The DHS Secretly Shares European Passenger Data in Violation of Agreement

From the ACLU:

In 2003, the United States and the European Union reached an agreement under which the EU would share Passenger Name Record (PNR) data with the U.S., despite the lack of privacy laws in the United States adequate to ensure Europeans' privacy. In return, DHS agreed that the passenger data would not be used for any purpose other than preventing acts of terrorism or other serious crimes. It is now clear that DHS did not abide by that agreement.

Posted on May 8, 2006 at 6:34 AM • 32 Comments

Comments

StupotUKMay 8, 2006 7:12 AM

...so the EU will now sue the US, and charge extra for bent banana's...there is nothing like a bit of trust...the safe harbour agreements are just so...well....water tight.

Swiss connectionMay 8, 2006 7:18 AM

Are you sure?

According to new draconian law, just about every action, every person and every organization in the US nowadays can be construed by the government as being terrorist related. So in that sense perhaps, they are acting within the agreement!

VickiMay 8, 2006 7:18 AM

Were I an EU citizen who'd flown to the U.S., I'd be concerned not only that my data had been shared without my knowledge, but that they might have gone beyond the CDC. Also over what the CDC might be planning to use them for.

(Even without this, I have European friends who won't visit me/New York anymore, because they don't trust the current administration. This is not going to help me convince them otherwise.)

VickiMay 8, 2006 7:26 AM

Were I an EU citizen who'd flown to the U.S., I'd be concerned not only that my data had been shared without my knowledge, but that they might have gone beyond the CDC. Also over what the CDC might be planning to use them for.

(Even without this, I have European friends who won't visit me/New York anymore, because they don't trust the current administration. This is not going to help me convince them otherwise.)

Matthew X. EconomouMay 8, 2006 7:31 AM

The reasons for sharing the PNR data seem sound. Infection control is an important step in preventing pandemics. With such a reasonable, er, reason, I don't understand why the U.S. government couldn't just go back to the E.U. to amend the PNR data sharing agreement.

dlgMay 8, 2006 8:04 AM

@Matthew: It wouldn't have be such a big deal if they had done that before silently ignoring the agreement. Considering the state the EU is in right now, it is easy to convince them of arbitrary terms (the original terms were pretty arbitrary, anyway).

This will only get harder now, trust in the US (administration) is at an all time low. Nobody believes their vows, and for good reasons. The safe haven rules are ridiculous as they are lacking effective control mechanism (taking the word of the US/the companies is not enough, obviously).

@StupotUK: I wonder if there will be any reaction at all. The EU has not been very vocal in protecting its citizens' rights lately. Banana sizes are more important.

dhasenanMay 8, 2006 8:06 AM

Matthew--

Why do we need to know a person's name before telling if they have an infectious disease? It seems that the CDC could request names as needed whenever an outbreak starts, iff they reasonably believe that the infection can be traced to a foreign visitor to the US. And that's such an obvious and basic need that an agreement to share information in those circumstances would practically be waved through the EU Parliament.

This seems a lot like Bush's directive that federal agencies should order wiretaps without requesting warrants--there was a legal way to handle this possibility, but the US government ignored them. The question is why. The only real effect is to eliminate accountability, which would be an attractive goal.

NocturnMay 8, 2006 8:24 AM

As a European, I find this very alarming indeed.

I would already avoid the US as far as I possibly can (don't want to end up in Guantanamo bay because my laptop looks suspicous or something draconian like that).
This just makes it even safer not to go there.

HugeMay 8, 2006 8:26 AM

If it weren't for the fact that my (elderly, ailing, widowed) mother lives there, I'd never set foot in the USA ever again. After all, the Government of the USA provably lies (+), operates extra-territorial concentration camps and specifically allows the "disappearing" of non-citizens. My great-great-great-great-great-great-grandfather (*) must be spinning in his grave.

Huge.

(+ Not that that makes them anything special. Lying is what Governments do.)
(* Patrick Henry. And no, I'm not joking.)

icarusMay 8, 2006 9:10 AM

> Were I an EU citizen who'd flown to the U.S.

It's flying ANYWHERE that counts. When booking flights internal flights in the UK the small print refers to sending your data to "the relevant government department".

PaeniteoMay 8, 2006 9:37 AM

This proves exerybody right who was against this whole data-surrendering to the US in the first place.

Besides this, it is an old point: Once data is collected, it will be abused (loss is a form of abuse, too).

AGMay 8, 2006 9:38 AM

Solution:
A law needs to be passed making an individuals personal information their personal property.
Companies could then only legally use your information if they paid you for it.
That would solve 90% of these privacy problems.
Companies have no respect for your personal information because to them it is free.
Charge them money make personal information an asset and then and only then will they respect it.

NocturnMay 8, 2006 9:49 AM

@AG

100% correct. And for people allowing the use of their information, it would be a nice financial bonus ;-)

JungsonnMay 8, 2006 9:55 AM

@ Swiss connection

Even without it, i'm sure they will look into this data if they want to. One can finds many reasons to look into this data and say: Well, we have some clues that this data contains information about terroristic acts, so we have the right to look into it. And i don't think that US intelligence will ask persmission for it, hence, that in itself will undermine its own intelligence. So it is naive to asume this isn't happening. For real...

