The first “interim” release of documents responsive to our FOIA request for records of police and other government access to Amtrak reservation data show that Amtrak is not only giving police root access and a dedicated user interface to mine passenger data for general state and local law enforcement purposes, but also lying to passengers about this, misleading Amtrak’s own IT and planning staff about the legal basis for these actions, and violating Canadian if not necessarily US law.
Our FOIA request was prompted by Amtrak’s obviously incomplete response to an earlier FOIA request from the ACLU. That response omitted any mention of government access to Amtrak reservation data, even though we’ve seen records of Amtrak travel in DHS files about individual citizens obtained in response to previous Privacy Act and FOIA requests. The documents we have just received were clearly responsive to the ACLU’s request, and should have been, but weren’t, included in Amtrak’s response to that request.
Amtrak is still working on our request, but has begun providing us with responsive records as it completes “processing” of them: search, retrieval, and redaction. (Amtrak is even further behind in responding to some other FOIA requests, such as this one for certain disciplinary records related to misconduct by Amtrak Police.)
The first “interim” release to us by Amtrak includes just a few documents: a 2004 letter from US Customs and Border Protection (CBP) to the Amtrak Police legal department, requesting “voluntary” provision by Amtrak to CBP of Advanced Passenger Information System (APIS) identification data about all passengers on international Amtrak trains, and a 2004-2005 project summary and scoping document for the work that would be required by Amtrak’s IT department to automate the collection, maintenance in Amtrak’s “ARROW” passenger reservation database, and delivery to CBP of this data.
The letter from CBP notes that as of 2004, Amtrak was faxing passenger manifests for its international trains to CBP. The letter notes that legal mandates for provision of passenger information to CBP “do not currently extend to land modes of transportation, such as rail”, but also points out that, “The law does include a requirement that the government assess the feasibility of extending the requirements to land transportation.”
At least one Senator has called for the extension to Amtrak of the Secure Flight system of surveillance and control of air travelers, and DHS has said that “CBP is pursuing ‘All Modes‘ APIS legislative authority to clarify its broad authority to mandate the transmission of manifest information, including all international rail and bus travel.” But no such legislation has been approved, and any participation in such a scheme by Amtrak, like the ongoing provision of APIS data about Amtrak passengers to CBP, remains voluntary according to CBP’s latest official regulatory notices.
The project summary prepared by Amtrak’s IT department says categorically, however, that, “Information pertaining to passengers and crewmembers traveling across the U.S./Canadian border is required by the U.S. Department of Homeland Security (DHS).”
Was Amtrak’s IT department lying about whether this was required? Or were they misled by Amtrak Police about the state of the law? We look forward to learning more about this as Amtrak releases more records in response to our FOIA request. There would have been little reason, however, for programmers to lie, in their internal IT planning documents, about what they thought the law required. It’s much more likely that the Amtrak Police misled other Amtrak departments as to what the law required — probably fearing that Amtrak programmers and other operational staff might resist “voluntarily” spying on their customers and passengers.
There is a similar false statement, “The United States and Canada both require advance manifests for rail passengers entering their territories,” in a 2009 report by Amtrak to Congress. It’s unclear which Amtrak department prepared this report, but it appears that the Amtrak Police and its legal department — who knew that no law required or requires Amtrak, even today, to hand over any passenger data to CBP — successfully misled even Amtrak planning staff responsible for reporting to Congress!
It’s unclear from the initial interim release of Amtrak documents whether the IT project they describe was approved or implemented. The spaces for approval signatures and dates on the copy we received are all blank. The plan is interesting, however, both for what it says Amtrak was already doing to make passenger data available to police, and for its outline of how Amtrak would need to modify its IT systems, and at what cost, to support the passenger surveillance functionality desired by CBP: “Extensive programming by Amtrak Technologies to multiple Amtrak systems is required.”
The one-time costs were projected as $300,000 just for Amtrak’s IT department, not including ongoing operating and maintenance expenses, training or data entry time for reservations and ticketing staff, or costs to travel agencies, tour operators, and Global Distribution Systems (GDSs) or Computerized Reservation Systems (CRSs) through which Amtrak receives reservations from travel agencies.
