Data mining and the government

Data Debase: The powerful technology known as data mining -- and how, in the government's hands, it could become a civil libertarian's nightmare
by Max Blumenthal (The American Prospect Online, December 19, 2003)

A nice survey of data mining pojects by Federal and state governments and government contractors, citing my research and reporting on jetBlue Airways and CAPPS-II and putting it in larger context.

Where's Hot, and Where's Not?

"The World's Top 20 Destinations for Air Trekkers"
(Airtreks.com news release, 18 December 2003)

Wanderlust is alive and well, according to complex international airfare specialists Airtreks.com , with continued strong interest in travel to every major region of the world.

Following are the top 20 overseas destinations (outside the USA and Canada) requested by air trekkers, as measured by trips constructed on the Airtreks.com Web site last month:

1. London, UK
2. Bangkok, Thailand
3. Sydney, Australia
4. Auckland, New Zealand
5. Singapore
6. Athens, Greece
7. Hong Kong SAR, China
8. Denpasar (Bali), Indonesia
9. Rome, Italy
10. Cairo, Egypt
11. Capetown, South Africa
12. Johannesburg, South Africa
13. Nadi, Fiji
14. Brisbane, Australia
15. Kathmandu, Nepal
16. Mumbai (Bombay), India
17. Papeete (Tahiti), French Polynesia
18. Delhi, India
19. Rio de Janeiro, Brazil
20. Paris, France

"It's easy to get the impression that no one is travelling abroad, or that no one is going to the Middle East, Africa, or Asia," says Edward Hasbrouck, Airtreks.com staff Travel Guru. "But that's clearly not true. We're seeing continued strong interest in all those regions." Perennial favorites of independent travellers like Thailand, Egypt, India, and Nepal remain as welcoming, as wonderful, and as popular as ever. And after a brief downturn, Hong Kong has already returned to the top 10, with Beijing not far behind.

As for recent shifts in popularity of different regions, Airtreks.com says the biggest trend is a major shift in interest from the Northern Hemisphere to the Southern.

Right now, the South Pacific is the most popular region of the world, with 5 of the top 20 overseas destinations in Oceania compared with only 4 in Europe. Just keep in mind that this means flights to this part of the world are filling up much further in advance than usual, especially now as we head toward summer vacation season Down Under.

Other than ever-enchanting and infinitely diverse India, South Africa was the only country with two cities in the top twenty. And overall, not just with air trekkers, South Africa had the largest percentage increase in international visitor arrivals of any country in the world this year. (Nairobi, the most common gateway to East Africa, was not far behind at #24.)

The shift of travellers to more Southern destinations has also been apparent in the Americas. While only perennial favorite Rio de Janeiro made the top 20, Latin American cities showed rapidly growing popularity, with 4 others (Lima, Peru; Buenos Aires, Argentina; Santiago de Chile; and Sao Paulo, Brazil) in the top 35.

Visitors to the Airtreks.com Web site can customize their own multistop international trips and get instant online price estimates , unlike most Web sites that list only simple one-way and round-trip tickets, or a limited menu of packages. That gives Airtreks.com a constant finger on the poularity pulse of destinations around the world.

More voices in European Parliament against transfer of passenger data to the USA

Despite widespread reprinting in the USA of Department of Homeland Security propaganda claiming that an "agreement" has been reached with the European Union that permits USA government access to airline reservation data collected in the EU, reports from the EU, and especially from members of the European Parliament, make clear that the proposed agreement is far from assured of approval.

The European Parliament press office headlined its summary of the EP committee meeting at which the issue was discussed Tuesday evening, 17 December 2003, MEPs divided over Commission deal on airline passenger data :

Several MEPs voiced sharp criticism, questioning above all the compatibility of the agreement with current EU law. "At the moment, we are still in an illegal situation", said rapporteur Johanna BOOGERD-QUAAK . "We have repeatedly asked for negotiations to be based on our policies, but how do you fit that policy with the result of this negotiation?" she asked. According to Kathalijne BUITENWEG (Greens/EFA, NL), the three and a half year storage period was "disproportionately long". "The Commission is well aware that it is breaking the law but I assume that Member States will defend it for the reciprocity we're being offered", she said. "We can't break an EU law simply because everyone wants to!" she added. Marco CAPPATO (IND, I) shared this view, believing the data would be collected illegally. "Laws are to be obeyed and not to be interpreted politically", he said.

Hubert PIRKER (EPP-ED, A), while acknowledging that "some progress has been made" expressed concern about the number of information fields for which data would be collected. "Do these 34 types all serve the need of combating terrorism?" he questioned. "And who would have access to this data?" he asked. In the view of Elmar BROK (EPP-ED, D), the practical differences for EU citizens entailed by this arrangement must be established, and this was aside from reflecting on its effect on transatlantic relations. Raising the principle of reciprocity, Timothy KIRKHOPE (EPP-ED, UK) questioned whether the EU would derive any benefit from the data it would be entitled to receive. "How best can we make use of this information, if we want to use it at all?" he asked.

In a further statement today, MEP and rapporteur Boogerd-Quaak (who has spoken out on this and related issues in the past) joined the call made yesterday by MEP and committee member Cappato to take the matter to the European Court of Justice:

Transfers of passenger data continue to breach EU laws

"Transfers of airline passenger data to the US remain in breach of EU law despite claims to the contrary by the US authorities and the Commission", according to Dutch Liberal MEP Johanna Boogerd (D66), Parliament's rapporteur on this issue. Mrs Boogerd asked for a ruling by the European Court of Justice on the issue at an unprecedented hearing with Commissioners Vitorino, Patten, de Palacio and Bolkestein on Tuesday.

Refuting statements this week by the US Department of Homeland Security that it has an agreement with the Commission affirming that the data transfers are legal, Mrs Boogerd said:

"I realise that Commissioner Bolkestein has fought hard to find a solution to the unlawful transfer of passenger data to the US. However, the so called 'adequacy finding' that the Commission has made is neither a binding agreement between the US and EU, nor does it stop the transfer of passenger data to the US which are in blatant breach of EU data protection laws."

"The adequacy finding means that the Commission believes that the US provides adequate protection of the passenger data, despite the fact that the transfer is without the consent of the passengers, that the transfer in itself is illegal according to EU data protection laws and that the US has no proper data protection laws nor a fully independent Data Protection Officer with an enforcement mechanism."

Commenting on what actions Parliament might take, Johanna Boogerd added:

"The Treaty of Nice gives the Parliament the right to seek the opinion of the European Court of Justice to examine the legality of a contemplated agreement. I have urged the Comission on its own accord to seek this opinion, but if not, Parliament shall certainly seek to obtain this opinion. Moreover, I am considering asking the newly appointed European Data Protection Supervisor for his opinion."

"The only permanent solution is an international agreement between the EU and the US, with full involvement of the European Parliament and the US Congress. In the interim period, the unlawful transfer of passenger data must be stopped and I deplore this failure of the Commission to immediately enforce EU data protection laws", Johanna Boogerd commented.

[Addendum, 19 December 2003: More on this story: Air data decision faces legal challenge (EUpolitix.com)]

[Addendum, 22 December 2003: And still more: EU Travel Privacy Battle Heats Up (Wired.com)]

European privacy watchdogs denounce airline reservation data transfers to the USA

Leading European privacy watchdog organizations are denouncing the European Commission's acquiscence to ongoing wholesale transfers of airline reservation data to the USA, in violation of European Union laws and in defiance of a directive from the European Parliament to take action to bring airlines and computerized reservation systems operating in the EU into compliance with EU law.

