Oct 29 2010

DHS Privacy Office ordered TSA not to answer our FOIA request

Records posted online by the DHS in response to one of our FOIA requests confirm that, as we suspected, DHS headquarters has been illegally blocking release of documents we have requested, and to which we are entitled, under the Freedom of Information Act, in order to subject them to higher-level political review and an illegal requirement for higher-level political approval prior to any response.

In an email message (pp. 24-26 of this larger PDF) to the Chief FOIA Officers of all DHS component agencies on December 23, 2009, Catherine Papoi, DHS Deputy Chief FOIA Officer and Director of Departmental Disclosure and FOIA, included one of our requests for information about TSA policies in a list of requests to be reported to the DHS White House liaison and reviewed by the “DHS HQ Front Office” prior to any response or release of records, regardless of the deadlines for responses and release of responsive records set by FOIA.

According to this email message, underlined and in boldface for double emphasis, “It is very important that your office not send the response to the requester until I notify you that the response has been reviewed and is cleared to be sent to the requester.”

Oct 18 2010

Airlines to cancel reservations and deny passage to travelers who won’t provide “Secure Flight” info

Airlines are moving rapidly toward global industry standards, effective November 1, 2010, that could lead to cancellation of reservations — including already ticketed reservations — without notice to travelers and in violation of the contractual conditions in effect when tickets were sold, and denial of transportation to would-be passengers in violation of airlines’ operating licenses and international aviation treaties that require them to operate as “common carriers”.

We’ve previously noted the impossibility of knowing how the TSA will enforce its Secure Flight passenger surveillance and control scheme, since the enforcement of “Secure Flight” demands for information will, presumably, be carried out by airlines acting on secret TSA Security Directives.  And in one of its most recent non-responses to our FOIA requests, the TSA reiterates its claim that all such Security Directives are by definition exempt from disclosure, regardless of whether their disclosure would have any actual effect on safety or security.

But we’ve also noted the recent announcements by some airlines, apparently starting with American,  that they plan to cancel or inhibit the creation or ticketing of reservations that don’t contain the additional personal information that the TSA wants each traveler to provide to both the airline (who is free to retain, use, sell, or otherwise disclose it) and the TSA: “full name” (whatever that means — there’s no definition in the Secure Flight regulations), gender, and date of birth.

Now airlines are going even further, with more airlines announcing their intent to cancel ticketed reservations if passengers don’t, on their own initiative, come forward with Secure Flight Passenger Data (SFPD), and the airline trade association (and sometimes cartel) IATA reportedly expected to pass a global standard this week mandating inhibition of ticketing of all reservations without SFPD.

Oct 17 2010

Europeans start asking questions about the role of reservation systems

We’re pleased to see that — perhaps as part of the fallout from publicity in Europe (see the links in these comments) for our lawsuit against the DHS — questions are finally being asked in the European press about the role of Computerized Reservation Systems (CRSs, also known as Global Distribution Systems or GDSs) in passing travel reservations to the US and other governments.

We’ve pointed out repeatedly that most airlines, travel agencies, and tour operators have outsourced their PNR database hosting to the major CRSs, including Sabre and Travelport (Galileo and Worldspan) in the USA and Amadeus in Europe.  Earlier this month the Süddeutsche Zeitung became the first major European news organization to publicly question Amadeus about its (illegal) role in granting DHS access to Passenger Name Record (PNR) data stored with Amadeus. Amadeus falsely claimed that “We are not involved in the decision” to pass data from the EU to the DHS.  But that claim is unlikely to stand up to an inquiry such as the one we’ve been told the Article 29 Working Group of European national data protection officers is currently conducting.  And more and more other Europeans are beginning to ask similar questions as well.

Overly simplistic usage of the term “European PNRs” has contributed to an erroneous conflation with “PNRs for flights operated by European airlines”, and an even more erroneous conflation with “PNRs stored in Europe”. PNRs are, by design, globally accessible in ways similar to data “in the cloud”, so this is a largely meaningless concept.  In practice, a single PNR routinely contains data collected in multiple locations. EU data protection laws apply to all PNRs that include data collected in the EU, even PNRs for flights within the USA if the reservations are made, or some of the data is entered, by travel agencies or tour operators in the EU or by European ticket offices of USA-based airlines.  Those laws apply equally to Amadeus and its USA-based competitors Sabre and Travelport, each of which has thousands of airline, travel agency, and tour operator subscribers in the EU.

As we pointed out in our testimony at the European Parliament in April, Amadeus’ location of its main servers in Erding, Germany (Europe’s largest private data center)  doesn’t mean that it complies with EU data protection law or shields its PNRs from US or other authorities (or other threats) outside the EU. In fact, Amadeus offices as well as Amadeus subscribers (including airlines, travel agencies, and tour operators) in the USA and around the world have full access to Amadeus reservation data including data collected in Europe.

There are no access logs in PNRs, so neither Amadeus nor its subscribers actually know who has retrieved PNRs, or from which countries.  But we’ve seen a growing number of examples, as we first reported more than three years ago, of DHS records of flights within the EU, operated by EU-based airlines, that could only have been obtained through “root” access by the DHS to the CRSs.

For example, portions of a PNR showing root access to the Galileo CRS by DHS/CBP were reproduced on page 5 of our initial 2007 report on our research into DHS travel records. This was a real PNR for a real person obtained from the DHS. The traveller went from the USA (SFO) to Berlin (TXL) on United Airlines. She stayed six days in Berlin. Then she went from Berlin to Prague to London on Czech Airways (IATA code “OK”). Then she stayed for another 6 days in London. Then she returned from London to SFO on United. The flights on Czech Air were entirely within the EU. They did not connect to or from flights to or from the US, or on a US airline. The PNR shows that the travel agent issued a separate ticket, and a separate fare, for the Czech Air flights — they weren’t on the same ticket with the United flights. But the travel agent followed standard travel agency procedures and made all the reservations for the entire journey in the same CRS, in this case Galileo (the CRS used by United). When DHS pulled the PNR, they didn’t just pull the portion on United, but pulled the entire travel agency PNR, including the flights on Czech Air. This confirms that DHS had root access to Galileo, not just access through United, since United would not have been able to see the details of the Czech Air flights and ticket.

Meanwhile, the US government is growing increasingly worried that the European Parliament might no longer capitulate to their bullying.  In a recent white paper, former CBP director Jayson Ahern, now an influence-peddler working with his former boss Michael Chertoff as a lobbyist for various DHS contractors, pleads with European parliamentarians not to “pull back” from continuing to give DHS/CBP free access, in violation of EU law, to PNR data collected in the EU.  Ahern says that, “In 2009 … PNR data together with APIS helped identify one-third of all known and suspected terrorists ultimately denied entry to the US.”  But since none of those denials were ever reviewed by any US judge, it’s impossible to tell whether this statistic is evidence of the successful use of PNR data… or of the number of PNR-based violations of travelers’ fundamental human and civil rights.

[Update: While Amadeus offices and subscribers in the USA and around the world already have unlogged access to data stored on Amadeus servers in the USA, Amadeus is reportedly considering opening a data center in the USA, which would make it even more difficult to comply with EU law.]