[Infowarrior] - Travelers Face Greater Use of Personal Data

[Richard Forno]

Travelers Face Greater Use of Personal Data
Pact Covers Passengers Flying From Europe to U.S.

By Paul Lewis and Spencer S. Hsu
Washington Post Staff Writers
Friday, July 27, 2007; A07

http://www.washingtonpost.com/wp-dyn/content/article/2007/07/27/AR2007072700
159_pf.html

The United States and the European Union have agreed to expand a security
program that shares personal data about millions of U.S.-bound airline
passengers a year, potentially including information about a person's race,
ethnicity, religion and health.

Under the agreement, airlines flying from Europe to the United States are
required to provide data related to these matters to U.S. authorities if it
exists in their reservation systems. The deal allows Washington to retain
and use it only "where the life of a data subject or of others could be
imperiled or seriously impaired," such as in a counterterrorism
investigation.

According to the deal, the information that can be used in such exceptional
circumstances includes "racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade union membership" and data about
an individual's health, traveling partners and sexual orientation.

Airlines do not usually gather such data, but officials say it could wind up
in passenger files as a result of requests for special services such as
wheelchairs, or through routine questioning by airline personnel and travel
agents about contacts, lodging, next of kin and traveling companions. Even a
request for a king-size bed at a hotel could be noted in the database.

The data now stored includes names, addresses and credit card information as
well as telephone and e-mail contacts, itineraries, and hotel and rental car
reservations.

The deal, signed yesterday by the United States and approved Monday in
Europe, provoked alarm from privacy and civil-liberties groups on both sides
of the Atlantic. "What Americans should be concerned about is it is now here
in black and white: The government will maintain a database of all travelers
-- including travelers of U.S. citizenship, including people who are
believed to be no risk or threat . . . the government will maintain that and
data-mine it," said Jim Dempsey, policy director for the Center for
Democracy and Technology, a Washington-based advocacy group.

Peter Hustinx, the E.U.'s privacy supervisor, expressed "grave concern" over
the plan, which he said is "without legal precedent." He wrote to E.U.
officials on June 27, "I have serious doubts whether the outcome of these
negotiations will be fully compatible with European fundamental rights."

U.S. Homeland Security Secretary Michael Chertoff praised the pact as an
"essential screening tool for detecting potentially dangerous transatlantic
travelers." If available at the time of the Sept. 11, 2001, attacks,
Chertoff said, such information would have, "within a matter of moments,
helped to identify many of the 19 hijackers by linking their methods of
payment, phone numbers and seat assignments."

U.S. customs officials began collecting Passenger Name Record data in 1992
for inbound international flights and enforced the requirement after the
2001 attacks. The government now stores data on nearly all 87 million
passengers who arrive in the country by air each year, most of them from
Europe, in a master border security database, Homeland Security officials
said.

The government combines such information with terrorist watch lists, other
databases and sophisticated computer algorithms to detect high-risk
travelers, in ways that watchdog groups say it has not adequately explained.

The agreement announced yesterday extends and expands a 2004 arrangement
between the United States and the European Union. That pact was struck down
on a technicality in May by Europe's highest court, which gave both sides
until July 31 to negotiate a new deal. The United States had threatened to
turn back flights otherwise.

Paul Rosenzweig, Homeland Security's deputy assistant secretary for policy,
said sensitive information that is subject to extensive restrictions in
Europe, such as data on religious beliefs and sex partners, is routinely
filtered out by U.S. computer systems. To his knowledge, he said, the U.S.
government has never invoked its authority to use such information.

On the other hand, Rosenzweig said, such data might be important if U.S.
authorities learn of an alert about passengers who request wheelchairs
hiding bombs in leg casts, or a warning about a threat to a political
gathering, or a health emergency affecting people with communicable diseases
such as tuberculosis.

Mostly, Rosenzweig said, it is threats that authorities have not thought
about that worry them. "We are just not going to bind ourselves not to have
full access to information that might be in Passenger Name Records if there
is a severe predication and reason to do that," he said.

Under the new accord, which will take effect in August and continue through
July 2014, Europe allowed the United States to extend how long it can store
data -- to 15 years from 3 1/2 years. Beginning in January 2008, airlines
will be required to send, or "push," data from their reservation systems to
the Homeland Security Department 72 hours before a flight departs, expanding
an existing "pull" system in which the department retrieves information from
carriers.

Washington won the authority to share data liberally within the government
and with third countries at the discretion of Homeland Security officials,
but agreed to E.U. demands to limit its uses to counterterrorism, probes of
serious crimes, public health emergencies and flights from custody.

The United States reduced the number of fields from which it will collect
information about each passenger, from 34 to 19, but expanded the amount of
data covered by some fields. Washington assured the European Union that its
citizens will continue to have the same administrative protections as
Americans to obtain information collected about them and to seek to correct
errors.

Although Homeland Security has said it will move passenger information to
"dormant" status after seven years and "expects" to erase it after 15 years,
it notified the E.U. that expiration of data will be subject to "further
discussions."

Dutch lawmaker Sophia in't Veld, the European Parliament's standing
rapporteur on Passenger Name Records, said the agreement gives a green light
to U.S. authorities to use confidential information for unstated purposes.
Stavros Lambrinidis of Greece, vice chairman of the parliament's civil
liberties, justice and home affairs committee, warned that it allows extra
data collection not just in counterterrorism cases but for "a vast and in
some cases unidentified number of crimes. So we have function creep."

U.S. officials said the agreement with Europe -- which has stronger
data-protection laws than many countries, including the United States -- is
likely to serve as a template for similar U.S. agreements covering travelers
from Asia, South America and other regions, and for Europeans to set up
their own, similar system.

Staff writer Ellen Nakashima contributed to this report.