COOWMay 8, 2006 9:58 AM

I think that the use by the CDC may come in point 34 of the original Annex:

"No statement herein shall impede the use or disclosure of PNR data to relevant
government authorities, where such disclosure is necessary for the protection of the vital interests of the data subject or of other persons, in particular as regards
significant health risks"

zibeliMay 8, 2006 10:02 AM

From the article: "Second, it undermines the respect and credibility of our government when it makes promises as a result of careful negotiations among different stakeholders and then breaks those promises."

My question: What "respect and credibility"?

AnonymousMay 8, 2006 10:07 AM

While I don't disagree with some of the sentiments expressed above about the US, as someone who lives in the US but grew up in the UK, I have to say I have the same sentiments about returning to the UK. What's with all the cameras? And the US government compared to the UK government is a paragon of openness and accountability. The UK government has a long and notorious history of using 'security' and the Official Secrets Act to hide scandalous and nefarious activities from public view.

I suspect most Europeans who claim they don't want to come to the US because the US is governed by such wicked people compared with their own humble, wise and honest public servants are just too cheap to buy a transatlantic ticket.

Erik NMay 8, 2006 11:23 AM

As European I have known this for years. My prime concern really, is that US authorities retains the right to transfer these data to third countries, meaning once you've been to the US, you may as well asume your data is everywhere - they don't even exclude countries on the so-called "evil of axis".

The "Safe Habour" agreement came into effect december 1, 2001, I went on transit january 2002, before I became aware of this. I haven't been back since and have no plans to return.

Only five countries have been acknowledged to provide the same legal protection of personal data as the EU: Argentina, Canada, Switzerland, Guernsey and Isle of Man.

And with EU moving onto more surveillance, I wonder if I should go to one of the mentined countries.

quincunxMay 8, 2006 2:03 PM

Governments violate their own rules, shocking!

---

"A law needs to be passed making an individuals personal information their personal property."

Uhm, we had this law. We kinda adopted common law, ya know. We just passed a bunch of laws during the 20th century eliminating this tradition. So the solution is not to create another law - but remove the ones that violate it in the first place.

"Companies could then only legally use your information if they paid you for it.
That would solve 90% of these privacy problems. "

Exactly. Private information is in the domain of private property rights.

A simple example: I can register a domain name and have my address held by a proxy company. They ensure that they will not give away this info, by stipulating that they would return my money, pay damages, and obviously jeopardize their business in doing so.

How about the US postal service? Anyone ever seen a proxy service for your address?

Wouldn't it be nice to send mail to:
PROXY HANDLE - PROXY IDENTITY CODE.

as opposed to Name, #_Street, City, Zip-Code.

There are many ways to implement solutions of this kind - the problem is that the postal service is not private, and laws strictly forbid this kind of service.

Pat CahalanMay 8, 2006 2:04 PM

@ zibeli

> My question: What "respect and credibility"?

No kidding. Of all the current issues facing us USAmericans, our complete and utter lack of credibility in the international community is the one that is going to cause the most problems in the long term.

dhasenanMay 8, 2006 2:12 PM

COOW--

You may well be correct. I take the statement to mean that, in an emergency, DHS can share personal information about EU citizens if necessary; and all other agreements allowing the sharing of information are still valid.

If, on the other hand, that clause enabled the CDC to obtain passenger information, why did the CDC enter a secret agreement with the DHS? Again, the major issue isn't the fact that the CDC got the information; it's that they did so in an illegitimate manner, especially when a legitimate means to the information either was already available or could easily be made available. And the issues with illegitimate means are a lack of accountability and an indication that the organizations involved will likely be less than scrupulous in their future dealings with personal information.

Moreover, since this information was released, it's an indication of the incompetence of those involved. If it was revealed that the data is being shared, then it's likely that the data itself isn't as secure as it should be. People who leave incriminating documents around for the ACLU to FOIA probably aren't the sort to meticulously plan systems of access limitation for personal information.

AGMay 8, 2006 2:18 PM

@Nocturn
Thank you...
It seems to me the ideas of the "individual" and "self" have become blurred in recent years.
My name is my property. My address is my property. My phone number is my property. The list of websites I visit is my property.
No, you may not use them without my consent and NO I DO NOT CONSENT.

dhasenanMay 8, 2006 2:20 PM

Quincunx--

I was under the impression that such services existed in the US. A cursory search turned up the following mail forwarding services:
http://www.myus.com/about/
http://www.nymail.com/postalMail.html

Granted, it isn't the exact format you requested--it's an address analogous to those used for large apartment buildings, but you can specify any name for the recipient, as long as it's the appropriate number.

quincunxMay 8, 2006 4:22 PM

"Granted, it isn't the exact format you requested--it's an address analogous to those used for large apartment buildings, but you can specify any name for the recipient, as long as it's the appropriate number."

