You have to show your passport to TSA and customs officials when you travel internationally, and you have to declare any goods you have with you. But did you know that the government stores a lot more information about your trip, most of which is collected by your travel provider?
That was the discovery of Cyrus Farivar, an editor with Ars Technica, when he filed a request under the Freedom of Information Act in May of 2014. Farivar found out that airlines and travel booking sites routinely provide detailed information to the United States Customs and Border Protection (CBP) agency on travelers' itineraries, but that information often includes more than just where you traveled. Farivar's records included the credit card number he had used to book the flight, the IP address of the computer he used, the language he spoke, and notes made by customer service staff when he phoned to request a seat change.
All this was part of the Passenger Name Record (PNR), which is generated every time you book an airline flight, or for that matter, a hotel room or cruise. Airlines and travel web sites need to collect this information in order to coordinate your arrangements. For instance, your itinerary may includes more than one flight or destination, so each provider needs to add its portion to the PNR to make sure everything matches up. And when you travel internationally, this information must also be provided to US Customs.
But Farivar discovered there's a lot more to it than that. For one thing, CBP is supposed to retain the information for a maximum of 5 years, but there were items in his record over 9 years old. And for another, there is a lot more information being entered into the PNR than is necessary for that purpose, and it's being sent to CBP whether they need it or not.
Part of this stems from the fact that there is no universally accepted format for a PNR, so the information recorded there varies widely. Another difficulty is that booking agents, especially outsourced ones in other countries, may put information into the PNR without realizing it will be retained for years by the US government.
Flaviar says he was informed by travel writer Edward Hasbrouck that “There’s no sense on the airline call center staff that they may or may not be aware that anything they put in may be in your permanent file with the Department of Homeland Security,” Hasbrouck said. “There’s no training in data minimization. They are empowered to put things in people’s files with the government. I think that’s pretty disturbing.”
The result of all this is that the US government has a lot more information about your travels than you might think, and it is kept on file for years. The PNR often contains information on special requests, such as meals, that could be used to determine your religion, disability accommodations, which reveal medical history, and much more. And the thing that disturbed him most was that his credit card information was transmitted in the clear. (Fortunately, it had expired.) With all the security breaches we've seen recently, in the corporate world and in government circles, that is really disturbing.
Flaviar spoke with Fred Cate, a law professor at Indiana University, who said that his story raises a lot of questions about what the government is doing.
“Why isn’t the government complying with even the most basic cybersecurity standards?” Cate said. “Storing and transmitting credit card numbers without encryption has been found by the Federal Trade Commission to be so obviously dangerous as to be ‘unfair’ to the public. Why do transportation security officials not comply with even these most basic standards?”
Flaviar says he doesn't like this state of affairs, but there's not much that can be done about it. It took him two FOIA requests and several months just to see his file, which ran 76 pages and covered his travels back to 2005. Some people use tactics such as only buying last-minute tickets at an airport and in person. But that’s a lot harder when traveling with others, and it's almost always significantly more expensive. Traveling is difficult enough already without adding more stress to the equation.
So be aware that airlines and travel providers are collecting lots of information about you, and transmitting it to the government, who may be keeping it for years.