Oct 17 2010

Europeans start asking questions about the role of reservation systems

We’re pleased to see that — perhaps as part of the fallout from publicity in Europe (see the links in these comments) for our lawsuit against the DHS — questions are finally being asked in the European press about the role of Computerized Reservation Systems (CRSs, also known as Global Distribution Systems or GDSs) in passing travel reservations to the US and other governments.

We’ve pointed out repeatedly that most airlines, travel agencies, and tour operators have outsourced their PNR database hosting to the major CRSs, including Sabre and Travelport (Galileo and Worldspan) in the USA and Amadeus in Europe. Earlier this month the Süddeutsche Zeitung became the first major European news organization to publicly question Amadeus about its (illegal) role in granting DHS access to Passenger Name Record (PNR) data stored with Amadeus. Amadeus falsely claimed that “We are not involved in the decision” to pass data from the EU to the DHS. But that claim is unlikely to stand up to an inquiry such as the one we’ve been told the Article 29 Working Group of European national data protection officers is currently conducting. And more and more other Europeans are beginning to ask similar questions as well.

Overly simplistic usage of the term “European PNRs” has contributed to an erroneous conflation with “PNRs for flights operated by European airlines”, and an even more erroneous conflation with “PNRs stored in Europe”. PNRs are, by design, globally accessible in much the same way as data “in the cloud”, so the notion of a PNR being “stored in Europe” is largely meaningless. In practice, a single PNR routinely contains data collected in multiple locations. EU data protection laws apply to all PNRs that include data collected in the EU, even PNRs for flights within the USA if the reservations are made, or some of the data is entered, by travel agencies or tour operators in the EU or by European ticket offices of USA-based airlines. Those laws apply equally to Amadeus and its USA-based competitors Sabre and Travelport, each of which has thousands of airline, travel agency, and tour operator subscribers in the EU.

As we pointed out in our testimony at the European Parliament in April, Amadeus’ location of its main servers in Erding, Germany (Europe’s largest private data center) doesn’t mean that it complies with EU data protection law or shields its PNRs from US or other authorities (or other threats) outside the EU. In fact, Amadeus offices as well as Amadeus subscribers (including airlines, travel agencies, and tour operators) in the USA and around the world have full access to Amadeus reservation data including data collected in Europe.

There are no access logs in PNRs, so neither Amadeus nor its subscribers actually know who has retrieved PNRs, or from which countries.  But we’ve seen a growing number of examples, as we first reported more than three years ago, of DHS records of flights within the EU, operated by EU-based airlines, that could only have been obtained through “root” access by the DHS to the CRSs.

For example, portions of a PNR showing root access to the Galileo CRS by DHS/CBP were reproduced on page 5 of our initial 2007 report on our research into DHS travel records. This was a real PNR for a real person obtained from the DHS. The traveller went from the USA (SFO) to Berlin (TXL) on United Airlines. She stayed six days in Berlin. Then she went from Berlin to Prague to London on Czech Airways (IATA code “OK”). Then she stayed for another 6 days in London. Then she returned from London to SFO on United. The flights on Czech Air were entirely within the EU. They did not connect to or from flights to or from the US, or on a US airline. The PNR shows that the travel agent issued a separate ticket, and a separate fare, for the Czech Air flights — they weren’t on the same ticket with the United flights. But the travel agent followed standard travel agency procedures and made all the reservations for the entire journey in the same CRS, in this case Galileo (the CRS used by United). When DHS pulled the PNR, they didn’t just pull the portion on United, but pulled the entire travel agency PNR, including the flights on Czech Air. This confirms that DHS had root access to Galileo, not just access through United, since United would not have been able to see the details of the Czech Air flights and ticket.

Meanwhile, the US government is growing increasingly worried that the European Parliament might no longer capitulate to their bullying. In a recent white paper, former CBP director Jayson Ahern, now an influence-peddler working with his former boss Michael Chertoff as a lobbyist for various DHS contractors, pleads with European parliamentarians not to “pull back” from continuing to give DHS/CBP free access, in violation of EU law, to PNR data collected in the EU. Ahern says that, “In 2009 … PNR data together with APIS helped identify one-third of all known and suspected terrorists ultimately denied entry to the US.” But since none of those denials were ever reviewed by any US judge, it’s impossible to tell whether this statistic is evidence of the successful use of PNR data… or of the number of PNR-based violations of travelers’ fundamental human and civil rights.

[Update: While Amadeus offices and subscribers in the USA and around the world already have unlogged access to data stored on Amadeus servers in the USA, Amadeus is reportedly considering opening a data center in the USA, which would make it even more difficult to comply with EU law.]