Following are excerpts from some of their comments:

• Andreas Dietl, EU Affairs Director of European Digital Rights , a Brussels-based international non-profit association of NGO's:
  

  If this is how Commissioner Bolkestein understands "enforcing European law", it is time for him to resign. The decision to transfer 34 fields of personal data to the U.S. for every single passenger crossing the Atlantic is a manifest breach of these very laws. The fact that the U.S. initially wanted even more data to be stored for a de facto unlimited period does not make this deal any more acceptable.
  

  What remains fact is: There is no way for airline passengers to verify that their personal data is not used for any puposes other than those specified in the agreement with the EU; that it is not being transfered to any other authorities of the U.S. and deleted after 42 months.
  

  As the U.S. have no data protection or privacy law applying to non-U.S. citizens, it is more than likely that the data will be transmitted generously to the most different U.S. government agencies, in the databases of which it may be retained for many
  decades.
  

  It would be the task of the EU Commission to prevent such an abuse of EU citizen's personal data. The Commission has failed to fulfill that task. The European Parliament should now draw the consequences and bring the Commission before the European Court of Justice for breach of the EU Data Protection Directive.

• Gus Hosein, Privacy International , a London-based global human rights organization and sponsor of the worldwide Big Brother Awards :
  

  This is a significant victory for the U.S. Department of Homeland Security, and a loss for Europeans. The EU Commission claims that the U.S. is going to treat the data as adequate are unbelievable and offensive to Europeans who value their privacy. This move by the EU will lead every other jurisdiction to adhere to U.S. wishes even against their own sensibilities.
  

  This is the EU privacy regime being circumvented and rewritten based on the wishes of the U.S. authorities. The U.S. law on this matter is very simple and undemanding; the expansive interpretation of the law by U.S. law enforcement authorities is the issue at stake. The EU has therefore relinquished the privacy rights of Europeans based on mere interpretations and bullying from U.S. agencies, not the will of the American people or American legal requirements.

• Tony Bunyan, editor of Statewatch , the research and education operation of a UK non-profit association monitoring the state and civil liberties in the European Union:
  

  What is quite unforgivable is that the European Commission thinks that the EU-USA deal -- with a state which has no data protection laws and no intention of adopting them -- is a better basis for a global standard than the EU's data protection laws which have served as a model for many countries around the world.

I've also been told, by a journalist who was in attendance at the USA Department of Homeland Security press briefing yesterday in Washington, DC, that the DHS said that what it was describing as an "agreement" with the EU (actually a proposal by the European Commission to the European Parliament) would permit the use of data collected in the EU for testing of the CAPPS-II airline passenger profiling and surveillance system.

But there was no mention of CAPPS-II testing in the proposal itself, or in any press statement by the USA made in writing or disseminated outside the USA. And the proposal explicitly excludes CAPPS-II, with no exception for testing or anything else:

The Department of Homeland Security was keen to see the Transportation Security Administration's CAPPS II (Computer Assisted Passenger Pre-Screening System) scheme covered by the agreed legal framework. The Commission has successfully resisted this pressure on the grounds that it can only take a position once internal US processes have been completed and once it is clear that Congress's privacy concerns regarding CAPPS II have been met. CAPPS II will thus be addressed only in a second round of talks.

It appears that the DHS is attempting to distort the EC proposal to avoid having the lack of agreement with the EU, and the incompatibility of CAPPS-II with existing EU law, stand in the way of CAPPS-II testing.

Let's hope that Memebers of the European Parliament and the European Commission speak up promptly to correct any DHS "misunderstanding", and let the DHS and other USA agencies know that no EU agency has approved or authorized the use of EU data for any CAPPS-II purpose, including testing.

Even if approved, the EC proposal would not authorize use of EU data for CAPPS-II, which would require an entire separate agreement. Any batch of real reservations will include some data from the EU, and any airline, CRS, or other company that operates in the EU and provides or uses reservation data for CAPPS-II testing will be violating EU law.

European Parliament member says passenger data transfers to the USA still violate EU law

MEP Marco Cappato, one of the members of the European Parliament's Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE) to which the European Commisison reported yesterday on the status of airline passenger data transfers from the European Union to the USA, today issued a statement making clear:

1. That the European Commission (EC) proposal does not and cannot constitute an "agreement" between the EU and the USA;
2. That pending any binding agreement, the ongoing transfers of passenger data to the USA continue to be in violation of EU law; and
3. That the EC itself remains in breech of EU law for failing to carry out the explicit directive voted by Parliament on 9 October 2003 to bring about compliance with the law by 9 December 2003.

According to MEP Cappato, "The (tentative) agreement is just a proposal; the violation of EU law is currently the reality," despite misrepresentations of the proposal made by the USA Department of Homeland security in its press release announcing an agreement. Cappato continues:

According to what Commissioners Palacio, Bolkestein, Vitorino and Patten affirmed yesterday in the European Parliament during a joint legal affairs and citizens'rights committees meeting, there is still no definitive agreement with the US on the transfer of passenger data collected in the EU and consequently accessed by U.S. authorities in breach of EU law...

The reality is that the current practice of data transfer is in breach of EU regulation 2299/89 on computerized reservation system (which prohibits the access to personal data by third parties without the consent of the person) and of Directive 95/46 (that foresees that any exception to privacy rules should be based on a specific legislative measure of a Member State). This means that the personal data, before being illegally accessed and transferred, are illegally collected.

It is now up to the EP to continue with the procedure launched on the 9th of October and to immediately take the Commission to the European Court of Justice for failure to act (the deadline expired on December the 9th) and for violation of EU law.

More on EU passenger data transfers to the USA

I've been studying the full Communication from the Commission to the Council and the Parliament (thanks to EDRI for the link; the final document is essentially identical to the draft I received yesterday, and that was actually distributed at the meeting) concerning yesterday's meeting between the European Commission and the European Parliament on transfers of airline passenger data from the EU to the government of the USA.

Most reporting on yesterday's meeting, especially in the USA, seems to be based primarily on the USA Department of Homeland Security spin control press release and the DHS fact sheet that mis-states the most fundamental facts about what has happened.

The report in the New York Times is among the most misleading, referring repeatedly to what "the European Union" has supposedly done, and making no distinction between the European Commission, the European Parliament, and EU national Data Protection Authorities. Since yesterday's meeting was between the Commission and the Parliament, as the latest round in their ongoing dispute on this issue, the over-simplistic conflation of all the various EU entities into "the European Union" makes it impossible for Times' readers to discern the real story.

The full communication from the Commission makes two key points concerning issues yet to be resolved, although both are relegated to the footnotes:

1. "A decision making a finding of adequate protection is limited to doing just that. The proposed international agreement is therefore necessary to address the other legal issues." (footnote 5, page 6)
   

   Crucially, the Commission did not find that current protections for EU-originating travel data in the USA are adequate. It found that that they will be adequate, at some future time, if a binding agreement is entered into with the USA.
   

   Read closely, the language of the communication is quite clear that the Commisison has not (yet) made a finding of adequacy. Rather, "The Commission proposes to deliver this legal framework in the form of an adequacy finding, accompanied by an international agreement with the US. The European Parliament will be consulted on both elements of this solution." (page 10) Parliament has already made clear its dissatisfaction with Commission (in)action on this issue, so such an agreement (once it is drafted and proposed) is by no means assured of Parliamentary approval.
   

   Although not mentioned by the EC, such an agreement would also have to be ratified by two-thirds of the U.S. Senate in order to be binding on the USA as a treaty. It will be interesting to see how the Senate will respond to a proposal to ratify a treaty giving EU citizens privacy rights in the USA (including, for example, the right to notice of the fact that their reservation data will be passed on to the government) which the USA has to date been unwilling to extend to its own citizens.
   

   And since the ongoing transfers of passenger data will continue to be in violation of EU law until the entry into force of such a treaty, the complaints and demands for enforcement of the law have not been rendered moot: both the EC and EU national data protection authorities can and, by law, must continue to pursue them unless and until an agreement to cure the violations is signed, ratified by both sides, and put into effect.

