Introduction

I’d like to thank the German Marshall Fund for hosting and all of you for attending. Germany created this institution to memorialize America’s efforts to help rebuild Europe after World War II in the face of a growing Soviet threat. The transatlantic alliance that emerged from the rubble of the war did more than just resist and ultimately defeat the Soviet empire. It formed the basis of the liberal international system from which we all derive so much benefit today – a system based on the rule of law, human rights, and individual liberty.

Today I’d like to discuss our transatlantic efforts to combat a different threat – the threat of international terrorism – and some of the key tools and policies that make Europe and the United States safer.

I’ll start with a story. It’s July 14, 2003 at Chicago’s O’Hare international airport.

A Jordanian man named Ra’ed al-Banna is among the throng of passengers who have just arrived on KLM flight 611 from Amsterdam. After waiting in line, al-Banna presents his passport to customs officers. They access a system that analyzes his airline reservation data and past travel history.

Something doesn’t add up. Al-Banna has a legitimate passport and a valid U.S. visa; he’s even visited our country in the past without incident. But the officers aren’t satisfied that he’s being completely truthful, so they refuse him admission. They take his fingerprints and put him on a plane back to Jordan.

So far, it sounds like a routine day at the border. Nearly two years later, events in Iraq gave it a new, and sinister, significance.

On February 28, 2005, several hundred police recruits were standing outside a clinic in Hilla, a city in the south of Iraq. With no warning, a car drove into the crowd and detonated a massive bomb. One hundred thirty-two people were killed, and scores more were injured. It was the deadliest suicide bombing Iraq had seen.

The driver was Ra’ed al-Banna. We know that because when authorities found the steering wheel of his car, his forearm was still chained to it.

We don’t know why al-Banna wanted to come to the United States in 2003, and we don’t know what he would’ve done if he’d gotten in. But we do know what kept him out. Because officers were able to analyze his airline reservation data, they took a closer look and determined that his answers weren’t satisfactory.

PNR: A Critical Counterterrorism Tool

This all happened more than a decade ago, but the threat we face from terrorist travel remains acute. Every day, more than a million people enter the United States by land, sea, and air. The numbers in Europe are similar. We need to know which of these travelers are legitimate tourists or businesspersons, and which ones may pose a threat.

Terrorist groups like ISIS and al-Qa’ida depend on travel. They have to travel to receive training. They have to travel to case their targets. They have to travel to carry out their attacks. Every time they board a plane or cross a border, we have an opportunity to detect and capture them.

When ISIS attempted to create a physical Caliphate, an unprecedented number of foreign terrorist fighters – roughly 40,000 people – flocked to the war zone in Syria and Iraq. And now that we’ve liberated some 98 percent of the territory ISIS once held, there’s a risk that some of these battle-hardened veterans will return home or relocate to third countries.

So, how do we identify terrorists who are hiding in plain sight, concealing themselves among the millions of international travelers each day? How do we spot the proverbial needle in the haystack?

In short, we use PNR.

PNR stands for “Passenger Name Records.” PNR is the information you give an airline when you book a ticket. It generally includes your itinerary, your contact information – like phone number and email address – and other data. Under U.S. law, airlines are required to provide PNR for all flights to, from, or over our country. We then use the data to look for travelers who pose a threat.

PNR is one of the most valuable weapons in our counterterrorism arsenal. Let me give you a few examples of what we can do with it.

The most straightforward thing we do is hunt for threats we already know about. We use PNR to check travelers’ names against watchlists of known or suspected terrorists.

Of course, terrorists often use false identities or otherwise try to conceal themselves. That’s where PNR is especially valuable – it helps us find the unknown threats.

PNR can illuminate the hidden connections between known terrorists and their unknown associates. We call this technique “link analysis.” If a traveler has booked a ticket with the same mailing address as Khalid Shaikh Mohammed, the mastermind of the 9/11 attacks, he probably merits a closer look than a typical airline passenger.

Let’s dwell on that point for a moment. If investigators had applied simple link analysis techniques to PNR and related data, they could have uncovered the ties among all 19 of the 9/11 hijackers.

Let’s start with two men who flew American Airlines Flight 77 into the Pentagon, Nawaq Alhamzi and Khalid al-Midhar. Their names appeared on a U.S. watchlist, because they’d been spotted at a January 2000 terrorist meeting in Malaysia. So they would’ve been flagged when they bought their tickets.

Tugging on that thread would have revealed three other hijackers who used the same mailing addresses as the first two, including Mohamed Atta, the plot’s operational ringleader.

Officials would’ve discovered yet another hijacker who used the same frequent-flyer number as al-Midhar. Five others used the same phone numbers as Mohamed Atta. That’s 11 of the 19.

Officials could have found a twelfth hijacker on a watchlist for expired visas, and the remaining seven could have been flagged through him by matching other basic information.

