Jan 06 2011

DHS says they should get our PNR data, but we shouldn’t

Secretary of Homeland Security Napolitano is in Brussels today, lobbying the European Union to allow the DHS to access airline reservation Passenger Name Record (PNR) data on the same day that DHS lawyers will be facing us in court in San Francisco to argue that nobody — not even US citizens — should have the right to access their own PNR data held by DHS.

Napolitano is reportedly stopping in Brussels on her way back from Israel, where she “visited Ben Gurion International Airport to meet with airport officials to discuss ways both nations are enhancing global aviation security while streamlining legitimate travel and trade,” i.e. expanding the use of Israeli-style ethnic profiling and discrimination at US airports.  According to one report on Napolitano’s trip, that’s one of the outcomes of the ongoing DHS policy laundering through ICAO:

Following the attempted terrorist attack on a Detroit bound airliner on Dec. 25, 2009, the Department of Homeland Security worked with the International Civil Aviation Organization (ICAO) and international partners including the Israeli government, as well as the private sector on a global initiative to strengthen the international aviation system against the evolving threats posed by terrorists.

Following five regional aviation summits across five continents, 190 countries adopted a historic Declaration on Aviation Security at the ICAO Triennial Assembly in October, forging a historic new foundation for aviation security.

In response to our lawsuit, US Customs and Border protection (the division of DHS that keeps PNR dossiers and other international travel records) has claimed that our initial request wasn’t signed or dated, that it didn’t include a declaration attesting to the requester’s identity and authorizing release of his records to our attorney, that they didn’t receive our administrative appeal, and that they didn’t learn of the existence of our 2007 appeal until February 2009, even though they signed a postal receipt for it in 2007 and we queried them repeatedly as to its status and called it to their attention in a formal filing with them (see page 5) in August 2008.

DHS is also claiming in response to our lawsuit that there are no logs showing what queries were made to search for or retrieve our PNR and other data, despite the repeated claims in their Privacy Impact Assessments that all such access is logged. See, for example, page 13 of the PIA for ATS (the system of records that includes PNRs) “ATS retains audit logs for all user access,” and page 16 of the PIA for TECS (one of the other systems of travel records), “Extensive audit logs are maintained showing who has accessed records and what changes, if any, were made to the records.”

We don’t yet know why DHS has lied about the facts and contradicted their prior claims.  But they have more reasons to do so than simple incompetence or disorganization.  And this is part of a pattern that isn’t limited to the particular Privacy Act and FOIA requests at issue in this case. We’ve had consistent difficulty in getting our requests and complaints acknowledged and docketed.


One of the highest priorities for the DHS policy and “privacy” offices is lobbying the European Union, Canada, and other countries to approve DHS access to PNR data, without amending the Privacy Act to give any rights to non-US persons. That requires persuading other countries of the adequacy of internal DHS administrative procedures.

DHS and other administration officials have hinted recently that DHS is considering some sort of formal regulation giving administrative but not judicial Privacy Act rights to non-US persons for data in mixed systems of records.

Of course, the persuasiveness of that argument rests on how those administrative “rights” are perceived. The DHS Privacy Office has reported to the EU review teams that (a) all requests for access to PNR data have been granted and (b) there have been no complaints of misuse of PNR data.

How can that be true? Only in the sense that there have been no docketed Privacy Act requests, docketed denials, or docketed complaints.

We and people using the templates (recently updated) we’ve provided have made many such requests and complaints, but we have never been able to get confirmation that any of them have been docketed as such.

Complaints have been either ignored or dealt with as “letters expressing concerns“, rather than as formal complaints.

With respect to Privacy Act requests, DHS has, apparently, adopted the position that all PNR, APIS, and ATS data is exempt from the Privacy Act. We’ll find out in our lawsuit what argument they will make for this.

