Caslon Analytics elephant logo link to home page title for Passports note

home | about | site use | services | guides | profiles | papers | timeline || Analysphere | Ketupa | Cinetext


overview

issues

travel

Australia

studies












related pages icon
related
Guides:

Privacy

Security
& Infocrime




related pages icon
related
Profiles:

Surveillance

Forgery &
Forensics

Identity
Theft

Australia
Card  

RFIDs


section heading icon     travel surveillance

This page considers databases, networks and legal frameworks for the surveillance of domestic and international travellers, such as the US CAPPS II and Secure Flight schemes.

It covers -

  • introduction
  • paper walls, princes and police - the shape of travel surveillance before the internet
  • legal frameworks and human rights
  • digital issues - key issues at a glance and some questions about their significance
  • from CAPPS II to Secure Flight - the evolution of contemporary 'total information awareness' schemes in the US and other countries
  • locational privacy and commuter travel

section marker icon     introduction

One aspect of the 'digital revolution' has been a substantial increase in the capacity of governments to monitor travel by their nationals and foreigners, in particular travel across borders and using commercial airlines.

In contrast to past regimes, which were predicated on official authorisation to move between jurisdictions and on registration of the traveler's presence (whether by a bureaucrat or by an agent such as an innkeeper), much of that monitoring is 'non-invasive'. It relies on government agencies accessing information held on private sector databases (eg the computerised reservation systems noted on the preceding page of this note) and information extracted from travellers as the price of passage (eg drawn by migration officers from their passports or from passenger manifests and flight cards).

Readers of Victorian and Edwardian fiction will be aware that it was possible to thwart pre-1914 monitoring schemes through ingenuity, adoption of false moustaches or other disguises and provision of bogus personal particulars - whether for a romantic assignation in a railway hotel or to evade the attention of the Okhrana and Sureté. Undermining those schemes was possible because of

  • delays in collecting, transmitting and collating information
  • problems in interpreting information
  • the absence of effective personal identification documentation.

As we enter the age of biometrics unique identification should, in principle, be more achievable and the mining of travel information from comprehensive CRS and payment systems should enable what one enthusiast characterises as 'surveillance at a distance', detecting malefactors while freeing the innocent traveller from the whiff of garlic as an official or hotel clerk peers over his/her shoulder.

In practice some claims for 'total information awareness' seem fantastic, given theft or corruption of official documentation, problems with the disambiguation of information, concerns about privacy principles and administration, the very patchy nature of data sources and difficulties with integration of systems across jurisdictions and agencies. Some criminals - or would-be criminals - are for example in possession of legitimate identity documents. Monitoring travel payments tracks payments; in an environment of credit card fraud that is not necessarily the same as tracking people.

section marker icon     paper walls, princes and policemen

 Well into the industrial era, most law enforcement was local. Government officials concentrated their identity verification and data collection at the ward/suburb, city and provincial level rather than building effective national databases. Their activity involved co-opting the private sector, with an emphasis on residence rather than comprehensive surveillance of what tickets were being sold and who was on a particular vessel or train.

That emphasis included requirement that foreign travellers display passports or other identity papers to the hotelier (signing a hotel register, which in some instances was periodically inspected by an official). Some regimes additionally required foreigners and nationals to register their presence with a local/provincial government agency.

Economic growth after 1945, globalisation, technological advances such as the jumbo jet and market developments such as Laker's transatlantic budget Skytrain resulted in a second age of mass tourism and business travel. The World Tourism Organisation notes that the number of international tourist arrivals rose from 25 million in 1950 to over 700 million in 2002, with over half of the destinations being in Europe.

section marker icon     legal frameworks and human rights

International legal frameworks regarding travel have attempted, with varying success, to accommodate sometimes conflicting demands regarding human rights, commerce and the integrity of the nation state.

Agreements under the auspices of the League of Nations and its successor the United Nations have accordingly emphasised freedom of residence, freedom of movement and freedom of non-interference ('the right to be left alone') as human rights. Acceptance of those rights - and articulation of exceptions - in bills of rights, case law, statute law and administrative practice has varied.

Nations have exercised the capacity to administer their own travel regimes, including

  • cancellation or denial of passports to criminals, bankrupts and perceived subversives (eg Paul Robeson in the US)
  • denial of entry visas and residence documentation to disturbers of the peace (eg Egon Kisch in Australia during the 1930s and David Irving in the 1990s)
  • 'internal exile' schemes, with dissidents (and some nationalities) in the Soviet Union being sent to particular locations in the East, an echo of the Tsarist Pale restricting Russian and Polish Jews
  • 'house arrest' schemes, with dissidents such as Sally Aung San Suu Kyi in Burma being restricted to a particular building or suburb
  • restrictions on the entry of those fleeing political, ethnic, cultural or religious persecution, those who have been expelled and those who have been displaced by war or other calamities
  • restrictions on the entry of 'economic refugees', with denial of access or internment while claims for refugee status are determined.

