"Your Reputation Precedes You" (CFP 2007)

I’m on a panel entitled “Your Reputation Precedes You: The Transfer of European Union Passenger Name Records to the U.S. and Canada” today at the conference on Computers, Freedom and Privacy .

Here are links to some of the topics and previous articles I may mention in my talk:

• Freedom to travel as a human right
• Background on PNRs and CRS’s
• Testimony to the European Parliament and data protection commissioners on PNR transfers from the EU to the USA
• Report and analysis of Europarl hearing and data protection commissioners’ meeting
• Open Skies treaty
• European Union CRS regulations
• Sample letters to request PNRs from European airlines, CRS’s, travel agencies, and tour operators
• Advance Passenger Information and permission to travel
• Examples of indirect transfers of PNR data via Sabre and Airline Automation
• ICAO and machine-readable travel documents
• The Automated Targeting System and PNR data from the EU
• Questions about the Automated Targeting Syatem
• Identity Project comments on the Automated Targeting System
• Identity Project supplemental comments on the Automated Targeting System
• Western Hemisphere Travel Initiative and travel between Canada and the USA
• Identity Project comments on the Western Hemisphere Travel Initiative
• The Identity Project

Update: Here’s a slightly revised version of my presentation:

Since September 11, 2001, the assumption of the people setting travel-related “security” policies — most of whom have come from outside the travel industry and have little or no actual knowledge of travel industry information technology or business processes — has been that the technology of travel is quite ordinary (“Reservations are just databases, right?”) but that the policy issues are somehow an exception to normal principles of civil liberties or human rights. (“Obviously, we have to make some exceptions when we are talking about airplanes , right?”)

The real situation, I think, is just the reverse: Travel technology is its own “parallel universe”, with its own protocols and norms that impose more, and different, practical constraints than people outside the industry tend to realize. But the policy issues raised by data about the movements of people are much more similar than is generally recognized to the issues with data about movements of messages, movements of money, movements of data, and other types of traffic data.

I’ve argued previously — particularly in a workshop Stephanie Perrin organized here at CFP 2 years ago in Seattle — that the prevailing “exceptionalism” about air travel is largely a result of unresolved societal as well as individual post-traumatic stress, from which the United States continues to suffer. In the same vein, I think that a large part of the dispute both with and within the European Union on aviation and border security is that, as people begin to move past the post-9/11 trauma — a process in which, in general, Europeans are well ahead of most Americans — they begin to look at aviation in more “normal” terms, and to subject travel-related policies to some of the same critical scrutiny, and the same standards, that they apply in other areas.

I welcome this development, and it’s in this spirit that I offer these remarks.

Stavros Lambrinides, vice-chair of the civil liberties committee of the European Parliament, put this very clearly last month both in Brussels (at hearings that Bob Davidson [vice president of the airline association IATA, who had been scheduled to be part of the panel at CFP] and I both attended) and as part of a European Parliamentary delegation to Washington to discuss these issues with members of Congress. “We’re as fanatical as anyone about terrorism,” he said. “But most of the use of these so-called anti-terrorist measures is not against terrorism. Drug smuggling is not terrorism. Illegal immigration is not terrorism. We shouldn’t even be talking about sacrificing fundamental freedoms for less than fundamental ends.”

So what’s “fundamental” here?

The fundamental right at issue here is first and foremost the liberty of movement guaranteed by Article 12 of the International Covenant on Civil and Political Rights — a treaty ratified by Canada, by all of the members of the European Union, and even (perhaps surprisingly) by the United States.

In addition, airlines are required in all of these countries to operate as “common carriers”. That means they can’t pick and choose their customers, but must, by law, accept and transport equally all passengers paying the fare and complying with the rules in their published tariff.

The root of the dispute about “Passenger Name Record (PNR) data is that airlines and police have failed to recognize this. Instead of acting within the framework of a presumption of a right to travel, they have operated from an equally fundamental — if often unstated and legally unsupportable — presumption of their right to control who can and who can’t travel.

Nowhere is this more clear than in the “Noticed of Proposed Rule-Making” (NPRM) published last year for “Advance Passenger Information” (API), for international flights to, from, or overflying the US.

Without getting bogged down in the distinctions between API and PNR data, API data is more limited but more standardized than PNR data. API data is intended more to identify the traveller and enable correlations with other databases, while PNR data is more descriptive of the current journey.

