Friday, 25 May 2007

Report from Iran

I've wanted to go to Isfahan for decades, ever since I first saw pictures of its architectural masterpieces, long before I'd ever set foot outside North America. As I've gotten to other places, Isfahan has been left near the top of my personal lifetime travel "wish list".

Today I got a message about my dear friend John Lindsay-Poland (author of Emperors In the Jungle and much other fine writing), who is travelling in Iran:

I spoke a short while ago with John and his co-leader of FOR's fourth delegation to Iran, Leila Zand. They are well and John asked me to send warm greetings to all his contacts.... Currently, the delegation is in the city of Yazd. John, who as you know has traveled widely, described it as one of the most beautiful places he's ever been.

If you are interested in what it's like to be an American in Iran right now, in the midst of American government sabre-rattling, reports from the FOR delegation are being posted here.

I'm jealous of John, although perhaps not quite as much as I am of another writer friend, Jeff Greenwald, who was in Isfahan during the total eclipse of the sun in 1999. Jeff wrote more about his trip to Iran in his book, "Scratching the Surface", and sometimes includes stories about it in his stage performance, "Strange Travel Suggestions". You can hear him read an excerpt in this segment from NPR's "The Savvy Traveler". The warm and generous welcome Jeff received from ordinary Iranians is actually typical of what I've heard from many other American visitors over the last 15 years.

Next month I'm leaving on a year-long trip around the world with my partner, who will be on sabbatical from her teaching job. Parts of our itinerary are more certain than others: We've rented an apartment in Buenos Aires for the first couple of months, but we're waiting to decide whether to go to Iran until we get closer to the time and place.

In the meantime, I'll be doing what I can to try to keep the government of the USA from invading or bombing Iran in my name. When we travel, we confront the past, present, and future of war. I've seen what American bombs did to the historically and culturally significant monuments of Hue, Vietnam, for example. I don't want that to happen to Isfahan, Tehran, or anywhere else. And it's as important for Iranians to know that Americans (if not the American government) are their friends as it is for Americans to know about the friendship Iranians have for us.

Posted by Edward, 25 May 2007, 14:24 (2:24 PM)

Friday, 18 May 2007

.travel registry near death

Aside from any of the other problems with the way that the franchise to "sponsor" the ".travel" top-level Internet domain name was awarded by ICANN to what is now the Tralliance division of TheGlobe.com, a travel business would have to be run by a real speculator to risk their Internet brand on a registry run by a company this close to liquidation:

Fort Lauderdale firm, once a high-flying dot-com, is set to go out of business

By Ian Katz, South Florida Sun-Sentinel, May 18, 2007

... In a quarterly report filed with the Securities and Exchange Commission last week, theglobe.com said management does not think the company can fund its operations beyond this month unless it receives more money. As of May 4, the company had a cash balance of $480,000. Last quarter it reported a net loss of $2.8 million on revenues of $431,742....

The company's finances took a big hit in April when it paid $2.55 million to settle allegations that it sent 400,000 spam e-mail messages to users of MySpace, the popular social networking Web site....

Theglobe has abandoned Voiceglo, an Internet phone business, and a computer games operation. It now runs Tralliance, a wholesale seller of Internet domain names ending in dot-travel. Theglobe acquired Tralliance in 2005....

Does ICANN have a plan to deal with a registry liquidation?

I raised questions about the finances of both Tralliance and TheGlobe.com before ICANN's decision to create .travel. ICANN kept me out of their press conferences, and never answered my questions. ICANN also has never explained whether they approved the acquisition of Tralliance and .travel by TheGlobe.com as should have been required by the .travel contract.

My request for an independent review of the (lack of) transparency of ICANN's original decision to create a .travel domain with Tralliance as registry remains pending after more than two years. All of ICANN's mechanisms for so-called accountability have proven meaningless when I've actually tested them.

[Addendum:] Dugie Standeford picks up the story in the 22 May 2007 edition of Washington Internet Daily:

There isn't enough interest in .travel to save TheGlobe, said travel writer Edward Hasbrouck, who has battled unsuccessfully for years with ICANN on behalf of an independent review of its decision to approve the domain and delegate it to [Tralliance], later bought by TheGlobe. Travelers aren't drawn to the name for several reasons, he said. They want information independent of travel services suppliers, not a service guaranteed to be restricted to such companies. So they use Google or other search engines to trawl for travel services, he said.

And since very few travelers use .travel, it offers little value to suppliers of travel services, Hasbrouck said. Large travel outfits will register a .travel name even if they don't use it, but smaller ones "won't waste the $100." Moreover, he said, potential registrants are wary of TheGlobe.com and TheGlobe because they’re "interested in their own profits, not those of .travel registrants." Word of a possible bankruptcy could frighten off even more would-be registrants, said Hasbrouck.

[Further addendum:] Discussion of this issue by ICANN's At-Large Advisory Committee (ALAC). According to this message "the [ICANN] Board [of Directors] is already aware and discussing it", but that discussion is, as usual, going on in secret, in violation of ICANN's bylaw requiring the maximum feasible openness and transparency.

