Dec 24 2008

DHS admits problems in disclosing travel surveillance records

On Friday, December 19th, the Privacy Office of the U.S. Department of Homeland Security released A Report Concerning Passenger Name Record Information Derived From Flights Between The U.S. and the European Union.

This is a very important report for both US and European travelers, but not for the reasons the DHS claims:

The authors of the report conclude that DHS handling of Passenger Name Record (PNR) data is in compliance with both US law (particularly the Privacy Act) and the DHS-EU agreement on USA access to, and use of, PNR data related to flights between the EU and the USA.

In fact, the report contains multiple admissions that support exactly the opposite conclusion: The DHS has complied with neither the agreement with the EU, nor US law (especially, but not only, the Privacy Act), in its use of PNR data concerning US citizens as well as Europeans and other foreigners.

The DHS has legal obligations to US citizens and residents under the Privacy Act, and commitments to travelers from the EU under the PNR agreement, to allow individuals timely access to PNR data about them held by the DHS. According to the report:

DHS policy allows persons (including foreign nationals) to access and seek redress under the Privacy Act to raw PNR data maintained in ATS-P.

Despite this, the DHS Privacy Office has now reported that:

  1. Requests for PNR data have typically taken more than a year to answer — many times longer than the legal time limits in the Privacy Act and Freedom of Information Act: “The requests for PNR took more than one year to process.”
  2. When individuals have requested “all data” about them held by the DHS, often they have not been given any of their PNR data: “If an individual requests ‘all information held by CBP’ the FOIA specialist generally does not search ATS because PNR was not specifically requested.”
  3. Because of this, the vast majority of requesters who should have received PNR data did not: “The PNR specific requests are a small percentage of the total requests based on the statistics provided to the Privacy Office, but if ATS-P were searched in all cases in which an individual asks for ‘all information held by CBP,’ the percentage would increase more than seven [sic]”
  4. PNR data has been inconsistently censored before it was released: “The requests for PNR … were inconsistent in what information was redacted.”
  5. A large backlog from the initial requests for PNR data remains unanswered, more than a year later: “Management noted that they have been understaffed and are bringing on new staff to reduce the backlog and period of time it takes to respond to requests. Additionally, management stated that part of the delayed response was due to the large number of requests initially submitted for PNR.”

To understand the full meaning and significance of the report, let’s quickly review the history of US government use of PNR data:

The US has no general law protecting the privacy of “commercial” data, and the Privacy Act of 1974 only protects personal information when it is stored by the government.  So PNR data has been considered the legal property of airlines, Computerized Reservation Systems (CRSs) and other travel companies, over which travelers have no control.  Those travel companies could, and did, routinely allow police and other US government agencies to look at PNRs, without the knowledge or consent of the data subjects and without violating any US law (as long as the government didn’t retain the data, which would implicate the Privacy Act).

A single PNR can contain data from many sources (travelers, travel companies, and others), collected and entered by multiple intermediaries in multiple jurisdictions at multiple times.  It is impossible to tell, from any of the information in a PNR, where the data in it was collected, or which countries’ data protection laws apply to it.  PNRs from domestic flights within the US, for example, routinely contain data collected in the EU (for example, by European travel agents and tour operators and by European offices of US airlines) and protected by EU law.  As a result, access to PNR data — even for domestic US flights by US airlines — has always and inevitably included data collected in the EU.

From the first adoption of EU data protection laws, travel companies that allowed PNR data to be sent to the US, that outsourced the storage of their PNRs to CRSs based in the US, or that allowed the US government to access PNRs without the knowledge and consent of data subjects (including travelers, travel agency and airline staff, and third parties mentioned in PNRs) have been in ongoing, systematic, routine, and flagrant violation of the EU Data Protection Directive, EU national data protection laws, and the data privacy provisions of the EU Code of Conduct for CRSs.

At least as early as 1999, the US Customs Service (predecessor of DHS Customs and Border Protection) not only “routinely” accessed PNRs, but also began secretly keeping copies of some of them in what eventually came to be known as the “Automated Targeting System-Passenger” (ATS or ATS-P).  In doing so secretly, the Customs Service and later the CBP violated the Privacy Act, which requires prior notice in the Federal Register, in specific form, of the existence, content, and usage of each system of records of personal information maintained by a US Federal agency.

