Sep 19 2017

Amtrak lied to travel agents who questioned ID requirements

The encouraging disclosure in the latest installment of documents released by Amtrak in response to one of our Freedom Of Information Act (FOIA) requests is that some travel agents resisted Amtrak demands that they collaborate in surveillance, profiling, and control of train travelers by entering passport or ID numbers and details in each reservation for cross-border Amtrak travel.

According to an email message to Amtrak from a product manager at Worldspan (one of the major computerized reservation systems), “We have one subscriber [i.e. a travel agency that uses Worldspan] that has checked the Federal Register and is quoting ‘chapter and verse’ that it is not mandated … to provide the data”:

Some travel agents pushed back repeatedly, read the official notices and instructions to travel agents about the rail API program carefully (and correctly), and made a travel agency “policy decision of non-provision” of ID data about their customers:

Kudos to the unnamed travel agencies that refused to help the government spy on their customers and called Amtrak on its lies that this was required.

Read More

Oct 03 2016

How the DEA uses travel company spies to confiscate travelers’ cash

A report by the Office of the Inspector General (OIJ) of the U.S. Department of Justice (DOJ) sheds more light on how the Drug Enforcement Agency (DEA) pays workers for airlines, Amtrak, bus companies, and package delivery services to spy on their customers, troll through reservation and shipping records, and finger travelers and senders and recipients of packages to the DEA in exchange for a share of the cash which can be seized and “forfeited” to the government even if no drugs are found and no criminal charges are brought.

This practice was first reported in August 2016 by Brad Heath in USA  Today, based on case-by-case review of court filings describing the basis for DEA searches that led to “civil forfeiture” proceedings. And the DOJ OIG had released brief interim summaries of its investigations into DEA relationships with one Amtrak employee and one TSA employee who were paid to inform on travelers.

The new OIG report released last week provides much more detail about the scope of the DEA’s use of travel and transportation staff as paid “confidential sources” to target travelers and parcels for cash seizures on the basis of travel reservations and shipping records. The OIG found that the DEA is paying employees of Amtrak, airlines, bus companies, and other transportation companies millions of dollars for individual tips and copies of entire passenger manifests:

[DEA] Special Agents have various ways of receiving these “tips,” but generally receive the information on a daily basis via email or text message, some of which are sent to government accounts and others to non-government private accounts that are established and controlled by the Special Agents. Additionally, we found that although some Special Agents estimated receiving up to 20 “tips,” or passenger itineraries, per day from their… commercial airline confidential sources, the DEA does not maintain a record of receipt of the totality of the confidential source “tips.”….

[S]ome Agents requested that sources provide them with suspicious travel itineraries that met criteria defined by the Agents, and in some cases requested entire passenger manifests almost daily….

Read More

Sep 27 2016

Proposed laws would expand travel controls from airlines to passenger railroads

Legislation has been introduced in both the USA and Belgium to subject rail travelers to the same sorts of travel surveillance schemes that are already being used to monitor and control air travelers.

If these proposals are enacted into law, passenger railroads would be required to collect and enter additional information such as passport or ID numbers and dates of birth (not currently required or routinely included in US or European train reservations) in Passenger Name Records (PNRs), and transmit rail travel itineraries and identifying information about passengers to the government, in advance.

As is already the case for all airline travel in the USA, including domestic travel, railroads would be forbidden to allow any passenger to board unless and until the railroad receives an explicit, affirmative, individualized, per-passenger, per-flight permission-to-board message (“Boarding Pass Printing Result”) from the government.

In both the USA and Belgium, the proposed legislation would create legal conflicts with civil liberties and human rights, and practical conflicts with railroad business processes and IT capabilities.

Read More

Aug 10 2016

DEA recruits airline & travel industry staff to inform on travelers

Brad Heath reports in USA Today that the Drug Enforcement Administration (DEA) has been recruiting airline and other travel industry staff to inform on travelers. The DEA has been using these tips from industry insider informers with access to travel reservations as the basis for searches, seizures, and “civil forfeiture” proceedings to confiscate cash from travelers on the basis of allegations that it was somehow associated with illegal drugs:

USA TODAY identified 87 cases in recent years in which the Justice Department went to federal court to seize cash from travelers after agents said they had been tipped off to a suspicious itinerary. Those cases likely represent only a small fraction of the instances in which agents have stopped travelers or seized cash based on their travel patterns, because few such encounters ever make it to court.

Those cases nonetheless offer evidence of the program’s sweep. Filings show agents were able to profile passengers on Amtrak and nearly every major U.S. airline, often without the companies’ consent. “We won’t release that information without a subpoena,” American Airlines spokesman Ross Feinstein said.

