More details on airline, CRS, and USA government data "sharing"

Documents newly obtained by the Electronic Privacy Information center (EPIC) under the Freedom of Information Act, and reporting by the New York Times following the documents’ release, have revealed new details about the use of airline reservations both by the FBI in its investigation of the 11 September 2001 attacks and by NASA in its 2002-2003 airline passenger profiling experiments.

(I’m mentioned in the Times front-page story as “a privacy advocate”, but not named or identified as a journalist, which is something of a breach of journalistic courtesy when referring to a story first uncovered and reported by someone else.)

EPIC’s requests were directed at information concerning the use of 3 months (October-December 2001) of Northwest Airlines reservations by NASA. In response to EPIC’s requests, NASA released an internal e-mail message discussing the volume of data that would be involved, and mentioning that “When we were at NWA [Northwest Airlines], they said that they gave the FBI one year’s data on 6000 CD’s.” The Times says that, confronted with this disclosure, Northwest Airlines, United Airlines, and American Airlines each confirmed having turned over large volumes of archived reservation data to the FBI after 11 September 2001.

The Times says that, “The first hint of the large-scale data hand over came in January [2004] during hearings of the 9/11 commission.” But that’s nonsense. It was apparent much earlier.

It has been considered self-evident by everyone in the airline industry that the investigation of the 11 September 2001 attacks began with, and relied heavily on, airline reservation records. It would have been shocking had it not done so, and I’m surprised to learn that anyone folowing the issue didn’t realize this.

Teams of FBI agents installed themselves shortly after 11 September 2001 in the offices not just of airlines but of CRS’s and some travel agencies like Travelocity.com (through which some of the highjackers were suspected to have bought their tickets). Some of the agents stayed for months, and the travel companies gave them all possible assistance and access to their data. If anything was under attack (other than USA military and economic imperialism, and its respective economic and military command posts in the World Trade Center and the Pentagon), it was air transportation, and the airlines welcomed the Federal assistance in trying to figure out what had happened and what they might do to try to keep it from happening again.

In a written statement to the Joint Congressional Intelligence Committee released on 26 September 2002, FBI Director Robert S. Mueller III described in detail the flights taken by the suspected highjackers in the months before the attacks, including domestic flights within the USA (for which there would have been no immigration or customs records) for which tickets were paid for in cash (and thus for which there would have been no credit or debit card records), including even flights on smaller airlines like Airtran (the former Valuejet).

The Times itself featured the details of Mueller’s statement in a lengthy front-page story the next day, 27 September 2002, F.B.I. Account Outlines Activities Of Hijackers Before 9/11 Attacks, and it was reported at the time by many other news outlets.

The hijackers were dead, and left behind no computerized or other digital records or devices of their own (according to Mueller’s statement) and few paper records. Unless travel agents or airline staff recognized and remembered the hijackers, the only possible source of the information reported by Mueller was airline passenger reservation archives.

I’m no fan of Bob Mueller, who as a junior Assistant U.S. Attorney in Boston prosecuted me for organizing resistance to draft registration (against his instructions from Department of Justice headquarters in Washington) and personally tried the case against me (the case that first got him noticed for his political ambitions) with militarist zeal and smug efficiency. It doesn’t make me feel safer to know that the Director of the FBI has a personal animus against me that goes back more than 20 years (although I’m certainly not the first person to have been in that position with various FBI Directors over the years). But Mueller and the FBI would have been derelict not to subpoena all the reservations of passengers on the flights that were hijacked, or that could be identified as pertaining to the hijackers’ other travels.

The only questions that weren’t answered in Mueller’s 2002 statement were whether the Feds bothered to formalize their requests for reservation data with subpoenas (the airlines, CRS’s, and most travel agencies would have turned the data over anyway, of course, but the Times’ new report says they got subpoenas, as they should have), and exactly how wide a dragnet they cast (the Times says Northwest Airlines has now confirmed that they turned over reservations from an entire year of flights preceding 11 September 2001, and that’s likely to be what other airlines, CRS’s, and travel agencies did as well).

The documents obtained by EPIC from NASA also show how difficult the task of extracting data from airline records into relational databases proved to be, and foreshadow the difficulties already being faced in development and implementation of CAPPS-II. NASA researchers were surprised to find that most of the raw data wasn’t in ASCII — it’s not clear if they ever considered the possibility that it might have been in EBCDIC — and were surprised that fixed field lenghts had caused many names and other data items to be truncated, greatly complicating name matching. They assumed that there would be PC software tools for reading the PNR data dumps, or that they would be able to build such tools relatively easily. But in the end, the documents reveal, they were unable to make any sense out of most of the Northwest data until they were given access to expert consultants on PNR formats from within Northwest.

