Can you really see what records are kept about your travel?

One of the big differences between American and European attitudes is that people in the USA tend to be much less willing to trust that the government is doing its job in accordance with the law. Many Europeans have told me this, and it’s also what I’ve observed in the feedback and reactions to my work on issues of privacy, surveillance, and control of travellers.

European debate has focused on rules and policies, and has paid little attention to practices. Europeans seem to have trusted that travel compnaies and the government will comply with whatever rules are adopted, and that their public statements accurately describe what they really do, such as what records they keep about travellers and how they use those records.

As a suspicious, mistrustful American, I pay much more attention than my European friends to compliance, enforcement, and oversight mechanisms. Based on years of insider experience with travel companies, and a lifetime of experience with government agencies in the USA, I don’t trust either type of organization (governments or corporations) to police themselves.

I believe that I can do something when I have actually tried it and have succeeded in doing it, not when some law says that I am supposed to be allowed to do it. As a litigious American (actually, I’ve never sued anyone, nor been sued), I think it’s essential for people to be able to enforce their own rights through private action, not to have to rely on the government for protection — especially when when it comes to protection against the excesses and abuses of governments themselves.

As a result of these (typically American) attitudes, I’ve been part of the most extensive set of private tests of what rights travellers actually have, in practice, to see what records travel companies and governments are keeping about our movements. These tests have been much more extensive — even with respect to rights supposedly guaranteed to Europeans and under European law — than any undertaken by Europeans themselves.

The results are significant for Americans, Europeans, and anyone concerned about the right to travel in the face of a growing surveillance state (corporate and/or governmental):

Under EU law, travellers are supposed to have the right to see all of the records about them kept by travel or other companies, and to be told what data about them has been sent to other countries or third parties (including governments).

But when I asked the airline to see the records of one of my trips from the USA to the EU and back, and to be told what third parties (especially in the USA) had accessed my records, they told me that no one had ever asked any European airline for these details before! KLM Royal Dutch Airlines — one of the largest airlines in Europe, with records about tens of millions of travellers — had never developed any procedures for actually complying with the law regarding access to those records, and took months to figure out what to do.

Eventually, KLM told me that they had outsourced the handling of my data to companies in the USA, in spite of the fact that there is no data protection law in the USA. KLM told me they didn’t know what data their contractors and agents had collected or retained, or with whom they might have “shared” my data. KLM said they had no provisions in their contracts that would enable them to force their contractors to provide me with this information.

When I asked the Dutch Data Protection Authority to intervene, they too told me that mine was the first such formal request that they had received in any case involving airline reservations. They also admitted that they had no staff with the technical competence or industry knowledge to interpret the limited data that KLM had disclosed, or to assess the truth of KLM’s claims. A year after my original request to KLM for my travel records, the Dutch authorities told me that they couldn’t help me, and that I could do nothing more unless, within 45 days, I could hire a lawyer in the Netherlands to prepare and file a private lawsuit, at my own expense, in Dutch, in Dutch court, against the airline (which of course I wasn’t able to do, especially since I was travelling in Africa at that time).

So much, in real-life practice, for my greater “rights” under European data protection law.

Under US law, citizens and permanent residents of the USA have the right under the Privacy Act to advance notice from the US government (although not from private companies) of what systems of personal records each government agency keeps, and how it uses those records. We also have the right, with many exceptions, to request copies of those records from the Federal government (but again, not from private companies).

When the existence of US government databases of Passenger Name Records (PNRs) going back to at least 1999 was revealed in 2006, the Identity Project immediately requested those records on behalf of ourselves and some of our friends. The responses were obviously incomplete, and inconsistently and inappropriately redacted. They also included information contrary to what the DHS had promised in its “agreement” with the EU, such as personal data about non-travelling third parties and records of flights entirely within the EU, on European airlines, ticketed separately from any flights to or from the USA or on US-based airlines.

I helped analyze the responses, and we published the first report of what we learned in September of 2007, along with forms that members of the public could use to make their own requests for their PNR data. Widely-distributed news stories about our report prompted a surge of requests from which the DHS apparently has yet to catch up. We also appealed some of the omissions and redactions from the responses to our initial requests. My own appeal is more than a year old, and has received no acknowledgement or response (in violation of the Privacy Act time limits for appeals).

As part of an “agreement” between the DHS and the EU, the DHS has promised to allow all passengers on airline flights between the USA and the EU the same access as US citizens and permanent residents to DHS records of their

I know of only one attempt to test whether the DHS is honoring that promise to the EU: a Member of the European Parliament, who had travelled to the USA, requested her records from the DHS. The first response from the DHS was a (false) claim that the DHS had no record of her trip. When she appealed (to a higher officer within the DHS), she was told that the DHS “might” have records about her. But she didn’t receive any of those records within the time limit for a response under the Privacy Act or Freedom Of Information Act (FOIA).

Only after lawyers in the USA filed a Federal lawsuit on her behalf did this MEP receive any of her records from the DHS. (At her lawyers’ request, and after review of the documents, I submitted a declaration in her lawsuit as an expert in PNRs and their content.) As with US citizens who requested their records, what was eventually released to this MEP by the DHS was late, clearly incomplete, and inconsistently and inappropriately redacted.

Now the DHS has released its own report on its “compliance” with the PNR agreement. As analyzed in detail by the Identity Project, the DHS report admits to practices that systematically violate the Privacy Act (for US citizens and residents) and the PNR agreement (for other subjects of data in PNRs from EU-USA flights). Responses to requests for PNR data, according to the DHS’s own report, typically have taken a year or longer, and remain backlogged. People who have asked for “all” their records typically weren’t given any of their PNRs. Redactions from what data was released were inconsistent and often inappropriate.

All these real-world experiences suggest that neither American nor Europeans should trust the DHS or travel companies to police themselves, or rely on existing compliance, enforcement, or oversight mechanisms. Legal rights and promises with respect to travel records have proven unenforceable both in the US and the EU, for both US and EU citizens.

A dialogue about what restrictions should be placed on government and corporate surveillance and control of our movements, while essential, will be hollow unless it is accompanied by an equally vital dialogue about how to provide for enforcement of those restrictions — and unless it starts from a recognition that existing compliance, enforcement, or oversight mechanisms have entirely failed, in practice, to protect trans-Atlantic travellers.

[Update: Giant US air travel data suck fails own privacy tests , by John Lettice, The Register (UK), 29 December 2008. Response in the DHS “leadership Journal” blog, 31 December 2008. The Chief Privacy Officer for the DHS claims that the DHS is “trying” to follow the law, but neither denies nor even mentions any of the specific DHS compliance failings to which the Identity Project called attention, or any of the other facts in our description and analysis of the history of DHS use of PNR data.]

[Further update: In addition to the earlier excerpts from DHS travel records published last year in the Identity Project report , the Washington Post story, and the records released to me by KLM , Sean O’Neill of Budget Travel has published some excerpts this month from the DHS response to his request, including a page from a TECS index of Border Crossing Information System entries and a page from a PNR.]

[Further update: How to request your travel records (with updated forms)]