American Airlines Customer Relations P.O. Box 619612 MD 2400 DFW Airport, TX 75261-9612Ê 14 January, 2005 To whom it may concern, On Sunday, January 9th, I flew AA51 from London Gatwick to Dallas-Fort Worth. At Gatwick, I was confronted with a security check that exceeded sense and decency and, I feel, creates a terrible potential liability for your airline. At Gatwick, I was directed to a security podium before I checking in for my flight. The security officer asked me a series of questions, such as: * Where are you flying? * How long have you owned your luggage for? * Have any of your electronics been serviced recently? * Why are you flying this route? This last one was a little weird: the route I was flying had been selected for me by the computer running www.aa.com's reservation system, but I answered anyway, wanting to be cooperative. Then the officer asked me where I would be staying in the USA: "I will be staying with a friend tonight, at a hotel near LAX tomorrow, and with a different friend in Tarzana for the rest of the week." The security officer then handed me a blank piece of paper and said, "Please write down the names and addresses of everyone you're staying with in the USA." I actually began to write this out when I was brought up short. "Wait a second -- since when does AA compile a written dossier on the names and addresses of my friends? Why are you asking me this? Do you have a privacy policy and a data-retention policy I can inspect prior to this?" The security officer told me that this was a Transport Security Agency (TSA) regulation. I asked for the name or number of the regulation, its text, and the details of the data-retention and privacy practices in place at AA UK. The security officer wasn't able to answer my questions, and she went to get her supervisor. After several minutes, her supervisor appeared and said, after introducing himself, "Sir, this is for your own protection." I think it's pretty hard to argue that making passengers produce written dossiers on their friends' home addresses makes planes in the sky secure. I asked again if this was really a TSA regulation and what AA's privacy and data-retention policies are. The officer said, "This is a TSA regulation." I said, "Why didn't I have to provide this information when I flew out of Gatwick on US Air in December then?" He said, "Well, you know that American Airlines has had some terrible things happen to it in the past." I asked "So the TSA wrote a special regulation for AA? What is the name of this regulation, and what is your data-retention and privacy policy?" He didn't know the answer and went off to fetch the terminal supervisor for AA. Several more minutes passed, and then the supervisor appeared. He had looked over my documents and said, "Sir, I'm sorry, you are a Platinum AAdvantage member and shouldn't have been asked this question." I thanked him and asked him if he knew what AA's privacy and data-retention policies were. He didn't. In the past few days, I've told this story to many friends in the US and the UK and they've all been shocked by it. It's really stuck in my craw, and left me with three questions for your airline: 1. What is the AA privacy and data-retention policy? 2. Do non-Platinum flyers have to provide dossiers on their friends on demand from an AA officer? Why? 3. Is there a TSA regulation that requires you to gather this information? What is the number or name of that regulation and where can I get a copy of it? Under the UK Data Protection Act, AA is required to be accountable for the personal information it collects from the public. On presentation of a nominal fee of ten pounds, AA is expected to provide a reasonable accounting of what information it has gathered from me and how it uses that information. I believe gathering these dossiers means that you incur this liability not only to me, but to all of my friends, too -- in other words, if you require me to give you my friends' name and address, my friends also have the right to find out how you use that information. This explodes your data-retention liability, potentially by an order of magnitude. I was told that I came under extra scrutiny at the podium because I was flying from the UK to the US on a Canadian passport; that is, a passport that doesn't come from either the origin or destination of my flight. I fly a lot to the USA, and other airlines don't seem to have this policy. Should I take this to mean that if I continue to fly AA on this customary UK-US voyage of mine, I can expect to be given a hassle every time I fly? I'm cc'ing this note to my colleagues at the Electronic Frontier Foundation, to my friend John Gilmore who is currently suing the TSA over some of its regulations, and to the website I co-edit, Boing Boing (boingboing.net), which has over 200,000 daily readers. I will be very interested to hear your reply. I would appreciate a response by February 1, 2005. Thank you, Cory Doctorow AAdvantage Number: XXXXXXX