[Note: An earlier version of this article won a 2003 Lowell Thomas Travel Journalism Award for investigative reporting from the Society of American Travel Writers Foundation. This version has been updated to reflect events through September 2003, when I started my blog. For further events in 2003-2004, see my chapter on Travel Privacy in the Privacy and Human Rights 2004 yearbook from Privacy International and the Electronic Privacy Information Center. For more recent information, see my articles on travel data, privacy, and surveillance, the Privacy and Travel category of my blog, and my articles for The Identity Project (PapersPlease.org).]
As I wrote in 2001 in The Practical Nomad Guide to the Online Travel Marketplace, “Privacy is the Achilles heel of travel planning.”
Travel data is the largest, most sensitive, most intimately revealing, most heavily computerized and name-identified, and for all these reasons the most significant category of personal information not yet subject, in the USA, to any sector-specific Federal privacy regulations (such as apply to legal, financial, and medical information). This is in marked contrast to other countries, most of which:
Canada, for example, included airlines (and, to the extent they function as agents of the airlines, travel agencies) in the first phase of its ongoing implementation of its Personal Information Protection and Electronic Documents Act — three years earlier than entities in most other sectors deemed less critical to personal privacy were required to have complied with that Act.
Passenger Name Records (PNRs) maintained by airlines, computerized reservations systems or “global distribution systems” (CRS’s/GDS’s), and travel agencies don’t just contain flight reservations and ticket records. They include car, hotel, cruise, tour, sightseeing, and theater ticket bookings, among other types of entries.
PNRs show where you went, when, with whom, for how long, and at whose expense. Behind the closed doors of your hotel room, with a particular other person, they show whether you asked for one bed or two. Through departmental and project billing codes, business travel PNRs reveal confidential internal corporate and other organizational structures and lines of authority and show which people were involved in work together, even if they travelled separately. Particularly in the aggregate, they reveal trade secrets, insider financial information, and information protected by attorney-client, journalistic, and other privileges.
Through meeting codes used for convention and other discounts, PNRs reveal affiliations — even with organizations whose membership lists are closely-held secrets not required to be divulged to the government. Through special service codes, they reveal details of travellers’ physical and medical conditions. Through special meal requests, they contain indications of travellers’ religious practices — a category of information specially protected by many countries.
As discussed in this article and my other writings, travel records and reservation data are vulnerable to abuse and invasion of travellers’ privacy in at least three major ways:
Why is the USA the place where the privacy of travel data is most threatened, both by government agencies and corporations?
The basic reason is that the USA has lagged substantially behind the relevant international norms: both emerging international norms of privacy protection, and well-established international norms of airline and airport security.
The privacy of personal information has come to be recognized around the world as a fundamental right, and more and more countries have incorporated data privacy rights in their laws. The European Union Data Protection Directive, enacted by the European Parliament, requires each EU member state to adopt a national data privacy law, and similar principles are embodied in Canada’s Personal Information Protection and Electronic Documents Act and the laws of more and more other countries. The USA, on the other hand, simply has no general law protecting the privacy of personal information. Only a few special categories of information, such as certain medical and financial records — but not travel data — are protected by law in the USA.
In aviation security, the difference between the USA and most other countries has been that in the USA only selected airline passengers and bags have been subjected to the sort of search that all passengers and bags receive in most countries.
Human security screeners in some countries (Israel being the best known) question all passengers individually, looking for certain passenger “profiles”, in addition to universal searches. But neither Israel nor, so far as I’ve been able to determine, any other country in the world except the USA even tries to use robotic profiling (such as CAPPS or CAPPS-II), much less relies on automated selection instead of universal screening.
There’s a close connection between lack of privacy law and use of selective profiling: The absence of legal protection for the privacy of travel data in the USA has made it much easier and more tempting for airlines and the government to substitute privacy-invasive profiling and selection systems for universal searches. Lack of legal protection for travellers’ privacy thus contributed directly to the adoption of less secure passenger inspection systems.
Whether to implement universal or selective passenger and baggage inspection in the USA was a major issue for the Presidential “Commission on Aviation Safety and Security” chaired by Vice-President Gore in 1996-1997.
Many experts recommended to the commission, and the commission itself included in some of its draft reports, universal security measures such as more careful inspection of all checked and carry-on baggage, and positive matching of all checked baggage with passengers (so that, as is the case in most of the world, flights are not allowed to depart if baggage has been checked in by a passenger who has not actually boarded the plane). Prior to 11 September 2001, the most deadly act of terrorism against civil aviation was committed by means of a bomb in checked luggage, which could have been prevented by bag matching on connecting flights. The clear consensus of the security community was that positive passenger-bag matching on all flights was the single most important step that could be taken to protect air travel against terrorism.
But the airline industry lobbied strenuously (and, ultimately, successfully) against any measures that might inconvenience or delay the majority of passengers. Universally more rigorous inspections would slow check-in, requiring travellers to show up at the airport earlier. Positive passenger-bag matching would require airlines to allow more time between connecting flights (to allow for the possibility that a bag might have to be found and removed if a passenger with a checked bag didn’t show up for the onward flight). Longer connecting times would be particularly costly to the larger airlines with hub-and-spoke operations. The main result of all this would be to make trains, buses, and cars more competitive in door-to-door time over longer distances, and thus to reduce airlines’ share of the overall intercity transportation market.
Airlines developed the CAPPS profiling and selection system, and sold it to the government, in response to the Gore Commission proposals for mandatory passenger-bag matching. The final report of the Gore Commission, and measures adopted in its wake, emphasized profiling and selective scrutiny rather than universal inspections. Although the final report still strongly favored positive passenger-bag matching, airlines were allowed to use CAPPS instead, as an interim measure only, until passenger-bag matching could be implemented. That interim deadline has been repeatedly extended, and as of 2003 passenger-bag matching is still not required on connecting flights in the USA. From the airlines’ point of view, CAPPS has been a success: not because it increased safety or security (which was never its raison d’etre), but because it headed off the “threat” that they might be required to implement passenger-bag matching.
As this history makes clear, CAPPS was not developed to increase safety or security. It’s often claimed that we have to choose between safety and civil liberties, but that’s not true. For more on why that’s a fallacy, and the real issues of airline safety and security, see my articles on Travel Safety and Civil Liberties: Fear vs. Danger and Should We Still Travel, After What Happened 11 September 2001?.
In reality CAPPS was developed by airlines to protect themselves against the perceived threat to their market share if they were required to adopt standard international security procedures . And CAPPS is directly responsible for the non-implementation in the USA of one of the most important (and, as it happens, non-invasive) of those procedures.
But the CAPPS (“Computer Assisted Passenger Pre-Screening”) system was, at the airlines’ request, adopted by the government as a requirement. This system was first described as “Computer Assisted Passenger Screening”, abbreviated CAPS. Later the name and acronym were changed to CAPPS. (The extra “P” signifies, “Pre-Screening” instead of “Screening”.) Today this system — still in use — is often referred to as “CAPPS 1” to distinguish it from the various “CAPPS-II” or “CAPPS 2” proposals made since 11 September 2001.
Starting in 1998, the government began supplying the airlines with a secret CAPPS profiling algorithm, and all airlines based in the USA have been required to pass passenger data from their reservation systems through the system each time a passenger checks in. At first, CAPPS was applied only to passengers with checked luggage. Since 11 September 2001 CAPPS profiling has been extended to all airline passengers.
If your reservation fits the CAPPS profile, you and your luggage are set aside for “secondary security screening” comparable to normal international screening. The airlines retain the reservation data (and, it appears, make it available to the government without requiring a warrant and without notifying travellers that the government is reviewing their travel histories), whether or not you fit the profile. Those who don’t fit the profile, and their luggage, have otherwise been largely ignored. Even since 11 September 2001, passengers and luggage not selected by CAPPS for secondary screening are much less carefully checked than is the norm in most other countries.
The events of September 11th clearly demonstrate that this profiling doesn’t work. Advocates of security and civil liberties share an interest in abolition of the CAPPS profiling system and its replacement with universal passenger and baggage inspection and passenger-bag matching. That would be fairer, safer, and less vulnerable to abuse.
The original system for selecting passengers, which might be called “CAPPS 1.0”, was based solely on the contents of your reservation, combined with an element of randomness to try to make it harder to figure out the profiling algorithm. Some time after 11 September 2001, as discussed further below, a change was made to what might be called “CAPPS 1.1”, in which the airlines were also required to consult new “no-fly” and “permanent selectee” lists of names provided by the government. If your name “matches” or is sufficiently similar to a name on the “selectee” list, you are sent to secondary screening, regardless of whether your reservation fits the CAPPS profile. If your name is similar to a name on the “no-fly” list, the airline is required to notify federal law enforcement authorities, usually the FBI, and is not permitted to allow you to board the plane unless the Feds give it case-by-case permission. This CAPPS 1.1 system remains in effect pending development and deployment of some form of CAPPS-II.
As discussed above, the government and the airlines ought to be getting rid of CAPPS. Instead, the government is moving forward on several fronts, including CAPPS-II, to make even more privacy-invasive use of travel records. Because travel data is incredibly revealing about people’s behavior, but legally unrestricted in the USA, it’s natural that it has drawn the attention of government agencies interested in closer monitoring, tracking, and record-keeping about people’s activities.
