Comments from USA:
The Practical Nomad blog: "Undertakings" by the USA on use of reservation data


Edward Hasbrouck's blog

Monday, 2 February 2004

"Undertakings" by the USA on use of reservation data

... Statewatch has posted the complete text of the 12 January 2004 draft "Undertakings of the [USA] Department of Homeland Security Bureau of Customs and Border Protection (CBP)" on transfers of airline reservations data (passenger name records, or PNR's) from the European Union to the USA.....

But it's obvious on inspection to any travel agent or airline reservation representative that the "Undertakings" were written by people who've never seen a PNR, and have no idea what it contains, how the data is structured, or how it is entered.

Since I work with PNR's on a daily basis at Airtreks.com , and since my readers include Congressional and Parliamentary staff in several countries who need to evaluate the "Undertakings", it seems worth taking a few extra electrons hear to explain how the "undertakings" depart from reservation realities.

All this points to the need for a much more open process, in which privacy advocates with expertise in reservation data are involved in developing policies like these to govern their use.

The following numbered paragraphs are quoted from the "Undertakings", followed by my comments on each. The detailed breakdown of PNR data categories (Attachment "A" of the "Undertakings") is at the very bottom.

Legal Authority to Obtain PNR [2]

1) By legal statute (title 49, United States Code, section 44909© (3)) and its implementing (interim) regulations (title 19, Code of Federal Regulations, section 122.49b), each air carrier operating passenger flights in foreign air transportation to or from the United States, must provide CBP (formerly, the U.S. Customs Service) with electronic access to PNR data to the extent it is collected and contained in the air carrier's automated reservation/departure control systems ("reservation systems");

This is a correct statement of the law, but the data proposed to be transferred substantially exceeds that required by the law, in 2 respects:

The portion of the undertakings related to non-passenger PNR's, and to access to PNR's in advance of "wheels up", must be evaluated as providing for transfer of data not required by any USA law or regulation. It does not come under the exceptions to EU law or regulations for data required by law.

Use of PNR Data by CBP

2) Most data elements contained in PNR data can be obtained by CBP upon examining a data subject's airline ticket and other travel documents pursuant to its normal border control authority, but the ability to receive this data electronically will significantly enhance CBP's ability to facilitate bona fide travel and conduct efficient and effective advance risk assessment of passengers;

The point of this clause is to minimize the violation of rights inherent in mandatory government access to PNR's, by claiming that only the manner, not the content, of data access is changing from current inspection of tickets and travel documents by border control officers.

But this statement is false and deeply misleading. It betrays either gross technical incompetence or deliberate intent to mislead.

The majority of the data to be transferred cannot be determined from paper tickets.

(An electronic ticket is included in the PNR, and there is no standard definitions as to which portions of the PNR are included in the "electronic ticket". So it's unclear what "inspection of tickets" would even mean in the case of electronic tickets. But paper tickets remain common.)

A couple of lines of free text can be printed in the "endorsement" box on paper tickets. Theoretically it could be used for anything (for a while, one nationalist travel agency in Athens was endoring every ticket they issued, "Macedonia is only Greek"), but normally the endorsement box isn't used for any of the other listed items.

Other that that, of the 34 categories of personal information listed in Attachment "A":

5) With respect to the data elements identified as "OSI" and "SSI/SSR" > (commonly referred to as general remarks and open fields),...

Actually, OSI/SSR data and general remarks are distinct, and are correctly distinguished as separate items on Attachment "A" (items 19 and 27).

... CBP's automated system will search those fields for any of the other data elements identified in Attachment "A". CBP personnel will not be authorized to manually review the full OSI and SSI/SSR fields unless the individual that is the subject of a PNR has been identified by CBP as high risk in relation to any of the purposes identified in paragraph 3 hereof;

Actually, as I have reported previously, I have been told by a source familiar with the CBP access logs, and have seen some sample extracts from the logs which confirm, that this is not happening -- CBP routinely reviews entire PNR's, including OSI/SSR data, remarks, and history.

6) Additional personal information sought as a direct result of PNR data will be obtained from sources outside the government only through lawful channels, and only for legitimate counterterrorism or law enforcement purposes.

In the absence of data protection law in the USA, almost any imaginable technique is a "lawful channel", so this seeming reassurance is hollow.

For example, if a credit card number is listed in a PNR, transaction information linked to that account may be sought, pursuant to lawful process, such as a subpoena issued by a grand jury or a court order, or as otherwise authorized by law.

The key to the emptiness of this assurance is the clause, "as otherwise authorized by law". In the absence of any data protection law, the USA government or any private actor is "authorized by law" to ask the airline, CRS, or anyone else in possession of data to hand it over, and they are "authorized by law" to hand it over -- without notice to, or consent of, the data subject.

