Schneier on Security
A blog covering security and security technology.
January 20, 2005
American Airlines Data Collection
Last week on a trip from London to the US, American Airlines demanded that I write out a list of the names and addresses of all the friends I would be staying with in the USA. They claimed that this was due to a TSA regulation, but refused to state which regulation required them to gather this information, nor what they would do with it once they'd gathered it. I raised a stink, and was eventually told that I wouldn't have to give them the requested dossier because I was a Platinum AAdvantage Card holder (i.e., because I fly frequently with AA).
The whole story is worth reading. It's hard to know what's really going on, because there's so much information I don't have. But it's chilling nonetheless.
Posted on January 20, 2005 at 9:28 AM
• 25 Comments
It will be a lot more chilling once they stop asking... because they no longer need to.
I've been asked by quite a few countries where I'm staying before they would let me enter or sometimes board transportation. From memory, these countries include Indonesia, Israel, Malaysia, Kiribati, New Zealand, Belize, as well as a rash of others.
This is a very common question on Visa applications, isn't it? So if a Visa isn't required I suppose it's not unreasonable that you get asked in person.
What is unreasonable is a transportation company demanding it for no apparent reason.
But personally, I consider it to be no one's F^&&&* business but my own!
I agree with Ted. I would say "it's none of your business". Similar to the answer I gave when I was asked my religion by US Customs officers when entering from Canada. Or where my parents were from or what they do for a living.
Wait a minute, you've always been asked where you are staying, but you could usually put the primary residence down.
If you are visiting your relatives, then most people would say "I am staying with family" and put one address down, no?
I never thought there was any need to say "first I'll be at my Uncle's for his birthday, and then I'll be down the street at my Mother's house for a day or two, and after that I'll be at Grandma's house for one day, etc."
It simply makes sense that if you mention more than one location to a security officer, then you should expect them to ask for details on more than one location. There's a practical aspect to this as well, since I believe security officers are likely trying to profile risks and take down information you give them; they are not actually trying to build a huge database of passenger information based on the little paper forms, are they?
I have always observed that wise travellers provide no more than the information that is directly relevant to the question being asked -- the "most accurate" answer -- which has neither too little nor too much detail. It's a fine balance, but part of the usual business of crossing International boundaries, obviously compounded by different cultural views of what constitutes suspicious or risky behavior.
The connection to American Airlines is odd until you put yourself in the officer's shoes, facing a barrage of questions from the passenger. I would guess, if you could ask the officer, she would say it was an unfortunate reaction as she was unprepared to explain security policy. So she reached for straws and pulled out a story about American Airlines.
Here's a guy who, like most of us, must be tired and cranky from flying. Add that to the fact that he's more than willing to pick an argument (call it "defending his rights" if you will) about personal information. After I read his letter I imagined him waving his arms and saying things like "Do you know who I am? I have Platinum status and I blog! Do you want me to call my friends? Have you heard of the EFF? Don't push me or I'll blog you!"
Davi, I've read more of Cory's words than this little segment and I can't see him doing that. He wasn't tired from flying. He lives in the UK these days and was in the UK flying out to the US. He works for the EFF, so that explains the EFF mention.
So, this was a situation involving an AA employee in a British airport asking for irrelevant information from a Canadian traveler flying to the US.
I agree that it is fairly common to be asked where you are staying when you arrive in a country, but this was before he left. And they wanted written names and addresses, it wasn't just the INS guy trying to make sure that you weren't planning on staying illegally.
I think that your characterisation of Cory is unfair.
Do they think that only irregular fliers might intend to blow up a plane? Weren't several of the individuals involved in 9/11 flying/using AA-advantage or similar memberships, passports or tickets?
Lie to them.
Tell them you're staying at someone's house, or a hotel, or whatever. They don't have the resources to follow it up (what with thousands of passengers per day), so if you look serious, they'll take it.
And if everybody starts lying, and people are known to do so, the value of this particular countermeasure will drop.
Friendster or Badster--just think about how well it will work! Terrorists will write down the names of all the terrorists they are going to stay with and visit. Similarly, non-terrorists will only stay with non-terrorists. Soon you will have two sets with no members in common and can reduce the size of government by closing DHS.
