly given its likely immense economic impact and its likely critical direct impact on tens of thousands of small travel businesses....

That analysis should include public hearings and expert and public testimony on the potential impact of the proposals, particularly on individual privacy, confidentiality of business information, personal and business data handling by small and large online and offline travel agencies, and related impacts on personal information practices in the travel industry.

From my comments on the CAPPS 2.1 Privacy Act notice (30 September 2003):

"A PNR may include each passenger's full name, home address, home telephone number, and date of birth."

This may be the most economically significant of all the misstatements in the Supplementary Information and the Notice.

In reality, most PNR's cannot now contain all this information, because current PNR formats, data structures, and interline data interchange and messaging protocols do not support these additional (currently optional, and some rarely used) data items.

It's not clear whether the Department has developed the CAPPS-II scheme in isolation from, and in ignorance of, how airline passenger information is handled, or whether the Department is knowingly trying to mislead the public and the Congress about the likely total cost of this proposal.

The Department's budget of US$35 million in 2004 for completion of development, testing, and deployment of CAPPS-II is ludicrously inadequate for this task. As I discussed in detail in my comments on the original Notice, the International Air Transportation Association (IATA) estimated earlier this year, in comments filed on a parallel but much more limited proposal by the INS (now also part of the Department of Homeland Security), that the cost of providing much more limited access to a smaller subset of PNR data on international flights only would be "significantly higher" then IATA's initial "extremely conservative" estimate of US$164 million. That proposal would have involved information collected from passengers directly by the airlines at check-in, so it would not have required any changes by travel agencies, CRS's, or any other intermediaries.

Either the Department is completely clueless about the implications of this proposal, and doesn't yet realize what sweeping changes in airline industry information technology infrastucture, protocols, and interfaces this proposal would require. Or the Department does know, and intends to impose implementation costs of US$1 billion or more on an airline industry that can ill afford them, and that will be obliged to pass them on to passengers in the form of higher fares.

Link | Posted by Edward, 13 February 2004, 12:41 (12:41 PM) | Comments (0) | TrackBack (0)

"CAPPS II Faces Massive Technical Challenges"

Industry: CAPPS II Faces Massive Technical Challenges
(Business Travel News online, 13 February 2004)

On top of myriad concerns already being debated (BTNonline, Feb. 12), sources said technical challenges to garnering additional passenger data for the planned computer assisted passenger prescreening system not only have gone unstudied, but may be so immense that implementation of CAPPS II before this summer is impossible....

American Civil Liberties Union technology and liberty program director Barry Steinhardt yesterday cited Edward Hasbrouck, a travel agent and traveler advocate, as the source of one estimate that reprogramming systems could cost up to $1 billion....

Hasbrouck came up with the $1 billion estimate by extrapolating from a $164 million estimate last year by the International Air Transport Association -- which it called "extremely conservative" -- on the cost of collecting passenger data for international flights at checkin with associated modifications to the airlines' host reservations systems, as part of a U.S. Immigration and Naturalization Service proposal that Hasbrouck called "parallel to but more limited" than CAPPS II. It related to the Advance Passenger Information System co-developed by INS and the U.S. Customs Service.

"But that IATA estimate does not address what CAPPS II would, which includes modifications at every intermediary layer of the distribution system," Hasbrouck said. "All the application programming interfaces have to be modified, starting with the airline interline messaging protocols, then the airlines' host systems, the GDSs, then the third-party software with their user interfaces, such as corporate booking tools."

Hasbrouck said that even these challenges leave out the facts that many business travelers simply walk up to buy a ticket and do not make reservations; group reservations often are made without using names; travelers can have multiple "home addresses" or, in the case of continuously flying consultants, no address at all; "full names" often exceed the space granted them in the PNRs or contain complicating characters; and more.

"Altogether, collecting and delivering the proposed data in a standardized format cannot take place in less than several years," Hasbrouck claimed....

As for the GDS companies, Hasbrouck said, they "are aware that their role and the abilities they would have, if unrestricted, would not withstand public scrutiny, so their main goal right now is to stay out of the spotlight."

One GDS company spokesperson agreed, calling "loaded" a question about the technical challenges to modifying the PNR data to serve CAPPS II. Another public relations representative called the same question anything but innocuous, reverting to a stock statement that, "We haven't been asked to disclose any customer data." Two of the four GDS firms did not return messages left yesterday about the issue.

Cendant Travel Distribution Division chairman and CEO Sam Katz last November said he wished he could answer a question from Hasbrouck about CAPPS II, but could not because it [CAPPS II] was no more than "an idea."

DHS did not immediately respond today to a request for additional information...

Link | Posted by Edward, 13 February 2004, 12:03 (12:03 PM) | Comments (0) | TrackBack (0)

40 members of Congress call for CAPPS-II delay or suspension

In two different letters sent this week, a total of 40 members of the USA House of Representatives have asked that the CAPPS-II airline passenger surveillance and profiling system not be implemented unless and until their, and their constituents', privacy and civil liberties concerns are addressed.

The first letter was sent Wednesday to President Bush, signed by 24 members led by Democratic Minority Leader Nancy Pelosi, and said in part:

Many of our constituents have contacted our Congressional offices concerned that their privacy rights have been violated by airlines turning over personal consumer information to the federal government without their knowledge or consent....

Before the Computer-Assisted Passenger Pre-Screening Program (CAPPS II) is implemented, we urge the adoption of a specific policy that makes clear the role of airlines in sharing consumer information with the federal government. Such a policy should articulate what information can be shared by airlines and how such information is to be shared. First, we would anticipate a clear explanation as to the boundaries of any information-sharing between airlines and the federal government. Second, consumers must be clearly informed at the time they purchase their airline tickets as to how their personal information will be used.

Currently there are no such policies at all, so by urging that they be adopted before CAPPS-II is implemented, the letter implictly calls for an indefinite postponement of CAPPS-II implementation.

The CAPPS-II Privacy Act Notice includes some limited restrictions on TSA contractors and providers of commercial data other than reservation data . But DHS Chief Privacy Officer Nuala O'Connor Kelly told me specifically that airlines, travel agencies, computerized reservation systems, and other providers of information in reservations will not be considered "contractors" or "commercial data sources" and will not be subject to those restrictions. In fact, they would be subject to no legal restrictions whatsoever, under either current USA law or the CAPPS-II proposals, on their use or sharing, commercially and/or with any government agency, of any data in travel reservations.

Since travellers can purchase tickets up to a year prior to their intended travel date, requiring notice at the time of ticket purchase would imply waiting at least a full year after implementing such a notice requirment before all passengers showing up for flights could be counted on to have received notice when they bought their tickets that their reservation data might be provided to the government.

The second, much stronger, Congressional letter was initiated by Republican Rep. Ron Paul, and sent today to Rear Admiral (Retired) David M. Stone, Acting Administrator of the TSA. It was signed by 6 of the signatories of the earlier letter, and 16 additional members of Congress (making a total of 40 signers of one or both of the letters):

In today's letter, the 22 Representatives say:

We write to you out of concern regarding recent reports that, despite broad opposition from across the political and business spectrum, the Transportation Security Administration (TSA) will push forward with plans to implement the Computer Assisted Passenger Prescreening System II (CAPPS II), a vast computerized network to probe the backgrounds of the 100 million Americans who fly each year in order to determine their "risk" to airline safety....

... We have serious concerns about the effectiveness and powerful dangers this system will pose to the civil rights and liberties of millions of Americans....

Members of Congress and the public also have reason to fear that CAPPS II will eventually be expanded to the further detriment of civil liberties. Former TSA Director Loy explicitly indicated that the agency envisions utilizing CAPPS II at other transportation hubs. If the system is indeed broadened for use in venues such as bus stations, highway toll-booths, or public events, the current proposal for CAPPS II appears to set the initial ground-work for the eventual implementation of a system of internal government checkpoints reminiscent of totalitarian regimes....

... One wonders if once implemented, the program will continue to morph into something similar to the Pentagon's "Total Information Awareness" concept, an over-arching system to monitor all available data sources in search of suspicious patterns of activity. The Congress soundly rejected this proposal.

New powers granted to government anti-terror initiatives must require that the power is necessary to thwart future attacks, and that the benefit of the new power outweighs its adverse effect on liberty. In its current form, CAPPS II fails both of these requirements. We ask that the program be suspended indefinitely until these serious concerns are addressed.

We await your prompt response to these issues.

With any further government spending on CAPPS-II prohibited by Congress (except for testing) as a result of yesteday's GAO report that seven out of eight Congressional criteria have not been met by the TSA, the ball is in the TSA's court to jusify any continuation of the testing, or to come back to Congress to seek permission and funding to proceed. And the responsibility is on Congress, if the TSA continues to ignore their concerns, to cut off funds for CAPPS-II testing, end the program entirely, and enact meaningful privacy protections against both commercial and government misuse of personal information in travel reservations.

