Our reply brief and a supporting declaration were filed yesterday in Hasbrouck v. CBP, our Privacy Act and Freedom of Information Act (FOIA) lawsuit seeking records from and about the DHS “Automated Targeting System” of individualized government dossiers about each of the the millions of international travelers to and from the USA, including US citizens.

ATS includes complete copies of airline reservations (“Passenger Name Records” or PNRs), as well as a “risk assessment” for each would-be traveler that is used to decide whether or not to give the airline permission to transport them into, out of, or through the airspace of the USA. As Mr. Hasbrouck’s supplementary declaration supporting our latest reply brief explains:

Tens of thousands of travel agencies, airline offices, and offices of other travel companies around the world, and a million or more individual employees and contractors of these companies, have access through CRSs [Computerized Reservation Systems] or otherwise to PNR databases and the ability to enter data in PNRs. PNRs thus can, and do, contain an unlimited quantity and variety of data originating with numerous third parties around the world, some of it in the form of unstructured free text. CBP requires that, in all cases where a PNR contains a flight between a point in the U.S. and a foreign point, or overflying U.S. airspace, the entirety of the PNR — including the free-text general remarks and whatever other data has been entered by anyone with access to the PNR — must be made available to CBP for import into ATS.

PNRs can contain information about aspects of a journey other than air transportation, such as hotel reservations and other travel services, even in what are considered in travel industry jargon to be “air-only” PNRs. Information about these other travel services can be included in the “OSI” (Other System Information), and “SSR” (Special Service Request) elements of the PNR. For example, in reviewing records from ATS released to another requester by CBP, I have seen a PNR for two people, for whom the airline had reserved a hotel for an involuntary overnight layover, which included an SSR entry with a code showing whether a room with one bed or two had been requested for those two travelers. This is a normal and expected example of standard travel industry practices.

The SORNs [System Of Records Notices, required by the Privacy Act] for ATS specifically mention OSI, SSR, and “General Remarks” 10 among the “Categories of Information in the [ATS] System” and among the types of data derived from PNRs and included in ATS. “OSI” entries can be used by travel agency or airline staff with access to PNRs to enter, and to send to airlines, arbitrary free-text messages. “Remarks” in PNRs are intended to be used for an unlimited range of free-text data entry. This information can — and in some cases does — include remarks about the personal foibles of the traveler (to assist other travel agency or airline staff in dealing with the traveler), and/or derogatory descriptions of interactions with customer service staff. Travelers do not normally see the PNRs that contain information pertaining to them, and do not know or control what information has been entered about them.

Our reply brief also notes that:

Acknowledging the sensitivity of the data in PNRs, Canadian and European Union laws require that private entities that control or host PNRs allow individuals to inspect their own PNRs and obtain information about how they are used. However, U.S. law contains no such requirement.

The focus of our latest arguments is on the government’s claim that — after receiving Mr. Hasbrouck’s Privacy Act request and his appeal of the government’s failure to respond — CBP had the right to issue new regulations retroactively exempting itself from any obligation to respond to the pending request or appeal, to provide Mr. Hasbrouck any of the ATS or other records about him and his travels, to provide him with any accounting of the disclosures of those records to third parties, or to correct inaccurate records or expunge irrelevant ones. As our brief notes:

The retroactive application of the ATS and BCIS exemptions is especially egregious in this case where the processing of Hasbrouck’s Privacy Act requests was completed by CBP’s Office of Intelligence and Operation Coordination on April 2, 2009, but was then sat on for 17 months until after the exemption rules were finalized.

We also contest CBP’s failure to search for Mr. Hasbrouck’s records, in response to his request, in the same way they would if they were searching for records about him as a suspected terrorist. And we contest their refusal to disclose even the records about Mr. Hasbrouck that they admit to having found.

The next step in the case will be oral arguments on the cross-motions for summary judgment on Thursday, August 25, September 15, 2011, 1:30 p.m., before Judge Richard Seeborg (Courtroom 3, 17th Floor), U.S. District Court for the Northern District of California, Phillip Burton Federal Building and U.S. Courthouse, 450 Golden Gate Ave. (between Polk and Larkin, near Civic Center), San Francisco, CA. [Note revised hearing date of September 15th.]

It’s unlikely that any decision will be announced on the spot at the oral argument. Judge Seeborg will most likely take the written submissions and oral arguments under advisement, and issue an initial decision on the motions for summary judgment some weeks or months later. (There is no mandatory deadline for most Federal judicial decisions.)

The public is welcome to attend the oral argument, although the guards at the entrance to the courthouse require visitors to show government-issued ID. See the specific rules for electronic devices in the courthouse and additional rules and information for journalists.

Our main briefs were filed last Friday in the Privacy Act and Freedom of Information Act (FOIA) case of Hasbrouck v. CBP.

In this case, we are seeking to compel U.S. Customs and Border Protection (one of the components of the DHS) to disclose:

1. The CBP/DHS “travel history” dossier  about Mr. Hasbrouck, compiled from airline reservations (PNRs) and other commercial and government data and contained in the (illegal) CBP “Automated Targeting System” (ATS), including “risk assessments” of Mr. Hasbrouck and the rules used to determine those risk assessments;
2. An “accounting of disclosures”, as required by the Privacy Act, showing which other government agencies or other third parties have been given access to which of this data, and when; and
3. General information about how ATS data is indexed and retrieved.

Our main argument for summary judgment in our favor (and in opposition to CBP’s cross-motion) is contained in our proposed order, supporting brief, and Mr. Hasbrouck’s supporting declaration. Additional supporting declarations and exhibits are linked here.  Following reply briefs to be filed next month by each side, oral argument is scheduled for August 25th in Federal District Court in San Francisco.