Efforts are ongoing by three different bureaus of the USA Department of Homeland Security to gain access to airline and other travel reservation data. (Although these organizations were part of three different Federal agencies, and their original proposals for access to travel data were made independently, all three agencies were transferred to the new Department of Homeland Security on 1 March 2003.) Different provisions for each of these three agencies to get access to different information about travellers were all included in the Aviation and Transportation Security Act, which became law in December 2001. Although some of these proposals actually predated 11 September 2001, each of these agencies is now relying on the Aviation and Transportation Security Act of 2001 as the authority for their current demands for travel data.
(Most of the proposals discussed below, including CAPPS-II, concern only airline passengers. But the government has explicitly left open the possibility that CAPPS-II and other airline passenger profiling and surveillance systems might eventually be extended to other modes of transportation. Already, the U.S. Coast Guard — the only former branch of the military now incorporated, in its entirety, into the Department of Homeland Security — has proposed requirements for profiling, mandatory identification, and access to reservation information for all domestic and international ferry and cruse ship passengers. And the Transportation Security Administration (TSA) has announced grants for profiling (“screening”) of intercity bus passengers.)
Different aspects of the USA travel surveillance proposals have gotten attention in different countries. In Europe and Canada, attention focused first on the incompatibility of European Union (EU) and Canadian privacy laws with the demands by USA customs and immigration authorities, which are limited to data about passengers on international flights to and from the USA. In the USA, debate has centered instead on the proposed “CAPPS-II” system, which would be used for all flights to, from, or within the USA, including domestic as well as international flights.
But airlines flying between two countries must, of necessity, comply with both countries’ laws. If the laws governing their operations are fundamentally incompatible, flights are impossible., and no one wants to shut down all flights between the USA and Canada or the EU. So it should be no surprise that the debates on the privacy of travel data in the USA, EU, and Canada are converging rapidly. As Europeans and Canadians learn about CAPPS-II, they have begun to object to the application of CAPPS-II to flights to and from their countries, and to question whether use of CAPPS-II on flights to and from their countries will comply with their privacy laws. And, because EU and Canadian citizens have so much more extensive privacy rights than citizens of the USA, it now appears that — unless Congress intervenes — the best chance for protection of travellers’ privacy, even for travellers within the USA, may be through European and Canadian, not American, law enforcement agencies.
These proposals for government use of travel data are all being described by the government of the USA as “security” measures. But just as CAPPS (CAPPS 1) wasn’t really intended for security purposes, and in fact was responsible for the absence of internationally standard protective measures, so CAPPS-II and the other current proposals don’t appear likely to improve security, but seem intended much more for surveillance and monitoring: as a “conveyor belt” to get travel data from the airlines into the military’s “Terrorism Information Awareness” (originally called “Total Information Awareness”) system, and as a mechanism for forcing travellers to identify themselves so that than travel records can be positively associated in government dossiers with particular individuals and with data about them from other sources.
The Bureau of Customs and Border Protection (formerly the Customs Service) has demanded the ability to view any Passenger Name Record (PNR) of interest, on all inbound international flights to the USA. This demand has been the subject of extensive negotiations with the European Union (EU) working party on data privacy, the European Commission, the European Parliament Committee on Citizens Freedoms and Rights, and the European Parliament itself.
In interviews with the New York Times in late February 2003, both the Privacy Commissioner of Canada and the president of the Data Protection Authority of the Netherlands had criticized the U.S. Customs Service proposals as an invasion of their countries’ citizens’ privacy, and contrary to their countries’ privacy laws. And on 3 March 2003, the President of the EU Working Group on Data Protection requested that’ access to PNRs by the USA government be postponed until the matter could be considered further. The talks continued, and an additional joint statement with minor concessions by the USA was released 4 March 2003, but it remained unacceptable to European authorities.
Talks were held between USA and European Commission officials in early 2003 concerning the conflicts between the privacy requirements of EU law and the disclosure demand of the Customs Service. A joint statement concerning the talks was issued in February 2003, shortly before the Customs Service demand for PNR access was scheduled to go into effect.
The Customs Service (now part of the Department of Homeland Security) represented the joint statement as an “agreement”, but it was not: the European Commission participants had no authority to overturn or modify the laws already enacted by the European Parliament and by EU member nations. In a speech on behalf of the EU negotiating team in the European Parliament plenary session on 12 March 2003, Frits Bolkestein, Member of the European Commission and leader of the European negotiating team, said that, “Many reports referred to an ‘agreement’ or ‘decision’. There is no ‘agreement’ or ‘decision’… Clearly, we need more time and information from the US before we can say that we have a solution.” In response to written follow-up questions from members of the European Parliament, Commission Bolkestein reiterated in a further official statement 21 March 2003, that, “This requirement [by the USA] conflicts with [European] Community and Member States’ legislation on data protection and also with certain provisions of the Community Regulation on Computer Reservation Systems…. The Commission has not entered into any agreement with the United States.” And in a letter sent 12 June 2003 to Tom Ridge, Secretary of Homeland Security for the USA, Commissioner Bolkestein reiterated that:
Data protection authorities here take the view that PNR data is flowing to the US in breach of our Data Protection Directive…. As things stand today, I have to say that the draft undertakings provided by the US so far are not such as to convince me…. On a number of important points, the US undertakings fall short of what we need… Without a better result on these issues, I shall… have great difficulty in recommending a positive decision to the Commission [that the protection provided for PNR data in the US meets our “adequacy” requirement].
There is a strong consensus … in the EU that only a tightly worded undertaking both about the way that US Customs and Border Protection (CBP) will use the data and about the conditions under which the data may be shared with and used by other agencies is acceptable….
I would therefore ask you to consider the introduction of an independent arbiter outside the US Government. Failing this, we shall have to insist that the undertakings as a whole be made legally binding, either via departmental regulations or possibly via an international agreement.”
Following the parliamentary debate on 12 March 2003, by a decisive vote of 414 to 44, the European Parliament adopted a resolution rejecting the joint statement as incompatible with EU law, strongly criticizing the European Commission participants in the talks, and inviting enforcement action by national Data Protection Commissioners, should they receive complaints by EU citizens of disclosure of PNR data to the Customs Service.
The European Parliament was guided in its decision by the recommendations of the European Parliament Committee on Citizens Freedoms and Rights following its emergency meeting on 12 March 2003. The committee reported that the so-called agreement “lacks any legal basis but could be interpreted as an indirect invitation to the national authorities to disregard Community law” by transferring data to the USA without waiting for proper approval from the appropriate EU authorities. The resolution questions the compatibility of the “agreement” with the relevant EU laws, and recommends further negotiation and greater restrictions on the transfer of passenger manifest and PNR data to the USA. The matter then returned to the Committee on Citizens Freedoms and Rights, which held another public seminar 25 March 2003, at which CAPPS-II was also discussed, on what to do next.
“The EU-US passenger data disclosure agreement violates EU data protection laws, not only because it gives US authorities full access to data that is collected originally only for travel purposes…, but also because the information is surreptitiously gathered without properly notifying passengers and giving them an opportunity to consent”, Marco Cappato, a member of the European Parliament and of the Committee on Citizens Freedoms and Rights, told a news conference at the National Press Club in Washington, DC, on 30 April 2003.
Despite the legal uncertainty, most airlines flying between the EU and the USA began giving the U.S. Customs Service access to PNRs as of 5 March 2003. With the draft “agreement” having been rejected by the European Parliament, those airlines are now at risk of enforcement action by EU national data privacy agencies as soon as any EU citizen brings a complaint. On 5 May 2003, the European Digital Rights initiative (EDRi) began a campaign to encourage such citizen complaints against airlines that provide passenger data to the government of the USA, making available model complaint letters in 8 languages on the EDRi.org Web site.
The next day, senior officials of the Bureau of Customs and Border Protection and the Transportation Security Administration, along with the Department of Homeland Security’s new chief privacy officer, Ms. Nuala O’Connor Kelly (formerly the chief privacy spokesperson for the much-criticized Internet banner-ad serving company Doubleclick), appeared personally before yet another hearing of the European Parliament Committee on Citizens Freedoms and Rights. No new vote was taken, and there was no evidence that their arguments had changed the minds of European legislators.
The EU has continued its attempts to negotiate an agreement by the USA to respect EU data protection law and what were described by EU authorities, in a 12 June 2003 letter to USA Secretary of Homeland Security Tom Ridge, as “fundamental rights and liberties.” But according to a report of a press briefing by the spokesperson for the European Commission 2 September 2003, “The U.S. side has refused to limit the use of data.” That description was repeated in more detail in a report to the European Parliament on 9 September 2003 by European Commissioner Frits Bolkestein, the principal European negotiator with the USA on the PNR data transfer issue. In response to questions from European Union authorities as to what data might be included in PNRs, the DHS provided a list of 39 types of data that might be included in PNRs, in addition to the four additional items (name, home address, home phone number, and date of birth) proposed to be required for CAPPS-II, as discussed below. The DHS didn’t say that all 39 of these data elements are, or would have to be, in every PNR. The DHS wants the entire PNR, whatever it includes. The point of the list was to disclose all the types of information that might be transferred to the DHS if the DHS gets the entire PNR, in order to satisfy the requirement of EU law that such data transfer be disclosed. (The list was released in response to requests from European passengers for information on how their travel records had been used, and what information had been transferred to the USA. In the USA, there is no comparable privacy law requiring disclosure to passengers of how their travel records are used.)