In almost none of these cases has the DEA actually brought any criminal charges against the travelers whose cash has been confiscated:

A DEA group assigned to Los Angeles’ airports made more than 1,600 cash seizures over the past decade, totaling more than $52 million, according to records the Justice Department uses to track asset seizures. Only one of the Los Angeles seizure records included an indication that it was related to a criminal indictment…. Of the 87 cases USA TODAY identified in which the DEA seized cash after flagging a suspicious itinerary, only two resulted in the alleged courier being charged with a crime. One involved a woman who was already a target of a federal money-laundering investigation; another alleged courier was arrested a month later on an apparently unrelated drug charge.

According to USA Today, “The DEA would not comment on how it obtains records of Americans’ domestic travel, or on what scale.” USA Today wasn’t able to identify any of the travel industry informers who have been tipping off the DEA about customers they thought might be carrying cash. But DEA spokesman Russ Baer said DEA agents “receive information from employees at ‘airlines, bus terminals, car rental agencies, … or other businesses.'”

Because airlines and computerized reservation systems don’t keep any access logs, it’s impossible for anyone to tell, after the fact, which travel industry personnel looked at a reservation and might have been DEA informers (or any other sort of attacker or threat: identity thief, stalker, industrial spy, etc.).

Some of the examples reported in USA Today relate to DEA access to Amtrak reservations. In court filings quoted in the USA Today story, DEA agents described their review of reservations for domestic Amtrak travel within the US as “routine”. From one of Amtrak’s responses to our FOIA requests, we know that Amtrak has a special “police GUI” for police to use in mining and reviewing data from Amtrak’s “Arrow” reservation system. We’ve asked Amtrak for all records pertaining to access to reservations by law enforcement agencies. After more than a year and a half, Amtrak is still continuing to process responsive records, as discussed in our previous articles about Amtrak. But Amtrak hasn’t yet disclosed anything to us about DEA access to Arrow or other Amtrak data.

The story in USA Today notes that the DEA isn’t supposed to have access to the information about travelers on domestic flights that airlines are required to transmit to the TSA before they can get permission to issue boarding passes. The TSA has defended the Secure Flight passenger surveillance and control scheme as an administrative search for the limited purpose of aviation safety. But we’ve heard rumors that the TSA is under pressure from other law enforcement agencies to open up the Secure Flight database of domestic air travel itineraries for general law enforcement uses. Those uses would likely include both arrest warrants and lookouts derived from NCIC, and profiling for forfeiture targeting by the DEA.

 

Jun 07 2016

How hard was it for Amtrak to require names in reservations?

Since the start of the post-9/11 shift from case-by-case government access to travel reservations to dragnet surveillance of all reservations and pre-crime profiling of all travelers, the government has claimed repeatedly that the information to which it has demanded access was already “routinely” provided by travelers to airlines and other travel companies.

We’ve recently received some details of just how untrue those claims are, through the latest installment of a continuing trickle of responses by Amtrak to a Freedom Of Information Act request we made in 2014. (See our previous reports on government surveillance of Amtrak passengers.)

Anyone familiar with travel industry practices and reservation data has known all along that the government’s demands for data about airline, train, bus, and cruise ship passengers have exceeded what was needed by common carrier for commercial purposes. Until after September 11, 2001, walk-up customers could buy tickets for cash, for themselves or anyone else, at airline or Amtrak or Greyhound ticket counters, without providing any information at all except an (unverified) name.  No address, phone number, or other identifying or contact information was required.

The government has demanded not just access to existing travel industry databases, but the logging of additional details about travelers that were never previously required. The travel industry worldwide has had to spend billions of dollars modifying every layer and component of their IT systems, and of all the systems that interact with them, to collect and store this additional information and deliver it to the government in standardized government-dictated formats.

Even names of travelers weren’t required for reservations, tickets, or travel.  Space could be reserved for a group of travelers with only a group identifier or lead contact. Sometimes dummy or placeholder names would be entered for group members, but they could be and often were omitted.

The latest file we’ve received from Amtrak is a PDF of images of printouts or views of email messages (we haven’t received the raw “message source” files we requested, and will eventually be appealing Amtrak’s failure to release them) within Amtrak and between Amtrak, the big four CRS/GDS companies (Sabre, Amadeus, Worldspan, and Galileo/Apollo — then owned by Cendant) and possibly their contractors or other “partners” (names redacted).