Because of multiple airline journeys within a year by the same frequent travellers, it’s imposible to say how many people’s travel records may have been included in the subpoenas. But assuming that each of the major USA-based airlines turned over a year of passenger name records (PNRs), the Feds probably got personal information on tens of millions of unique individuals, perhaps even as much as a hundred million.

In theory, subpoenas ought to present an opportunity for those whose information is requested to contest the request, and to require the agency demanding the information to justify its request in an adversary proceeding before an independent judicial officer.

But that didn’t and couldn’t, happen in this case, because of two critical differences between privacy and data protection law (or the lack thereof, at least with respect to travel records) in the USA, and international norms:

First, travel records (like most other personal data) in the USA are considered to belong to travel companies, not to the people whose movements and activities they describe. You may think that your travel records, mine, and those of everyone else who travelled by air in the USA or on a USA-based airline in 2001 were turned over to the FBI, but the law in this country doesn’t see it this way: in the USA, those records about us aren’t “yours” or “mine”, but belong exclusively to the travel companies that obtained them in the course of our travels.

When we provide personal information in the course of a commercial transaction, USA law assumes that we are making an unrestricted, irrevocable, grant of permission to that company to use, sell, or rent that information to anyone, at its sole discretion, without our knowledge or consent. Forever.

That’s probably not what most of us intend (if we think about it), but it’s what the law in the USA presumes we intend, in the absence of binding contract terms (most corporate privacy policies are explictly not part of contract terms) to the contrary.

It doesn’t have to be this way: in the European Union, Canada, and many other countries, “data subjects” are considered to have certain inalienable rights in personal information about them, and the law makes a different, more realistic, set of assumptions about what is intended (in the absence of explicit provisdions to the contrary) when personal information is provided to a business.

The consequence of all this is that only the airlines, CRS’s, and travel agencies, who were considered the sole owners of “their” passenger files, had standing in the USA to challenge the subpoenas for travel records. The people whose personal information was at stake weren’t considered party to the proceedings, and their interests wouldn’t have been considered — even if they had known what was happening, and sought to challenge it. So there was never any judicial consideration of whether the demand for all reservation information for all travellers worldwide on USA-based airlines for an entire years was overly broad.

Second, no law in the USA requires travel companies to obtain permisison from or even notify travellers, travel agents and airline staff (whose entries are identifiably tracked by their unique user ID’s in the audit trail or “history” of each reservation), or anyone else, when reservations containing personal information about them are transferred to the government or other third parties. Nor are they required to disclose those releases or transfers of personal data, even if the “data subject” specifically asks what information has been given out, or to whom. Since it isn’t legally considered “your” information, the entities that store and control these records about you are legally entitled, in the USA, to tell you that what they’ve done with “their” information about you and tyour travels is, “none of your business”, or simply ignore your questions about what they’ve done.

That’s not the case in the EU or Canada, and it doesn’t have to be the case in the USA if we get Congress to bring our travel privacy law (which currently doesn’t exist) into conformity with international privacy and data protection norms.

In the meantime, there’s still the question of what laws in other countries (where reservation data was collected) may have been violated in the wholesale disclosure and use of those reservations for investigatory and passenger profiling purposes:

1. by at least three (and almost certainly more) airlines and other travel companies to the FBI after 11 September 2001;
2. by Airline Automation (using data from multiple airlines) for its own profiling test in late 2001 and again to four teams of TSA contractors for CAPPS-II tests in mid-2002;
3. by American and other airlines in mid-2002 for those CAPPS-II tests;
4. by Northwest and Worldspan to NASA in 2002-2003; and
5. by jetBlue and Acxiom in 2002 to military contractor Torch Concepts (probably for a Total Information Awareness subcontract).

Each of those five data handovers, which I have discussed previously, may have been legal under USA law, and it may have been legal even under EU and other countries’ laws for travel companies to comply with the FBI subpoenas. But the companies involved still were, and are, required under the EU Data Protection Directive and national data protection laws to disclose, on request of data subjects from those jurisdictions, what data pertianing to those data subjects they have released, to whom, and for what purpose.

If, for example, someone who made reservations from the EU for travel on Northwest Airlines during the relevant time periods in 2001 and 2002 asked, or asks, Northwest was and is required to tell them about each of the five disclosures I’ve just described, including exactly what data was given, to whom, when, for what purpose, and under what if any restrictions.