[Addendum, 13 February 2004: Full text of today's letter, as released by signatory and Presidential candidate Rep. Dennis Kucinich.]

Link | Posted by Edward, 13 February 2004, 11:20 (11:20 AM) | Comments (0) | TrackBack (0)

Thursday, 12 February 2004

GAO report on CAPPS-II released

Aviation Security: Computer-Assisted Passenger Prescreening System Faces Significant Implementation Challenges.
(GAO-04-385, 12 February 2004)

Link | Posted by Edward, 12 February 2004, 08:43 ( 8:43 AM) | Comments (0) | TrackBack (0)

Wednesday, 11 February 2004

Most useful languages for world travel

A reader writes:

I enjoy your blog, especially your focus on privacy issues, and your coverage of The Amazing Race.

What do you consider to be the most useful languages for a world traveller to know?

Certainly the most useful language to know, if you want to travel to a wide variety of countries around the world, is English. There are few large cities or heavily-touristed places anywhere in the world where you can't find some people who speak at least a little basic tourist English.

There are places where no one speaks any language except the local one(s), but it's possible to communicate basic travel needs ("food", "toilet", "place to sleep", "transport to the place I'm pointing to on this map") with no mutual language at all. A well-designed set of pictographs helps -- the best are the laminated Kwikpoint cards, and I'd rate them an absolute "must", if they are allowed, for contestants on The Amazing Race. You'll get more out of a visit if you know a language understood by at least some of the locals, but not knowing any locally-understood language shouldn't stand in the way of going wherever you really want to go.

That said, the most useful languages other than English for world travellers are those that are:

  1. Used by at least a significant subset of people
  2. Throughout a large area
  3. Where English isn't widely used (which is especially likely to be the case where some language other than English is the dominant second language, so that only a small number of trilingual or polyglot people know English)

Depending on the region of the world in which you are most interested (and leaving aside the varying difficulty of learning different languages), that would include the following:

  • Spanish (useful throughout Latin America -- even in Brazil spoken Spanish is widely understood, and knowledge of written Spanish is adequate for understanding much written Portuguese)
  • Mandarin (useful throughout East Asia, and to a lesser degree in many other places)
  • Russian (English is not widely spoken in the former USSR; some people speak Russian in surprisingly many other places, although fewer than in the Soviet era)
  • Arabic (used as a second language by the literate classes throughout the Islamic world, even where Arabic isn't the primary language)

Other less widely useful but still significant possibilities (either less widely spoken, or spoken in places where English is more common) would include:

  • French (mainly useful in north, west, and central Africa, but losing ground to English)
  • Hindi or Urdu (useful in a large region of South Asia, but in most of that region it's relatively easy to get around in English)
  • Swahili (ditto in eastern and east-central Africa)
  • German (the lingua franca and most common second language of much of central Europe, having largely displaced Russian in that role over the last decade; also useful in Turkey, the Balkans, and some other places where people may speak English or German, but not necessarily both)

Most of these, it should be noted, are at least as useful to travellers because of their role as regionally dominant second languages, rather than solely for travel to places where they are the most common mother tongue.

I invite readers to add their additional suggestions in the comments.

Link | Posted by Edward, 11 February 2004, 20:53 ( 8:53 PM) | Comments (20) | TrackBack (0)

"Big business joins fight against new airport screening"

Big business joins fight against new airport screening
(Christian Science Monitor, 12 February 2004)

Corporate America has joined privacy advocates in raising alarm over the Transportation Security Agency's (TSA) plans to put a massive airline-passenger screening system in place by this summer....

More than 100 members of the Business Travel Coalition sent a letter to Congress this month urging more hearings. "The awesome new power of linked and mined public- and private-sector databases" demands more scrutiny, they wrote....

For longtime critics of CAPPS, like Barry Steinhardt of the American Civil Liberties Union, the addition of the business community to the roster of concerned flyers is "pivotal." "It's crucial that business travelers who make up the backbone of the traveling public, the travel agencies, and the airlines themselves begin to wake up and realize this enormous surveillance system is going to be built and we - the traveling public - will be asked to foot the bill," says Mr. Steinhardt. "The TSA has not demonstrated that it can actually make it work or make us any safer."

[Addendum, 13 February 2004: Business Travel Coalition Statement Regarding CAPPS II, from the new BTC CAPPS II Watch]

Link | Posted by Edward, 11 February 2004, 15:30 ( 3:30 PM) | Comments (0) | TrackBack (0)

AP, UPI say the GAO will give "thumbs down" on CAPPS-II

A draft of the forthcoming General Accounting Office (GAO) report on CAPPS-II obtained by the Associated Press and UPI reportedly says that the Transportation Security Administration (TSA) has failed to meet seven of the eight tests (see section 519) specified by Congress last fall as the prerequisites for any further spending on CAPPS-II, "except on a test basis".

Unless President Bush disregards the Congressional mandate, as he threatened when he signed the law requiring the GAO audit and restricting CAPPS-II spending, or unless Congress changes its mind, CAPPS-II deployment will be a dead issue as soon as the GAO report is formally submitted to Congress this Friday.

Congressional concern about the surveillance and monitoring of travellers, the privacy of travel records, and the "sharing" of travel data, has been focused -- quite properly -- on CAPPS-II. With the release of the GAO's failing report card, it's time for Congress to put a stake through the heart of CAPPS-II.

Congress should, of course, move promptly to block any resumption of wasteful and privacy-invasive tests of CAPPS-II (currently suspended pending talks with Canada on the protection of personal information collected in Canada and included in reservations to be used in the tests).

But it's also time for Congress to move forward on the underlying, and larger, issues.

As I discuss in What's wrong with CAPPS-II? And what should be done about it?, Congress should now:

  1. Investigate and hold public hearings on the privacy and personal information handling and usage practices of the travel industry, including what really happened with the jetBlue Airways and Northwest Airlines passenger records and the role of government agencies and corporations including the DHS/TSA, DOT, NASA, the military, Torch Concepts, SRS Technologies, Acxiom, other airlines, and the CRS's/GDS's.
  2. Enact a comprehensive consumer privacy law (which I would suggest be modeled on the successful Canadian example) requiring fair information practices in the handling of personal information -- including travel records -- by both government agencies and private companies. At a minimum, Congress should enact travel data privacy rules (focused on the CRS's/GDS's as the principal repositories of travel records) giving travel data as least as much protection as is currently given to medical and financial data.
Link | Posted by Edward, 11 February 2004, 14:41 ( 2:41 PM) | Comments (0) | TrackBack (1)

Tuesday, 10 February 2004

CAPPS-II director "retires" on eve of GAO audit report

Not waiting to face the music when the General Accounting Office reports on its audit of his CAPPS-II airline passenger surveillance and profiling program later this week, the director of the Transportation Security Adnministration's "Office of National Risk Assessment" (ONRA), whose principal task was to develop CAPPS-II, has submitted his resignation, according to this article in today's Washington Post .

The resignation of Ben H. Bell II leaves the TSA's ONRA, and the attempt to get funding for implementation of CAPPS-II from an increasingly skeptical Congress, in the hands of ONRA Deputy Director Stephen Thayer , whose greatest previous political success was in escaping his own impending impeachment or criminal prosecution.

Thayer was allowed to resign his previous job as Justice of the New Hampshire Supreme Court in the midst of an investigation of his attempts to influence his colleagues in their consideration of his appeal of the judgement in his divorce. The Chief Justice, whom Thayer had tried to influence improperly, refused to resign and was impeached. "On March 29, 2000, Justice Thayer offered to submit his resignation from the Supreme Court in return for the Attorney General's forebearance from presenting criminal charges against him to the grand jury," according to the Attorney General's report on the case.

One has to take Bell's intent to "retire" with a grain of salt: the last time he "retired", after a career as a Marine Corps "intelligence" (surveillance) officer, he turned right around and went back to work in a series of jobs managing intelligence programs for nominally-civilian government agencies including the INS and most recently the TSA.

Given the prevalence of (former?) Navy, Coast Guard, and Marine Corps officers in the leadership of the TSA, perhaps it's appropriate to ask if the rats are leaving the sinking CAPPS-II ship: the heads of both the TSA and the ONRA have now resigned, and their deputies are functioning as acting directors. No replacement directors have been nominated at either level, probably because Senate hearings on their confirmation would provide a forum for unwanted questions about CAPPS-II.

The ONRA and CAPPS-II have recently come under increasing suspicion for their possible ties to the military's "Total Information Awareness" program.