Yes, I am aware that these fringe services exist. Which is a good thing - but it doesn't eliminate the fact that your mail is delivered by a monopolist. All first class mail services are channeled through this monopoly. And as for the various private mail carriers - they are highly regulated and controlled (this is evident in the fact that the legal barriers to entry are so high, that only a handful of these companies exist) to use the present system and not be allowed to change. They also have to compete with a subsidized inefficient monopoly.

"Of all the current issues facing us USAmericans, our complete and utter lack of credibility in the international community is the one that is going to cause the most problems in the long term."

This is a collectivist outlook - not very useful for identifying the problem. It is not "our" complete failure - but that of the people that reign over us. And if you think it's a problem for them - you are dead wrong. They are not accountable and don't care - and in fact engage in political profiteering.

Also, when you say "international community" you really mean foreign governments. They are likewise the same in behavior as our own. They both lie and steal. The 'international community' has no problem trading trillions of dollars of goods and services. The rulers have a problem with this - they need their share of booty.

Cooperation comes from trade - not politicians and their pointy-headed intellectual body guards.

LoitumaMay 8, 2006 6:08 PM

All governments do this. The only difference with the U.S. government is that they are far more transparent about it than all the others. Where's the French or German equivalent of the ACLU filing suit for abuses of their government? It's not that the other governments aren't doing abusing privacy, it's that it is hidden behind bureaucracy and secretiveness and so therefore their citizens are largely unaware of it. In the U.S. the dirty laundry is hung out for all to see and therefore comes under extra scrutiny.

TillMay 8, 2006 8:32 PM

@Loituma:

I can tell you were the German equivalent is: It pretty much doesn't exist! We simply don't have a Freedom of Information , and that sucks.

quincunxMay 8, 2006 9:13 PM

" In the U.S. the dirty laundry is hung out for all to see and therefore comes under extra scrutiny."

Only the dirty laundry they want you to see.

They also flood public opinion with too much nonsense dirty laundry.

The ACLU files politically popular cases. They also usually advocate 'reform' as opposed to returning our freedoms. I don't recall the ACLU claiming that the income tax & federal reserve are unconstitutional, even though they are.

---

Frankly I prefer to have a government of two politicans operating with a $100 budget in secret, as opposed to 21 million people in the public sector openly destroying civilization (albeit their ignorance in doing so) on a $2.7 trillion budget.

pigletMay 9, 2006 5:42 PM

Letter to the European Ombudsman, 'euro-ombudsman@europarl.eu.int'

"There is evidence that the US government is violating the US-EU agreement on passenger data sharing. “In 2003, the United States and the European Union reached an agreement under which the EU would share Passenger Name Record (PNR) data with the U.S., despite the lack of privacy laws in the United States adequate to ensure Europeans’ privacy. In return, DHS agreed that the passenger data would not be used for any purpose other than preventing acts of terrorism or other serious crimes. It is now clear that DHS did not abide by that agreement.��?

The European Commission is under obligation to protect the privacy rights of European citizens. It has in the past, with respect to passenger data sharing, repeatedly asserted that the agreement provided sufficient safeguards for the protection of the data concerned. There now appears to be proof that the US government does not honour its privacy obligations under the agreement. Therefore, the European Commission must take the necessary action to reassert the protection of our privacy. The European Ombudsman should act on behalf of the citizens to make sure that the Commission fulfills its duty, as laid down in European privacy laws, in the data sharing agreement and in the Commission’s various public announcements.

As an EU citizen who has visited the US in the relevant period, I am personally concerned by this matter, as are many millions of Europeans."

pigletMay 9, 2006 5:56 PM

"All governments do this. The only difference with the U.S. government is that they are far more transparent about it than all the others."

That's rubbish. The US government is not transparent about what they are doing with those data. To put it bluntly, they have been lying repeatedly. The ACLU is referring to a "secret agreement". Let's see whether their FOIA request succeeds. FOIA is an admirable achievement. Nevertheless, the Bush administration has been quite successful in lying to the people (and have them believe the lies), misrepresenting and hiding facts. Remember the dispute about Cheney's policy meetings with energy executives? The protocols have remained secret, with Supreme Court approval. That's just one example of many. Don't fool yourself!

HugeMay 10, 2006 8:53 AM

To all the Americans rising up to defend their country; How many Western democracies operate extra-territorial concentration camps? How many Western democracies specifically allow non-citizens to be arrested and detained indefinitely without trial?

There'd be a lot more respect for the USA if they weren't at the same time trumpeting about what a bastion of truth and justice it was. Excuse me while I piss myself laughing.

(Oh, and yes, other Governments are no better. So what?)

JoeMay 15, 2006 8:38 PM

Matthew X. Economou wrote:
> The reasons for sharing the PNR data seem sound. Infection control is an important step in preventing pandemics.

Pandemics means direct human-to-human infection, which means that by the time the CDC gets into full gear, something like 90+% of the infected on U.S. soil don't have any PNR attached to them for lack of having been a P lately. They tend to have driving licenses and own a car, though.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..