Jan 07 2019

Amtrak thinks it’s OK to spy on passengers because it makes the trains run on time

Buried in the final 500-page PDF file of redacted and munged e-mail messages released by Amtrak in December 2018 in response to a FOIA request we made in 2014, we got the first hint at an answer to one of the questions that originally prompted our request:

What did Amtrak  think was its legal basis for requiring passengers to show ID and provide other information, and for handing this data over to DHS components and other police agencies for general law enforcement purposes?

When US Customs and Border Protection (CBP) asked Amtrak to start transmitting passenger data electronically, it described this as a request for “voluntary” cooperation, noting that while the law requires airlines to collect and transmit this data to CBP, “these mandates do not currently extend to land modes of transportation” (as they still don’t today).

Despite this statement from CBP, someone at Amtrak came up with a way to describe the changes to Amtrak’s systems and procedures to require ID information in reservations for all international trains, and to transmit this data to CBP,  as “required by the U.S. Department of Homeland Security (DHS)” and as “being mandated by the US Border Inspection Agencies [sic].”

In 2004, an Amtrak technology manager was asked, “Do you know if such a [Federal] mandate [to collect information about passengers] exists, or is Amtrak not obliged to participate in this program?”

The unnamed Amtrak IT manager’s response was that:

By statute, the federal government … in cooperation with Amtrak “shall maintain, consistent with the effective enforcement of immigration and customs laws, en route customs inspections and immigration procedures for international intercity rail passenger transportation that will (1) be convenient for passenger; and (2) result in the quickest possible international rail passenger transportation.” 49 USC 24709.

In other words,someone at  Amtrak thinks it’s not merely permitted but required by this provision of Federal law to implement whatever level of intrusiveness of data collection and data sharing will make international trains run more quickly.

It’s arguable, to say the least, whether Congress intended this law as a mandate for ID credentials or data collection, whether collection of passenger data prior to ticketing actually expedites international trains (compared to, as used to happen, conducting customs and immigration  inspections onboard while trains are in motion), or whether demands for ID and passenger information are consistent with the clause of this section requiring that measures taken be “convenient for passengers”. But someone at Amtrak seems to have interpreted this statute as such a mandate, and represented it as such to other Amtrak staff and contractors.

Are there any limits to what information or actions Amtrak would think is required of passengers on international trains, if  that would keep US and Canadian border guards from stopping or delaying trains at the border for customs inspection?

Questions about whether Advance Passenger Information (APIS) was required had been asked not only within Amtrak but by Amtrak-appointed travel agencies, as was relayed to Amtrak by a product manager  for the “Worldspan by Travelport” reservation system:

There’s no indication in the documents we received as to whether this Worldspan subscriber, or any other travel agency, was given any answer to this question.

Notably, no legal basis whatsoever for requiring ID from passengers on domestic trains was mentioned anywhere in the records we’ve received from Amtrak. Nor were any records released that related to Amtrak’s privacy policy, or the legal basis for it, although such records were covered by our request.  We’re still following up with Amtrak on this and other issues, and will file administrative appeals if necessary.

As part of Amtrak’s response to a separate FOIA request, however, we’ve received a redacted copy of Amtrak’s internal directive to staff regarding passenger ID requirements. According to this document, Amtrak stopped requiring passengers to show ID in order to buy tickets as of October 25, 2017.  But no records related to this change, or the reasons for it, were released in response to our request.

Amtrak train crews are supposed to check ID of a randomly selected 10% or 20% of passengers. In our experience, however, Amtrak staff rarely require any passengers to show ID.

Although Amtrak is a Federal government entity, Amtrak’s of list of acceptable ID is much more inclusive than the list of ID that comply with the REAL-ID Act. Amtrak’s list of ID acceptable for train travel includes, among other acceptable credentials, any ID issued by a public or private middle school, high school, college, or university, and drivers’ licensed issued by US states and territories to otherwise undocumented residents.

Amtrak even accepts a “California state issued medical marijuana card“, which doesn’t have the cardholder’s name, only their photo. We’ll leave it as an exercise to our readers to figure out what relationship Amtrak thinks there is between being being eligible for medical cannabis and being eligible for Amtrak train travel.

The most reasonable inference is that someone at Amtrak has decided that Amtrak should make a show of requiring ID, but that others at Amtrak don’t really want to turn away travelers without ID. Perhaps they recognize that travellers who don’t have or don’t want to show ID are a valuable Amtrak customer demographic.

Most of the latest tranche of records released in response to our FOIA request about Amtrak passenger data sharing with law enforcement are email messages between Amtrak IT staff and product managers for Sabre, Galileo/Apollo, Worldspan, and Amadeus, the  major computerized reservation systems (CRSs) or global distribution systems (GDSs) used by travel agencies and tour operators to make reservations and issue tickets for Amtrak trains as well as for hotels, rental cars, and some other travel services.