The Post also reports that the TSA's schedule for CAPPS-II testing has been postponed again, but without any postponement of the planned deployment date: "Testing of the [CAPPS-II] system is scheduled to begin in late spring. If successful, officials expect to start phasing in CAPPS II this summer." If true, that probably means that the recently-begun talks with the Canadian government have quickly revealed that CAPPS-II testing can't start without Canadian approval for the inclusion of legally protected data collected in Canada. But the lack of commensurate postponement of CAPPS-II deployment makes the schedule even less realistic or feasible that ever. There's a limit to how fast software changes can be implemented, no matter how much money you're prepared to throw at the problem.

As for the cost of CAPPS-II, I didn't know whether to laugh or cry when I came across a job posting dated January 2004 for a "CAPPS II Cost Analyst" for the ONRA. If, as indeed seems likely from everything else they have said, the TSA is only now beginning to investigate the likely cost of their plans, they are in for a rude awakening -- if it doesn't come sooner in the GAO audit report, which is due by this Sunday, 15 February 2004 (probably meaning that it will be releases Friday afternoon).

Link | Posted by Edward, 10 February 2004, 08:29 ( 8:29 AM) | Comments (0) | TrackBack (1)

Monday, 9 February 2004

House, Senate members call for action on travel privacy

Prompted by grassroots outrage at CAPPS-II and the jetBlue Airways and Northwest Airlines privacy scandals, especially from business travellers, members of both the House and Senate have begun calling for Congressional action.

The Oakland Tribune reports that 16 members of the House of Representatives have signed a letter to TSA Acting Administrator David M. Stone listing some of the problems and unanswered questions about CAPPS-II, and asking, "that the program be suspended indefinitely until these serious concerns are addressed." The joint Congressional appeal to the TSA was initiated by a Dear Colleague letter from Congressmen Ron Paul, Gerald Kleczka, and Presidential candidate Dennis Kucinich.

Republican Senator Gordon H. Smith of Oregon last week asked Chairman John McCain of the Senate Committee on Commerce, Science, and Transportation to hold a Committee hearing on privacy issues, particularly, "the sharing of customers' private information between domestic companies and federal agencies."

In his letter to Sen. McCain, Sen. Smith said he had recently written to both the Administrator of NASA and the CEO of Northwest Airlines, "requesting information about the NASA aviation security study which gathered private Northwest Airlines passenger information and may have failed to account for ... privacy considerations." Sen. Smith's letter also referred to the Committee's privacy concerns about "the submission of passenger records for the new Computer Assisted Passenger PreScreening Program (CAPPS II) by airlines and airline reservation companies."

Meanwhile, Business Travel News reports on interviews with corporate travel managers questioning whether they can trust airlines or the government with confidential business data in travel reservations, and the latest polls of travel managers on CAPPS-II, the Northwest and jetBlue scandals, and related travel privacy issues by the Business Travel Coalition and the Association of Corporate Travel Executives .

And, hard on the heels of the latest release of an internal TIA e-mail message casting more suspicion on the relationship between Acxiom Corp., the Transportation Security Administration, and the "Total Information Awareness" program, there are detailed investigations of Acxiom's involvement with these projects in Fortune magazine, "Never Heard Of Acxiom? Chances Are It's Heard Of You." (summary; news release; full text available online only to paid subscribers) and Salon.com , Acxiom is watching you .

Link | Posted by Edward, 9 February 2004, 15:41 ( 3:41 PM) | Comments (0) | TrackBack (0)

Sunday, 8 February 2004

"Last-minute travel: Does it pay to wait?"

I'm featured today in the travel section of USA Weekend , the Sunday magazine supplement to Gannett newspapers throughout the USA:

Last-minute travel: Does it pay to wait?

It used to be a steadfast rule of travel: Plan ahead, save a bundle. But more and more vacationers are waiting until the last minute to book their trips, often with the hope of saving money. A poll taken by the Travel Industry Association of America found that nearly two-thirds of 2002's leisure travelers planned their vacation within two weeks of departure. And the United States Tour Operators Association says 86% of its members have reported an increase in last-minute bookings. So why the change?

It's largely a post-9/11 misconception, says Edward Hasbrouck, author of "The Practical Nomad: How to Travel Around the World." When travel fell sharply after the 2001 terrorist attacks, hotels and airlines reacted by lowering prices at the last minute. "This was exacerbated when travel suppliers were reluctant to acknowledge the extent of the decline in demand," he says. "Acting on exaggerated hopes for speedy recovery, they left advance prices high and kept being forced to lower them at the last minute when the recovery didn't materialize. As a result, travelers got the idea that prices will always get lower at the last minute."

Sometimes that's true, but often it's not....

The article in USA Weekend is mainly about hotels, but the same goes for airline tickets. For more of my advice on this topic, see "The Practical Nomad Guide to the Online Travel Markeplace" and the airfare chapter of "The Practical Nomad: How to Travel Around the World".

Link | Posted by Edward, 8 February 2004, 22:21 (10:21 PM) | Comments (0) | TrackBack (0)

Friday, 6 February 2004

E-mail hints at use of jetBlue Airways reservations for Total Information Awareness

A newly-released e-mail message to John Poindexter, director of the USA military's "Total Information Awareness" (TIA) program, heightens my suspicion that the use of jetBlue Airways passenger reservation archives by a military contractor in 2002 was related to -- perhaps even central to -- the TIA program.

The 26 May 2002 e-mail message from "rpopp" (presumably Poindexter's Deputy Director at the Information Awareness Office, Dr. Robert L. Popp ) in reply to Lt. Col. Doug Dyer of the IAO, was provided to the Electronic Privacy Information Center (EPIC) last month in response to a Freedom of Information Act request.

A few days earlier, Lt. Col Dyer had submitted a set of recommendations (copied in the reply message that was released) for how the TIA program could make use of the data aggregation and data mining company Acxiom Corp. Dr. Popp replied, "Doug, did you broach w/ Acxiom the costs of performing #1 and #2??"

The items on Dyer's list that Popp referred to were:

  1. "Engage Acxiom .. to identify all the relevant [commercial] databases."
  2. "Have Acxiom provide us with a statistical data set ... for use in the TIA critical experiment (I don't know if we have a name for this one yet, but it's the one which involves discovering the red-team signature, discerning bad behavior form odd or normal behavior. We can use this real, large, but private data set to accelerate our critical experiment."

Both Dyer's message and Robb's reply were copied to only one other person, Poindexter himself.

There's no mention of jetBlue Airways in the recently-released e-mail message. But the next month, April 2002, DARPA selected SRS Technologies as "the single prime contractor to support DARPA's Information Awareness Office."

The month after that, May 2002, SRS Technologies awarded Torch Concepts, Inc. a "subcontract to apply its ACUMEN technology for intelligent pattern recognition in identifying latent relationships and behaviors that may help point to potential terrorist threats. Torch will perform a Security Enhancement Study that the Government plans to use in identifying abnormal events or activities that may indicate rebel actions before damaging events occur."

That sounds very similar to the "TIA critical experiment" as Dyer had explained it to Poindexter and Robb.

Even before the contract was awarded, according to a Torch presentation that I found on the Web in September 2003, Torch had been working on getting access to "the necessary data base being used by CAPPS II contractors". In the end, Torch didn't get exactly the same data that was being used in the summer of 2002 by the 4 competing teams of contractors testing CAPPS-II prototypes. (That data included several million of real reservation records from major USA-based airlines.) Instead, Torch was given the entire reservation archives (about 5 million reservations) of a single, smaller airline, jetBlue Airways.

Torch sent the jetBlue reservations to Acxiom, which matched as many of them as it could with Acxiom files. Torch then purchased these Acxiom records, merged the reservation and Acxiom records, and experimented with trying to identify "normal" demographic patterns and "anomalous" data in the composite passenger data.

This, too, sounds like exactly the sort of use for Acxiom data and "commercial databases" that the TIA office now turns out to have been considering.

Ever since I called attention to Torch's use of jetBlue reservations in its work, Torch has been extremely anxious to avoid having its project associated with SRS Technologies. The day after I first publicized the Torch-SRS connection, and the possibility that it indicated that the Torch research using jetBlue and Acxiom data had been subcontracted under the TIA program, the reference to SRS Technologies as the source of the Torch contract was removed from the press release on the Torch Web site. Later, the entire press release was removed from the press relase archive on the Torch Web site.

SRS Technologoes is the most prominent link in the chain of suspicion between Torch's use of jetBlue and Acxiom data, and the TIA program. The most plausible explanation for the attmept to hide the Torch-SRS Technologies relationship from public notice would be that the Torch project was actually part of the TIA program, subcontracted to Torch by SRS Technologies under its TIA prime contract -- and that someone doesn't want the jetBlue scandal publicly linked with the Poindexter and TIA.