Collection of PNR data also violated several other provisions of the Privacy Act, including the prohibition on collection or maintenance, except with explicit statutory authorization which was lacking for ATS, of records about how individuals exercise First Amendment rights such as their right to assemble. And because it would have been impossible for the DHS to identify which PNR data had been collected in the EU (or anywhere else in the world), this Customs Service/CBP/DHS access to PNRs necessarily entailed further violations of EU law by the travel companies that allowed it without requiring the US government to obtain warrants or court orders for this data.

After at least seven years of entirely illegal operation outside the Privacy Act and EU laws and regulations, the existence of the ATS and US government retention of PNR data was first disclosed by the CBP in late 2006.

The Identity Project and others immediately complained that the ATS and its use of PNR data violated numerous US laws, and requested that the DHS Privacy Office and other enforcement agencies take action.  According to the DHS Privacy Office report, “DHS and CBP have clear authority under the Privacy Act, Title 18, and Title 19 to enforce any security, privacy, or other administrative, civil, or criminal penalties against individuals for unauthorized use or disclosure of PNR and other CBP data.”

We were surprised to find, in the latest report from the DHS Privacy Office, the statement that, “The Privacy Office received no reports of misuse of PNR since the last review, conducted in 2005.”  In fact, our specific formal complaints of misuse of PNR data in the ATS, in violation of US law including the Privacy Act, were filed with the DHS Privacy Office in their regulatory docket on the ATS, and are available here, here, and here.  We have received no acknowledgment or response to these complaints, and we are aware of no action having been taken on them.  We are aware of no criminal charges having been brought against any of the DHS, CBP, or Customs Service officials responsible for the illegal creation and maintenance of ATS or other PNR records or systems of records.

After they disclosed the existence of ATS in 2006, DHS officials claimed that this PNR and other data had been considered part of another system of records, the “Treasury Enforcement Communications System” (TECS), which perhaps coincidentally is also currently being revised and further exempted from the Privacy Act. But if that were true, PNR data would have been searched, and disclosed, as part of TECS, in response to requests for “all records held by CBP.”  The latest DHS Privacy Office report shows that, in practice, PNR data was kept in a separate database and was not treated as part of TECS, or part of any other system of records subject to the Privacy Act. That’s typical of the way policies, practices, and information related to air travel have often, since September 11th, been treated as sui generis and secret. But that’s exactly the sort of “off-the-books”, undisclosed keeping of government dossiers which the criminal provisions of the Privacy Act are intended to prohibit and punish.  Whether the DHS or Department of Justice will now bring criminal charges against the DHS (and predecessor Customs Service) officials responsible for this decade-long pattern of criminal activity with respect to PNR data is now the litmus test of whether they are able or willing to act as meaningful or effective oversight, compliance, and enforcement bodies.  Europeans as well as US citizens should watch closely to see what, if any, action is now taken to enforce the law.

(The DHS Privacy Office report doesn’t mention it, but like all other Federal agencies the DHS is also required, by standing order of the President, to respond to complaints about violations of human rights obligations.  Our repeated, specific, formal complaints that DHS programs for the surveillance and control of travellers’ international and domestic movements violate Article 12 of the International Covenant on Civil and Political Rights have received no response whatsoever.)

At the same time as we were filing our complaints with the DHS Privacy Office, the Identity Project assisted several individuals to make an initial set of requests for ATS data from the CBP, including PNR data, and assisted them in interpreting the responses (based on our expertise and experience with PNRs and travel industry practices).  We appealed some of the cases in which the responses were obviously incomplete and/or the redactions were obviously unjustified.  Some of those appeals are now also over a year old, without having been acknowledged or acted on.

We published the results of our analysis of the responses to those first requests in September of 2007, along with forms that members of the public could use to make their own requests for their ATS records, including PNR data.  Widely-distributed news stories about our report prompted a surge of Privacy Act requests with which the CBP apparently has yet to catch up.

Meanwhile, the DHS was seeking to legalize the longstanding, ongoing, and until then unquestionably illegal inclusion in its PNR dragnet of data collected in the EU.  An initial “agreement” between the DHS and the EU (nonbinding and unenforceable in the US, because it was neither enacted into US law nor ratified by the US Senate as a treaty) was ruled invalid by the European Court of Justice, without the court even reaching any of the issues of fundamental rights.  A new agreement — equally unenforceable in the US for the same reasons, and vulnerable to a new challenge before the ECJ — was signed by the DHS in August 2007.