API data is often stored in the PNR — IATA has, in fact, worked hard to facilitate this by adding support for API data to the AIRIMP protocol — but API transmissions to government agencies are nominally independent of PNR access, and are not regulated by the PNR agreement (between the USA and the EU) or the undertakings of the US Department of Homealnd Security with resepct to PNRs.

The API proposal, which has not yet been finalized but remains pending — would replace the current US requirement for ex post facto notice with a system of prior restraint. Instead of having to notify the destination country of who is on the plane, once the flight is on its way, the airline would have to get permission from the destination government before each passenger is allowed to board the plane. The default would be that, unless the airline has received individualized prior permission, they may not permit you to board.

A similar global goal to transform advance passenger information systems into advance travel authorization systems (with a presumptive default of “no”), was articulated by government representatives at the ICAO meetings Bob Davidson and I both attended here in Montréal last fall.

So we aren’t just talking about privacy. The issue is not solely, or primarily, government access to data about your movements. Governments — and not just that of the USA — want to use that data: they want to associate your physical body with a data cloud, and make decisions about where they “permit” you to move — in an explictly permission-based system — on the basis not of attributes of your physical person (such as criminal acts or possession of weapons), but on the basis of the data cloud that they have created and they have associated with you. Association in their systems with what they regard as a criminal (or insufficiently innocence-proving) data cloud becomes under such a permisison regime a bar to the exercise of your human right to freedom of movement — in flagrant contravention of the ICCPR and the common carrier statutes.

But the pending API rulemaking is only one of a series of efforts to evade or bypass the PNR agreement. As a result of these other initiatives, the terms of the PNR agreement — even if it were enforceable in US courts, which it isn’t — would be unlikely to set the boundaries of government access to and use of airline reservation data. It’s these measures, not the PNR agreement, that call for our closer attention. In addition to (1) the API rules, which are also under discusion by ICAO and within the EU, these include the following:

(2) The proposed “Open Skies” agreement on civil aviation between the USA and the EU has been discussed in the press primarily in terms of the allocation of gates and landing/takeoff “slots” at Heathrow Airport and of which airlines will be authorized to fly between which airports in Europe and the USA.

But hidden within the Open Skies agreement are insidious provisions that would require compliance by all parties to the agreeement (i.e. the USA and the members of the EU) with any “security measures” adopted by the other party — with no requirement that those “measures” be adopted democratically or acccording to any standard of due process, or that they be justified under any particular standard (or, indeed, that any justification at all be offered for them, other than the simple assertion that their purpose is “security”).

If the Open Skies agreement is ratified as a treaty, secret adminitrative security directives, essentially immune by their secrecy from judicial review, would thus be incorporated into treaty law that would take precedence over any Congressional or European legislative enactment, or the unilatereral “undertakings” or non-treaty “agreement” on PNR transfers.

Similarly, the Open Skies agreement would require compliance with all “security recommendations” of the International Civil Aviation Organization (ICAO). For historical reasons, ICAO (whose headquarters is across the street from the CFP venue here in Montréal), is the global standard-setting body for personal identification credentials (“travel documents”, i.e. passports) as well as more narrowly aviation-related matters.

ICAO explicitly decribes itself as a “purely technical” body that only makes “recommendations”, not a body with the charter or competence to legislate or even consider political or policy questions. Yet under the Open Skies agreement, those “technical recommendations” will acquire the force of law, preempting any oversight that national authorities might try to exercise.

Within the memory of those I have consulted at ICAO and during the ICAO meetings I attended, no national data protection office or civil liberties or human rights ministry has ever been included in the membership of any country’s delegation to any ICAO meeting. Here at CFP, I have urged the Office of the Privacy Commisioner of Canada to take the lead in changing this, by insisting on the inclusion of the Commissioner or someone from her office in Canada’s delegations to future ICAO plenary and Facilitation Division meetings and, perhaps more importantly, in ICAO’s New Technologies Working Group (NTWG) and Task Force on Machine-Readable Travel Documents.

The USA has, as CFP-ers well know, no comparable government privacy or hiuman rights ministry. But citizens of Canada and other countries should demand that these departments within their national government take a direct participatory role, not merely one of advisors to national security and law enforcement agencies, in ICAO decision-making.

I also urge the U.S. Senate to consider the implications of this delegation of power to ICAO if (as it should) it holds hearings and conducts a full debate on ratification of the Open Skies treaty.

