[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Travel Privacy

Since the terrorist attacks of September 11, 2001, one of the greatest fears of security officials in the world has been that would-be terrorists would board commercial airline flights without their malicious intentions being detected in advance. As a result, several countries have placed a high priority on identifying, tracking, and profiling travelers, especially air travelers.

Travelers and workers at transportation facilities such as airports have come to be regarded as objects of suspicion, potential terrorists, and targets of surveillance. Security agencies have sought access to reservations and other travel data collected for commercial purposes; compulsory identification of travelers and travel and transportation workers; mandatory collection of additional traveler data and compilation of personal travel dossiers; and deployment of new technologies for real-time tracking and logging of travelers' movements. For example, officials at the United Kingdom's Manchester Airport are requesting the permanent application of a recently completed a six-month trial where 50,000 people were tracked with RFID technology.[582] All passengers would receive RFID-enabled boarding passes; even those who print out boarding passes at home would have RFID tags attached at the airport. Officials say this would improve security by making it possible to detect any entering an unauthorized area; however, it would be easy for a criminal to merely throw away the boarding pass to avoid being tracked.

Fear is not necessarily proportional to actual danger,[583] and it is not clear that these policy and procedural changes are the outcome of a considered evaluation of risks, benefits, and trade-offs.[584] But whatever the motivation or effectiveness for their declared purposes, these aviation and transportation "security" measures create substantial potential for both commercial and government misuse of personal travel data. Taken together, they could – if successful – lead to the creation of a global infrastructure of surveillance of the movements of persons, incorporating both the travel industry and government agencies.

Privacy Protection for Commercial Travel Records

The privacy of travel records has been less well protected than that of any comparably sensitive category of commercial data. Existing travel industry norms for personal data handling fail to provide the level of protection provided for other categories of data, and required by generally accepted norms of data protection. Even in jurisdictions where data protection laws include travel data, enforcement against violations by the travel industry has been lax.

Reservation and transaction records created by travel companies for commercial purposes contain intimate personal information about airline (and sometimes intercity train and bus) travelers and their movements, as well as personally identifiable information about third-party ticket purchasers, travel industry personnel involved in making and changing reservations, and other business and personal associates of travelers.[585]

Reservation data or one or more people traveling on the same itinerary is stored in a Passenger Name Record (PNR), which typically contains names of travelers and details of flights, hotels, car rentals, and other travel services. PNRs can also contain residential and business postal and e-mail addresses and phone numbers, credit card details, and names and personal information of emergency contacts. Through billing, meeting, and discount eligibility codes, PNRs contain information about memberships and organizational affiliations. Since a single PNR typically is used for an entire travel party, PNRs contain detailed information on patterns of association between travelers. PNRs can contain religious meal preferences and special service requests that describe intimate details of physical and medical conditions (e.g., "Uses wheelchair, can control bowels and bladder") – categories of information that have special protected status in the European Union and some other countries as "sensitive" personal data.

Airlines and travel agencies around the world, even those that compete with each other, have long been part of an integrated global network of reservation systems. Most of these systems predate current norms of data protection. While PNR formats vary, "interline" agreements between airlines, joint industry ticketing and financial clearinghouses, and industry-standard protocols[586] facilitate easy global sharing of PNR data.

Most of the world's airlines and travel agencies outsource hosting of their PNR databases to one of four companies: Sabre, Galileo (a division of the Cendant Corp.), Worldspan, and Amadeus. These Computerized Reservation System (CRS) or Global Distribution System (GDS) companies function both as data warehouses and data aggregators, and have a relationship to travel data analogous to that of credit bureaus to financial data. After the completion of a trip, copies of PNRs are "purged" from live to archival storage systems, and can be retained indefinitely by CRSs, airlines, and travel agencies.

Unlike medical and financial data, travel data has not generally been legally recognized as posing special privacy issues, or afforded any special protection. PNRs and ticketing records had been regarded as simply another category of commercial transaction data.

In many countries airlines and travel agents are overseen by different government agencies than other businesses, and few if any aviation regulatory agencies include data protection divisions or enforcement staff. In the US, for example, most consumer privacy policies are enforced by state and local consumer protection authorities and the Federal Trade Commission (FTC). But enforcement of privacy policies by airlines and travel agencies, and of compliance by airlines and travel agencies with the EU-US Safe Harbor arrangement,[587] is under the exclusive jurisdiction of the Department of Transportation (DOT). The DOT has no staff dedicated to consumer privacy or data protection, and has never brought an enforcement action for violation of a privacy policy or of the Safe Harbor arrangement.

The International Civil Aviation Organization (ICAO) has adopted a model Code of Conduct on the Regulation and Operation of Computer Reservation Systems (CRS) that aims at safeguarding privacy.[588] However, the ICAO Code of Conduct on the Regulation and Operation of Computer Reservation Systems has not been widely adopted by ICAO member states. CRSs operate under government regulations in the US[589] and Canada,[590] but those regulations include no provisions related to privacy or data protection.