In reality, few PNRs contain all of the 39 listed items, and many PNRs contain other items. So the list of 39 items serves more to show the DHS’s ignorance of what data is contained in real PNRs, rather than as a comprehensive list of possible PNR contents or as any list of “required” data. It’s noteworthy that the list includes the “Received From” field, which is a part of every PNR and which indicates who requested the reservation (typically a travelling companion, friend, family member, business associate, or assistant), even if they aren’t travelling. The DHS also recognizes that the identity of the travel agent making the reservation (usually a sign-in code) could also be in the PNR.
The inclusion of the “received from” and “travel agent” fields in the list of items specified by the DHS makes clear that the DHS is knowingly receiving personally identifiable data on these categories of individuals, in addition to travellers. But as I pointed out in my comments on the CAPPS 2.1 proposal, as discussed below, the Privacy Act notice and the notices being supplied under the EU Data Directive never disclose that the DHS systems will, include data on anyone other than travellers.
At minimum, to comply with USA and EU law, both CAPPS-II (as discussed further below) and the transfer of data from the EU to the USA should be stopped until the Privacy Act notice and the EU data protection notices are is republished to include all the people who will be included in the system: travellers, travel agency and airline staff, people who request reservations for others, people who pay for other people’s tickets, etc.
With complaints being filed by EU citizens, the next step is likely to be enforcement action against airlines by EU national Data Protection Commissioners. In the first ruling on the question by any of the EU national Data Protection Commissioners, Austria’s Data Protection Commission (Datenschutzkommission) issued a statement 27 August 2003 that any transfer of PNR data from Austria to the USA would be in violation of Austrian law, since the USA does not provide adequate protection for the privacy of such data.
While enforcement of the EU Data Protection Directive is left up to individual EU member nations, the European Commission itself also has authority to enforce the privacy provisions of the EU regulations governing CRS’s. The European Union code of conduct for computerized reservation systems (Council Regulation (EEC) No. 2299/89, 24 July 1989), provides in Article 6(d) that:
personal information concerning a consumer and generated by a travel agent shall be made available to others not involved in the transaction only with the consent of the consumer.
(CRS’s also operate under Federal regulations in the USA. But unlike the EU regulations, the CRS regulations in the USA, currently under revision by the Department of Transportation, have never contained any consumer privacy provisions at all. See the links at the end of this article for details of the CRS regulations in the USA.)
In his report to the European Parliament on 9 September 2003, Commissioner Bolkestein said that the European Commission is already seeking more information from the CRS’s as to whether their transfer of PNR data to the USA has violated the CRS regulations of the EU. An analysis by Statewatch, a European civil liberties monitoring organization, cites several specific provisions of the EU CRS regulations that would appear to be violated by any transfer of PNR data to the USA government.
The fact that, even in the EU, enforcement of privacy rights for travel data is moving more rapidly under the EU CRS regulations, rather than the general data protection law, points up the importance, in the USA, of including privacy provision in the USA regulations governing the CRS’s, and including the CRS’s in any federal travel privacy law.
(And if the much more limited Customs and Border Protection proposals are incompatible with EU law, it’s clear that the much broader CAPPS-II proposal, as discussed further below, stands even less chance of being found to satisfy EU privacy requirements.)
Further discussions were held 22 September 2003 in Brussels between European Commissioner Bolkestein and Asa Hutchinson, DHS Undersecretary for Customs and Border Protection. In another letter sent by Commissioner Bolkestein to Secretary Ridge following those discussions, it was revealed that the USA had sent letters to several European airlines threatening sanctions against them and their passengers if they didn’t start turning over their reservation information to the DHS by 12 September 2003. In reply, Commissioner Bolkestein told Secretary Ridge that, even as a practical matter, “providing the data within that deadline would present very considerable difficulties”.
On 29 September 2003, a draft resolution was brought before a meeting of the European Parliament Committee on Citizens Freedoms and Rights. The draft refers to, “the fact that it is currently not possible to consider the data protection provided by the US authorities to be adequate”, citing specific inadequacies. That draft was adopted, essentially unchanged, by a plenary session of the full European Parliament on 9 October 2003. The final resolution as adopted retains that language, and directs EU authorities, by 1 December 2003, either to obtain a commitment by the USA to adequate protection of passenger data, or to “deny airlines and computerised reservation systems any access and/or transfer which is not in accordance with the principles laid down” in the resolution and in EU data protection law.
The crux of the EU complaint is not per se the transfer of data to the USA. Huge volumes of personal data (including travel data) are transferred across international boundaries between EU countries every day. But EU laws require that personal data can only be transferred to countries that provide minimally adequate privacy protections for that data once it leaves the EU >— which the USA does not.
All that the EU has asked is that, before demanding data from Europe and about European citizens, the USA put in place a framework of privacy protection — consistent with international norms — comparable to that which is already in place in the EU, Canada, and many other countries. Once that is done, data can be transferred freely, with privacy protection assured.
It’s common, although mistaken, to assume that more security inevitably requires less privacy. But there is no conflict on this issue between privacy and security. Both can be protected, just as they are in Europe (which has long had much more airline and airport security systems than the USA.
If the DHS, and especially its Chief Privacy Officer, were sincere about being committed to privacy as well as security, they’d be taking the lead in pressuring Congress to enact a travel privacy law, so that they could move forward with any truly necessary security measures that require access to reservation data. Instead, the DHS is leading the opposition to the privacy legislation that is the prerequisite to cooperation with the EU and Canada on aviation security. It’s hard to escape the conclusion that the real interest of the DHS is in surveillance, not security. (and that its privacy office is staffed with privacy invasion apologists, not privacy advocates.)
Following passage of the European Parliament resolution, European Commissioner Fritz Bolkestein met in Washington 13-15 October 2003 with Secretary of Homeland Security Tom Ridge. According to this report in the Financial Times, Ridge agreed to postpone enforcement action against airlines that don’t turn over their passenger records to the USA until 14 October 2003. But by all accounts Ridge and the DHS remained unwilling either to scale back their demands for data, or to agree to enact meaningful privacy protection for travel data in the USA. (And the demands of the DHS for irrelevant data have become the butt of jokes like this in the European press.)
The Bureau of Citizenship and Immigration Services, BCIS (formerly the Immigration and Naturalization Service, INS) has proposed to require all international airlines to provide passenger manifests as part of the enhanced “Advance Passenger Information System (APIS)”. Although the manifest is not the complete PNR, and includes only a few specified fields, the APIS proposal has been opposed by the International Air Transport Association (IATA) as potentially incompatible with the EU Data Privacy Directive. Because it is similar to, but less extensive than, the demand by Customs for the entire PNR, it has taken a back seat to the Customs initiative in the disputes between the USA and the EU and Canada.
By far the most sweeping of the travel data access proposals are those made on behalf of the Transportation Security Administration, TSA (formerly part of the Department of Transportation, DOT), for an “Aviation Security Screening Records (ASSR)” system. Despite the name, neither the data incorporated into the system, nor its uses, would be limited to those relevant to security screening. Under these proposals, the TSA would be given access to all data in PNRs of all passengers on all flights to, from, or within the USA, along with a wide range of other data including “associated data”, “financial and transaction data; public source information; [and] proprietary data”.
Tens of millions of airline PNRs, involving a significant fraction of the citizens and residents of the USA as well as vast numbers of current and prospective foreign residents and visitors, are active at any given time. The proposed ASSR system would almost certainly contain data on more people than any other system of records exempt from the Privacy Act, and result in one of the largest, and most intimately revealing, government databases about individuals and their movements, activities, interests, associations, and behaviors.
The ASSR proposal and Federal Register notice didn’t mention CAPPS-II. But the TSA has since described this as “the CAPPS-II proposal”, and has avoided any further mention of the label “Aviation Security Screening Records” or the term “database”. The TSA now claims they won’t really be keeping any “records” on travellers or creating a “database”, although that’s what they said they would do in their only formal legal or regulatory filing to date on their proposal. I’ve dubbed the proposal in the 15 January 2003 notice in the Federal Register “CAPPS 2.0”, to distinguish it from the revised “CAPPS 2.1” proposal described in later TSA briefings and statements.
The ASSR database would be held by the new “Office of National Risk Assessment” in the TSA, which might more accurately be described as the office of “Total Travel Information Awareness”. The TSA Office of National Risk Assessment is directed by retired Marine officer — and National Security Agency cryptology school graduate — Ben H. Bell, III, formerly Deputy Director of the Foreign Terrorist Tracking Task Force of the Department of Justice, and before that Deputy Assistant Commissioner for Intelligence for the INS. Mr. Bell’s resume touts his “intelligence community partnerships and notes that, “Mr. Bell’s foreign intelligence experience stretches from the beaches of the Caribbean and the tropical forests of Central America to the Far East.” TSA spokesperson Brian Turmail said the CAPPS-II project is really an “agency-wide effort”, however, overseen by TSA Associate Undersecretary and Chief Technology Officer Randal Noll (formerly director of mergers and acquisitions for Intel Corporation).
Under the TSA proposals, travel records from the ASSR database would be freely disclosable to any “agency of the Intelligence Community” or any foreign government (with no obligation on them ever to purge the information), would be exempted from the Privacy Act (so that those about whom records are kept would be unable to determine that fact), and could be used, according to documents obtained in April 2003 by EPIC under the Freedom of Information Act, as the basis to deny transportation to people determined (by secret procedures, based on this data) to constitute a “potential” risk to air transportation.
