Tuesday, January 25, 2005

Airport Security From Hell

Airport security checkpoint

Just read this interesting account of FUD gone mad in a post 911 world:

American Airlines Customer Relations
P.O. Box 619612 MD 2400
DFW Airport, TX 75261-9612Ê

14 January, 2005

To whom it may concern,

On Sunday, January 9th, I flew AA51 from London Gatwick to
Dallas-Fort Worth. At Gatwick, I was confronted with a security
check that exceeded sense and decency and, I feel, creates a
terrible potential liability for your airline.

At Gatwick, I was directed to a security podium before I checking
in for my flight. The security officer asked me a series of
questions, such as:

* Where are you flying?

* How long have you owned your luggage for?

* Have any of your electronics been serviced recently?

* Why are you flying this route?

This last one was a little weird: the route I was flying had been
selected for me by the computer running www.aa.com's reservation
system, but I answered anyway, wanting to be cooperative. Then
the officer asked me where I would be staying in the USA:

"I will be staying with a friend tonight, at a hotel near LAX
tomorrow, and with a different friend in Tarzana for the rest of
the week."

The security officer then handed me a blank piece of paper and
said, "Please write down the names and addresses of everyone
you're staying with in the USA."

I actually began to write this out when I was brought up short.
"Wait a second -- since when does AA compile a written dossier on
the names and addresses of my friends? Why are you asking me
this? Do you have a privacy policy and a data-retention policy I
can inspect prior to this?"

The security officer told me that this was a Transport Security
Agency (TSA) regulation. I asked for the name or number of the
regulation, its text, and the details of the data-retention and
privacy practices in place at AA UK. The security officer wasn't
able to answer my questions, and she went to get her supervisor.

After several minutes, her supervisor appeared and said, after
introducing himself, "Sir, this is for your own protection."

I think it's pretty hard to argue that making passengers produce
written dossiers on their friends' home addresses makes planes in
the sky secure. I asked again if this was really a TSA regulation
and what AA's privacy and data-retention policies are.

The officer said, "This is a TSA regulation."

I said, "Why didn't I have to provide this information when I
flew out of Gatwick on US Air in December then?"

He said, "Well, you know that American Airlines has had some
terrible things happen to it in the past."

I asked "So the TSA wrote a special regulation for AA? What is
the name of this regulation, and what is your data-retention and
privacy policy?"

He didn't know the answer and went off to fetch the terminal
supervisor for AA.

Several more minutes passed, and then the supervisor appeared. He
had looked over my documents and said, "Sir, I'm sorry, you are a
Platinum AAdvantage member and shouldn't have been asked this
question." I thanked him and asked him if he knew what AA's
privacy and data-retention policies were. He didn't.

In the past few days, I've told this story to many friends in the
US and the UK and they've all been shocked by it. It's really
stuck in my craw, and left me with three questions for your

1. What is the AA privacy and data-retention policy?

2. Do non-Platinum flyers have to provide dossiers on their
friends on demand from an AA officer? Why?

3. Is there a TSA regulation that requires you to gather this
information? What is the number or name of that regulation and
where can I get a copy of it?

Under the UK Data Protection Act, AA is required to be
accountable for the personal information it collects from the
public. On presentation of a nominal fee of ten pounds, AA is
expected to provide a reasonable accounting of what information
it has gathered from me and how it uses that information. I
believe gathering these dossiers means that you incur this
liability not only to me, but to all of my friends, too -- in
other words, if you require me to give you my friends' name and
address, my friends also have the right to find out how you use
that information. This explodes your data-retention liability,
potentially by an order of magnitude.

I was told that I came under extra scrutiny at the podium because
I was flying from the UK to the US on a Canadian passport; that
is, a passport that doesn't come from either the origin or
destination of my flight. I fly a lot to the USA, and other
airlines don't seem to have this policy. Should I take this to
mean that if I continue to fly AA on this customary UK-US voyage
of mine, I can expect to be given a hassle every time I fly?

I'm cc'ing this note to my colleagues at the Electronic Frontier
Foundation, to my friend John Gilmore who is currently suing the
TSA over some of its regulations, and to the website I co-edit,
Boing Boing (boingboing.net), which has over 200,000 daily
readers. I will be very interested to hear your reply.

I would appreciate a response by February 1, 2005.

Thank you,

Cory Doctorow

AAdvantage Number: XXXXXXX

Now this is just going too far. I wonder how long it will take for the United States to get off it's paranoid ass and rejoin the "free" world again.


Post a Comment

<< Home