Since the start of the post-9/11 shift from case-by-case government access to travel reservations to dragnet surveillance of all reservations and pre-crime profiling of all travelers, the government has claimed repeatedly that the information to which it has demanded access was already “routinely” provided by travelers to airlines and other travel companies.
We’ve recently received some details of just how untrue those claims are, through the latest installment of a continuing trickle of responses by Amtrak to a Freedom Of Information Act request we made in 2014. (See our previous reports on government surveillance of Amtrak passengers.)
Anyone familiar with travel industry practices and reservation data has known all along that the government’s demands for data about airline, train, bus, and cruise ship passengers have exceeded what was needed by common carrier for commercial purposes. Until after September 11, 2001, walk-up customers could buy tickets for cash, for themselves or anyone else, at airline or Amtrak or Greyhound ticket counters, without providing any information at all except an (unverified) name. No address, phone number, or other identifying or contact information was required.
The government has demanded not just access to existing travel industry databases, but the logging of additional details about travelers that were never previously required. The travel industry worldwide has had to spend billions of dollars modifying every layer and component of their IT systems, and of all the systems that interact with them, to collect and store this additional information and deliver it to the government in standardized government-dictated formats.
Even names of travelers weren’t required for reservations, tickets, or travel. Space could be reserved for a group of travelers with only a group identifier or lead contact. Sometimes dummy or placeholder names would be entered for group members, but they could be and often were omitted.
The latest file we’ve received from Amtrak is a PDF of images of printouts or views of email messages (we haven’t received the raw “message source” files we requested, and will eventually be appealing Amtrak’s failure to release them) within Amtrak and between Amtrak, the big four CRS/GDS companies (Sabre, Amadeus, Worldspan, and Galileo/Apollo — then owned by Cendant) and possibly their contractors or other “partners” (names redacted).
These messages date from 2006, when Amtrak “voluntarily” decided to start sending data about all passengers on cross-border Amtrak trains and buses between the USA and Canada to the DHS Advance Passenger Information System (APIS). In order to populate the API data fields, Amtrak decided to make “Passenger ID” (PID) a required field in all Amtrak reservations. That took some work in itself, but it also caused a cascade of new problems for reservations without names, especially those for as-yet-unknown members of groups:
The standard procedure for tour operators is to reserve space for the maximum anticipated group size before any passenger names are known. Without first holding reservations for space for the group, a tour operator can’t ethically (or legally, in many states) take individual reservations or payments for the tour.
Neither Amtrak nor any transportation company can require a name list for a group at the time that group space is reserved. Instead, Amtrak decided to allow group reservations without names, but to inhibit the acceptance of payment for tickets on any cross-border train or bus unless and until names are entered for all members of the group.
Amtrak tickets, including tickets for groups, can be issued by travel agencies using any of the big four CRS/GDS systems. So each of the CRS/GDS companies had to work with Amtrak to implement this inhibition on acceptance of payments for unnamed group members, and to alert and train tens of thousands of travel agents and tour operator staff on the new protocols.
There were still more problems to be solved, however. Tour operators or other purchasers of group tickets typically are required to pay deposits to hold the space, starting long before passenger names are known or tickets are issued. A group contract typically includes a schedule of percentages of the total ticket price to be paid at specified intervals before the date of travel, starting with 10-25% of the total fare as an initial deposit to hold the group block of seats.
There’s no commercial need for carriers to know passengers’ names. As long as the carrier can verify that payment was received for the number of tickets corresponding to the number of group members who were boarded and transported, what business is it of a common carrier what the passengers’ names were?
But if payment toward tickets — which normally would be associated in the PNR with reservations for specific travel segments, and would have to be associated with specific segments to identify whether it was for international travel subject to the new rule — couldn’t be accepted without names, how could payments for group deposits on international routes be accepted? The inhibition on acceptance of payment for tickets without passenger names was incompatible with well-established business practices and commercial (and in some states legal) requirements.
Amtrak and CRS/GDS product managers and IT staff struggled to resolve this conflict within the constraints of legacy databases in which adding new fields or data structures could be prohibitively costly. One suggestion was to train Amtrak and travel agency staff to create a “dummy” itinerary segment for a nonexistent train between fictitious stations. A group deposit could be associated with this dummy segment in the PNR, without triggering the inhibition on accepting payments of unnamed group members on the real international segment(s) in the itinerary.
It’s a workaround that would naturally occur to someone familiar with CRS/GDS-based ticketing and accounting procedures and software. “Dummy” itinerary segments are commonly created in order to be associated with other payments, such as service fees, that can’t be linked with an air or rail travel segment without interfering with ticketing protocols or ticket accounting.
It’s not clear what solution Amtrak, CRSs/GDSs, and travel agencies ended up implementing, but this workaround could have caused yet more problems.
Amtrak staff or contractors suggested a dummy train “GRU-DPS” to be used for “Group Deposit”. Neither GRU nor DPS is the actual code for any Amtrak station, but they are the codes for major international airports in Sao Paulo Brazil (GRU), and Denpasar, Bali (DPS). It’s not clear what collisions, confusion, or erroneous reporting might have ensued, especially when Amtrak payments were processed in CRS/GDS systems also used for airline reservations.
All of this was just for Amtrak, and just for part of one of the U.S. government’s requests for more, and more comprehensive, data about all travelers.
Unlike Amtrak, airlines in the US are private companies and not subject to FOIA. But every airline that flies to the US, or has a codeshare on a flight to the US, or has a ticketing agreement with any airline that flies to the US or has a codeshare to the US, has been forced to jump through a series of hoops like this to comply with successive requests and/or demands from the US and other governments. We can extrapolate from Amtrak’s troubles to those of the world’s hundreds of scheduled airlines by multiplying by a couple of orders of magnitude.
Airlines have complained repeatedly about the burden of these changing, inconsistent, and sometimes incompatible government demands, sometimes unsupported by any legal authority. It’s hardly surprising that airlines think it would be cheaper for them — even if it’s worse for their customers and passengers — to accept a single unchanging standard for universal government access to a standardized dataset of information about all travelers than to cope with the current piecemeal approach.