In an interview 3 March 2003 concerning the ASSR proposals, DOT spokesperson Chet Lunner confirmed to me that there is already a “no-fly list”, and that one of the criteria used to determine who is on that list is what countries they have visited in the past. And in response to EFF co-founder John Gilmore’s pending lawsuit in federal court in San Francisco challenging the requirement for air travellers to show government-issued photo ID, the government has argued that the reason for the ID requirement is to enforce the no-fly list. Another Freedom of Information Act lawsuit seeking further information about the “no-fly list” was filed in the same court in San Francisco in April 2003. Documents filed with the complaint in that case, obtained from local police at San Francisco International Airport, clearly establish the existence and regular use of the “no-fly list” and of a second “watch list” or “selectee list” — despite the TSA’s claim, in response to the plaintiffs’ original FOIA request, that they had no records related to those lists. (See the links at the bottom of this page for documents from and about these cases.)
As my comments filed on the CAPPS 2.0 proposals discuss in more detail, the proposals incorporate, in the guise of an aviation security system, most of the features and types of data which were to have been included in the “Total Information Awareness” program killed by the U.S. Congress in early February 2003. The proposals are also incompatible with Canadian, European Union, and possibly other countries’ privacy laws, and could thus make it impossible to operate flights between the USA and Canada, or the USA and the EU, without violating the laws (and the rights of citizens) of one or the other (or both) of the jurisdictions — a point which was raised by British Airways in their attorneys’ comments on the TSA proposals. The TSA proposals have not yet been submitted to the Canadian or EU privacy authorities, and are unlikely to meet with their approval unless drastically modified.
According to DOT spokesperson Chet Lunner, the proposed TSA database would be the basis for the enhanced “version 2”, CAPPS-II, of the Computer-Assisted Passenger Pre-Screening (CAPPS) system — winner of the 2002 USA “Big Brother Award” from Privacy International as “Most Invasive Proposal” — as well as the basis for the government’s enforcement of the “no-fly list” and the “watch list” for travellers.
Every public comment filed with DOT concerning the ASSR and CAPPS 2.0 proposals requested that the proposals be entirely withdrawn. In addition to my detailed comments opposing the proposal and those of British Airways, comments opposing the proposals were filed by more than 250 individuals and organizations, including the Electronic Privacy Information Center (EPIC), the Center for Democracy and Technology (CDT), Privacilla.org, the American Civil Liberties Union (ACLU), the Attorney General of Massachusetts, John Gilmore, an airline pilot, retired air force and other U.S. military officers, a victim of identity theft, at least one state legislator, and a coalition of privacy organizations including the Electronic Frontier Foundation (EFF), Privacy Activism, the Privacy Rights Clearinghouse, the Cyber Privacy Project, and CASPIAN.
Unless postponed by the Department of Transportation (which published the original proposals on behalf of the TSA, although the TSA is now part of the DHS), or enjoined by a court, the ASSR proposal was scheduled to take effect Monday, 24 February 2003. But it was replaced by a revised proposal published 1 August 2003 by the TSA’s new parent organization, the DHS. (Any new commentsshould be filed with the DHS and addressed to the revised proposal, as discussed in more detail below.)
From statements by government spokespeople, companies involved in CAPPS-II testing, and other sources familiar with the tests, it appears that there have been at least 4 rounds of CAPPS-II tests involving real, name-identified PNR data on real passengers, mostly data from archives of past flights:
Any large sample of airline passengers, even on domestic flights within the USA on USA-based airlines, would include some European Union citizens who had made their reservations through airline offices, travel agencies, or Web sites in the EU. Since EU citizens whose data was processed in CAPPS-II tests were never notified that their data would be processed for this purpose, all of these phases of CAPPS-II testing directed violated EU law.
(Since March 2003, I’ve been asking the TSA for copies of any notice that was given to EU citizens whose data was used in any of these CAPPS-II tests, or any procedures that were used to identify and exclude from the tests data protected by EU law. To date, I’ve had no response at all, presumably because there was no such notice or attempt to exclude protected EU data.)
The government has been talking out of both sides of its mouth as to its plans for the latest round of testing and deployment of the ASSR and CAPPS-II systems. Under the law cited as authority for the official CAPPS 2.0 proposal in the Federal Register in January 2003, the final regulations must be published, and Congress must be notified at least 30 days before the rules take effect. But in the same interview with me on 3 March 2003, DOT spokesperson Chet Lunner told me (1) that the ASSR proposal would be revised and republished for another round of comments (which would delay its legally effective date for at least 30 days), and (2) that CAPPS-II tests, including use of the ASSR database, would begin by the end of March 2003 (less than 30 days later). I can’t find a way to interpret his statements, read in conjunction, as anything other than a deliberate statement of intent to defy the law requiring 30 days notice to Congress and the public of the final rule.
Mr. Lunner at DOT said that CAPPS-II, including the ASSR database, would be deployed and tested by Delta Air Lines at San Jose (CA) International Airport and two other unspecified airports by the end of March 2003. Mr. Lunner had no comment on the apparent contradiction in his statements, referring that question to the TSA. In any event, there’s been no official or legal notice that the proposal has been withdrawn.
Mr. Lunner told me that Delta would be providing Privacy Act notices to all passengers subject to CAPPS-II, and whose reservation and other data might be stored by the TSA in the ASSR system. Two months later, after repeated promises to provide me with a copy of the Privacy Act notice given to people whose data was given to the TSA in the CAPPS-II tests, another TSA spokesperson, Heather Rosenker, told me that in fact CAPPS-II test subjects were given no notice. Ms. Rosenker told me that the CAPPS-II test system didn’t constitute a “records system” within the meaning of the Privacy Act, notwithstanding the governments’ Federal register filing for it under the Privacy Act.
As applied to the tests, that’s an arguable interpretation of a loophole in the Privacy Act. But Ms. Rosenker conceded that eventually, as testing proceeded, Privacy Act notices will be required. Under the Privacy Act, such notices must be provided before the information is collected, which won’t be possible for reservations that have already been made. (Mr. Lunner said that the information will be transferred to the TSA as soon as the reservation is completed.) Privacy Act notices must indicate exactly what information is actually required, and the consequences of not proving that information, neither of which has yet been spelled out by the TSA, either in their legal filings or their press briefings.
I’ve been unable to find any Privacy Act notice on the Delta Air Lines or jetBlue Web site, in any CRS/GDS, or in the privacy disclosures or policies of any online travel agency that sells Delta or jetBlue tickets. So far as I can tell, neither Delta nor jetBlue has not yet informed travel agencies and agents that information they provide to Delta or jetBlue could be passed on to the government of the USA. Neither the potential disclosure of information to the government (or by them to others) nor the Privacy Act was mentioned when I called Delta to make reservations for an April flight from San Jose (CA) International Airport, or when I flew on jetBlue from Oakland that same month. The privacy policies on the Delta and jetBlue Web sites don’t mention CAPPS-II, the ASSR/PASSR system, or any possible disclosure of information to the government.
According to an e-mail message sent by Delta in response to consumer complaints about CAPPS-II, “Delta’s role in the CAPPS II pilot program will be limited to providing data to the TSA that Delta already collects from passengers.” But Delta and jetBlue ignore the fact that:
Delta refers questions to the TSA, as though Delta were “only following orders.” But the TSA has not yet given Delta any orders, and couldn’t do so until 30 days after the current comment and rulemaking process and the publication and notice to Congress of the final rules. Delta’s disclosure of passenger information is not in response to any government order: it’s Delta’s own choice to deploy and test CAPPS-II, and to disclose passenger data to the government.
By implementing the CAPPS-II systems and passing data to the TSA for inclusion in ASSR/PASSR databases, before the completion of the Federal rulemaking and comment period, Delta and jetBlue are risking catastrophic liability for breach of privacy and breach of contract, particularly for reservations already made under confidentiality agreements between travellers, travel agencies, CRS’s/GDS’s, and airlines. If the proposals prove incompatible with EU and/or Canadian privacy law, as is overwhelmingly likely, Delta could lose the right to operate flights to the European Union and/or Canada. By volunteering to test the CAPPS-II system, and to transfer passenger data to the TSA, before the rulemaking and approval process for the data transfer has been completed in the USA, Canada, or the EU, Delta and jetBlue are — if the law is enforced in any of these jurisdictions — committing financial suicide.
TSA spokesperson Brian Turmail finally called me back 14 March 2003, two full weeks after I started leaving messages for the TSA public affairs staff. Mr. Turmail reiterated that the TSA “could be expected to republish” its proposals, but couldn’t say when that would happen, or what authority the TSA had to continue testing and transfers of passenger data from the airlines to the government in the meantime. (In early May 2003, another TSA spokesperson, Heather Rosenker, finally told me that the TSA would publish a new proposal “within a couple of months”.) Mr. Turmail said that the March 2003 CAPPS-II tests would use sample data about past Delta passengers, but didn’t know whether those people are being notified or asked for permission to use their data. He claimed that the TSA “talks regularly” with Canadian and EU privacy authorities, but couldn’t say whether those officials know that data from Delta reservations made in Canada and the EU will be used in the CAPPS-II tests, or how Canadian or EU reservations will be identified. He said the TSA plans to have CAPPS-II “in effect” sometime after 1 January 2004, but didn’t know whether the effective date would be based on the travel date or the date the reservation was made, whether reservations being made now for 2004 travel would be subject to CAPPS-II (reservations can be made up to 11 months, sometimes a year, in advance), or how Privacy Act notices would be provided or consent obtained for reservations already made.
“These are all good questions, but no one has asked any of them before,” Mr. Turmail told me. Many months later, I’m still waiting for answers. But if no one had asked these basic questions before, that tells me that the TSA proposals haven’t yet been subjected to nearly the degree of scrutiny that they deserve, from technical experts like myself or from the public.