These messages date from 2006, when Amtrak “voluntarily” decided to start sending data about all passengers on cross-border Amtrak trains and buses between the USA and Canada to the DHS Advance Passenger Information System (APIS).  In order to populate the API data fields, Amtrak decided to make “Passenger ID” (PID) a required field in all Amtrak reservations.  That took some work in itself, but it also caused a cascade of new problems for reservations without names, especially those for as-yet-unknown members of groups:

Read More

Feb 23 2016

US border guards have root access to all Amtrak domestic reservations

The latest installment in Amtrak’s response to one of our FOIA requests confirms our suspicion that Amtrak has given US Customs and Border Protection (CBP) access to all Amtrak reservations including those for purely domestic passengers and trains — but in an additional and harder-to-track manner than we had previously been aware of.

In October 2014, we asked Amtrak for its records related to data-sharing and other collaboration with the Department of Homeland Security (DHS) and other US and foreign law enforcement agencies. Amtrak is still in the process of searching for and censoring responsive records, more than a year after the legal deadline for its full response. In the mean time, however, Amtrak has been providing intermittent “interim” responses, which we’ve been analyzing and reporting on as we receive them. Because Amtrak is a Federal government entity subject to FOIA, unlike commercial airlines or bus lines, we’ve been able; to find out much more about Amtrak collaboration with DHS and other law enforcement agencies than about the parallel practices of private transportation carriers.

We’ve learned that Amtrak’s own police — who are commissioned by individual states, but have unusual multi-state jurisdiction — have root access to Amtrak’s “ARROW” computerized reservation system, and even a special “Police GUI” (graphical user interface) to mine passenger reservations for police purposes.

We’ve also learned about Amtrak’s transmission to DHS of information about all passengers on Amtrak trains that cross the US-Canada border.

What we didn’t know, until the latest interim release of Amtrak documents this month, was whether DHS or any other Federal police agency also has access to complete reservation details for the much larger number of passengers on domestic Amtrak trains within the US.

Now we know: Agents of US Customs and Border Protection (CBP) have the same access to all Amtrak reservations as Amtrak onboard train conductors, in such a way that their access evades ever being logged or associated with CBP, but appears to Arrow and Amtrak as though it was carried out by Amtrak staff.

It works like this:

Read More

Sep 23 2015

Does CBP have access to domestic Amtrak reservations?

Documents released to us by Amtrak suggest that since 2012, US Customs and Border Protection (CBP) has had direct access to Amtrak’s reservation system, possibly including access to reservations for Amtrak passengers traveling entirely within the USA.

What do these documents show? And why would an immigration and border patrol agency want access to records of travel by US citizens and other residents within the borders of the US?

Read More

Jun 21 2015

More on Amtrak passenger data requirements

Amtrak has released a third batch of records (1st interim response, 2nd interim response) in response to our Freedom of Information Act (FOIA) request for information about Amtrak’s collection and “sharing” with the US and Canadian governments of information about Amtrak travelers on international routes between the US and Canada:

  1. Amtrak-FOIA-29OCT2014-signed.pdf (note that this file is actually in .doc format, and is not a copy of our request, as the filename might imply, but a collection of responsive records)
  2. date of birthAM.doc
  3. Function summary.doc
  4. IDPFOIARequest.pdf (another collection of responsive records, beginning with a list of all of Amtrak’s cross-border routes including both trains and Amtrak feeder buses)
  5. Regression User testing 9222305 (4).doc
  6. TheIdentityProject_InterimResponse3.pdf (cover letter from Amtrak’s FOIA office accompanying the interim response)
  7. wspBORDER.doc

The files with “.doc” filenames all appear to be from Amtrak’s IT department, and relate to the implementation by Amtrak of requirements for inclusion of passenger ID data desired by the US government in each Amtrak reservation for travel across the US-Canada border. As we have noted previously, this “requirement” was imposed internally and “voluntarily” by Amtrak, and was not a requirement of any law, regulation, or order from any other US or Canadian government agency.  It remains unclear from the records released to date whether anyone in Amtrak’s IT department was aware that this was solely an Amtrak requirement and not an externally imposed obligation.

According to these records, Amtrak began requiring a date of birth in the reservation, before a ticket could be issued, for each passenger on any international route, including infant passengers, beginning in November or December of 2000. (There are some inconsistencies in the dates in different records.)  Beginning in July or August 2005, Amtrak began also requiring a nationality and passport or other ID number in each such reservation, as part of Amtrak’s “voluntary” participation in the DHS “Advanced Passenger Information System” (APIS) also used by airlines.

These records include the formats used by Amtrak sales agents working directly in Amtrak’s own “ARROW” reservation system, as well as the formats used by travel agents making Amtrak reservations through each of the four major CRSs/GDSs: Amadeus, Galileo, Sabre, and Worldspan.  Amtrak’s software testing staff noted the complexity of these formats (which is indicative of how burdensome they are for the travel agents who have to learn and use them) and the likelihood of errors by travel agents. The Amtrak records include information provided to travel agents and travelers, describing these “requirements” but giving no clue that these requirements were voluntarily self-imposed by Amtrak itself.

