Documents released to us by Amtrak suggest that since 2012, US Customs and Border Protection (CBP) has had direct access to Amtrak’s reservation system, possibly including access to reservations for Amtrak passengers traveling entirely within the USA.
What do these documents show? And why would an immigration and border patrol agency want access to records of travel by US citizens and other residents within the borders of the US?
Amtrak has released a third batch of records (1st interim response, 2nd interim response) in response to our Freedom of Information Act (FOIA) request for information about Amtrak’s collection and “sharing” with the US and Canadian governments of information about Amtrak travelers on international routes between the US and Canada:
The files with “.doc” filenames all appear to be from Amtrak’s IT department, and relate to the implementation by Amtrak of requirements for inclusion of passenger ID data desired by the US government in each Amtrak reservation for travel across the US-Canada border. As we have noted previously, this “requirement” was imposed internally and “voluntarily” by Amtrak, and was not a requirement of any law, regulation, or order from any other US or Canadian government agency. It remains unclear from the records released to date whether anyone in Amtrak’s IT department was aware that this was solely an Amtrak requirement and not an externally imposed obligation.
According to these records, Amtrak began requiring a date of birth in the reservation, before a ticket could be issued, for each passenger on any international route, including infant passengers, beginning in November or December of 2000. (There are some inconsistencies in the dates in different records.) Beginning in July or August 2005, Amtrak began also requiring a nationality and passport or other ID number in each such reservation, as part of Amtrak’s “voluntary” participation in the DHS “Advanced Passenger Information System” (APIS) also used by airlines.
These records include the formats used by Amtrak sales agents working directly in Amtrak’s own “ARROW” reservation system, as well as the formats used by travel agents making Amtrak reservations through each of the four major CRSs/GDSs: Amadeus, Galileo, Sabre, and Worldspan. Amtrak’s software testing staff noted the complexity of these formats (which is indicative of how burdensome they are for the travel agents who have to learn and use them) and the likelihood of errors by travel agents. The Amtrak records include information provided to travel agents and travelers, describing these “requirements” but giving no clue that these requirements were voluntarily self-imposed by Amtrak itself.
The files linked above are posted here exactly as we received them by email from Amtrak’s FOIA office. The filenames are not indicative of the actual file contents, and some of the filename extensions don’t correspond to the file formats. One of the “.pdf” files, for example, is actually in MS-Word “.doc” format (also readable in Libre Office among other programs) rather than in PDF format.
We requested that all records found in digital form be released as bitwise copies of the files as found in Amtrak’s filesystems, but some of the files we received appear to be derivative, modified versions of copies of the original files, in some cases in completely different formats.
Most of the the records responsive to our request that we believe are likely to exist have not yet been released. Amtrak is continuing to process our request, and we expect further responses.
Eight pages of command-line formats for users of Amtrak’s ARROW computerized reservation system have been made public in the second of a series of interim responses to our Freedom of Information Act request for records of Amtrak’s collaboration with police and other government agencies in the US and Canada in “dataveillance” of Amtrak passengers.
The ARROW user documentation covers syntax and codes for entering ID information into Amtrak passenger name records (PNRs), generating reports (“passenger manifests”) by train number and date or other selection criteria, and transmitting these “manifests” or “API data” to the US Customs and Border Protection (CBP) “Advance Passenger Information System” (APIS).
Amtrak extracts “manifest” (API) data from PNRs, formats it according to CBP standards, and pushes it to CBP in batches using EDIFACT messages uploaded through the CBP Web-based online eAPIS submission portal.
Although Amtrak knows it isn’t actually required by law to do any of this, it “voluntarily” (and in violation of Canadian if not necessarily US law) follows the same procedures that CBP has mandated for airlines. The sample EDIFACT headers in the Amtrak documentation refer to Amtrak by its usual carrier code of “2V”.
Travel agents — at least the declining minority who use the command-line interface — will find nothing particularly surprising in these formats. ARROW formats for train reservations are generally comparable, although not identical, to the AIRIMP formats used for API data by the major computerized reservation systems (CRSs) or global distribution systems (GDSs) that host airline PNRs.
CRS/GDS companies and US airlines are private and not subject to FOIA, however, and CRS/GDS documentation is proprietary to the different systems and restricted to their users. There is no freely and publicly-available guide to commercial CRS/GDS data formats. Because Amtrak is a creature of the federal government subject to FOIA, we have been able to obtain more details of its internal procedures than we can for airlines or CRSs/GDSs
The ARROW user documentation shows — again, unsurprisingly — that the “data-mining” capabilities built into ARROW for retrieving and generating reports on selected PNR or manifest (API) entries are quite limited. This is why, despite having access to an ARROW “Police GUI” with additional data-mining functionality, CBP wants to import and retain mirror copies of API and PNR data in its own, more sophisticated TECS and Automated Targeting System databases and its new integrated data framework.