A third use of PNR is to spot potential terrorists based on their travel patterns. Our software can tell if a traveler flies with a companion who is on a watchlist. It can tell if a passenger’s current travel varies from previous routes. It can tell if a traveler is taking odd routings to get from point A to point B.

What happens if there’s a hit? A traveler who matches a pattern might get a little extra screening at the airport, which allows our border security officials to take a closer look.

Fourth, PNR can help spot so-called “broken travel” – a technique in which terrorists use convoluted routings to avoid detection.

Do you remember Mehdi Nemmouche? He’s the gunman charged with murdering four people at the Jewish Museum in Brussels in 2014. Nemmouche reportedly used broken travel to the war zone in Syria, transit Asia, and reach Europe undetected.

A woman named Hayat Boumediene reportedly used the same technique to flee Europe after her husband – Amedy Coulibaly – murdered four people at a kosher market in Paris in January 2015.

This is where international cooperation becomes critical. The more countries that collect and share PNR data, the more likely we’ll be able to spot terrorist attempts to use broken travel.

Finally, PNR can help law enforcement identify perpetrators and their co-conspirators after an attack takes place.

In December 2009, a U.S. citizen by the name of Faisal Shahzad received explosives training in Pakistan from the Pakistani Taliban. In February of 2010, he arrived at JFK on a one-way ticket from Islamabad. He was referred to secondary screening because he matched a PNR targeting rule, so customs officers interviewed him and released him.

Three months later, on May 1, 2010, a car bomb failed to detonate in Times Square. Investigators tied Shahzad to the car. (It was a Nissan Pathfinder that he bought on Craigslist.) Customs then placed an alert for Shahzad in its system. When he booked a flight to flee the United States, the airline transmitted his information to authorities; he was arrested at JFK as he attempted to fly to Dubai. He was convicted and is now serving a life sentence.

It’s worth pointing out that PNR isn’t just good for security. It’s also good customer service. PNR can help facilitate legitimate travel. Advance transmission of reservation data enables passengers to be screened before they depart. That means officers can speed bona fide travelers along while focusing their attention on the small number of passengers who present a higher risk.

The Law of PNR

The United States has been using PNR as far back as 1992, and we intensified our efforts after 9/11. Today, the rest of the world is catching on.

States now have an obligation under international law to collect and use PNR. That’s because, last December, the UN Security Council adopted a tough new resolution on terrorist travel, which the United States pushed to unanimous approval with 66 co-sponsors.

Resolution 2396 obliges UN Member States to, and I’m quoting now, “develop the capability to collect, process, and analyze” PNR. It also encourages UN Members to, quote, “share PNR with relevant or concerned Member States to detect foreign terrorist fighters returning to their countries of origin or nationality, or traveling or relocating to a third country.”

This obligation to collect and use PNR is universal. There are no exceptions or carve outs. Nor could there be. Every country has a part to play in detecting and stopping terrorist travel.

Here in America, we’re especially glad that the European Union is now actively supporting PNR. Candidly, that always hasn’t been the case. Back in 2007, when I was at DHS, we had to work pretty hard to get an agreement for us to access European PNR. Some raised privacy concerns about the U.S. collecting personal information; others weren’t convinced that PNR was an effective tool.

Then Paris happened. The Paris attacks in 2015, and the follow-on attack in Brussels in 2016, shocked the French, Belgians, and the rest of Europe. Since then, we’ve seen a sea change in European thinking on PNR.

The attacks demonstrated that Europe’s borders were vulnerable to terrorist infiltration from Syria and Iraq. And they drove home the need for robust border security measures to prevent more mass casualty attacks.

As a result, in April 2016, the European Council adopted Directive 2016/681. That mandate required all Member States to implement PNR systems for extra-EU flights by May of this year. It also authorized EU members to implement PNR systems for certain internal EU flights as well.

PNR Myths and Reality

Unfortunately, our story doesn’t have an unambiguously happy ending – at least not yet. While PNR is now obligatory as a matter of international and European law, some critics continue to raise privacy concerns.

I’d like to explain why our use of PNR is entirely consistent with privacy values. The reality is that we’ve adopted extremely strong protections for personal privacy. And we’ve put a number of safeguards in place to prevent any possible abuses.

Collection

Some critics object to the government collecting PNR at all. But PNR data is fairly innocuous. We’re talking about airline reservation data – flight numbers and destinations and traveling companions. Passengers have already given it to Lufthansa when they booked their flight. Authorities should be able to use it to protect that flight from terrorist attacks.

Sharing

Others accept the need for PNR generally, but question whether the data needs to be shared within governments or between them.

Let me be clear: Information sharing is an absolutely critical part of counterterrorism. One of the lessons we learned on 9/11 was the need to tear down the walls that kept cops and spies and soldiers from talking to one another. We can’t rebuild walls when it comes to PNR.

In fact, the United States provides robust protections for PNR data.

Let’s start with the law. U.S. privacy laws establish a number of important safeguards for personal information.

