Politico.com reported yesterday that Federal investigators obtained “certain travel records” of New York Times reporter and author James Risen, as part of their attempt to identify Risen’s confidential sources. According to Politico.com:
The scope and intrusiveness of the government’s efforts to uncover reporter James Risen’s sources surfaced Thursday in the criminal case of Jeffrey Sterling, a former CIA officer facing federal criminal charges for allegedly disclosing classified information [to] Risen… In a motion filed in federal court in Alexandria [VA], Sterling’s defense lawyers .. reveal that the prosecution … “has produced … Mr. Risen’s credit card and bank records and certain records of his airline travel.” [emphasis added]
What were these “certain records” of Mr. Risen’s air travel? How did the Feds obtain them? And how were they used? We assume that the records in question included Passenger Name Records (PNRs) for Mr. Risen’s own travel, and perhaps also travel agency or airline “customer profiles” (which at least for travel agencies are typically stored in the same Computerized Reservation Systems as PNR data).
It’s possible that these “certain records” consisted only of, say, frequent flyer account records, which would show only limited data beyond trip dates, destinations, ticket numbers, and record locators. But no competent and diligent investigator would have stopped there. Once they had the record locators, their next step would have been to try to obtain the corresponding complete PNRs.
PNRs are especially useful in this sort of fishing expedition because of the information they contain about how people exercise their rights of association with other people. PNRs contain all sort of relationship and social network data such as friend’s and client’s phone numbers, who paid for who else’s ticket, who was on the same sequence of flights or sat next to whom even if they bought tickets separately, and so forth. PNRs created by corporate travel agencies routinely include billing and tracking codes and remarks that identify the purpose of the trip, the client and/or customer, and so forth. For lawyers, this may include attorney-client or otherwise privileged information.
U.S. Customs and Border Protection (CBP) would already have had copies of all of the PNRs for Mr. Risen’s international airline travel to and from the U.S. in the Automated Targeting System (ATS). (See samples of ATS data and how to request your own ATS files.)
Did the agents investigating Mr. Risen’s sources get his ATS file, including his international PNRs, from CBP? We may never know. In its Privacy Impact Assessment (PIA) for ATS, CBP claimed that all access to ATS, and all access by other agencies in particular, is logged. But in their initial response to our pending Privacy Act lawsuit for ATS records, CBP’s lawyers have claimed that no such logs exist.
What about PNR data for domestic airline travel within the U.S., most of which isn’t in ATS?
Because of the way PNR data from multiple travel companies is pooled in the same globally-accessible CRSs, the Feds (or local police, or government agencies in other countries worldwide) could have gotten the same PNR data from any of three major categories of travel companies: (1) the travel agencies that made the reservations, (2) airlines, or (3) CRSs — including, for all three of these categories of companies, any of their offices worldwide.
The Feds could have obtained Mr. Risen’s PNRs from any of these companies, without the others of these companies even knowing this had happened. PNRs themselves contain change logs (“history”) but no access logs, and no separate access logs are normally kept by CRSs.
What, if any, legal authority and process was used? And what would have been required?
The Feds could have obtained a subpoena directed to one one or more of these travel companies, or used National Security Letters directed to CRSs. But under U.S. law they wouldn’t have needed to do that. In the U.S., PNRs and other travel data are considered to be solely the informational property of the travel companies that create and/or store them, in which travelers have no interest. Travel companies’ privacy policies (when they have publicly-disclosed privacy policies, which they aren’t required to have) routinely purport to permit those companies to disclose PNR data “when requested” by government agencies (not just when “required”) or “as otherwise permitted by law”, which in the U.S. permits anything. So travel companies might have “voluntarily” handed over Mr. Risen’s PNRs, or handed them over in response to a non-binding “request” from government agents.
One of the most important things to note about this is that Mr. Risen didn’t have to be notified or given a chance to object before this data about him was turned over to Federal investigators. Presumably he wasn’t notified. Even if a court approved a subpoena, Mr. Risen wouldn’t have had to be notified and wouldn’t have been a party to the proceedings, since any subpoena wouldn’t have been directed to him but to a travel company for records considered to be that company’s property (although of course the reason they were sought is that they pertained to Mr. Risen).
It’s also important to note that these records might have contained information collected in Canada or the European Union — for example, phone numbers in those countries provided to offices in those countries when reconfirming return international flights. CRSs don’t even try to keep records of where the data in PNRs was collected, or what data protection jurisdiction(s) apply to which portions of any particular PNR. It’s impossible to determine that from anything in a PNR.
In practice, once data is transferred to the U.S. — as it is, line by line, each time a travel agent or airline staff person presses the “enter” key on a terminal anywhere in the world connected to a U.S.-based CRS — the CRSs and other companies treat it as “U.S. data” and ignore any other countries’ laws. Once it gets to the U.S., which for PNRs is typically from the moment of their creation in a U.S.-based CRS, PNR data is exposed to access by the U.S. government. Certainly nobody with a company in the U.S. would have thought, in responding to a request or demand for Mr. Risen’s PNR data, that they might need to comply with requirements (such as for notice to Mr. Risen) that might apply as a result of the laws applicable in other countries where this data might have been collected.