Airlines, Travel Sites Hand Over Your Full Booking Credit Card, IP Info To Feds, Who Keep It Stored With No Encryption

from the incredible dept

Ars Technica's Cyrus Farivar filed a FOIA request for the Passenger Name Records (PNRs) that had been stored by the federal government concerning his own travel history. PNRs are created by travel companies (airlines, hotels, cruise lines) whenever you book a reservation, and are then handed over to the government. After an appeal, Customs and Border Patrol turned over the records, showing that airlines (1) record a ton of information about you every time you book a flight and (2) hand over all that information to the government. Bizarrely, this includes the credit card number and IP address you used to book your travel, and it appears that the airlines and the US government are ignoring the most basic of cybersecurity protections in that they store the credit card info in the clear.
The fourth line in the record above is Farivar's (long-expired and changed) full credit card. While it may not seem like a huge surprise that the government is basically snooping on everything you tell the airlines (including seat changes, food preferences, any special assistance you might need, etc.), it's stunning that they're passing around and storing credit card info in the clear.
Fred Cate, a law professor at Indiana University, said that my story raises a lot of questions about what the government is doing.

“Why isn’t the government complying with even the most basic cybersecurity standards?” Cate said. “Storing and transmitting credit card numbers without encryption has been found by the Federal Trade Commission to be so obviously dangerous as to be ‘unfair’ to the public. Why do transportation security officials not comply with even these most basic standards?”
Farivar also notes that the CBP publicly states that the info is kept for five years, but his own records go back to March of 2005 -- suggesting that the CBP is hanging onto all this info for a lot longer. Of course, as we've seen in the past, if there's one government agency that appears to be able to get away with anything with absolutely no oversight at all, it's Customs and Border Patrol. However, this seems like a fairly serious problem. Beyond the 4th Amendment questions it raises about why they're getting all this information on Americans, it seems like they're creating a much bigger security risk in storing (and passing around) all such info in the clear.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: credit cards, customs and border patrol, cyrus farivar, dhs, foia, homeland security, passenger name records, pnr, travel, unencrypted


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Richard (profile), 21 Jul 2014 @ 7:59am

    Good Guys

    Why do transportation security officials not comply with even these most basic standards?”

    Because "we're the good guys, so it's all fine"

    link to this | view in chronology ]

    • identicon
      David, 21 Jul 2014 @ 8:17am

      Re: Good Guys

      If you outlaw privacy violations, only criminals get to violate your privacy.
      -- National Snooping Association

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 21 Jul 2014 @ 9:40am

        Re: Re: Good Guys

        How could you possibly mess that up!

        "If you outlaw privacy violations, then only criminals violate your privacy." is how this should have went! Like the "If you outlaw guns, then only criminals will have them!" saying.

        They don't "get to" anything. Outlawing something gives the police tools to bring people to justice with. Well supposed to be used for justice anyways...

        But it is clear that the government has become a criminal organization right in front of our faces.

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jul 2014 @ 8:21am

      Re: Good Guys

      I think it is something international where the old politicians have lacked understanding for security matters since "the good dollars" told them it was all fine. Security is hard to convince someone about the importance of untill they see a reason for it (after the accident etc.). Also: So far the reasons against prioritizing security (NSA!) has weighed heavier than the reasons for.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2014 @ 8:16am

    Why do transportation security officials not comply with even these most basic standards?”

    Because fuck the public, that's why.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2014 @ 8:16am

    i decided a long time ago that buying anything over the 'net is a bad idea.  that impression continues to get stronger and stronger.

    link to this | view in chronology ]

    • icon
      Geno0wl (profile), 21 Jul 2014 @ 8:36am

      Re:

      They would keep this exact same information about you if you bought this over the phone.
      So unless you want to go in person and only buy in cash for everything...good luck.
      Hell the act of doing that itself in 20 years will likely raise flags itself.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 21 Jul 2014 @ 9:45am

        Re: Re:

        Buying plane tickets today in cash will raise flags, and that's been true for probably a decade.

        link to this | view in chronology ]

      • identicon
        Rekrul, 21 Jul 2014 @ 8:06pm

        Re: Re:

        So unless you want to go in person and only buy in cash for everything...good luck.
        Hell the act of doing that itself in 20 years will likely raise flags itself.