I've read the full text of the letter as well (http://craphound.com/aadossierletter.txt) and it is abundantly clear that if Cory had said "I am staying with a friend" then he would have had one form to fill-out, rather than three.
This brings us back to Bruce's "behavioral assessment" blog entry on November 24, 2004 (http://www.schneier.com/blog/archives/2004/11/profile_hinky.html)
I agree with the general concerns in the letter regarding privacy, and it's easy to see how the screening system could use some improvement (the trigger seems too sensitive to be used without correlative data -- flying with a passport that doesn't come from either the origin or destination of the flight).
But after reading the entire letter, I still do not see how it could be such a big surprise, let alone invasion of privacy, to tell an officer "I will stay in three places" and then get handed three pieces of paper to provide details.
If anything, it's unfair to characterize the original request (where will you be staying in the USA) as "American Airlines demanded that I write out a list of the names and addresses of all the friends I would be staying with in the USA".
And not to be too nitpicky, but I wonder if three addresses of friends really constitutes "personal" information under the UK Data Protection Act.
There is an argument that the names and addresses of friends are the personal data of those friends, though. I think this is the point he was making in the letter, that the Airline was holding not just his own personal information, but also the personal information of three others (his 'friends') and that they also should have free access to that information under the Data Protection Act.
I haven't read the act, so don't take my word for it, but I assume that my personal information is still my personal information, even if it wasn't me who gave it to you. Otherwise there would be no need to protect it (since the first time I give it away, it is no longer mine. A situation that exists in the USA but not in Europe AFAIK.)
In this Act "sensitive personal data" means personal data consisting of information as to-
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
You quote the definition of "sensitive personal data" from the DPA.
A couple paragraphs above there is a definition of "personal data" this means "data which relate to a living individual who can be identified- (a) from those data" which clearly covers the friends.
The act distinguishes between personal data and sensitive personal data. It has an overriding principle that you must only collect data that you need with stronger protection for sensitive data, the fact that AA backed down shows they did not *need* the data, therefore it is likely they were breaching the act.
I still don't understand how asking where someone is staying makes an airplane any safer, except perhaps as part of a larger interview designed to detect people who are "acting hinky", which doesn't seem to be the case here. If that person is a bad guy, he'll have a prepared lie ready anyhow. I'm starting to agree with Ann Coulter that the way to make the airlines "safe" is to abolish the Dept. of Transportation and FAA. Open up the skies, and airlines that have shoddy security will find themselves with fewer customers flying at cheaper prices. People who want to feel completely safe in the skies will be able to pay more to fly on El Al or similar high-security airline.
What is odd in this story is the role of the airline employee. Travellers to the US have to fill in a standard form (among others, you have to specify whether you plan a terrorist attack against the USA, yes or no) and hand it to the border control agent who may ask any questions he thinks fit. But this was never the business of the airline. Their business is to make sure that travellers have the necessary visa.
Moreover, an airline employee in London, unlike a US border control agent, is clearly bound by UK and EU privacy laws, thus they have to justify any collection of data. They would have to provide written information about what data they are collecting, why they are collecting it and who may have access to that data. If they intend to pass personal data on to third parties, they would have to ask the traveller for a written permission. At least that's what the law requires.
Thanks for the clarification. I think AA "backed down" because there was a simple miscommunication. Again, they asked for general information, not specific. Cory gave them information for three locations, thus implicating his friends. It therefore follows reason that they would ask for addresses for the places HE told them he would be staying. Adding data retention policies to the little card that you fill out doesn't change the fact that he basically prompted them to ask for more information.
This really is more about passenger profiling, the irregularity of border crossings, and one cranky passenger who wants to make a fuss than it is about institutional espionage.
As Pete pointed out there is a difference between "Personal Information" and "Sensitive Personal Information". There is also a difference between Immigration officers in the US (whose job is to ask where you will be staying and decide whether you should be allowed to enter the country based on the answers that you provide) and Airline Employees.
