New excuse for travel surveillance: medical quarantine

Public comments are due by 17:00 (5 p.m.) Washington time (GMT - 5) next Monday, 30 January 2006, on the latest proposal from the USA government for mandatory surveillance of travellers’ movements.

I’ve been puzzling for weeks about how to respond.

The current proposal (70 Federal Register 71892-71948, 30 November 2005) comes from the USA Centers for Disease Control, a generally competent and benign technical division of the Department of Health and Human Services. I can’t tell if the CDC sincerely believes that a police state is necessary to prevent the spread of epidemic diseases (the example of China might cast doubt on such an argument), or if other government entities with interests in surveillance are merely using the more recent fear of epidemic — just as they have been using the fear of terrorism since 11 September 2001 — as an excuse for similar mandates to the travel industry to collect, and give the government, comprehensive logs of travellers’ movements.

Along with the proposed regulations, the CDC published several fact sheets on its claimed “legal authority for isolation and quarantine”, but little or no justification for the proposed “Passenger Information” rules (proposed 42 CFR 70.4). Those rules look remarkably similar to those previously proposed — under a completely different rationale — by the Transportation Security Administration (TSA) as part of its CAPPS-II and “Secure Flight” airline passenger “screening” (surveillance) schemes.

Under the CDC proposal, each airline (whether based in the USA or elsewhere) operating domestic or international flights to or from any of the 67 airports in the USA designated by the FAA as large or medium “hubs”, would be required to (a) solicit from each traveller or family group, and (b) pass on to the government, the following information about each passenger:

1. Full name (first, last, middle initial, suffix);
2. Emergency contact information;
3. E-mail address;
4. Current home address (street, apartment #, city, state/province, postal code);
5. Passport number or travel document number, including the issuing country or organization (in the case of foreign nationals only);
6. Names of traveling companions or group;
7. Flight information;
8. Returning flight (date, airline number, and flight number);
9. At least one of the following current phone numbers (in order of preference): mobile, home, pager, or work.

The CDC claims this will cost US$793.8 million. I suspect that this seriously underestimates both the value of the additional waiting time for travellers in slower check-in lines, and the implications of space limitations on airports’ ability to add more check-in counters or kiosks. And it will come on top of Department of Homeland Security regulations that have already — by the Department’s own estimate — imposed a billion US dollars in unfunded mandates to build surveillance functionality into airline reservation systems. Just as the USA has, under the Communications Assistance to Law Enforcement Act (CALEA), required the telecommunications industry to hard-wire surveillance capabilities into its infrastructure.

On their face, the proposed regulations are in direct violation of the USA Privacy Act, in two respects:

First, the Privacy Act provided that Federal agencies shall “maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity”. Clearly the records to be collected under this proposal would describe how individuals exercise their First Amendment right to assemble. While the CDC attempts to derive implicit authority for the proposed regulations from its authority to order medical quarantines, it does not claim any explicit statutory authority.

Second, the Privacy Act requires each agency to “collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits, and privileges under Federal programs.” It’s unclear, as discussed below, exactly what sanctions may be imposed on the basis of passenger information, but it appears that they could include, at a minimum, loss of various rights, benefits, and privileges due to the imposition of quarantine restrictions.

Airlines will be required to solicit this information when passengers check in. Since all such passengers will also be required to be “screened” by TSA personnel at departure airports, there is no apparent reason why any information desired from the CDC could not be solicited from them directly by TSA staff as they are screened, rather than by airline personnel. The CDC proposal does not even purport to offer any justification for outsourcing the solicitation of this information to the airlines.

About all I can say in favor of the CDC proposal is that it could be dramatically worse, again in two significant respects:

One, “Information collected solely in order to comply with this regulation may only be used for the purposes for which it is collected.” This is in marked contrast to the CAPPS-II, Secure Flight, and APIS schemes, under which airlines and other travel companies are (or would have been, or would be) free to use or sell, without passengers’ knowledge or consent, personal information provided to them by passengers under government order.

Inexplicably, there’s no requirement for airlines to destroy the data, even after they’ve turned it over to the government and when they are supposedly forbidden in perpetuity to use it for any other purpose. And there’s nothing in the proposal about any system of monitoring or enforcement of airline compliance with this section. That means vigilance by passengers, in perpetuity, will be required to ensure that airlines don’t misuse this data.

