ICAO mandates worldwide government surveillance of air travelers

This is an extraordinary and, so far as we can tell, unprecedented globalization and normalization of suspicionless mass surveillance of the innocent exercise of legal rights.

To the best of our knowledge, this is the first time that any industry — much less an industry of common carriers required by law (including by international aviation treaties) to transport all would-be passengers, without discrimination, in the exercise of a right to freedom of movement also recognized by international treaties — has been mandated by international treaty to provide government agencies worldwide with complete copies of its commercial records of each of its transactions with a customer. No such treaty obligation exists, for example, with respect to records of postal, telephone, Internet, or financial transactions.

The exercise of rights should not be deemed per se suspicious or a legitimate grounds for surveillance.

The requirement for PNR-based surveillance of air travelers is included in Amendment 28 to Annex 9 to the Chicago Convention. This amendment was approved by ICAO’s Council — an executive committee of countries elected by ICAO’s members to make decisions between ICAO’s triennial General Assembly of all member states — on June 23, 2020.

Unless disappproved by a majority of state parties to the Chicago Convention, the mandate for PNR-based surveillance of air travelers will take effect worldwide on February 28, 2021.  Pursuant to Article 90 of the Chicago Convention, “Standards And Recommended Practices” (SARPs) approved by the ICAO Council are binding on all parties to the treaty unless a majority of the signatories of the Convention notifies ICAO of their disapproval within three months or such longer time as is prescribed by the Council. ICAO Council Resolution A39-22, adopting Amendment 28 with its new PNR-based travel surveillance mandate, gives parties to the Chicago Convention more time, until October 30, 2020, to give notice to ICAO if they disapprove.

The new amendment is, we think, clearly contrary to the US Constitution and to multiple other international aviation and human rights treaties. Whether current government access to PNR data is compatible with fundamental European human rights law and treaties is currently under review by the Court of Justice of the European Union. But it seems unlikely that many (or any) ICAO members will reject the new PNR rules.

Assuming that the amendment adopting the new SARPs is not rejected, any country that does not plan to comply is required by Article 38 of the Chicago Convention to give notice to ICAO by the effective date of the amendment, February 28, 2021, of any expected national derogation from, or failure to implement, the new requirements.

The Chicago Convention authorizes the ICAO Council to delegate the development of SARPs to subcommittees, task forces, or working groups, effectively outsourcing and hiding the origins of policies that, once adopted, have the force of international treaty law. So far as we can tell, no representative of a data protection authority has ever bene included in a national delegation to ICAO, and no civil society organization concerned with surveillance has ever applied for observer status with ICAO. (We’ve been calling for that explicitly for a decade, but no funding for such a long-term, globaly dispersed effort has been forthcoming.) ICAO has no internal transaparency or disclosure rules. Records of ICAO’s closed-door decision-making meetings and events can be obtained only through participating national governments’ FOIA or other disclosure procedures. For all these reasons, ICAO has become one of the preferred vehicles for policy laundering by the US and its allies in promoting worldwide tracking, surveillance, and control of all individuals’ movements.

In 2005, ICAO’s Council amended Annex 9 to the Chicago Convention to require machine-readable passports.  In 2007, ICAO’s work to promote use of secretly and remotely-readable RFID chips in passports won a Big Brother Award from Privacy International.

Since 2005, a series of increasingly inclusive and prescriptive amendments to Annex 9 concerning provision to government agencies of airline data about travelers have worked their way through ICAO’s Facilitation Panel.

Prior to the latest amendments considered by the ICAO Facilitation Panael  in January 2020, ICAO recommended, but did not require, use of the PNRGOV data transmission format and other procedures described in ICAO Document 9944, if member states chose to require airlines to provide PNR data (copies of reservations) to government agencies. But there was no PNR mandate. The latest amendment converts the transmission format recommendation into a requirement, and adds both a requirement for governments to acquire copies of all international PNRs and a prohibition on any government sanctions against airlines or their partners for providing passenger data to government agencies.

Airlines are active participants in ICAO working groups, and strongly supported the new rules requiring them to help governments spy on travelers in every country where they fly. Airlines’ only concern has been to minimize the burden on them of collecting additional data or selecting or reformatting passenger data differently to satisfy different governments’ demands. The rule adopted by ICAO requires airlines to use a standard data transmission protocol, but allows the underlying PNR data to be left in its native format, which varies in structure and content from airline to airline.

Airlines will be required to send government agencies complete copies of PNRs, including free-text remarks entered in reservations by customer service, call center, or other travel industry staff. But airlines are only required to transmit the data they have collected for their own or their partners’ business purposes, and have stored in PNRs. This makes it important for travelers (a) to request copies of their PNR data from airlines, in countries where (unlike in the US) the law entitles them to do so, so that they know what information is being passed on to government agencies in every country they visit, including those where they merely change planes, and (b) insist that airlines start to minimize the data they store in PNRs, and move as much personal information about travelers as possible to other databases not subject to mandatory disclosure to government agencies. Even better, although more difficult, would be for an airline to move to a non-PNR customer data structure that would not be subject to government demands that are limited to PNR data.

The US and its international allies in mass surveillance are working quickly to capitalize and build on the new ICAO mandate for surveillance of travelers — even before it has officially come into effect. On August 31, 2020, ICAO concluded an agreement with the UN Office of Counter-Terrorism to collaborate in “capacity building” to teach member governments how to  use airline PNR data to identify and track persons of interest to those governments. (Many  governments, of course, designate their political opposition as “terrorists”.) And a first joint forum of ICAO and Interpol on use of passenger data for policing is planned (subject to COVID-19) for September 29 – October 2, 2020, at ICAO headquarters in Montreal — making clear that use of PNR-based surveillance and profiling  will not be limited to “terrorism”, but will be a general tool of law enforcement.