The recently-released e-mail heightens those suspicions, and goes further in suggesting that the Torch work with jetBlue and Acxiom data may in fcat have been part of "the TIA critical experiment" in profiling and categorizing people and the identification of relevant databases for doing so.

While the TIA office has been disbanded, many of its projects continue under the auspices of other departments and agencies. The March 2002 e-mail to Poindexter quoted a "key suggestion" of Acxiom's chief privacy officer, Jennifer Barrett:

People will object to Big Brother, wide coverage databases, but they don't object to use of relevant data for specific purposes that we can all agree on. Rather than getting all the data for any purpose, we should start with the goal, tracking terrorists to avoid attacks, and then identify the data needed (although we can't define all of this, we can say that our templates and models of terroroists are good places to start). Already, this guidance has shaped my thinking.

Is CAPPS-II in part a stalking horse for continuation of the "TIA critical experiment" by the Transportation Security Administration's shadowy Office of National Risk Assessment (ONRA)? We don't yet know, but my travel industry sources all say that the point when the CAPPS-II project became an entirely "black" program, cut off even from the aviation security community, was when it was transferred to the newly-created ONRA. And the ONRA has reportedly been at the center of government stonewalling on requests for information about the jetBlue scandal.

We still aren't likely to get to the bottom of the jetBlue Airways and Northwest Airlines data "sharing" scandals without a full Congressional investigation, including public hearings. But the latest disclosures make it seem more and more likely that the experiments with jetBlue reservations were central to the TIA program, and that airline reservation records, to be obtained by the government through CAPPS-II, were expected to be one of the key data inputs to the TIA program.

Link | Posted by Edward, 6 February 2004, 07:51 ( 7:51 AM) | Comments (0) | TrackBack (0)

Thursday, 5 February 2004

Newly revised and updated 3rd edition of "The Practical Nomad: How to Travel Around the World" now in bookstores


book cover


If you've pre-ordered a copy, you should have it within days; some people already have received their copies. If you've ordered a copy and it doesn't arrive soon, or your local bookstore has trouble getting copies in stock, please let me know and I'll work with my publisher to make it right.

The first opportunity to get signed copies of the new edition will be at Easy Going Travel Shop and Bookstore in Berkeley, CA, on Thursday, 19 February 2004, at 7:30 p.m. They've already gotten their shipment of the new book, and have plenty of copies on hand. See you there!

Link | Posted by Edward, 5 February 2004, 23:04 (11:04 PM) | Comments (0) | TrackBack (0)

US Airways may be liquidated.

Airline news is often unduly alarmist, especially when it comes to safety issues. But recent headlines like, US Airways losing altitude quickly and US Airways in trouble again are for real, and should be taken seriously by US Airways passengers.

US Airways (IATA code "US" -- they bought the code from the USA government a few years back, after changing their name from Allegheny Airlines to escape the "Agony Airlines" sobriquet) was reorganized under bankruptcy protection in 2002-2003. Since the reorganization, they've continued to lose money, and have been operating on loans guaranteed by USA government. US$900 million of these loans come due in June 2004. If US defaults on the loans, it will go bankrupt again. This time, the likely fate would be liquidation, not reorganization.

In a last-ditch effort to meet the loan repayment deadline, US has invited offers to sell off its most valuable assets: the Boston-New-York-Washington shuttle and its hub operations (facilities, equipment, leases, and gate and takeoff/landing "slot" allocations) in Philadelphia, Pittsburgh, and Charlotte. But the offers for those assets reportedly total only US$300 million , which may not be enough to stave off default. And since US Airways has only been able to make money from price-is-no-object business shuttle travellers (and even there has been losing ground to Amtrak's excellent Acela Express service) or from hubs where its dominant position allows it to extort higher-than-average fares, selling those off would leave US even weaker. The result, as with TWA, would be a downward spiral that would only delay, not escape, the eventual "controlled flight into terrain".

Even if US keeps its hubs, its monopoly position won't last. Southwest Airlines has announced that they will start service to and from Philadelphia this May, and US has already admitted that they expect to have to reduce average prices 30 percent to compete with Southwest.

The question is no longer, "Will US Airways survive?" It won't, at least not in anything resmbling its present form. (Since the name itself is a saleable asset, there might be another airline called "US Airways" even if the present corporation is liquidated, as happened with the Pan Am name.)

The real question for travellers is whether some portion of US Airways will be acquired by another airline that willl continue to honor US tickets (as happened when American Airlines bought the last remnants of TWA), or whether it will go out of business like Pan Am, leaving ticket-holders and frequent flyers S.O.L.

I'm not a gambler, and I'm not going to speculate on which fate for US Airways is more likely. But my advice to ticket-holders, potential ticket buyers (don't), and holders of frequent flyer mileage credits (use them up ASAP) is in my FAQ on Airline Bankruptcies . Note especially that the US Federal law requiring other USA-based airlines serving the same route to transport passengers holding tickets on insolvent airlines (under extremely limited conditions) expired entirely in January 2004. Other airlines now have no legal obligation whatsoever to holders of tickets on bankrupt airlines.

[Addendum, 10 September 2004: That law was later extended, but only through 18 November 2004.]

Link | Posted by Edward, 5 February 2004, 17:12 ( 5:12 PM) | Comments (1) | TrackBack (0)

"EU Commission plots global travel surveillance system"

EU Commission plots global travel surveillance system
(John Lettice, The Register , 4 February 2004)

So actually, we're not talking about a battle between US Big Brother on the one hand and freedom and privacy loving Europe on the other; we are talking about a general, and effectively global, effort to neuter, circumvent or overthrow privacy protection legislation. As the Privacy International report says, "Starting with a simple law in the US, the European Commission has negotiated a global surveillance system tracking the movement of people."...

ICAO, the International Civil Aviation Organization, is the chosen vehicle for taking the surveillance system international. The US and EU plan to take the issue to ICAO with a view to constructing an international regime... Privacy International argues that the Commission, by abandoning the protection of European privacy rights will remove Europe as an ally for other countries coming under pressure from the US to weaken their privacy regimes, and that the result will be "a race to the bottom for global privacy protection."

The Register points out that the USA Department of Homeland Security currently has unrestricted access to the airlines' host CRS's. "So for example they could access free text data in the comments field [footnote], and data on flights which neither go to nor come from the US." That's not just a possibility, but a fact, as I reported last month and as will be exposed if the EU or anyone else ever obtains an independent, technically competent audit of the logs of DHS use of their CRS access.

In the footnote, Lettice recounts an experience a few years back at LAX airport, shoulder-surfing the "content of the free text section of the database BA staff were using as part of the wait-list collation process. 'Africa correspondent of the Financial Times,' one said (right, we thought, and I'm Lech Walesa...), while another pithily noted: 'Hopelessly out of control.'

That sort of thing is still routine. The "remarks" field in each PNR (item 19 of 34 in the list of PNR data categories in the proposed USA Undertakings on PNR transfers) can be, and is, used for pretty much anything any travel agent or airline employee feels like, including unverified and/or derogatory personal opinions from "VIP" TO "TROUBLEMAKER". Watch out: give the gate agent too much grief, and they could flag your PNR for the rest of your trip, or your frequent flyer record with that airline for the rest of your travelling life. All of which, under CAPPS-II, US-VISIT, and similar systems, will be grist for the mill of the global surveillance state.

(FWIW, I've cleaned up my previously posted analysis of the categories of possible data in PNR's today to make it a more useful reference, and corrected the categorization of a couple of items. Keep in mind, though, that usage of PNR fields varies widely, and there are no formats in the AIRIMP messaging protocol for the transfer between CRS's and host systems of many fields in those individual hosts.)

Link | Posted by Edward, 5 February 2004, 12:33 (12:33 PM) | Comments (0) | TrackBack (0)

Wednesday, 4 February 2004

Many questions, few answers on jetBlue scandal

What's come out of the inquiries into the jetBlue Airways privacy scandal four months ago?

Nothing , Ryan Singel concludes today after investigating the investigations for Wired News .

After my report in September 2003 that jetBlue had given their entire archive of reservation data to a subcontractor to the USA military's "Total Information Awareness" program, both the Department of Homeland Security's Chief Privacy Officer and the Army's Office of the Inspector General promised to investigate and report on what had happened.

Members of Congress sent lists of written questions to the DHS and the Department of Defense, and requested briefings on the results of those departments' internal investigations.

Freedom of Information Act (FOIA) requests by EPIC were promised "expedited prcessing". And EPIC made a formal complaint to the Federal Trade Commission, requesting that they investigate jetBlue's deceptive business practices for publishing a privacy policy contrary to their actual data handling practices.

