Jul 06 2015

Expert critique of European travel surveillance and profiling plans

Independent legal experts commissioned by the Council of Europe (COE) to assess proposals for surveillance and profiling of air travellers throughout the European Union have returned a detailed and perceptive critique of the proposed EU directive on government access to, and use of, Passenger Name Record (PNR) data from airline reservations.

Before the revelations by Edward Snowden and other whistleblowers about dragnet surveillance of telephone and Internet communications, few people appreciated the nature of the threat to freedom posed by government acquisition and use of PNR data for dragnet travel surveillance.

The expert report to the Council of Europe marks a breakthrough in the “post-Snowden” understanding of the nature and significance of government demands for PNR data. The report reframes the PNR debate from being an issue of privacy and data protection to being part of a larger debate about suspicionless surveillance and pre-crime profiling. The report also focuses the attention of European citizens, travellers, and policy-makers on the decisions made (in whole or in part) on the basis of PNR data: decisions to subject travellers to search, interrogation, or the total denial of transportation (“no-fly” orders).

The report specifically cites the Kafkaesque case of Dr. Rahinah Ibrahim as an example of the way that decisions made on such a basis tend to evade judicial review or effective redress.

The PNR directive under consideration by the European Union would require each EU member to establish a Passenger Analysis Unit (PAU), if it doesn’t already have one. These PAUs would function as new national surveillance and pre-crime policing agencies. Each PAU would be required to obtain PNR data for all air travellers on flights subject to its jurisdiction, “analyze” this data (i.e. carry out algorithmic pre-crime profiling of air travellers using PNR data as one of its inputs) and share the raw PNR data with its counterparts throughout the EU.

The United Kingdom already has such a Passenger Analysis Unit. It’s not clear which, if any, other EU members already have such units, although staff of the US Department of Homeland Security, based in Germany and elsewhere in Europe, already perform similar functions as “advisors” making “recommendations” to their European counterparts regarding the treatment of European travellers, based on US profiling of PNRs and other travel history and surveillance data.

The COE expert report on Passenger Name Records, Data Mining & Data Protection was commissioned by the COE Directorate General Human Rights and Rule of Law, and prepared by Douwe Korff (Emeritus Professor of International Law at London Metropolitan University, Associate at the Oxford Martin School of the University of Oxford, and currently Visiting Fellow at Yale University in the USA) and Marie Georges (independent expert formerly on the staff of the French national data protection authority, CNIL). The report was presented and discussed at a meeting last week of the “Consultative Committee of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (T-PD)”.

According to the introduction to the report:

Much has been said and written about Passenger Name Records (PNR) in the last decade and a half. When we were asked to write a short report for the Consultative Committee about PNR, “in the wider contexts”, we therefore thought we could confine ourselves to a relatively straightforward overview of the literature and arguments.

However, the task turned out to be more complex than anticipated. In particular, the context has changed as a result of the Snowden revelations. Much of what was said and written about PNR before his exposés had looked at the issues narrowly, as only related to the “identification” of “known or [clearly ‘identified’] suspected terrorists” (and perhaps other major international criminals). However, the most recent details of what US and European authorities are doing, or plan to do, with PNR data show that they are part of the global surveillance operations we now know about.

More specifically, it became clear to us that there is a (partly deliberate?) semantic confusion about this “identification”; that the whole surveillance schemes are not only to do with finding previously-identified individuals, but also (and perhaps even mainly) with “mining” the vast amounts of disparate data to create “profiles” that are used to single out from the vast data stores people “identified” as statistically more likely to be (or even to become?) a terrorist (or other serious criminal), or to be “involved” in some way in terrorism or major crime. That is a different kind of “identification” from the previous one, as we discuss in this report.

We show this relatively recent (although predicted) development with reference to the most recent developments in the USA, which we believe provide the model for what is being planned (or perhaps already begun to be implemented) also in Europe. In the USA, PNR data are now expressly permitted to be added to and combined with other data, to create the kinds of profiles just mentioned — and our analysis of Article 4 of the proposed EU PNR Directive shows that, on a close reading, exactly the same will be allowed in the EU if the proposal is adopted….