2. "Although the comments of DPAs [national Data Protection Authorities] have been sought and many have been incorporated, the Article 29 Working Party [of DPA's] declined to adopt or approve the text, on the grounds that the transfers of PNR to the US are in any case illegal and nothing should be done to blur that fact." (footnote 7, page 7)
   

   In addition to the dispute between the USA and the EU, there has been ongoing disagreement between the various EU institutions (the Commission, Parliament, and national DPA's) about how to proceed, and in particular about the limits of the Commission's authority to "agree" to a compromise with EU law as determined by Parliament and national governments.
   

   In its formal communication yesterday, the Commission explicitly ackowledged that continuing disagreement. Parliament will still need to be consulted on any agreement with the USA. And EU member goverments, through their national data protection authorities, retain independent jursidiction over violations of EU and national privacy laws (even if national laws grant further rights than the minimum required by the EU).
   

   "The European Parliament and European Data Commissioners didn't like the US requirements earlier this year, so should now be considering what it might be about the new 'renegotiated' requirements that might make them acceptable," suggests my favorite UK technology news source, The Register .

Perhaps the most disturbing detail of the EC proposal (as should by now be clear, it's a proposal, not yet an agreement) is section 3.5 (pp. 9-10) calling for, "The creation of a multilateral framework for PNR Data Transfer within the International Civil Aviation Organisation (ICAO).... In September 2003, the Commission decided to accelerate work on developing an international arrangement for PNR data transfers within ICAO. The Commission services have prepared a working paper to this effect that will be submitted by the Community and its Member States to ICAO shortly."

Tony Bunyan, editor of Statewatch , gets the significance of this exactly right :

This deal heralds the beginning of an EU-USA axis to impose the exchange of passenger data globally through the ICAO. This will be the first step to vetting all passengers before they board a plane, boat or cross-border train -- denying boarding to those considered an immigration or security risk. The global surveillance of travel will not be limited to combating terrorism but will extend to other serious crimes.

The EC says that, "The Commission has taken the view that the best solution would be a multilateral one and that the ICAO would be the most appropriate framework to bring forward a multilateral initiative." Unfortunately, ICAO includes no privacy-protection or civil liberties advocates or organizations (except to the extent those roles are taken on by ICAO member governments, which they usually aren't). ICAO decision-making procedures provide minimal, if any, opportunity for direct participation by the public, public-interest NGO's, and civil society.

With a mandate for RFID biometric passports already on the agenda, and now a forthcoming proposal from the EU for sharing of PNR data with governments worldwide (doesn't that make you feel safer already?), the next meeting of ICAO's Facilitation Division scheduled to be held in Cairo 22 March - 2 April 2004 warrants close attention from privacy and travel consumer advocates worldwide.

European Commission reports to Parliament on airline passenger data

European Commissioner Frits Bolkestein is reporting back at this hour today in Strasbourg to an extraordinary joint meeting of the European Parliament's Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE) and the Committtee on Legal Affairs and the Internal Market concerning the transfer of airline passenger data from the European Union to the USA.

Bolkestein's speech to Parliament announces his proposal that, "The Commission make a finding of adequate protection with regard to transfers of PNR to the US Bureau of Customs and Border Protection. The Commission gave its agreement to this proposal today."

A close reading of Bolkestein's speech reveals that the finding of "adequacy" is based on a number of highly questionable assumptions about what the USA Department of Homeland Security has done and will do.

Among other things, the DHS has represented to the EC, according to Bolkestein, that "the [DHS] Privacy Officer's rulings on complaints will be binding on the Department", a claim with no legal foundation, no apparent enforcement mechanism, and which has yet to be tested. (It will be interesting to see whether the DHS extends its promise to respect its Chief Privacy Officer's rulings to complaints by USA citizens, or whether only rulings on European complaints will be treated as binding.)

More importantly for the European Parliament, Bolkestein explicitly argues that, "ultimately political judgements will be needed". Bolkestein and the Commission appear to have taken it upon themselves, rather than Parliament, to make those decisions -- an approach strongly criticised in Parliament's previous resolutions threatenting to haul the Commission into the European Court of Justice if it doesn't carry out its duties in accordance with Parliament's directives and EU law.

Member of the European Parliament (and of the LIBE Committee) Marco Cappato made a formal complaint to the Commission last month concerning the transfer of his own personal data to the USA, and last week reiterated his and Parliament's criticism of the Commission for failing to enforce EU data privacy laws against such transfers.

(Perhaps MEP Cappato and other concerned EU citizens should test the DHS's new promises by taking their complaints concerning their perosonal travel data -- and its transfer both to USA corporations and the DHS -- directly to the DHS Chief Privacy Officer.)

Two major aspects of the use of travel data in the USA are explicitly excluded from the recommended finding of "adequacy" of privacy protection, and remain under active consideration by both the Commission and the Parliament:

1. The DHS has not agreed to any restrictions on commercial use of travel data in the USA, which can continue unrestricted regardless of whether or not the data is also given to the DHS or other government agencies. The DHS couldn't do so even if it wanted to: the authority of the DHS to govern how data is used, or to protect its privacy, extends only to use by the DHS, and not to commercial use in the USA of the same data.
   

   The transfer of travel reservation data from the EU to commercial entities in the USA, in the absence of any legal protections (much less "adequate" ones) for its privacy in the USA, thus continues to violate the EU data protection directive and the EU code of conduct for CRS's and remains subject to possible enforcement action by the EC. Only a USA Federal privacy law governing commercial use of travel data could cure the violation of EU law inherent in these (routine and ongoing) transfers of reservation data from the EU to the USA.

2. The proposed EU-USA "arrangement will not cover the US Computer Assisted Passenger Pre-Screening System (CAPPS II). The latter will only be considered in a second round of discussions yet to come. In any case, such discussions can only conclude once Congress' privacy concerns have been met, and so far they have not."
   

   Since it is impossible reliably to determine from current airline reservations which ones (including reservations made in Europe for domestic flights within the USA) contain data originally collected in the EU, this implies that the DHS will not conduct any CAPPS-II tests with real passenger data until after the conclusion both of the report ordered by Congress from the GAO (due 14 February 2004) and a further agreement with the EU on the use of EU data in the CAPPS-II system.
   

   The DHS promise to the EU on CAPPS-II isn't self-enforcing, but any claim or admission by the DHS that CAPPS-II has been tested with real data (as in fact it has, repeatedly, and as I and other have been reporting for months) would be an admission of breach of the DHS promise to the EC.

Military retains top post at the TSA

"Retired" former U.S. Navy Admiral David M. Stone has been appointed acting Administrator of the USA Transportation Security Administration. Ex-Admiral Stone replaces former Coast Guard Commandant and Admiral James M. Loy, who was promoted to the position of Deputy Secretary of Homeland Security.

Stone joined the TSA last year (with no disclosed background or knowledge whatsoever of civil aviation or transportation) as TSA director of security for Los Angeles International Airport (LAX).

Despite still having a military officer in charge, the TSA is still considered, of course, a "civilian" agency under Stone's acting command, as it was from its creation under Admiral Loy's.

No one has yet been nominated as permanent TSA administrator, possibly because confirmation hearings for any such nominee would provide an opportunity for Senators to ask questions about privacy and civil liberties that the TSA and the Bush Administration have been trying to avoid. Senate aides have told me that written questions from Senators to the TSA concerning CAPPS-II and the government's role in the use of jetBlue Airways reservation data haven't been given even the courtesy of a reply -- an unusual breech of protocol.

More on Czech airline data dispute with the USA

The Prague Post has more details on the ongoing Czech Republic-USA dispute over USA demands for passenger data from Czech Airlines (IATA code "OK") flights to and from the USA, and the absence of legal protection for that data once in the USA.