The European Union Code of Conduct for Computerized Reservation Systems, Article 5(d), provides that, "personal information concerning a consumer and generated by a travel agent shall be made available to others not involved in the transaction only with the consent of the consumer."[591] But there is no record of any enforcement action ever having been taken under this section, despite a history of widespread and systematic violations by all four major CRSs.

National data protection authorities in Belgium (on the complaint of data subjects, including a Member of the European Parliament)[592] and France[593] have ruled that transfers of PNR data by airlines to US government agencies without passengers' consent are illegal. Additional citizen complaints against airlines for violations of national data protection laws have been made in Spain[594] and the Netherlands.[595] However, no corrective action or change in data sharing practices has been ordered as a result of any of these enforcement proceedings.

Like the ICAO standards, the recommendations of the Passenger Services Conference of the International Air Transportation Association (IATA) are only advisory. In addition, they relate only to the conduct of IATA member airlines and not to travel agencies or CRSs. Even if followed, the IATA recommendations serve more to legitimate than to limit airlines' transfers of passenger data to government agencies.[596]

Privacy of Travel Records Since September 11, 2001

Almost immediately after September 11, 2001, airlines and the US government – often in collaboration, and of necessity involving the CRSs in their work – began accessing and using archived PNRs to investigate the hijackings and to test the possibility of identifying "suspicious" travelers through PNR profiling. Most of the major US-based airlines and CRSs, and a variety of US government agencies and contractors, were involved in these investigations and experiments over the next two years.[597] All of these tests were conducted at the time in secret, without notice to, or consent of, the data subjects, and in most cases – except the initial investigation of the events leading up to September 11 – without warrants or subpoenas. They were gradually revealed to the public as a result of US Freedom of Information Act (FOIA) requests and lawsuits, Congressional questioning, investigative journalism, and admissions by airlines. Governments, airlines, and CRSs in other countries were pressured by the US to cooperate in providing reservation data for these programs, irrespective of national data protection laws against such use without travelers' prior consent.

These profiling systems and tests have not been shown to be effective in identifying would-be terrorists from reservation data, either alone or in conjunction with other databases.[598] It's impossible to identify from a PNR in what country (or countries) the data it contains was collected, so each of these tests probably included data subject to many international jurisdictions. The US government proceeded with these tests without waiting for any of the legal changes needed to harmonize them with any other countries' laws. Nonetheless, the US and some other governments have, after the fact, sought to modify existing data protection rules and industry standards to mandate – or failing that, at least to permit – government access to PNR data in order to attempt to identify "suspicious" travelers.

As of June 2006, 34 countries had CRS/API sharing systems, in various stages of implementation.[599] Currently, only the United States, Canada, Australia and New Zealand have legislation in place that makes government access to airline reservation data mandatory. A number of other States are exploring this process.[600]

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) was amended in 2001 by Bill C-44 to allow Canadian airlines to provide foreign governments with "any information . . . relating to persons on board or expected to be on board the aircraft and that is required by the laws of the foreign state."[601] The PIPEDA was further amended in 2004 by Bill C-7 to expand the exemption of travel data.[602] Bill C-7 in particular provoked considerable criticism, including opposition from the Canadian Bar Association.[603] Both bills were widely characterized as Canada's counterparts to the USA PATRIOT Act. In May 2004, the European Commission approved a conditional finding that the level of protection afforded to PNR data transferred to the US Department of Homeland Security (DHS) Bureau of Customs and Border Protection (CBP) satisfies the standard of "adequacy" required by the EU Data Protection Directive,[604] on the basis of which the Council of the European Community signed an agreement purporting to authorize PNR transfers to the US, if certain conditions were met.[605]

The finding of adequacy was contrary to the formal opinion of the working party of EU national data protection officers.[606] Both the agreement and the finding of adequacy of protection of PNR data in the US prompted extraordinary public controversy within the EU and conflict between EU institutions. Privacy advocates on both sides of the Atlantic denounced both.[607] In June 2004, the President of the European Parliament moved the Court of Justice of the European Communities, on behalf of the Parliament, to annul both the agreement and the adequacy finding.[608]

The stated goal of the US government is the adoption of permanent international standards overriding existing national data protection laws, and mandating access to PNR data by all governments worldwide.[609] In June 2007, the US and the EU formed a new PNR sharing agreement that reduces the amount of personal data collected by US law enforcement, and sets out some redress for EU citizens. However, the agreement still contains a lengthy retention period for the data.[610] The agreement has been met with sharp criticism from the European Parliament.[611] In a letter to the EU's Minister of the Interior, European Data Protection Supervisor Peter Hustinx outlined four areas of “grave concern” with the new agreement: the lengthened retention period for PNRs, the US' use of letters to avoid a binding agreement, the lack of a “robust” system of redress, and the possibility of US data sharing between an undisclosed number of agencies.[612]

The new EU-US agreement reduces the 34 pieces of data on passengers previously collected by US law enforcement authorities to 19 data fields, including name, contact data, payment details, and itinerary information. The agreement also extends access to PNR information to EU citizens consistent with the provisions in the US Privacy Act and the Freedom of Information Act. The agreement does not, however, go so far as to extend the full protections of the Privacy Act. In a letter attached to the agreement, the US states that the Department of Homeland Security “had made a policy decision to extend administrative Privacy Act protections to PNR data” of non-US citizens and that all individuals have access to the DHS' redress system developed for travelers. Finally, a US letter sent with the agreement states that PNR data will be retained for a minimum of 15 years.