As discussed further later on in this article, many of the TSA claims — both in their statements to me and in their news release on CAPPS-II, are demonstrably false, and won’t stand up to informed criticism.
The most misleading statement in the TSA news release is that “once a passenger’s travel is complete, TSA will not retain any information whatsoever about that traveler”. By the time your travel is complete, the TSA could already have passed your data on to others, with no requirement that they purge it when or if the TSA does, rendering it moot whether the TSA itself retains the information.
Finally, the most egregious lie in the TSA news release is the claim that “commercial databases… are already subject to legal and privacy protections”. Mr. Turmail couldn’t say what legal protections those might be, but I can help him out: there aren’t any. The USA has no travel privacy law, and no general privacy law that covers commercial databases such as those maintained by CRS’s and airlines. That’s exactly why we need a comprehensive national privacy law that covers travel data.
On 24 September 2003, Congress enacted H.R. 2555, the “Department of Homeland Security Appropriations Act, [fiscal year] 2004”, which was signed into law by the President on 1 October 2003. It included the following provisions on CAPPS 1, CAPPS-II, and the “selectee” and “no-fly” lists:
H.R.2555, Public Law 108-90
Department of Homeland Security Appropriations Act, 2004SEC. 519.
- (a) None of the funds provided by this or previous appropriations Acts may be obligated for deployment or implementation, on other than a test basis, of the Computer Assisted Passenger Prescreening System (CAPPS II) that the Transportation Security Administration (TSA) plans to utilize to screen aviation passengers, until the General Accounting Office has reported to the Committees on Appropriations of the Senate and the House of Representatives that—
- a system of due process exists whereby aviation passengers determined to pose a threat and either delayed or prohibited from boarding their scheduled flights by the TSA may appeal such decision and correct erroneous information contained in CAPPS II;
- the underlying error rate of the government and private data bases that will be used both to establish identity and assign a risk level to a passenger will not produce a large number of false positives that will result in a significant number of passengers being treated mistakenly or security resources being diverted;
- the TSA has stress-tested and demonstrated the efficacy and accuracy of all search tools in CAPPS II and has demonstrated that CAPPS II can make an accurate predictive assessment of those passengers who may constitute a threat to aviation;
- the Secretary of Homeland Security has established an internal oversight board to monitor the manner in which CAPPS II is being developed and prepared;
- the TSA has built in sufficient operational safeguards to reduce the opportunities for abuse;
- substantial security measures are in place to protect CAPPS II from unauthorized access by hackers or other intruders;
- the TSA has adopted policies establishing effective oversight of the use and operation of the system; and
- there are no specific privacy concerns with the technological architecture of the system.
- (b) During the testing phase permitted by paragraph (a) of this section, no information gathered from passengers, foreign or domestic air carriers, or reservation systems may be used to screen aviation passengers, or delay or deny boarding to such passengers.
- (c) The General Accounting Office shall submit the report required under paragraph (a) of this section no later than February 15, 2004.
When he signed the bill, the President issued a statement that he considered the requirement for certification by the GAO (a Congressional agency, not part of the executive branch of government), to be solely “advisory”:
The executive branch shall construe as calling solely for notification the provisions of the Act that purport to require congressional committee approval for the execution of a law. Any other construction would be inconsistent with the principles enunciated by the Supreme Court of the United States in 1983 in INS v. Chadha…. To the extent that section 519 of the Act [concerning CAPPS-II] purports to allow an agent of the legislative branch [i.e. the GAO] to prevent implementation of the law unless the legislative agent reports to the Congress that the executive branch has met certain conditions, the executive branch shall construe such section as advisory, in accordance with the Chadha principles.
If the President, and the DHS and the TSA as executive agencies, abide by the law, the GAO audit and certification requirement may eventually prove significant. But it’s important not to allow this law to be used as an excuse for a relaxation of pressure on the TSA and DHS.
Given the implementation problems, there’s little chance that the TSA would have been ready for deployment of CAPPS-II by February 2004 anyway. So the temporary postponement of deployment authorization is highly unlikely to cause any delay in how fast CAPPS-II is put into effect. The law allows testing with real passenger data, and transfer of passenger data to the TSA (and by the TSA to whatever other agencies and private entities it chooses) to continue unabated. And CAPPS-II contractors could, and possibly would, continue preparations for CAPPS-II deployment on speculation, at their own expense, in the hope of getting a head start on lucrative CAPPS-II contracts if and when the program resumes.
The TSA and DHS continue to claim, disingenuously, that they haven’t (yet) conducted any CAPPS-II tests with real data. That might be true, but it’s irrelevant, since repeated tests with real passenger data have been conducted by the contractors who are likely to operate the CAPPS-II system once it is deployed. TSA/DHS’s misleading denials serve only to highlight the need for any effective CAPPS-II oversight or travel privacy measures to include private entities as well as government agencies.
But by requiring an independent audit of the CAPPS-II program and plans, and an assessment of whether it would actually be effective in identifying terrorist threats, this is a welcome step toward Congressional oversight over CAPPS-II.
Enactment of this law sets the terms of future Congressional debate on CAPPS-II: CAPPS-II has absolutely no base of grassroots or Congressional support, many questions about CAPPS-II remain unanswered, and no additional funding or approval for CAPPS-II is likely unless and until those questions are answered. In the minds of most members of Congress, the burden of proof is now clearly on the TSA and the DHS to justify the CAPPS-II program — not on CAPPS-II critics to point out any more problems with it than are already apparent.
None of this, however, addresses the fundamental problems: the absence of any comprehensive national privacy legislation in the USA (the Privacy Act only applies to information collected by the government), the absence of any specific Federal privacy rules for the travel industry (the Department of Transportation’s regulations governing the operation of the CRS’s are undergoing their first review and revision in a decade, but there’s nothing in any of the drafts to add any privacy requirements), and the lack of public awareness of the significance of travel data in the wrong hands or used for the wrong purposes (although that’s starting to change as a result of my widely-publicized revelations about the misuse of jetBlue Airways reservation data).
The real problem in the TSA proposals is that travel data is inherently sensitive — whether in corporate or governmental hands. That problem requires a broader privacy solution from Congress, for travel as for other sensitive categories of data, that would apply to the public and the private sector.
So this is a start, but only a start, towards a Congressional investigation and hearings on current privacy and personal information handling and usage practices in the travel industry, and passage of a comprehensive Federal privacy law for travel records.
Further Congressional hearings and debate on Terrorism Information Awareness (TIA, originally called “Total Information Awareness”, but renamed to make it sound less ominous) are expected now that DARPA’s report to Congress under the Wyden TIA Amendment of 20 May 2003 has been delivered. In the section of the report on “Laws and Regulations Governing Federal Government Information Collection” (beginning on page 21), “airline reservations” are the first and, in fact, the only specific category of data mentioned as potentially being scanned or monitored by TIA programs. But DARPA’s own exhaustive list of laws and regulations potentially relevant to its operations, in the rest of that section of the report, fails to find any that would restrict TIA access to airline reservations or other travel data.
At Senate hearings on TIA in May 2003, DARPA and DHS officials said TIA will avoid using privacy-sensitive medical or financial data, and will instead rely primarily on travel data (which Congress and the public are presumed to regard as less privacy-sensitive). According to a report of the hearing in the New York Times, DARPA’s witness “said the main area of private data that might be useful in anticipating terrorist attacks would be transportation records”, and that TIA “would rely mostly on information already held by the government, especially by law enforcement and intelligence agencies.”
It’s hard to escape the conclusion that travel data is central to the government’s current conception of TIA, that CAPPS-II may be the key data-acquisition mechanism for TIA, and that the use of data obtained through CAPPS-II has been the subject of specific TIA research and testing.
In September 2002, at the height of the first round of TIA research and development contracts, 5 million jetBlue PNRs were provided to Torch Concepts, Inc., at the request of the TSA, for development and testing of systems for “Homeland Security - Airline Passenger Risk Assessment”, according to a conference presentation by Torch Concepts which I discovered and first reported on this Web site, in one of my newsletters, and to the Infotec-Travel mailing list on Monday, 15 September 2003, and which was removed from the original conference Web site 2 days later.
(Two days after I sent copies of my original story to several other journalists, including reporters for Wired.com and the New York Times, the story was picked up by Wired.com, properly acknowledging me as the original source, on Thursday, 18 September 2003. By Saturday, 21 September 2003, the story had made it to the front page of the New York Times, although the Times and most of the other wire service and follow-up stories incorrectly attributed the original source to Wired.com, rather than to my Practical Nomad Web site and newsletter.)
I wasn’t surprised to uncover a scandal like this. The level of awareness and protection of consumer privacy in the travel industry that there are undoubtedly many other travel privacy scandals waiting to be exposed. I didn’t know I’d be the one to discover it, but I’d been expecting a travel privacy scandal: On a panel of journalists at the eTravelworld conference of travel industry executives New York in 2001, I predicted to conference chair Henry Harteveldt that the next big issue for the travel industry would be privacy — but that it wouldn’t become an issue until there was a major privacy scandal to call consumers’ attention to the importance of the privacy of travel records. And this wasn’t the most scandalous thing I’ve reported about privacy practices in the travel industry, or the first time real passenger data was used for CAPPS-II testing. But whatever the reason, this was the first of my stories on this topic to be picked up and reported in publications with wider readership than my Web site or newsletter.
