Sunday, April 30, 2017

Germany introduces warrantless surveillance of travel patterns of all airline passengers

As usual, the main news out of the surveillance world this week was centered on the US. Much was written about the NSA halting a small sub program of under Section 702, specifically the controversial upstream part that collects Americans' emails "about" foreign terror suspects. If you want details, the blog of the brilliant Marcy Wheeler is where you should go.

But this very same week, the German federal parliament quietly passed a bill that vastly expands warrantless surveillance of airline passengers. Mandated by EU Directive 2016/861, storing passenger name records (PNR) is now implemented under the German FlugDaG law. The EU directive applies to flights from and to countries outside of the EU, but Germany added intra European flights to its law. 

The US has long required PNR data from airlines, and one reason for the Europeans to mandate collection of these data was simply the "me too" so familiar in the surveillance and security industry. The main argument by proponents of the measure was, of course, the danger of terrorism and "serious crimes".

The list of offenses that constitute "serious crimes" is found in Annex II of the EU directive and contains the expected high profile crimes like sabotage and trafficking of nuclear materials but also fraud and product piracy. The item fraud comes with the added clause 'including that against the financial interests of the Union', a somewhat hilarious addition if you think about it for a second.

The term 'serious crimes' has been abused so much that it has become next to meaningless outside of its propaganda value. A shorter, much more honest version of a list of serious crimes would be "anything beyond parking tickets and a simple DUI".

The data points collected include expected items, such as name, address, identification document, and payment method, as well as more intrusive data, such as details about luggage, the seat number, and meal preference, for a total of about 60 data points. The data are stored for five years, with an extension to 15 years in certain cases. After six months, the data are "minimized" (depersonalised) but they can be "deminimized" upon order of a judge, which, as far as the technical implementation goes, means they are not really being "depersonalized" at all.

Critics call the measure too invasive and claim it violates the German constitution, with one use called out as particularly egregious: law enforcement will conduct warrantless pattern searches of the data to find previously unknown criminals based on travel patterns.
Law enforcement will analyze your travel data for suspicious activities even though they have no indication of you doing or planning anything illegal.

The algorithms used to sift through the data in order to find suspicious travel habits and flag you to law enforcement as well as intelligence agencies are, of course, largely unknown.

Paying for a flight in cash is definitely a red flag, that much we know. Traveling with too little luggage is likely another one based on the simpleton law enforcement thinking that a terrorist wouldn't prepare his luggage with the same enthusiasm as a vacation traveler.

The same simple thinking applies to meal choices. So, don't order Halal food unless you want to be flagged as a Muslim. Vegetarian, or gluten free are very likely the best choices to avoid being red flagged. After all, these two show you care about eating healthy and have a harmless disposition. Vegan might get you labeled as potential eco-terrorist, so go easy on that one if you fly into Iowa or some other wingnut state.

Critics of the warrantless search had previously warned that airline travel passenger data collection could be a first step, with other modes of transport to follow.

They were dismissed as alarmist.

Until Belgium, freshly motivated by terror attacks, decided to extend the same surveillance measures to trains, buses, and travel by ship starting in 2018.

Austria is also planing to extend data collection to train and boat passengers.

The logical next steps are more pervasive license plate readers to get vehicle traffic under improved surveillance.

And, the blogster is willing to bet its* still unclaimed Susan B. Anthony dollar coin, Germany will follow with measures for trains and maritime travel, soon.

* Gender neutral. 
[Update 5/1/2017]  Improved readability of title. Fixed typos.

No comments:

Post a Comment