Measures for Tracking and Monitoring of Travelers

In addition to seeking access to existing PNRs, some governments have sought to require data in PNRs beyond that which would otherwise be entered for commercial purposes; to modify PNR formats to facilitate desired government uses of PNR data; and/or to require airlines to transmit additional Advance Passenger Information (API) data collected solely to satisfy government demands.[613] While API data is typically described as corresponding to the information that could already be gleaned from travelers' tickets and passports, the majority of the categories of PNR and API data sought by the US cannot be obtained from current travel documents.[614]

These governmental initiatives have been led primarily by the US and, within the EU, by Spain.[615] In April 2004, a Spanish proposal that all airlines operating to, or within, the EU be required to collect and transmit to the governments of destination countries information concerning all passengers, was adopted by the Council of the European Union over the objections of the European Parliament committees that had considered it.[616]

Canadian customs and immigration agencies have developed and deployed their own airline reservation profiling software and algorithms, but use "risk management criteria that are common to both countries" to determine what travel data to share with the US.[617]

Australia has mandated that all airlines provide the government with continuous real-time access to their reservations systems, and has implemented an automated profiling system, based on certain elements of PNR and API data, which selects certain reservations for review and possible action by customs officers.[618] In New Zealand, government access to PNR and API data has been limited to international flights, and law enforcement authorities have used the advance passenger processing system developed by Australia. The New Zealand government has sought, but has not yet obtained, legal authority to issue "do not board" orders to airlines on the basis of automated analysis of PNR and API data.[619]

The US has imposed a requirement for collection and automated transmission of API data on all international flights to the US, and has pursued multilateral agreements on API data transfers with the EU (as part of the PNR agreement), the G-8[620] and, globally, through ICAO.

The US has also proposed to use secret security directives to impose both the requirement for travelers to display evidence of their identity and the requirement for airlines and travel agents to create a PNR containing specified identifying information for each traveler, concealing the details of the requirements from the public and frustrating judicial review. A federal court has found that such identification requirements do not violate constitutional guarantees against unreasonable search and seizure.[621]

Government Watch Lists and Passenger Profiling

Watch lists and databases were used before the September 11, 2001 attacks, but they have grown immensely since that time. The lists and databases are created in the belief that if you know the person, then you can predict whether he will commit a crime. This has been disproved many times.[622]

Since 2004, the Canadian government has been developing a National Security Policy to prepare for "current and future threats."[623] The Policy includes an "Integrated Threat Assessment Centre" to collect and analyze intelligence regarding national security, a Cyber-Security Task Force; and a Real Time Identification (RTID) Project for fingerprint identification. Included in the Canadian National Security policy is a system of watch lists of undesirables.

In the US, the Transportation Security Administration (TSA) administers two lists: a "no fly" list and a "selectee" list.[624] The lists are sent to the airlines, which run passenger names against the lists. When a passenger checks in for a flight, he may be labeled a threat if his name matches an entry on one of the watch lists, even if he is not the person actually on the list. Many travelers, including US senators, have reported problems with being mistakenly matched to names on watch lists. An April 2006 report by the Department of Homeland Security's Privacy Office on the impact of the watch lists explained that "individuals who are mistakenly put on watch lists or who are misidentified as being on these lists can potentially face consequences ranging from inconvenience and delay to loss of liberty."[625]

In February 2006, there were 325,000 names on the watch lists, according to the National Counterterrorism Center, and the director of TSA's redress office has revealed that more than 30,000 people who are not terrorists have asked the agency to remove their names from the lists since September 11, 2001.[626] In January 2007, the head of TSA said that the watch lists were being reviewed, and he expected to cut the list of names in half.[627] However, he has not disclosed details, such as what the criteria would be for removing a name or when the review would be complete. These reports show that the watch lists are rife with mistakes and "false positives."

The watch lists and risk assessments of passengers remain shrouded in secrecy. In 2004, a civil liberties activist in the US filed a lawsuit against the US government after he was denied the ability to board a plane after he refused to provide a photo identification card to airport security.[628] TSA also refused to reveal the "secret" regulations governing passenger identification. Gilmore sued, claiming his right to travel anonymously and a due process right to know the regulations he was expected to follow. A federal appeals court denied his claim in 2006, and the US Supreme Court refused to hear the case in 2007.[629]

Passenger Prescreening Programs

A variety of passenger prescreening systems use the watch lists to try to guess whether travelers are terrorists. In Canada, there is the Passenger Protect program. In the US, such programs include CAPPS II, Secure Flight and the Automated Targeting System.