To date, no report on the jetBlue scandal by any agency has been made public. Not a single document has been released in response to Congressional or FOIA requests. And so far as can be determined, no sanctions have been imposed on any of the parties to the misuse of millions fo jetBlue passengers', ticket buyers', and reservation agents' personal information.

Which all goes to prove, as I've been saying since the start, that we're unlikely to get to the bottom of the scandals related to the use of airline reservation data (from jetBlue, from Northwest, and from other airlines) for passenger profiling experiments without a Congressional investigation and public Congressional hearings.

It's an instructive example to European and Canadians who are being asked to accept these internal "oversight" ("self regulation") mechanisms as sufficent to assure the privacy of reservation data sent from their countries to the USA. The history of corporate and government self-restraint with respect to opportunities for misuse of personal data isn't promising. And the healthy scepticism of European observers toward the "Trust us" claims of USA corporations and intelligence agencies is well founded.

That skepticism appears to have led to a widening rift, not between the USA and the European Union but within the EU between those willing to acquiesce to USA surveillance demands (mainly in the European Commission) and those insisting -- as they should -- on compliance with existing EU privacy norms (in the European Parliament and national data protection authorites).

An EC "staff working paper", An EC-U.S. Agreement on Passenger Name Record, PNR (21 January 2004), posted today with an analysis and commentary by Statewatch, is dramatically at odds with EP staff drafts on the same topic I've seen recently. Stay tuned for more fireworks when the EP LIBE Committee revisits the issue later this month following the release date of the GAO report on CAPPS-II .

Link | Posted by Edward, 4 February 2004, 18:16 ( 6:16 PM) | Comments (0) | TrackBack (0)

Whatever you do, don't call 911

Moroccan lawmakers detained at Portland airport
The Oregonian , 1 February 2004

Seven members of the Moroccan parliament, visiting Portland as part of a goodwill tour of the United States, were removed from a Delta Air Lines flight Saturday morning and detained at the Portland International Airport...

Speaking through an interpreter, the visitors said they ... carried diplomatic passports and Delta officials were aware of their status....

Abbassi was detained when he ... tried to board, and the other members of parliament protested to the flight crew.... The pilot, using his authority, ordered the Moroccans off the flight, and the Transportation Security Administration became involved.

The visitors' luggage was removed from the plane, and officials became alarmed when they saw documents in Arabic with 911 written on them. It turned out that one of the group's host in Dallas, a previous stop, had given them instructions to call the 9-1-1 emergency number if they got into trouble, but it was mistaken for a reference to the Sept. 11 terrorist attacks.

Link | Posted by Edward, 4 February 2004, 18:03 ( 6:03 PM) | Comments (0) | TrackBack (0)

Tuesday, 3 February 2004

Bush boosts CAPPS-II budget in face of growing opposition

The Bush Administration has reportedly proposed to increase funding for the CAPPS-II airline passenger profiling and and surveillance system from US$45 million (previously reported as US$35 million, so this may be in error) in fiscal year 2004 to US$60 million in 2005.

The proposed budget is still only a tiny fraction of the likely billion-dollar cost of CAPPS-II, suggesting that either:

  1. The Administration still has no idea what CAPPS-II would really cost;
  2. The Administration is deliberately understating CAPPS-II costs in the budget;
  3. The real costs of CAPPS-II are being hidden in other line items or the budgets of other departments or agencies; and/or
  4. The Administration intends to force the travel industry (and, through higher airfares, the travelling public) to absorb most of the cost of CAPPS-II.

If I had to bet, I'd put my money on, "All of the above."

The budget proposal comes less than two weeks before the due date for a General Accounting Office audit and report on CAPPS-II ordered by Congress last year (see Section 519 of the law), after which no further funds can be spent on CAPPS-II unless the GAO finds that CAPPS-II satisfies the Congressionally specified criteria. Since such a finding by the GAO appears highly unlikely, the new budget proposal seems like wishful thinking on the part of the Administration.

On the other hand, the President said that, "the executive branch shall construe such section [conditioning CAPPS-II expenditures on GAO findings] as advisory", even as he signed the act, including that section, into law. So he may intend simply to ignore Congress' directive, although that would certainly lessen the chances for Congressional approval of any future funding.

The budget proposal also comes in the midst of growing opposition to CAPPS-II and other government traveller-surveillance schemes from business travellers , privacy advocates, and government privacy-protection authorities in the USA and abroad.

Either agreement from the European Union and Canada, or the cessation of flights between the USA and those countries, is a prerequisite for any testing, much less deployment, of CAPPS-II. The proposed agreement with the EU for CAPPS-II testing has come under intense attack, which continued today, as soon as the draft became public yesterday.

Following on the wide range of criticism and complaint of the government's plans released yesterday, Statewatch today reposted my analysis of the draft Undertakings of the USA Department of Homeland Security with respect to airline reservation data transferred to the USA from the European Union, as well as an additional statement from the ACLU making points very similar to mine:

European passenger data that is shared with the United States will receive little or no protection. Individuals targeted for scrutiny by U.S. officials will have no recourse as their most personal medical and financial is examined and processed in ways they never imagined and never contemplated when they purchased an airline ticket. We urge the European Commission on Privacy to state that United States laws are not adequate to safeguard the privacy rights of European citizens and block the implementation of this proposed privacy sharing agreement.

Two months ago, I wrote :

If the USA-EU negotiations fall through, blame will belong squarely on the DHS Chief Privacy Officer, Ms. Nuala O'Connor Kelly, for failing to propose federal travel privacy legislation that would satisfy international (including EU) standards of adequacy....

When I asked Ms. O'Connor Kelly why she didn't propose travel data privacy legislation as the solution to the dispute with the EU, she told me, "That isn't the only thing they [the European Commission] asked for". That's true -- the EC has also, quite properly, asked that the DHS demand for access to data in PNR's data be limited to information relevant to determining security risks -- but the EC negotiators have made clear that they have considerably more flexibility in negotiating which data is passed to the USA than in approving any "deal" that failed to include any legal privacy guarantees for that data once it's in the USA.

The sole legal barrier to CAPPS-II testing today (not,of course, that the DHS and its predecessors have concerned themselves with legal niceties in past CAPPS-II tests) is the need for EU, Canadian, and other international approvals, for which the key issue is the absence of any adequate privacy law protecting travel data in the USA.

Those such as Ms. O'Connor Kelly who claim so vociferously to believe that CAPPS-II need not conflict with privacy protection, and would even "help us preserve privacy", as her boss Tom Ridge said Sunday, should be the first people to endorse strong Federal legislation to apply international standards of privacy protection to travel data -- as the essential precondition to the international agreements that would be necessary for CAPPS-II.

Link | Posted by Edward, 3 February 2004, 18:49 ( 6:49 PM) | Comments (0) | TrackBack (0)

Monday, 2 February 2004

"Undertakings" by the USA on use of reservation data

As mentioned in an earlier article, Statewatch has posted the complete text of the 12 January 2004 draft "Undertakings of the [USA] Department of Homeland Security Bureau of Customs and Border Protection (CBP)" on transfers of airline reservations data (passenger name records, or PNR's ) from the European Union to the USA.

Normally I wouldn't go into such point-by-point technical and legal analysis. If it doesn't interest you, there are lots of other sorts of travel advice, tips, and consumer information elsewhere in this blog -- note the indexes of articles by category in the right-hand column -- on the rest of my Web site, and in my books .

But it's obvious on inspection to any travel agent or airline reservation representative that the "Undertakings" were written by people who've never seen a PNR, and have no idea what it contains, how the data is structured, or how it is entered.

Since I work with PNR's on a daily basis at Airtreks.com , and since my readers include Congressional and Parliamentary staff in several countries who need to evaluate the "Undertakings", it seems worth taking a few extra electrons here to explain how the "Undertakings" depart from reservation realities.

All this points to the need for a much more open process, in which privacy advocates with expertise in reservation data are involved in developing policies like these to govern their use.

The following numbered paragraphs are quoted from the "Undertakings", followed by my comments on each and lastly a detailed breakdown of PNR data categories ("Attachment A" of the "Undertakings").

