The latest installment in Amtrak’s response to one of our FOIA requests confirms our suspicion that Amtrak has given US Customs and Border Protection (CBP) access to all Amtrak reservations including those for purely domestic passengers and trains — but in an additional and harder-to-track manner than we had previously been aware of.

In October 2014, we asked Amtrak for its records related to data-sharing and other collaboration with the Department of Homeland Security (DHS) and other US and foreign law enforcement agencies. Amtrak is still in the process of searching for and censoring responsive records, more than a year after the legal deadline for its full response. In the mean time, however, Amtrak has been providing intermittent “interim” responses, which we’ve been analyzing and reporting on as we receive them. Because Amtrak is a Federal government entity subject to FOIA, unlike commercial airlines or bus lines, we’ve been able; to find out much more about Amtrak collaboration with DHS and other law enforcement agencies than about the parallel practices of private transportation carriers.

We’ve learned that Amtrak’s own police — who are commissioned by individual states, but have unusual multi-state jurisdiction — have root access to Amtrak’s “ARROW” computerized reservation system, and even a special “Police GUI” (graphical user interface) to mine passenger reservations for police purposes.

We’ve also learned about Amtrak’s transmission to DHS of information about all passengers on Amtrak trains that cross the US-Canada border.

What we didn’t know, until the latest interim release of Amtrak documents this month, was whether DHS or any other Federal police agency also has access to complete reservation details for the much larger number of passengers on domestic Amtrak trains within the US.

Now we know: Agents of US Customs and Border Protection (CBP) have the same access to all Amtrak reservations as Amtrak onboard train conductors, in such a way that their access evades ever being logged or associated with CBP, but appears to Arrow and Amtrak as though it was carried out by Amtrak staff.

It works like this:

In 2012, Amtrak switched from paper tickets to electronic tickets stored in passenger name records (PNRs) in ARROW and accessed by Amtrak conductors through a special app on special Amtrak iPhones.  CBP immediately complained to Amtrak that it no longer could check passengers’ paper tickets during CBP inspections of Amtrak cross-border trains. CBP threatened (completely without legal authority, so far as we can tell) not to allow Amtrak trains to enter the US from Canada (!) if CBP wasn’t given access to tickets or complete e-ticket and reservation records for cross-border trains, even though (a) no law requires Amtrak (unlike airlines) to share any information with DHS, except in response to a warrant or other legal demand, and (b) Amtrak was already voluntarily faxing and emailing CBP daily with lists of all passengers (APIS data) for each of these trains.

The previous installment of email messages and other documents we received from Amtrak ended with Amtrak offering to set up unique individual user IDs for a limited number of authorized CBP staff for Web-based Citrix remote access to reports on cross-border passengers generated by Amtrak from ARROW.  Meanwhile, Amtrak field staff reported that what CBP really wanted as “the ultimate solution” was to get their hands on some of the Amtrak iPhones with the app for ARROW access.

The latest interim release from Amtrak contains an internal Amtrak email message that reveals the arrangement that was made to deal with this.  According to a report by someone (name redacted, of course) from Amtrak headquarters who visited the border and observed the procedures when an Amtrak train was stopped and inspected at the border checkpoint (an otherwise closed station where no passengers embark or disembark) a few weeks later:

The station building itself is closed with asbestos warnings all over it. The Border Patrol has a small separate secure office train side where they can do some research on passengers who were not on the manifest as needed. This is separate from the station. They showed us the office but they don’t go in there unless they need to. It has a computer and small printer. The agent was able to pull up his email and saw the report but didn’t look at it because he had to work the train.

When they do their inspections the conductors only open the front door on the first coach. The agent’s board there worked from to the back of the train. If they need to pull someone off they do so and the train continues without them.

Now with eTicketing in place they are still perform the above, however when they get on board they borrow the device from the conductor and use the 2+2 screen select the on board button to access the passenger list. They also utilize the HNF information for those who did not have reservations and spend more time on these folks….

I did explain the risk of giving them a device and explained that they can have access toi the reports and they will be able to pull them at their digression.  They are happy with that but at this point they cannot access the Citrix site due to their firewall restrictions. [sic; emphasis added]

We doubt that Amtrak conductors are looking over the shoulders of CBP agents whenever they are using the conductors’ iPhones, especially if a CBP agent takes the iPhone with them when they take a passenger off the train for additional questioning in their trackside office. But any Amtrak conductor’s iPhone has access to any reservation in ARROW. (That’s necessary, for example, to enable conductors to check tickets on those Amtrak on reservations aren’t required.)  We also doubt that any logs are kept of which users access which PNRs in ARROW. But even if logs were kept, whatever the CBP agent does on the conductor’s iPhone, while logged in as the conductor, appears to ARROW to have been done by that conductor. Nobody at Amtrak HQ knows, or has any way to find out after the fact, which other PNRs — perhaps for other passengers on other trains entirely — have been retrieved and viewed by CBP inspectors.

Stalking someone, and want to know the details of their Amtrak travel plans? Have your buddy at CBP retrieve that information for you, without leaving a trace, the next time they have an Amtrak conductor’s iPhone in their hands.

The same set of Amtrak records includes email messages from CBP complaining that they didn’t have “the same quality of service” with respect to ticketing and reservation information from VIA Rail Canada as from Amtrak. We’re still wanting for responses to the portion of our FOIA request that concerns Amtrak compliance with Canadian privacy law, including in sales of Amtrak tickets in Canada and Amtrak-VIA Rail Canada joint train operations.