Jan 12 2015

Wikileaks publishes CIA reports on travel ID checks

Wikileaks has published two internal briefing documents produced for the use of CIA undercover agents, describing the methods used by airlines and governments to identify international travelers.

Both of these reports were produced as part of the CIA’S previously-unknown CHECKPOINT program of travel ID-related activities:

This product has been prepared by CIA’s CHECKPOINT Identity and Travel Intelligence Program. Located in the Identity Intelligence Center (i2c) within the Directorate of Science and Technology, CHECKPOINT serves the Intelligence Community by providing tailored identity and travel intelligence products. CHECKPOINT collects, analyzes, and disseminates information to help US intelligence personnel protect their identities and operational activities while abroad.

One of the reports, “Surviving Secondary“, describes ID-related “secondary screening” procedures at international airports, with examples from the US, EU, and other countries around the world.  The other report is an overview of, “The European Union’s Schengen biometric-based border-management systems.”

Most of the airline and government profiling and “screening” activities described in the reports, are already well-known.  These include many of the ways that governments obtain and use Passenger Name Record (PNR) and Advance Passenger Information (API or APIS) data derived form airline reservations.

But these newly-released reports also confirm that the CIA (and the other agencies with which the reports have been shared within the US government) are aware of some airline and government activities and some vulnerabilities for travelers which we and others have complained about, but which the US government has not previously acknowledged.

One problem confirmed by the CIA report on secondary screening is that government agencies can, and routinely do, obtain and use PNR, API, and other airline data, without legal authority or due process:

Security services lacking APIS or PNR information may have other arrangements to receive passenger manifests ahead of time. For example, the Airport Police Intelligence Brigade (BIPA) of the Chilean Investigative Police does not routinely obtain advance passenger manifests but can request the information from airlines on an ad hoc basis to search for targets of interest. Strict privacy laws covering Danish citizens extend to all passengers traveling through Copenhagen airport such that the Danish Police Intelligence Service (PET) cannot legally obtain routine access to flight manifests. However, if one of PET’s four cooperative airline contacts is on duty, the service can unofficially request a search on a specific name, according to August 2007 liaison reporting.

Airline data obtained by government agencies through these extrajudicial channels is used for profiling and targeting of searches, questioning, and other adverse actions against travelers.

This practice is illegal in many of the countries where it is routine, but typically occurs without leaving a trace.  Many airline staff are willing to betray their customers’ privacy to government agencies. And because no records are kept of who accesses PNR data, both government agents and their airline collaborators know that they are unlikely to be held accountable unless they confess or are caught in the act.

The persistence of routine “informal”, often illegal, and almost always unrecorded government access to airline data about travelers highlights a crucial issue we’ve been talking about for years: the complete absence of access logging in the architecture of the computerized reservation systems (CRSs) which host airlines’ PNR databases.  CRSs have PNR change logs, but no PNR access logs.

Governments and travelers must demand that CRSs add comprehensive access logging to their core functionality for PNR hosting. That won’t stop the problem. Airline staff will still be able to show government agents printouts or let them look at displays, with only the airline personnel’s  access being logged. But access logs will help, and are an essential first step toward control of PNR data “leakage”.

The CIA report on secondary screening also confirmed that the CIA is aware of the sensitivity and use by European governments (and presumably other governments) of associational information contained in fare basis codes, ticket designators, and travel agency IDs:

April 2007 reporting resulting from a liaison exchange with the Hungarian Special Service for National Security (SSNS) provides insights into factors considered by officers at Ferihegy airport in Budapest, Hungary when examining tickets. Officers check … whether the ticket fare code represents a government or military discount, or whether a government travel agency booked the ticket. Hotel and car reservations are similarly examined for unusual discounts or government affiliation.

Of course, the same PNR data elements and pricing and ticket designators can reveal other, non-governmental, affiliations between travelers and with other individuals and groups. If an airline gives a discount to members of a political organization, trade union, or other group attending a convention or meeting, for example, each PNR and ticket for a member who receives the discount typically includes some unique code.

Despite complaints, including ours, both US and European officials have denied that ticket designators and similar codes in PNRs can reveal sensitive associational data.  Now we know that this information is already being used by European governments, and that the CIA is aware of these uses.  There’s no more excuse for pretending that these data elements are innocuous or that they can be “shared” without risk to travelers.