In June 2007, Transport Canada began the Passenger Protect program. It is described as "an aviation security initiative aimed at keeping people who may pose an immediate threat to aviation security from boarding a flight," and includes four key elements, namely, identity screening regulations, specified persons list, reconsideration and appeals, privacy and human rights.[630] The Passenger Protect Program has been severely criticized. In June 2007, the federal and all provincial and territorial Privacy Commissioners released a joint statement calling on the federal government to "suspend the new no-fly list program, Passenger Protect, until it can be overhauled to ensure strong privacy protections for Canadians, ... [as it i]nvolves the secretive use of personal information in a way that will profoundly impact privacy and other related human rights such as freedom of association and expression and the right to mobility." The Commissioners also asked for an assurance that names of individuals identified on its no-fly list will not be shared with other countries.

Computer Assisted Passenger Screening System (CAPPS II), a system of automated identity- and reservation-based profiling, was proposed by the US government in January 2003 for flights to, from, and within the US.[631] In 2004, the US government announced its decision to abandon the program.[632] CAPPS II would have profiled each passenger and assigned them a risk or "suspiciousness" score on the basis of their identity as determined from their PNR. Department of Homeland Security Secretary Tom Ridge said that privacy concerns surrounding the pilot program coupled with ongoing Congressional doubts about the effectiveness of the program contributed to the decision.[633] However, civil liberties organizations and air travel experts expressed skepticism about the announcement and said that CAPPS II was simply being renamed or merged into other programs, and that the US government would continue to pursue its essential functionality: mandatory identification of all air travelers, entry of identifying data into reservations, and government access to those reservations.[634]

Critics said that many of the privacy and security problems of CAPPS-II remain in its successor, passenger-prescreening program Secure Flight.[635] On August 26, 2004, The Department of Homeland Security Transportation Security Administration announced that the government would begin testing Secure Flight, a new passenger prescreening system, in November.[636] Secure Flight will compare PNRs against information maintained by the FBI’s Terrorist Screening Center, which includes expanded "selectee" and "no fly" lists. TSA will also seek to identify "suspicious indicators associated with travel behavior" in passengers' itinerary PNR data. Furthermore, the agency is testing the use of commercial databases to verify the accuracy of information provided by travelers.[637] TSA will administer the program, removing all passenger screening responsibility from the airlines. The agency also ordered 72 airlines to turn over their passenger records from June 2004 for Secure Flight testing.[638]

Though TSA plans to implement a redress process for travelers improperly flagged by Secure Flight, it is unclear how this process will work. The government has long used "selectee" and "no fly" lists for aviation security purposes, but passengers have experienced great difficulty clearing their names when improperly flagged. In 2002, EPIC obtained through the Freedom of Information Act dozens of complaint letters sent to TSA by irate passengers who felt they had been incorrectly identified for additional security or were denied boarding because of the watch lists. The complaints describe the bureaucratic maze passengers encounter if they happen to be mistaken for individuals on the list, as well as the difficulty they encounter trying to exonerate themselves.[639] Secure Flight was expected to be tested live with two airlines beginning in August 2005. However, Secure Flight was suspended in 2006 after two government reports detailed security and privacy problems. One report found 144 security vulnerabilities.[640] In February 2006, the head of the Transportation Security Administration announced that implementation of Secure Flight would be delayed until 2010, at least five years behind schedule.[641]

In December 2006, it was reported that the Automated Targeting System, which was designed to assign risk ratings to cargo entering the United States, was also being used to assign terrorist ratings to travelers.[642] Such profiling of travelers was reminiscent of now-defunct CAPPS-II and would violate Section 514 of the Department of Homeland Security Appropriations Act. According to one report, "The Homeland Security Department's newly revealed computerized risk assessments of international travelers may violate a specific ban that Congress imposed as part of the agency's budget over the past three years."[643] The U.S. Customs and Border Protection agency disputes this interpretation of the law,[644] and the Department of Homeland Security has described the Automated Targeting System as "one of the most advanced targeting systems in the world."[645]

"Trusted Traveler" Programs

A number of countries have begun using "trusted traveler" programs. Generally, in these programs, travelers submit a great deal of biographic and biometric data to a government agency or a private contractor in exchange for faster, and in some cases less thorough, processing through airport security lines. These programs are "based on the dangerous myth that terrorists match a particular profile and that we can somehow pick terrorists out of a crowd if we only can identify everyone. That's simply not true. Most of the 9/11 terrorists were unknown and not on any watch list," explained security expert Bruce Schneier.[646] He and other critics have contended that these programs are worse for national security because it creates four categories of people: trusted, untrusted, good guys who aren't trusted and bad guys who are trusted. The US government has defined this last category as "'clean skin’ terrorists, those who are not known to authorities and who have no obvious identifiable risk factors," which would make it easy for these terrorists to obtain "trusted traveler" status.[647] Frequent traveler programs involving the collection and use of biographic and biometric data (such as iris scans) include: Amsterdam's Privium,[648] the US's Registered Traveler,[649] the UK's miSenseplus.[650]

[582] David Millward, "Airports to Track Passengers With Radio ID Tags," Telegraph, April 11, 2007 <http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/04/10/nair10.xml>.

