USA snooping on airline reservations violates so-called "deal" with EU

One of the major concerns of the European Union (and other countries) about the demands by the USA for access to airline reservations has been how that access could be limited and controlled.

In its report last month to the European Parliament, the European Commission noted the urgency of, “Replacing ‘pull’ (direct access by US authorities to airlines’ data bases) with a ‘push’ method of transfer… The Commission is of the opinion that the rapid development and introduction of filter and ‘push’ technology is necessary.” But, as the EC also noted, “It would be difficult to envisage obliging airlines, including US airlines, to adopt such a system, without creating a legal obligation for them to do so. There is currently no EU law or Community policy that obliges airlines to transfer PNR data in this way.”

Unlike the USA authorities, the EC has actually consulted, to a degree, with industry: “The Commission’s services held a second technical meeting with industry experts and various technology providers on 13 November. We learnt that these systems were technically feasible, but it is still unclear how they could best be implemented or supervised. It was also made clear at that meeting that implementation of a ‘push’ system could not solve the problem alone. Filters would also need to be installed. These filters entail significant costs for the airlines.”

Under a “pull” system, the DHS has access to the CRS hosting each airline’s database, and can query or “pull” any data in any PNR for any flight, at any time. Under a “push” system, a batch process by the airline or CRS when the flight departs would collect the PNRs for passengers actually on board (after any no-shows, last-minute cancellations, boarding of standby passngers, etc.), “filter” them to remove all data except that required and authorized for the DHS to receive, and “push” the filtered data for the flight to the DHS. Under a “push” system, the DHS would have no way to access any data except when it was pushed by the airline or CRS, on departure and after filtering.

In any event, a “push” system hasn’t (yet) been implemented. Instead, the USA Department of Homeland Security has been given direct access to each of the CRS’s hosting reservations on international flights to or from the USA. There are no (technical or security) limits on that access: DHS staff with access to the CRS’s have the capability to review the entire contents of any reservation in any of those CRS’s, at any time.

In theory, the USA has agreed to policy limits on what data they will view. In particular, the DHS only claims the right to review PNRs for flights to, from, or within, the USA, and only once incoming flights depart their origin for the USA.

But the unique CRS “set addresses” (the CRS counterpart of IP addresses) assigned to the DHS make it possible to track and log each query they make to the CRS. And I’ve learned from a source familiar with those records of DHS use of their CRS terminals that the agreed-upon limits have not been observed:

“They [the DHS] pull flights to the US days, weeks before departure and list all PNRs. Then they pull each PNR and names that are “odd” they pull the history. It’s bizarre! Their entries are: List the flight and all PNRs, then they start displaying each PNR, then they start looking at histories.”

The “history” of a PNR is the “audit trail” that shows each addition, deletion, or change to a PNR (reservation, cancellation, confirmation, service or action request or acknowledgement, message form another CRS, etc.), who made each entry (by sign-in ID, travel agency or airline office “pseudo-city code”, and set address), and the name of the person who requested the change to the reservation (the “received from” field).

I’ve also been told that DHS set addresses have been used to access PNRs for flights entirely within the European Union, and not touching the USA, in even more clear violation of EU law and USA government promises.

Workers with airlines and CRS’s who are aware of this are, quite justifiably, concerned that they may be subject to legal liability, especially in the EU, for complicity in facilitating this illegal access to personal data protected by EU law.

The lesson here is that neither EU citizens nor anyone else can rely on the DHS to police its own practices or to comply voluntarily with self-imposed limits on access to, or use of, sensitive personal data. Citizens of the EU, other countries, and of course the USA itself should insist on both stong technical limits on access to personal information, and independent oversight authority with full investigative and enforcement powers to ensure DHS compliance with its legal commitments in the USA and abroad.