Aug 21 2012

San Antonio public schools plan to make students wear radio tracking beacons

Unless the school board changes its mind, public school students at Jay High School and Jones Middle School in San Antonio, Texas, will be required to wear ID badges containing RFID chips (radio tracking beacons broadcasting unique ID numbers) when they come back to school next week.

Each of these schools has installed an array of “100 or more” RFID readers so that students’ movements can be tracked whenever and wherever they are on school premises. [Update: Interviewed on the Katherine Albrecht radio show, the president of the company supplying the equipment says that the chips have a read range of 70 feet, and that there are readers at least every 100 feet in the schools as well as in school buses.] To make sure students actually carry their RFID badges, they’ll have to use them for all purchases of school lunches as well as for mandatory attendance checks.

This will be one of the first times that anyone in the U.S. who isn’t a prisoner or a government employee or contractor has been compelled by any government agency to carry an RFID chip.

Tonight the elected Board of Trustees of San Antonio’s Northside Independent School District is hearing from students, parents, and other community members opposed to the RFID tracking scheme.

At the same time, a coalition of privacy and civil liberties organizations and experts including the Identity Project has issued a Position Paper on the Use of RFID in Schools calling for a moratorium on the use of the RFID chips for tracking of people. The position paper thus reiterates a point made by many of the same signatories in a 2003 Position Statement on the Use of RFID on Consumer Products. “RFID must not be used to track individuals absent informed and written consent of the data subject,” according to the 2003 statement.

Compulsory tracking by a government agency (a public school district) of the movements of individuals who cannot opt out or withdraw consent, and who are required to be in the school building where RFID readers have been deployed, is a worst-case scenario of how RFID technology shouldn’t be used.

Aug 04 2012

Will the TSA ever follow any rules?

The TSA is a lawless agency, and its checkpoints are a domestic counterpart of Guantanamo:

A formal rulemaking wouldn’t prevent the TSA from adopting unconstitutional rules. But it would provide an opportunity for public review of proposed checkpoint rules or procedures, public submission of comments on them (such as, “These are unconstitutional and violate our human rights”), public knowledge of what rules have been adopted, and a (relatively) straightforward procedural pathway for judicial review of those rules. This last, presumably, is why the TSA has avoided the formal rulemaking process, instead either issuing secret administrative “directives” to airlines and checkpoint staff, or standardless ad hoc administrative orders for which no basis at all is disclosed.

Three years ago, we were among the signers of a petition to the TSA requesting that it conduct a formal rulemaking concerning its deployment of “virtual strip-search” machines as a primary “screening” mechanism, and its requirement that travelers submit either to these “whole-body” scanners or to even more intrusive whole-body groping by checkpoint staff.

Two years ago, after that petition was ignored, EPIC filed suit to compel the TSA to conduct such a formal rulemaking concerning the “naked scanners”. (That’s separate, of course, from the logical protest response of getting naked ourselves to show the checkpoint staff that we pose no threat.)

A year ago, the Court of Appeals for the D.C. Circuit upheld EPIC’s complaint, ruling that the TSA must “act promptly” to conduct such a formal rulemaking:

[T]he TSA has advanced no justification for having failed to conduct a notice-and-comment rulemaking. We therefore remand this matter to the agency for further proceedings. Because vacating the present rule would severely disrupt an essential security operation, however, … we shall not vacate the rule, but we do nonetheless expect the agency to act promptly on remand to cure the defect in its promulgation.

For more than a year since then, the TSA has done nothing to even begin the rulemaking process.

Our friend Jim Harper at the Cato Institute has started a petition asking President Obama to order his executive-branch underlings at the TSA to obey the court’s order and start the rulemaking. If it gets 25,000 signatures by August 8th (it currently has 18,000 and counting), White House policy is to provide a public “reply” to the petitioners.

We’re not too optimistic as to what that reply will be, judging from the response from the TSA on behalf of the White House to last year’s petition by more than 30,000 people calling for the TSA to be entirely abolished, not just subjected, at least in part, to the rule of law.

EPIC has supported the petition campaign, but has also continued to litigate: Last month EPIC asked the Court of Appeals to set a date certain by which the TSA’s “whole-body imaging” program would be “vacated” by the Court if the TSA hasn’t begun a formal rulemaking for it. On Wednesday of this week, the Court ordered the TSA to respond to EPIC’s latest motion by the end of August.

Slowly, slowly, with the government resisting at every step, we crawl toward subjecting the homeland-security state and its attacks on our rights to the rule of law.

