Airlines should have been defending their customers against government demands for information. Instead, they have chosen to collaborate with governments not just in surveillance and violation of the rights of their customers, but in the cover-up of those practices and the attempt to keep travelers from realizing their extent.
If we didn’t know better, this would be reassuring. But it’s not true.
As it happens, we had gotten another letter earlier this week from the Canadian Border Services Administration (CBSA), containing portions of its records of Passenger Name Record (PNR) and Advance Passenger Information (API) data about our flights on Air Canada, which CBSA had obtained from computerized reservation systems and Air Canada’s Departure Control System (DCS):
[Excerpt from Air Canada API and PNR data from the CBSA “Air Targeting” system]
The information in the CBSA Air Targeting files includes both PNR and API data for Air Canada flights, despite the “claim”: that, “Air Canada is not in a position to provide you with APIs records and logs for the flights listed in your Request since no such APIs records were created.”
And earlier this year, in the last batch of information disclosed by US Customs and Border Protection in response to our Privacy Act and FOIA lawsuit for records from the CBP Automated Targeting System, we received copies of two PNRs that CBP had obtained from different reservation systems for those same Air Canada flights:
[Excerpt from Air Canada PNR from the USCBP Automated Targeting System]
[Excerpt from Air Canada & Swiss International PNR from the USCBP Automated Targeting System]
The airline tickets for this trip to Europe last fall by identity Project consultant Edward Hasbrouck were fairly typical of the confusion and complexity fostered by airline alliances and codesharing.
Air Canada issued a single electronic ticket for the entire journey, including outbound flights from Boston to Montréal to Brussels with Air Canada flight numbers (one of which was actually operated by the Air Canada “Jazz” division), and return flights from Ljubljana to Zürich to San Francisco with Swiss International flight numbers (one of which was actually operated by the Slovenian national airline, Adria).
We bought these tickets from Air Canada through the Vayama.com Web site (a/k/a Airtrade International), which is operated by a large Netherlands-based travel agency, Travix International, itself a subsidiary of the still larger Dutch travel conglomerate BCD Holdings. To the extent that our dealings with Air Canada were carried out through Vayama.com, our personal information is protected by Dutch as well as Canadian law.
In making my reservations and issuing tickets, Vayama.com/Airtrade/Travix acted solely as an agent of the airlines by which it had been appointed — in this case, Air Canada. The ticket correctly shows that it was issued by Air Canada. Air Canada was the principal in my contract of carriage, with the travel agency acting as the airline’s agent.
Air Canada’s claims in its letter that it has no control over its agents, and that its agents are “independent”, are entirely untrue. Each airline has complete control over whether to appoint agents (some airlines such as Ryanair don’t appoint any agents), what authority to give those agents to act on behalf of the airline, and what conditions to place on agents’ exercise of their delegated authority to act on behalf of the airline. Airlines can and routinely do revoke the appointments of agencies’ that violate the conditions of their appointments.
Air Canada’s disclaimer of responsibility for the actions of its agents, its claim that “travel agencies… are independent from Air Canada”, and its repeated references to “your travel agency” (i.e my travel agency), when the agency acted as Air Canada’s agent and not as my agent, stand the law of agency on its head.
Legally, what is done by a duly appointed agent is considered to have been done by the principal. The principal is responsible for the acts of its agents, whether those agents are employees at a ticket counter or corporations appointed by the airline to act as its agents in making reservations, accepting payments, and issuing tickets in the name of the airline.
When PIPEDA first came into effect for airlines, and thus for their agents, it should have notified travel agencies of their new obligations, whenever they acted as an agent for Air Canada, to comply with PIPEDA.
So far as we know, that never happened. But Air Canada has just as much of a duty to ensure that corporations that act as its agents accept and are conversant with their obligations under PIPEDA, before Air Canada appoints them to act as its agents, as Air Canada has to ensure that its employees accept and are conversant with their obligations under PIPEDA before those employees are authorized to start handling personal information subject to PIPEDA on Air Canada’s behalf.
Air Canada’s further claim that records associated with a unique ticket number “are not personal information per PIPEDA” flies in the face of the law’s definitions of such information.
Another major problem revealed by Air Canada’s letter is the admission that no record is kept of incoming or outgoing interline messages and that “the system used by Air Canada does not track consultations of a PNR record. Only accesses resulting in a transaction are recorded.”
This is true, and makes it impossible for Air Canada or any other airline which uses these systems to comply with the law. Both Canadian and Dutch privacy and data protection law requires a business to disclose, on request, the third parties and third countries to which personal information has been transmitted. It is thus a clear violation of both Canadian and Dutch law for Air Canada and its Dutch agent Vayama.com to use systems that lack access logs.
In practice, governments have been given root access to the computerized reservation systems used by airlines and their agents. These government departments including CBP can pull any PNR. Without access logs it’s impossible to know which PNR’s have been retrieved by which governments.
You can see this in the two PNR’s for this trip which CBP had in their ATS database. The first, #10 in their list, shows only the Air Canada flights, and presumably was obtained from Air Canada’s host system or host partition in a CRS. The second PNR, #11 in the CBP list, is labeled as an “LX” (Swiss International Airlines) PNR, but includes both the flights with Swiss flight numbers and the Air Canada flights.
In the absence of some bilateral or multilateral (Star Alliance?) codesharing or data sharing agreement, Swiss wouldn’t have been able to see the Air Canada flights in this PNR. What this suggests is that, when CBP retrieved what it considered the “Swiss” PNR, it had root user privileges to pull the entire multi-airline PNR created in the CRS by the travel agency.
To date, none of the airlines from which we have requested records of what they have done with our reservations, and to whom they have disclosed them — KLM, Air France, Lufthansa, and now Air Canada — has complied with their legal obligations. Air Canada has proved to be even worse than the others, not just failing to keep records of disclosures and withholding information it was required to provide, but denying that known disclosures to both the Canadian and US governments had occurred.
We will be pursuing these issues — the lies, the misinterpretations of the law, and the admissions of failures to comply with the law — with Air Canada, its agent Travix International, Amadeus (the source of the references in the PNR’s to “1A” for Amadeus, and “MUC” and “MUCRM1A” for the Amadeus data center or “Reservations Mainframe” near Munich in Erding, Germany) and other reservation systems, the Privacy Commissioner of Canada, and data protection authorities in the Netherlands (Travix International) and Spain (Amadeus).