[583] Edward Hasbrouck, "Travel Safety and Civil Liberties: Fear vs. Danger" (last updated May 2003) <http://hasbrouck.org/articles/fear.html>; Frank Furedi, "The Only Thing We Have to Fear Is the 'Culture of Fear' Itself," April 4, 2007 available at <http://www.frankfuredi.com/pdf/fearessay-20070404.pdf>.
[584] Bruce Schneier, Beyond Fear: Thinking Sensibly about Security in an Uncertain World (New York 2003).

[585] Hasbrouck, "What's in A Passenger Name Record (PNR)?," <http://hasbrouck.org/articles/PNR.html>.

[586] Such as the ATA/IATA Reservations Interline Message Procedures - Passenger (AIRIMP). Published annually by the International Air Transportation Association (IATA), Montreal and Geneva; available from IATA at <https://www.iataonline.com/Store/Products/Product+Detail.htm?cs_id=9098%2D28&cs_catalog=Publications>. The 28th edition of the AIRIMP, effective June 1, 2004, for the first time added standard formats for transmission between travel agencies, airlines, and CRSs of personal data collected solely for government purposes (see Section 3.14).

[587] <http://www.export.gov/safeharbor/>.

[588] See Article 11: Safeguarding the Privacy of Personal Data: a) States shall take appropriate measures to ensure that all parties involved in CRS operations safeguard the privacy of personal data; b) Air carriers, system vendors, subscribers and other parties involved in air transportation are responsible for safeguarding the privacy of personal data included in CRSs to which they have access, and may not release such data without the consent of the passenger. ICAO Code of Conduct on the Regulation and Operation of Computer Reservation Systems (CRS), adopted by the Council of ICAO June 25, 1996, effective November 1, 1996, available at <http://www.icao.int/icao/en/atb/ecp/CodeOfConduct.htm>; see also Notes on the Application of the Code of Conduct, available at <http://www.icao.int/icao/en/atb/ecp/notes.htm>.
[589] Computer Reservations System (CRS) Regulations, 14 CFR Part 255, 69 FR 975, January 7, 2004, available at <http://www.dot.gov/affairs/Computer%20Reservations%20System.htm>.
[590] Canadian Computer Reservation Systems (CRS) Regulations, SOR/95-275, June 6, 1995, available at <http://laws.justice.gc.ca/en/A-2/SOR-95-275/>, as amended by Regulations Amending the Canadian Computer Reservation Systems (CRS) Regulations, October 23, 2003), available at <http://canadagazette.gc.ca/partI/2003/20031025/html/regle15-e.html>.

[591] Council Regulation (EEC) No 2299/89 of July 24, 1989 on a Code of Conduct for Computerized Reservation Systems, Official Journal L 220 of July 29, 1989, as amended by Council Regulation (EEC) No 3089/93 of 29 October 1993, Official Journal L 278 of November 11, 1993, and Council Regulation (EC) No 323/1999 of 8 February 1999, Official Journal L 40 of February 13, 1999.

[592] Letter from P. Thomas, Président, Commission de la Protection de la Vie Privée, Royaume de Belgique, to Marco Cappato, MEP; January 19, 2004, available at <http://www.radicalparty.org/privacy/etats_un.pdf>.
[593] Commission Nationale de l'Informatique et des Libertés, "PNR: la position de la CNIL sur le transfert de ces informations nominatives," February 24, 2004, available at <http://www.cnil.fr/index.php?id=1017>.
[594] Arturo Quirantes, "Don't Fly My Data," <http://www.cripto.es/nofly.htm>.
[595] Letter from Ulco van de Pol, Vice-President, College bescherming persoonsgegevens, to Northwest Airlines, April 6, 2004, available at <http://www.cbpweb.nl/downloads_uit/z2004-0310.pdf>.

[596] See IATA Recommended Practice 1774, Protection of Privacy and Processing of Personal Data Used In International Air Transport of Passengers and Cargo, defines the purposes for which personal data is presumed to have been provided as including "facilitating immigration and customs procedures, and providing such facilitating data to government agencies." The standard contract terms in IATA Recommended Practice 1724, General Conditions of Carriage (Passenger and Baggage), Article 5.3, Personal Data, grant even broader permission for airlines to transfer reservation data to government agencies: "You recognise that personal data has been given to us for the purposes of . . . making available such data to government agencies, in connection with your travel. For these purposes, you authorise us to retain and use such data and to transmit it to . . . government agencies."

[597] John Schwartz and Micheline Maynard, "F.B.I. Got Records on Air Travelers", New York Times, May 1, 2004, available at <http://www.nytimes.com/2004/05/01/politics/01AIRL.html>; American Airlines, "American Airlines Passenger Data Released In June 2002," press release, April 9, 2004, available at <http://www.aa.com/content/amrcorp/pressReleases/2004_04/09_aai.jhtml>; Electronic Privacy Information Center (EPIC), Northwest Airlines' Disclosure of Passenger Data to Federal Agencies <http://www.epic.org/privacy/airtravel/nasa/>; US Senate Committee on Governmental Affairs, Pre-hearing Questionnaire for the Nomination of Admiral David Stone to be Assistant Secretary of Homeland Security, Transportation Security Administration, June 24, 2004, answer to question 16 available at <http://a257.g.akamaitech.net/7/257/2422/27sep20041200/www.access.gpo.gov/congress/senate/pdf/108hrg/95192.pdf>; see also responses to additional questions <http://www.epic.org/privacy/airtravel/stone_answers.pdf>; Hasbrouck, "Total Travel Information Awareness" (last updated 25 June 2004), <http://hasbrouck.org/articles/travelprivacy.html#testing>.