Aug 02 2012

Police pay $200K to settle lawsuit for illegal roadblock

On December 20, 2002, Terry Bressi was arrested at a roadblock in Arizona being operated by a joint task force including tribal police and agents of the US Department of Homeland Security.

After all of the trumped-up charges brought against Mr. Bressi were dismissed, he sued the tribal police department, the DHS, and the individuals who were responsible for establishing and operating the illegal roadblock for violating his civil rights.

Almost ten years of litigation later, the tribal police defendants have now paid Mr. Bressi $210,000 to reimburse his legal expenses (including some of those related to the work of attorneys associated with the Identity Project and our parent organization, the First Amendment Project) and settle his claims against the police.

The police tried to justify the roadblock as having been solely a sobriety checkpoint, but the police on the scene admitted to Mr. Bressi that they had no reason to doubt his sobriety or suspect him of any other violation of law. He wasn’t an Indian subject to tribal law, and the roadblock was on a state highway and public right-of-way through the reservation.

In reality, as evidence revealed in the course of Mr. Bressi’s lawsuit made clear, the “sobriety check” by tribal police was merely the pretext being used to try to justify the suspicionless search and seizure of innocent travelers, for general Federal law enforcement purposes.

This settlement is far from sufficient to fully compensate Mr. Bressi for the damages he suffered and the years of work he invested in the pursuit of justice for himself and others similarly denied their right to move freely within the U.S., including on public rights-of-way.

The settlement is, however, an important reminder that even police and others acting with and at the behest of the DHS can be held personally liable for their role in violations of travelers’ rights.

We hope that other police officers and civilian DHS collaborators (such as airport checkpoint staff and contractors) will get the message, and start to question illegal orders from the DHS and other Federal agents.

We congratulate Mr. Bressi on obtaining this settlement, and commend him for his diligence in pursuing his case for the last decade.

Jul 18 2012

John Brennan, “Naked American Hero”, found not guilty

John Brennan, who took off all his clothes while being detained by the TSA at the Portland [OR] International Airport (PDX) in protest of his continued detention and the TSA’s excessively intrusive “screening”, was found not guilty today of indecent exposure at the conclusion of a bench trial (during which Mr. Brennan testified, clothed, in his own defense) in Multnomah County Court. According to an Associated Press report on the trial:

A Multnomah County prosecutor said if Brennan’s actions are considered protected by the First Amendment, then anyone who is arrested while nude can also claim that their actions are a protest.

That leaves Mr. Brennan out of pocket for the legal expenses of defending his innocence. The “not guilty” verdict in the criminal case brought against Mr. Brennan leaves open the possibility, as already threatened by the TSA, of a civil action to fine Mr. Brennan for “interfering” with TSA screeners in the performance of their duties. On the other hand, the “not guilty” verdict also leaves open the possibility of a civil suit by Mr. Brennan against the checkpoint staff and police who violated his rights.

Jul 16 2012

Hasbrouck v. CBP dismissed. What have we learned?

We have stipulated to the dismissal of the remaining claims in Hasbrouck v. U.S. Customs and Border Protection, the Federal lawsuit in which the Identity Project had sought records of U.S. government surveillance and “targeting” of international travelers through the CBP “Automated Targeting System” (ATS).

The dismissal follows a ruling by U.S. District Court Judge Richard Seeborg in January of this year, dismissing some of our claims but ordering CBP to provide additional information about ATS records and to conduct additional searches to find more of the records we had requested or determine if they exist. (See our earlier analysis of the substance and significance of Judge Seeborg’s decision.)

Since January, as directed by Judge Seeborg, we have engaged in extensive negotiations with the government’s lawyers from CBP and the office of the local U.S. Attorney in San Francisco.

As a result of Judge Seeborg’s order:

  1. CBP provided us, in redacted form as shown on this supplemental Vaughn index, with several additional redacted documents which it had previously claimed didn’t exist or couldn’t be found, or which they had failed to search for despite our request for and entitlement to those records. These newly disclosed records include additional records related to Mr. Hasbrouck’s travels, in which his name was misspelled. The most recently-released of these are from 1997, and others released to Mr. Hasbrouck earlier in the case go back to 1992, long before any public disclosure of the existence of ATS. CBP had claimed that it was unlikely that a name in a Passenger Name Record (PNR) could be misspelled, but these new disclosures show that it can happen, that CBP is capable of “wildcard” searches for variant spellings, and that such a search is necessary for it to be reasonably likely to identify all records responsive to a request for PNR or other ATS data pertaining to an individual. All of these new records also cast doubt on CBP’s claims as to the completeness of its past responses. Prior CBP responses to requests for such records were likely incomplete, and should be renewed with a specific request to include possible misspellings in the search.
  2. After previously claiming that there were no records of the processing of Mr. Hasbrouck’s original Privacy Act requests and appeals, CBP provided us with “correspondence tracking sheets” showing that these Privacy Act requests (1) were logged and tracked solely as FOIA requests, not Privacy Act requests, (2) were logged as “closed” even while appeals were pending, and (3) do not mention some of the appeals, even when those appeals were received and signed for by CBP. Assuming that CBP is telling the truth, and these are the only records of Mr. Hasbrouck’s requests and appeals, they show that no record is kept of Privacy Act requests and that records of FOIA requests and appeals are incomplete and inaccurate. As a result, CBP’s records and reports cannot be relied on as accurate statements of how many such requests have been received; whether they have been granted, denied, or ignored; how long it has taken to process them; how many of them remain pending and unanswered; whether they have been appealed; or what, if any, action has been taken on those appeals.
  3. CBP provided two additional declarations purporting to explain why no other records responsive to our requests exist or could be found.  In part, these declarations are simply not credible, and would appear to be false and probably perjured. For example, CBP’s Shari Suzuki claims that it is impossible for CBP to search for PNR or other ATS data associated with a particular phone number without also supplying a name as part of the query. Although the software specifications and user guides were withheld from us pursuant to Judge Seeborg’s ruling that they are exempt  from disclosure, it’s unlikely that CBP would be using software that doesn’t permit that sort of query. And Assistant Secretary of Homeland Security testified to Congress on October 5, 2011, about exactly this sort of search: “Early in this investigation, the Federal Bureau of Investigation (FBI) learned of Shahzad’s cell phone number, but had little additional information…. [T]he FBI asked DHS if it had encountered any individual who reported this phone number during border crossings. DHS searched its PNR database for the phone number, identified Shahzad, and learned other information he had provided to DHS.”  We are confident that, if CBP were searching for records as part of an investigation rather than in response to a FOIA request, it could have, and would have, searched for all records containing phone numbers associated with Mr. Hasbrouck, regardless of whether his name appeared in those PNRs. Unfortunately, the extreme “deference” given by the Federal courts to the credibility of agency declarations in FOIA cases, and our lack of access to the software specifications, makes it almost impossible to challenge even such obviously incredible claims about why the records we have requested can’t be found. But let’s be clear: CBP lied about its data mining capabilities rather than actually search for records linking Mr. Hasbrouck to other individuals through phone numbers or other identifiers. 
     What were they trying to hide? Presumably, they were trying to avoid calling attention to the primary function of ATS as a suspicion-generating and guilt-by-association system, designed and used primarily for “social network analysis”.
  4. After first claiming that it processed Mr. Hasbrouck’s requests and appeals only under FOIA and not the Privacy Act, CBP now claims that these requests were made only under the Privacy Act and not FOIA, on the basis of false declarations about what Mr. Hasbrouck said in telephone calls inquiring about the status of his requests and appeals. In light of the “deference” given to the agency declarations in which these false claims are made, it will be easier to make new requests under FOIA for this information than to try to disprove the false claims in the declarations that Mr. Hasbrouck had agreed to abandon or withdraw his FOIA requests. But here again, CBP officials were willing to lie in sworn declarations made to Federal courts, in order to avoid or delay judicial review of their withholding of information.
  5. During our negotiations, CBP promulgated a new System Of Records Notice (SORN) for ATS, a Notice of Proposed Rulemaking (NPRM) to exempt even more ATS records from the Privacy Act, and an updated and expanded Privacy Impact Assessment for ATS. CBP would no doubt say that some of these documents provide “additional transparency” about ATS. But any transparency is offset, of course, by the broadening of exemptions. And under the interpretation of the Privacy Act adopted by Judge Seeborg’s ruling in our case, additional Privacy Act exemptions could be promulgated at any time in the future, and applied even to requests that had already been made. Nobody can rely on any “rights” under the Privacy Act that could be retroactively revoked at any time. In addition, the new notices fail to give any additional detail about the data-mining or search-and-retrieval capabilities of the software (which Judge Seeborg ruled that CBP does not have to disclose, notwithstanding the specific requirement of the Privacy Act law that a SORN include the “practices of the agency regarding … retrievability” of records) or the algorithms used for processing data and making “targeting” decisions. (In its comments on the new SORN, EPIC correctly points out that the use of secret algorithms makes it impossible for airlines or other travel companies subject to European Union jurisdiction, but which provide PNR or other data to CBP for ATS, to fulfill their duty under EU law to inform data subjects how their data is processed — a point we’ve made in complaints against airlines to European data protection authorities.) Perhaps most importantly, what these new filings provide is more transparency about the unprecedented scale, scope, and secrecy of ATS as a system of suspicionless surveillance and control of all international travelers and their associates.