[Further addendum:] John Levine notes that documents filed with the SEC disclose that the backers of .travel -- Michael Egan, Chairman of tour operator Certified Vacations, and Ed Cespedes, CEO of the Tralliance Corp. since its original President, former NHL hockey player Ron Andruff, was laid off -- are providing just enough of a trickle of funding to keep the parent company, TheGlobe.com, afloat. TheGlobe has been through several (failed) business plans, but the company's latest press release makes clear that the .travel franchise is its only potentially significant remaining asset: "theglobe.com ... now consists mainly of our Tralliance operations."

Posted by Edward, 18 May 2007, 16:27 (4:27 PM)

Does the Chicago Convention authorize government demands for PNR's? No.

In his testimony before the European Parliament on Monday, USA Secretary of Homeland Security Michael Chertoff claimed that the authority for governments to demand access to passenger name records (PNR's) is expressly provided by the Chicago Convention (the 1944 fundamental international civil aviation treaty).

I was surprised by Chertoff's statement, since I had never heard such a claim before. Today I read through the entire treaty, and confirmed that Chertoff was wrong: The Chicago Convention doesn't require that governments have access to PNR's.

The only related provision of the treaty is in Article 29 (pages 12-13 of this PDF document):

Documents carried in aircraft

Every aircraft of a contracting State, engaged in international navigation, shall carry the following documents in conformity with the conditions prescribed in this Convention,...

(f) If it carries passengers, a list of their names and places of embarkation and destination;

This provision of the Chicago Convention falls far short of what Chertoff claimed. It requires that a manifest (list of passengers) be carried on board the aircraft, not that the government have access to PNR's.

  • The required fields (3 per passenger) in the manifest are specified in the treaty: name, place of embarkation, and destination. None of the multitude of other data in PNR is required to be included in the manifest.

  • The manifest is required to be physically carried on board the aircraft. The treaty is silent on when or if any government has authority to search the aircraft or obtain the manifest. The treaty doesn't require, in and of itself, that the manifest be provided to any government.

  • Since the manifest is only required to be carried on board, nothing in the treaty requires that it be subject to search or seizure by the government of the destination country until the aircraft itself is within the jurisdiction (i.e. the airspace) of that country.

The Chicago Convention is thus surprisingly precise, even to the enumeration of required fields and the manner of transmission of the data (physically onboard the aircraft). It cannot be used as a basis for a demand by governments for PNR data, and does not override the other treaties that guarantee the right to travel.

Nothing in this provision of the Chicago Convention requires that any additional information be collected beyond the name, place of embarkation, and destination of each passenger. Nothing in this provision of the Chicago Convention requires that any information be provided to any government, much less that any information be provided to the government of the destination country prior to departure from any other country.

Chertoff used to be a Federal judge. He ought to know better, or to read the law more carefully.

Posted by Edward, 18 May 2007, 14:13 (2:13 PM)

Thursday, 17 May 2007

Chertoff pledges to prosecute crimes against the Privacy Act

Thanks to the heroic efforts of EFF's Erik Josefsson and others in Brussels to obtain and upload gigabytes of video, I've been able to watch the entirety of USA Secretary of Homeland Security Michael Chertoff's testimony before the LIBE Committee of the European Parliament on Monday.

Chertoff's actual testimony was significantly different from what was described in the Europarl's official press release and in news reports.

He didn't actually say anything directly about private or commercial use of passenger name record (PNR) data, but only about data from the Automated Targeting System (ATS), as follows:

It would be against the law [in the U.S.] for ... private parties to be given the data in the ATS. If it were done willfully, it would result in someone going to jail. And if I ever find anybody smuggling that kind of information to a private entity, they will be punished, and I will do my level best to send them to jail.

Unlike what Chertoff was reported to have said, this isn't exactly a lie, and it remains to be seen whether it will be true. It is, however, misleading and largely irrelevant, since much of the information in the ATS -- including all the PNR data -- is obtained by the government from private entities (airlines and CRS's), which are allowed to retain and use it after passing it on to the government. So there is no need for anyone to "give" or "smuggle" this data to the private third parties to whom the government has already compelled travellers and others to "give" their personal information. Chertoff's comments would be relevant only if the government collected ATS and other PNR data directly from travellers, rather than forcing them to give this data to private travel companies subject to no data protection law.

The Privacy Act does have, as Chertoff told the European Parliament, criminal provisions. Mostly those relate to operating a system of records (records about U.S. citizens or residents) without proper notice. In practice, it's been almost unheard of for anyone to be prosecuted, much less to go to jail, for violation of these provisions.

The day after Chertoff's appearance before the European Parliament, auditors from the USA Government Accountability Office released a redacted version of a report concluding that Chertoff's own Department of Homeland Security had operated the ATS without the notice required by law. The original, unredacted version of the GAO report was given to the DHS in November 2006, so Chertoff's department has known about this for months. That means that the operation of ATS constituted a crime against the Privacy Act on the part of the responsible DHS officials.

In dealing with these criminals, will Chertoff keep his promise to European legislators?

I'll be watching closely to see if this "will result in someone going to jail", and to see Secretary Chertoff fulfill his public commitment to "do his level best to send ... to jail" those responsible for operating the ATS without giving data subjects the notice required by the Privacy Act.

