Thursday, 1 April 2004
Parliament rejects mandate for airlines to give European governments access to reservations
Applying the same standard to mandatory handovers of airline passenger data to European Union governments that it had applied a day earlier in its vote rejecting mandatory access to PNR data by the USA government, the European Parliament today voted to reject a Spanish proposal that would require airlines operating within the EU to provide "Advance Passenger Information" to the government of the destination country when each flight departs.
The Spanish proposal was ostensibly intended as a measure to reduce illegal immigration, but the Europarl resolution rejecting it found that, "It is doubtful whether the proposal in its present form can make a useful contribution to reducing illegal immigration."
The proposal rejected by the European Parliament had earlier this week been approved by the Council of Ministers of EU members, leading to some erroneous reports that the EP had applied a double standard to intra-European and EU-USA flights and government demands for passenger data. In fact, the EP took a consistent view in rejecting both, sending a clear signal to Spain, to the USA, and to ICAO (where Spain and the USA were the sponsors of two proposals to extend worldwide the PNR and API standards and mandates they had previously proposed for the EU).
As with the proposed "agreement" with the USA, the status of the Spanish proposal for intra-European flights remains complicated and uncertain following today's Europarl vote.
But whatever happens next, it's clear that European legislators have given in neither to panic at the risk of terrorism and illegal immigration, nor to intense lobbying by the USA, and have remained unwilling to sell out their constituents' freedom.
ICAO session concludes early after finalizing passport and reservation standards
The International Civil Aviation Organization (ICAO) Facilitation Section meeting in Cairo adjourned today, a day earlier than scheduled, after a session with little controversy between the delegates and, it would appear from the early adjournment, little serious debate or discussion on the issues raised by the privacy, civil liberties, and data protection organizations that weren't represented in the delegations.
According to Mr. Denis Gagnon, spokesperson for ICAO at its headquarters in Montréal, "Biometrics on passports have been under study by ICAO since at least 1997." But to the best of Gagnon's knowledge, no privacy or civil liberties organization or agency has ever been consulted by ICAO or invited to attend an ICAO meeting. Nor, so far as Gagnon knows, did any of the government delegations to the just-concluded ICAO session include any representatives of those governments' privacy or data protection authorities.
Gagnon says, probably quite correctly, that ICAO evaluated the RFID and biometric passport requirements, and the proposals for standardization of PNR and "Advanced Passenger Information" (API) data and their sharing with governments, solely on the basis of ICAO's mandate to facilitate "efficiency" and "security".
"ICAO is a technical standards-setting body, and efficiency and security are ICAO's mandate from governments," Gagnon says.
But aside from whether RFID and biometric passports will actually increase anyone's security, there's a larger question: If ICAO's mandate isn't to consider anything other than efficiency and security, whose responsibility is it to consider other factors like civil liberties? Universal tattooing of people with numbers corresponding with those on implanted RFID chips might be efficient and, by some measures, secure, but that doesn't mean that it would be good public policy.
If ICAO considers that its mandate forbids it from considering the implications for civil liberties of its technical standards, what does ICAO think is the proper forum in which those issues should be considered? And who should decide whether, on these and other grounds, ICAO's technical recommendations for efficiency and security should or should not be adopted as public policy?
"I know what you're getting at, and that's a very interesting question," Gagnon told me. He promised to try to get an answer to that question from ICAO officials at the Cairo meeting, and I'll be interested to hear where they think their critics should turn.
Today's announcement from ICAO of the conclusion of the Cairo session said that it had agreed to recommend that all countries begin including machine-readable digitized photos on passports by 2010 -- a compromise between earlier dates desired by the USA and some European countries seemingly more interested in surveillance, and later dates preferred (to delay the greater cost of producing the new passports) by less wealthy countries.
In a disturbing hint at the potential for abuse of these biometric passports, ICAO say, "This makes possible rapid comparison, either one-to-one with the person and document, or one-to-many using a database to positively identify an individual."
Today's announcement was unclear on what exactly had been agreed regarding the proposals by the USA for standardization of PNR and API data to facilitate government access to passenger information, and didn't mention RFID (which had been proposed as the standard method of storing the digitized facial image and/or other biometric identifier) at all. I hope to have more details of the decisions on these issues tomorrow.
RFID chips to be used to track airline passengers and baggage
At a panel on "RFID In the Airline Industry" at the RFID Journal Live! Executive Conference which concluded yesterday in Chicago, USA government and airline speakers announced major steps toward the widespread deployment of RFID (radio-frequency identification) chips for tracking of both passengers and baggage within the USA, according to two reports here and here by Bob Brewin in Computerworld.