The gory details are as follows (including minor updates and corrections to the list of PNR fields made 5 February 2004):

Legal Authority to Obtain PNR [2]

1) By legal statute (title 49, United States Code, section 44909( c ) (3)) and its implementing (interim) regulations (title 19, Code of Federal Regulations, section 122.49b), each air carrier operating passenger flights in foreign air transportation to or from the United States, must provide CBP (formerly, the U.S. Customs Service) with electronic access to PNR data to the extent it is collected and contained in the air carrier's automated reservation/departure control systems ("reservation systems");

This is a correct statement of the law, but the data proposed to be transferred substantially exceeds that required by the law, in 2 respects:

  1. The requirements of USA law and regulations are limited to data on passengers . But the draft "Undertakings" provide for transfer of all PNR's associated with the flight, including those related to those who never actually become passengers: PNR's that were never ticketed, cancelled PNR's , PNR's that were changed to other flights (and may have been changed to routings not touching the USA), no-show PNR's, etc.
  2. Neither the USA law nor regulations makes any mention of data transfer in advance of flights. Implicitly, they apply only from the time of flight departure ("wheels up"), since only at that time can it be determined who is a passenger, and who is merely a potential passenger.

The portion of the undertakings related to non-passenger PNR's, and to access to PNR's in advance of "wheels up", must be evaluated as providing for transfer of data not required by any USA law or regulation. It does not come under the exceptions to EU law or regulations for data required by law.

Use of PNR Data by CBP

2) Most data elements contained in PNR data can be obtained by CBP upon examining a data subject's airline ticket and other travel documents pursuant to its normal border control authority, but the ability to receive this data electronically will significantly enhance CBP's ability to facilitate bona fide travel and conduct efficient and effective advance risk assessment of passengers;

The point of this clause is to minimize the violation of rights inherent in mandatory government access to PNR's, by claiming that only the manner, not the content, of data access is changing from current inspection of tickets and travel documents by border control officers.

But this statement is false and deeply misleading. It betrays either gross technical incompetence or deliberate intent to mislead.

The majority of the data to be transferred cannot be determined from paper tickets.

An electronic ticket is included in the PNR, and there is no standard definition as to which portions of the PNR are included in the "electronic ticket". So it's unclear what "inspection of tickets" would even mean in the case of electronic tickets. But paper tickets remain common.

A couple of lines of free text can be printed in the "endorsement" box on paper tickets. Theoretically it could be used for anything (for a while, one nationalist travel agency in Athens was endoring every ticket they issued, "Macedonia is only Greek"), but normally the endorsement box isn't used for any of the other listed items.

As detailed at the end of this article , of the 34 categories of personal information listed in "Attachment A", PNR Data Elements Required by CBP from Air Carriers:

  • 17 of the 34 PNR fields listed in "Attachment A" are never printed on, nor identifiable from inspection of, paper tickets.
  • 9 of the 34 fields could sometimes or partially, but not fully or reliably, be determined from inspection of tickets.
  • Only 8 of the 34 fields could usually be determined from inspection of tickets.

5) With respect to the data elements identified as "OSI" and "SSI/SSR" (commonly referred to as general remarks and open fields),...

Actually, OSI/SSR data and general remarks are distinct, and are correctly distinguished as separate items on "Attachment A" (items 19 and 27).

... CBP's automated system will search those fields for any of the other data elements identified in "Attachment A". CBP personnel will not be authorized to manually review the full OSI and SSI/SSR fields unless the individual that is the subject of a PNR has been identified by CBP as high risk in relation to any of the purposes identified in paragraph 3 hereof;

Actually, as I have reported previously, I have been told by a source familiar with the CBP access logs, and have seen some sample extracts from the logs which confirm, that this is not happening -- CBP routinely reviews entire PNR's, including OSI/SSR data, remarks, and history.

6) Additional personal information sought as a direct result of PNR data will be obtained from sources outside the government only through lawful channels, and only for legitimate counterterrorism or law enforcement purposes.

In the absence of data protection law in the USA, almost any imaginable technique is a "lawful channel", so this seeming reassurance is hollow.

For example, if a credit card number is listed in a PNR, transaction information linked to that account may be sought, pursuant to lawful process, such as a subpoena issued by a grand jury or a court order, or as otherwise authorized by law.

The key to the emptiness of this assurance is the clause, "as otherwise authorized by law". In the absence of any data protection law, the USA government or any private actor is "authorized by law" to ask the airline, CRS, or anyone else in possession of data to hand it over, and they are "authorized by law" to hand it over -- without notice to, or consent of, the data subject.

Even if the party in possession of the data declines to turn it over, the USA government can compel disclosure of data (specifically including airline reservation data) by issuing a "national security letter" under the Patriot Act, which does not require any action or review by any officer of the judicial branch, and which can order that the disclosure be kept secret form the data subject or anyone else.

In order to review the "adequacy" of the CBP undertakings, the European Union must thus review the "adequacy" of the Patriot Act provisions for access to personal data, including airline reservations, through non-judicial "national security letters".

In addition, access to records related to e-mail accounts derived from a PNR will follow U.S. statutory requirements for subpoenas, court orders, warrants, and other processes as authorized by law, depending on the type of information being sought;

As above, under the Patriot Act, and in the absence of data protection, there is in general no USA statutory requirement for subpoenas, court orders, or warrants -- there are "other processes as authorized by law".

8) CBP may transfer PNRs on a bulk basis to the Transportation Security Administration (TSA) for purposes of TSA's testing of its Computer Assisted Passenger Prescreening System II (CAPPS II).

This isn't a side agreement (which would have required separate approval and consultation with the European Parlieament and the Article 29 Working Party of national data protection authorities. This is an integral part of the basic agreement, and Commissioner Bolkestein once again appears to have tried to mislead the European Parliament in his categorical statement that "the agreement" does not cover CAPPS-II.

12) With regard to the PNR data which CBP accesses (or receives) directly from the air carrier's reservation systems for purposes of identifying potential subjects for border examination, CBP personnel will only access (or receive) and use PNR data concerning persons whose travel includes a flight into, out of, or through the United States;

I've been told by a source familiar with the access logs that the CBP has accessed PNR data on other flights, including flights entirely within the EU.

14) CBP will pull PNR data associated with a particular flight no earlier than 72 hours prior to the departure of that flight,

I've been told by a source familiar with the access logs that the CBP has accessed PNR data as much as several weeks before the flight date.

18) Details regarding access to information in CBP databases (such as who, where, when (date and time) and any revisions to the data) are automatically recorded and routinely audited by the Office of Intemal Affairs to prevent unauthorized use of the system;

A critical question is whether the months of logs of the illegal access to date have been, or will be, subjected to such an audit before an agreement is finalized. From what I've been told by my source about the logs, and the excerpts I've received, they would not stand up to a sufficiently thorough and technically competent audit.

21) Unauthorized access by CBP personnel to air carrier reservation systems or the CBP computerized system which stores PNR is subject to strict disciplinary action

In theory, maybe, but the violations to date have not been punished. The way the the CBP has been using its access to reservation systems is scandalous, and the EU should insist on an independent audit before any finding that the purported internal CBP oversight provides "adequate" protection against.

31) For purposes of regulating the dissemination of PNR data which may be shared with other Designated Authorities, CBP is considered the "owner" of the data and such Designated Authorities are obligated by the express terms of disclosure to: (1) use the PNR data only for the purposes set forth in paragraph 29 or 34 herein, as applicable; (2) ensure the orderly disposal of PNR information that has been received, consistent with the Designated Authority's record retention procedures;

Here again, one must keep in mind that, since there is no general data protection law in the USA, the "Designated Authority's record retention procedures" may not exist, or may provide for indefinite retention.

39) CBP will undertake to rectify data at the request of passengers and crewmembers, air carriers or Data Protection Authorities (DPAs) in the EU Member States (to the extent specifically authorized by the data subject),

The undertakings here fail to take into consideration the rights of other data subjects, including airline, travel agency, and other reservation staff; persons from whom reservations are received for others; persons paying for tickets for others. Here again, it's not entirely clear if the negotiators of the undertakings were technically incompetent, or deliberately trying to evade acknowledgment of the scope of the data transfer and the range of data subjects it would implicate. (I discussed the other categories of data subjects at some length in my comments to the DHS on the CAPPS-II Privacy Act notice.)

Keep in mind that I am not a lawyer. Lawyers may well have additional criticisms. I've tried to focus on the technical problems, as an expert on travel reservations and their privacy implications.