A leaked copy of the latest draft of a proposed “Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Record [PNR] data to the United States Department of Homeland Security” has been published by the civil liberties watchdog and investigative reporting group Statewatch.

The leaked draft “agreement” fails to satisfy the criteria set by the European Parliament for its ratification of such an agreement, including that any PNR agreement should:

1. Take the form of a duly ratified international treaty binding on all parties. (The draft “agreement” is not a treaty, and would not be binding on the U.S., as discussed in more detail below.)
2. Recognize and respect fundamental rights including the freedom of movement guaranteed by Article 12 of the International Covenant on Civil and Political Rights. (The draft “agreement” does not mention freedom of movement, the ICCPR, or any fundamental rights other than those related to privacy and data protection.)
3. Require that the use of PNR data for law-enforcement and security purposes must be in line with European data protection standards. (There is no mention of these standards in the draft “agreement”.)
4. Prohibit the use of PNR data for data mining or profiling. (There is no mention of data mining or profiling in the draft “agreement”.  The draft claims that the U.S. will not make decisions that produce significant adverse actions affecting the legal interests of individuals based solely on automated processing of PNR. But all other data mining and profiling is permitted, as long as there is the slightest element of non-automated human rubber-stamping before adverse actions are taken against an individual.)
5. Take into consideration “PNR data which may be available from sources not covered by international agreements, such as computer reservation systems located outside the EU.” (There is no mention in the draft “agreement” of computerized reservation systems, indirect transfers of PNR data, or any of the other means by which, as we have testified to members of the European Parliament, the DHS and other U.S. government agencies could bypass the “agreement”.)
6. Provide for independent review and judicial oversight. (The only review provided for under the draft “agreement” is self-review by the DHS Privacy Office, which is directly controlled by the DHS itself, has no independence, and is the subject of an ongoing scandal and attempted cover-up involving political interference with requests — including ours — for DHS records. The only judicial oversight contemplated in the draft “agreement” is limited to violations of laws that contain no protections for privacy or other substantive fundamental rights.)

The proposed “agreement” has been negotiated in secret between the European Commission (on behalf of the EU) and an interagency Executive Branch working group led by the DHS (on behalf of the USA).

Just as the U.S. Constitution requires that any international treaty negotiated and signed by the President must be ratified by the Senate before it becomes effective, international agreements negotiated by the European Commission and approved by the Council of the European Union must be ratified by the European Parliament.

Some people and groups who ought to know better, including lobbyist and former DHS Assistant Secretary for Policy Stewart Baker — the principal architect of an earlier US-EU “agreement” on PNR data — and the Heritage Foundation, have suggested that for the European Parliament not to ratify whatever the Commission and Council propose would be to “renege” on their agreement with the US. That’s nonsense, obviously. The European Parliament has no more obligation to ratify treaties proposed by the European executive than the U.S. Senate is obligated to ratify every treaty proposed by the President.

(Writing in the Heritage Foundation blog, Baker’s former assistant Paul Rosenzweig also repeats the bogus claim that the Chicago Convention treaty provisions for flights arriving at U.S. airports somehow give the U.S. extra-territorial jurisdiction over foreign citizens boarding foreign-flag aircraft at foreign airports. This clearly false claim by Baker and Rozenzweig was first made by their then boss, Secretary of Homeland Security Chertoff, in a speech to the European Parliament in 2007, and we debunked it in detail at that time. The proposed agreement goes far beyond the explicitly detailed and narrow specifications in the Chicago Convention for what data elements are required to be provided to governments, how, when, and where. )

Both the European Parliament and the U.S. Senate have approved resolutions intended to provide guidance to their respective negotiators as to what sort of agreement they would or would not ratify. Neither legislative body is any more or less out of line in doing so.

The draft “agreement” does not appear to be intended to constitute a treaty, and would not be binding on the U.S., so it would not need to be presented to the U.S. Senate for ratification. The recent Senate resolution, however, makes clear that even if the “agreement” were presented to the Senate, the Senate is unwilling to make any concessions to privacy or human rights, or to enact any new or expanded protections for privacy or for any of the other fundamental rights at stake.

The European Parliament resolution is less intransigent. While it starts from the explicit (and proper) premise that fundamental rights must be respected, and provides details of how that might be done, it still leaves open the possibility of compromise with the U.S. and of modifying existing EU data protection rules.

The key problem is that as long as both the DHS and the U.S. Senate (with, so far as we can tell, the full backing of the Obama Administration, and the concurrence of the U.S. House of Representatives) are completely unwilling to compromise or to provide travelers with any additional rights, any “agreement” will inevitably result only in more infringement of those rights.

No good can come of any such “agreement”. It would serve only to give airlines, Computerized Reservation Systems (CRSs), and other travel companies impunity from EU legal sanctions for ongoing transfers of PNR data to the U.S. that are currently in violation of EU data protection laws, and to remove EU authorities’ current responsibility, which they have been improperly shirking, to enforce those laws against travel companies.

If it is presented to the European Parliament in its present form, the draft “agreement” should be debated, and rejected, not as a “data protection” agreement but as a grant of immunity from EU data protection law to travel companies that are currently making their reservations (PNR) databases accessible to the U.S. government, and the EU authorities who have deliberately refrained from enforcing EU data protection laws against those companies.

The draft “agreement” would not be binding on the U.S., according to the U.S. Constitution, because it would not be a treaty and would not be presented to the U.S. Senate for ratification.  (That’s why we use the term “agreement” in quotation marks.)  By its own explicit terms, the draft “agreement” would not create any enforceable individual rights.  The “agreement” does not purport to contain any enforcement mechanisms or sanctions for breach of the agreement.

But if the “agreement” would not be a binding treaty, and would not provide any enforceable individual rights, what is it? What, if anything, would it accomplish? What purpose, and whose interests, would it serve? Read More →