If Northwest — or any of the other airlines similarly situated — failed or fails to do so on request, it’s in violation of EU law.

The same goes even more strongly for the major computerized reservation systems (CRS’s), four of whom between them host the vast majority of the world’s airline reservations.

The Netherlands national data protection authority (“College Bescherming Persoongegevens”) last month declined to pursue its investigation of a complaint by Dutch civil liberties organization Bits of Freedom against Northwest Airlines, despite having “serious doubts as to whether… the data were provided on a justified basis,” on the grounds that, “the CBP considers this to have been a once-only event”. That’s obviously no longer true, and it will be interesting to see how the Dutch CBP and its counterparts throughout the EU deal with renewed complaints from EU citizens who have requested their complete historical PNR archives, and the records of their use, from airlines and CRS’s.

One of the most interesting revelations in the latest documents provided to EPIC by NASA is the line in this e-mail message about Worldspan, the CRS that actually hosts Northwest’s reservation database:

Worldspan determined that it would be easier for them to give us CD’s rather than tapes.

That confirms that, as would have been suspected anyway, Worldspan was aware of, and actively involved in, the reservation data transfers to NASA — and is required to disclose them, if Worldspan is asked by Northwest passengers from the EU. Simliar requests from EU citizens, particularly those who travelled in 2001 and 2002, directly to the CRS’s, would create similar disclosure obligations for Sabre, Galileo, and Amadeus.

The CRS’s face even more serious problems under the European Union Code of Conduct for Computerized Reservation Systems:

Article 6

A [CRS] system vendor shall provide information, statistical or otherwise, generated by its CRS, other than that offered as an integral part of the distribution facilities, only as follows:…

(d) personal information concerning a consumer and generated by a travel agent shall be made available to others not involved in the transaction only with the consent of the consumer.

To the extent that any of the CRS’s (each of which has a substantial presence and accepts reservations in the EU) was complicit in any of the transfers of PNRs to the USA government or any other third parties (Acxiom, Torch Concepts, CAPPS-II contractors, etc.), especially if they have failed to inform data subjects of what they did, they probably violated this clause of the EU regulations, and are liable to enforcement action and sanctions from the European Commission.

Worldspan itself isn’t talking: sold by its former airline owners to a private equity group in 2003, it’s currently in the “quiet period” after filing notice of a forthcoming initial public stock offering. But it will be hard for Worldspan to avoid amending its IPO filing with the USA Securities and Exchange Commission to disclose its potential liability in the EU for violations of data protection laws and the CRS regulations, particularly if passenger requests to Worldspan for PNR archive information, and complaints against Worldspan to the European Commission and national data protection commission, are filed promptly by EU residents.

The bottom line? As I’ve said before about previous episodes in this still-growing scandal:

There’s no telling how many more cases like these there may have been, or how many other companies you’ve never dealt with directly, or even heard of, may have received your travel records.

Nonconsensual “sharing” of customer data within the industry, and with government agencies, is the rule, not the exception, in the travel industry.

Regulatory authorities and the public in the EU have, until now, focused their attention on transfers of passenger data to the government of the USA. But the larger and more routine violations of EU data protection laws and the EU CRS regulations occur when travel data collected in the EU is transferred — without the privacy safeguards required by EU law — to commercial entities in the USA, including USA-based airlines and CRS’s. These violations of EU privacy law are flagrant, large-scale, long-standing, and ongoing….

The primary problem this episode reveals is not the need for enforcement of existing USA law, but the need for new USA federal law and enforcement of EU and other countries’ laws until the USA brings its privacy protection legislation into line with international human rights norms….

Travellers whose privacy may have been compromised are unlikely to get answers without a full-fledged Congressional investigation, including public hearings, on protection, sharing, and privacy practices and policies for travel reservation data….

The latest revelations reinforce a pattern of unconcern for privacy, breach of public promises, and widespread unauthorized dissemination of sensitive passenger data, both within the travel industry and between industry and government. Clearly the problem, and the need for Congressional scrutiny and action, extends beyond these few well-publicized scandals.

What can be done?

Write to Congress — today. Tell them you want:

1. A Congressional investigation of privacy practices throughout the travel industry [not just data sharing with government];
2. Public Congressional hearings;
3. Termination of CAPPS-II and any other government programs to mandate collection of data on travellers or turn that data over to the government; and
4. A Federal law protecting the privacy of travel data.