Details of PNR data categories listed in "Attachment A" of the 12 January 2004 draft Undertakings of the [USA] Department of Homeland Security Bureau of Customs and Border Protection, CBP) on transfers of airline reservations data (passenger name records, or PNR's ) from the European Union to the USA, as compared with the information available from inspection of tickets:

The following 17 of the 34 PNR fields listed in "Attachment A" are never printed on or identifiable from inspection of paper tickets:

  • 2. Date of reservation
  • 5. Other names on PNR
  • 6. Address
  • 8. Billing address
  • 9. Contact telephone numbers
  • 11. Frequent flyer information (limited to miles flown and address(es)) [frequent flyer number might be shown on tickets, but never miles flown and never address on frequent flyer account]
  • 16. Split/Divided PNR information
  • 17. Email address
  • 19. General remarks
  • 23. No show history
  • 25. Go show information [Update: Since writing this article, I've learned that this term is used by some airlines to describe a "walk-up" passenger, that is, someone who presents themselves without a ticket or reservation, and buys a ticket to travel immediately. Some airlines create a reservation on the spot for such a passenger. Other airlines simply sell them a ticket -- possibly an "open" ticket -- and board them as a stand-by passenger.]
  • 26. OSI information
  • 27. SSI/SSR information
  • 28. Received from information [This identifies the person who requested the reservation, who might not be the traveller, e.g. a business associate, personal assistant, friend, family member, etc. This is a whole additional category of data subject whose rights must be considered and provided for, but haven't been.]
  • 29. All historical changes to the PNR [The "history" is the audit travel, which includes every entry, change, or deletion to or from the PNR. The "history" thus includes every field in the PNR, and access to the history implies access to all PNR fields, whatever they might be, not just the list specified in Attachment "A". For there to be any meaningful limitation of which portions of the PNR are accessible, or any meaningful "filtering" of sensitive or other data, it is essential that the history be excluded from access or subjected to the same filtering by field and "sensitivity" of types of the information. But for technical reasons filtering the history would be significantly more difficult than filtering the rest of the PNR.]
  • 30. Number of travelers on PNR
  • 33. Any collected APIS information

The following 9 fields could sometimes or partially, but not fully or reliably, be determined from inspection of tickets (sometimes in conjunction with other indexes, e.g. a lookup table of travel agency names and addresses by IATA/ARC accreditation number to determine the travel agency and travel agent name and address from the agency number on the ticket):

  • 1. PNR record locator code [Tickets don't always show any record locator, especially if issued "open". The record locator on the tickets is typically that of the CRS record from which the tickets were issued, which isn't necessarily the same as the record in the airline's host CRS, or of the record containing the "live" reservations and additional data, especially if the agent and airline use different CRS's, or if reservations are made by a retail travel agency but tickets are issued by a wholesaler.]
  • 3. Date(s) of intended travel [The tickets could show only "open" in place of airlines, dates, and flight numbers, even if specific flights have been reserved in the PNR. And the PNR could include flights other than those included in the tickets used for the flight to or from the USA. It's also unclear if "All travel itinerary" is interned to include non-air travel segments that might be included in the same PNR, such as hotel or car hire reservations, tour or cruise bookings, etc., but these obviously wouldn't be indicated on airline tickets. Whether transfer of non-air PNR segments to the CBP is contemplated by the undertakings is a major question.]
  • 7. All forms of payment information [If the person making payment is not the passenger, this would include information on yet another category of data subject]
  • 10. All travel itinerary for specific PNR [In addition to the reservations for current flight, a PNR can and often does include reservations for other flights not yet ticketed, or ticketed separately, as well as non-air components of the traveller(s)' itnirary such as accommodations, car rental or rail reservations, tours, cruises, etc.]
  • 12. Travel agency [Only the agency and agent issuing the ticket could be determined from the ticket; the agency(s) and agent(s) making the reservations could not -- frequently reservations are made by a retail agency, but tickets actually are issued by a wholesale consolidator.]
  • 13. Travel agent [see above; this is also significant because it means that personal data on airline and travel agency staff, not just passengers and prospective passengers, will be transferred to the USA. There is the same problem with CAPPS-II: the DHS has falsely described it as implicating personal data of travellers only, ignoring its effect on other categories of data subjects including airline and travel agency workers.]
  • 14. Code share PNR information
  • 24. Bag tag numbers [Not on tickets, but baggage tags could be considered part of "travel documents", so this item is questionable.]
  • 34. ATFQ fields

Only the following 8 of the 34 fields could usually be determined from inspection of tickets:

  • 4. Name
  • 15. Travel status of passenger
  • 18. Ticketing field information
  • 20. Ticket number
  • 21. Seat number [Actually often determined at check-in, and only determined from boarding pass, not ticket, so this item reinforces the point that real passenger data is only available on departure of the flight, and no sooner]
  • 22. Date of ticket issuance
  • 31. Seat information
  • 32. One-way tickets
Link | Posted by Edward, 2 February 2004, 21:20 ( 9:20 PM) | Comments (1) | TrackBack (7)

Complaint filed against KLM in the Netherlands

A complaint (in Dutch) against KLM Royal Dutch Airlines for the transfer of KLM reservation data to the USA space agency NASA (for use in passenger profiling experiments) by KLM's code-share partner Northwest Airlines was filed with the Dutch College Bescherming Persoonsgegevens (CBP), or Data Protection Authority last Friday by Dutch privacy and digital rights organization Bits of Freedom .

As best I can understand a machine translation of the complaint, it asks for (1) an investigation by the CBP of what (if any) action KLM has taken to ensure that personal data given to Northwest by KLM will be properly protected from disclosure, (2) an order from the CBP to KLM to identify and notify all those about whom information was given to NASA, and (3) an order from the CBP to KLM to take measures to ensure that personal information given to KLM won't be transferred to third parties without the consent of the data subject.

Multiple lawsuits are already pending against Northwest Airlines in the USA, and mulitple complaints are pending in Europe against airlines for giving USA government agencies direct access to passenger data. But this is, so far as I can tell, the first formal request for enforcement action against a travel company for failing to ensure the protection of personal information in reservations transferred between private companies, and as such could have an impact throughout the global travel reservations industry.

[Follow-up: KLM claims it doesn't know what happens with passengers' data (8 August 2007)]

Link | Posted by Edward, 2 February 2004, 16:45 ( 4:45 PM) | Comments (11) | TrackBack (0)

Privacy watchdogs unite against travel surveillance. Tom Ridge replies with lies.

Both a coalition of leading European privacy advocates and NGO's, and the Article 29 Working Party of national data privacy protection authorities of European Union members, today released new joint critiques of current USA-led global schemes for international surveillance and monitoring of the movements of travellers. Their statements drew strong support in the USA, where over 100 travel industry leaders brought together by the Busienss Travel Coalition today sent a joint letter to Congress calling for hearings and Congressional action on CAPPS-II and the privacy of travel data.

The report by European privacy NGO's, Transferring Privacy: The Transfer of Passenger Records and the Abdication of Privacy Protection , was issued by Privacy International , the European Digital Rights initiative (EDRi) -- itself a coalition of NGO's from around Europe, the Foundation for Information Policy Research , and Statewatch .

The report focuses on the failure of the European Commission to enforce EU privacy law with respect to airline reservation data transferred to the USA. As Statewatch quotes Simon Davies, Director of Privacy International: "The European Parliament and the people of Europe have been deceived by the [European] Commission. A full-scale investigation is now necessary. We believe legal action should be taken against the Commission to ensure that this dangerous subterfuge does not occur in the future."

But the report, which describes itself as, "The first report on 'Towards an International Infrastructure for Surveillance of Movement'", also places the transfer of PNR data to the USA in the context of parallel traveller tracking initiatives at pan-European and global levels.

The report's principal author, Dr Gus Hosein, Senior Fellow at Privacy International, said: "This is a case of opportunism by the [European] Commission. The EU is blam[ing] the U.S. for an admittedly unjust law, but then going further than the U.S. to establish a global system of surveillance of movement."

The report also included a commentary from the American Civil Liberties Union, A Perspective from America :

In fact, the report makes it clear that we are not witnessing a battle between Europeans and Americans, but a battle between those in Europe and America who would like to construct an infrastructure for the global tracking and surveillance of individuals' movements, and those in Europe and America who believe that such a course is dangerous to freedom.

Also today, the Article 29 Working Party published its formal Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be Transferred to the United States' Bureau of Customs and Border Protection" .

By vote of the highest privacy protection law enforcement authorities of EU member states the Working Party determined that the Undertakings of the USA Department of Homeland Security on PNR data transfers (more on those to come in a separate article) "...do not allow a favourable adequacy finding to be achieved" with respect to the protection of reservation data once given to the USA government.

The opinion was especially critical of the use of EU data in the CAPPS-II system, making clear that any suggest use is and will ocntiunue to be in violation of EU laws, and subject to enforcement action at the national level by the members of the Working party:

The Working Party recommends the Commission to make clear, through a specific clause in the decision, that US authorities shall refrain from using passenger PNR data transmitted from the EU not only to implement the CAPPS II system but also to test it. It is the Working Party?s opinion that this should also apply to any other further use of European passengers? data transmitted by airlines in relation with other programmes such as Terrorism Information Awareness and US VISIT, or entailing the processing of biometric data.

