FOIA appeals reveal problems with PNR data
We’ve noticed a disturbing pattern in how the DHS, and specifically US Customs and Border Protection (CBP), has responded to people who have asked the DHS for its files about themselves.
Eventually — typically months later than the statutory deadline for responding to a FOIA request — CBP has sent the requester a file of information about their international travel, including a log of entries, exits, and borders crossings.
But even when the requester has explicitly asked for the Passenger Name Record (PNR) data that CBP has obtained from their airline reservations, or has asked CBP for “all” its records about their travel, or for all data about themselves from the CBP “Automated Targeting System” (most of which consist of CBP copies of PNRs), CBP has completely omitted PNR data — or any mention of it — from its response.
People who don’t work in the air travel industry typically don’t know what PNRs look like. So it isn’t obvious to most recipients of these incomplete responses that what they’ve been given doesn’t include any PNR data. Only when these people showed us copies of the responses they received from CBP have we been able to point out, or confirm, that PNR data was completely absent from the initial CBP response.
When these people have filed administrative appeals, specifically pointing out that their requests included PNR data, CBP has responded to their appeals by sending them redacted copies of CBPs mirror archive of airline PNRs, as contained in ATS. But there’s been no apology, and explanation in any of these responses to appeals of why the PNR data wasn’t included in the initial response. It seems likely that CBP didn’t even bother to search its PNR database in response to the initial requests, either out of gross negligence, gross incompetence, malice, and/or bad faith. (CBP has refused to disclose how PNR data and other information in ATS is indexed, queried, or retrieved. Even though the Privacy Act requires this information to be published in the Federal Register, the judge hearing our lawsuit ruled that it was exempt from disclosure.)
We’ve seen this pattern even in responses to requests from journalist and public figures which, according to DHS policy, would have been subject to pre-release review and approval by the DHS “front office”. The DHS front office has been intimately involved in international disputes related to PNR data, and is fully aware of the existence of this component of DHS dossiers about innocent travelers. So the incomplete responses to FOIA requests can’t be blamed on low-level staff or a lack of oversight or awareness by senior officials.
One of those high-profile cases was that of Cyrus Farivar, Senior Business Editor at Ars Technica. As Mr. Farivar reported earlier this year, CBP’s initial response included no PNR data, even though he specifically included PNR data in his request. After Mr. Farivar appealed, CBP gave him the PNR data he had originally requested.
There was nothing Mr. Farivar’s DHS file that we haven’t seen in other DHS copies of PNRs. But his report about what he received highlights some of the problems with the contents of these DHS records.
Mr. Farivar found that his credit card numbers and other “sensitive security information” (using that phrase to refer to threats to individuals’ security, not the sense in which the TSA uses it to hide its misdeeds) were being stored unencrypted in PNRs in airlines’ computerized reservation systems and in the DHS mirror of PNR data:
Fred Cate, a law professor at Indiana University, said that my story raises a lot of questions about what the government is doing.
“Why isn’t the government complying with even the most basic cybersecurity standards?” Cate said. “Storing and transmitting credit card numbers without encryption has been found by the Federal Trade Commission to be so obviously dangerous as to be ‘unfair’ to the public. Why do transportation security officials not comply with even these most basic standards?”
Prof. Cate (and Mr. Farivar) could equally have asked why airlines and travel agencies don’t do so. Both airlines and travel agencies declined to respond to Mr., Farivar’s request for comment.
Mr. Farivar also received PNR data showing clear violations of the data retention time limits in the non-binding DHS “agreement” with the European Union regarding PNR data receieved from the EU:
CBP publicly states that PNR data is typically kept for five years before being moved to “dormant, non-operational status.” But in my case, my earliest PNR goes back to March 2005. A CBP spokesperson was unable to explain this discrepancy.
That the violation of the data-retention provisions of the DHS-EU agreement was so flagrant also casts serious doubt on the reviews that have been conducted of DHS compliance with the agreement. It seems likely that these reviews have been limited to comparing DHS claims of what it has done with the agreement. Even a cursory audit of actual PNR data from the DHS databases would have revealed these breaches of the “undertakings” made to the EU by the DHS.
The PNR data disclosed by DHS to Mr. Farivar also included airline and travel agency business-process records including notes on his conversations with customer service call center staff. Julia Angwin, in her recent book Dragnet Nation, expressed similar concern about the commingling of government and commercial data in the file of PNR data she obtained from CBP.
That’s a routine and inevitable consequence of the DHS regulations and orders that require airlines to provide CBP with complete copies of any data that these companies include in PNRs for their own business purposes. ICAO’s white paper on government access and copying of PNR data, Document 9944, explicitly acknowledges that “Some innformation, such as the internal dialogue or communication between airline staff and reservation agents, may be stored in the PNR, in particular in the ‘General remarks’ field. The remarks may include miscellaneous comments and shorthand.”
PNRs are commercial records, and airlines and travel agencies use the computerized reservation systems in which PNRs are stored as their primary customer relationship management systems. There is little or no consciousness on the part of airlines, travel agencies, their contractors (such as ground handling companies) or their employees of data minimization principles, even though anything they include in a PNR goes directly and irretrievably into the passenger’s permanent file with the government.
What should you look for in a CBP response to your request for its file about you? If you’ve traveled internationally to or from the USA, the CBP files about you typically contain at least two, and sometimes three, distinct types of records: (1) a summary log of entries, exits, and border crossings from the TECS database, (2) “secondary inspection” or other notes recorded by border inspectors about individual events in this log, also from TECS (these detail pages aren’t always created, but can be even if you aren’t subjected to secondary screening and nothing seemingly untoward happens), and (3) copies of airline PNR data for each flight to, from, or overflying the USA since CBP got access to that airline’s PNR hosting system.
Other DHS components may have files about your travels in the DHS mirror copy of the Terrorist Screening Database (TSDB) and in the TSA’s Transportation Security Enforcement Record System (TSERS), the latest version of the TSA’s own supplemental travel blacklist/watchlist. But these files are generally exempt form disclosure under both the Privacy act and FOIA. DHS and TSA will typically respond to requests for these records — if the bother to respond at all, which they often don’t — with a “Glomar” response refusing to confirm or deny whether any such records even exist.
If all you receive from CBP or DHS in response to a request for records about yourself is a TECS log and maybe some secondary inspection notes or TECS detail pages, and some of your exits or entries from or to the USA were by air, CBPs response is incomplete, and you should appeal. Every CBP response to a request like this that we have reviewed has been incomplete in some way. In most cases, even when people received some PNR data in an initial CBP response, CBP has mysteriously “found” more PNRs after they appealed. So we recommend that you appeal any initial CBP response, on the assumption (firmly supported by our experience) that the initial response is likely to be incomplete.
Pingback: Key U.S. Senator questions airways on privateness practices | Posts