[598] General Accounting Office, Aviation Security: Computer-Assisted Passenger Prescreening System Faces Significant Implementation Challenges, GAO-04-385, February 12, 2004, available at <http://www.gao.gov/new.items/d04385.pdf>.

[599] Thomas Marten, “Straightforward Transportation Security: Using Technology to Facilitate Better Business,” International Airport Security Conference, June 1, 2006, available at <http://64.233.169.104/search?q=cache:lHiCcwNTCSYJ:www.iaae.org/meetings/london/martenSITAIntAirportSecurityPresentation.ppt+PNR+and+API+new+zealand&hl=en&ct=clnk&cd=3&gl=us&client=firefox-a>.
[600] Airline Reservation System and Passenger Name Record (PNR) Access by States, Working Paper FAL/12-WP/74, presented by IATA to the 12th Session of the ICAO Facilitation (FAL) Division, Cairo, March 15, 2004, available at <http://www.icao.int/icao/en/atb/fal/fal12/documentation/fal12wp074_en.pdf>.

[601] An Act to Amend the Aeronautics Act, S.C. 2001, c.38, enacted December 18, 2001, available at <http://www.canlii.org/ca/as/2001/c38/whole.html>.
[602] Public Safety Act, 2002 (enacted May 6, 2004), available at <http://www.parl.gc.ca/37/3/parlbus/chambus/house/bills/government/C-7/C-7_3/C-7TOCE.html>.
[603] F. William Johnson, President, Canadian Bar Association, Letter to the Senate Committee on Transport and Communications, March 17, 2003 <http://www.cba.org/CBA/submissions/pdf/04-09-eng.pdf>; also see generally Office of the Privacy Commissioner of Canada, Key Issues – Advance Passenger Information/Passenger Name Record <http://www.privcom.gc.ca/keyIssues/ki-qc/mc-ki-api_e.asp>.
[604] Commission Decision of 14 May 2004 on the Adequate Protection of Personal Data Contained in the Passenger Name Record of Air Passengers Transferred to the United States' Bureau of Customs and Border Protection, available at <http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=32004D0535&model=guichett>.
[605] Council Decision of 17 May 2004 on the Conclusion of an Agreement Between the European Community and the United States of America on the Processing and Transfer of PNR Data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, 2004/496/EC, Official Journal L/2004/183/83, May 20, 2004, available at <http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32004D0496&model=guichett>; Agreement Between the European Community and the United States of America on the Processing and Transfer of PNR Data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, Official Journal L/2004/183/84, May 28, 2004, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/pnr/2004-05-28-agreement_en.pdf>.

[606] Article 29 Data Protection Working Party, Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be Transferred to the United States' Bureau of Customs and Border Protection (US CBP), January 29, 2004, available at <http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2004_en.htm#wp87>.
[607] Privacy International, et al., Transferring Privacy: The Transfer of Passenger Records and the Abdication of Privacy Protection; The First Report on "Towards an International Infrastructure for Surveillance of Movement," with a Commentary from the American Civil Liberties Union on "A Perspective from America," February 2004 <http://www.privacyinternational.org/issues/terrorism/rpt/transferringprivacy.pdf>; Trans Atlantic Consumer Dialogue (TACD), Resolution on Passenger Name Records, Doc No. Internet-30-04, June 2004 <http://www.tacd.org/docs/?id=254>; also see generally Statewatch, Observatory on the Exchange of Data on Passengers (PNR) with USA <http://www.statewatch.org/pnrobservatory.htm>; EPIC, EU-US Airline Passenger Data Disclosure <http://www.epic.org/privacy/intl/passenger_data.html>; Hasbrouck, "Privacy and Travel," The Practical Nomad blog <http://hasbrouck.org/blog/archives/cat_privacy_and_travel.html>.
[608] EU, Press Release, "European Parliament Asks Court of Justice to Annul EU-US Passenger Data Deal," June 25, 2004, available at <http://ec.europa.eu/idabc/en/document/3130/330>.

