Travel Data and Privacy

by Edward Hasbrouck, "The Practical Nomad"

1. Why does the privacy of travel data matter?
2. Current USA government proposals for access to travel data
3. What will happen next?
4. What can be done?
5. Links to documents and background material

Why does the privacy of travel data matter?

As I wrote in 2001 in TThe Practical Nomad Guide to the Online Travel Marketplace, "Privacy is the Achilles heal of travel planning."

Travel data is the largest, most sensitive, and most significant category of personal information not yet subject, in the USA, to any sector-specific Federal privacy regulations (such as apply to legal, financial, and medical information). This is in marked contrast to other countries, most of which (A) have comprehensive national privacy legislation (which the USA does not) and (B) have recognized the significance of travel data by putting it in the forefront of their privacy-protection systems. Canada, for example, included airlines (and, to the extent they function as agents of the airlines, travel agencies) in the first phase of its ongoing implementation of its Personal Information Protection and Electronic Documents Act -- three years earlier than entities in most other sectors deemed less critical to personal privacy were required to have complied with that Act.

Passenger Name Records (PNR's) maintained by airlines, computerized reservations systems or "global distribution systems" (CRS's/GDS's), and travel agencies don't just contain flight reservations and ticket records. They include car, hotel, cruise, tour, sightseeing, and theater ticket bookings, among other types of entries.

PNR's show where you went who went, when, with whom, for how long, and at whose expense. Behind the closed doors of your hotel room, with a particular other person, they show whether you asked for one bed or two. Through departmental and project billing codes, business travel PNR's reveal confidential internal corporate and other organization structures and lines of authority and show which people were involved in work together, even if they travelled separately. Particularly in the aggregate, they reveal trade secrets, insider financial information, and information protected by attorney-client, journalistic, and other privileges.

Through meeting codes used for convention and other discounts, PNR's reveal affiliations -- even with organizations whose membership lists are closely-held secrets not required to be divulged to the government. Through special service codes, they reveal details of travellers' physical and medical conditions. Through special meal requests, they contain indications of travellers' religious practices -- a category of information specially protected by many countries.

Current USA government proposals for access to travel data

Efforts are ongoing by three different agencies of the government of the USA to gain access to airline and other travel reservation data. (Although these agencies were part of three different Federal agencies, all three were transferred to the new Department of Homeland Security, DHS, effective 1 March 2003.)

The U.S. Customs Service has demanded the ability to view any Passenger Name Record (PNR) of interest, on all inbound international flights to the USA. This demand has been the subject of extensive negotiations with the European Union (EU) working group on data privacy. While the U.S. Customs Service has announbced a (tentative and reluctant) agreement for acccess to PNR's for flights from the EU to the USA, the agreement has yet to be ratified by the European Parliament or any of the EU legislatures, and would require assurances and safeguards on release of information that Customs has yet to implement. In interviews with the New York Times in late February 2003, after the tentative agreements were announced, both the Privacy Commissioner of Canada and the president of the Data Protection Authority of the Netherlands continued to criticized the U.S. Customs Service proposals as an invasion of their countries' citizens' privacy, and contrary to their countries' privacy laws. And on 3 March 2003, the President of the EU Working Group on Data Protection requested that access to PNR's by the USA government be postponed until the matter could be considered further by the EU Data Protection Working Group.

The U.S. Bureau of Citizenship and Immigration Services, BCIS (formerly the Immigration and Naturalization Service, INS), has proposed to require all international airlines to provide the BCIS with passenger manifests. Although the manifest is not the complete PNR, and includes only a few specified fields, the BCIS proposal has been opposed by the International Air Transport Association (IATA) as potentially incompatible with the EU Data Privacy Directive.

By far the most sweeping of these travel data access proposals, however, are those made on behalf of the Transportation Security Administration, TSA (formerly part of the Department of Transportation, DOT), for an "Aviation Security Screening Records (ASSR)" system. Despite the name, neither the data incorporated into the system, nor its uses, would be limited to those relevant to security screening. Under these proposals, the TSA would be given access to all data in PNR's of all passengers on all flights to, from, or within the USA, along with a wide range of other data including "associated data", "financial and transaction data; public source information; [and] proprietary data".

Tens of millions of airline PNR's, involving a significant fraction of the citizens and residents of the USA as well as vast numbers of current and prospective foreign residents and visitors, are active at any given time. The proposed ASSR system would almost certainly contain data on more people than any other system of records exempt from the Privacy Act, and result in one of the largest, and most intimately revealing, government databases about individuals and their movements, activities, interests, associations, and behaviors.

Under the ASSR proposals, this data would be freely disclosable to any "agency of the Intelligence Community" or any foreign government (with no obligation on them ever to purge the information), would be exempted from the Privacy Act (so that those about whom records are kept would be unable to determine that fact), and could be used, apparently, as the basis to deny transportation to people determined (by secret procedures, based on this data) to constitute a "potential" risk to air transportation.