(3) The easiest and most common way the PNR agreeement is bypassed is through commercial international transfers of PNR data, which make possible indirect government access to that data once it is in the USA.

The PNR agreement applies only to PNR data accessed directly from airlines by the DHS Bureau of Customs and Border Protection. But that ignores the industry norm: Most airlines and travel agents outsource hosting of their reservations (PNRs) as well as their customer profile (CRM) data to “Computerized Reservation Systems” (CRS’s) that are based in the USA or process this data in the USA.

Once that data is in the USA, it can be transferred to, or accessed by, CBP or any other govdernmental or commercial entity, through a variety of mechanisms (subpoenas, sealed warrants, National_Security Letters, commercial sale, or “voluntarily” by those CRS’s and other intermediaries) without the knowledge or consent of the airline, much less the passenger, and entirely outside the terms of the PNR agreement..

This is a routine practice, not a purely hypothetical risk. For example, when the US government wanted data to test the first version of the CAPPS-II airline passenger sureveillance and profiling system in 2002, millions of real reservations (including reservations made in the EU and Canada) were provided to the CAPPS-II contractors through a series of commercial intermediaries in the USA who were already in possession of that data.

This happened in 2002, and I first reported it in 2003, but not until 2004 did American Airlines admit that it had happened. There has still been no public inquiry into which other airlines’ reservations may have been involved.

In the absence of government inquiry, I encourage those of you who live in the EU, or who fly on EU-based airlines, to exercise your rights under EU law to request an accounting from travel agencies, tour operators, airlines, and CRS’s of what they done with your data . I’ve provided sample request forms for that purpose on my Web site.

American Airlines stores its reservation s (PNRs) in the Sabre CRS. From Sabre, they are transferred for other processing to a company formerly called Airline Automation, Inc., now Amadeus Revenue Integrity (and still located in the USA although now entirely subject to EU jurisdiction as a division of the Amadeus CRS based in the EU).

American Airlines claimed that Airline Automation provided PNRs to the CAPPS-II contractors at the “request” of the government, and without the knowledge or consent of the airline. Sabre refused to comment, so we still don’t know whether even the CRS was aware of what had happened. Travellers whose data was used in the tests were the last to know: the airline still has taken no action to inform those whose data was used.

The key thing about this tortured tale is that since none of the data was obtained directly form the airline — the airline claims it didn’t even know about it — this would not violate the PNR agreement or any US law if it were to recur today. Once PNR data is in the hands of a commercial entity in the USA, there is no control on where or to whom it goes, and the PNR agreement does not apply to either coerced or “voluntary” disclosures of the data.

This is exactly the sort of consequence of data outsourcing, and of commercial transfers of personal data to countries without adequate data protection regimes, thatthe EU Data Protection Directive is supposed to prohibit. Standard operating procedures in the travel industry routinely violate EU Data Protection Directive.

(4) In addition to the Data Protection Directive, EU law regulates the practices of the CRS’s through a “Code of Conduct for CRS’s” which includes very strong — although entirely unenforced — privacy and data protection provisions. But the European Commission is currently considering revising or repealing that Code of Conduct, which could potentially result in the repeal of those protections.

It has yet to be established whether the “data controller” for PNRs is the travel agency, the airline, or the CRS, or at what point in the reservation process PNR data is considered to be “transferred” to the USA. This makes it easy for each of the companies involved to evade accountability under the Data Protectin Directive. The Code of Conduct for CRS’s closes that loophole by requiring the CRS’s who actually store most PNRs to protect the data, and to provide travellers with access to their own PNRs, regardless of who is considered the owner or controller.

The Identity Project, with which I work, has submitted comments to the European Commission explaining the continued need for the privacy provisions of the Code of Conduct for CRS’s, and urging that they be retained, strengthened, and enforced — not weakened or repealed.

Since this panel was to have included the principal representaive of the world’s airlines when they lobby the world’s governments (Robert Davidson, vice-preseident of IATA), I feel obliged to note that airlines have been part of the privacy problem with PNRs, not part of the solution.

Objections by airlines to schemes for government surveillance and control of travellers have been made on the basis of their costs to the airlines, not their impact on airlines’ customers’ rights.