        It already does...

        link to this | view in chronology ]

        • identicon
          derp, 21 Jul 2014 @ 11:27pm

          Re: Re: Re:

          paying cash and travelling one way is pretty much all that they need to set off flags.

          link to this | view in chronology ]

  • icon
    Whatever (profile), 21 Jul 2014 @ 8:43am

    Two quick questions: Is the information actually stored on computer as digital data or as a scanned page?

    More importantly, outside of the FOI request, is this data actually available via an online system, or is it in a private, non-connected system?

    Just wondering.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jul 2014 @ 9:05am

      Re:

      Answer to both questions:-
      It does not matter, as either a computer hack, a lost DVD, or malicious copy to a thumb drive can put the data into a criminals hands.

      link to this | view in chronology ]

    • icon
      Rikuo (profile), 21 Jul 2014 @ 9:08am

      Re:

      If stored as a page, then it doesn't matter whether or not it's available via some online-system or in a non-connected system. It means that anyone could have looked up this dude's credit card details with no problem whatsoever.
      Besides, since he booked online, it would have had to be stored digitally to begin with.

      Even though it is his credit card, it should have at the very least, been redacted to some degree. For example, just this minute, I've checked my credit card details on Amazon. Despite the fact that I just authenticated who I am with them by entering my user name and password, the image that is given to me only shows the last four digits of my credit cards.

      link to this | view in chronology ]

      • icon
        Whatever (profile), 21 Jul 2014 @ 5:11pm

        Re: Re:

        the image that is given to me only shows the last four digits of my credit cards.

        I would expect so, because anyone could have hacked your account. I don't think that anyone could have hacked a FOI request, could they?

        It means that anyone could have looked up this dude's credit card details with no problem whatsoever.

        How, exactly? What I am trying to figure out is if this is in a non-connected system, and the information is stored as scanned pages rather than straight digital information, then where exactly are the big risk factors? Hackers would hate stuff like this, it's way too much work.

        I understand the security risks, but I am trying to figure out if this is non-connected system (no outside access) which would pretty much mitigate most of those risks.

        Remember, that information does have to be provided because customs is looking to see who pays for air travel as well as who travels.

        link to this | view in chronology ]

        • icon
          John Fenderson (profile), 22 Jul 2014 @ 9:36am

          Re: Re: Re:

          "Hackers would hate stuff like this, it's way too much work."

          Script kiddies hate this stuff. Professional hackers love this stuff: it's why they get paid the big bucks.

          "I understand the security risks, but I am trying to figure out if this is non-connected system (no outside access) which would pretty much mitigate most of those risks"

          But a nonconnected system doesn't mitigate the greatest security risks. Most serious security breaches do not come from the outside, they come from employees of the company holding the data (disgruntled, bribed, whatever employees). Keeping a system disconnected from the internet doesn't affect those attack vectors at all.

          link to this | view in chronology ]

    • icon
      PaulT (profile), 22 Jul 2014 @ 12:47am

      Re:

      "Is the information actually stored on computer as digital data or as a scanned page?"

      ...and that matters when someone accesses the datastore anyway... how? You do realise that a "scanned page" is still stored digitally and therefore a security risk, right, even if you don't consider the fact that decent OCR would make the difference between actual plain text and, say, a PDF rather trivial once access is gained? Even manually reading the scanned pages would be a massive breach if someone manages to gain access.

      "is this data actually available via an online system, or is it in a private, non-connected system?"

      Or, is the system designed poorly enough so that a direct connection to the internet doesn't matter?

      For example: Target's security breach last year affected systems that were not online, but an attack on a 3rd party HVAC supplier enabled a potential 110 million credit cards to be compromised. (example article http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/ - there's a lot more online if you actually wish to educate yourself).