Two, the proposed regulations would impose an obligation on airlines to “solicit” information from passengers, but do not impose any obligation on passengers to respond in any way to such solicitations of information, and would not authorize, much less require, airlines to impose any sanctions or deviate from their obligation as common carriers to transport qualified passengers who are unable (e.g., they don’t have an e-mail address) or unwilling to respond to airlines’ solicitations of information for the CDC.

I have no confidence, unfortunately, that airlines will respect that distinction. The CDC rule parallels the security directive which requires airlines to solicit identity credentials from all passengers (and to identify to the TSA as “selectees” for more intrusive “secondary screening” those who are unable or unwilling to produce and display such credentials), but imposes no obligation on passengers to respond to that solicitation of credentials. Despite their lack of legal authority, and in direct contravention of their obligations as common carriers, airlines have nonetheless frequently chosen to refuse transportation to those who can’t or won’t display ID credentials. And both the airlines and the TSA systematically lie to the public about the content of the regulations, such as through TSA printed posters in every airport falsely claiming that passengers are required to display ID credentials on demand.

So I expect that airlines will probably misrepresent the CDC rules to passengers as requiring passengers to answer the questions which, in fact, airlines will be required to ask, but passengers will be fully entitled, without penalty, not to answer. And I suspect that litigation will be necessary to defend the right to travel without responding to the CDC-mandated questions, especially if airlines add this requirement (as they have recently been adding the requirement to produce ID credentials) to their conditions of carriage, in contravention of their obligations as common carriers and under the First Amendment.

If you are ever denied transportation by an airline, ask them for a copy of their conditions of carriage, which they are required to have available at every check-in counter. Ask them to tell you under which specific clause of the conditions of carriage you are being denied transportation. Try to get them to put that in writing, preferably either on airline letterhead over the signature and legibly printed name of the station manager for the airline at that airport, or as part of a complete printout of your passenger name record (PNR), in which the reason you were denied transportation, citing the specific clause of the conditions of carriage, has been entered. (If you made your reservations from Canada, the European Union, or certain other countries, you are entitles to see what’s in your PNR. But not, unfortunately, if you made your reservations in the USA.) If the airline balks at giving you reasons, point out that your eligibility (or not) for a refund of your ticket is dependent on the reasons and the clause of the conditions of carriage under which you were denied transportation. So you need documentation of the reasons for their denial, in order to establish your refund claim. (If the airline refuses to transport you because you refuse to consent to being searched, you are entitled to a full and unconditional refund, even if your ticket would otherwise have been entirely nonrefundable. Presenting yourself at the airport, and refusing to consent to search, is perhaps the most foolproof way to obtain a refund of an otherwise nonrefundable ticket.) The airline cannot refuse to transport you, except as provided by specific terms of their published conditions of carriage, without grave liability under the common carrier clause of the Airline Deregulation Act of 1978.

[Addendum, 15 February 2006: Check the airline’s current condiitons of carriage before you try this: Northwest Airlines has changed its rules to deny refunds to people who are refused transportation because they won’t “provide identification” or permit themselves and their belongings to be searched.]

I hesitate to submit comments on the CDC rules, lest they modify them to impose on travellers a purported obligation to respond to airlines’ requests for additional personal information. But they are certainly objectionable. If you choose to submit comments, you can send them by e-mail to qrulepubliccomments@cdc.gov until 17:00 (5 p.m.) Washington time (GMT - 5) next Monday, 30 January 2006.

[Addendum, 2 February 2006: Comments were submitted at the deadline by Privacy Activism and the Privacy Rights Clearinghouse and by the Electronic Privacy Activism Center , both raising, inter alia, the need to make explicit in the regulations that travellers don’t have to answer the CDC questions, and cannot be denied passage or otherwise penalized for declining to answer. Also worth looking at are the airlines’ comments on the cost and difficulty of modifying their information technology and business processes to comply: Qantas (“onerous … entirely separate database … substantial cost and effort … increased processing time at checkin and the gate (for transfer passengers) … ongoing operational impacts … arduous”), British Airways (“unreasonable — and in some cases impossible — burdens on air carriers … completely new data-base … huge economic burden … disruption at departure airports … potential inconsistencies with international law”), Virgin Atlantic (“serious implications … entirely new databases … considerable operational problems … additional time at check-in … adding to passenger queues”).]