The Czech objections to the USA demands largely parallel those from the European Union. But there's also this quote from Hana Stepankova of the Czech Office for Personal Data Protection (UOOU) -- a government agency, with, of course, no counterpart in the USA:

"Privacy is one of the basic values of human life, and personal data is the main gate enabling entry into it," Stepankova said. "Besides, the citizens of countries that experienced a period of totalitarian regimes have behind that a hard experience -- when privacy was not considered of value and was sacrificed to the interest of the state."

DHS calls for proposals for US-VISIT visitor tracking system

As reported here , here , and here , the USA Department of Homeland Security (DHS) has published its request for proposals for the US-VISIT system database and tracking system for foreign visitors. The US-VISIT prime contract will cover the database itself, integration with other government and private information technology, equipment for digital fingerprinting and photography at international entry and exit points, and RFID sensors for remote reading of next-generation travel documents .

The RFP has already brought questions from the Senate and the House of Representatives as to whether a privacy impact assessement must first be completed. In response, DHS Chief Privacy Officer Ms. Nuala O'Connor Kelly says a privacy assesment isn't required because, so she reportedly claims, digital fingerprinting and photography of visitors don't involve any "new" technology or equipment purchases.

The RFP will no doubt come under especially close scrutiny in the European Union, as part of the ongoing debate on DHS access to EU-originating reservation data.

Today European Parliament Member and rapporteur on privacy Marco Cappato issued a statement pointing out the expiration of the deadline set by Parliament for the European Commission to bring about compliance with EU privacy law by airlines and computerized reservation systems (CRS's), and holding the European Commission legally responsible for this ongoing "violation of the fundamental right to privacy ... as implemented by EU law, and of the principle of democracy and of the rule of law in the EU."

Parliament had previously voted to threaten action against the Commisison in the European Court of Justice unless it brought about compliance with the law -- either by stopping the data transfers to the USA, or getting the USA to agree to adequate data privacy protections -- by 9 December 2003.

In an effort to delay action by the EP, an unnamed U.S. official leaked a statement to Reuters that a deal on airline passenger reservation data has been agreed to with the EC. But the official spokesperson for the lead EC negotiator denied it, saying that, "There are still several outstanding issues". And as Parliement has repeatedly made clear, the Commision has no authority to "compromise" on enforcement of laws enacted for the EU by its Parliament.

The RFP makes clear (pp. 20, 22, 35) that the US-VISIT database will include the information obtained from airline reservations through the Advance Passenger Information System (APIS), the system currently at the center of the USA-EU data transfer dispute. As with the DHS/TSA CAPPS-II proposals, the US-VISIT RFP ignores the many intermediaries involved in collecting, entering, and forwarding that data, especially travel agents and CRS's -- neither of which are mentioned in the list of US-VISIT stakeholders (p. 19).

Privacy concerns -- including concerns in the EU about how widely US-VISIT data will be disseminated -- are likely to be exacerbated by the scope of the proposal: "This program is no longer an entry-exit project encapsulated within a single agency (the former Immigration and Naturalization Service) but is now a cross-government program with a large number of stakeholders." (p.16)

While one of the requirements in the RFP is that the prime contractor, "Deploy the program in accordance with existing privacy laws and policies" (p. 16), there's no mention in the RFP of the possibility that the unprecedented scope of the program might require any new privacy policies.

The estimated total cost of the system -- potentially as much as US$10 billion, including an initial $60 million for RFID sensors in fiscal year 2003 (pp. 121-122) -- should also raise questions about the DHS/TSA budget of US$35 million for CAPPS-II deployment, and the likely extent of the unreimbursed costs that will be imposed on the travel reservations industry to implement CAPPS-II.

[Addendum, 13 December 2003: A further report from EUpolitix.com makes even more clear that the USA still hasn't agreed to adequate protection for EU-originating travel reservation data:

"There is no agreement ... there are still a number of obstacles," said a spokesman for Bolkestein, indicating that not much had even moved during talks since the beginning of the month, when the commissioner outlined the sticking points still holding up an accord.

"If Bolkestein is going to make a statement [announcing an agreement] on the 16th, then something's going to have to move between now and then."

European Commissioner Bolkestein is currently scheduled to report back to the European Parliament with what the agenda diplomatically terms an exchange of views at an extraordinary joint committee meeting in Strasbourg this Tuesday, 16 December 2003.]

CAPPS-II will require 3 new directives

Over the past month, I've spent a lot of time -- at the PhoCusWright Executive Conference in Orlando, in interviews in Washington, DC, and by phone and e-mail -- talking with people in various government agencies (in Congressional offices, at the European Commission, and in the TSA and DHS) and all segments of the travel reservations or "travel distribution" industry (travel agencies, CRS's , and travel software companies and consultants) about what it will actually take in time, money, information technology, and business process changes to implement the DHS/TSA CAPPS-II proposal for airline passenger surveillance and monitoring.

A consistent picture emerges from my interviews with all these sources:

While CAPPS 1 (1998) and the first conceptualization of CAPPS-II (2001 - early 2002) were managed by Department of Transportation staff who had longstanding working relationships with the travel industry, CAPPS-II was taken out of their hands with the creation first of the TSA and then the DHS.

Since then, CAPPS-II has become an essentially "black" (secret) program directed by people from the military and "intelligence" (surveillance) backgrounds, and with little familiarity and no ongoing dialogue with the travel reservations industry.

If the DHS Chief Privacy Officer has done poorly at fulfilling her promises of consultation with stakeholders in CAPPS-II privacy issues, the TSA Office of National Risk Assessment (which has primary responsibility for the CAPPS-II project) and other operational divisions of the TSA have done dramatically worse than the Chief Privacy Officer in their failure to consult with stakeholders in CAPPS-II implementation issues.

As I've reported earlier, I eventually did get an interview last month about CAPPS-II with the DHS Chief Privacy Officer, Ms. Nuala O'Connor Kelly. But when we met, Ms. O'Connor Kelly told me (quite properly) that she is a policy officer, not a spokesperson, and that her responsibility or ability to comment on CAPPS-II extends only to its privacy implications -- not its cost or feasibility.

The day before that interview, TSA spokesperson Mr. Nico Melendez had assured me that Ms. O'Connor Kelly, "has been the public spokesperson for CAPPS-II, and she will be able to answer all your questions." Mr. Melendez declined to answer any of my questions himself, and when I later contacted him to see if he could provide any information on TSA estimates of CAPPS-II costs he told me that was "an absurd question" and that I was "harassing" him even to ask. To date, the TSA has been unable or unwilling -- despite my repeated requests to a revolving-door succession of staff flacks -- to make anyone available to me who admits any knowledge of CAPPS-II cost or implementation issues.

If the TSA had done their job, the CAPPS-II auditors from the General Accounting Office would have been merely double-checking work the TSA had already done. But in my survey of industry sources, I've found that the GAO seems to have consulted a far wider range of critical industry stakeholders than the TASA has ever bothered to talk to about CAPPS-II.

And in my own interviews, I've repeatedly found that industry sources -- even with some of the organizations and companies without whose active collaboration CAPPS-II can't possibly be implemented -- have been unable to comment on CAPPS-II costs or implementation becasue they don't yet know what the TSA/DHS will require them to do. I've known much more from my investigatory research than anyone at the TSA or DHS has been willing to tell these key industry players.

Even those who might stand to profit from CAPPS-II, particularly the CRS's (or GDS's, as they often prefer to call themselves), continue to claim -- perhaps truthfully -- that they don't know what changes the TSA will order them to make to their data structures, interfaces, API's, and protocols.