[Follow-up: Video of the hearing and press conference in a more compact format is now available online, thanks to Erik Josefsson of EFF. For more on Chertoff's testimony that wasn't mentioned in the official report, see: Does the Chicago Convention authorize government demands for PNR's? No.]

Posted by Edward, 17 May 2007, 22:11 (10:11 PM)

Who will police the privacy police?

A newly-released report by the Government Accountability Office finds that, as I've been complaining, the DHS has failed to give the public the notices required by the Privacy Act as to what information the government is keeping about U.S. citizens and residents, and how that information is being used. Without such notice, keeping these records is a crime. But who is responsible for enforcing the Privacy Act, when the people responsible for the missing or deficient notices are the "Privacy Officers"?

Details from the Identity Project.

Posted by Edward, 17 May 2007, 18:55 (6:55 PM)

Tuesday, 15 May 2007

Did Chertoff lie to the European Parliament?

USA Secretary of Homeland Security Michael Chertoff was in Brussels Monday to testify before a hearing of the European Parliament's LIBE [Civil Liberties] Committee about Chertoff's department's desire for access to Passenger Name Records (PNR's) for flights between the USA and the European Union.

After initially trying to ignore the questions raised by Members of the European Parliament (MEP's) and exclude them from debate on USA government access to PNR data collected in the EU -- and after having the Europarl bring a successful lawsuit to have the initial "agreement" between the DHS and the European Commission invalidated by the European Court of Justice -- the DHS has gradually recognized the necessity to extend its diplomacy to European legislators if it wants a new PNR agreement, to give at least a fig leaf of legality to its systematic monitoring of European travellers after the present "interim" agreement expires at the end of July.

Chertoff's personal mission to Brussels came in the wake of a high-profile March hearing on PNR transfers by the LIBE Committee, a rare April visit to Congress by a delegation of MEP's from the LIBE Committee (largely snubbed by official Washington), and most recently an attempt at fence-mending in Brussels by a tag team of DHS Privacy Officers.

Chertoff's prepared statement is a mix of the untrue, the irrelevant, and the unresponsive (to the questions MEP's on the LIBE Committee have been asking). What comes through most clearly is Chertoff's presumption of administrative authority to make, and to enforce, conclusive extra-judicial determinations of "dangerousness", and to use them as the basis for denial of fundamental human rights.

Anyone suspected by the DHS, on the basis of PNR data and/or any other (secret) information, is presumed to have been guilty. The words "suspected" and "alleged" do not appear in Chertoff's statement, and there is no mention of whether any of the suspects and allegations he uses as examples has ever been brought before a court of law. Indeed, the very idea of subjecting any of these allegations to normal judicial process appears never to have occurred to Chertoff. His approach is that of a battlefield commander administering martial law, not a civilian official of a democratic state. According to one report:

He was asked to consider the oft-repeated criticism of the US "war on terror", that it was being fought at the expense of the fundamental rights of the citizens it claims to protect.

In answer, Chertoff ... suggested the Anglo-Saxon legal principle that "it is better that a thousand guilty go unpunished lest one innocent man be wrongly punished" might be outmoded.

Of course, if you watch all of the people (or all of the travellers) all of the time, you will eventually observe some crimes. Many of Chertoff's examples, however, relate to drug smuggling and other ordinary crimes, and fail to respond to LIBE Committee Vice-Chair Stavros Lambrinidis's point that "Thievery is not terrorism, illegal immigration is not terrorism," and fundamental rights should not be sacrificed for less-than-fundamental ends.

In addition, several of Chertoff's examples relate to use of PNR data related to people who had already been arrested. Chertoff failed to explain why, in these cases, the DHS or other agencies couldn't have obtained subpoenas or warrants for the PNR data.

Chertoff claimed that "PNR data is protected under the U.S. Privacy Act and the Freedom of Information Act, among other laws, as well as the robust oversight provided through ... American courts." But the Privacy Act applies only to U.S. persons, not EU citizens and residents. The DHS has exempted the Automated Targeting System (ATS), the database in which it stores PNR's, from most requirements of both FOIA and the Privacy Act. EU or other non-USA citizens and residents have no standing under these laws in any American courts. And since the PNR "agreement" has not been (and apparently isn't intended to be) ratified as a treaty by the U.S. Senate, it can't be enforced in U.S. courts or provide a cause of action even for U.S. citizens. Chertoff's testimony on all of this is disingenuous at best, if not mendacious.

The most disturbing of the statements attributed to Chertoff came in his responses to questions from MEP Sophie in't Veld, not his prepared written statement.

According to the official news release on the hearing:

Sophia in't Veld (ALDE, NL), wondered if PNR were being used for purposes other than counter-terrorism, such as to control infectious diseases, or for private purposes by employers and insurance companies....

Mr Chertoff replied that it is illegal for any private company to use data from PNR, and all those whose [sic] transgressed this law would be brought to justice.

I wasn't able to watch the Webcast of the hearing, and the Europarl and LIBE Committee press officers haven't yet had an opportunity (given the time difference between San Francisco and Brussels) to respond to my request for the relevant portion of the transcript.