(In an interview concerning the ASSR proposals, DOT spokesperson Chet Lunner confirmed to me that there is already a "no-fly" list, and that one of the criteria used to determine who is on that list is what countries they have visited in the past. And in response to EFF co-founder John Gilmore's pending lawsuit in federal court in San Francisco challenging the requirement for air travellers to show government-issued photo ID, the government has argued that the reason for the ID requirement is to enforce the no-fly list.)

As my comments filed on the TSA proposals discuss in more detail, the proposals incorporate, in the guise of an aviation security system, most of the features and types of data which were to have been included in the "Total Information Awareness" program killed by the U.S. Congress in early February 2003. The proposals are also incompatible with Canadian, European Union, and possibly other countries' privacy laws, and could thus make it impossible to operate flights between the USA and Canada, or the USA and the EU, without violating the laws (and the rights of citizens) of one or the other (or both) of the jurisdictions -- a point which was raised by British Airways in their attorneys' comments on the TSA proposals. The TSA proposals have not yet been submitted to the Canadian or EU privacy authorities, and are unlikely to meet with their approval unless drastically modified.

According to DOT spokesperson Chet Lunner, the proposed TSA database would be the basis for the enhanced "version 2", CAPPS-II, of the Computer-Assisted Passenger Pre-Screening (CAPPS) system -- winner of the 2002 USA "Big Brother Award" from Privacy International as "Most Invasive Proposal" -- as well as the government's "no-fly list" and "watch list" for travellers, whose constitutionality is currently under challenge in a Federal lawsuit brought by Electronic Frontier Foundation co-founder John Gilmore.

To date, every public comment filed with DOT concerning the ASSR and CAPPS proposals has requested that the proposals be entirely withdrawn. In addition to my detailed comments opposing the proposal and those of British Airways, comments opposing the proposals have been filed by more than 100 individuals and organizations, including the Electronic Privacy Information Center (EPIC), the Center for Democracy and Technology (CDT), Privacilla.org, the American Civil Liberties Union (ACLU), and a coalition of privacy organizations including the Electronic Frontier Foundation (EFF), Privacy Activism, the Privacy Rights Clearinghouse, the Cyber Privacy Project, and CASPIAN.

Unless postponed by the Department of Transportation (which published the original proposals on behalf of the TSA, although the TSA is now part of the DHS), or enjoined by a court, the ASSR proposal was scheduled to take effect Monday, 24 February 2003. But it was only filed in the DOT online docket on Friday, 21 February 2003, so the comment period will probably have to be extended. As of 3 March 2003, comments are still being accepted and docketed.

What will happen next?

The government is talking out of both sides of their mouth as to their plans for the ASSR and CAPPS-II systems. Under the law cited as authority for the proposals, the final regulations must be published, and Congress must be notified, at least 30 days before the rules take effect. But in the same interview with me on 3 March 2003, DOT spokesperson Chet Lunner told me (1) that the ASSR proposal would be revised and republished for another round of comments (which would delay its legally effective date for at least 30 days), and (2) that CAPPS-II tests, including use of the ASSR database, would begin by the end of March 2003 (less than 30 days later). I can't find a way to interpret his statements, read in conjunction, as anything other than a deliberate statement of intent to defy the law requiring 30 days notice to Congress and the public of the final rule.

Mr Lunner at DOT had no comment on the apparent contradiction in his statements, referring that question to the TSA. In any event, there's been no official or legal notice that the proposal has been withdrawn. The TSA has now been transferred from DOT (which published the original proposals on behalf of the TSA) to the new Department of Homeland Security. The TSA hasn't returned my calls, and I haven't yet gotten any statement from the DHS or TSA as to how they intend to proceed. Mr. Lunner at DOT said that CAPPS-II, including the ASSR database, will be deployed and tested by Delta Airlines at San Jose (CA) International Airport and two other unspecified airports by the end of March 2003.

According to Mr. Lunner, Delta will be providing Privacy Act notices to all passengers subject to CAPPS-II, and whose reservation and other data might be stored by the TSA in the ASSR system. Under the Privacy Act, such notices must be provided before the information is collected, which won't be possible for reservations that have already been made. (Mr. Lunner said that the information will be transferred to the TSA as soon as the reservation is completed.) Privacy Act notices must indicate exactly what information is actually required, and the consequences of not proving that information, neither of which has yet been spelled out by the TSA, either in their legal filings or their press briefings.

By implementing the CAPPS-II systems and passing data to the TSA for inclusion in ASSR databases, before the completion of the Federal rulemaking and comment period, Delta would be risking catastrophic liability for breach of privacy and breach of contract, particularly for reservations already made under confidentiality agreements between travellers, travel agencies, CRS's/GDS's, and airlines. If the proposals prove incompatible with EU and/or Canadian privacy law, as is overwhelmingly likely, Delta could lose the right to operate flights to the European Union and/or Canada. By volunteering to test the CAPPS-II system, and to transfer passenger data to the TSA, before the rulemaking and approval process for the data transfer has been completed in the USA, Canada, or the EU, Delta is -- if the law in enforced in any of these jurisdictions -- committing financial suicide.