Privately-owned airlines aren’t subject to FOIA, and no comparable data about IT system modifications to support DHS surveillance and control of passengers has been disclosed by any airline. The Amtrak estimates seem low, and Amtrak international passenger volumes are small compared to those of airlines. Amtrak has only three international trains per day in each direction, to and from Canada.
As part of its cost-benefit analysis for the project, the project summary reported that, “Amtrak trains entering the US and processed at the border by CBP incur an average 87-minute delay.”
The scoping document described the proposed CBP interface and related functionality as an enhancement to, “The existing Police Gui” [Graphical User Interface] used by the Amtrak Police Department (APD). The project proposal included data mining and reporting tools for users of the Police GUI to search for, retrieve, sort, and view reservations by passenger name, PNR “record locator”, address, phone number, date of birth, or ID document (drivers license, passport, etc.) number.
Who are the Amtrak Police, and what are their powers?
Like many components of Amtrak as a parastatal entity, the Amtrak Police are an anomaly. Contrary to what one might naturally assume, they are not Federally commissioned and have no jurisdiction over violations of Federal law. Each Amtrak Police officer is commissioned by a state or locality. But on Amtrak trains or premises anywhere in the US, Federal law gives Amtrak Police unusual if not unique interstate jurisdiction to enforce any applicable state or local laws.
Regardless of whether the Amtrak-CBP interface project was approved, funded, or implemented, the Amtrak project documents we have now received show that Amtrak Police already had access to passenger reservations through a dedicated “Police GUI”. Amtrak Police have no authority to enforce Federal customs or immigration laws. Their only use of passenger reservation data would be to enforce other state and local laws applicable in the places where Amtrak operates.
But compare what Amtrak says on its website about how this data will be used:
The information you provide when you make your reservation will be entered into your reservation record and supplied to Customs and Immigration officers to facilitate your clearance. Neither Amtrak nor VIA Rail Canada will use this information for any other purpose.
We now know that this statement to passengers is false. This information is also used by Amtrak Police. They aren’t customs or immigration officers and have no jurisdiction over immigration or customs “clearance”. Their only possible use of this information is for other, general, state and local law enforcement purposes.
Amtrak’s peculiar legal status makes it unclear what agency in the US, if any, has jurisdiction over false statements by Amtrak to its customers and passengers.
In Canada, this disclosure of Amtrak passenger data to Amtrak Police for use as part of a general law enforcement dragnet, contrary to the express written representation to the contrary on Amtrak’s website, is a clear violation of the Personal Information Protection and Electronic Documents Act (PIPEDA). Anyone who bought a ticket in Canada for travel on Amtrak to the US, and who objects to having had their information turned over to Amtrak police for these undisclosed purposes, has the basis for a complaint to the Office of the Privacy Commissioner of Canada, and/or to the Canadian courts.
There has been one previous complaint to the Privacy Commissioner of Canada in 2001 regarding what information is collected from purchasers of Toronto-New York train tickets and passed on to the Canadian and US government, and what ticket purchasers are told about whether this is required or voluntary. The Privacy Commissioner’s report on this complaint doesn’t name the companies involved, but the complaint appears to have been brought against VIA Rail Canada and one of its ticket sales agencies. The compliant was resolved when “the company” — this appears to have been VIA Rail Canada — issued a directive to all its sales agents, “to the effect that passengers’ provision of date of birth and citizenship must be represented as voluntary and that agents may, after booking a ticket, ask customers whether they would be willing to provide this information in order to facilitate customs clearance at the border.” It’s unclear from the Privacy Commissioner’s report whether there was any direct communication between the office of the Privacy Commissioner and Amtrak about this complaint.
As part of our FOIA request to Amtrak, we asked for any Amtrak records pertaining to compliance with PIPEDA, and any Amtrak email messages mentioning PIPEDA or the Privacy Commissioner of Canada. We look forward to learning what any such records say, or whether Amtrak has entirely ignored its obligations, when operating in Canada, to comply with Canadian law.