But if the official report of Secretary Chertoff's dialogue with MEP in't Veld is accurate, his statement is an outrageous and deliberate lie, utterly unsupportable by any possible interpretation of the facts or the law, and which he must have known full well to be false.

On its face, Chertoff's claim is absurd.

PNR's are primarily commercial records, which were created, maintained, and used for commercial purposes by travel companies, long before governments took any interest in them. It's hard to imagine how airlines and other private travel companies could operate if they were actually prohibited -- as Chertoff claimed -- from using PNR data. And nothing in U.S. law restricts them from passing on any or all of that data to other private third (or fourth, or fifth) parties, or using it for undisclosed, nonconsensual purposes entirely unrelated to those for which it was originally collected.

Advanced Passenger Information (API) data is identifying data required by governments in addition to the information already collected and maintained by travel companies for their commercial purposes. But even when API data is required by governments, and provided and obtained involuntarily by travel companies solely because of that government mandate, no law in the USA restricts the ability of those travel companies to retain, use, and/or sell this data, for commercial or other purposes, before or after passing it on to the government.

If the official report is correct, the blatancy of Chertoff's lies about this nonexistent U.S. law restricting commercial use of PNR's by travel companies betrays complete contempt for the truth, for the European Parliament and its committees and members, for European public opinion, and perhaps most importantly for justice and human rights. If Chertoff's boss, President Bush, or the U.S. Congress care about any of these things, they should demand that he apologize, retract his false statements, and return to Brussels with a full and accurate accounting of the real legal and factual situation -- or resign or be fired.

If Chertoff had told such a lie under oath before a Congressional committee, it would have constituted perjury. Unfortunately, no U.S. law restricts the ability of U.S. government officials to lie before foreign government bodies. MEP's, and the European public, will have to rely on their own judgement of Chertoff's credibility. They should give Chertoff's unverifiable claims about the "effectiveness" of universal PNR surveillance exactly the credence his lies about verifiable questions of law deserve: None.

[Follow-up: Chertoff's testimony was different from what was reported. It was misleading and irrelevant, but it remains to be seen whether it will prove to be true or false. See: Chertoff pledges to prosecute crimes against the Privacy Act and Does the Chicago Convention authorize government demands for PNR's? No. Video of the hearing and press conference is now available online, thanks to Erik Josefsson of EFF.]

Posted by Edward, 15 May 2007, 08:00 (8:00 AM)

Monday, 14 May 2007

TSA shows how well it protects personal data

Public Statement on Employee Data Security Incident

WASHINGTON -- On Thursday, May 3, the Transportation Security Administration (TSA) became aware of a potential data security incident involving approximately 100,000 archived employment records of individuals employed by the agency from January 2002 until August 2005. An external hard drive containing personnel data (including name, social security number, date of birth, payroll information, bank account and routing information) was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital. It is unclear at this stage whether the device is still within headquarters or was stolen. TSA immediately reported the incident to senior DHS and law enforcement officials and launched an investigation. TSA is treating this incident as a criminal matter and has asked the FBI to investigate. The U.S. Secret Service is also assisting in the forensic review of equipment and facilities. TSA is cooperating fully.

CLICK HERE for TSA's website dedicated to the Employee Data Security Incident.

It's an interesting comparison with the TSA's disinterest in how travellers' personal data has been misused, or in the criminal violations of the Privacy Act that has entailed. I'm still waiting for an answer to any of my questions about those crimes, or any indication from the TSA and DHS privacy offices that they have been treated as criminal matters or are being investigated.

Posted by Edward, 14 May 2007, 19:48 (7:48 PM)

USA-EU "Open Skies" agreement signed but won't go to the Senate

On 30 April 2007, representatives of the USA and the European Union signed a so-called Open Skies agreement revising the rules for airline flights between the USA and the EU.

As I've noted in my analysis of the agreement and in my testimony to EU legislators and data protection authorities in Brussels in March, the "Open Skies" agreement contains dangerous provisions which, if put into effect, would prevent any Congressional oversight of measures imposed in the name of "aviation security" by secret administrative or executive directives, and give the force of law to ICAO recommendations, effectively delegating to ICAO "technical" bodies the authority to legislate for the USA on political, civil liberties, and human rights issues.

But the impact of those provisions depends on their legal status, which has been cast into doubt by the apparent decision of the executive agencies that signed the agreement (the Departments of State and Transportation) not to present it to the Senate for ratification as a treaty, in accordance with the U.S. Constitution. As a non-treaty, it grants no individual any rights and can't be invoked as binding or as a cause of action in any U.S. court, but it also means it doesn't have the status of "supreme law" that the Constitution accords to treaties, and can't be held to override or preempt Congressional action or oversight. That's the same indeterminate status that any agreement on PNR transfers will have, if (as now appears likely) it isn't presented to the Senate for ratification either.

There's nothing in the announcement of the signing or the text of the agreement to indicate whether it will be ratified, or what its legal status would be (as an international "agreement" that isn't a treaty) in the absence of Senate ratification.

