FOIA appeals reveal problems with PNR data
We’ve noticed a disturbing pattern in how the DHS, and specifically US Customs and Border Protection (CBP), has responded to people who have asked the DHS for its files about themselves.
Eventually — typically months later than the statutory deadline for responding to a FOIA request — CBP has sent the requester a file of information about their international travel, including a log of entries, exits, and borders crossings.
But even when the requester has explicitly asked for the Passenger Name Record (PNR) data that CBP has obtained from their airline reservations, or has asked CBP for “all” its records about their travel, or for all data about themselves from the CBP “Automated Targeting System” (most of which consist of CBP copies of PNRs), CBP has completely omitted PNR data — or any mention of it — from its response.
People who don’t work in the air travel industry typically don’t know what PNRs look like. So it isn’t obvious to most recipients of these incomplete responses that what they’ve been given doesn’t include any PNR data. Only when these people showed us copies of the responses they received from CBP have we been able to point out, or confirm, that PNR data was completely absent from the initial CBP response.
When these people have filed administrative appeals, specifically pointing out that their requests included PNR data, CBP has responded to their appeals by sending them redacted copies of CBPs mirror archive of airline PNRs, as contained in ATS. But there’s been no apology, and explanation in any of these responses to appeals of why the PNR data wasn’t included in the initial response. It seems likely that CBP didn’t even bother to search its PNR database in response to the initial requests, either out of gross negligence, gross incompetence, malice, and/or bad faith. (CBP has refused to disclose how PNR data and other information in ATS is indexed, queried, or retrieved. Even though the Privacy Act requires this information to be published in the Federal Register, the judge hearing our lawsuit ruled that it was exempt from disclosure.)
We’ve seen this pattern even in responses to requests from journalist and public figures which, according to DHS policy, would have been subject to pre-release review and approval by the DHS “front office”. The DHS front office has been intimately involved in international disputes related to PNR data, and is fully aware of the existence of this component of DHS dossiers about innocent travelers. So the incomplete responses to FOIA requests can’t be blamed on low-level staff or a lack of oversight or awareness by senior officials.
One of those high-profile cases was that of Cyrus Farivar, Senior Business Editor at Ars Technica. As Mr. Farivar reported earlier this year, CBP’s initial response included no PNR data, even though he specifically included PNR data in his request. After Mr. Farivar appealed, CBP gave him the PNR data he had originally requested.
There was nothing Mr. Farivar’s DHS file that we haven’t seen in other DHS copies of PNRs. But his report about what he received highlights some of the problems with the contents of these DHS records.