      Perhaps instead of rejecting every possible criticism again, and "wondering" about ways to not admit that articles and comments may have a point you might wish to think this through for 2 minutes? Some criticism is valid, but you're yet to provide it.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2014 @ 8:48am

    We're from the government, and we're here to help you.

    link to this | view in chronology ]

  • identicon
    Rich Kulawiec, 21 Jul 2014 @ 9:11am

    A few observations

    1. For those who engage in periodic travel, this is a security problem: anyone examining the records will quickly be able to deduce that, for example, they spend every fourth week out of the country.

    2. Since credit cards numbers are stored in the clear in this database, what reason do we have to believe that they were transmitted to this database in encrypted form?

    3. What access controls and what auditing exists to control and log user access to this data? Are they any better than the NSA's? If not, then what stops a rogue employee from downloading 40,000 records and selling the data to carders?

    4. Is this data being shared with any foreign government? If so, which? Why?

    5. If this data isn't being shared with any foreign government (deliberately) then how do we know it's not being "shared" because they've helped themselves to it?

    6. Did it occur to anyone involved in the design and construction of this database that they were building the motherlode for kidnappers, extortionists, terrorists and others? (After all: knowing that someone flies to a certain country regularly, books a first-class ticket, pays for it with an AmEx card, orders a gourmet meal, etc., will be of great help in identifying a wealthy person whose company/family will be willing to pay a sizable ransom.)

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jul 2014 @ 9:49am

      Re: A few observations

      Strange but true:

      For a brief period in the late 60s/early 70s, newspaper society pages in Los Angeles would publish passenger lists of cruises and whatnot.

      And while the elite were away having a romp, legitimate-looking crews would show up at their houses and remove their lawns.

      Sod was at a premium in those days.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2014 @ 9:16am

    I don't like that they store such detailed records, but I'm glad that they're ignoring even basic cybersecurity practises in its storage. Storing it insecurely makes it easier to characterize them as having a blatant disregard for the negative consequences they inflict on other people.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2014 @ 9:35am

    This illustrates an aspect of the NSA data collection I find the deeply troubling. I'm not particularly worried about the NSA coming after me, but I don't trust them to keep their data about me secure. Heck, these guys have an incentive to make systems less secure in general. What incentive do they have to keep my data safe? Congressional "ovesight?". This CBP data only confirms my fears.

    link to this | view in chronology ]

  • icon
    Mason Wheeler (profile), 21 Jul 2014 @ 10:58am

    A couple years back, LinkedIn got hacked, and due to lax data security, personal details of 6.5 million users got stolen. This resulted in a $5M class-action lawsuit for negligence.

    How many US citizens have traveled by plane since March of 2005? I bet it's a lot more than 6.5 million!

    link to this | view in chronology ]

  • At this rate, all members of the Free Software Foundation will start traveling abroad on foot.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2014 @ 1:12pm

    Just to be picky: CBP = Customs and Border Protection, not Patrol...

    link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 21 Jul 2014 @ 4:45pm

    All your data are belong to...everybody.

    Isn't the CBP just a bunch of mooks for the RIAA and MPAA?

    This is one of the big issues that surfaced with the NSA which Snowden keeps validating, is that the people who run these intelligence agencies seem to still believe we're in the 1960s.

    If the NSA has collected all your data, you are not just endangered by the feds taking issue with you, but also the attention of every other corporate or national interest who has a low-level mole in the NSA.

    The problem is going to be ten times worse in an organization like the CBP who has no awareness of the need for data security, given its just a bunch of mooks for the RIAA and MPAA.

    link to this | view in chronology ]

  • icon
    Coyne Tibbets (profile), 21 Jul 2014 @ 10:47pm

    Omission

    You forgot to include: After your strip search, they also hand over your underwear.

    link to this | view in chronology ]

  • icon
    Sheogorath (profile), 22 Jul 2014 @ 7:44am

    Wow!

    Now I'mma go on an online spending spree, then report my debit card as stolen. When I'm asked how the thieves possibly got hold of my details in order to spend so much, I'll just link them to this article. Thanks!

    link to this | view in chronology ]

  • identicon
    robert spano, 22 Jul 2014 @ 9:46am

    gov't storing credit card #'s

    They are using the credit cards to fund their covert operations and to buy cocaine which they use in incredible amounts. Why else would they be so paranoid?

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.