A widely-reprinted Associated Press report says categorically but without attribution or explanation that "The agreement does not require the approval of Congress." There's nothing about ratification or the legal character of the agreement in the transcript and audio of the press conference following the signing.

In answer to a question about the PNR agreement the USA is now trying to negotiate with the EU, C. Boyden Gray, U.S. Ambassador to the European Union, told the press conference that PNR transfers had been discussed in the summit immediately preceding the signing of the "Open Skies" deal, but that, "what's happening now is up to Congress. And the President's made his proposal. Congress is now looking at it.... And I -- in some ways, I want to say direct your questions to the Congress because they're the ones who control the outcome. They write the rules in this instance and we are living under rules that have been written by the Congress and the Congress has to change them.... So you really ought to direct your questions to the relevant congressional committees."

On its face, that would seem to suggest that the PNR agreement not only will be, but already is being, considered by Congress. In fact, it isn't yet, and doesn't appear likely to be. Gray's statement appears to be nothing more than an attempt to evade responsibility for "agreements" unilaterally being negotiated by the executive branch, without the Senate ratification required by the Constitution.

Posted by Edward, 14 May 2007, 18:17 (6:17 PM)

Friday, 11 May 2007

While I was away

I had a great time with Evan Korth's students at NYU, and at CFP in Montréal. But the hard disk on my home computer failed while I was out of town, and I'm still working on recovering as much as possible of my data. A friendly reminder: How recent are the backups in your safe deposit box? (Mine were several months old, unfortunately.) If your hard disk crashed / your ISP went out of business / your house burned down tomorrow, what would you do?

If you want something to print out and read while you are making those off-site backups you haven't gotten around to in too long, here are some of the articles mentioning my work that appeared in the news in the last couple of weeks while I was gone:

More updates to come, as I catch up.

Posted by Edward, 11 May 2007, 17:28 (5:28 PM)

Sunday, 6 May 2007

The Amazing Race 11 (All-Star Edition), Episode 12

Fort Soledad (U.S. Territory of Guam) - Honolulu, HI (USA) - Lanai, HI (USA) - Oakland, CA (USA) - San Francisco, CA (USA)

The All-Star season of The Amazing Race finished this week once again in my adopted home town of San Francisco. The decisive final task required one member of each team of two racers to guess how their partner would have answered a series of questions about the other teams they met on the race.

Despite its hokey staging, which used the numbered answers to the four questions as the combination to a standard hotel-room safe set up in a basement room of the Old Mint (hotel safes in a bank vault?), the "roadblock" tested a real-world travel skill: the ability to guess, when you aren't able to consult your travel companion(s), what they would choose.

In the real world, when you have to make a decision without being able to consult your partner, it matters less whether you think the same than whether you understand the differences in each other's thinking. That can be especially challenging if you've grown accustomed to being able to consult your partner quickly by cell phone or e-mail, wherever you are in the country, but don't have those means of communication as readily available when you are separated (however briefly) during an international trip, and one of you needs to make an immediate decision, on the spot and on your own, that will affect you both.

Perhaps it's not surprising that Danielle and Eric, who met (as members of different teams) during an earlier season of "The Amazing Race", were the ones who did best at guessing each other's travel preferences, thereby finishing this final task first and winning this season of the race. People are different when they travel, and it can be hard to know what someone will be like as a traveller until you actually travel with them. People who know each other well "at home" often find that their partner has different tastes in travel, or behaves differently "on the road" than they had expected. People who meet while travelling may not get along at all when they try to settle down somewhere (regardless of what may happen with Danielle and Eric) but they can get a much quicker, and more accurate, impression of each other's manner of travel.

That's why I recommend that people considering long-term travel together, no matter how well they think they know each other or how long they have lived or worked together or been married, (1) spend some time, before they commit to a long trip together, describing to each other (and listening to each other!) what they expect their travel life together will be like, and (2) if at all possible, take a shakedown trip together before committing to a longer one (or to one to a place or under conditions where they wouldn't both feel comfortable splitting up en route).

Posted by Edward, 6 May 2007, 23:59 (11:59 PM)

Thursday, 3 May 2007

"Your Reputation Precedes You" (CFP 2007)

I'm on a panel entitled "Your Reputation Precedes You: The Transfer of European Union Passenger Name Records to the U.S. and Canada" today at the conference on Computers, Freedom and Privacy.

Here are links to some of the topics and previous articles I may mention in my talk:

Update: Here's a slightly revised version of my presentation:

Since September 11, 2001, the assumption of the people setting travel-related "security" policies -- most of whom have come from outside the travel industry and have little or no actual knowledge of travel industry information technology or business processes -- has been that the technology of travel is quite ordinary ("Reservations are just databases, right?") but that the policy issues are somehow an exception to normal principles of civil liberties or human rights. ("Obviously, we have to make some exceptions when we are talking about airplanes, right?")

The real situation, I think, is just the reverse: Travel technology is its own "parallel universe", with its own protocols and norms that impose more, and different, practical constraints than people outside the industry tend to realize. But the policy issues raised by data about the movements of people are much more similar than is generally recognized to the issues with data about movements of messages, movements of money, movements of data, and other types of traffic data.