At the PhoCusWright conference, I asked Cendant CEO Sam Katz about the impact of CAPPS-II on Cendant's bottom line: CAPPS-II will require expensive changes to Cendant's Galileo CRS, which costs Cendant might have to absorb. But Galileo and all the other Cendant subsidiaries will be free, under the current CAPPS-II proposal, to retain, use, and sell the additional data travellers will be required to provide.

On balance, will CAPPS-II be a net cost or benefit for Cendant?

"I can't answer that," Katz replied, "Because there is no CAPPS-II business model" and the TSA still hasn't told Cendant their requirements.

When I pressed her, however, Ms. O'Connor Kelly was considerably more forthcoming about what will be required than the TSA has been. She freely conceded that -- as I (and others) had pointed out in comments on the CAPPS-II Privacy Act notices -- those notices could not create any new obligations on the public or private companies (other than government contractors) to provide, collect, store, or forward data or documents. A Privacy Act notice merely describes what the government will do with personal data.

Ms. O'Connor Kelly also freely conceded that for CAPPS-II to be put into effect, the government will have to give 3 new sets of orders to travellers and travel companies:

1. All airline passengers will be ordered to have reservations (or, equivalently, airlines will be forbidden from transporting anyone who doesn't have reservations).
   

   This would outlaw unreserved shuttle services, "open" tickets, and use of full-fare freely-changeable tickets on flights other than those originally reserved. And it would invalidate or retroactively impose an advance reservatiuon requirement on tickets already issued. In addition to their cost, both of these changes appear to be in violation of the Airline Deregulation Act of 1978. Ms. O'Connor claimed to be surprised when I raised these issues, in spite of the detailed discussion of them in my prior written comments.

2. Each reservation (even for a group) will have to contain the following 4 pieces of information about each passenger: "full name", "home address", "home telephone number", and date of birth.
   

   My interviews and sources suggest that the TSA is only just beginning to figure out how expensive this will be. (The cost would have become apparent sooner, of course, had the TSA been less secretive about its plans, or made any effort to solicit feedback from industry stakeholders.) This also raises a plethora of issues about the definitions of these terms, and the sanctions for those unwilling or unable to provide them (or providing a different name, phone number, and/or address than the TSA considers "correct" for CAPPS-II purposes). For what it's worth, Ms. O'Connor Kelly professed similar surprise at all of these issues, which had also been raised in detail in my written comments.

3. Each airline passenger will be required to produce and display, to TSA and/or airline staff, documentary evidence of their identity.
   

   Aside from the definition of what sort of ID documents will be acceptable for air travel, this raises particularly strong Constitutional, legal, and policy issues, especially in light of the history of vehement public and Congressional antipathy to any sort of national ID card or, more precisely in this context, "domestic passport".

Since these are not privacy rules, it wasn't clear what, if any, role the Chief Privacy Officer would have in formulating or promulgating them. Ms. O'Connor Kelly said neither the content nor the form of these 3 orders had yet been finalized. In particular, she said that the DHS and TSA had not yet decided whether to impose these requirements through a regulation promulgated through a public rulemaking process (as is, I suspect, her preference), or through a secret "security directive" to the airlines (as is likely to be the inclination of Admiral Loy, Admiral Stone, the ONRA, and others in the TSA and DHS with military and intelligence backgrounds and outlooks).

Even if the USA enacts privacy protections for travel data sufficient to satisfy European Union standards of adequacy , EU laws will still require consent for use of reservation data for CAPPS-II purposes, including testing. But Ms. O'Connor Kelly said that people whose data would be used in CAPPS-II tests will "almost certainly not be given any opportunity to opt out" of having their data used for those tests.

Unless the USA intends to flout EU law and risk interrruption of USA-EU flights, this means that CAPPS-II tests can't legally begin until after travellers start being informed, before they make reservations, that their reservation data will be used for CAPPS-II tests.

So if the TSA/DHS choose to impose these CAPPS-II rules through a secret security directive, the first notice of these rules that we would receive would be either that airlines start demanding dates of birth in reservations, or that airlines start giving notice in the EU that subsequent reservations will only be accepted if consent is given for their use in CAPPS-II testing.

Some might wonder about the costs for the travel industry in the USA of compliance with EU privacy laws . At PhoCusWright, I asked a panel of CEO's of the leading European Internet travel companies -- eBookers.com, Lastminute.com, Opodo.com, Online Travel Corp., and the European divisions of Expedia.com and Travelocity.com -- what lessons they had about privacy protection and regulatory compliance for their counterparts in the USA.

Their response: A collective shrug. That's a great deal more significant than, I suspect, most of the audience realized: respect for privacy isn't difficult, and needn't be costly. It's just good business. Lack of respect for privacy, on the other hand, can be very costly, as Delta, Cendant, and jetBlue have found out.

Priceline.com will now name its price -- sometimes

Priceline.com's US$100M startup blitz of television and other advertising in 1998 was the first time most people in the USA had heard of the discounts available on airline tickets through consolidators . Even five years later, Priceline.com remains the name-recognition (if not customer-service or customer-satisfaction) leader and largest-volume retailer in the USA of consolidator tickets.

So it's no wonder that the general attributes of consolidators (travel agencies that have agreements with airlines to pay less than published prices for tickets, enabling them to mark tickets up for resale and still sell them for less than the prices offered directly by airlines) are often lumped together with the peculiarities of Priceline.com's business model in the public conception of what a consolidator is.

Priceline.com does things differently from most retail consolidators in two ways:

1. Priceline.com sells tickets on a so-called "opaque" basis: Priceline.com buys you a ticket on whichever airline and flights it can get most cheaply, so as to maximize its profit (you pay the same amount regardless), and only tells you the airline and a schedule after you have committed to buy.
   

   Some people think all consolidators work this way, but that's not true: in most cases (and in all cases except on automated Web sites), a consolidator's unwillingness to identify the airline until after they've taken your money is a red flag for probable fraud. Most consolidator ticket sellers aren't allowed to advertise names of airlines or list them on their Web sites, but will provide them with your confirmed itinerary before you have to pay.
   

   When Priceline.com started selling tickets, there was only one other legitimate seller of "white label" airline tickets, OneTravel.com , which pioneered the concept a year earlier. Even now, there are only a few legitimate opaque consolidator ticket outlets, the other major one being Hotwire.com -- now owned by the same conglomerate that owns Expedia.com, but offering lower prices that aren't shown on Expedia.com.
   

   (The original logo was an unadorned "Hotwire", to please investors who were turning away from any company called ".com". But recently, putting marketing and brand recognition first, they have changed their logo to "Hotwire.com" and added an airplane icon and a tagline to make clear at a glance what they sell: "Fly. Sleep. Drive. Cheap.")
   

   Opaque sales do result in lower prices, if price is really your only concern. (Keep in mind that you'll be put on whichever airlines and flights are cheapest, which means whichever are least popular -- usually for a reason. So you have to be prepared to be at the airport at 4:00 a.m. for a 6 a.m. flight, or arrive at your destination after midnight.) Airlines want to fill seats with "incremental" passengers who wouldn't otherwise fly on their airline at all, but don't want to make it possible for people who would pay high published fares to get away with paying less for the same tickets. So airlines are willing to offer lower prices on an opaque basis than to consolidators who might sell tickets to brand-loyal customers or those willing to pay more for a specific schedule.

2. From its start, Priceline.com has required you to "name your own price". Priceline.com determines a minimum offer that they will accept, based on how much their consolidator contracts require them to pay the cheapest airline for your tickets. But Priceline.com doesn't tell you that price. You have to guess, and if you offer more than necessary, Priceline.com keeps the difference as a windfall of pure profit. This is, quite clearly, the system of price "negotiation" most disadvantageous to the consumer.
   

