Tuesday, 9 May 2017
European Commission to investigate airline reservation (in)security
Fifteen years ago I published my first critique of the extreme insecurity of airline reservations stored by computerized reservation systems (CRSs) and made available on public Web sites without passwords or access logs. Four months ago, hackers inspired in part by reading an interview with me on a German IT news site publicly demonstrated that those same vulnerabilities still exist. Now I have finally found the right unit of the European Commission to investigate my complaint that these CRS practices violate the privacy and data protection provisions of the European Union’s Code of Conduct for CRSs.
In the U.S., there is no general Federal privacy law requiring businesses to protect personal data about their customers or other individuals. But there are general requirements for this in the European Union (and in many other jurisdictions, including Canada), as well as specific requirements for the protection of travellers’ personal data in the EU Code of Conduct for CRSs.
The European Commission has the authority to enforce the Code of Conduct for CRSs, and the responsibility to investigate complaints of violations. But I have never been able to find any public indication of how or to whom to submit such a complaint. Saying, “You can complain to the European Commission” is like saying, “You can complain to the U.S. government.” Exactly how, and to whom, are you supposed to complain? Knock on the door of the White House or the nearest U.S. Embassy? Try that in the U.S., and you are likely to be arrested, if not shot, if you even manage to get within shouting distance of the door. The European Commission has published procedures for complaints against EU member states, but not for complaints against commercial entities such as the CRSs which are regulated directly by the Commission rather than, or in addition to, by the national governments of EU member states.
I’m not the only person to have asked this question.
In 2011, MEP Martin Ehrenhauser, an independent Member of the European Parliament, submitted a written question to the European Commission asking, “Has the Commission designated a point of contact or established procedures for handling complaints from individuals of violations of the Code of Conduct for CRSs? If so, how has the Commission made public this point of contact and the procedures for handling such complaints? If not, why not?”. The eventual written response from the Commission ignored this part of the question entirely, and didn’t mention the Code of Conduct for CRSs.
More recently, on 20 March 2017, MEPs from three different countries and political groups — MEPs Jan Philipp Albrecht (Verts/ALE), Birgit Sippel (S&D), and Sophie in ’t Veld (ALDE) — submitted a new question to the Commission:
Article 11 of the Code of Conduct for Computerised Reservation Systems (Regulation (EC) No 80/2009 of 14 January 2009) requires that ‘technical and organisational measures shall be taken … to ensure that personal data are only accessible for the specific purpose for which they were collected.’ The Commission has the power to investigate and enforce the code under Section 6 of the regulation.
Personal data in the passenger name records (PNR) hosted by Computerised Reservation Systems (CRS) are available through CRS-operated public websites, just by using a name and the short ‘record locators’ displayed on items such as boarding passes and baggage labels. Due to a lack of access logs, data subjects are unable to gather from CRSs whether their PNR data have been disclosed and to whom. Security researchers demonstrated these and other vulnerable aspects of CRSs at the Chaos Communication Congress held on 27 December 2016.
1. Does the Commission believe that giving access to PNR data on the basis of a name and record locator, with no password nor access logging, is compliant with Article 11 of the Code of Conduct?
2. Does it intend to investigate these vulnerable aspects and possible violations of the code?
3. Has it established procedures for handling complaints from individuals about violations of the code?
If a written question such as this from an MEP is not answered by the Commission within six weeks, the MEP who submitted the question is entitled to place it on the agenda of the next meeting of the responsible committee of the European Parliament. More than seven weeks have passed, but there has been no answer from the Commission to this question.
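To make the access pattern the question describes concrete, here is an added example (mine, not code from the original post, from any CRS, or from the researchers cited): a toy Python model of a name + record locator lookup with no password and no access log, beside a hardened store that authenticates the calling client, filters the returned fields to a declared purpose (the Article 11 point), and appends an audit entry for every access so the data subject can later be told who looked and why. The sample record, the client identifiers and keys, the purpose-to-field mapping, and the six-character alphanumeric locator are all constructed assumptions for illustration. The same model illustrates the missing fine-grained access control described in the excerpt from Prof. Bodden quoted in the comments below.

```python
"""
Added example, not code from the original post or from any CRS or airline
system: a toy model of the PNR lookup pattern described in the parliamentary
question (name + record locator, no password, no access log) beside a
hardened variant that authenticates the caller, returns only the fields
needed for a declared purpose, and records every access so the data subject
can be told who looked and why. The sample record, client names, keys and
field groupings are all constructed for illustration.
"""
import hmac
import math
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample PNR keyed by record locator. Real records hold far more,
# but three field groups are enough to show purpose-scoping.
SAMPLE_PNRS = {
    "ABC123": {
        "surname": "DOE",
        "itinerary": ["FRA-LHR 2017-05-20 LH900"],
        "contact": {"email": "jane.doe@example.org", "phone": "+49 30 0000000"},
        "payment": {"card_last4": "4242", "card_holder": "JANE DOE"},
    },
}

LOCATOR_ALPHABET_SIZE = 36  # assumption: A-Z and 0-9
LOCATOR_LENGTH = 6          # assumption: six-character locator as printed on boarding passes


def locator_keyspace_bits() -> float:
    """Bits of entropy a locator would have if drawn uniformly from the assumed
    alphabet. This is only an upper bound on its secrecy: the locator is
    printed on boarding passes and bag tags, so in practice it is not secret."""
    return LOCATOR_LENGTH * math.log2(LOCATOR_ALPHABET_SIZE)


def weak_lookup(locator: str, surname: str) -> Optional[dict]:
    """The pattern the question describes: anyone who knows a name and a
    locator receives the whole record, and nothing records that they did."""
    pnr = SAMPLE_PNRS.get(locator.upper())
    if pnr is None or pnr["surname"] != surname.upper():
        return None
    return pnr


# Which field groups a caller may see for each declared purpose (constructed).
# Purposes not listed here are refused outright.
PURPOSE_FIELDS = {
    "check_in": {"itinerary"},
    "customer_service": {"itinerary", "contact"},
    "payment_dispute": {"payment"},
}


@dataclass
class AuditEntry:
    timestamp: float
    locator: str
    client_id: str
    purpose: str
    granted: bool


@dataclass
class HardenedStore:
    """Same data, different contract: callers are pre-registered clients with a
    per-client secret compared in constant time; the name + locator pair
    selects the record but does not by itself authorize access; the response
    is filtered to the declared purpose; and every attempt, granted or not,
    is appended to an audit log."""
    pnrs: dict
    client_keys: dict                       # client_id -> shared secret (constructed)
    audit_log: list = field(default_factory=list)

    def lookup(self, locator: str, surname: str, purpose: str,
               client_id: str, client_key: str) -> Optional[dict]:
        expected = self.client_keys.get(client_id, "")
        authenticated = bool(expected) and hmac.compare_digest(expected, client_key)
        pnr = self.pnrs.get(locator.upper()) if authenticated else None
        granted = (pnr is not None
                   and pnr["surname"] == surname.upper()
                   and purpose in PURPOSE_FIELDS)
        self.audit_log.append(AuditEntry(time.time(), locator.upper(),
                                         client_id, purpose, granted))
        if not granted:
            return None
        return {k: v for k, v in pnr.items() if k in PURPOSE_FIELDS[purpose]}

    def disclosures_for(self, locator: str) -> list:
        """What a data subject could be told on request: each successful
        access to their record, by which client and for what purpose."""
        return [(e.client_id, e.purpose)
                for e in self.audit_log
                if e.locator == locator.upper() and e.granted]


if __name__ == "__main__":
    print(f"locator keyspace ~ {locator_keyspace_bits():.1f} bits (if it were secret)")
    print("weak:", weak_lookup("abc123", "doe"))          # whole record, no trace
    store = HardenedStore(pnrs=SAMPLE_PNRS, client_keys={"agent-1": "k1"})
    print("check-in view:", store.lookup("ABC123", "DOE", "check_in", "agent-1", "k1"))
    print("bad key:", store.lookup("ABC123", "DOE", "check_in", "agent-1", "wrong"))
    print("disclosures:", store.disclosures_for("ABC123"))
```

The keyspace figure is a reminder that even a perfectly random six-character locator carries only about 31 bits, and that a value printed on a bag tag carries none in practice. The substantive difference is in the second half: the weak path hands out the complete record, payment details included, to anyone with the two public values and leaves no trace; the hardened store ties each access to an authenticated client and a declared purpose, returns only the fields that purpose needs, and keeps a log from which the data subject's "who has seen my record?" question can actually be answered.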
Meanwhile, however, I made contact while I was in Brussels with Mr. Paul Nemitz, Director of the unit for Fundamental Rights and Union Citizenship of the European Commission Directorate-General for Justice and Consumers (DG JUST). Mr. Nemitz and I agreed that his unit was probably not the one responsible for investigating my complaint, but he generously offered to accept my complaint, find out what unit was supposed to be responsible for dealing with it, and forward it to them.
To my pleasure, Mr. Nemitz did as he said he would. I have now received a letter from the Head of Unit (Acting) of the Directorate General for Mobility and Transport (DG MOVE), Directorate E.1, advising that “my unit is in charge at the European Commission of the implementation of the Code of Conduct and deals with any alleged infringements of the Code of Conduct. There is no specific form or procedures to be used for lodging a complaint for an alleged violation of the Code of Conduct.”
[Update: On 17 May 2017, I received a follow-up message from DG MOVE: “We will now assess your allegations on an infringement of the Code of Conduct and the information provided by you…. I will of course keep you informed on our assessment.”]
I have not yet received any indication of how long the investigation of my complaint may take.
For those who may wish to submit their own complaints of violations of the Code of Conduct for CRSs, these can be directed to:
European Commission
Directorate General for Mobility and Transport (DG MOVE)
Unit E.1 - Aviation Policy
Rue J.-A. Demot, 24, 5/76
B - 1049 Brussels
BELGIUM
telephone +32-22991111
MOVE-INFOS@ec.europa.eu
Many thanks to former MEP Ehrenhauser; current MEPs Albrecht, Sippel, and in ’t Veld; their assistants; and Mr Nemitz for helping to uncover this information and finally get my complaint accepted and (I hope) investigated.
Background on CRS/GDS insecurity:
- Who’s watching you while you travel? (18 April 2002)
- How safe is airline passenger data? Not secure at all. (20 April 2016)
- “Travel data: fraud with booking codes is too easy” (27 December 2016)
- CRS/GDS companies and travellers’ privacy (30 December 2016)
- “What can I do to protect my PNR data?” (12 January 2017)
- Unresponsive “comments” from Amadeus (18 January 2017)
Background on EU CRS regulations and enforcement:
- EU Code of Conduct for CRSs
- Parliamentary Question: Implications for the EU/US PNR agreement on CRSs, including new CRS providers such as Google (30 November 2011)
- Answer on behalf of the Commission (9 February 2012)
- Parliamentary Question: Enforcement of the Code of Conduct for CRSs (20 March 2017)
- Letter from the European Commission, DG MOVE, Directorate E.1 (27 April 2017)
I've received no further news as to the status of the investigation of my complaint, but the same unit of the European Commission has launched a review of the Code of Conduct for CRSs:
https://ec.europa.eu/info/law/better-regulation/initiative/120003/attachment/090166e5b594463f
You can give feedback on this "Roadmap" here through 2 November 2017:
https://ec.europa.eu/info/law/better-regulation/initiatives/ares-2017-4870475_en
My feedback on the Evaluation Roadmap is here:
The "Evaluation Roadmap" for this review notes that, "Since the adoption of the Code of Conduct in 2009 there have been a limited number of complaints or own-initiative investigations.... To date, there is no ruling of the European Court of Justice linked to the application of the Code of Conduct."
The Evaluation Roadmap is dated September 2017, and indicates that the evaluation is planned to start in February 2018 and to be completed in February 2019:
"The roadmap will be open for feedback for 4 weeks and main stakeholders will be contacted directly to draw their attention to it. The feedback will be used where appropriate to revise the approach to the evaluation.
The stakeholders to be consulted for the purposes of this evaluation include: CRS providers and their trade associations (ETTSA), airlines and their trade associations (A4E, ERA, IATA); rail operators and their trade associations (CER, AllRail); travel agents and their trade associations (ECTAA), technology companies, including meta-search engines, and consumer protection organisations (BEUC).
An extensive consultation process will be undertaken structured around two main axes of actions:
* A 12-week internet-based public consultation provisionally planned to take place in the first quarter of 2018. It will give the opportunity to individual companies and consumers to express their views on the topic. The questionnaire will be available in French, German and English. Replies can be given in any of the official EU languages.
* A set of targeted consultation activities tailored for particular stakeholders' groups, including surveys, interviews and case studies to be conducted in the context of the evaluation study run by a consultant."
Posted by: Edward Hasbrouck, 8 October 2017, 15:23 ( 3:23 PM)

"Sought-After Travel Data Protection Code Not Forthcoming Despite GDPR" (by Jay Campbell, The Company Dime, 26 January 2018):
https://www.thecompanydime.com/data-protection-code-standard-gdpr/
(subscribers only; discusses the status of this complaint and the issues it raises)
Posted by: Edward Hasbrouck, 2 February 2018, 14:41 ( 2:41 PM)

Message from the European Commission, 5 February 2018:
"I refer to your e-mail ... in which you ask for information on the status of your complaint.
"We are currently still assessing your complaint but I hope that we will be able to give you a reply on the substance of your complaint in the coming weeks."
Posted by: Edward Hasbrouck, 5 February 2018, 07:23 ( 7:23 AM)

As the next publicly-visible stage of its review of the EU Code of Conduct for Computerised Reservation Systems, the European Commission is conducting a "Public consultation on the evaluation of the regulation on a code of conduct for computerised reservation systems" through 10 December 2018:
https://ec.europa.eu/info/consultations/2018-crs-code-conduct_en
Posted by: Edward Hasbrouck, 1 December 2018, 10:45 (10:45 AM)

Update on the review of the E.U. Code of Conduct for reservation systems (10 December 2018):
https://hasbrouck.org/blog/archives/002330.html
On 10 December 2018, after submitting my comments to the European Commission for its review of the CRS Code of Conduct, I received a message from DG-MOVE, "I hope... that we will be able to come back to you on your complaint in the coming weeks."
Posted by: Edward Hasbrouck, 10 December 2018, 05:46 ( 5:46 AM)

First response from the European Commission to my complaint, 18 June 2019: European Commission doesn't want to enforce its CRS rules
https://hasbrouck.org/blog/archives/002355.html
Posted by: Edward Hasbrouck, 29 December 2019, 12:08 (12:08 PM)

"The Sabre Breach: What we can learn from large-scale backend systems" (by Prof. Dr. Eric Bodden, 15 May 2017):
Travel booking systems are old. They still rely on data structures and protocols designed in the 1960s – including restrictions on character sets originating from the use of punch cards. These systems used to be closed systems where the clients use dedicated connections and are well known. To allow for reduced costs and novel applications (e.g., self-booking through Internet services), CRS were opened up to access from the Internet.
What was left out was fine-grained access control. Every client can see the complete record of your travel booking, including personal information and payment information, based on very weak authentication credentials. Questions regarding privilege escalation or leaking data flow cannot even be applied here, as the systems are so open already. They will continue to be that way until a fundamental architectural change can be forced. This, however, is a gigantic undertaking as it involves the whole travel industry… all airlines, all hotels, all car rental companies, etc. The European Commission is currently investigating the security of central reservation systems, which will hopefully move the vendors to implement more defenses and more privacy measures for their system.
Posted by: Edward Hasbrouck, 29 April 2021, 14:35 ( 2:35 PM)

On 29 June 2021, the European Commission notified me that (without investigating or making any findings of fact) it has rejected my complaint:
https://hasbrouck.org/blog/archives/002616.html
Posted by: Edward Hasbrouck, 14 July 2021, 15:05 ( 3:05 PM)