Since 5 march 2003, United States authorities have had access to most European airlines' passenger databases. According to this agreement – justified by the need to fight international terrorism – the European commission gives the USA online access to passenger name record (PNR) data of all Europe-based airline carriers for flights that go to, from or through the USA.
Photo credit: Eduard Kachan
The PNR data consist of all relevant information related to a passenger's flight: departure and return flights, connecting flights, special services required on board the flight (meals such as kosher or halal), payment information (such as the credit cards used to purchase the ticket) and e-mail address.
EU forbids the transfer of personal data to other countries that do not have laws protecting individuals' privacy, unless the individual consents to the transfer of her data. Most passengers, when they book a flight to the USA, are not even notified that their data is directly sent to US authorities, who also retain the right to forward it to American intelligence agencies.
But that is not the point.
Let’s pretend we could “supersede” the fact that our credit card information and journey-related data is supplied to the American authorities for anti-terrorism purposes; what really concerns me is the fact that airlines are requested to unleash also the e-mail addresses of travelers, which eventually might end up in the hands of FBI.
A recent report by the U.K. Telegraph states that British travelers using a credit card to purchase their tickets may now have their credit card and e-mail accounts inspected by US authorities.
At this point, the question is: why do American need the e-mail addresses of travelers going to the US to protect themselves against terrorism? Perhaps they want to e-mail them welcome messages?
It is hard to avoid paranoia in today’s world; however the possibility that our personal e-mail addresses are stored by US government for hidden purposes is not so unlikely as it may seem.
Although the agreement between US and EU has been signed in 2003, the details about what information the US could demand from airlines have been agreed only in October 2006 and they came to light only recently, following a freedom of information request.
The US says it will "encourage" US airlines to reciprocate to any requests by European governments. But, in this case, no law obliges American carriers to release passengers’ information to EU. This makes the act of buying a ticket a gateway to a host of personal email and financial information. While there are safeguards, it appears passengers would have to go to a US court to assert their rights.
It is important to specify that such amount of information (especially e-mail address) can be collected only when travelers purchase their tickets online, and not when they buy them from the airlines or the agencies.
However, while paying cash gives you the impression that you are saving your privacy, it actually puts you under another magnifier, as people who pay cash are routinely profile-examined because of that (and it is even worse if it's cash on a one-way ticket).
The requested information
Here is the information that US authorities ask to airlines that bring passengers from EU to US:
"Information about the passenger: name, address, date of birth, passport number, citizenship, sex, country of residence, US visa number (plus date and place issued), address while in the US, telephone numbers, e-mail address, frequent flyer miles flown; address on frequent flyer account; the passenger’s history of not showing up for flights
Information about the booking of the ticket: date of reservation; date of intended travel; date ticket was issued; travel agency; travel agent; billing address; how the ticket was paid for (including credit card number); the ticket number; which organization issued the ticket; whether the passenger bought the ticket at the airport just before the flight; whether the passenger has a definite booking or is on a waiting list; pricing information; a locator number on the computer reservation system; history of changes to the booking
Information about the flight itself: seat number; seat information (e.g. aisle or window); bag tag numbers; one-way or return flight; special requests, such as requests for special meals, for a wheelchair, or help for an unaccompanied minor
Information about the passenger's itinerary: other flights ticketed separately, or data on accommodation, car rental, rail reservations or tours.
Information about other people: the group the passenger is traveling with; the person who booked the ticket."
Source: What the US knows about visitors
What citizens say
Given for granted that the largest part of passengers traveling to US are not aware of this agreement (and the websites of the airlines do not show it up clearly in the booking procedure), it is easy to imagine that only few people have actually tried to fight against this US-EU deal.
Here is what the staff at The Identity Project suggests to do to those travelers who want to stand against this agreement:
“The only way to find out what’s in your travel records, and what is being done with them, is to request them under your country’s data protection laws. Then, if the data protection law has been broken, you can complain to the authorities, or bring a lawsuit. First, request your travel records from the travel agency or tour operator that booked your flights to the U.S., and the airline you flew on.
When they respond, they should tell you which computerized reservation system (CRS) they use. Then you can request your records from the CRS as well. There might be records in two different CRS’s, with different data, if the travel agent uses one CRS to make the booking and send it to the airline, and the airline hosts its database in another CRS.”
Source: Europeans: Time to ask for your travel records
The website of the European Digital Rights association (EDRI) also made available two sample letters for European citizens and residents (available in eight European languages) to request their travel records from travel agencies, tour operators, airlines, and CRS’s.
Possible consequences of this agreement
As I have already anticipated, the biggest concern regarding this agreement (which seems to be not highlighted by other critics) is related to the use of passengers’ e-mail addresses.
It is very hard to figure out which could ever be the use of storing e-mail addresses of European travelers for anti-terrorism purposes if those addresses can’t provide any information… Unless FBI or CIA don’t want to hack those people’s e-mail accounts and read their personal mail.
This scenario is not unlikely to happen: in a recent video published also here on MasterNewMedia, the possibility that major e-mail providers such as Google might have secret boundaries with CIA is clearly taken into account, along with the declarations of ex CIA agent Robert David Steele.
At this point, some questions rise up: why would the US want to have those e-mail addresses? And, more importantly: do you think there is the possibility that those e-mail addresses could be used for other purposes that go even beyond the interests of American intelligence agencies?
Originally written by Livia Iacolare for Master New Media as: E-Mail Privacy: What You May Be Gviging In When You Are Flying Out