(The DHS-EU agreement applies only to data obtained from PNRs for flights between the US and the EU.  DHS access to, or transfer to commercial entities in the US of, data collected in the EU and contained in PNRs for other flights — such as domestic US flights booked in the EU — continues to be in blatant violation of EU law.)

That second, 2007 DHS-EU agreement provides for periodic joint US-EU reviews of compliance with its terms. As the post in the official DHS blog about the latest report makes clear, the report released Friday by the DHS is the result of a unilateral internal review conducted within the DHS, which included neither EU representatives nor any outside experts in PNR data (such as from the travel industry, consumer organizations, or privacy and civil liberties NGOs). Without EU participation, the DHS review is not the joint US-EU review required by the DHS-EU agreement, which has yet to be conducted. And without outside expertise in the meaning, encoding, and usage of PNR data, it is unlikely that either US or EU officials would be competent to conduct an effective audit of DHS handling of PNR data.

But considering that it was produced entirely within the DHS, the latest report is remarkable in the degree to which it reveals facts showing that the DHS has not fulfilled its commitments to either US or EU travelers.

Now that the DHS itself has confirmed its lack of compliance with both US and EU laws, Europeans should demand that transmissions of PNR data to the US, and access by the DHS to CRSs and other PNR hosting systems that contain data collected in the EU, be stopped until a joint review (including the necessary outside experts) finds that the DHS has:

  1. Cleared the backlog of requests for access to PNR data, and of appeals related to those requests.
  2. Reviewed all previous requests for “all data”, and provided any responsive PNR data not previously provided.
  3. Reviewed all previous redactions of PNR data, and provided any information previously improperly redacted.
  4. Demonstrated that it is responding to all requests for PNR data or “all data”, and any appeals related to those requests, within the time limits mandated by the Privacy Act (which are also, by extension, the time limits mandated by the PNR agreement).
  5. Demonstrated that complaints of legal violations involving DHS use of PNR data are being investigated and responded to, and that the applicable laws — including the criminal provisions of the Privacy Act as well as the applicable international human rights treaties — are being enforced.

Europeans should also oppose any general agreement on the transfer of personal data from the EU to the US until the DHS has demonstrated that it is complying with the current PNR agreement.

In the meantime, Europeans (or anyone who has flown on an EU-based airline, or made their reservations or purchased their ticket through an airline office, travel agency, or tour operator located in the EU — even an EU office of a US airline, or a travel agency in the US that stored their PNRs in the EU-based Amadeus CRS) can exercise their right under EU law to request their PNRs and other travel records from these travel companies.  Even if the DHS doesn’t tell you what information about you they have obtained, travel companies are required to tell you who they have allowed to access your records, and what information they have given to government agencies or other third parties.  If they don’t, you can complain to national data protection authorities, or bring your own lawsuit in a European court.

In addition, we have updated our forms for you to use to request your international travel records from the DHS/CBP and we are preparing new forms to request your Secure Flight records from the DHS/TSA.  If you previously requested your travel records, you will probably need to do so all over again, since the DHS has admitted that most of those who asked for “all” of their records received none of their PNR data, and there’s no guarantee that the DHS will re-open or review these earlier requests on its own initiative (although clearly they should).  In the responses we’ve reviewed, some people received only PNR data, some people who made identical or very similar requests received only non-PNR data, and very few received both, even though in essentially all cases both types of records exist in CBP files about the same international airline journey.

None of this, of course, should be necessary.  This travel surveillance dragnet, and these lifetime “travel history” dossiers, should not exist. We continue to urge Congress and the new Presidential Administration to explicitly forbid the continued collection and maintenance of ATS or other PNR records, and to mandate the destruction of those records already collected by the government or at its behest.

[On December 31st, the author of the DHS report, Chief Privacy Officer Hugo Teufel III, posted an article in the DHS “Leadership Journal” blog apparently prompted by our analysis of his report, and news stories prompted by our comments.  We encourage you to read his comments for yourself, but what seems most noteworthy to us is that he neither denies nor even mentions any of the specific DHS compliance failings to which we called attention, or any of the other facts in our description and analysis of the history of DHS use of PNR data.]