Yet it is obvious (indeed, even from the information about PNR use that we describe) that these are used not only to “identify” known terrorists or people identified as suspects in the traditional sense, but that these data mountains are also being “mined” to label people as “suspected terrorist” on the basis of profiles and algorithms. We believe that that in fact is the more insidious aspect of the operations.

The report develops in detail these key points about government access to and use of PNR data, both as a suspicionless dragnet surveillance system and as part of predictive pre-crime policing (outside of normal mechanisms for penal sanctions or for review and redress for police action).

In addition, the report endorses and highlights the point we have been making for many years that because most PNR data for flights worldwide is hosted by, and communicated through, reservation databases accessible from the USA and worldwide without purpose or geographic access limitations or access logs, the USA and other governments can already obtain and use this data, entirely bypassing putative controls on access to PNRs directly from airlines.

The report specifically directs the attention of European officials to testimony by Edward Hasbrouck of the Identity Project at a European Parliament hearing in 2010 (hearing agenda and witness list, slides, video):

“Europe” must also examine the highly credible claims by Edward Hasbrouck … that the USA has been systematically violating previous agreements, and is still systematically by-passing European data protection law, by accessing the CRSs used in global airline reservation systems hosted in the USA to obtain full PNR data on most flights, including most European flights (including even entirely intra-European ones), outside of any international agreements….

[W]e believe that the supposed safeguards against such further — dangerous — uses of the data are weak and effectively meaningless, both in their own terms and because, as Edward Hasbrouck has shown, the USA can in any case obtain access to essentially all (full) PNRs, through the Computerized Reservation Systems used by all the main airlines, as described next.

IV.ii How the USA by-passes the EU-US PNR Agreements

In April 2010, Hasbrouck produced a series of slides for his presentation on the global PNR systems to the European Parliament hearing on the proposed EU-US Agreement in that month. It must suffice here to only set out the summary information on the last slide (but anyone seriously concerned about what happens to PNR data globally should look at the presentation and the slides in full):

PNR bypass and “leakage”

  • Standard airline business processes completely bypass the DHS-EU “agreement”.
  • Most PNRs follow paths that are not controlled by the DHS-EU agreement.
  • Most PNRs are not stored or controlled by airlines. They are hosted by CRSs [Computerized Reservation Systems].
  • In most cases, data in PNRs is transferred to a CRS in the USA, and a PNR is created in the USA, before the data reaches an airline or CRS in the EU. Once the data is in the USA, it can “leak” or bypass the agreement, without legal controls.
  • CRSs are not mere messengers. The CRS in the USA retains a copy of the PNR.
  • There is no US data protection law for CRSs or other travel companies. CRSs can legally share PNR data with other companies and government agencies worldwide.
  • Government agencies or other third or fourth parties in the USA or other countries can obtain PNR data, in secret, from CRSs or other travel companies.
  • CRSs do not keep access logs. Nobody knows who has retrieved your PNR.
  • None of these activities are regulated or controlled by the DHS-EU [agreement.]

In our opinion, plugging this massive “hole” in the EU-US PNR arrangements should be a top priority for anyone concerned about the uses of these big datasets by the US “intelligence” agencies. Until this is done, and strong safeguards are in place that actually in practice prevent the transfer of PNR data by European airlines to the USA — and to other countries… — the existing EU-US PNR Agreement is simply window-dressing: it is meaningless in practice.

Without a very serious tightening-up of the rules on transfers of PNR data to other domestic authorities (in particular national security authorities, more in particular the UK’s GCHQ) and to third-country authorities, and unless the “hole” in the system exposed by Edward Hasbrouck is closed, the EU PNR scheme will simply feed more bulk data into the massive surveillance and data mining/profiling schemes revealed by Edward Snowden, and replicate and perpetuate them in the EU. [emphasis in original]

We commend the authors for this insightful report, and hope it receives the attention it deserves before the European Union decides to mandate the creation of a new surveillance, profiling, and pre-crime policing agency, with a comprehensive mirror database of airline metadata about our travels, in every EU member country.
