Leadership Journal Archive
October 12, 2007 - January 19, 2008

December 31, 2008

What the Passenger Name Record Report Really Says

Airplane in sky against the sunset. Photo Credit: Marja Flick-Buijs

The DHS Privacy Office works overtime to ensure privacy protections at the department for Americans and those who travel to the U.S.  News of our efforts doesn’t always get out.  Recently, my office issued the Passenger Name Record (PNR) Data Report (download PDF), a public document that is a requirement of the joint U.S./EU agreement on PNR.  In fact, I encourage you to check out a previous Leadership Journal where I discussed this. On December 18, I pointed out that the department, including U.S. Customs and Border Protection (CBP), actually complied with the agreement and privacy documentation issued by my office.  Any statements to the contrary are mischaracterizations. I invite you to read the report for the truth.

Yes, the Privacy Office review did find areas for operational and policy improvement – I would be remiss in my statutory duties had I overlooked areas where privacy protections could be better integrated into DHS operations. Specifically, CBP needs to improve its handling of Freedom of Information Act/Privacy Act requests, a key component of redress generally, and with respect to PNR data.  I note, however, that for every recommendation made in the report, there was a concrete and actionable response that CBP began to implement before the report was even issued.  As with any program, improvements can always be made and so is the case here.  CBP did not fail in meeting its commitments to the Agreement and Letters between DHS and the Council of European Union.  CBP actively contributed to the review, opening itself up to criticism while still trying to operationally meet the requirements of the 2007 Agreement and Letters.  Moreover, CBP and the Privacy Office have been working together closely to improve CBP’s handling of FOIA and Privacy Act requests.  I am proud of my office’s hard work and I commend CBP for its efforts and its improvements.

The other half of the story is the one that has been ignored, so I will make it quite clear. The U.S. has upheld its commitments, but the Europeans, to date, have not.  On July 25, 2008, the European Commission vice president wrote to Secretary Chertoff suggesting the first review take place in "late 2008" and that questionnaires be exchanged beforehand.  The Secretary confirmed our intent to participate in order to review "the effective operation and privacy protection" of both U.S. and European systems.

My report was originally intended to provide the basis for a Joint Review in December 2008, which the European Commission unfortunately postponed for unknown reasons. The Joint Review is meant to illustrate the effective oversight and to promote further transparency of activities in both the U.S. and the EU. This is particularly important given that the EU is now considering use of PNR as a screening tool, and some Member States have already begun national PNR programs.

Only through effective oversight and real transparency, here and in Europe, can we truly gauge the effectiveness and impact on individual freedoms resulting from any single approach.

Hugo Teufel III
Chief Privacy Officer


December 23, 2008

Principles for Implementing Privacy Protections in Research Projects

The Department is often in the headlines for our high-profile efforts to protect the nation, but there are mission-critical activities going on behind the scenes to advance homeland security—including a recent achievement of our Science and Technology Directorate (S&T) and the Privacy Office. Although many of S&T’s activities, such as our work to develop vaccines for dangerous animal diseases, do not impact personal privacy, some of our efforts—like the development of new physical screening technologies—have potential privacy implications.

As we carry out the S&T mission to encourage innovation in the development and use of new technologies in support of homeland security, we have made it a priority to protect the privacy of individuals. To ensure that goal, the Privacy Office and S&T have just developed "Principles for Implementing Privacy Protections in S&T Research." Working together on this new guidance has been a natural fit, enabling us both to contribute our particular expertise. These Principles enable us to provide advanced tools, technologies, and systems to those working to protect our nation while incorporating privacy protections into privacy-sensitive S&T research.

Key Principles
  • Privacy Assessment. An assessment of privacy impacts, conducted jointly by S&T and the Privacy Office, will be an integral part of the design, development and implementation of any S&T research project that is privacy-sensitive or involves or impacts personally identifiable information (PII).
  • Purpose Specification. The scope and purpose of any specific S&T project will be clearly articulated and documented through a process that includes reviews of its effectiveness by internal experts (S&T staff other than the project’s proponents) and external experts (with appropriate security clearances).
  • Transparency. S&T will conduct Privacy Impact Assessments (PIAs) in conjunction with the Privacy Office, as required by the E-Government Act of 2002, for all research projects that involve or impact PII, and will publish PIAs for all non-classified research.
  • Data Quality and Integrity. Projects will endeavor to use only data that is reasonably considered both accurate and appropriate for the project’s documented purpose(s).
  • Data Minimization. Projects will use the least amount of PII consistent with their documented purpose(s). Where practicable, S&T will use data minimization techniques to accomplish this goal.
  • Use Limitation. Projects will only use data in a manner that is consistent with disclosures in all applicable PIAs and Privacy Act System of Records Notices, and consistent with privacy notices and policies that apply to data originally collected by the private sector.
  • Data Security. Researchers will take all reasonable steps necessary to maintain the security of the data they use.
  • Training. Personnel involved in a project will receive training on DHS privacy policy and on the privacy protections built into individual research projects.
  • Audit. Projects will use automated or non-automated audit procedures to ensure compliance with project access and data usage rules.
  • Redress. The Privacy Office, together with S&T’s Privacy Officer, will develop and administer a redress program to handle inquiries and complaints regarding any S&T research project and to provide relief where warranted.