The files linked above are posted here exactly as we received them by email from Amtrak’s FOIA office. The filenames are not indicative of the actual file contents, and some of the filename extensions don’t correspond to the file formats. One of the “.pdf” files, for example, is actually in MS-Word “.doc” format (also readable in Libre Office among other programs) rather than in PDF format.

We requested that all records found in digital form be released as bitwise copies of the files as found in Amtrak’s filesystems, but some of the files we received appear to be derivative, modified versions of copies of the original files, in some cases in completely different formats.

Most of the the records responsive to our request that we believe are likely to exist have not yet been released. Amtrak is continuing to process our request, and we expect further responses.

Apr 23 2015

Amtrak formats for passenger ID data dumps to governments

Eight pages of command-line formats for users of Amtrak’s ARROW computerized reservation system have been made public in the second of a series of interim responses to our Freedom of Information Act request for records of Amtrak’s collaboration with police and other government agencies in the US and Canada in “dataveillance” of Amtrak passengers.

The ARROW user documentation covers syntax and codes for entering ID information into Amtrak passenger name records (PNRs), generating reports (“passenger manifests”) by train number and date or other selection criteria, and transmitting these “manifests” or “API data” to the US Customs and Border Protection (CBP) “Advance Passenger Information System” (APIS).

Amtrak extracts “manifest” (API) data from PNRs, formats it according to CBP standards, and pushes it to CBP in batches using EDIFACT messages uploaded through the CBP Web-based online eAPIS submission portal.

Although Amtrak knows it isn’t actually required by law to do any of this, it “voluntarily” (and in violation of Canadian if not necessarily US law) follows the same procedures that CBP has mandated for airlines. The sample EDIFACT headers in the Amtrak documentation refer to Amtrak by its usual carrier code of “2V”.

Travel agents — at least the declining minority who use the command-line interface — will find nothing particularly surprising in these formats. ARROW formats for train reservations are generally comparable, although not identical, to the AIRIMP formats used for API data by the major computerized reservation systems (CRSs) or global distribution systems (GDSs) that host airline PNRs.

CRS/GDS companies and US airlines are private and not subject to FOIA, however, and CRS/GDS documentation is proprietary to the different systems and restricted to their users. There is no freely and publicly-available guide to commercial CRS/GDS data formats. Because Amtrak is a creature of the federal government subject to FOIA, we have been able to obtain more details of its internal procedures than we can for airlines or CRSs/GDSs

The ARROW user documentation shows — again, unsurprisingly — that the “data-mining” capabilities built into ARROW for retrieving and generating reports on selected PNR or manifest (API) entries are quite limited. This is why, despite having access to an ARROW “Police GUI” with additional data-mining functionality, CBP wants to import and retain mirror copies of API and PNR data in its own, more sophisticated TECS and Automated Targeting System databases and its new integrated data framework.

We’re continuing to await more releases from Amtrak of information about its policies for collaboration with law enforcement and other government agencies, and its apparent violation of Canadian privacy law.

Mar 20 2015

Amtrak lies about police use of passenger data

Passenger Name Record (PNR) view from Amtrak “Police GUI”. (Click image for larger version.)

The first “interim” release of documents responsive to our FOIA request for records of police and other government access to Amtrak reservation data show that Amtrak is not only giving police root access and a dedicated user interface to mine passenger data for general state and local law enforcement purposes, but also lying to passengers about this, misleading Amtrak’s own IT and planning staff about the legal basis for these actions, and violating Canadian if not necessarily US law.

Our FOIA request was prompted by Amtrak’s obviously incomplete response to an earlier FOIA request from the ACLU.  That response omitted any mention  of government access to Amtrak reservation data, even though we’ve seen records of Amtrak travel in DHS files about individual  citizens obtained in response to previous Privacy Act and FOIA requests. The documents we have just received were clearly responsive to the ACLU’s request, and should have been, but weren’t, included in Amtrak’s response to that request.

Amtrak is still working on our request, but has begun providing us with responsive records as it completes “processing” of them: search, retrieval, and redaction. (Amtrak is even further behind in responding to some other FOIA requests, such as this one for certain disciplinary records related to misconduct by Amtrak Police.)

The first “interim” release to us by Amtrak includes just a few documents: a 2004 letter from US Customs and Border Protection (CBP) to the Amtrak Police legal department, requesting “voluntary” provision by Amtrak to CBP of Advanced Passenger Information System (APIS) identification data about all passengers on international Amtrak trains, and a 2004-2005 project summary and scoping document for the work that would be required by Amtrak’s IT department to automate the collection, maintenance in Amtrak’s “ARROW” passenger reservation database, and delivery to CBP of this data.

Read More