   It's also highly unusual: Priceline.com was the first to try it, and only one other company, Expedia.com, has tried to copy it (briefly and unsuccessfully). Today, every other bona fide "name your own price" airline ticket Web site that I know of is actually a "private label" or "co-brand" portal to the Priceline.com service.

Consolidator tickets are, by nature, cheaper than published fares, and airline have proven willing to offer lower prices to "opaque" than traditional non-opaque consolidators. But the jury is still out on whether forcing buyers of those tickets to "name your own price" is a sustainably profitable business model.

As a consumer advocate, I hope not. Priceline.com claims that "name your own price" gives "greater opacity" that leads airlines to offer even lower prices to Priceline.com than to its principal disclosed-price opaque competitors, Hotwire.com and OneTravel.com. But my research doesn't support that claim, and Priceline.com has been unable to provide me with any evidence to back it up.

From the start, even without careful analysis of pricing and negotiation theory, a lot of people had an (appropriate) gut reaction that they were somehow being taken advantage of by Priceline.com's refusal to name its price.

But as long as Priceline.com was the only source of consolidator tickets they knew about (and, in particular, the only source of opaque consolidator tickets on domestic flights within the USA), many of those people were willing to put up with Priceline.com's hidden pricing as the price of access to consolidator tickets. And Priceline.com advertising has done its best to mislead consumers into equating "name your own price" with "cheap", as though it made prices lower rather than, effectively, higher. (Leaving aside the fallacy that Priceline.com is some sort of "auction", as I debunk in much more detail in The Practical Nomad Guide to the Online Travel Marketplace.)

As consumers have discovered that they could get consolidator tickets, even opaque ones, at fixed and disclosed prices, they've ditched Priceline.com in droves for Hotwire.com. In doing so, customers have been voting with their feet, computer mice, and dollars against Priceline.com's core "name your own price" concept. Despite a two-year head start and dramatically larger capitalization and advertising spending for Priceline.com, Hotwire.com is catching up fast in sales. And OneTravel.com -- one of the first profitable Internet travel agencies -- continues to attract customers with scarcely any advertising at all.

So what does it mean that last month Priceline.com started disclosing prices, airlines, and flight schedules for some of its consolidator airline tickets, as well as offering to sell tickets at published fares? Priceline.com's marketing director, Brian Ek, says the new fixed-price offerings are an "experiment" and a "supplement", not a replacement, for "name your own price". Ek also says that the disclosed prices are higher than the minimum offers Priceline.com will accept, since Priceline.com still sells its cheaper opaque tickets only on a "name your own price" basis.

The fixed prices are some sort of mix of published fares -- excluding two of the airlines likely to have the cheapest published fares, Southwest and jetBlue -- and Priceline.com consolidator prices under separate agreements from prices Priceline.com has negotiated for opaque, "name your own price" sales.

Whether it's as half-hearted and/or desperate an experiment as it appears, I'm as interested as Ek and the rest of Priceline.com's management in what percentage of Priceline.com customers will choose to guess at "name their own price" when they are offered a fixed-price alternative right below it.

More important for Priceline.com will be whether these fixed-price offerings will slow, much less reverse, the exodus of customers to Hotwire.com and other fixed-price consolidator ticket outlets.

[Addendum, 19 December 2003: The jury is still out on whether "name your own price" will eventually prove to be a sustainably profitable business model. In its latest filing with the Securities and Exchange Commission , Priceline.com reports that, "As of September 30, 2003, we had an accumulated deficit of approximately $1.6 billion" in operating losses, which to date has been borne by investors.]

Focus on competition at PhoCusWright conference

As in years past, the 10th PhoCusWright Executive Conference in Orlando, Florida, 17-18 November 2003, brought together the CEO's of the most influential companies at the intersection of travel, technology, and the Internet, providing those of us who observe those industries with one of our most important annual opportunities for stock-taking.

The buzz phrases du jour seemed to be online corporate travel, the maturation of dynamic travel packaging technology, the perceived unprofitability for agencies or intermediaries of travel service with a fixed commission and selling price set by the supplier, and the first serious interest by USA companies and investors in travel markets outside the USA.

The real story of the conference however, was open and cutthroat competition within the Internet and travel industries.

In its early years, even before the dot-com bubble, PhoCusWright was a place of boundless optimism. Conference chairman Philip C. Wolf has retained that optimism even through the dot-bomb and the travel downturn of the last two years. Not without justification: I share Philip's view (and that of most of the participants in the conference) that usage of the Internet for travel is far from "saturated", for all but a few companies.

(The exceptions are mainly those airlines who already get the vast majority of their reservations through their Web sites, including Southwest Airlines -- by far the most significant Internet success story in the travel industry in the USA, although not perceived as a technology leader and never yet a focus of attention at PhoCusWright -- as well as jetBlue and easyJet.)

According to PhoCusWright's latest research, approximately 30 percent of the dollar value of travel reservations in the USA in 2003 were made on the Internet. The percentage could actually be much higher, depending on how you define "made on the Internet", since most people who make reservations over the phone or face-to-face with a travel agent have done at least some of their research first on the Internet. But that still leaves room for substantial growth in the share of reservations made online.

Certainly that remained the party line at PhoCusWright 2003, repeated explicitly by several speakers: "There's still plenty of room for growth, and for us all to get rich as long as we make the right decisions and read the tea leaves right." The shift in market share from offline to online bookings will allow the Internet sector of the travel industry to continue to grow, even if total travel spending continues to decline, as it has for the last two years.

But far too many of the CEOs on the platform came out swinging at each other for, "There's room for us all," to be their real belief. The fear -- even in the executive offices -- that there isn't room in the industry for all the present players to survive was palpable and only barely below the surface throughout the event.

The hostility was most apparent between suppliers of travel services (especially hotel companies) and distributors (especially IAC/InterActiveCorp ; see also my comments before the conference in Business Week in Marriott vs. Diller: It's a Brawl), between IAC's Expedia.com and other Internet travel agencies, and between Priceline.com and IAC's Hotwire.com (as I'll discuss in a separate posting in this blog).

Customers don't care what fraction of their travel dollar goes to intermediaries and what fraction to service providers (airlines, hotels, etc.). Consumers just care about the (total) price and the quality of service. But there was little if any discussion at PhoCusWright about offering lower prices, making them easier to find, or improving customer service. Tant pis pour les voyageurs!

PhoCusWright has always been notable as much for what isn't talked about as for what is on the agenda. The unspoken cause of the CEO's fear, of course, is the aforementioned continued decline in travel. Travel industry decision-making for the last two years has been dominated by the management of a succession of crises: the events of 11 September 2001 and their aftermath, the downturn in the economy and the collapse of the dot-com bubble, the drastic reductions in business travel budgets, the wars in Afghanistan and Iraq, continued fears of terrorism, SARS.

Yet, astonishingly, no one at PhoCusWright mentioned crisis management, disaster planning, or market contraction in their discussion of the issues facing managers of travel companies. Sabre's Sam Gilliland, for example, boasted of how quickly his company had recovered from war, SARS. etc., this year, but there was no acknowledgment of any recognition that any such things could ever happen again. The closest anyone came to this issue was when Erik Blachford explained how US$900M in planned marketing spending in 2004 by InterActiveCorp's "IAC Travel" division (which includes Expedia.com, Hotels.com, and Hotwire.com, among other brands) would benefit the entire industry by encouraging people to travel more. Until the emergence of Internet travel companies, he pointed out, there were few national retail travel brands (AmEx being the obvious exception), and none that were, "Spending a billion dollars a year to tell people, 'Travel is fun, and it's not as expensive as you think.'"