Individuals and governments abroad should also take due note of the U.S. government’s claims in this case, and judge their collaboration with ATS accordingly. Individuals — even U.S. citizens — have no right under U.S. law to see what ATS records are being kept about them, and no right to know how or according to what algorithms data about themselves is mined, processed, or otherwise used. No records are kept of requests for access to records, and no logs are kept of who retrieves records.

Clearly, the Automated Targeting System is exactly what the Privacy Act was intended to prohibit: a system of persistent secret government dossiers about the legal activities of people who are not suspected of any crime. The reason for the enactment of the Privacy Act was the recognition that such surveillance systems, regardless of their purposes or the benign intentions of their creators, are inherently likely to be misused.

At the end of the day, the (unsurprising) lesson of Hasbrouck v. CBP is that U.S. courts continue to place the “airport exception to the First Amendment” above our right to travel and our right as citizens, presumed innocent until guilty, to be free from dragnet surveillance.

If the courts won’t uphold the intent of the Privacy Act by ruling against the maintenance of systems such as ATS, it’s up to the public to say, “No”, and to demand that Congress enact legislation explicitly mandating that ATS be shut down and all ATS records about innocent individuals be destroyed.

We are not surprised by the outcome of this lawsuit, which revealed more than we had expected about the contents of ATS records and the nature and functioning of the ATS system. We are pleased and proud of whatever role this lawsuit may have played in exposing the lack of respect by the executive and judicial branches of the U.S. government for our fundamental rights.

We are grateful to attorneys David Greene, Lowell Chow, Jim Wheaton, and Geoff King; to the staff and interns of the First Amendment Project (our parent organization) and Bryan Cave; and to John Gilmore and the other supporters who made possible this challenge to the secrecy of DHS surveillance of international travelers.

May 08 2012

US retaliates against tortured “no-fly” exile with trumped-up criminal charges

For two years, FBI agents tried to recruit Yonas Fikre — a US citizen who came to the US with his family as refugees when he was 12 years old — to infiltrate and inform on members of the congregation of a mosque he attended in Portland, Oregon, as part of an FBI entrapment “sting”.

When Fikre declined to become an FBI snitch or “agent provocateur”, the FBI had him put on the US “no-fly” list while he was overseas, and told him he would only be taken off the list so he could return to the US if he “cooperated” with their investigation of his fellow worshipers. Fikre again said, “No.”

Then the US government tightened the screws on Fikre, more or less literally, by having its “friends” in the dictatorial monarchist government of the United Arab Emirates arrest Fikre, who was in the UAE on business, torture him, and again tell him that the only escape from his predicament was to cooperate with the FBI. Even under torture, Fikre still said, “No.”

Eventually Fikre’s torturers in the UAE gave up, released him from prison, and kicked him out of their country.  We can only assume that they decided he was innocent, or at least knew nothing incriminating about anyone to reveal, and wasn’t going to talk to the FBI no matter what they did.

Unable to return to the US because he was still on the “no-fly” list, Fikre then went to Sweden, where he has relatives (refugees who went to Sweden when his immediate family went to the US).

Throughout all this, Fikre was never charged with any crime in any country, as we presume would have happened if the FBI had evidence of any crime to use as leverage in their recruiting of Fikre as an informer.

Now Fikre has been indicted in the US, less than three weeks after he went public with his story of exile by, and torture at the behest of, the government of his own country, and announced that he has sought asylum in Sweden in order to remain there, since he can’t come back to the US.

“Frankly, I think it’s retaliation and retribution,” one of Fikre’s US attorneys is quoted as saying. Another of his lawyers calls the charges retaliation and “specious”. From everything we’ve seen about the case, we agree.

Fikre is charged with the pettiest of purely procedural violations of Federal law. Allegedly, when he transferred money from the US to Dubai to fund a business he was starting there, he had the money sent in smaller increments rather than all at once, in order to keep each of the amounts below the $10,000 threshold above which he would have had to report them to the US government.

For having “structured” his legal personal business so as to avoid having to inform on himself to the Feds who he knew already wanted him to inform on his associates, Fikre has now been indicted for the Federal crime of “structuring”.

Fikre’s brother and another alleged associate, but not Fikre, were also indicted for alleged violations of tax laws.