The Principles appear in an appendix to Data Mining: Technology and Policy, the Privacy Office’s 2008 report to Congress on Department data mining activities. The report is available on the Privacy Office website.

We are proud of the collaborative work that led to the creation of these principles, and look forward to continuing to work together in our common mission to protect the American people and our homeland.

Hugo Teufel III
Chief Privacy Officer

Jay M. Cohen
Under Secretary, Science and Technology Directorate


December 22, 2008

Winter Fire Safety

As we change seasons from fall to winter and progress into the holiday season, the United States Fire Administration, a component of the Federal Emergency Management Agency, asks you to take a few minutes to review the following fire safety tips to help ensure you and your family remain fire safe.


Video demonstration showing how flammable a dry Christmas tree can be as opposed to a tree watered regularly.

The cold weather brings with it the need for heating at around the same time the holiday season starts; along with the celebrations comes an increase in home fires, fire deaths and fire-related injuries. Each year, an estimated 3,700 Americans die in fires and about 20,000 are injured. Approximately eighty percent of all fire deaths occur in the home. Not including arson-related deaths, from April 2007 through September 2007 at least 589 people were killed in home fires and when it became cooler, from October 2007 through March 2008, at least 982 people were killed in home fires. Many of those killed might still be alive today if they had known how to prevent a fire and how to survive once a fire starts.

According to the Consumer Product Safety Commission (CPSC), dried out Christmas trees are involved in an estimated 200 fires, 10 deaths and $10 million in property damage each year. CPSC also estimates that there are about 14,000 candle-related fires annually, resulting in 170 deaths and $350 million in property damage. Following some simple fire safety tips can boost survival rates dramatically.
  • Install and maintain smoke alarms. These are the single most effective tool for protecting you should fire occur.
  • Keep your holiday decorations away from heat sources, including fire places and space heaters. If using a live tree, keep it watered; when the tree dries out, discard it.
  • Inspect holiday lights each year for frayed wires, bare spots, gaps in the insulation, broken or cracked sockets, and excessive kinking or wear.
  • Do not leave lit holiday lights unattended. If your holiday celebrations involve the use of lit candles, never leave them unattended.
  • Chimneys, furnaces and wood stoves should be inspected and cleaned annually by a professional. When using indoor fireplaces or wood stoves, use only seasoned hardwood.
  • Always use a metal mesh or glass screen in front of your fireplace. Never use flammable liquids to start a fire. Extinguish the fire in the fireplace before going to bed or leaving the house. Soak hot ashes in water and place them in a metal container outside your home. Stack firewood outdoors at least 30 feet away from your home, and not in a garage.
  • Use only space heaters evaluated by a nationally recognized laboratory, such as Underwriters Laboratories (UL). Make sure heaters have an automatic switch to turn them off if the heater falls over. Leave at least three feet of space around all sides of your space heater.
  • Have your furnace inspected annually by a professional. Keep trash and other combustibles away from the heating system.

Fire departments respond to numerous house fires daily, and all firefighters know most of these fires could have been prevented. As America’s Fire and Emergency services leader, the USFA provides a wide range of safety information, checklists and pamphlets to ensure a fire safe nation. For more information, visit www.usfa.dhs.gov.

Gregory B. Cade
Fire Administrator, U.S. Fire Administration (USFA)


December 18, 2008

Passenger Name Record Data and Privacy

In July 2007, the U.S. Department of Homeland Security (DHS) and the Council of the European Union (Council) signed an agreement and exchanged letters regarding the transfer of Passenger Name Record (PNR) data to DHS by air carriers operating flights between the U.S. and the European Union (EU). Included was a provision to “periodically review the implementation of this agreement, the DHS letter, and U.S. and EU PNR policies and practices” to assess the “effective operation and privacy protection of their systems.” In a series of communications between the European Commission and the Department, the parties agreed that a Joint Review would be conducted this December.

In preparation for the Joint Review, my team conducted a review of DHS PNR processing practices, the results of which are published in A Report Concerning Passenger Name Record Information Derived From Flights Between The U.S. And The European Union, posted on the privacy website. In short, we found that the Department complies with the representations made in the Agreement and Letters, as well as those representations made in the System of Records Notice for the Automated Targeting System (published in the Federal Register on August 6, 2007), the system where PNR resides.

