Data-Mining Gone Wild...
By Desi Doyen on 7/28/2007, 4:12pm PT  

The Washington Post reports that the United States and the European Union signed an agreement this week detailing the amount of private information the U.S. can obtain on EU citizens traveling to and from the United States, what kinds of information can be gathered, and for how long the data may be stored.

Privacy advocates in the U.S. and the E.U. immediately questioned the agreement's sweeping expansion of data mining of travelers’ private information, including such data fields as medical history, religious affiliation, trade union membership, sexual orientation, and sexual partners.

According to WaPo:

Peter Hustinx, the E.U.'s privacy supervisor, expressed "grave concern" over the plan, which he said is "without legal precedent." He wrote to E.U. officials on June 27, "I have serious doubts whether the outcome of these negotiations will be fully compatible with European fundamental rights."

U.S. Homeland Security Secretary Michael Chertoff praised the pact as an "essential screening tool for detecting potentially dangerous transatlantic travelers." If available at the time of the Sept. 11, 2001, attacks, Chertoff said, such information would have, "within a matter of moments, helped to identify many of the 19 hijackers by linking their methods of payment, phone numbers and seat assignments."

Paul Rosenzweig, Homeland Security’s deputy assistant secretary for policy, explained that the broad categories of information gathered are due to U.S. authorities' fears of risks they haven't yet imagined. Rosenzweig justified the unusual data fields by pointing to a case in which, for example, U.S. officials learned of an alert about passengers who request wheelchairs hiding bombs in leg casts.

While the Washington Post article offers some history on the agreement and the nature of data to be collected, VNUnet.com offered some different details:

(The agreement) allows the DHS to keep passenger name record (PNR) data for seven years in an active database and then another eight years in 'non-operational' storage....

Information will be used only for preventing terrorism and "other serious offences that are transnational in nature", according to a statement from the Commission. But it will be accessible by any US law enforcement agency in pursuit of "serious crimes".

The agreement has been accompanied by an Exchange of Letters wherein the DHS sets out to the Commission how the data will be handled.

However, procedures for monitoring the agreement to ensure that the US is not misusing the data will not be proposed by the Commission until October.

"I can't see any valid reason why [DHS] would need to retain PNR data for that length of time," said Graham Titherington, principal analyst at Ovum. "But the primary concern is not the length of time but that the data is being exchanged at all."

"This information will be hacked; it will leak at some point," Titherington warned.

The Center for Democracy and Technology policy director, Jim Dempsey, told the Post:

"What Americans should be concerned about is it is now here in black and white: The government will maintain a database of all travelers --- including travelers of U.S. citizenship, including people who are believed to be no risk or threat . . . the government will maintain that and data-mine it."

The agreement does not yet include limitations on the use or sharing of the data, although there are some general guidelines:

Washington assured the European Union that its citizens will continue to have the same administrative protections as Americans to obtain information collected about them and to seek to correct errors.

Although Homeland Security has said it will move passenger information to "dormant" status after seven years and "expects" to erase it after 15 years, it notified the E.U. that expiration of data will be subject to "further discussions."

Dutch lawmaker Sophia in't Veld, the European Parliament's standing rapporteur on Passenger Name Records, said the agreement gives a green light to U.S. authorities to use confidential information for unstated purposes. Stavros Lambrinidis of Greece, vice chairman of the parliament's civil liberties, justice and home affairs committee, warned that it allows extra data collection not just in counterterrorism cases but for "a vast and in some cases unidentified number of crimes. So we have function creep."

The Electronic Privacy Information Center has more on the development of the agreement between the E.U. and the U.S. here.