The Amtrak records we’ve received are interesting in themselves, and as clues to what similar issues have been faced by airlines in integrating their business processes and IT systems with DHS requests and demands. Amtrak is a Federal government agency subject to FOIA.  Airlines, while Federally licensed, are private. Their policies and procedures as well as their contracts and communications with GDSs/CRSs are proprietary and not subject to FOIA.

Many of the problems  discussed in this email correspondence between Amtrak and the CRSs/GDSs are typical of software development projects.  The project took longer than expected, and there was pressure to deploy the requirements for names and ID numbers in Amtrak Passenger Name Records  (PNRs) before they were adequately tested and documented and before users (travel agents) could be given adequate notice or training on the newly required line-command formats.

Other problems were characteristic of those involving interfaces between the airline and CRS/GDS parallel universe and other IT sectors.

CRS/GDS programmers, for example, initially assumed that CBP would accept messages in EBCDIC. That’s the normal character encoding for SITA messages — an airline-industry predecessor to Telexes — over which Amtrak sends passenger data to CBP.  But CBP wanted the data converted to ASCII.

CBP got its own SITA address, “DCAUCCR”, just for APIS data transmissions. But although the volume of data CBP wanted sent for the passengers on one train or plane routinely exceeded the allowable length for a single SITA message, CBP wasn’t able to handle industry-standard protocols for dividing long SITA messages into multiple packets.

CBP wanted dates of birth transmitted in day/month/year format, while airlines and CRSs/GDSs all use month/day/year date format in PNRs.

There were nuances that hadn’t been worked out in the original vague mandate to require passenger names and ID numbers. Would children under a certain age be required to have ID, and if so,  what would the cut-off age be? When would ID be required? Before making a reservation? Before issuing a ticket? Before boarding a train? Onboard?

New standards had to be developed, such as for entering the name of an infant,  previously indicated by appending “WITH INFANT”  to the name of an accompanying adult, who couldn’t be given their own name field in a PNR without reserving a separate seat.

There were problems with reservations that had been made, perhaps months in advance, by travel agents accustomed and trained to enter only surnames and first initials, not full given names. And what about people with single-character first names, or only one name?

Other problems were a result of the fact that Amtrak is not an airline, but was being required to supply data to CBP in formats developed for airline use.  Some Amtrak three-letter station codes, such as “NYP” for Penn Station, don’t match IATA airport or city codes (“NYC” for the New York City metropolitan area including  JFK, LGA, and EWR).

As noted above, Amtrak has a different list of acceptable forms of ID than most airlines, some of which don’t map (at least not in any obvious or unambiguous way) to the document-type indicators in the IATA AIRIMP and PAXLIST standards.

Anyone who was familiar with travel industry and CRS/GDS usage and other business practices — unlike the people in the DHS who came up with these schemes — could have anticipated these problems.

One of the most signficant facts confirmed in the latest FOIA releases is that Amtrak did not require any passenger names at all until CBP asked the Amtrak Police Department (APD) to get Amtrak to add names to PNRs for passengers on international trains.

Reservations for groups, for example, were routinely made without names. As long as a a tour operator or group coordinator  paid for the group, and the number of passengers who boarded the train matched the number for which seats or compartments had been reserved and paid for,  Amtrak had no need to know, and no reason to ask, for a list of the names of members of the group:

Passenger names in group PNRs served no Amtrak business purpose, were not required by Amtrak until 2005, and were first requested solely for police purposes.

This conclusively puts the lie to the persistent DHS claims that information about travelers on common carriers demanded by DHS is limited to information that was already being provided to common carriers for commercial purposes.

We also recetly received a redacted copy of Amtrak’s interline agreement with Greyhound . Curiously, it says nothing about passenger data collection or sharing, or about compliance with the laws applicable to data collected in Canada, the European Union, or other countries where Amtrak has agents who make reservations and sell tickets.

We specifically asked Amtrak for any email messages mentioning the Canadian “Personal Information Protection and Electronic Documents Act” or “PIPEDA”, but received no responsive records. This strongly suggests that Amtrak doesn’t have the necessary binding contractual commitments in place to insure compliance with PIPEDA. Our latest follow-up FOIA request includes records about Amtrak’s compliance with both PIPEDA (Canada) and the GDPR (European Union). We suspect that Amtrak has ignored these laws.

One thought on “Amtrak thinks it’s OK to spy on passengers because it makes the trains run on time

  1. I actually have a fair amount of sympathy for Amtrak on this one. They clearly felt the post-9/11 pressure from the government to step up security measures, and have reacted by caving on the issue they were going to lose on no matter what (the international train travel) and essentially handwaving past on domestic travel.

Leave a Reply

Your email address will not be published. Required fields are marked *