Fikre’s business was legal. Fikre paid his taxes. The money transfers were themselves legal, and each of them was small enough that Fikre wasn’t required to report them individually. If Fikre had filed an aggregate report on the total of the transfers, everything he did would have been legal.

Fikre had good reasons to fear additional interrogation or worse retaliation if he told the Feds any more about his affairs. If he was “structuring” his finances to avoid self-surveillance requirements, he was also structuring them to try (unsuccessfully, it turns out) to avoid exposing himself to further persecution by the US government. Should this be a crime?

It’s hard to avoid the conclusion that Fikre’s real “crime” is exposing US torture and exile of its own citizens, and embarrassing the US by seeking asylum abroad. Not that he had much choice about seeking asylum somewhere, since he couldn’t come back to the US, or live and work anywhere else indefinitely as a tourist or temporary visitor.

It remains to be seen whether the US will seek to have Fikre arrested and extradited from Sweden, or will merely hold the threat of criminal prosecution over him for life (the clock stops on the statute of limitations while you are out of the country) if he ever manages to return to the US or visits another country sufficiently “friendly” to the US government to arrest him.

Shame on the US, and best wishes to Mr. Fikre for success in his application for asylum in Sweden.

Apr 25 2012

European Parliament approves PNR agreement with the US. What’s next?

[MEPs picket outside the plenary chamber to ask their colleagues to say “No” to the PNR agreement with the US. (Photo by greensefa, some rights reserved under Creative Commons license, CC BY 2.0)]

Last week — despite the demonstration shown above (more photos here) by Members of the European Parliament as their colleagues entered the plenary chamber for the vote — the European Parliament acquiesced, reluctantly, to an agreement with the US Department of Homeland Security to allow airlines that do business in the EU to give the DHS access to PNR (Passenger Name Record) data contained in their customers’ reservations for flights to or from the USA. (See our FAQ: Transfers of PNR Data from the European Union to the USA.)

The vote is a setback for civil liberties and the fundamental right to freedom of movement, in both the US and Europe.

But the vote in the European Parliament is neither the definitive authorization for travel surveillance and control, nor the full grant of retroactive immunity for travel companies that have been violating EU data protection rules, that the DHS and its European allies had hoped for.

Many MEPs voted for the agreement only reluctantly, in the belief (mistaken, we believe), that it was “better than nothing” and represented an attempt to bring the illegal US surveillance of European travelers under some semblance of legal control.

Whatever MEPs intended, the vote in Strasbourg will not put an end to challenges to government access to airline reservations and other travel records, whether in European courts, European legislatures, or — most importantly — through public defiance, noncooperation, and other protests and direct action.

By its own explicit terms, and because it is not a treaty and is not enforceable in US courts, the “executive agreement” on access to PNR data provides no protection for travelers’ rights.

The intent of the US government in negotiating and lobbying for approval of the agreement was not to protect travelers or prevent terrorism, but to provide legal immunity for airlines and other travel companies — both US and European — that have been violating EU laws by transferring PNR data from the EU to countries like the US.  The DHS made this explicit in testimony to Congress in October 2011:

To protect U.S. industry partners from unreasonable lawsuits, as well as to reassure our allies, DHS has entered into these negotiations.

But because of the nature of the PNR data ecosystem and the pathways by which the DHS (and other government agencies and third parties outside the EU) can obtain access to PNR data, the agreement does not provide travel companies with the full immunity they had sought.

Most of the routine practices of airlines and travel companies in handling PNR data collected in the EU remain in violation of EU data protection law and subject to enforcement action by EU data protection authorities and private lawsuits by travelers against airlines, travel agencies, tour operators, and CRS companies in European courts.

Why is that?

Mar 07 2012

All US police to get access to international travel records?

This just in from the “All international travelers are suspected terrorists” department:

In response to questions (see the video at approx. 37:00-38:30) from members of a House Homeland Security subcommittee during a hearing yesterday, DHS Deputy Counter-Terrorism Coordinator John Cohen said that, as part of the Orwellianly-named “Secure Communities” program, local police will soon be receiving the result of a check of DHS international travel logs, automatically, for every person arrested anywhere in the US for even a minor offense. Local police will be able to run checks of travel records for “nonoffenders” — innocent people — as well.

According to one report:

Under the forthcoming plan, authorities will be able to instantly pull up an offender’s or nonoffender’s immigration records and biometric markers, he said. The government already is able to vet visitor records from multiple databases for national security and public safety threats, Cohen added.