What can be done?

• Anyone (whether or not they are a citizen or resident of the USA) can still file comments on the DOT/TSA proposals.
• Delta Airlines passengers -- especially those travelling to or from San Jose (CA) International Airport, the only airline and airport revealed to be part of the initial deployment of CAPPS-II -- should insist on a complete Privacy Act notice, explaining what information will be transferred to the government, what they will do with it, the basis for requiring the information, and the consequences of not providing the information -- before your reservation is completed. If you don't receive such a notice when you make a reservation with Delta for travel to or from San Jose after 1 April 2003 (by which time they have said CAPPS-II will be in operation), you may be able to sue under the Privacy Act.
• Travel agencies should demand that Delta provide them with Privacy Act notices to provide their customers before they make reservations on Delta, and should advise Delta that until they receive those notices they will not be legally allowed to make bookings on Delta, especially to or from San Jose for travel after 1 April 2003.
• Corporations, travel agencies, and individual travellers can let Delta and the CRS's/GDS's know that their corporate travel records are subject to nondisclosure agreements, and that if Delta will not respect those contractual commitments not to disclose confidential travel records, they will be contractually precluded from doing business with Delta.
• Citizens of Canada or the European Union should ask your national data privacy protection authorities to refuse to allow airlines and CRS's/GDS's that transfer data to the USA government in violation of your national and EU privacy laws to continue to operate in your country.
• Canadian and EU privacy law enforcement agencies, and enforcers of nondisclosure contracts and the Privacy Act in the USA, can seek appropriate sanctions against Delta and the TSA -- including revocation of licenses for Delta to operate in Canada and the EU, and invalidation of the ASSR regulations -- for implementing the CAPPS-II and ASSR systems in defiance of the law.

Links to documents and background material

• Transportation Security Administration (TSA) Proposals on Travel Data:
  • Proposal to Establish the "Aviation Security Screening Records "(ASSR) System
    (Docket No. OST-1996-1437-11, 68 Federal Register 2101-2103)
  • Proposal to Exempt the ASSR System from the Privacy Act
    (Docket No. OST-1996-1437-9, 68 Federal Register 2002)

• Comments of Edward Hasbrouck, travel consumer privacy advocate and author of "The Practical Nomad"
  (Docket No. OST-1996-1437-81)
• Comments of the Electronic Frontier Foundation (EFF), Privacy Activism, Privacy Rights Clearinghouse, Cyber Privacy Project, CASPIAN, and Michael Stollenwerk
  (Docket No. OST-1996-1437-12)
• Comments of British Airways
  (Docket No. OST-1996-1437-87)
• Comments of the American Civil Liberties Union (ACLU)
  (Docket No. OST-1996-1437-98)
• Comments of John Gilmore
  (Docket No. OST-1996-1437-105)
• Comments of the Electronic Privacy Information Center (EPIC)
  (Docket No. OST-1996-1437-107)
• Comments of the Center for Democracy and Technology (CDT)
  (Docket No. OST-1996-1437-108)
• Comments of Christopher Effgen
  (Docket No. OST-1996-1437-117)
• Comments of Privacilla
  (Docket No. OST-1996-1437-127)
• Complete Index of Public Comments
  (Docket No. OST-1996-1437; includes more than 100 other individual comments)
• Comment Submission Form
  (enter "OST-1996-1437" as the "Docket ID", and "OST" as the "Operating Administration")

• Comments of the International Air Transportation Association (IATA) on the INS (now Bureau of Citizenship and Immigration Services, BCIS) Proposal for Access to Passenger Manifests on International Flights to the USA:
• 3 January 2003

• Electronic Privacy Information Center (EPIC):
  • Air Travel Privacy
  • EU-USA Airline Passenger Data Sharing
• Privacy Activism:
  • CAPPS
  • CAPPS-II: What's New?
• American Civil Liberties Union (ACLU):
  • ACLU news release on ASSR comments
  • ACLU news release on CAPPS-II
• Privacilla
• Cryptome: Gilmore v. Ashcroft -- FAA ID Challenge
• Boycott Delta
• Statewatch: monitoring the state and civil liberties in the European Union
• European Commission -- Data Protection
• Office of the Privacy Commissioner of Canada

• Who's Watching You While You Travel?
• Travel Safety and Civil Liberties: Fear vs. Danger
• Flying on 11 September 2002: "They couldn't give the tickets away."
• Should we still travel, after what happened 11 September 2001?
• Key advice about consumer protection, privacy, and security in Internet travel planning and purchasing
  (from "The Practical Nomad Guide to the Online Travel Marketplace")

updated version of this article:
http://hasbrouck.org/articles/travelprivacy.html

Contact for media interviews and more information:
Edward Hasbrouck
author, The Practical Nomad
San Francisco, CA, USA
telephone +1-415-824-0214 edward@hasbrouck.org http://hasbrouck.org

Copyright (c) 2003 Edward Hasbrouck