All Mine
Passengers’ Personal Data At Risk

January 20, 2015

Remember a few years after 9/11 when the airlines started requiring you to use your full name as it appears on a government-issued ID, date of birth and gender when you buy a plane ticket?
That’s so the TSA can check you against the Federal No-Fly List. 
But there is more than meets the eye.
In 2012, TSA rolled out “PreCheck” (or “Pre✓®”). 
Exempt from Federal privacy laws, the PreCheck database contains detailed personal information, including name, birthdate, biometric information, physical characteristics, Social Security Number and financial information.
TSA now plans to release applicants’ data to federal, state, tribal, local and foreign governments and to debt collectors.

Mission Creep

Last year, while Congress was gone for the holidays, TSA quietly published its intent to hire private-sector data companies not only to solicit applicants for PreCheck enrollment but also to mine your grocery receipts, your credit card purchases, and your Facebook and Twitter posts to “determine if you are a terrorist risk” – not just once but on an ongoing basis.

[Photo: A traveler is fingerprinted while enrolling at a TSA PreCheck application center at New York’s LaGuardia Airport. Getty Images]

We fail to see how compiling big data on the shopping habits of American citizens can be used for national security.

The push for TSA funds was urgent after Congress cut funding for the Department of Homeland Security this year by $336 million, with most of the reductions coming from TSA.

Its private partner, CLEAR, roundly applauded the move to outsource government citizen data.
CLEAR was the company that, back in 2008, had a widely publicized incident in which an employee misplaced, at San Francisco International Airport, a laptop computer containing personal information from over 30,000 CLEAR members.
Despite this, TSA believes private sector companies are better at using commercial data and computerized algorithms to examine a passenger’s background and predict who is a terrorist risk. 
In September 2007, the Inspector General of the Justice Department reported that the Terrorist Screening Center (the FBI-administered organization that consolidates terrorist watch list information in the US) had over 700,000 names in its database as of April 2007 – and that the list was growing by an average of over 20,000 records per month.
(See also the March 2008 report.)
By those numbers, the list now has over one million names on it. 

TSA also maintains a PreCheck disqualification list – tracking people accused of violating security regulations, including disputes with checkpoint or airline staff members.

Changes In The Air

Airlines are also starting to learn to use their wealth of customer data. 

In-flight Wi-Fi: Keep in mind that browsing the web on a plane is far more public than it is in most other settings.
Gogo, which has cornered the market in supplying in-flight Internet and digital entertainment to a number of national and international airlines, has deals with U.S. law enforcement and the NSA to assist in tracking users when so ordered.
However, earlier this year, it was revealed that Gogo partnered with government officials in ways that went beyond those outlined under federal law, and added spyware to its service.
Earlier this month reports confirmed that Gogo Inflight Internet had intentionally issued fake SSL certificates, effectively performing man-in-the-middle attacks on its own users.

In-air surveillance is not new. Back in the early 1990s NBC News reported that French intelligence agencies were using Air France as a base for in-flight surveillance of U.S. businesspeople and government officials.

More recently, the UK Telegraph reported that the EU has been funding and testing surveillance systems on planes involving “a combination of cameras, microphones, explosive sniffers and a sophisticated computer system” to monitor passengers.

Meanwhile, Gogo’s major competitor for in-flight Wi-Fi service is ViaSat, a defense contractor that specializes, in part, in surveillance.

Airport Beacon Misuse

Unregulated and coming to an airport near you are tracking beacons – little wireless sensors that ping your mobile phone via its embedded Wi-Fi and Bluetooth signals.

Beacons are touted as a benefit to passengers, offering personalized up-to-the-minute information about airport parking availability, wait times at security and passport control, baggage tracking, gate changes, flight status and retail offers, but the technology is moving faster than the agencies that regulate it.
Airport passenger-tracking technology exists in a legal grey area, with no standards on how location data can be used, collected and stored, or on whether consumers should be notified that data collection is taking place.

Beacons collect the phone’s unique identifier, a 12-digit code that reveals where the passenger moves around in the airport, what stores they visit and more.

Some European airports notify travelers that the technology is in use, while most US airport officials don’t, saying the system poses no privacy issues.

If you have information about a possible privacy violation by airlines or their associates using passenger data, we invite you to report it to the Federal Communications Commission (FCC) or the Federal Aviation Administration (FAA).
And please send us a copy at
Mining For Dollars

To shed more light on this subject, FlyersRights spoke with Frank Pasquale, author of The Black Box Society: The Secret Algorithms That Control Money and Information.

What’s the 10,000 foot overview regarding the data mining of passengers?

People need a big picture view on all this data. What I’m finding in my research is that in any particular [data collection] program 99.9% of people say ‘Oh, why does it matter, it doesn’t matter to me.’

But the problem is that when you have literally thousands of programs like this, the .1% adds up to the point where gradually the majority of people, I predict, will have situations where they’re adversely affected by algorithms or privacy violations that they know nothing about and can’t challenge.

You often speak of these small bits of data ending up somehow in your credit report. Can passengers’ credit be affected?

We shouldn’t be a world where merely flying leads to an inquiry on your credit report, but maybe we’re there, maybe this is happening. Because credit scoring is so secretive, it is very hard to know. 

Last year it was exposed that Delta Air Lines mined detailed, personal data about its SkyMiles members to profile them, including their home values and annual income.

That brings up the company Target, which I write about in my book, [where they say, for example] we just want all this data to send coupons to our pregnant customers. Then they had this huge data breach. 

The big question is: what security measures are put in place by the airlines? Without proper security, mass data collection is very dangerous.

What do you think of inflight Wi-Fi? Airport beacons?

I think people deserve to know what kind of data is being collected by the airlines as they use such technology. They deserve to know in very clear terms the terms of service of the Wi-Fi – who gets that data, how long they keep it and for what purposes do they keep it.

Re. airport beacons: I think people don’t realize the degree to which the phone data could be used to create derogatory profiles.

Imagine if the person is tracked going into McDonald’s as opposed to a nicer restaurant, suppose they walk with a limp or more slowly as opposed to a business traveler… They could be classified as a lower value customer. A banking startup recently noted that they consider a person less creditworthy if they don’t use capital letters correctly. Imagine what airlines might do with such data!

That’s where people ought to understand there’s always a risk that the data collected is about figuring out if you’re worth investing in as a customer. And even if you look flush, that could be used in unexpected ways… as in, should we charge this person a lot more because they went to the fancy store?

Every time they say the data is merely going to be used to serve you, there’s always a flip side of the data potentially being used against you – charging you more, classifying you as a low value customer, etc.

What is your opinion of the airlines’ new “Resolution 787” selling strategy – of using customers’ personal data to price airfares?

Making it more difficult to comparison shop is very interesting. They don’t want a middleman taking a cut. But all the airlines coming together raises some red flags, as well as setting fares based on your personal data: how much a person makes, where they live, etc. I would like more information on it, and conditions in place: for example, a review and possible suspension of it if prices go up too much or there are other problems.

Kate Hanni, founder
with Paul Hudson, President

Send comments and tips to KendallCreighton or on Twitter @KendallFlyers.