[609] For fiscal year 2004, the goal is "to negotiate an agreement with the EU that gives CBP and TSA permanent access to PNR data," and for fiscal year 2005 to "[e]nsure access to PNR data for border and passenger screening on a global basis" as, "Opinions by the public and political leadership in Europe and Eurasia soften on US government] use of PNR." US Department of State, "FY 2005 Performance Summary, Strategic Goal 3: Secure the Homeland by Strengthening Arrangements that Govern the Flows of People, Goods, and Services Between the United States and the Rest of the World," February 2004 <http://www.state.gov/m/rm/rls/perfplan/2005/html/29302.htm>.
[610] Processing and transfer of passenger name record data by air carriers to the United
States Department of Homeland Security - "PNR," June 28, 2007, available at <http://www.epic.org/privacy/pdf/pnr-agmt-2007.pdf>.
[611] Joint Resolution on the PNR Agreement with the United States, July 10, 2007, available at <http://quintessenz.org/doqs/000100003894/2007_07_11_EU-parl_PNR_joint%20resolution.pdf>.
[612] Letter from European Data Protection Supervisor, Peter Hustinx, to the German Council Presidency on Proposed PNR Data Sharing Agreement, June 27, 2007, available at <http://www.epic.org/privacy/pdf/hustinx-letter.pdf>.

[613] Advance Passenger Information (API) – A Statement of Principles, Working Paper FAL/12-WP/60, presented by IATA to the 12th Session of the ICAO FAL Division, Cairo, March 10, 2004, available at <http://www.icao.int/icao/en/atb/fal/fal12/documentation/fal12wp060_en.pdf>.
[614] Hasbrouck, "'Undertakings' by the USA on Use of Reservation Data," February 2, 2004 <http://hasbrouck.org/blog/archives/000131.html>.

[615] Council of the European Union, Initiative of the Kingdom of Spain with a View to Adopting a Council Directive on the Obligation of Carriers to Communicate Passenger Data, January 9, 2004, available at
<http://register.consilium.eu.int/pdf/en/04/st05/st05183.en04.pdf>; also see generally
<http://www.statewatch.org/eu-pnrobservatory.htm>.
[616] Council Directive on the obligation of carriers to communicate passenger data, April 27, 2004, available at <http://www.statewatch.org/news/2004/apr/8078pnr.pdf>.

[617] Canadian Advance Passenger Information Program, Working Paper FAL/12-WP/38, presented by Canada to the 12th Session of the ICAO FAL Division, Cairo, December 11, 2003, available at <http://www.icao.int/icao/en/atb/fal/fal12/documentation/fal12wp038_en.pdf>.

[618] Article 29 Data Protection Working Party, Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data from airlines, January 16, 2004, available at <http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2004_en.htm>.
[619] Introduction of Advance Passenger Screening (APS) in New Zealand, Working Paper FAL/12-WP/81, presented by Canada to the 12th Session of the ICAO FAL Division, Cairo, March 20, 2004, available at <http://www.icao.int/icao/en/atb/fal/fal12/documentation/fal12wp081_en.pdf>.

[620] US Office of the President, Press Release, "G-8 Secure and Facilitated International Travel Initiative (SAFTI)," June 9, 2004 <http://www.whitehouse.gov/news/releases/2004/06/20040609-51.html>.

[621] Gilmore v. Ashcroft, 2004 U.S. Dist. 4869 (N.D. Ca. March 24, 2004), appeal docketed, No. 04-15736 (9th Cir. April 19, 2004), case documents available at <http://www.freetotravel.org/legal.html>; See also Frontier Travel v. TSA, (D. Alaska, filed May 24, 2004), case documents available at <http://www.alaskafreedom.com/akn/case.html>.

[622] In a recent example, two men allegedly entered restricted areas in an airport in the US, bypassed security screeners and carried a duffel bag containing 14 guns and drugs onto a commercial plane. They avoided detection, because they were airline baggage handlers who used their uniforms and legally issued identification cards. Both men had passed federal background checks before they were hired, according to a spokesman for Comair, the airline that employed the men. The men were only investigated and caught after receiving an anonymous tip. In this case, the men were well-known, but their intentions were not. Jim Ellis, "Feds: Bag of Guns Smuggled onto Plane," Associated Press, March 9, 2007.

[623] Transport Canada, Passenger Project <http://www.passengerprotect.gc.ca/home.html>.

[624]Documents obtained in 2002 by EPIC from TSA under the Freedom of Information Act established that the agency administered the two watch lists. EPIC, "Documents Show Errors in TSA’s “No-Fly” Watch List" <http://www.epic.org/privacy/airtravel/foia/watchlist_foia_analysis.html> (last updated March 23, 2006).
[625] Department of Homeland Security, Privacy Office, "Report Assessing the Impact of the Automatic Selectee and No Fly Lists on Privacy and Civil Liberties as Required Under Section 4012(b) of the Intelligence Reform and Terrorism Prevention Act of 2004," (April 27, 2006) at 4-5, available at <http://www.dhs.gov/xlibrary/assets/privacy/privacy_rpt_nofly.pdf>.

[626] Walter Pincus & Dan Eggen, "325,000 Names on Terrorism List," Washington Post, February 15, 2006, available at <http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021402125.html>; Anne Broache, "Tens of Thousands Mistakenly Matched to Terrorist Watch Lists," CNet News.com, December 6, 2005, available at <http://news.com.com/2102-7348_3-5984673.html>.
[627] Edmund S. "Kip" Hawley, Assistant Secretary, Transportation Security Administration, Department of Homeland Security, "Testimony at Hearing on Aviation Security: Reviewing the Recommendations of the 9/11 Commission Before the S. Comm. on Commerce, Science & Transportation," 110th Congress (Jan. 17, 2007), available at <http://commerce.senate.gov/public/_files/TestimonyofMrHawley.pdf>.