I am proud that our team was able to complete this important task in my final days as Chief Privacy Officer, but I am disappointed that our European counterparts chose to postpone participation in this exercise. The Joint Review is meant to illustrate a common commitment to effective oversight and to promote further transparency. The review DHS hopes to hold with the European Commission in early 2009 will be of considerable value to DHS, as it will identify areas for improvement and confirmed best practices.

The EU is now considering use of PNR as a screening tool, and some Member States have begun national PNR programs. In the spirit of reciprocity and transparency, and to contribute to our shared goals of protection of citizens and their personal information, we look forward to a comparable review of European PNR systems.

Hugo Teufel III
Chief Privacy Officer


December 16, 2008

Community Prep: Emergency Operating Centers

The State of Iowa Emergency Operations Center located in Johnston, IA. Photo: Iowa Homeland Security

Today’s roll-out of the grant application guidance for building or renovating emergency operating centers (EOC) around the country was personally satisfying for me. I know that EOCs are an integral part of disaster preparedness and response. A well-equipped EOC with a trained staff provides the coordination and communication needed to knit resources together during a disaster.

Last year, $14.6 million was made available by appropriators for 22 EOCs in 19 states and the District of Columbia. And this year, we had a breakthrough. Congress appropriated approximately $34 million for the EOC grant program, enough to build or renovate more than 40 EOCs around the country.

Over the past two years, FEMA has found that, to do our job really well, we have to rely on tribal, state and local, public and private partnerships. The better prepared those partners are, the better our response will be.

Thanks to the EOC grants, a lot of places in the country are going to be better prepared to deal with disasters in their communities.

R. David Paulison
Administrator, FEMA


December 13, 2008

U.S. and EU Agree on Data Protection Principles

Data protection and data sharing took a big step forward yesterday at the U.S.-EU Justice and Home Affairs Ministerial meeting in Washington. The French EU Presidency, the European Commission, and the U.S. Departments of Homeland Security, Justice, and State agreed to a Statement on Information Sharing and Privacy and Personal Data Protection and recorded progress on a set of principles that will advance both data privacy and data sharing in a law enforcement context. (download PDF)

The U.S. and the European Union have long been seeking common ground on data protection and data sharing principles. The U.S. proposed the discussion after divisive negotiations over airline reservation data (“PNR”) finally resulted in an agreement between the U.S. and the EU. The PNR agreement did two things: on the one hand, the U.S. set forth data protection rules for PNR, and on the other hand the EU agreed to approve the sharing of PNR with the U.S., thus protecting from penalty airlines and third countries that cooperate with U.S. antiterrorism measures by providing such data.

Noting that U.S. and EU standards for law enforcement data protection were in fact quite similar, the U.S. proposed a broader set of talks, with a view to reaching a broader agreement with the same basic structure as the PNR arrangement: (1) an agreed set of data protection principles and (2) protections so that private companies and third countries are not punished for cooperating with antiterrorism data gathering measures. A High Level Contact Group was formed to explore this possibility.

The talks began to bear fruit this year. In May, the two sides disclosed that they had reached substantial agreement on twelve data protection principles that both EU and U.S. law enforcement agencies observe.

More progress was made, as the parties took up the remaining job of reaching agreement on ways to protect those who cooperate in data gathering measures. The parties accepted an experts’ report that disclosed broad agreement on matters such as private entities’ obligations, preventing undue impact on third countries, and procedures for resolving questions arising under the principles. For example, the third country provision states that “when the European Union or the United States has international agreements or arrangements for information sharing with third countries, each should use their best endeavors to avoid putting those third countries in a difficult position because of differences relating to data privacy.” These principles demonstrate both sides’ willingness to avoid penalizing private entities and third countries because of possible U.S.-EU differences over data protection.

More negotiations lie ahead, of course. In particular, the parties noted that they have not reached agreement on redress (how to handle individuals’ complaints about how their data was treated) and reciprocity (making sure that the U.S. and EU do not demand higher data protection standards from others than they demand of themselves and their member states).

But, while negotiations are in progress toward a binding agreement that will mutually recognize both privacy regimes, the U.S. and the EU are already providing some comfort to those whose data is collected and to those who help to collect or share such data. Along with the principles, the parties issued a statement promising that, while negotiations continue, the U.S. and EU will “use best endeavours to refrain from activities which undermine these principles.” This statement means that the U.S. and EU will discourage deviations from the agreed law enforcement data protection provisions, which should reassure those whose data is collected for law enforcement purposes. At the same time, the parties’ undertaking should encourage law enforcement agencies, private entities, and other countries to provide data without fear of being drawn into conflicting demands by U.S. and EU data protection regulators.