“So, today, if someone is arrested for any type of offense, part of the query that will take place will be an automatic check of immigrations systems — it will be a check of TECS as well,” he said. “The chances are greatly enhanced that today if somebody were to be booked on a minor drug offense or a serious traffic violation even, the person’s immigration status would come to our attention.”

Here’s what the result of a TECS check might look like: logs of (legal) international travel, and notes from customs inspectors about whatever events they considered noteworthy (again, including events that were entirely legal).  We got these linked examples before DHS exempted TECS from most of the access requirements of the Privacy Act. You no longer have any legal right in the US to find out what’s in the TECS records about yourself. And while TECS was being described to Congress as an immigration enforcement system, these examples are from TECS records about a US citizen. Logs are kept in TECS of everyone who travels to, from, or via the US — even US citizens.

TECS used to include complete airline reservations (Passenger Name Records). PNR data has been re-categorized as a separate DHS system of records, the “Automated Targeting System”. But TECS records include the traveler’s name and the airline code, flight number, and date of each flight, which is sufficient information to retrieve the complete PNR from the airline or the computerized reservation system (CRS) that hosts it. This airline data is obtained from APIS transmissions, which the US has claimed to the European Union are used only for a narrow range of purposes.

Soon, it will be as easy for any local law enforcement officer anywhere in the US to run a “TECS check” of these records about you as it is today for them to run a check of your criminal record from NCIC. Except that the records in TECS are records of your exercise of First Amendment rights of freedom of assembly, not records of criminal convictions.

Or should we be asking if the DHS now thinks that foreign travel has become tantamount to a crime?

Mar 05 2012

New questions from European Parliament about “bypass” of EU-US agreement on PNR

Important new questions about how the US government can bypass the proposed EU-US agreement on access to PNR data have been asked by a key Member of the European Parliament.

These new questions by MEP Sophie in ‘t Veld (the Europarl “rapporteur” or floor leader on the proposed PNR agreement) follow up on evasive, misleading, and incomplete responses by European Commissioner Cecilia Malmström to previous questions from MEPs about PNR data.

The proposed EU-US agreement would pertain only to DHS copies of PNR data obtained directly from airlines, but would not regulate the master copies of PNRs held by Computerized Reservation Systems (CRSs) such as Sabre, Galileo/Apollo by Travelport, Worldspan by Travelport, and Google in the US or Amadeus in Europe (each of which is used by travel companies in the US, EU, and other countries).

Two sets of questions (here and here) about US government access to CRS databases of PNRs were tabled today by MEP in ‘t Veld, with a request that the European Commission respond before the LIBE Committee of the EP votes on the proposed EU-US agreement, currently scheduled for March 27th.

The first set of these questions focuses on US government access to PNR data held on servers in the US (such as whenever a European travel agency or tour operator uses one of the US-based CRSs).

The second set of questions concerns the ways that US law allows the US government to bypass the proposed agreement and obtain PNR data through CRS offices in the US — even when the data is stored on servers in the EU:

US access to PNR data in Computer Reservation System Amadeus II

Computer Reservation System Amadeus has its headquarters in Madrid (Spain) and its central database in Erding (Germany). Additionally, it has several offices outside the EU, including an office in Miami, in US jurisdiction. All Amadeus offices around the world have access to the PNR data base in Erding.

  1. Is the Commission aware that the US authorities may retrieve PNR data stored in Europe (Erding) through the Amadeus office in the US, for example by using National Security Letters? Is the Commission aware that such retrievals are not being logged, and that Amadeus may be sworn to secrecy by the US authorities?
  2. Does the Commission consider this would allow the US authorities to get access to PNR data, at least on an ad hoc basis, at any given moment? Does the Commission agree that this is not only equivalent to the PULL method, but that it even exceeds PULL, as it allows for the retrieval of all PNR data, not just the fields specified in the EU-US Agreement, without the obligation to log the retrievals? Does the Commission agree that this leaves the clauses on PUSH and PULL and logging, in the EU-US agreement completely meaningless in practice?
  3. Does the Commission agree that data retrieved by the authorities of a third country from an EU located data base would constitute a transfer of data to a third country? Is the Commission aware if Amadeus or similar CRS are keeping logs of such retrievals? If not, does the Commission consider that such retrievals are a violation of EU data protection rules?
  4. If no logs are being kept of the retrievals described above, would the Commission agree that citizens would have no means to exercise their rights to verify and correct their data?
  5. Can the Commission provide an overview of other Computer Reservation Systems with a presence in the US, that would be in the same position as Amadeus? Can the Commission provide an overview of PNR data stored in Europe by CRS, that are thus available to third countries other than the US?

