False, incomplete "Privacy Statement" on PNR access by USA Homeland Security Dept.

The USA Department of Homeland Security (DHS) has released a Customs and Border Protection Privacy Statement For PNR Data Received in Connection with Flights Between the U.S. and the European Union that grossly misstates the actual content and usage of the data in passenger name records (PNRs), and misleadingly fails to mention critical aspects of PNR data and how it is handled.

The “Privacy Statement” was posted without comment, explanation, or any press announcement on the Web page of the DHS Privacy Office , but appears to be intended to satisfy clause 36 of the Undertakings made by the DHS to induce the European Union to approve access by the DHS to PNR data from the EU:

36) CBP [the DHS Bureau of Customs and Border Protection] will provide information to the traveling public regarding the PNR requirement and the issues associated with its use (i.e., general information regarding the authority under which the data is collected, the purpose for the collection, protection of the data, data sharing, the identity of the responsible official, procedures available for redress and contact information for persons with questions or concerns, etc., for posting on CBP’s website, in travel pamphlets, etc.).

What’s wrong with the claims in the DHS “Privacy Statement”?

• “2. Who is affected by the program? All persons traveling on flights to, from or through the United States will be affected by this program.”
  Actually, PNRs also contain, and the DHS has access to, data on many more people than just travellers on those flights. PNRs contain personally identifiable data, protected by the EU Data Protection Directive and other countries’ laws, concerning:

1. Travel agency and airline staff (identifiable from the unique “Agent Sine” in the audit trail or “history” portion of the PNR for each addition, deletion, or change to PNR data);
2. People who make reservations for others, such as personal assistants, business associates, family members, etc. (identifiable from the “Received From” field in each entry in the PNR history);
3. People for whom reservations were made (with or without their knowledge), but who aren’t on those flights because they never bought tickets, cancelled or changed their reservations, etc. (identifiable because even totally cancelled PNRs are still displayed in , and retrievable from, the “passenger manifest”, and because cancelled names and other details can never be deleted from the PNR history);
4. People who pay for tickets for others, even if they aren’t travelling themselves (identifiable from “Form Of Payment” details in PNRs); and
5. Friends, relatives, business contacts, and hosts or contacts of travellers (identifiable from “Local Contact” and “Reconfirmation” data in PNRs).
   

• “3. What information will CBP receive? CBP will receive certain PNR data concerning persons traveling on flights to, from, or through the U.S.”
  Actually, when the CBP requests a PNR, they receive all data in the PNR, not just “certain” data. The DHS claims it will only use certain data, but a self-limitation on what data it uses is fundamentally different from a technical or policy limitation on what data it receives in response to “pull” queries.
  
  
• “Airlines and central reservation agencies create these PNR files in the reservation and air carrier departure control systems for each itinerary booked for a passenger.”
  Actually, most PNRs are created by travel agents and agencies. That’s significant because the transfer of PNR data from the EU to commercial entities in the USA, particularly from travel agencies and airlines in the EU to airlines and CRS’s in the USA, is not covered by the “Undertakings” or the adequacy decision and the purported (but unratified) DHS-EU agreement based on them, and remain subject to enforcement action for violation of the EU Data Protection Directive, the privacy clause of the EU Code of Conduct for CRS’s , and EU national data protection laws.
  
  
• “The PNR data contain a variety of information provided routinely by a customer…. The PNR may include other information voluntarily provided by a customer during the booking process.”
  Actually, most of the data in the PNR is entered (either manually or automatically) by travel agencies, airlines, and other suppliers of travel services (hotel and car rental companies, etc.), and is not “provided by a customer”, even if the customer is the same as the traveller. Even when information is voluntarily provided by the traveller to the airline or travel agency, there is a distinction the DHS fails to recognize between voluntarily providing it to e.g. the travel agency, and consenting to have it entered in a PNR. Travel agencies vary widely in which customer information they enter in PNRs, and which they store independently. Airtreks.com where I work, for example, puts as little customer information as possible in PNRs. But I know of no Internet travel agency that discloses which customer information will be entered in PNRs, at what point in the booking and purchasing process this will (irrevocably) be done, in which CRS the information will be entered, or in most cases even the fact that data will be entered in a CRS. Of course, this flagrantly violates the privacy policies of some of these travel agencies, including the largest, Expedia.com (note that you have to agree to accept cookies before you can even read their privacy policy — which they don’t follow anyway — to see if you want to accept their cookies). But in the USA those policies usually state that they aren’t part of the contract, and are effectively unenforceable in the absence of a Federal travel privacy law.
  
  
• “4. Who will have access to the information? CBP will have access to PNR data from flights between the U.S. and EU.”
  Actually, the DHS has access to all PNRs of all airlines operating international flights to, from, or via the USA. Whether or not one believes the DHS claims that they won’t access PNRs not associated with USA flights, the fact is that they have the ability to access them (and I’ve previously reported that they’ve used that ability, as a sufficiently competent and through audit would show).
  
  
• “5. How will the information be protected? CBP will keep PNR data secure and confidential, consistent with applicable U.S. law. Careful safeguards, including appropriate data security and access controls, will ensure that the PNR data is not used or accessed improperly.”
  Actually, CBP doesn’t keep, and won’t keep, most PNR data, and has made no attempt to “ensure” that the airlines and CRS’s that keep it will exercise any safeguards whatsoever over how it is used. Even if it wanted to do so, the DHS probably has no authority to require any safeguards in airline or CRS handling of PNRs unless and until Congress passes a new law to protect the privacy of reservations and travel records.

I’ve previously analyzed the inaccuracies and distortions in the “Undertakings” and their description of PNR data elements, to which the new DHS “Privacy Statement” refers those seeking further details.

All these lies and distortions aside, the latest DHS “Privacy Satament” is too little, too late. Too little, because the commercial entities in the USA that actually receive PNR data from the EU before the USA government, and retain it longer, remain subject to no privacy or data protection law whatsoever in the USA. Too late, because the CBP has already had access to this data for well over a year. Since personal data can be (irrevocably) entered in PNRs a year in advance of travel, a requirement that notice be provided prior to reservations (for which there is still no mechanism or requirement) would need to be put into effect at least a year before the flights for which PNRs would be accessed, not (as has happened) a year after those flights.

It’s not entirely clear whether the falsehoods in the “Privacy Statement” are the result of incompetence or deliberate deception . But if the DHS Privacy Office were staffed or run by Privacy Protection Officers rather than Privacy Invasion Apologists, they’d stop publishing soothing nonsense like this and get to work lobbying Congress to pass some real travel privacy protection legislation protecting PNR data in both commercial and government hands.

Citizens and residents of Canada or the European Union obviously aren’t going to find out from the DHS what has really been done with your personal data once it’s been sent to the USA. If you want to know, you can and should request copies of your travel records — including archived PNRs from your past air travel — as well as a report on who has been given access to your data, from each airline or CRS that might have information about you. It’s particularly important to make such requests of the four major global CRS’s, not just airlines.

Ask each of the four major CRS’s for complete copies including the “history” (audit trail) of all PNRs in their system, whether in live or archival storage and whether created by travel agencies or airlines, that contain personal information about you. Ask for a complete log of what portion of each of those PNRs has been provided to what commercial or governmental entities, under what if any contractual restrictions on its use or further dissemination by them. Make sure your request to the Amadeus CRS includes its Airline Automation, Inc. subsidiary in the USA, which has the most diverse PNR archive and has been a major provider of data for both government and commercial passenger profiling tests.

(If anyone tries this, please let me know what happens: CRS’s have told me that no one has ever made a request like this, so they haven’t yet had to figure out how to respond.)