There is substantial variation in responses to those regimes and in their active enforcement. Belgium for example mandates all adult nationals carrying identity papers but in practice there is little checking except when the bearer engages in a transaction. In Australia all states/territories mandate carrying of driver licences while driving a vehicle, with display of that document when requested by law enforcement personnel. Most Australian hotels require display of a driver's licence (or of a passport, as a substitute for the de facto national identity document) when registering for accommodation. As we discuss in the following page of this note that information however is not systematically provided to authorities; it provides the basis for action if there is a payment default or the room is damaged.

One of the foundation myths of the US is that of the moving frontier, with the intrepid, independent - or merely indebted - traveller leaving the constraints of 'civilisation' in search of freedom and opportunity away from the big cities. That myth emphasises the anonymity of travellers and freedom from government interference.

It has been reflected in disagreement since 2001 about the appropriateness of passengers presenting identification to use US domestic commercial airlines. In Australia that requirement has been largely unremarked since at least the 1980s, with commercial airlines now enforcing a 'no fly without photo ID' policy. (The cursory nature of inspection in detecting falsified documents means that its effectiveness is uncertain.) In the US the Supreme Court ruled in Gilmore v Ashcroft that the federal government could mandate provision of ID for domestic flights. In both countries there is no corresponding requirement for travel by rail or road.

section marker icon     digital issues

In the digital environment issues include -

  • low awareness among government agencies, businesses and travellers about privacy-related aspects of domestic and international travel
  • perceptions that data mining and other technologies will allow government agencies to accurately identify substantive threats or build effective electronic borders by using information about who is travelling, where they have been, where they are going and even what they are doing
  • consequent government demands for systematic access to commercial travel-related information (including airline reservations, accommodation and restaurant payments), with and exemption of that data and associated analysis from existing privacy protection regimes
  • associated comprehensive profiling of travelers, reflected in restrictions on freedom of travel (eg Do Not Fly lists), differential treatment of travellers on the basis of Recognised Flyer lists and intrusive searches
  • compulsory provision by travellers of a range of information during reservations and by financial institutions or other entities
  • mandatory identification of travellers, including carrying/display of identity documents and use of biometric identifiers
  • integration of commercial and government databases about travellers, with what critic Edward Hasbrouck condemns as "integration and conversion of travel industry infrastructure into an infrastructure of surveillance"

In some jurisdictions activists have warned about -

  • use of RFID tags on a secure or unsecure basis, with for example claims that tagging will facilitate identity theft or convert the bearer of a tag into a target
  • corporate and government construction of "lifetime personal travel dossiers" from travel bookings and payments, with that information potentially being accessed by or even sold to third parties without the consent or awareness of the traveller
  • inadequate legal protection for travel information, particularly for travel across borders and for information that is silently shared by governments and businesses

Perceptions of those issues differ widely, depending on factors such as occupation, cultural background, personal experience and even position in a queue for security screening at an airport. Gilmore's lament about provision of ID would, we suspect thus appear misplaced to many Australians, who have become accustomed to providing photo ID for entry to a domestic flight. Tensions among privacy advocacy organisations are reflected in comments that not all concerns are equal: producing ID to board a flight is less offensive than being mauled by an unskilled security contractor during an intimate search, particularly if the passenger is confidence that information in that ID will be safeguarded.

Some concerns may be displaced, with regulatory issues being addressed through a strengthening and systematisation of data protection legislation underpinned by effective industry protocols and greater awareness about the commoditisation of personal information.

section marker icon     from CAPPS II to Secure Flight

The Computer Assisted Passenger Pre-Screening System (CAPPS II) was proposed by the federal Transportation Security Administration (TSA) in the US following 9/11 but tacitly abandoned in the face of legal and technical criticisms, being replaced by plans for a Secure Flight scheme.

The new scheme has been promoted as complementary to the Defense Department's Total Information Awareness (TIA) - later Terrorism Information Awareness - program, criticised as a successor of the unfocussed, wildly ambitious and horrendously expensive Reagan-era starwars program.

Predecessors of CAPPS II sought to match the names of intending passengers with one or more government watchlists, in particular a list of names of terrorists. That matching proved problematical, as many names are not unique, the names of terrorists and others may have been incorrectly captured (particularly if they were expressed in Arabic, Chinese or other non-Roman characters) and those on watchlist might choose to use an invented name or assume someone else's name. Presumably Osama Bin Laden would not take a US commercial flight under his own name. US senator Ted Kennedy - who shares a surname with someone on a wanted list - was recurrently stopped because of that disambiguation problem.

