USA requires passenger details from international airlines

Advance Passenger Information System (APIS)

Effective today airlines, cruise ships, and other vessels operating on international routes to or from the USA are required to provide the Customs and Border Protection (CBP) division of the USA Department of Homeland Security (DHS), electronically, in a standard format, with detailed information on all passengers and crew members, including information well beyond anything contained in their passports or travel documents:

[E]ach electronic arrival or departure manifest must contain certain information for all passengers or crew members of air and vessel carriers. Air carriers must provide the following information: (a) Complete name; (b) date of birth; (c) citizenship (country of document issuance); (d) gender; (e) passport number and country of issuance, if a passport is required; (f) country of residence; (g) United States visa number, date, and place of issuance (arrivals only); (h) alien registration number; (i) United States address while in the United States; (j) International Air Transport Association (IATA) arrival port code; (k) IATA departure port code; (l) flight number, date of flight arrival, date of flight departure; (m) airline carrier code; (n) document type (e.g., passport; visa; alien registration); (o) date of document expiration; and (p) a unique passenger identifier, or reservation number or Passenger Name Record (PNR) locator number.

Some of these Advance Passenger Information System (APIS) items are merely absurd and useless, such as the requirement of an address in the USA. I’m reminded of the number of times when, obliged to enter a local address on a visa application or immigration form, I’ve copied the name and address of a suitably respectable (but not implausibly expensive) hotel from a guidebook.

Others are more intrusive and subject to potential abuse by both of the recipients: the airline and the CBP.

The CBP final rule and analysis of comments and the DHS Privacy Impact Assessment (PIA), published in the Federal Register 5 April 2005 (70 F.R. 17819-17861) and effective 180 days thereafter (i.e. today), discuss and dismiss the implications of requiring travellers to submit personal information to the CBP .

[A] large majority of the 328 commenters to the INS NPRM [Notice of Proposed Rulemaking] expressed concern with respect to the right to privacy of travelers and the protection of data by the agency.

Although a passenger’s refusal to supply the information required by the regulatory text will result in denying that person access to international travel on commercial vessels and aircraft, the new provisions will not violate a constitutional right to travel…. [N]o government interest is more compelling than the security of the nation. Haig v. Agee, 453 U.S. 280, 307 (1981). The government may place reasonable restrictions on the right to travel in order to protect this compelling interest.

But that’s not what the rule requires: the rule gives travellers no option to provide the required information directly to the CBP. Instead, the rule requires airlines to provide passengers’ personal information to the CBP, effectively requiring travellers — if the airlines are to be able to comply, without which airlines’ passengers won’t be allowed to travel — to turn over their information to the airlines as well as the government.

Both the final rule and the PIA entirely ignore the implications of requiring passengers to provide detailed personal information to, at a minimum, airlines (and, in most cases, other companies such as Computerized Reservation Systems (CRS’s) and travel agencies), under government order, without imposing any restrictions whatsoever on the ability or authority of the recipient airlines and other companies to use, rent, or sell the information that passengers will be forced to give them, without any requirement for notice or consent. This government-compelled transfer of rights in personal data to unregulated private entities is the real violation of privacy rights in the new rule.

This is also what makes the new rules incompatible with the data protection rules of European Union and other countries with similar laws. While the transfer of information to the USA government, if required by law, probably fits within the exception in the EU law for data transfers to government agencies mandated by law, the transfer of personal information by EU travel agencies, tour operators, and CRS’s to airlines in the USA that aren’t subject to any “adequate” data protection regime almost certainly violates EU law, national laws in EU member countries, and the (never yet enforced) privacy clause in the EU Code of Conduct for CRS’s.

Some were surprised when I first suggested, in my September 2003 comments to the DHS on its CAPPS-II airline passenger screening and surveillance scheme, that requiring airlines to provide this sort of additional personal data on each passenger would cost the airline industry a billion U.S. dollars in IT infrastructure changes.

But the DHS now admits that its current proposals would cost exactly that, a billion U.S. dollars, just for international flights to and from the USA, which carry far fewer passengers than domestic flights in the USA. According to the CBP final rule:

We estimate that the cost of this final rule will be approximately $1 billion over a 10-year period…. In the first year this rule is in effect, we estimate the cost will be $166 million (undiscounted) as companies reprogram existing systems and purchase necessary equipment.

The CBP figure actually appears to be a significant under-estimate. It considers IT infrastructure and programming costs to airlines (presumably including the changes required by CRS’s, which presumably would be passed on to their airline customers), and data-entry labor costs, but omits from its otherwise detailed itemization any estimate of the costs to more than a hundred thousand travel agents (online and offline) around the word who book travel to or from the USA, as well as other travel services providers and intermediaries, to reprogram their business process automation scripts, quality control systems, Web user interfaces and Web site back-end databases and systems, API’s for CRS access and airline data interchange, and third-party software that interacts with any of these.

The CBP and DHS try to have it both ways: they argue that few changes will be required because most of the data requested is already available from machine-readable passports and travel documents, while also arguing that much more information is needed than is presently available from passports and other travel documents.

The latest notice from CBP implicitly concedes that much of the necessary IT and business process changes have yet to be made, and that compliance is still impossible even for airlines making a good-faith effort.

The DHS began talking about demanding additional Advance Passenger Information (API) — though not, it would appear, talking to the airlines, and not with any understanding of what it would require — in late 2001 or early 2002 as part of CAPPS-II. It took two years, until early 2004, before standards to support the inter-airline and inter-CRS transfer of API data were added to the AIRIMP interline messaging protocol. And it took another 18 months, until this month, for the CRS’s to add the ability to enter and store this data in PNRs.

For those who are interested, I’ve posted section 3.14 of the AIRIMP (28th edition, effective 1 June 2004) containing the API interchange formats, and the command-line formats being rolled out this month by the big four CRS’s (Sabre, Amadeus, Worldspan, and Galileo/Apollo) for entering API data in their PNRs. (You can order the complete AIRIMP book from IATA.)

The command-line formats aren’t pretty (nor are the earlier IATA / World Customs Organization suggested guidelines for the transmission of API data from airlines to governments), and so far as I can tell, none of the CRS’s and no major third-party software vendor has yet implemented them in any of the graphical interfaces now used by most travel agents and airline reservations staff. My guess is that it will take another year, even with government coercion and substantial spending, for them to be implemented throughout the reservations data entry and processing “food chain”.

Because airline reservations can be made up to 11 months (a year with some systems) prior to the date of travel, and because airlines and travel agents may have no way to contact ticketed passengers between the time they make their reservations and the time they present themselves for check-in, it will take a full year, after API data starts being entered in all new PNRs, before it is present in all PNRs any earlier than check-in.

As the Air Transport Association of the USA testified to Congress in June of this year:

[I]t must be clear that all participants in the reservation process share data-collection obligations, including travel agents and Global Distribution Systems [GDS’s or CRS’s]; ….it must be clearly understood that this is a massive, very challenging undertaking and that sufficient time and resources must be available to bring a successful outcome…. This cannot work with unreasonable timelines or mandates.

[Update: Revisions to the API rules to change them from an advance information reporting system to an advance permission system. More on travel and privacy, surveillance, civil liberties, and human rights.]