First, the Privacy Act and Judicial Redress Act limit when and to whom federal agencies may disclose personally identifiable information.

Second, data subjects have the right to request access to their records; in some cases, they can also request amendments.

Third, the Privacy Act includes a “code of fair information practices” that offers other protections. For example, the Act limits the purposes for which federal agencies may use personal data and requires appropriate safeguards to protect that data.

A few minutes ago I mentioned the U.S.-EU PNR agreement. That agreement contains a number of extra protections that go beyond what’s required by U.S. law.

First, we use encryption and strict administrative controls to limit access to the PNR data we collect. The information must also be safely located and can only be queried in a way consistent with the purpose laid out in the agreement. In short, analysts can’t go rummaging around the databases at random.

Second, we notify any travelers – as well as our European counterparts – in the unlikely event that PNR data is disclosed or accessed improperly. This notification requirement helps deter misconduct. As the lawyers say, sunlight is the best disinfectant.

There are also technological safeguards. PNR users are closely audited. All system queries are logged, and can be traced back to the employee who did the analysis. We have zero tolerance for misuse of the system. All misconduct is punished; an employee who breaks the rules faces penalties that range from suspension to termination.

Data Retention

Some critics want us to delete the data we’ve collected as soon as a traveler’s visit ends. That would defeat the whole point.

Sometimes, it won’t be clear that a given piece of information is valuable until years after the fact. That’s the lesson of Ra’ed al-Banna – he became a suicide bomber some two years after he tried to enter this country. It’s also the lesson of Faisal Shahzad – he tried to bomb Times Square months after he arrived. If we’d deleted their records, we would have missed opportunities to fully investigate and understand their plots.

So how long do we keep it? Authorized users have access to PNR in an active database for up to five years. After that, the records are “depersonalized” and transferred to a dormant database, where they can be held for up to ten more years.

The data that’s held in “cold storage,” as it were, is subject to additional controls. It can’t be accessed without permission from a senior official designated by the Secretary of Homeland Security. Furthermore, dormant PNR may only be re-personalized in connection with a law enforcement operation and only in response to an identifiable case, threat, or risk. We can keep information for longer only if it’s linked to active law enforcement lookout records, matches to enforcement activities, or ongoing investigations or cases.

The Way Forward

So how does the United States intend to move forward with PNR?

First, we’re going to help other countries implement their UNSCR 2396 obligation to develop PNR systems. We recognize that some Member States face challenges due to limited capacity and resources. Certain provisions may take years to achieve and some partners will need technical and other forms of assistance to meet their obligations.

The United States stands ready to help. We’re willing to share our PNR system – the Automated Targeting System-Global, or ATS-G – with any country that wants it. We’re also ready to share our technical expertise. The Dutch have made a similar offer. They’re contributing their Traveler Identification Portal to other countries through the United Nations, and we applaud them for this effort.

Second, the United States will continue to work through multilateral fora to press for fast and full implementation of Resolution 2396 and to highlight the value of PNR.

In particular, we want to work with the International Civil Aviation Organization to establish appropriate Standards and Recommended Practices for PNR as soon as possible. ICAO recently did the same for another kind of airline reservation data – advanced passenger information, or API.

That’s the good news. The bad news is that the process took four years. We don’t have that kind of time.

Finally, let me state the obvious. The United States is not going to stop using PNR to protect our borders. Terrorist travel remains too severe a threat, and PNR remains too effective a tool, for us to unilaterally disarm. And we don’t have to. Privacy and security are not mutually exclusive. PNR lets us have both.

A few minutes ago I mentioned the court decision striking down the proposed PNR agreement between Canada and the EU. Of course we have our own, separate agreement with the EU, the most recent version of which went into effect in 2012.

Our friends in Brussels have told us that the ECJ’s decision won’t affect that agreement. We’re glad to hear this and we take them at their word. We consider this to be an internal matter for the EU to sort out on its own.

But lest there be any misunderstanding, let me be clear. The United States is not prepared to renegotiate our PNR agreement. We simply cannot accept any additional restrictions on our ability to use PNR beyond what we accepted in 2012. Indeed, if our agreement weresomehow reopened, we would look to loosen restrictions on our ability to combat terrorist travel.

I hope European policymakers who recognize the value of PNR – both in national capitals and in Brussels – will take their case to their publics. We need to demonstrate that this program is vital to our citizens’ safety and wellbeing. And we need to show how the protections for personal data are adequate and fully consistent with the privacy values we all affirm.

Conclusion

In conclusion, the United States and the nations of Europe are strategic partners on virtually every major issue of the day. Indeed, more than partners – allies and friends. Nowhere is this transatlantic synergy more apparent than in our joint struggle against global terrorism.

We share the same values, we share the same interests, and we share the same enemies. In short, we’re in this together. There’s a lot of work ahead of us in the fight against terrorism. Only by facing it together can we win.

U.S. Department of State

The Lessons of 1989: Freedom and Our Future