Papers, Please!

This week Travelport — the holding company that owns two of the big four Computerized Reservation Systems (CRSs) or Global Distribution Systems (GDSs) — announced that it has “certified” that it complies with “Safe Harbor” privacy and data protection principles for companies that want to be eligible to receive transfers to the US of personal data collected in the EU or Switzerland.

As travel industry technology news site Tnooz reports, quoting Identity Project consultant Edward Hasbrouck:

Travelport’s headline on its press release about the issue, “Travelport is First GDS Provider to be Safe Harbor Certified,’ may be true, but can easily be misconstrued because Safe Harbor is a self-certification process.

Privacy expert Edward Hasbrouck, who has written extensively about the issue, notes that what Travelport’s Safe Harbor designation “means is that Travelport has made a formal claim … that Travelport complies with certain Safe Harbor principles. That claim has not been vetted, audited or verified by anyone.”…

“None of the GDS companies comply with EU data protection law, or have made any effort even to pay lip service to it until now,” Hasbrouck says. …

(more…)

After two months, we’ve gotten an initial round of non-responses from the DHS and TSA to our complaint that their procedures for subjecting holders of certain passports to more intrusive search and/or interrogation as a condition of domestic common-carrier air travel violate published TSA civil rights policies, Federal laws, Constitutional rights, and rights guaranteed by international human rights treaties.

The Director of the TSA’s Office of Civil Rights and Liberties refers vaguely and inaccurately to “our letter expressing concerns about recent press reports” (in fact, our letter said nothing about any press reports), but makes no mention of our complaint that specific TSA practices and procedures are illegal, or what if anything any TSA or DHS compliance, oversight, or enforcement office intends to do about it.

The closest they come to engaging with the basis of our complaint is a sentence only a lawyer could love: “Please note that a passport-issuing country is not coextensive with a person’s national origin.”  It remains to be seen what they think is better evidence of national origin than a passport.  Will they issue yet another new travel credential by which someone with a Pakistani passport can establish, for example, that their nation of “origin” is India, and thus that they are not “from” a “country of interest”?  Or vice versa? What are they thinking?

They also completely ignore our mention of international treaties, which are likely to become a growing issue not just for the DHS and TSA but for their counterparts imposing similar restrictions on freedom of movement in other countries, such as mandatory submission to virtual strip searches.

We’ve sent the TSA and DHS a follow-up letter reminding them that we still expect, and are entitled to, a response.

Meanwhile, the DHS has announced similar procedures for more intrusive search and perhaps interrogation of travelers “coming from” a larger list of “countries of interest”.    It’s unclear — since of course the procedures aren’t enforceable rules and are being kept secret, whether “coming from” means having flown directly from, having visited earlier on the same trip, having visited within a specified time period (the life of the current passport?), having ever in one’s life visited, or carrying a passport issued by any of these countries.  These new procedures have prompted a more recent joint complaint similar to ours from a broad coalition of civil rights organizations, as well as separate complaints from some of these groups.