For the first time, the PhoCusWright conference included panels on both the European and the Asia/Pacific online travel marketplaces. Even more significantly, many of the participants in the conference -- traditionally the most USA-centric of the major Internet travel industry events -- actually seemed interested in what's happening in the rest of the world. To some degree, that's a sign of real recovery: companies that last year were focused on surviving the crises and the travel downturn in their original core USA market can now think about expansion abroad. But the fact that most of the potential for expansion (and likely an increasing share of PhoCusWright Inc.'s consulting revenues) is now oversees is symptomatic of the fact that the decline in travel has been much more severe, and more sustained, in the USA than elsewhere (on top of the fact that people in the USA get so much less vacation time and travel so much less than people in any other comparably wealthy country).

Thus the (belated) interest being shown by USA travel companies in capturing some of the money spent on travel by people outside the USA also reflects, I think, the same sub rosa fear of market shrinkage and approaching Internet saturation in the USA. That was perhaps clearest in the panel of investment analysts, who pointed out that the greater penetration of the Internet in the USA means that the return on earlier-stage investment in Internet travel companies elsewhere in the world is now likely to be higher. The largest venture capital investment discussed at PhoCusWright, for example, was approximately US$15M recently received by eLong , a Chinese-language Internet travel service that makes most of its money on hotel bookings by domestic travellers within China.

The closest these issues came to the surface was the appearance (a first for PhoCusWright) by Jean-Claude Baumgarten, former Air France executive and current president of the World Travel & Tourism Council (WTTC). Baumgarten's pitch focused on WTTC's role as the global travel industry's collective voice to governments. Interestingly, however, he made no mention of the proposal for a .travel top-level Internet domain -- even though less than a month earlier he had signed a letter to ICANN in his other role as chairman of the Travel Partnership Corporation in which he claimed that, "travel industry constituents ... have embraced the concept of .travel ... We have gathered the travel and tourism constituency together behind our application" for Tralliance Corp. to "sponsor" a .travel domain.

Tralliance Corp. and IATA have relied heavily on Baumgarten and the Travel Partnership Corporation to create a veneer of nonprofit legitimacy and broad industry support for reconsideration by ICANN of their .travel sponsorship application. But if anyone in the travel industry (other than IATA) actually was interested in or supportive of .travel, it would have been exactly the people gathered at the PhoCusWright conference. In fact, none of them care at all -- except for IATA and Tralliance Corp., who would stand to profit from their role as gatekeeepers to .travel as a credentialling scheme. Baumgarten didn't think it worth mentioning in his talk, and none of the Internet travel CEO's in the audience thought it worth asking about.

When I talked about this with Baumgarten, following his presentation, he seemed surprised that anyone would ask about .travel, or think it important -- much less relevant to an audience of leaders of the Internet travel industry. So far as he knew, .travel was "something IATA was doing", not something of general industry concern, and he had lent his (nominal) participation to the "Travel Partnership Corp." and signed the letter to ICANN (drafted by Tralliance Corp.) merely as a "favor" to his friends at IATA. I wasn't surprised at any of this, in light of my past reporting on .travel , but I was a little surprised that he didn't realize that it was being portrayed very differently to ICANN. Let's hope that the next time IATA and Tralliance Corp. trot out the TPC as evidence of "travel industry consensus" in support of .travel, ICANN asks enough questions to see through the sham.

How to manage customer relations to wring more money out of each traveller was a major theme throughout the conference. (In a growth industry, you might expect more attention to customer acquisition. A focus on maximizing profits from existing customers seems to me more typical of a flat or shrinking market.) The best-received of the keynote presentations was a lecture by Gary Loveman of Harrah's on the integration of customer data and pricing systems in the casino gambling industry. ("Of course, I represent an industry that's illegal here in Florida," he began. "How come we can go down the street and buy semi-automatic weapons, but if I said, 'Lets go gambling', we'd have to go at least as far as Cherokee, North Carolina [or leave the country]?")

What disappoints me, however, is how little of the attention being paid to "understanding the customer" for profit maximization is being applied to product or service improvements. There was virtually nothing at PhoCusWright, aside from Priceline.com's new named-price airfares (see my separate posting on that topic), that offered any real improvement for consumers.

User interfaces, for example, are being modified to increase up-sell and cross-sell revenues. ("Would you like fries with that hamburger? A hotel reservation with that airplane ticket?") And increasingly sophisticated customer preference dossiers are being compiled for that purpose. But the most elementary sorts of customer preference mapping aren't being implemented if they won't lead to buying a more expensive product. No airline ticket Web site, for example, yet allows you to assign a cents-per-mile value to frequent flyer credits on particular airlines, and have that valuation incorporated in the effective price in determining which flights are displayed. That's one of my pet peeves, but I mention it only as an example of what could be done if more online travel intermediaries saw themselves as agents of travel consumers, not as agents of suppliers of travel services.

On that point, at least, we've finally gotten some clarity: travel intermediaries that until recently were boasting of how they advanced the interests of consumers are now falling over themselves to proclaim their real allegiance to the interests of travel suppliers. Both Karl Peterson of Hotwire.com and Erik Blachford of Expedia.com, now under the common ownership of IAC, ruled out any integration of Hotwire.com's "opaque" consolidator prices with Expedia's published-fare displays. Why? Blachford: "It doesn't work well for suppliers." Peterson: "It's bad for price discrimination" [i.e. getting each traveller to pay as much as possible]. Whether an integrated fare display would be good for consumers (which it would -- if there's one thing consumers want, and expect from the Internet, it's a single integrated display of prices of all types from all sources) wasn't even deemed worthy of mention as a factor in their decisions.

Five years ago at PhoCusWright 1998, when I asked Blachford's predecessor Rich Barton whether Expedia.com saw itself as a sellers' or buyers' agent, he disengenuously claimed that they could be both without conflict of interest. Right: just like one real estate agent can protect the interests of both the buyer and seller in the same transaction. This year, on the same question, Blachford left no question where Expedia.com stands:

We don't think of ourselves as a travel agency... We think of our sites as marketing vehicles to bring new customers to travel suppliers. Don't think of us as a distributor: Think of us as a customer acquisition channel bringing you new business.

That's the sort of gem that makes PhoCusWright worthwhile for me. I doubt he'd say the same thing about his goals if he were speaking to an audience of consumers, or in a one-on-one interview with a consumer travel journalist like myself.

Orbitz.com's Jeff Katz can't admit to being purely a suppliers' agent because of the anti-trust investigations his company has undergone as a result of being supplier-owned. But even he admitted that, "Balancing customer and supplier needs [is] is getting, duly, quite a lot of attention" and getting harder. He tried to justify Orbitz.com's not siding with consumers by saying that, "taking sides to break the suppliers isn't in consumers' overall interest", but gave no explanation of why he thinks that is so. And he still fell back in Orbitz.com's defense on, "our unbiased nature", ignoring the bias inherent in displaying only the minority of published and Web airfares, excluding the majority of airline ticket prices that are set by consolidators.

Orbitz.com has also changed its pricing system for international flights, replacing pricing provided by the Worldspan computerized reservation system with a new international flight pricing module from ITA Software .

But Orbitz.com has crippled the pricing software by setting it to display only through fares, even when ITA Software is able to find lower prices by breaking the itinerary into separate tickets at an intermediate connection or fare construction point.

ITA Software went to considerable expense and difficulty to include the capability to calculate and compare prices for combinations of separate tickets. When CEO and co-founder Jeremy Wertheimer demonstrated it to me, turning on this module (with a simple command-line toggle in the debugging mode of the user interface) reduced the price of the identical flights by as much as US$1000 per person.

It's hard to avoid the inference that -- on top of its exclusion of consolidator prices -- Orbitz.com doesn't even want to show the lowest available published fares. And whatever Orbitz.com's motives, their deliberate suppression of the display of the lowest available published fares, when they involve multiple tickets (as is typical for international itineraries), makes a mockery of their "lowest fare" claims.