The announcement of the plans for use of RFID chips in airline boarding passes to track passengers' movements through airports in the USA and for "more tests of RFID chips in baggage tags" at USA airports coincides with ICAO's consideration of proposed standards which would mandate use of RFID chips for international air travellers by requiring them to be included in all new passports.
The result would be to give RFID chips a central role worldwide in "the conversion of travel systems into a global infrastructure of surveillance", as forecast earlier this week in a joint letter from privacy, civil liberties, and consumer organizations questioning the planned uses of RFID and biometrics in travel documents.
As I reported in November, McCarran International Airport in Las Vegas has already contracted for comprehensive use of RFID chips in all baggage tags beginning this year. And Brewin has written extensively in Computerworld about previous smaller-scale RFID baggage tag tests by Delta and other airlines in the USA and abroad.
What's different about the tests by Delta Air Lines, according to the latest report on the conference presentation by Delta manager for baggage planning and development Pat Rary, is that, "Delta will write information to the RFID bag tags at the request of the Transportation Security Administration, which has backed both tests, Rary said. That information will include the flight number, passenger name and what Rary called a 'license plate' -- a serial number that identifies each bag."
On the same panel, Anthony "Buzz" Cerino, communications security technology lead at the TSA, reportedly said that the TSA plans its own tests of RFID baggage tags "later this year".
Plans and initiatives to use RFID chips in consumer products have come under widespread criticism from privacy, consumer, and civil liberties advocates and organizations, and Delta itself became the target of a consumer boycott for volunteering its passengers' reservation data for tests of the CAPPS-II airline passenger profiling and monitoring system. One might think that Delta would have learned their lesson about the extent to which Delta passengers value the privacy of their travel records. But apparently not.
Personally identifiable baggage details in airline databases (number of pieces, weight, time and place of check-in, routing, destination, and, if insured or hazardous, detailed descriptions of the contents) are clearly the sort of personal information which is subject to the USA Privacy Act if maintained in a database controlled by the TSA or another Federal agency.
But there's been no Privacy Act notice, either in the Federal Register or provided to passengers checking bags with or to Delta, that their baggage records could wind up in a database constructed at the TSA's behest. So the TSA's role in both rounds of RFID baggage tag testing with Delta, as well as the tests the TSA plans on its own, raises serious questions of possible Privacy Act violations. Those questions should immediately be added to the agendas of the Congressional and other ongoing investigations of the TSA's privacy practices.
The TSA's newly reported interest in using RFID chips in boarding passes for participants in a possible "trusted traveller" or "registered traveller" program, in order to enable them to "know people's whereabouts" as they move through airports (a useless suggestion from any bona fide security perspective, since a would-be terrorist could easily give their boarding pass to a decoy, abandon it, and/or steal someone else's) raises even more serious privacy and surveillance concerns.
In testimony before Congress last month, TSA Acting Administrator David Stone reportedly called the trusted/registered traveller program a "high priority with us and one we're eager to move forward with."
But that can't begin -- at least not without the certainty that it would be shut down by the courts -- until after the TSA publishes a Privacy Act "System of Records Notice" for the traveller registration database, and conducts a privacy impact assessment on the program. Presumably, those will be either the first tasks for incoming TSA Chief Privacy Officer Lisa Dean or the next tasks for DHS Chief Privacy Officer Nuala O'Connor Kelly.
Remotely-readable RFID chips have been chosen over less-invasive and less easily-abused technologies (such as magnetic strips and 2-dimensional bar codes, which are already commercially available for encoding biometric identifiers on baggage tags) for the Transit Worker Identification Credential (TWIC), the first prototypes of which are being delivered this month to workers at Florida ports, and which up to 12 million workers throughout the USA will eventually be required to carry.
Magnetic stripes and 2-dimensional bar codes were also considered, but are also being passed over, by ICAO in its search for a supplement to the current optical character recognition (OCR) standard for machine-readable passports.
RFID chips have unique privacy problems and potential for abuse, since the data stored on them can be read not only remotely but also secretly. And the trusted traveller program, which was originally intended to assuage the concerns of business travellers about possibly being caught up in the heightened scrutiny given "untrusted" travellers (what happened to the presumption of innocence?) now seems to be getting some of its strongest opposition from precisely those business travellers.
It remains to be seen whether, and how, the TSA will proceed with a trusted/registered traveller program, and how it will justify RFID tagging in its Privacy Act notice and privacy impact assessment for the trusted/registered traveller program.
But if the USA government is insisting on RFID chips in each piece of baggage, each airport worker (through TWIC), and each international passenger (through ICAO's addition of RFID to its machine-readable passport standard), it's not surprising that they would want to seize any excuse (such as the trusted/registered traveler program) to be able to use RFID chips to track domestic passengers as well.
Unless, of course, they plan to require implanted RFID chips as identification tokens for travellers.






