We’ve been asking exactly these questions for years, and we’re pleased to see that MEPs are demanding answers from the European Commission before they vote on an agreement that, in fact, would do little to rein in the US government’s demands for PNR data because it could so easily be bypassed.

Some of these questions are easily answered, although the EC may not want to admit the answers.

EU-based airlines including KLM, Air France, and Lufthansa have each told us, in response to our requests for access to our PNR data, that Amadeus has no logs of who has accessed our PNRs. And in response to our lawsuit seeking access to PNR data held by DHS, the US government has claimed that it has no logs of who has accessed the DHS copies of PNRs with information about us.

We presented diagrams of the information architecture of the PNR data ecosystem, and the pathways for PNR data flows which bypass the EU-US agreement, in our testimony to MEPs in Brussels in 2010. A representative of the EC attended and spoke on the same panel with us at that hearing, so the Commission can’t claim that they were unaware of these issues. We also explained this bypass pathway in our FAQ on Transfers of PNR Data from the EU to the USA, which was first distributed to MEPs in 2010 and which we’ve just updated and re-posted.

The possibility for the US government to bypass the EU-US agreement and obtain PNR data directly from CRS servers or offices in the US was also explicitly raised by the US government in its negotiations with European governments. European authorities, including the German data protection commissioner and chair of the Article 29 working party, have been fully aware of the US ability to bypass the agreement in this way since at least 2006, when the US pointed this bypass channel out to European authorities.

Many of the US diplomatic cables made public by Wikileaks relate to US access to PNR data. Perhaps the most interesting of these PNR-related Wikileaks cables was sent to Washington from the US Embassy in Berlin on October 31, 2006. This cable reports on two days of meetings between Assistant Secretary (“A/S”) of Homeland Security Stewart Baker — the chief drafter and negotiator for the US of the original PNR agreements — and various German government officials. (Baker’s own self-serving account of these meetings is included in his memoir, Skating on Stilts, which he has kindly made available for free download.)

But Baker’s account omits some of what he reported to his bosses in Washington:

A/S Baker warned that in many cases the actual airline databases reside in the United States, and the airlines of many EU countries do not have flights to the United States, and so in this light, from the U.S. perspective, it was difficult to see why an EU government and parliament should have any influence on the access of U.S. agencies to data in the United States.

This is why the DHS recently testified to Congress that the reason for the proposed agreement was “To protect U.S. industry partners from unreasonable lawsuits.” The US government doesn’t need any “agreement” with the EU to obtain PNR data collected in the EU, as long as EU travel companies continue to outsource the storage of PNR data to CRSs based in, or with offices in, the US.

It’s also important to note that the DHS referred to the need to “protect U.S. industry partners”, not European companies. The US government doesn’t care whether European companies comply with European law, or are disadvantaged by US law. The US government wants to protect US companies that are at risk of liability for violating EU law.

Who are those companies? Clearly, the principal violators of EU law in this case are the US-based CRSs, which shouldn’t be allowed to operate or serve travel agencies, tour operators, or airlines in the EU unless they comply with EU law — which they don’t.

It’s not illegal to transfer PNR data from a travel agency in the EU to a CRS in the US, but it is illegal to do so without being able to ensure that the data transferred will be protected, and without the knowledge or consent of the data subject.

No travel agency or tour operator in the EU ever says to a customer, “Is it OK if I store your PNR for this flight from Berlin to Brussels on a server in Denver (or Dallas)?” But that’s what happens whenever a Sabre or Travelport subscriber in the EU makes a reservation, regardless of whether the itinerary involves any destination in the US. And that’s the question any such travel agency is required to ask, under current EU data protection laws, before they can outsource their customers’ data to the US.

The fact that this practice is flagrantly illegal, but so widespread, is one of the clearest examples of the failure of EU authorities and the so-called “Safe Harbor” scheme to protect the personal information of either European or US travelers.

We hope to see these issues addressed not just by the EC and the European Parliament, in response to MEP in ‘t Veld’s questions, but also by EU policy-makers reviewing “Safe Harbor” and the protection of personal data stored by “cloud services” (of which CRSs are one of the first examples).

We’ve been invited to attend the EC’s trans-Atlantic conference on Privacy and Protection of Personal Data later this month, and hope to raise these issues there and see them made part of the ongoing review of “Safe Harbor”, the EU Data Protection Directive, and privacy policy for cloud services.

Mar 01 2012

Google is now in the PNR hosting business

Today Google and Cape Air announced that Cape Air has migrated its reservations and Passenger Name Records (PNRs) to a new computerized reservation system (CRS) provided by Google’s ITA Software division.