Wertheimer says it's up to ITA Software licensees such as Orbitz.com to decide whether or not to use the software's capability to price combinations of separate tickets. But ITA Software has inhibited the pricing displays on its own Web site in the same way. I don't know if they did so at Orbitz.com's request, or in a deliberate attempt to reduce the likelihood that Orbitz.com's decision not to show separate-ticket prices would be exposed. But it's rare for a software company to remove from its demonstrations a feature available in the production version of the software that could save consumers thousands of dollars.

I've been wanting to write a comparative review of airline ticket price "search" software, including Sidestep and Travelogia. But my attempts to test these services still lead me to recommend against installing either of these programs, regardless of what fares they might find.

When I installed Travelogia Boarding Pass , I entered a unique e-mail address, so I could track how my personal information was used. It turned out that Travelogia automatically signed that address up to receive airline spam, and a year after I alerted Travelogia to the problem they still haven't figured out to unregister me with the airline to stop the spam. If that's how they deal with privacy complaints from journalists, I can scarely imagine how ordinary users are treated.

Sidestep's service is available only for MS Internet Explorer users, and only through an ActiveX plug-in. In typical Microsoft fashion, ActiveX was designed with no concern for security: once you enable ActiveX, you can't prevent it from reformatting your hard disk or sending any or all of your files and data over the Internet. I've discussed the problem repeatedly with Sidestep CEO Brian Barth, who insists his ActiveX controls do nothing malign. But the license one must accept to install Sidestep forbids monitoring of what the software actually does. And depite my repeated requests, Sidestep still hasn't been willing to waive those standard terms for me as a journalist to permit me to test their claims about their software.

Notably absent from the conference program was any substantive discussion of technology or technological innovation. As the Internet has moved from the margins the center of the travel industry, and travel has become the center of e-commerce, PhoCusWright has completed the transition from technical conference for geeks to, as it now styles itself, an "executive" conference.

There are some other lingering issues I'll report on separately , such as the travel industry's attitudes toward CAPPS-II and privacy regulations. But for now, that's all my PhoCusWright news for this year, from Disney World. See you again next November, in Hollywood.

USA demands for airline passenger data violate Czech privacy law

Czech airlines must give USA personal data of its passengers-CT (CTK Czech News Agency, 4 December 2003)

The USA demands that the Czech air carrier CSA provide it with data on all its passengers citing terrorism, which the Czech Personal Data Protection Office (UOOU) says causes the CSA to breach people's privacy, the public television broadcaster CT said.

CSA provides passengers' personal data to the United States under a temporary exception from the respective law, which however will cease to be valid as soon as the Czech Republic enters the European Union in May next year.

So even before the Czech Republic joins the EU, travellers there already have more legal protection than do travellers in the USA. And rather than endorsing the enhancement of Czech privacy protections to equal those of the EU, the USA has gotten the Czech government to make an exception to its human rights laws for the USA government (an exception that, fortunately, wouldn't be permitted in the EU, where all members are required to implement EU-recognized fundamental rights in their national laws.

A fine example the USA sets for global norms of human rights.

(Thanks for the citation to Geoff Goodfellow in Prague, via Dave Farber's Interesting People list.)

UK follows USA into surveillance and control of airline passengers

Mimicking the CAPPS-II scheme in the USA, the UK government has mooted (in the UK sense of "to moot", meaning, "to propose", not the opposite USA sense of "to moot", meaning, "to render no longer relevant"; the difference is similar to the opposite UK and USA meanings of "to table") a proposal to require airlines to turn over copies of reservations and travel documents to the government and to use them to decide whom the government will allow to travel. Like an earlier Spanish proposal, the UK proposal appears contrary to the European Union data directive, which is binding on all EU memebr states.

Details from Statewatch:

UK takes lead on surveillance of passengers

EU plan for wholesale security checking of every traveller

Beware of confusing Philippine Pesos with USA quarters

People in more cosmopolitan countries than the USA are used to watching out for all sorts of different coins and currencies showing up in their change.

(At least with paper money -- what the rest of the world calls "notes" and the USA calls "bills" -- most countries make it easier by using different colors for different denominations. But that's another story.)

"Foreign" money hasn't usually been an issue in the USA, however: we get few visitors, we force them to use US dollars (try to find a storefront currency exchnage in most USA cities), and we only have land borders with two other countries. Mexican pesos are easily distinguished from USA currency, people near the Canadian border learn to tell the few designs of Canadian coins from the even more invariant USA ones, and the difference in value was modest if you occasionally accepted a Canadian quarter (CAD0.25) in lieue of a USA one (USD0.25).

But the ongoing gradual introduction of 50 different quarter-dollar USA coins in designs chosen by easch of the 50 states has made it impossible to know what to expect the back of a quarter to like like.

Today when I tried to buy a cup of coffee (no, not for just a quarter), I was barely registering, "Gee, that must be from a state whose quarter I haven't seen before" when the barista handed it back, saying, "That's not a quarter."

It turned out to be a Philippine 1 peso coin, exactly the same size and with the same flanged and corrugated rim as a USA quarter dollar coin -- but worth only 1.8 cents (USD0.018)! And no, it dosen't work in vending machines made for USA quarter-dollar coins -- I guess it's a slightly different metallic composition.

USA still won't agree to legal protection for travel data

This week European Commissioner Frits Bolkestein was called before a joint meeting of the European Parliament's Committees on Citizens' Freedoms and Rights, Justice and Home Affairs, and Legal Affairs and the Internal Market to give his report on the USA/European Union talks on transfers of airline passengers' personal data from the EU to the USA.

The Commision faces a 9 December deadline previously set by Parliament to bring airlines and computerized reservation systems into compliance with EU law on international transfers of personal data. That could be achieved either by ending data transfers to countries like the USA without adequate data privacy laws (a possibility Bolkestein refused even to contemplate in his reprt to Parliament) or by getting the USA to enact "adequate" protections (of which his report gives little hope).

It isn't clear from Bolkestein's report whether he and the other members of the Commission want Parliament to extend the deadline (possible, although more time seems unlikely to result in fundamental change in the position of the USA against enacting any legally enforceable privacy rights for travellers), change the law (highly unlikely, given the recognition in the EU of privacy as a fundamental human right), or approve an agreement with the USA inconsistent with EU law (which would be subject to legal challenge in EU courts).

Even some of the USA "concessions" that Bolkestein reports as successes for the EU negotiators raise questions of their own:

The second important success we achieved is that the arrangement will not cover the US Computer Assisted Passenger Pre-Screening System (CAPPS II). The latter will only be considered in a second round of discussions yet to come. In any case, such discussions can only conclude after Congress has signed off on CAPPS II. And this first requires the US General Accounting Office to complete its study on the effectiveness and privacy implications of CAPPS II, as recently requested by the US Congress.

That would be great, if the USA had agreed to postpone any use of data from the EU in CAPPS-II tests until after the GAO report to Congress, whihc is due by 14 February 2004. But the law requiring the GAO report explicitly allows testing -- including tests with real reservations -- to continue in the interim. And President Bush, in signing the law, said he considered it only "advisory", not binding.

As I've discussed earlier here and here , any CAPPS-II tests on a significant scale will inevitably include data from the EU: there's nothing in current PNR's that would enable the identification and exclusion form the tests of those for which data was collected in the EU. (Not that that was even attempted in the previous CAPPS-II tests, about which the DHS and TSA continue to lie but which certainly violated EU privacy and data protection rules.)

There's a larger problem, though, in the USA/EU negotiations on PNR data transfers. The USA and the EU have been using the words, "personal data transfers from the EU to the USA" to mean two quite different things, leaving the most important privacy vulnerabilities in the gap between those two meanings.

The USA has been talking about "personal data transfers from the EU to the government of the USA", but EU laws and regulations apply to any "personal data transfers fro