In his presentation to the military contractors’ conference, Bill Roark, now CEO of Torch Concepts’ subsidiary for military work, Torch Technologies, said that the “first DOT-TSA meeting addressed [the] proposed project” in June 2002, and in July 2002 Torch Concepts was “given assurance that we would receive the necessary data base being used by CAPPS II contractors.”
In August 2002, when Torch Concepts was “informed we would receive the JetBlue data base, we indicated that this would probably be very limited”, presumably because it contained data from only one airline — by that same time, other CAPPS-II contractors had been provided with PNRs from multiple airlines, through CRS’s including Sabre and/or through third-party PNR-processing systems such as IBM’s Airline Control System (ALCS).
The TSA has admitted that they asked jetBlue to turn over passenger data to Torch Concepts, which sent the passenger records to Acxiom Corp. to “augment” with data from Acxiom’s data warehouse of financial and residence information, Social Security Numbers, etc. But the TSA and jetBlue both claim the jetBlue PNRs were provided for a “threat identification” subcontract funded by Department of Defense, not the TSA or DHS, and that had nothing to do with CAPPS-II. According to a press release on the Torch Concepts Web site, dated 8 May 2002, Torch Concepts, Inc. Wins Contract to Develop Technologies to Identify Terrorist Threats, “This effort will be performed under a subcontract to SRS Technologies (“SRS”).” That sentence was removed from the copy of the press release on the Torch Concepts Web site on 19 September 2003, presumably to avoid having the use of jetBlue Airways reservation data, and the involvement of the TSA, linked to SRS Technologies.
So who is SRS Technologies? According to a 19 April 2002 news release by SRS Technologies, DARPA IAO Awards SRS Technologies Prime Support Contract, “SRS Technologies was recently selected as the single prime contractor to support DARPA’s Information Awareness Office.” DARPA (the Defense Advanced Research Projects Agency), and its Information Awareness Office, is a branch of the Department of Defense. But in describing the Torch Concepts subcontract to the sole prime Total/Terrorism Information Awareness (TIA) contractor as simply “a Department of Defense subcontract”, jetBlue and the TSA are telling substantially less than the whole truth.
I’m not yet convinced that we should believe jetBlue Airways and the TSA, given the explicit indication in the Torch Concepts conference presentation that they believed that the same data, and more (probably involving other airlines as well), had been provided to CAPPS-II contractors. But even if they are to be believed, and the jetBlue reservation data was used in a study funded under a by the Department of Defense (DARPA Information Awareness Office) under a TIA subcontract, rather than by the TSA or its predecessor DOT under a CAPPS-II contract (despite the TSA and DOT meetings with the subcontractor), the implication is that the real story is one or more of the following:
Should we be “reassured” that our data might “only” have been used to test how useful obtained through CAPPS-II could be to the Total/Terrorism Information Awareness (TIA) program, and/or other military programs, and not necessarily for CAPPS-II tests funded by the TSA? I don’t think so, and I don’t think many of my fellow jetBlue passengers (I’ve been one of their regular customers) will think so either. And we aren’t likely to find out what the government’s real role was in the jetBlue scandal without a Congressional investigation and hearings.
On 22 September 2003, the Electronic Privacy Information Center (EPIC) filed a complaint with the Federal Trade Commission against both jetBlue Airways and Acxiom for deceptive practices in releasing and using passenger information without consent and in violation of their privacy promises. EPIC also filed requests under the Freedom of Information Act with the TSA, DOT, and DoD for the details of their work with jetBlue, Acxiom, and Torch Concepts. A class action lawsuit against jetBlue was filed the same day in state court in jetBlue president David Neeleman’s home state, Utah. Another customer lawsuit against jetBlue was filed the next day in Federal court in Los Angeles, and a third class action lawsuit was filed that same day in Federal court New York. Yet another lawsuit has been filed in San Diego, California, by Privacy Activism and the Privacy Rights Clearinghouse. More lawsuits by jetBlue passengers are reportedly being prepared.
A Freedom of Information Act lawsuit by EPIC seeking information about the relationship between CAPPS-II, TIA, and the Pentagon was filed in June 2003 in Federal District Court in Washington, DC. Given the admissions already made by DARPA and the DHS of the central role travel data (obtained, presumably, through CAPPS-II) will play in TIA, the next round of Congressional consideration of CAPPS-II will likely occur in the context of the inquiry into TIA. Intriguingly, the Army has referred other FOIA requests related to the use of jetBlue reservation data to the office that handles FOIA requests related to TIA and other DARPA programs.
Congress is beginning to ask questions as well. In a letter sent 17 October 2003 to Secretary of Defense Rumsfeld, three members of the U.S. Senate ask about how, for what purposes, and as part of what government program the jetBlue reservation data was used by the Department of Defense and its contractors.
Among the questions not asked in the Senators’ letter are those about the relationship of the Torch Concepts subcontract to DARPA’s TIA program. Also not yet asked by the Senators are any of the questions about the other CAPPS-II tests with real passenger data, as admitted to by Airline Automation, Inc. and as reported by myself and the Times of London.
We aren’t likely to get to the bottom of the jetBlue scandal, or the (thus far less widely publicized) scandal about the other CAPPS-II tests with real passenger data in 2001-2002 (and perhaps right now) without a full-fledged Congressional investigation. It remains to be seen if the Senators will be content merely to ask questions, or will actually insist on real answers.
Whatever turns out to have happened with the jetBlue data, the most important lesson in this scandal may be that even travel companies with the best privacy policies have virtually no control over, or concern for, who gets access to their passenger data once it is passed on to third parties, and don’t necessarily know or care how or by whom it is being used. Travelers, of course, know even less, and have no control at all over how, to whom. or for what purposes data about them is “shared” or used. I could scarcely imagine clearer evidence of the need for Federal legislation to give travelers the control that most people think they should have, and probably expect that they already have a right to have, over their personal travel records — whether in private, corporate, or government hands.
When I finally reached him on 14 March 2003, TSA spokesperson Brian Turmail dismissed the official ASSR proposals published in the Federal Register as “a deliberately aggressive proposal” intended merely as a starting point for discussion. As part of what Mr. Turmail described as an “aggressive outreach” program, “TSA officials continue to meet with stakeholders to discuss privacy and civil liberties issues related to the security program.” As I and others pointed out in our comments on the TSA proposals, we’re not convinced that this is a system that would make travellers any safer, or that could properly be described as a “security”, rather than a “surveillance”, system. And at the time that announcement was made, there hadn’t actually been any meetings with any privacy or consumer stakeholders. But at least the first TSA meeting with civil liberties groups — a three-day closed-door invitation-only “summit” with, among others, representatives of the ACLU and the CDT — was held a few days later, in late March 2003, at a military conference center in Wye River, Maryland.
According to several people I’ve talked to who were at that meeting, the TSA presented a very different proposal from the “CAPPS 2.0” proposal published in the Federal Register in January 2003. I’ve dubbed the proposal outlined at that briefing, and in less detail in subsequent TSA and DHS public statements and testimony to Congress and the European Parliament, “CAPPS 2.1”.
While CAPPS 2.0 was limited to information already in PNRS’s, CAPPS 2.1 would require airlines to provide the TSA with additional data which travellers aren’t currently required to provide at all, and which can’t be contained in current airline databases — creating a whole new set of problems. The difference between TSA/DHS claims and the underlying reality has been reflected in reporting on the CAPPS 2.1 Privacy Act notice: the Washington Post headlined their story on the CAPPS 2.1 proposal “Surveillance Proposal Expanded” , while the New York Times headlined their story on the same announcement, “U.S. Agency Scales Back Data Required On Air Travel”.
In a news release on CAPPS-II, the TSA says that airlines “would provide TSA only with the information all airlines will collect during the normal reservation and ticketing process,” and Mr. Turmail of the TSA said that would initially consist of each passenger’s name, date of birth, address, and phone number. “Airlines already require three of these four items,” he claimed. Similarly, in a Congressional briefing on CAPPS-II on 7 March 2003, Ben H. Bell III, the director of the program, said that CAPPS-II would use “data currently in the reservation”.
But that’s just not true: airlines don’t, in general, require any of these items. And airlines don’t collect most passenger information — travel agents do. Most passengers never deal with the airline until they check in for their flight at the airport. If a travel agent enters an address in a reservation at all, which they don’t have to do, the default is to enter the agency’s address, not the passenger’s address.
Airline Automation, Inc., one of the leading reservations-processing companies and apparently one of the early-stage CAPPS-II concept development contractors, has previously reported that 80% of PNRs have no passenger address at all. The passenger’s address is an additional, optional item, and not necessarily sent to the airline even when it’s entered in the agency’s records. Likewise the passenger’s phone number: the default entry in a reservation made by a travel agency is the agency’s phone number, with the passenger’s phone number an additional, optional item. (In technical terms, travel agents thus are able to function as “anonymizing proxies” for travellers.) Only one address and phone number is generally entered for each reservation, even if the travellers have different addresses and phone numbers.
In my interviews with them, both Mr. Turmail and Ms. Rosenker at the TSA were adamant that each passenger’s address and phone number are already required by the airlines, so they didn’t feel it necessary to explain by what technical means, or on what authority, travel agents would be required to collect this additional information before they could create a new reservation, or how this data would be added to existing reservations. In an op-ed column in USA Today on 25 June 2003, Admiral James Loy, the head of the TSA, described this as “routine passenger information”.