At the same time, the Working Party released its Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data from airlines as adopted 16 January 2004. Despite the much greater privacy protections afforded under Australian law, the Working Party was able to make only a highly conditional, time-limited, and "transitional" finding that they meet the EU standard of "adequacy". It's instructive as to how far the gap remains between the USA undertakings and meaningful privacy protection.

Last week TSA Administrator and (ex?)-admiral James M. Loy testified before the National Commission on Terrorist Attacks Upon the United States that, "We must be honest in dealing with the traveling public" (Loy also admitted in response to questions that CAPPS-II can be "gamed", according to a brief note about the hearing from EPIC ).

Today, Loy's boss, Secretary of Homeland Security Tom Ridge, uses an Op-ed in USA Today to repeat the same old lies about CAPPS-II that his underlings -- from TSA spokespeople to the DHS Chief Privacy Officer -- have been telling for months. To whit:

  • Lie number 1: "CAPPS II uses routine passenger information.
    In fact, the DHS Chief Privacy Officer admitted to me that CAPPS-II would require a directive compelling all would-be air travellers to provide additional information never before required or routinely entered in reservations.
  • Lie number 2: "CAPPS II will help us preserve privacy."
    Say what? One could argue (although I weouldn't do do) that invasion of privacy is only a "side effect" of CAPPS-II, not its primary purpose. But only those with a blind faith in, "We're from the government, and we're here to help you," could be expected to swallow the whopper that CAPPS-II is meant as some sort of "privacy protection" measure.
  • Lie number 3: "Credit card purchases would not be accessed."
    Actually, details of credit card ticket purchases (including the names and other details of people paying for tickets for others, but not themselves travelling) are routinely entered in reservations, and would be accessed by the government under CAPPS-II.
  • Lie number 4: "Almost all passengers' data would be deleted immediately after a flight."
    Exactly the opposite: no passenger data is ever deleted from airlines', CRS's, and/or travel agencies' electronic and microfiche archives until at least several years after a flight. For financial, tax, and accounting reasons (including the need to document credit card charges and tickets used in case of billing disputes), airlines wouldn't be permitted to delete reservation records even if they wanted to -- which they don't, especially since (as Ridge neglected to mention), there is nothing in USA law or the CAPPS-II proposal to limit their use, sale, or disclosure of passenger data to whomever and for whetver purposes they plase. Forever. When airlines say that PNR's are "purged" after the last flight in the itnerary, that's industry jargon for, "moved to permanent offline storage", not "deleted. And the airlines have said they want to feed reservation data from CAPPS-II into the US-VISIT system, under which it could be incorporated into "biometric and biographic travel histories" to be kept for up to 100 years .
Link | Posted by Edward, 2 February 2004, 12:47 (12:47 PM) | Comments (0) | TrackBack (0)

Sunday, 1 February 2004

More illegal USA advance snooping in EU PNR data leads to more flight cancellations

Yet again yesterday flights from the European Union to the USA have been cancelled at the orders of the USA Department of Homeland Security on the basis of information illegally obtained by the DHS from European airline reservations.

A month ago, when last this happened, it was later widely reported to have resulted from the perceived similarity of a name on a passenger manifest, "Abdul Haye Mohammad Illyas", to the name of a suspect wanted by the USA, "Maulvi Abdul Hai". That was enough, in the eyes (or perhaps ears) of the DHS to warrant cancelling flights on that route for several days.

Agence France-Press explains what happened next:

The suspicions of international intelligence agencies seemed confirmed when Illyas failed to show up for the flight to Los Angeles [on December 24], which was ultimately canceled at the request of Washington due to fears of an attack.

A similar alert was re-issued by Air France on January 7, informing the U.S. and French intelligence that Illyas was booked on Paris-Los Angeles flight four days later.

He had been expected to land in Paris January 7 on an Air France flight from Bombay and had a reservation on January 11 for a flight to Los Angeles.

But this time too, Illyas failed to arrive at Charles de Gaulle airport in Paris where French police were waiting for him to check his identity....

According to the Indian Express newspaper, Illyas had won frequent flier tickets for travel on the Paris-Los Angeles sector. When Air France asked him for his dates of travel, Illyas randomly chose December 24 without really intending to use the ticket [on that date].

As the Hindustan Times editorialized :

Notoriously insular and apathetic about any culture that doesn't emanate from their backyard, Americans have transformed themselves into a nation that is prepared to shoot at the enemy, but without knowing who the enemy is. In the process, more and more cases suggest that the "enemy" may have become anyone with a "Middle-Eastern appearance" and/or with an Islamic nomenclature. Which is a bit like thinking that every Fritz or Otto or Adolf is a neo-Nazi....

What was strange was that even after initial fact-checking with Indian intelligence agencies -- which pointed out that the suspect was a bona fide leather exporter who was a frequent traveller -- the Americans were still intent on believing otherwise. It's just as well that the rest of the world is a bit more clued in on cultures other than their own. Otherwise, who knows, we would have been extremely suspicious of Anglo-Saxon names that could have links with the Ku Klux Klan or the IRA or the Baader-Meinhof or the Red Brigade or...

Yesterday, flights scheduled for today and Monday were cancelled, once again on the basis of names on reservations. The New York Times cited unnamed "officials" in reference to what names did or didn't appear on "passenger lists" for the cancelled flights, while the Guardian similarly says that, "US authorities were understood to be scouring UK passenger lists for future flights from London to America as attempts were made to see if more flights will be grounded in the coming days." And Agence France-Press likewise reports that, "the US Federal Bureau of Investigation found names on passenger lists."

Reinforcing continued concern about the differential treatment by the USA of USA-based and foreign airlines, and its impact as trade protectionism, The Guardian also quoted an "industry source" as saying, "There is a widespread and deep-held concern among British pilots that America is using these intelligence reports for its own commercial ends, maybe to even protect the very survival of its airlines," i.e. by raising alarms about foreign airlines to frighten timid American into deciding to "fly American".

Regardless of what name showed up in a reservation this time, the question remains whether it was legal for the USA authorities on Saturday to be reviwing PNR's for Sunday and Monday flights from the European Union and perhaps other countries.

The simple and obvious answer is that it wasn't legal, and wouldn't be even if the proposed USA-EU agreement were to be approved in its present form.

The USA-EU agreement hasn't been finalized, but January 2004 drafts I've seen rely on one or both of two exceptions to the EU data protection directive and code of conduct for computerized reservation services : that passengers have consented to having their reservations given to the USA, and/or that the data is required by USA law.

But neither is true, as this weekend's events show.

People could have made reservations for these flights as much as 11 months to a year ago, long before any airline started warning passengers about USA government demands for reservations.

Since British Airways, like several other airlines, no longer requires reconfimation of reservations on flights to and from the USA, the first time these people could possibly be asked for their consent to give their reservations to the government of the USA would be when they check in. And if, like the ill-fated Mr. Illyas, they don't check in, they will never be asked for their consent, but their cancelled PNR's will still be included, and accessible to the USA, along with the "live" PNR's for passengers on the flight.

Even if an airline ordered all its agents to obtain consent for government access to reservations before they are allowed to make reservations -- something none has yet done -- it would be another full year before everyone holding a reservation could be assumed to have given their consent.

As for the requirement of USA law, that is clearly limited (even assuming that it would withstand Comnstitutional challenge) to information concerning passengers . Mr. Illyas is an excellent example of how common it is for people to hold reservations on flights on which they don't end up travelling. But in his case, the government got his reservations, and made him an unwittingly wanted man, well before he had become an actual passenger.

So any government access to reservations prior to the completion of check-in, or for those no-show or cancelled names who don't check in and consent, inevitably will scoop up in its dragnet personal information about people:

  1. Who aren't yet, and might never become, "passengers";
  2. Whose information, since they aren't passengers, isn't required by USA law; and
  3. From whom there has not yet been any opportunity to ask for, much less obtain, consent.

But that's _exactly what did happen yesterday, when flights were cancelled for Monday, 48 hours in advance, on the basis of information in European reservations (illegally) turned over to the USA.

That should give pause to European authorities who have been planning to rely on consent and the compulsion of USA law to excuse their departure from their own laws. And Canadian law, as I discussed yesterday , is similiarly limited to information "relating to persons on board or expected to be on board the aircraft and that is required by the laws of the foreign state."

Both Canadian and EU authorities need to make sure that, in order to provide an opprtunity for consent and to ensure that the data in limited to that which is actually required by USA laws (which only cover passengers, not other data subjects), no reservation data is available to the USA government until the passenger list is finalized, which is when the plane takes off -- "wheels up".

Link | Posted by Edward, 1 February 2004, 12:34 (12:34 PM) | Comments (0) | TrackBack (2)