What does the government know about your travel records via Passenger Name Records?
Have you ever been curious as to what information the government has stored about you and your travel records? A Passenger Name Record (PNR) is a computerized travel record created by airlines or travel agencies for both domestic and international flights, as well as hotel bookings, car rentals, cruises, and train trips. Your PNR, which is given to U.S. Customs and Border Protection (CBP) if you travel internationally, can include details like your unredacted credit card number or IP addresses. As Ars Technica’s Cyrus Farivar found out, your PNR is just another example of the government’s “collect it all” mentality.
Farivar submitted a Freedom of Information Act request to CBP for his PNR; he was eventually given 76 pages of data covering his travel from 2005 to 2013. He said his PNRs included “every mailing address, email, and phone number” he ever used, as well as some PNRs listing the IP address he used when buying the ticket, his full credit card number stored in the clear, and notes jotted down by airline call center employees “even for something as minor as a seat change.”
After consulting travel writer Edward Hasbrouck, Farivar was told that “PNRs like mine are created for domestic flights, too, but that it’s only for international travel that data is routinely given to CBP.” He also learned that every notation made by an airline call center employee, for things such as seat changes or even special needs requests, can stay in your permanent file kept by DHS.
Hasbrouck has written extensively about what’s in a PNR and about Computerized Reservation System databases.
If you make your hotel, car rental, cruise, tour, sightseeing, event, theme park, or theater ticket bookings through the same travel agency, Web site, or airline, they are added to the same PNR. So a PNR isn’t necessarily, or usually, created all at once: information from many different sources is gradually added to it through different channels over time.
When a ticket is issued, that is recorded in the PNR; if it’s an e-ticket, the actual “ticket”, as defined by the airline, is the electronic ticket record in the PNR. When you check in, the claim check numbers and the weights of your bags are added to the PNR. If you don’t show up for a flight on which you are booked, that fact is logged in the PNR.
Any additions, changes, cancellations, seat assignment or special needs requests can also be added to the PNR. Hasbrouck explained, “The bottom line is that PNRs contain a great deal of confidential and sensitive information deserving of strong privacy protection, but not necessarily even the most basic information needed for positive identification or ‘profiling’ of travelers.”
The amount of personal and sensitive data collected in PNRs has been an area of concern for some privacy watchdogs, like EPIC. The PNR could include “the passenger’s full name, date of birth, home and work address, telephone number, email address, credit card details, IP address if booked online, as well as the names and personal information of emergency contacts.” A PNR could also contain “detailed information on patterns of association between travelers,” as well as sensitive information like “religious meal preferences and special service requests that describe details of physical and medical conditions (e.g., ‘Uses wheelchair, can control bowels and bladder’).”
Farivar found out that after booking a flight with Travelocity, the PNR included “a huge amount of information,” like his full credit card number. Storing credit card numbers in the clear is a breach of PCI data security standards.
“Why isn’t the government complying with even the most basic cybersecurity standards?” asked Fred Cate, a law professor at Indiana University. “Storing and transmitting credit card numbers without encryption has been found by the Federal Trade Commission to be so obviously dangerous as to be ‘unfair’ to the public. Why do transportation security officials not comply with even these most basic standards?”
Cate also told Farivar:
“No wonder the government can’t find needles in the haystack—it keeps storing irrelevant hay. Even if the data were fresh and properly secured, how is collecting all of this aiding in the fight against terrorism? This is a really important issue because it exposes a basic and common fallacy in the government’s thinking: that more data equates with better security. But that wasn’t true on 9/11, and it still isn’t true today. This suggests that US transportation security officials are inefficient, incompetent, or using the data for other, undisclosed purposes. None of those are very encouraging options.”
The government may not have wanted Farivar to see what his PNRs contained, as he had to appeal his FOIA request. But it’s not just PNRs with sensitive information that DHS/CBP can access. An investigation by the Toronto Star found that thousands of Canadians who were never convicted of a crime are listed in massive police databases that are accessible to U.S. border authorities. Toronto police had also been accused of “disclosing the mental health records it logs into Canada’s national police database,” and then sharing the sensitive medical records with U.S. border authorities, ultimately resulting in Canadians being blocked from entering the U.S.
CBP claims PNR data is kept for five years, but as Farivar found out after seeing nine years of his travel records, “We now live in a world where it’s increasingly difficult to prevent the authorities from capturing information on one’s movements or communications.” Indeed, it’s part of the “collect it all” mentality…just in case you – or someone you know or sat by during travel – might turn out to be a crook or terrorist.