In fact, as I outlined in my comments on the ASSR proposal and in my presentation at the Computers, Freedom, and Privacy 2003 conference , this would require sweeping changes to travel industry technical systems and procedures. (See my unpublished letter to the editor in response to Admiral Loy’s column.)
Personal data about travellers passes through a long “food chain” of people and information systems, in many cases, before it gets to the airline. In a typical case, it might go like this: You give your travel information to a travel arranger (travelling companion, family member, business associate, assistant, etc.). They provide your information, perhaps through a Web site (user interface, Web server, and booking engine) to an offline or online travel agency. They enter it (through a GUI, command-line interface, booking engine API, or third-party CRS interface) into a computerized reservations system (CRS), also known as a global distribution system (GDS). (The USA Department of Transportation regulations governing their operations refer to them as “CRS’s”, and that’s the term usually used by travel agents. The companies themselves prefer to describe themselves as “GDS’s”.) The travel agent’s CRS sends the relevant portions of the information (using bilaterally agreed inter-CRS data protocols, or the standard AIRIMP protocol) to the CRS of the airline on whose flight you are booked. If your trip involves travel on multiple airlines, or a “codeshare” flight actually operated by a different airline, your information is passed on again, perhaps to yet another CRS (again using bilaterally agreed protocols or the AIRIMP).
None of these systems, interfaces, or protocols provide any way, much less any standard way, that the data the TSA plans to require under CAPPS 2.1 could be entered. Each of these systems and interfaces will have to be modified — all in consistent and compatible way, and while continuing to handle millions of reservations every day — to support the TSA’s plans for CAPPS 2.1. There is no evidence that the TSA has even considered the cost (or who would pay it) or time required for these changes.
Airlines have put the cost of even much smaller IT infrastructure changes, limited to airlines’ own internal systems, in the hundreds of millions of dollars. The best clue of likely CAPPS-II costs are the estimates, and commentary on them, in the comments of IATA, the international airline trade association, on the BCIS proposals to require airlines to collect passenger manifest data at check-in:
“IATA advised that the figures it was providing were estimates only and likely to be extremely conservative. The figures … indicate that the estimated cost of the program’s implementation will be approximately $164 million dollars. We believe now, based on a sampling of additional estimates now being reported by various airlines, that the actual costs for both initial implementation and data collection / airport operations will rise significantly higher.”
Because data collection for the BCIS scheme would only occur at check-in, and would be done directly by the airlines, there would be no impact on travel agents, and no need to modify the interfaces between airlines. CAPPS 2.1 would implicate many more systems, interfaces, and protocols, and be much costlier.
IT implementation costs of CAPPS 2.1 would likely exceed a billion dollars, and even with funds in hand the work would likely take several times longer than the TSA has budgeted. Since the TSA’s budget for CAPPS-II is only US$35 million in fiscal 2004, during which CAPPS-II is supposed to be put into full operation, it appears that the TSA expects the travel industry — airlines, CRS’s, and travel agencies — to foot the bill themselves. That’s unlikely to be possible, given the state of their cash reserves in the current travel climate. In effect, CAPPS 2.1 will conscript travel agents, airlines, and other travel data intermediaries into service as involuntary, unpaid servants of the government’s surveillance, monitoring, and data collection agenda.
Collecting the additional data the TSA wants for CAPPS 2.1 will also require changes to business procedures, and require additional labor, especially for travel agents and airline reservations and ticketing staff. Travel agents will bear most of the burden of collecting and entering information about travellers, as well as complying with requirements to provide notice and obtain consent for disclosure of passenger data to the government (and keeping records that this has been done). CAPPS-II, in any of its variants, will also invade the confidentiality of travel agents’ relationships with their clients: travel agents would be required to provide specified passenger data to the government, even if that information is subject to a contractual non-disclosure agreement and wasn’t previously entered in PNRs.
The TSA hasn’t said how much it expects CAPPS-II to cost airlines, travel agencies, CRS’s, or other travel companies, or who it expects to pay those costs. The Office of Management and Budget requires Federal agencies to submit “Capital Asset Plan and Business Case” (Exhibit 300) materials, including an evaluation of privacy and security risks that a project might pose, with each budget request. And the E-Government Act of 2002 requires agencies to prepare a privacy impact assessment before developing or procuring information technology that collects, maintains or disseminates identifiable information — which obviously applies to CAPPS-II.
The TSA failed to respond to FOIA requests for release of the “Exhibit 300” materials (if any) on CAPPS-II that it provided to the OMB, or the privacy impact assessment (if any) on CAPPS-II that it prepared under the E-Government Act. On 4 September 2003, EPIC filed a Federal lawsuit to compel the TSA to release these documents — essential to oversight of the TSA’s plans, and to informed criticism of its proposal — before the close of the public comment period on the CAPPS 2.1 Privacy Act notice. The next day, in response to the lawsuit, the TSA and DHS promised the Court that they would expedite release of these documents, by 25 September 2003 at the latest. But when the agreed-upon deadline for disclosure arrived on 25 September 2003, the TSA response to the FOIA request revealed that the required privacy impact assessment had “not yet been finalized,” and withheld from disclosure all 273 pages of cost and “business case” documents on the grounds that all information concerning “security procedures” is exempt from disclosure. So it’s impossible to tell if the TSA’s cost estimates are realistic.
In an op-ed in USA Today on 25 June 2003, “Admiral” James Loy, the Administrator of the TSA, repeated the false claim that CAPPS-II (CAPPS 2.1) would use only “routine passenger information — name, date of birth, home address and home phone number.”
(That such an Orwellian scheme as CAPPS-II is being implemented under the direction of someone who insists on using his military title, while administering what purports to be a civilian agency, is, of course, symptomatic of the extent to which the “war on terrorism” has become a war — waged by soldiers with a military mindset — on civilian civil liberties.)
Contrary to Admiral Loy’s claim, the data which the TSA would require airlines and travel agents to collect and compile under CAPPS-II is not “routinely” required from airline passengers. The primary effect of CAPPS 2.1 would be to mandate travellers within the USA — who previously have not needed a domestic passport — to provide detailed identifying information for the government’s use, and to prove our identity with government issued identity papers. This is a surveillance system and national ID requirement, not a security system.
And unless Congress enacts a travel data privacy law, the new information we will have to provide under CAPPS-II will become the sole property of the airlines, which they will be free to use or sell to whomever they please, with no obligation to tell us or ask our permission. While it would be costly for the airlines to implement, CAPPS 2.1 would also be a government-mandated windfall for airlines as marketers of data archives about us and our travels.
Even if no data is retained by the government, the requirement that travellers provide additional identification information and show ID documents will fundamentally change the nature of travel reservation records — and their potential for abuse by both governmental and corporate entities.
Right now, airlines, travel agencies, and CRS’s are free to retain records of reservations for as long as they like, and do whatever they please with them. But those records are of limited use and limited potential for abuse: there’s no practical easy way, in most cases (absent frequent traveller numbers) to identify which historical PNRs pertain to a particular person, and which to unrelated people with the same or a similar name. In order to find out a subject’s travel history — whether for marketing, law enforcement, or surveillance purposes — they have to search through billions of PNRs looking for clues to the travellers’ identities.
The additional identifying information required under CAPPS-II will enable CRS’s to index all PNRs by the name, date of birth, home address, and home telephone number of each traveller. Retrieving your complete travel history will be a simple matter of querying the 4 major CRS’s, who can turn over their records about you to whomever they please, with or without a warrant or court order. It will be as easy for a federal agent who takes an interest in you to find out your travel history from the CRS’s as it is now to find out your criminal and arrest history from the FBI’s National Criminal Information System (NCIC).
But travel is a right, not a crime. Travel records are very different form criminal records. Should it be as easy for anyone in the government (or a marketing firm) to find out from the CRS’s that on 15 January 1983 I flew from Boston to Miami, who my travelling companion was, and where I stayed, as it is for them to find out from NCIC that on 15 December 1982 I was convicted of refusal to submit to registration with the Selective Service System? CAPPS-II would treat all travellers like criminals, and enable the CRS’s to keep dossiers on them for life.
Following jetBlue’s announcement that it would no longer participate in CAPPS-II testing or deployment unless ordered to do so by the government, Admiral Loy issued an appeal on 26 September 2003 for airlines to join together to collectively provide “historical” reservation data for further CAPPS-II testing. (That’s apparently what already happened in the 2002 round of CAPPS-II tests, except that in those cases the data — including real reservations from multiple airlines — was provided by Sabre, and perhaps other CRS’s, so the airlines may not even have known about it.)
Since the whole point of CAPPS 2.1 is that it would rely on info not now in PNRs, it’s not clear what possible value further tests with past PNRs could be. And I don’t think the public will be pleased to hear that the records of their past travels have been archived and are available after the fact for uses like this, or for anything else, without their consent.
Following the rollout of the CAPPS 2.1 proposal at the Wye River “summit” in March 2003, I was invited to what was to be the next TSA briefing on CAPPS-II, which was scheduled for 26 March 2003 in Washington, DC. But that meeting was cancelled at the last minute. After a long hiatus, the meeting was rescheduled for Thursday, 29 May 2003, in San Francisco. (Many of the technology-centric activists and organizations who filed comments on the TSA proposals are based in San Francisco and Silicon Valley.) Once again, the meeting was cancelled the weekend before it was to happen. The next word I received was that it would be rescheduled sometime in June, then in July, then in August, then in September 2003, in San Francisco. The organizers have confirmed that DHS chief privacy officer Nuala O’Connor Kelly and CAPPS-II director Ben H. Bell, III, will be coming to San Francisco to participate in this meeting (if it ever happens) with us, and the latest schedule changes were ostensibly to accommodate Ms. O’Connor Kelly’s schedule.