We’re continuing to await more releases from Amtrak of information about its policies for collaboration with law enforcement and other government agencies, and its apparent violation of Canadian privacy law.
[Passenger Name Record (PNR) view from Amtrak “Police GUI”. Click image for larger version.]
The first “interim” release of documents responsive to our FOIA request for records of police and other government access to Amtrak reservation data show that Amtrak is not only giving police root access and a dedicated user interface to mine passenger data for general state and local law enforcement purposes, but also lying to passengers about this, misleading Amtrak’s own IT and planning staff about the legal basis for these actions, and violating Canadian if not necessarily US law.
Our FOIA request was prompted by Amtrak’s obviously incomplete response to an earlier FOIA request from the ACLU. That response omitted any mention of government access to Amtrak reservation data, even though we’ve seen records of Amtrak travel in DHS files about individual citizens obtained in response to previous Privacy Act and FOIA requests. The documents we have just received were clearly responsive to the ACLU’s request, and should have been, but weren’t, included in Amtrak’s response to that request.
Amtrak is still working on our request, but has begun providing us with responsive records as it completes “processing” of them: search, retrieval, and redaction. (Amtrak is even further behind in responding to some other FOIA requests, such as this one for certain disciplinary records related to misconduct by Amtrak Police.)
The first “interim” release to us by Amtrak includes just a few documents: a 2004 letter from US Customs and Border Protection (CBP) to the Amtrak Police legal department, requesting “voluntary” provision by Amtrak to CBP of Advanced Passenger Information System (APIS) identification data about all passengers on international Amtrak trains, and a 2004-2005 project summary and scoping document for the work that would be required by Amtrak’s IT department to automate the collection, maintenance in Amtrak’s “ARROW” passenger reservation database, and delivery to CBP of this data.
[Excerpt from DHS “TECS” travel history log showing API data extracted from the reservation for a passenger on Amtrak (carrier code 2V) train 69 from Penn Station, New York (NYP) to Montreal (MTR). “QYRSLT” redacted by DHS (at left on second line from bottom) is result of pre-crime risk score query to DHS profiling system. Click on image for larger version.]
Amtrak has admitted to profiling its passengers, while improperly withholding any mention of its transmission of railroad passenger reservation data to DHS for use in profiling and other activities.
In response to a Freedom Of Information Act (FOIA) request from the ACLU, Amtrak has disclosed profiling criteria that Amtrak staff are instructed to use as the basis for reporting “suspicious” passengers to law enforcement agencies. As the ACLU points out in an excellent analysis in its “Blog of Rights”, pretty much everyone fits, or can be deemed to fit, this profile of conduct defined as “indicative of criminal activity”.
It’s suspicious if you are unusually nervous — or if you are unusually calm. It’s suspicious if you are positioned ahead of other passengers disembarking from a train — or if you are positioned behind them.
Normal, legal activities are defined as suspicious: paying for tickets in cash (Amtrak and Greyhound are the common carriers of last resort for the lawfully undocumented and unbanked), carrying little or no luggage (how many business day-trippers on the Acela Express are carrying lots of luggage?), purchasing tickets at the last minute (also the norm for short-haul business travelers), looking around while making telephone calls (wisely keeping an eye out for pickpockets and snatch thieves, as Amtrak police and notices in stations advise passengers to do), and so forth.
“Suspicion” based on this everyone-encompassing profile is used to justify interrogations and searches of Amtrak passengers, primarily for drugs but also for general law-enforcement fishing expeditions. Suspicion-generation is a profit center for Amtrak and its police partners: The documents obtained by the ACLU from Amtrak include agreements with state and local police for “equitable sharing of forfeited assets” seized from passengers or other individuals as a result of such searches.
The ACLU requested, “procedures, practices, agreements, and memoranda governing the sharing of passenger data with entities other than Amtrak, including but not limited to… other… federal… law enforcement agencies;” and, “Policies, procedures, practices, agreements, and memoranda regarding whether and how passenger data is shared with any law enforcement agency.”
But Amtrak’s response included no records whatsoever concerning the provision of passenger data obtained from Amtrak reservations to DHS or any other government agency.
We know that DHS obtains information from Amtrak about all passengers on all international Amtrak trains. DHS has disclosed this in public reports, and we have confirmed it from DHS responses to FOIA and Privacy Act requests. The example at the top of this article is of a DHS “TECS” travel history log showing Advance Passenger Information (API) data extracted from a record in Amtrak’s ARROW computerized reservation system for a passenger traveling on Amtrak (carrier code 2V) train number 69 in the outbound direction from the US (“O”) from Penn Station, New York (station code NYP) to Montreal (MTR). The entry in the “QYRSLT” column redacted by DHS is the result for this passenger and trip of the pre-crime risk score query to the DHS profiling system.