Stewart Baker
Assistant Secretary, Policy


December 10, 2008

International Consensus on Small Boats

DHS policymakers spend a lot of time worrying about threats that haven’t happened yet. We also take a lot of grief from people who think that all our worrying is a waste of time—or, worse, an intentional strategy of fear-mongering. So it’s important to note those occasions when our worries have turned out to be on target.

The most recent such confirmation comes in the context of small boat terrorist attacks.

Two weeks ago, in Mumbai, India, terrorists seized a fishing vessel, killed its crew, navigated to Mumbai, and used small inflatable boats to come ashore for their attack.

DHS spent much of the last year on measures to reduce the risk that terrorists will be able to use small boats in an attack on this country.

In April 2008, the Department developed a Small Vessel Security Strategy. The strategy outlines the goals and objectives that the Department component agencies, especially the U.S. Coast Guard and Customs and Border Protection, will work toward. Supporting the strategy, an interagency working group has been developing an implementation plan which in the coming weeks will outline the Department’s specific intentions. All of this effort has been done in coordination with the owners and operators of small vessels, including American fishing fleets, recreational craft associations, and commercial passenger and cargo vessels.

And less than a week ago, on December 5th, an international effort led by the United States, the United Kingdom, and Japan, resulted in the approval by the International Maritime Organization of new guidelines for small vessel security.

A year in the making, the new guidelines provide recommendations for governments and the owners and operators of small vessels and related facilities such as marinas. The recommendations encourage the registry of vessels and the sharing of such registry information between governments, the installation of access controls at marinas and on small commercial craft, as well as guidance on how to conduct vessel searches.

Numerous delegations at the International Maritime Organization meeting expressed their intent to implement the guidelines within their domestic security programs.

Getting the international community to focus on terrorism, and especially on new terrorism threats, is not a job for the impatient, but this is a case where DHS was both patient and ahead of the curve, and the reward is that we were able to move swiftly once an international consensus emerged.

Stewart Baker
Assistant Secretary, Policy


December 9, 2008

Small Boats

The tragic terror attack in Mumbai and its maritime nexus represents further cause for action on an effective international and domestic approach to small vessel security. After hijacking a fishing vessel, the terrorists used off-the-shelf GPS technology to navigate from Karachi, Pakistan to Mumbai and then simply rowed ashore in inflatable dinghies. They didn’t make much of an effort to conceal their movements.

Such brazen activity would have been detected on land but the water is a much different environment. In the maritime domain, thousands of small vessels ply international or coastal waters with relative anonymity. With limited awareness offshore, law enforcement entities are forced to respond to unfolding maritime events instead of preventing them.

The Coast Guard articulated these challenges in a 2007 report.

The emergence of transnational threats: Transnational criminals, pirates, and terrorists seek to exploit the complexity of the maritime domain and the vulnerabilities of the global supply system. Weapons of mass destruction (WMD), contraband smuggling, and small vessel threats, such as water-borne improvised explosive devices (WBIEDs), represent the greatest risks from terrorism in the maritime domain. Today's trafficking of drugs, migrants, and contraband by criminals is becoming increasingly sophisticated and threatening as well.

The vastness, anonymity, and limited governance of the global maritime domain: The maritime domain, by its nature, creates its own challenges. Legitimate uses and criminal threats are growing in a realm that spans the globe, has limited governance, and provides little transparency of activity (particularly for smaller vessels). This creates tension between recognized legal regimes and the emerging need for greater security and safety -- U.S. Coast Guard Strategy for Maritime Safety, Security and Stewardship (Download PDF)

I recently wrote an article on the new approach needed to counter the small vessel threat consistent with our maritime security strategy. To mitigate the small vessel threat, law enforcement agencies need greater maritime domain awareness, appropriate legal regimes, and partnerships across the public and private sector to implement risk-based solutions. You can read the article (PDF).

There is no singular solution to the security threat presented by small vessels. The cooperative effort to reduce this threat and mitigate potential impacts cuts across borders, jurisdictions and agencies. It requires a collaborative effort across government, the private sector and the international community.

Significant progress has been made to reduce the risks. Efforts have included technology, information sharing, improved operational capability, as well as legal regimes. Examples include:

We must continue to work to further overlap our layers of defense and close the current gaps in our maritime security strategy. Our solutions need to be risk-based to identify the potential illicit actors while ensuring the free-flow of legitimate commercial traffic and the freedom of movement American boaters have come to expect.

Admiral Thad Allen
Commandant, U.S. Coast Guard