ITA Software was working on a CRS even before it was acquired by Google last year, but had appeared to lack a launch customer to fund the project after its original partner, Air Canada, backed out. In his first public statement last November after the Google acquisition was completed, Google Vice President and former ITA Software CEO Jeremy Wertheimer anticipated today’s announcement and said that with Google’s new backing, his division was “burning the midnight oil” to complete the project.

Cape Air, Google’s CRS launch customer, is a very small US airline that mainly flies 9-seat piston-engined propeller planes to small resort islands. Most of what might look like “international” destinations on their route map are actually US colonies. But Cape Air does serve some British colonies in the Caribbean, including Anguilla and Tortola. All reservations for those flights, as well as any reservations for Cape Air’s domestic US and other flights made through travel agencies, tour operators, or “interline” airline partners in the European Union, are subject to EU data protection laws.

So as of today Google should have in place an airline reservation system, including PNR hosting functionality, which fully complies with EU laws including in particular UK data protection law and the EU Code of Conduct for Computerized Reservation Systems.

We’re doubtful that Google (or Cape Air) have complied with these requirements of EU law. Cape Air’s privacy policy says, “CapeAir does not fly routes within Europe, so this Privacy Policy is not adapted to European laws.” It appears to be true that Cape Air doesn’t fly within Europe, but it does operate flights to and from UK territories that are legally part of the EU. Cape Air also says, “By agreeing to Cape Air’s Privacy Policy, you consent to Cape Air applying its Privacy Policy in place of data protections under your country’s law.” It’s not clear whether such a waiver of rights is valid. The “Privacy Policy” link  on ITAsoftware.com goes directly to Google’s new global privacy policy, which appears to say that Google may merge information from all Google services, presumably including Google’s new PNR-hosting service.

At the same time, in accordance with the Advance Passenger Information System (APIS) and PNR regulations of US Customs and Border Protection (CBP, a division of the DHS), that also means that Google has connected its system to CBP’s Automated Targeting System (ATS).  Whether Google has given CBP logins to “pull” data whenever CBP likes (as the other CRSs have done), or whether Google “pushes” PNR data to CBP, remains unknown until some Cape Air passenger requests their PNR data under EU law.

In accordance with the US Secure Flight rules, the Google CRS for Cape Air must also have a bi-directional connection to the US Transportation Security Administration to send passenger data to the TSA and receive permission-to-board (“cleared”) fly/no-fly messages in response.

This is, so far as we can tell, an unprecedented level of direct connection between Google’s databases and any government agency.  Has Google complied with EU law? Probably not, but we can’t tell. We invite Google to allow independent verification of how it handles PNR data, and whether its CRS system and its connections to the US government comply with EU rules.

[It’s also important to note that the privacy and data protection practices of CRSs, including Google’s “ITA Software” division, are outside the jurisdiction of the Federal Trade Commission and subject to policing only by the do-nothing Department of Transportation.]

There are also interesting questions about what profiling and data mining capabilities are built into Google’s CRS system. “Legacy” CRSs store PNRs in flat files in which PNRs for different trips by the same traveler can be difficult to link. But a report on the new Google CRS in the online trade journal Tnooz says it “enables … call center agents ‘to see customers’ history,’ including past trips and upcoming flights, ‘right in front of them’.” Greater designed-in profiling and data mining capabilities are selling points of Google’s CRS compared to its “legacy” competitors.

EU oversight and enforcement bodies should have demanded answers as well. Last May the European Parliament approved a resolution calling on the European Commission to carry out, “an analysis of … PNR data which may be available from sources not covered by international agreements, such as computer reservation systems located outside the EU.” In November, shortly after Google’s announcement that they were moving forward with their CRS project, a Member of the European Parliament submitted written follow-up questions to the Commission as to whether the EC has conducted such an analysis, as well as whether the EC has “considered the technical or policy implications of potential new CRS providers such as Google, which may use different technology platforms from those of legacy CRS vendors?”

As we’ve noted, the “response” to these questions by Commissioner Cecilia Malmström said nothing about Google or other new CRS providers, contradicted the statements that have been made by European airlines, and largely ignored the issues raised by the European Parliament.

Cape Air is a small first step into the CRS industry by Google, but it won’t be the last. Everyone concerned with how PNR data is stored and processed, including data protection authorities in countries that (unlike the US) have such entities, should carefully scrutinize and demand satisfactory, verifiable answers as to what this means about Google’s relationship to US government agencies and the need for oversight and enforcement of privacy and data protection rules applicable to all CRS companies.