We’re quoted on the front page of today’s New York Times in a story by Susan Stellin, “Security Check Now Starts Long Before You Fly”:
The Transportation Security Administration is expanding its screening of passengers before they arrive at the airport by searching a wide array of government and private databases that can include records like car registrations and employment information….
“I think the best way to look at it is as a pre-crime assessment every time you fly,” said Edward Hasbrouck, a consultant to the Identity Project, one of the groups that oppose the prescreening initiatives. “The default will be the highest, most intrusive level of search, and anything less will be conditioned on providing some additional information in some fashion.”
More:
The TSA refused to say anything to the Times on the record, but published a blog post today (with the misleading title “Expediting Screening for the Traveling Public”) responding to the Times’ story with a succession of lies and prevarications.
We call “bullshit” on the TSA:
[TSA Pre-Crime graphic from Leaksource]
In the latest step in the implementation of the REAL-ID Act and the establishment of a de facto national ID card and database, the Department of Homeland Security has requested OMB approval for the collection of additional information from states and individuals.
The public response to the DHS request, particularly these comments submitted by the Electronic Privacy Information Center (EPIC), highlight the important unanswered questions about how REAL-ID Act implementation will affect the right to travel:
EPIC’s comments focus on the widely-publicized recent case of Lewis Brown, a former high school and college basketball star who died on a street in Southern California homeless, earlier this month:
EPIC writes today to draw the agency’s attention to the death of Lewis Brown, a former college basketball prodigy, who died on the streets of Los Angeles because he could not scrape together the money to obtain a state-issued identity document…. According to the New York Times, Brown, a basketball legend at the University of Nevada at Las Vegas, planned to fly to visit his family in New York and could not. Homeless and destitute, living on the sidewalks of Hollywood, Brown had developed cancer and planned to go to the hospital. Brown’s mother learned about his condition and stated that she wanted to see him “before he died.” Brown’s sister, Anita, told him to visit New York. Brown told confidants that he lacked funds to qualify for a California identification card, and was taking donations and borrowing money.
Earlier this month Sen. Chuck Schumer (D-NY) proposed that the TSA’s “Secure Flight” system be extended to passengers on domestic Amtrak trains. That would mean that Amtrak would be required to send passenger information to the government, and receive a “cleared” message for each passenger before allowing them to board a train.
Summary denial of transport by a common carrier, much less a government-operated carrier like Amtrak, would violate both the First Amendment right to assemble and the right to freedom of movement guaranteed by Article 12 of the International Covenant on Civil and Political Rights.
But extending “Secure Flight” to train travelers would be a stupid idea even if it were legal. Rail sabotage has often been a tactic of war, but it has rarely been carried out by passengers. Sabotage can be carried out anywhere along the tracks, or anywhere saboteurs can get access to rolling stock, including freight cars.
Even the Chicago Tribune, the conservative and usually hawkish newspaper-of-record of Amtrak’s main hub and the hub of America’s freight rail system, immediately responded to Schumer’s proposal with an editorial characterizing it as “security theater for Amtrak.”
Most press reports incorrectly characterized Schumer’s proposal as calling for the “creation” of a no-ride list for Amtrak trains. That’s indicative of how little awareness there is of the scope of existing systems of ID-based prior restraint on common carrier travel, including international Amtrak trains.
Under the “Advance Passenger Information System” (APIS) used for international flights, passenger trains, and cruise ships, Amtrak already requires passengers on its international trains to and from Canada to provide personal information (beyond anything needed by Amtrak for operational purposes), and passes that information on to U.S. Customs and Border Protection (CBP) for inclusion in the Automated Targeting System (ATS) which is used to decide whether or not to give each passenger government permission to travel. Read More
On December 21, 2008, Amtrak police arrested a photographer taking pictures on a public platform at Penn Station in New York … in response to an Amtrak photo contest calling for the public to submit photos of Amtrak trains.
We had heard about this story before, but now the Colbert Report has the story including an interview with the photographer, Duane Kerzic, and a reenactment of the incident, in the form of a great parody of the new Homeland Security USA “reality” show. Kerzic’s own Web site includes his own description of what happened and actual photos before and after his arrest (including his injuries from the police).
Full episodes of the “real” Homeland Security USA are available in a peculiar streaming video format on the ABC television Web site. (The player will only work if it thinks you are running Windows XP or Vista, but you can get it to work in Linux by using Firefox for Windows in the Wine environment.)
Episodes of the show broadcast to date, and available online, include such incidents as the warrantlesss “dump” of the data in a cell phone carried by a person trying to enter the U.S. from Canada, and their (and their companions’) being refused entry to the US based on a phone number in the cell phone believed to match a number associated with an entry for a different person on the no-fly list. All without any hearing or involvement by a judge, of course, and without their being told anything about the data in the no-fly list entry used as the basis for refusing to allow them into the U.S.