Enthusiasts for CAPPS II justified the scheme as a mechanism for combatting terrorism, in particular by preventing hijacking of large civilian aircraft. It has been characterised as a model for travel databases in other jurisdictions and for screening rail or other modes of transport.

It was envisaged that CAPPS II would draw on information from government and commercial databases, including 'life data' such as age and place of birth and activity data such as information about the frequency and departure/destination points of past travel. A 2004 Australian parliamentary committee report on aviation safety sagely comments that "hijackers have tended not to be
frequent fliers".

That data would be used to assign each passenger a color-coded score -

  • 'Green' flags that the passenger does not appear to pose a threat to safety and is free to board the plane
  • 'Yellow' flags that the passenger appears to pose a potential threat and should accordingly undergo further security checks before being allowed to board
  • 'Red' flags that the passenger is likely to pose an "imminent threat" and will thus not be allowed to board the flight, with some likelihood that the person will be required to undergo official questioning.

Statistics about the number of people whose profiles have resulted in a red or yellow score are contentious, as is the effectiveness of models used in generation of those profiles.

Concerns identified by privacy and consumer advocacy groups include -

  • data accuracy, with questions about the validity of information in some government and industry databases (particular those maintained by credit reference services) and about updating those databases in the event that an inaccuracy is detected
  • sharing of source data or individual profiles with federal/state agencies and with other governments
  • inappropriate use of data sources, in particular financial and medical records
  • network integrity, in particular fears that personal information collected by the TSA will be improperly accessed (eg for identity theft)
  • uncertain or ineffective mechanisms for public access and redress, with US politicians, ordinary citizens and foreign nationals complaining that they had been improperly prevented from flying, couldn't find out why they had been prevented and weren't able to ensure that faulty data was corrected
  • mission creep, with inappropriate sharing of information collected by the TSA
  • comments that screening could be circumvented by 'borrowing' an impeccable life/activity history and using forged identity documents to get past undertrained, demotivated and harried security staff

In response to those criticisms the TSA has sought to expand its data collection, leading critics to comment that it is 'solving' the problem of muddy data by doubling the amount of muddy data. The Secure Flight scheme will apparently receive the entire Passenger Name Record (PNR) from airline reservation systems encompassing name, address, phone number, email address, credit card details and special medical or religious dietary requirements. Subject to meeting EU data protection requirements, Secure Flight will also draw on PNR data from EU-based airlines.

Another response has been to buttress the system by requiring use of biometric identifiers, with passengers for example undergoing retina scans or palm scans.

The TSA is also exploring 'trusted traveller' schemes.

Those schemes typically involve frequent travellers gaining a smart card after undergoing a background check. Information on the card would include the traveller's flight booking history (their PNR) and print patterns from two fingers as a biometric identifier. Security personnel at a screening point would receive information about
the passenger as the card was read, subject to a match between the biometric data on the card and the traveller's fingerprint patterns. If the system indicated that the person represented a "lower security risk" that individual would be fast tracked for
boarding.

Privacy issues are supposedly addressed by the traveller retaining the card "and therefore the personal information it contained", with personal and flight information on the system becoming unreadable after 24 hours "unless needed for government investigations" and deleted after 30 days. US proponents envisage use of kiosks for self-check-in by passengers, with a staff member "always in attendance ... to watch for signs of nervousness indicating whether a particular passenger posed a security risk".

section marker icon     locational privacy and commuter travel

Much of the advocacy literature about travel surveillance has focussed on international and domestic travel via commercial airlines, rather than by ship, rail, bus or car. That reflects government concentration on air travel after '9/11' - aircraft as mechanisms of destruction and as vehicles for delivering terrorists - and perceptions that it is easier to capture and integrate data about flyers than about people using different modes of transport.

However, it is useful to recognise that there is scope for tracking terrestrial travel, including short-range commuter travel. We have highlighted some locational privacy issues and resources here.

They include -

  • use of closed circuit television (cctv) monitoring in public places such as streets and in spaces such as shopping malls that some people consider to be public
  • RFID-based transit management systems that identify vehicles (eg cars and trucks equipped with e-tag tollway payment systems) and individuals (eg smartcards used in some rail, bus and ferry commuter networks)
  • GPS schemes for tracking vehicles or high-value freight consignments
  • fixed and handheld imaging systems that recognise vehicle registration numbers and are linked to traffic violation and other databases
  • bracelet/anklet systems for locating refugees and criminals

In discussing security and surveillance we have suggested that seamless Enemy of the State style surveillance is not yet feasible and is unlikely to be in the future, other than in exceptional circumstances. Use/abuse of more limited surveillance schemes does, however, pose issues for policymakers, advocates, solution vendors and ordinary citizens.





icon for link to next page   next page (Australia) 



any word
all words
 phrase
 

version of December 2004
© Caslon Analytics