I've argued previously -- particularly in a workshop Stephanie Perrin organized here at CFP 2 years ago in Seattle -- that the prevailing "exceptionalism" about air travel is largely a result of unresolved societal as well as individual post-traumatic stress, from which the United States continues to suffer. In the same vein, I think that a large part of the dispute both with and within the European Union on aviation and border security is that, as people begin to move past the post-9/11 trauma -- a process in which, in general, Europeans are well ahead of most Americans -- they begin to look at aviation in more "normal" terms, and to subject travel-related policies to some of the same critical scrutiny, and the same standards, that they apply in other areas.

I welcome this development, and it's in this spirit that I offer these remarks.

Stavros Lambrinides, vice-chair of the civil liberties committee of the European Parliament, put this very clearly last month both in Brussels (at hearings that Bob Davidson [vice president of the airline association IATA, who had been scheduled to be part of the panel at CFP] and I both attended) and as part of a European Parliamentary delegation to Washington to discuss these issues with members of Congress. "We're as fanatical as anyone about terrorism," he said. "But most of the use of these so-called anti-terrorist measures is not against terrorism. Drug smuggling is not terrorism. Illegal immigration is not terrorism. We shouldn't even be talking about sacrificing fundamental freedoms for less than fundamental ends."

So what's "fundamental" here?

The fundamental right at issue here is first and foremost the liberty of movement guaranteed by Article 12 of the International Covenant on Civil and Political Rights -- a treaty ratified by Canada, by all of the members of the European Union, and even (perhaps surprisingly) by the United States.

In addition, airlines are required in all of these countries to operate as "common carriers". That means they can't pick and choose their customers, but must, by law, accept and transport equally all passengers paying the fare and complying with the rules in their published tariff.

The root of the dispute about "Passenger Name Record" (PNR) data is that airlines and police have failed to recognize this. Instead of acting within the framework of a presumption of a right to travel, they have operated from an equally fundamental -- if often unstated and legally unsupportable -- presumption of their right to control who can and who can't travel.

Nowhere is this more clear than in the "Notice of Proposed Rule-Making" (NPRM) published last year for "Advance Passenger Information" (API), for international flights to, from, or overflying the US.

Without getting bogged down in the distinctions between API and PNR data, API data is more limited but more standardized than PNR data. API data is intended more to identify the traveller and enable correlations with other databases, while PNR data is more descriptive of the current journey.

API data is often stored in the PNR -- IATA has, in fact, worked hard to facilitate this by adding support for API data to the AIRIMP protocol -- but API transmissions to government agencies are nominally independent of PNR access, and are not regulated by the PNR agreement (between the USA and the EU) or the undertakings of the US Department of Homeland Security with respect to PNR's.

The API proposal -- which has not yet been finalized but remains pending -- would replace the current US requirement for ex post facto notice with a system of prior restraint. Instead of having to notify the destination country of who is on the plane, once the flight is on its way, the airline would have to get permission from the destination government before each passenger is allowed to board the plane. The default would be that, unless the airline has received individualized prior permission, they may not permit you to board.

A similar global goal to transform advance passenger information systems into advance travel authorization systems (with a presumptive default of "no"), was articulated by government representatives at the ICAO meetings Bob Davidson and I both attended here in Montreal last fall.

So we aren't just talking about privacy. The issue is not solely, or primarily, government access to data about your movements. Governments -- and not just that of the USA -- want to use that data: they want to associate your physical body with a data cloud, and make decisions about where they "permit" you to move -- in an explicitly permission-based system -- on the basis not of attributes of your physical person (such as criminal acts or possession of weapons), but on the basis of the data cloud that they have created and they have associated with you. Association in their systems with what they regard as a criminal (or insufficiently innocence-proving) data cloud becomes under such a permission regime a bar to the exercise of your human right to freedom of movement -- in flagrant contravention of the ICCPR and the common carrier statutes.

But the pending API rulemaking is only one of a series of efforts to evade or bypass the PNR agreement. As a result of these other initiatives, the terms of the PNR agreement -- even if it were enforceable in US courts, which it isn't -- would be unlikely to set the boundaries of government access to and use of airline reservation data. It's these measures, not the PNR agreement, that call for our closer attention. In addition to (1) the API rules, which are also under discussion by ICAO and within the EU, these include the following:

(2) The proposed "Open Skies" agreement on civil aviation between the USA and the EU has been discussed in the press primarily in terms of the allocation of gates and landing/takeoff "slots" at Heathrow Airport and of which airlines will be authorized to fly between which airports in Europe and the USA.

But hidden within the Open Skies agreement are insidious provisions that would require compliance by all parties to the agreement (i.e. the USA and the members of the EU) with any "security measures" adopted by the other party -- with no requirement that those "measures" be adopted democratically or according to any standard of due process, or that they be justified under any particular standard (or, indeed, that any justification at all be offered for them, other than the simple assertion that their purpose is "security").

If the Open Skies agreement is ratified as a treaty, secret administrative security directives, essentially immune by their secrecy from judicial review, would thus be incorporated into treaty law that would take precedence over any Congressional or European legislative enactment, or the unilateral "undertakings" or non-treaty "agreement" on PNR transfers.