[628] See generally, Gilmore's Web site on the case <http://www.papersplease.org/gilmore/>; EPIC's Air Travel Privacy Web Page <http://www.epic.org/privacy/airtravel/>.
[629] Gilmore v. Gonzales, 435 F.3d 1125 (9th Cir. 2006), cert. denied, 127 S. Ct. 929 (US 2007), available at <http://www.epic.org/privacy/airtravel/gilmore_opinion.pdf>.

[630] Transport Canada, supra.

[631] System of Records Notice, 68 Fed. Reg. 2101 (January 15, 2003).
[632] Transportation Security Administration, Press Release, "TSA to Test New Passenger Pre-Screening System," August 26, 2005, available at <http://www.tsa.gov/public/display?theme=44&content=09000519800c6c77>.
[633] Mimi Hall & Barbara DeLolli, "Plan to Collect Flier Data Canceled," USA Today, July 14, 2004, available at <http://www.usatoday.com/news/washington/2004-07-14-fly-plan_x.htm>.
[634] Hasbrouck, "CAPPS-II Is Dead. Long Live CAPPS-II!" <http://hasbrouck.org/blog/archives/000282.html>.

[635] See generally, Transportation Security Administration, "TSA: Secure Flight Program," <http://www.tsa.gov/what_we_do/layers/secureflight/editorial_1716.shtm>; EPIC's Secure Flight Web page <http://www.epic.org/privacy/airtravel/secureflight.html>.
[636] Transportation Security Administration, Press Release, "TSA to Test New Passenger Pre-Screening System," August 26, 2005, available at <http://www.tsa.gov/press/releases/2004/press_release_0496.shtm>.
[637] System of Records Notice, 69 Fed. Reg. 57345, 57346 (September 24, 2004), available at <http://a257.g.akamaitech.net/7/257/2422/06jun20041800/edocket.access.gpo.gov/2004/04-21479.htm>.
[638] Notice of Final Order for Secure Flight Test Phase, 69 Fed. Reg. 65619 (November 15, 2004), available at <http://a257.g.akamaitech.net/7/257/2422/06jun20041800/edocket.access.gpo.gov/2004/04-25396.htm>.

[639] See EPIC FOIA documents on "selectee" and "no fly" watch lists, available at <http://www.epic.org/privacy/airtravel/foia/watchlist_foia_analysis.html>. See generally, EPIC, "Passenger Profiling Page," available at <http://www.epic.org/privacy/airtravel/profiling.html>.
[640] Cathleen Berrick, Director, Homeland Security and Justice, Government Accountability Office, "Statement at a Hearing on TSA's Secure Flight and Registered Travelers Programs Before the S. Comm. on Commerce, Science & Transportation," 109th Congress. February 9, 2006, available at <http://www.gao.gov/new.items/d06374t.pdf>.
[641] Edmund S. "Kip" Hawley, Nominee for Assistant Secretary of Homeland Security, Transportation Security Administration, Department of Homeland Security, "Testimony at Hearing on TSA's Secure Flight and Registered Travelers Programs Before the S. Comm. on Commerce, Science & Transportation," 109th Congress, February 9, 2006.

[642] See generally, EPIC's Automated Targeting System Web page <http://www.epic.org/privacy/travel/ats/>.
[643] "Traveler Risk System May Violate Ban," Associated Press, December 7, 2006.
[644] US Customs & Border Protection, Press Release, "Facts Concerning the Automated Targeting System," December 8, 2006, available at <http://www.cbp.gov/xp/cgov/newsroom/highlights/cbp_responds/facts_automated_targeting_sys.xml>.
[645] Department of Homeland Security, "Privacy Impact Assessment for the Automated Targeting
System," November 22, 2006, available at <http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_cbp_ats.pdf>.

[646] Bruce Schneier, Editorial, "An Easy Path for Terrorists," Boston Globe, August 24, 2004, available at <http://www.schneier.com/essay-051.html>.
[647] Kip Hawley, Administrator, Transportation Security Administration, "Testimony Before the
Subcommittee on Transportation Security and Infrastructure Protection of the Committee on Homeland Security of the U.S. House of Representatives," 110th Congress, July 31, 2007, available at <http://www.tsa.gov/assets/pdf/rt_testimony.pdf>.
[648] "New Tricks with Biometrics," CNN, September 28, 2006, available at
<http://www.cnn.com/2006/TRAVEL/09/27/biometrics.SAS/index.html>.
[649] See generally EPIC, Spotlight on Surveillance, "Registered Traveler Card: A Privatized Passenger ID," October 2005 <http://www.epic.org/privacy/surveillance/spotlight/1005/>.
[650] Dean Irvine, "Heathrow Tests Biometrics," CNN, December 6, 2006 <http://www.cnn.com/2006/TRAVEL/12/06/heathrow.fingerprints/index.html>.