Airlines have, to their credit, opposed being deputized involuntarily as enforcers of immigration rules, but not to the basic principle of government control. Airlines have failed to assert their obligation as common carriers to transport all would-be passengers, or their customers’ right to travel. At the ICAO meetings I attended here in Montréal last fall, I heard Bob Davidson tell the assembled government delegations, “As soon as someone says the words, “political asylum”, you lose.” That’s wrong: asyslum should be seen as a victory for human rights, not a “loss” of control by government.

The theme of Bob’s message to governments, in his role as lobbyist for the world’s airlines, was, “Don’t treat us as adversaries. Let us help you.” Airlines are willing, even eager, partners in surveillance of travellers, as long as (A) governments reimburse the cost, instead of imposing it on airlines as an unfunded mandate, and (B) airlines get a free ride to use this data too, even when it is collected under government coercion.

Airlines have claimed to care about their customers, but they haven’t suited their actions to their words. Here are some of the things airlines could have done, and still could do, but haven’t (yet) done:

(1) Incompatible European and US legal obligations have put airlines in an impossible double bind, with which I sympathize. But when they’ve had to choose, airlines have — without exception — complied with US law, even when that has meant violating EU privacy and data protection law.

(2) Airlines have (sometimes, usually quietly) complained about government impositions and demands for data in the name of “secuiorty”. But no airline has challenged the lgal basis for those requests or demands, or litigated either government demands for PNR information or government orders not to transport particular passengers. That’s especially significant because, as we heard yesterday, the US government will neither confirm nor deny that any particular person is on its “no-fly list”. And since the “do not transport” order is issued to the airline, not the would-be traveller, the airline has a much easier time establishing the necessary standing to get the order reviewed by a court.

(3) Airlines have not disclosed to customers when PNR data is disclosed to commercial or governmental third parties. As I noted earlier, even when airlines have admitted that their PNRs were used for improper purposes, they have made no effort to notify the people whose data was thus misused, in violation of all norms for data breaches in other industries.

As for the DHS, what we have is a complete lack of enforcement of existing laws.

The most serious violations of the Privacy Act are crimes. That sounds great, except that it means that there is no “private right of action”. Neither those whose rights are violated, nor third-party watchdogs, can sue to enforce the law. Presumably, the responsibility for enforcing the criminal provisions of the Privacy Act rests with the departmental Privacy Officers — which is a problem, since most fo the criminal violations of the Privacy act have been committed by those same Privacy Officers, when they have knowingly published false and/or incomplete Privacy Act notices, and allowed the systems of records to operate in spite of their knowledge of the lack of proper notice.

The Privacy Act requires notice, in advance, that describes all the categories of individuals about whom records will be kept. That was violated with the use of real PNRs for testing of the CAPPS-II and Secure Flight airline passenger profiling and surveillance schemes, when the “System of Records Notices” (SORN’s) falsely claimed that the only “data subjects” would be airline passengers. In fact — as the Privacy Officers promulgating those notices knew from comments I and the Identity Project filed with them — those PNRs also included personally identifiable data on other categories of individuals, such as airline and travel agency personnel and people paying for other people’s tickets. The notices also falsely claimed that European Union or “international” PNRs would be excluded, when in fact, as the DHS has admitted, it is impossible to tell from anything in a PNR in which jurisdictions) the data it contains was collected.

(The important distinctions between PNRs for flights that touch the EU, PNRs for flights on airlines based in the EU, and PNRs that include data collected in the EU have often been lost in the catch-all usage of the term “European PNRs”. This and the false or nonexistent SORN’s have also helped obscure the violations of both the EU Data Protection Directive and the EU Code of Conduct for CRS’s.)

The same criminal violations were repeated with the “Automated Targeting System” (ATS), with the additional and even more serious problem that PNRs were being stored in the ATS at least as early as 2003, but the notice of this wasn’t published until 2006.

Neither I nor the Identity Project have received any response to our specific written requests to the DHS Privacy Office and the DHS Inspector General’s office for enforcement of the criminal provisions of the Privacy Act against those responsible for collecting and processing PNR data without proper notice. And the TSA’s Privacy Officer has specifically refused to respond to my requests for information concerning the procedures, if any, available to those seeking redress under this and other laws. I invite the DHS’s respresentative here today [Kenneth P. Mortensen, Acting Chief of Staff, DHS Privacy Office] to explain how the DHS Privacy Officers police their own violations of the Privacy Act, or who else is responsible for policing them.