This was not an Immigration officer asking where he was staying in the US (I've had that question before and I accept that they wanted to see if I had a ready answer. They didn't write down the answer anywhere, they just wanted to see my response.) This was an Airline employee who was asking the same question. What business is it of the Airline where I am staying once I've left the plane? Do you see the distinction now? If you were to take a ferry or a train, or a bus would you like to have to tell someone where you were going to be staying every time you did? What use would the local bus company have for a pile of records that said "passenger A boarded the bus at stop 1252, got off at stop 2705 and was going to visit a store to buy some underwear"? Yes, this is an argument reductio ad absurdum, but I think it's valid. The Bus company might want to know that a passenger rode from 1252 to 2705, but who and why is irrelevant to their business. They would be more interested in the aggregate information for route planning. The people who might want to know the specific information are probably the people that you don't want to know that.
I guess my main point here is that it's not the specific information that was being requested, it is WHO was requesting that information. The airline doesn't need that information, if the government wants it then the government can ask for it themselves.
Just another sign of US government agencies having airlines remove passengers' freedoms whilst at the same time dear little George is telling the world the US is taking freedom to the world! God help us!
These airlines are just asking for everything they can get these days from passengers, wrong for sure however I suspect they are doing it to shut the DHS/TSA up, or at least to second guess what these fools will want next! Within a few years half the world's population will be on TSA no fly list, they are a joke!
And the people wonder why airlines are slowly but regularly going belly up?
Trust me, there will be some big airlines to fall over in the US in the near future, simply because sane people around the world trying to do business are just not going to go to or deal with companies in the US.
They would rather do business elsewhere. That's why Airbus in Europe and huge deals of all sorts are being done in Asia and Europe.
People are just looking at the US and saying "to hell with going there its too hard" and whilst the US is a huge economy if US government agencies continue to treat people entering the US like criminals & terrorists it won't be long before it ain't the economy it was and is now!
You have a point that there are numerous distinctions to be made between a government employee and an airline employee, but if both are engaged in "behavior assessments" of passengers, then I suspect they would appear more similar than different. Should a transportation company be allowed to screen its passengers? I believe this blog entry answers your questions:
Clever. Someone wrote directly to AA. Here's their official response:
"Mr. Doctorow exhibited specific behaviors and cues before and during our initial security screening that caused our screener to initiate a secondary screening process. We will not publicize those behaviors because to do so might hamper the effectiveness of the screening process in the future.
That said, our contracted screener veered from standard procedure when she asked for Mr. Doctorow to write the addresses of his destinations in the United States. She did clearly state that once the interview was completed, the address list would be destroyed in front of Mr. Doctorow or that he could have the list to keep. American Airlines absolutely does not register or record that type of personal data."
Mr. Doctorow has stated that the airline's response is factually incorrect and that neither the original employee, the supervisor or the terminal manager informed him the document would be destroyed:
"At no time did the screener or her supervisor ever state that the list would be destroyed in front of me, nor that I could keep the list."
Bummer for Cory. I guess we should all want to rally behind Cory against this big bad security screener. But instead I have to give big kudos to the airline for an open disclosure making it clear that they care about handling things properly and they respect consumer rights. This can obviously be verified hundreds of times a day.
If we acknowledge Cory's latest complaint that he was not told at the time what would happen to a piece of paper with his friends' addresses; now he knows. And he also knows now that the overzealous security officer was not following procedure and will be dealt with. End of argument, no?
Is Cory really defending something at this point (other than pride) or is he tilting at windmills, or (who could imagine) trying to build notoriety as a freedom fighter? Let's be reasonable here. AA clarified the situation, as requested, they apologized for an employee's behavior, and perhaps now it is time for Cory to show he is capable of the same before he erodes any more of his own (and EFF's) credibility.
Again, the lesson here should be that if an officer asks you a simple question and you give a complex answer ("I'll be staying here and here and here and here"), then do not be surprised to be asked follow-up questions or have to provide more detail.
All I can say to Cory is thanks for trying, but please accept some responsibility for your actions. Let's put this one to bed and move on to the more pressing issues.
The bottom line is AA stinks.
There are still "things" going on with AA. They behave in a way that for Europeans is scandalous.
I just posted some lines from my daughter's experience yesterday in Miami. She will blog the full story when she hopefully arrives here in Oslo on Friday.