Laudator: Werner Hülsmann, FIFF e.V.

"The Big Brother Award 2003 in the category of State Authorities / Institutions is earned by the

government of the United States of America

for their coercion of European and especially German airlines into granting various US authorities access to the vast amount of data related to the bookings of all passengers travelling to or via the United States."

The Big Brother Award 2003 in the Category of State Authorities / Institutions is earned by the government of the United States of America, for their coercion of European and especially German airlines into granting various US authorities access to the large amount of data related to bookings of all passengers travelling to or via the United States. Many people will ask why the German Big Brother Awards should consider the government of another country for a "prize" when there is a Big Brother Award in that country as well. But since the recognised measure does not primarily affect US citizens (residents), but foreigners such as Europeans and therefore Germans as well, the jury decided to give the award to a non-German state institution this time. That is not supposed to mean that no German authorities had been conspicuous with prize-worthy behaviour, only that the US government did surpass them in their disregard to data protection and privacy. The bad habit of using the fight against terrorism to erode civic rights is widespread in many countries, including Germany. And by the way, in the year of the attacks on New York's World Trade Center, 2001, it was the German interior minister Otto Schily who received the Big Brother Award for his surveillance laws enacted in the name of fighting terror. Since March 5th, 2003, European airlines are giving US customs authorities access to passenger data. There are around 40 items that have to be revealed, ranging from actual flight (flight number, route, date) and purely personal data (name, date of birth, address, phone number, travelling partners) to information such as credit card details and meal preferences, hotel bookings and car rentals.

The German airline Lufthansa, for example, opened its booking system AMADEUS directly to access by the US authorities. As a result, the transfer of large amounts of data is potentially affecting all passengers, not just those flying to the US. This is because there is as yet no means of technically restricting the access to US-bound passengers. The US authorities have promised only to access data related to US flights, and this is to be verified by activating certain logging functions - but whether these logs can actually be evaluated and what should happen if the US authorities do access other data is unclear.

Once again it shows that the US government see it as their right to internationally press through regulations that they regard as legal, even against the resistance of sovereign states and against international law. The legal foundation cited is the "US Aviation and Transportation Security Act" of Nov 19, 2001, as well as the implementing regulations adopted by the US customs authority. The fact that this is a severe intrusion against the right to informational self-determination as well as a breach of European data protection legislation, and therefore a violation of sovereignty of democratic states, seems to be of no interest to the US government. If access is not given, there will be no landing permission, goes the simple and convincing "argument" of the US authorities.

Up to 11 million passengers on transatlantic flights are affected by these data transfers. These are processed in a system named CAPPS (Computer Assisted Passenger Pre-screening System) that will assign one of three categories to a passenger. The green category signifies "minimal risk", yellow calls for "heightened security measures", and red will "alarm security forces for eventual arrest". The planned successor, CAPPS II, is supposed to achieve this within five seconds. The kind of excess that might result is demonstrated by the experience of two peace activists who got onto a "no fly" list and were held at San Francisco airport in August 2002.

What little priority is given to data protection in the design of such systems is illustrated by the fact that a "privacy impact assessment", required for the release of further state funds, has not yet been made, although the developing company has been announcing it is going to work on it for the last two years. Interestingly, the restrictions currently planned for the amount and duration of storage only benefit US citizens. Non-US citizens seem to be regarded as free game.

In an agreement with the EU Commission on Feb 18, 2003, the US customs authority has obliged to respect the basic principles of European data protection laws - it did promise, for example, not to inspect particularly sensitive passenger data and to use what it does see only for lawful purposes. But an understanding which data is to be regarded as sensitive still has not been reached. And which purposes are lawful is of course not decided by the European Commission but by the US legislative.

What is already known is that the US wants to store all retrieved data for a period of seven years and not restrict its use to the fight against terror. After those seven years the intention is to store the data for another eight years in a "deleted record file". Objections raised by the European institutions that this extent of storage and use are not in the spirit of European data protection laws have been brushed aside as legal nit picking in face of the dangers posed by international terrorism. This seems typical of a very one-sided idea of freedom by the US government.

Congratulations to the government of the United States of America for the Big Brother Award 2003 in the state authorities/institutions category.