Similarly, the Open Skies agreement would require compliance with all "security recommendations" of the International Civil Aviation Organization (ICAO). For historical reasons, ICAO (whose headquarters is across the street from the CFP venue here in Montreal), is the global standard-setting body for personal identification credentials ("travel documents", i.e. passports) as well as more narrowly aviation-related matters.

ICAO explicitly describes itself as a "purely technical" body that only makes "recommendations", not a body with the charter or competence to legislate or even consider political or policy questions. Yet under the Open Skies agreement, those "technical recommendations" will acquire the force of law, preempting any oversight that national authorities might try to exercise.

Within the memory of those I have consulted at ICAO and during the ICAO meetings I attended, no national data protection office or civil liberties or human rights ministry has ever been included in the membership of any country's delegation to any ICAO meeting. Here at CFP, I have urged the Office of the Privacy Commissioner of Canada to take the lead in changing this, by insisting on the inclusion of the Commissioner or someone from her office in Canada's delegations to future ICAO plenary and Facilitation Division meetings and, perhaps more importantly, in ICAO's New Technologies Working Group (NTWG) and Task Force on Machine-Readable Travel Documents.

The USA has, as CFP-ers well know, no comparable government privacy or human rights ministry. But citizens of Canada and other countries should demand that these departments within their national government take a direct participatory role, not merely one of advisors to national security and law enforcement agencies, in ICAO decision-making.

I also urge the U.S. Senate to consider the implications of this delegation of power to ICAO if (as it should) it holds hearings and conducts a full debate on ratification of the Open Skies treaty.

(3) The easiest and most common way the PNR agreement is bypassed is through commercial international transfers of PNR data, which make possible indirect government access to that data once it is in the USA.

The PNR agreement applies only to PNR data accessed directly from airlines by the DHS Bureau of Customs and Border Protection. But that ignores the industry norm: Most airlines and travel agents outsource hosting of their reservations (PNR's) as well as their customer profile (CRM) data to "Computerized Reservation Systems" (CRS's) that are based in the USA or process this data in the USA.

Once that data is in the USA, it can be transferred to, or accessed by, CBP or any other governmental or commercial entity, through a variety of mechanisms (subpoenas, sealed warrants, National Security Letters, commercial sale, or "voluntarily" by those CRS's and other intermediaries) without the knowledge or consent of the airline, much less the passenger, and entirely outside the terms of the PNR agreement.

This is a routine practice, not a purely hypothetical risk. For example, when the US government wanted data to test the first version of the CAPPS-II airline passenger surveillance and profiling system in 2002, millions of real reservations (including reservations made in the EU and Canada) were provided to the CAPPS-II contractors through a series of commercial intermediaries in the USA who were already in possession of that data.

This happened in 2002, and I first reported it in 2003, but not until 2004 did American Airlines admit that it had happened. There has still been no public inquiry into which other airlines' reservations may have been involved.

In the absence of government inquiry, I encourage those of you who live in the EU, or who fly on EU-based airlines, to exercise your rights under EU law to request an accounting from travel agencies, tour operators, airlines, and CRS's of what they have done with your data. I've provided sample request forms for that purpose on my Web site.

American Airlines stores its reservations (PNR's) in the Sabre CRS. From Sabre, they are transferred for other processing to a company formerly called Airline Automation, Inc., now Amadeus Revenue Integrity (and still located in the USA although now entirely subject to EU jurisdiction as a division of the Amadeus CRS based in the EU).

American Airlines claimed that Airline Automation provided PNR's to the CAPPS-II contractors at the "request" of the government, and without the knowledge or consent of the airline. Sabre refused to comment, so we still don't know whether even the CRS was aware of what had happened. Travellers whose data was used in the tests were the last to know: the airline still has taken no action to inform those whose data was used.

The key thing about this tortured tale is that since none of the data was obtained directly from the airline -- the airline claims it didn't even know about it -- this would not violate the PNR agreement or any US law if it were to recur today. Once PNR data is in the hands of a commercial entity in the USA, there is no control on where or to whom it goes, and the PNR agreement does not apply to either coerced or "voluntary" disclosures of the data.

This is exactly the sort of consequence of data outsourcing, and of commercial transfers of personal data to countries without adequate data protection regimes, that the EU Data Protection Directive is supposed to prohibit. Standard operating procedures in the travel industry routinely violate the EU Data Protection Directive.

(4) In addition to the Data Protection Directive, EU law regulates the practices of the CRS's through a "Code of Conduct for CRS's" which includes very strong -- although entirely unenforced -- privacy and data protection provisions. But the European Commission is currently considering revising or repealing that Code of Conduct, which could potentially result in the repeal of those protections.

It has yet to be established whether the "data controller" for PNR's is the travel agency, the airline, or the CRS, or at what point in the reservation process PNR data is considered to be "transferred" to the USA. This makes it easy for each of the companies involved to evade accountability under the Data Protection Directive. The Code of Conduct for CRS's closes that loophole by requiring the CRS's who actually store most PNR's to protect the data, and to provide travellers with access to their own PNR's, regardless of who is considered the owner or controller.