That may be true, but it’s not at all obvious to me that this delay is worthwhile. I’m not aware that Ms. O’Connor Kelly has yet announced any changes to the CAPPS-II program, nor is it clear that she has the authority to order such changes. Since her appointment, her role has seemed to be primarily that of a public apologist for the DHS’s privacy practices, and not yet as an ombudsman or oversight officer.
I am, however, gravely concerned that the delay is likely to render our discussions moot. If the TSA and the DHS are sincerely interested in our input, it seems logical to expect that they would want that input as early as possible in the system specification, development, and deployment process. Continued development, on a fixed deployment schedule, while at the same time postponing these “consultative” meetings repeatedly, tends to suggest that TSA and DHS don’t seriously contemplate making any basic changes as a result of our input, but will merely be presenting us with a fait accompli. That’s not the way these meetings have been advertised.
Since the first (and to date only) meeting with CAPPS-II critics and stakeholders at Wye River, Maryland, in March 2003, both the DHS and the TSA have said publicly and repeatedly that they are placing the highest priority on CAPPS-II. There has been no further public comment on the status of CAPPS-II testing and deployment (and my longstanding and specific questions about the testing seem likely to remain unanswered until the next meeting), but it appears likely, given that prioritization, to be on the fast track.
Ms O’Connor Kelly’s appointment was advertised as a sign of DHS’s commitment to address privacy concerns more promptly, and earlier in the project development process — not as something that would serve as an excuse to further delay any action on concerns that have been public for many months.
If Ms. O’Connor Kelly is in fact the responsible higher authority over CAPPS-II, and if discussion of CAPPS-II is to be delayed further in order to permit her to participate, she should demonstrate her good faith by ordering a standstill in CAPPS-II testing until privacy concerns can be addressed.
The renewed postponement also calls into question the credibility of the TSA and DHS claims that they are “consulting” or “working with” critics of CAPPS-II, or other stakeholders. One meeting was held, months ago, and no further communication of any sort has occurred since.
Based on that record, I do not believe that it can truthfully be said that the TSA or DHS are currently involved in any active “discussions” with outside parties on CAPPS-II. I certainly hope that the dialogue which began at Wye River will resume, and I am eager to hear what changes Ms. Kelly and others in the TSA have ordered in the CAPPS-II plans, in response to the concerns raised at the Wye River meeting in March. But at this point I think the most accurate description of the state of the “consultation” process is that it was unilaterally suspended by the TSA almost as soon as it had begun, and has not yet resumed, in any meaningful sense.
If the promised meeting ever happens, I’ll be — so far as I know — the first outsider briefed on the CAPPS-II plans who’s ever seen a PNR, much less worked with PNRs as a travel agent, or who is technically competent to evaluate the proposals. So it should be interesting, and I continue to look forward to it.
TSA staff contact for the CAPPS-II briefings is Barbara Huie, Director of Stakeholder Issues for the TSA Office of National Risk Assessment. But the meetings are actually being organized by TSA consultant and contractor Dr. Robert L. Bach, who worked with Director Bell of the TSA Office of National Risk Assessment both as an INS official and on the adjunct faculty at Trinity College in Washington, DC, where Bell teaches “Competitive Intelligence” and Bach teaches “International Migration” and “Transnational Immigrant Communities”. (In an earlier version of this article, I wondered if this was any indication of who the CAPPS-II system is designed to profile as a “potential threat”. In response, Dr. Bach has assured me that he has “spent most of my academic and government life promoting legal immigration and defending the rights of migrants and minorities…. I led an office at INS that was formed specifically to reach out to immigrant communities to involve them in various policy discussions and voice their concerns…. I’m sure that when we actually meet … you will have no doubt of my past, present, and future commitment to defending the rights of immigrants.”)
“All views will be carefully considered,” says the TSA news release. “Our intent here is to consult with the widest possible range of involved parties,” according to TSA spokesperson Mr. Turmail. Certainly the fact that a consumer advocate for travellers’ privacy such as myself is being included is a positive sign.
I hope the TSA is really willing to listen, and I hope they get the message from me and others that they need to bring the USA into line with international norms for protection of privacy as a human right, as have been enacted into law in Canada and the European Union, among other places. But if they were serious about incorporating their critics’ views in their plans, they’d be talking to us before the start of CAPPS-II testing, not after: the first thing the TSA needs to do, if they are serious about respecting privacy, is to publish a notice withdrawing their original travel database proposal, and make a public commitment that no travel records will be turned over to the government until after the consultation and rulemaking process is complete. And before they start talking about turning more travel records over to the government, they need to put in place an enforceable framework of privacy protection for existing “private” and commercial travel databases, especially the centralized ones maintained by CRS’s/GDS’s.
The final TSA briefing on CAPPS-II before the official publication of the revised proposal in the Federal Register was an invitation-only briefing, on one day’s notice, in Washington the last week of July, 2003 — only a day or two before the Federal register publication (and clearly too late to incorporate any suggestions from attendees into the new proposal). Mr. Clint Fischer of the TSA, who called the meeting, described it as a meeting with “stakeholders”. But it would appear to have been simply an attempt by the TSA to brief the press and put their spin on the forthcoming Federal Register notice.
On 31 July 2003, the TSA released the text of a revised Privacy Act notice for CAPPS-II, which was published in the Federal Register the following day, 1 August 2003.
The “new” notice was mostly just a formalization of the same CAPPS 2.1 proposal that has been on the table — and under active development and testing — since before the Wye River meeting in March 2003. There’s nothing to suggest that the TSA has actually redressed any of my, or anyone else’s, privacy, civil liberties, consumer, industry, cost, or feasibility complaints. The “Aviation Security Screening Records” (ASSR) systems has been re-named the “Passenger and Aviation Security Screening Records” (PASSR) system. And the uses of the CAPPS-II system have been expanded from passenger profiling to criminal warrant checks. But no major or substantive improvements appear to have been made in response to the many criticisms raised at the March meeting with privacy advocates, or subsequently. And in announcing the new proposal, the TSA’s 31 July 2003 press release and a later statement issued 25 August 2003 by Admiral Loy of the TSA and Ms. O’Connor Kelly of the DHS repeated many of the same false and misleading claims they’ve been making for months:
The Privacy Act notice for the PASSR (CAPPS 2.1) system purported to be effective immediately on publication in the Federal Register 1 August 2003, notwithstanding the requirement in the Aviation and Transportation Security Act for 30 days advance notice to Congress of final regulations under the relevant sections of that act before they can be effective. Comments on the latest proposed rules can be submitted by e-mail to privacy@dhs.gov. Comments should reference “docket number DHS/TSA-2003-1” in the subject line of the e-mail; the deadline for comments is 30 September 2003 (60 days after the publication date).
I filed preliminary comments with the DHS/TSA immediately on 1 August 2003 concerning their failure to give Congress 30 days’ notice before putting the new regulations into effect, as they are required to do. On 30 September 2003, I filed my complete comments on the CAPPS 2.1 proposal.
The DHS promised in its notice in the Federal Register that “DHS will make the comments available online at www.dhs.gov.” As of 21 October 2003, following the close of the comment period, there was still no link to the comments at that address. But through a link on the CDT Web site, I found that some of the first comments have been posted on a page deep within the DHS organization chart, not listed (under any category) in the DHS Web site map, and not linked from the pages for legislation and regulations or the pages describing the CAPPS-II notice and request for comments.
The comment period ran through 30 September 2003. As of 21 October 2003, the DHS has only posted the comments received by e-mail through 20 August 2003 (only a third of the way through the comment period, and by snail-mail dated 19 August 2003 - 2 September 2003 (still long before I broke the jetBlue Airways story which first brought widespread public attention to privacy issues with travel data).
The comment period didn’t end until , but there’s still no sign of any of the comments filed by e-mail after 20 August 2003, or any of the comments filed after I exposed the jetBlue Airways scandal 16 September 2003. (And extra credit to everyone who can figure out how to find the comments from the DHS home page at www.dhs.gov, where they had promised they would be posted.)
Undoubtedly there are thousands more critical comments yet to be posted. But even before the jetBlue scandal, individual comments filed with DHS were running 5,847 to 1 against CAPPS-II. (There were actually 2 comments in support of CAPPS-II, but one was from a data aggregation company hoping to make money selling access to its archives of personal information for use in the CAPPS-II system, not from an individual member of the public.) With the public opposed to the program by more than 5,000 to 1, even before the jetBlue scandal, it’s time for the DHS to withdraw the CAPPS-II proposal entirely — and for Congress to hold hearings on the privacy of travel records and enact a Federal privacy law to give travellers in the USA the same privacy protections that they already have in Canada, the European Union, and elsewhere.
About | Bicycle Travel | Blog | Books | Contact | Disclosures | Events | FAQs & Explainers | Home | Mastodon | Newsletter | Privacy | Resisters.Info | Sitemap & Search | The Amazing Race | The Identity Project | Travel Privacy & Human Rights
This page published or republished here 5 October 2020; most recently modified 15 February 2021. Copyright © 1991-2024 Edward Hasbrouck, except as noted. ORCID 0000-0001-9698-7556. Mirroring, syndication, and/or archiving of this Web site for purposes of redistribution, or use of information from this site to send unsolicited bulk e-mail or any SMS messages, is prohibited.