Even if the party in possession of the data declines to turn it over, the USA government can compel disclosure of data (specifically including airline reservation data) by issuing a "national security letter" under the Patriot Act, which does not require any action or review by any officer of the judicial branch, and which can order that the disclosure be kept secret form the data subject or anyone else.

In order to review the "adequacy" of the CBP undertakings, the European Union must thus review the "adequacy" of the Patriot Act provisions for access to personal data incluf\ding airline reservations through non-judicial "national security letters".

In addition, access to records related to e-mail accounts derived from a PNR will follow U.S. statutory requirements for subpoenas, court orders, warrants, and other processes as authorized by law, depending on the type of information being sought;

As above, under the Patriot Act, and in the absence of data protection, there is in general no USA statutory requirement for subpoenas, court orders, or warrants -- there are "other processes as authorized by law".

8) CBP may transfer PNRs on a bulk basis to the Transportation Security Administration (TSA) for purposes of TSA's testing of its Computer Assisted Passenger Prescreening System II (CAPPS II).

This isn't a side agreement (which would have required separate approval and consultation with the European Parlieament and the Article 29 Working Party pof national data protection authorities. This is an integral part of the basic agreement, and Commissioner Bolkestein once again appears to have tried to mislead the EP in his categorical statement that "the agreement" does not cover CAPPS-II.

12) With regard to the PNR data which CBP accesses (or receives) directly from the air carrier's reservation systems for purposes of identifying potential subjects for border examination, CBP personnel will only access (or receive) and use PNR data concerning persons whose travel includes a flight into, out of, or through the United States;

I've been told by a source familiar with the access logs that the CBP has accessed PNR data on other flights, including flights entirely within the EU.

14) CBP will pull PNR data associated with a particular flight no earlier than 72 hours prior to the departure of that flight,

I've been told by a source familiar with the access logs that the CBP has accessed PNR data as much as several weeks before the flight date.

18) Details regarding access to information in CBP databases (such as who, where, when (date and time) and any revisions to the data) are automatically recorded and routinely audited by the Office of Intemal Affairs to prevent unauthorized use of the system;

A critical question is whether the months of logs of the illegal access to date have been, or will be, subjected to such an audit before an agreement is finalized. From what I've been told by my source about the logs, and the excerpts I've received, they would not stand up to a sufficiently through and technically competent audit.

21) Unauthorized access by CBP personnel to air carrier reservation systems or the CBP computerized system which stores PNR is subject to strict disciplinary action

In theory, maybe, but the violations to date have not been punished. Theway the the CBP has been using its access to reservation systems is scandalous, and the EU should insist on an independent audit before any finding that the purported internal CBP oversight provides "adequate" protection against.

31) For purposes of regulating the dissemination of PNR data which may be shared with other Designated Authorities, CBP is considered the "owner" of the data and such Designated Authorities are obligated by the express terms of disclosure to: (1) use the PNR data only for the purposes set forth in paragraph 29 or 34 herein, as applicable; (2) ensure the orderly disposal of PNR information that has been received, consistent with the Designated Authority's record retention procedures;

Here again, one must keep in mind that, since there is no general data protection law in the USA, the "Designated Authority's record retention procedures" may not exist, or may provide for indefinite retention.

39) CBP will undertake to rectify data at the request of passengers and crewmembers, air carriers or Data Protection Authorities (DPAs) in the EU Member States (to the extent specifically authorized by the data subject),

The undertakings here fail to take into consideration the rights of other data subjects, including airline, travel agency, and other reservation staff; persons from whom reservations are received for others; persons paying for tickets for others. Here again, it's not entirely clear if the negotiators of the undertakings were technically incompetent, or deliberately trying to evade acknowledgment of the scope of the data transfer and the range of data subjects it would implicate. (I discussed the other categories of data subjects at some length in my comments to the DHS on the CAPPS-II Privacy Act notice.)

Keep in mind that I am not a lawyer. Lawyers may well have additional criticisms. I've tried to focus on the technical problems, as an expert on travel reservations and their privacy implications.

The following 18 of the 34 PNR fields listed in Attachment "A" are never printed on or identifiable from inspection of paper tickets:

The following 7 fields could sometimes or partially, but not fully or reliably, be determined from inspection of tickets ((sometimes in conjunction with other indexes, e.g. a lookup table of travel agency names and addresses by IATA/ARC accreditation number to determine the travel agency and travel agent name and address from the agency number on the ticket):

Only the following 9 of the 34 fields could usually be determined from inspection of tickets:

Posted by Edward on Monday, 2 February 2004, 21:20 (09:20 PM)

update: 4.2.04: EU planning to nod through use of PNR data for use by CAPPS II: Report and documentation


Statewatch News online | Join Statewatch news e-mail list | Download a free sample issue of Statewatch bulletin

Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author.
Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.