The Identity Project, with which I work, has submitted comments to the European Commission explaining the continued need for the privacy provisions of the Code of Conduct for CRS's, and urging that they be retained, strengthened, and enforced -- not weakened or repealed.

Since this panel was to have included the principal representative of the world's airlines when they lobby the world's governments (Robert Davidson, vice-president of IATA), I feel obliged to note that airlines have been part of the privacy problem with PNR's, not part of the solution.

Objections by airlines to schemes for government surveillance and control of travellers have been made on the basis of their costs to the airlines, not their impact on airlines' customers' rights.

Airlines have, to their credit, opposed being deputized involuntarily as enforcers of immigration rules, but not the basic principle of government control. Airlines have failed to assert their obligation as common carriers to transport all would-be passengers, or their customers' right to travel. At the ICAO meetings I attended here in Montreal last fall, I heard Bob Davidson tell the assembled government delegations, "As soon as someone says the words, "political asylum", you lose." That's wrong: asylum should be seen as a victory for human rights, not a "loss" of control by government.

The theme of Bob's message to governments, in his role as lobbyist for the world's airlines, was, "Don't treat us as adversaries. Let us help you." Airlines are willing, even eager, partners in surveillance of travellers, as long as (A) governments reimburse the cost, instead of imposing it on airlines as an unfunded mandate, and (B) airlines get a free ride to use this data too, even when it is collected under government coercion.

Airlines have claimed to care about their customers, but they haven't suited their actions to their words. Here are some of the things airlines could have done, and still could do, but haven't (yet) done:

(1) Incompatible European and US legal obligations have put airlines in an impossible double bind, with which I sympathize. But when they've had to choose, airlines have -- without exception -- complied with US law, even when that has meant violating EU privacy and data protection law.

(2) Airlines have (sometimes, usually quietly) complained about government impositions and demands for data in the name of "security". But no airline has challenged the legal basis for those requests or demands, or litigated either government demands for PNR information or government orders not to transport particular passengers. That's especially significant because, as we heard yesterday, the US government will neither confirm nor deny that any particular person is on its "no-fly list". And since the "do not transport" order is issued to the airline, not the would-be traveller, the airline has a much easier time establishing the necessary standing to get the order reviewed by a court.

(3) Airlines have not disclosed to customers when PNR data is disclosed to commercial or governmental third parties. As I noted earlier, even when airlines have admitted that their PNR's were used for improper purposes, they have made no effort to notify the people whose data was thus misused, in violation of all norms for data breaches in other industries.

As for the DHS, what we have is a complete lack of enforcement of existing laws.

The most serious violations of the Privacy Act are crimes. That sounds great, except that it means that there is no “private right of action”. Neither those whose rights are violated, nor third-party watchdogs, can sue to enforce the law. Presumably, the responsibility for enforcing the criminal provisions of the Privacy Act rests with the departmental Privacy Officers – which is a problem, since most of the criminal violations of the Privacy Act have been committed by those same Privacy Officers, when they have knowingly published false and/or incomplete Privacy Act notices, and allowed the systems of records to operate in spite of their knowledge of the lack of proper notice.

The Privacy Act requires notice, in advance, that describes all the categories of individuals about whom records will be kept. That was violated with the use of real PNR’s for testing of the CAPPS-II and Secure Flight airline passenger profiling and surveillance schemes, when the “System of Records Notices” (SORN’s) falsely claimed that the only “data subjects” would be airline passengers. In fact – as the Privacy Officers promulgating those notices knew from comments I and the Identity Project filed with them – those PNR’s also included personally identifiable data on other categories of individuals, such as airline and travel agency personnel and people paying for other people’s tickets. The notices also falsely claimed that European Union or “international” PNR’s would be excluded, when in fact, as the DHS has admitted, it is impossible to tell from anything in a PNR in which jurisdiction(s) the data it contains was collected.

(The important distinctions between PNR’s for flights that touch the EU, PNR’s for flights on airlines based in the EU, and PNR’s that include data collected in the EU have often been lost in the catch-all usage of the term “European PNR’s”. This and the false or nonexistent SORN’s have also helped obscure the violations of both the EU Data Protection Directive and the EU Code of Conduct for CRS’s.)

The same criminal violations were repeated with the “Automated Targeting System” (ATS), with the additional and even more serious problem that PNR's were being stored in the ATS at least as early as 2003, but the notice of this wasn’t published until 2006.

Neither I nor the Identity Project have received any response to our specific written requests to the DHS Privacy Office and the DHS Inspector General’s office for enforcement of the criminal provisions of the Privacy Act against those responsible for collecting and processing PNR data without proper notice. And the TSA’s Privacy Officer has specifically refused to respond to my requests for information concerning the procedures, if any, available to those seeking redress under this and other laws. I invite the DHS’s representative here today [Kenneth P. Mortensen, Acting Chief of Staff, DHS Privacy Office] to explain how the DHS Privacy Officers police their own violations of the Privacy Act, or who else is responsible for policing them.

Posted by Edward, 3 May 2007, 00:17 (12:17 AM)