But even if that view were correct, the proper response to a Privacy Act request would be, “We acknowledge receipt of your Privacy Act request, which we have assigned docket number XXXXX. We have denied your request because the requested records are exempt from the access provisions of the Privacy Act pursuant to [statute or regulation]. This determination (is/is not) subject to administrative and/or judicial review as follows…”

Instead, DHS seems to assume that because it believes there are no Privacy Act rights to such data, such data is releasable (if at all) solely under FOIA. So these requests aren’t treated as Privacy Act requests at all, but as FOIA requests. Instead of notice of a denial of a Privacy Act request, they send (if anything) a notice of receipt of a FOIA request, and never any formal Privacy Act determination.

Attempts to appeal the constructive denial of such Privacy Act requests are either ignored (presumably on the basis that there is, in their minds, no Privacy Act request, denial, or determination to appeal, since in their minds all that was made was a FOIA request) or treated as FOIA appeals.

We’re fairly certain that we’ve seen more of the responses to such requests that anyone else outside DHS. (We’ve heard from many other people who’ve gotten no answer at all to their requests and/or appeals.) None of them contain explicit determinations with respect to the Privacy act. None of the responses we’ve seen from DHS contain the information, such as an accounting of disclosures to other agencies and third parties, that is required by the Privacy Act but not by FOIA. All of them contain redactions based on FOIA exemptions that don’t apply to material required to be released pursuant to the Privacy act.

Of course, docketing such a Privacy Act request, appeal, or complaint would be a lose-lose choice for the DHS and the Privacy Office. They aren’t going to grant such a request, particularly for an accounting of disclosures of PNR or other ATS data to other agencies, or for the ATS risk assessments and rules for generating risk assessments. If they did, it would encourage more people to make such requests. But if they docket and formally deny such a request, appeal, or complaint, they would have to admit publicly — including to the EU — that not all access requests have been granted (even from US citizens) or that there have been complaints of misuse of PNR data.

In addition, if DHS admits to having docketed our complaints, they know that we will immediately publish complaint templates for others to use. Then they will have to deal with — and either grant or admit denying — many more such complaints. This is exactly what happened when we first published templates for Privacy Act requests, and samples of the responses to the first such requests. Before long, CBP staff were pleading with us to remove these forms from our website!

So DHS has a strong policy interest in avoiding docketing or issuing formal adverse determinations. It’s not just a “customer service” problem.

In the same sense, our lawsuit is a lose-lose proposition for DHS, which is why they’d rather dispose of it by any means possible, even lying, rather than get a ruling on the legal issue. We’d rather get a finding that DHS broke the law, of course. But if they get a ruling that DHS isn’t required to release any of this data, it will send a devastating message (a) that there are no Privacy Act rights to PNR data, even for US citizens, and (b) that granting EU citizens the same administrative “rights” as US citizens means granting them… no rights at all.

Today in court, lawyers for IDP and the government agreed to confer informally to try to resolve the factual issues and to determine if formal discovery will be requested. A second case management conference to set a schedule for filing of preliminary motions will be held on Thursday, March 17, 2011, at 10 a.m., either in court in San Francisco or by telephone with the judge and lawyers for both parties.

6 thoughts on “DHS says they should get our PNR data, but we shouldn’t

  1. “i.e. expanding the use of Israeli-style ethnic profiling and discrimination at US airports”

    I’d prefer the Israeli method of security over our current security theater. Israel has arguably the best airport security in the world. And no groping, funny x-ray machines, or any of that other TSA garbage.

    Would you not agree?

  2. Pingback: Twitter Trackbacks for Papers, Please! » Blog Archive » DHS says they should get our PNR data, but we shouldn’t [papersplease.org] on Topsy.com

  3. Pingback: Papers, Please! » Blog Archive » Feds got NY Times reporter’s PNR data in search for his sources

  4. Pingback: Papers, Please! » Blog Archive » European Commission wants to immunize DHS collaborators in travel surveillance and control

  5. Pingback: Papers, Please! » Blog Archive » DHS moves to dismiss our Privacy Act lawsuit

  6. Pingback: DHS moves to dismiss my Privacy Act lawsuit for PNR data » Travel Insights 100

Leave a Reply

Your email address will not be published. Required fields are marked *