Airlines, Travel Sites Hand Over Your Full Booking Credit Card, IP Info To Feds, Who Keep It Stored With No Encryption
from the incredible dept
Ars Technica's Cyrus Farivar filed a FOIA request for the Passenger Name Records (PNRs) that had been stored by the federal government concerning his own travel history. PNRs are created by travel companies (airlines, hotels, cruise lines) whenever you book a reservation, and are then handed over to the government. After an appeal, Customs and Border Patrol turned over the records, showing that airlines (1) record a ton of information about you every time you book a flight and (2) hand over all that information to the government. Bizarrely, this includes the credit card number and IP address you used to book your travel, and it appears that the airlines and the US government are ignoring the most basic of cybersecurity protections in that they store the credit card info in the clear.

Fred Cate, a law professor at Indiana University, said that my story raises a lot of questions about what the government is doing.

“Why isn’t the government complying with even the most basic cybersecurity standards?” Cate said. “Storing and transmitting credit card numbers without encryption has been found by the Federal Trade Commission to be so obviously dangerous as to be ‘unfair’ to the public. Why do transportation security officials not comply with even these most basic standards?”

Farivar also notes that the CBP publicly states that the info is kept for five years, but his own records go back to March of 2005 -- suggesting that the CBP is hanging onto all this info for a lot longer. Of course, as we've seen in the past, if there's one government agency that appears to be able to get away with anything with absolutely no oversight at all, it's Customs and Border Patrol. However, this seems like a fairly serious problem. Beyond the 4th Amendment questions it raises about why they're getting all this information on Americans, it seems like they're creating a much bigger security risk in storing (and passing around) all such info in the clear.
Filed Under: credit cards, customs and border patrol, cyrus farivar, dhs, foia, homeland security, passenger name records, pnr, travel, unencrypted
Reader Comments
Good Guys
Because "we're the good guys, so it's all fine"
Because fuck the public, that's why.
Re: Good Guys
-- National Snooping Association
Re: Good Guys
Re:
So unless you want to go in person and only buy in cash for everything...good luck.
Hell the act of doing that itself in 20 years will likely raise flags itself.
More importantly, outside of the FOI request, is this data actually available via an online system, or is it in a private, non-connected system?
Just wondering.
Re:
It does not matter, as either a computer hack, a lost DVD, or malicious copy to a thumb drive can put the data into a criminal's hands.
Re:
Besides, since he booked online, it would have had to be stored digitally to begin with.
Even though it is his credit card, it should have at the very least, been redacted to some degree. For example, just this minute, I've checked my credit card details on Amazon. Despite the fact that I just authenticated who I am with them by entering my user name and password, the image that is given to me only shows the last four digits of my credit cards.
A few observations
2. Since credit card numbers are stored in the clear in this database, what reason do we have to believe that they were transmitted to this database in encrypted form?
3. What access controls and what auditing exists to control and log user access to this data? Are they any better than the NSA's? If not, then what stops a rogue employee from downloading 40,000 records and selling the data to carders?
4. Is this data being shared with any foreign government? If so, which? Why?
5. If this data isn't being shared with any foreign government (deliberately) then how do we know it's not being "shared" because they've helped themselves to it?
6. Did it occur to anyone involved in the design and construction of this database that they were building the motherlode for kidnappers, extortionists, terrorists and others? (After all: knowing that someone flies to a certain country regularly, books a first-class ticket, pays for it with an AmEx card, orders a gourmet meal, etc., will be of great help in identifying a wealthy person whose company/family will be willing to pay a sizable ransom.)
Re: Re: Good Guys
"If you outlaw privacy violations, then only criminals violate your privacy." is how this should have gone! Like the "If you outlaw guns, then only criminals will have them!" saying.
They don't "get to" anything. Outlawing something gives the police tools to bring people to justice with. Well supposed to be used for justice anyways...
But it is clear that the government has become a criminal organization right in front of our faces.
Re: Re:
Re: A few observations
For a brief period in the late 60s/early 70s, newspaper society pages in Los Angeles would publish passenger lists of cruises and whatnot.
And while the elite were away having a romp, legitimate-looking crews would show up at their houses and remove their lawns.
Sod was at a premium in those days.
How many US citizens have traveled by plane since March of 2005? I bet it's a lot more than 6.5 million!
All your data are belong to...everybody.
This is one of the big issues that surfaced with the NSA which Snowden keeps validating, is that the people who run these intelligence agencies seem to still believe we're in the 1960s.
If the NSA has collected all your data, you are not just endangered by the feds taking issue with you, but also the attention of every other corporate or national interest who has a low-level mole in the NSA.
The problem is going to be ten times worse in an organization like the CBP who has no awareness of the need for data security, given it's just a bunch of mooks for the RIAA and MPAA.
Re: Re:
I would expect so, because anyone could have hacked your account. I don't think that anyone could have hacked a FOI request, could they?
It means that anyone could have looked up this dude's credit card details with no problem whatsoever.
How, exactly? What I am trying to figure out is if this is in a non-connected system, and the information is stored as scanned pages rather than straight digital information, then where exactly are the big risk factors? Hackers would hate stuff like this, it's way too much work.
I understand the security risks, but I am trying to figure out if this is non-connected system (no outside access) which would pretty much mitigate most of those risks.
Remember, that information does have to be provided because customs is looking to see who pays for air travel as well as who travels.
Re: Re:
Hell the act of doing that itself in 20 years will likely raise flags itself.
It already does...
Omission
Re: Re: Re:
Re:
...and that matters when someone accesses the datastore anyway... how? You do realise that a "scanned page" is still stored digitally and therefore a security risk, right, even if you don't consider the fact that decent OCR would make the difference between actual plain text and, say, a PDF rather trivial once access is gained? Even manually reading the scanned pages would be a massive breach if someone manages to gain access.
"is this data actually available via an online system, or is it in a private, non-connected system?"
Or, is the system designed poorly enough so that a direct connection to the internet doesn't matter?
For example: Target's security breach last year affected systems that were not online, but an attack on a 3rd party HVAC supplier enabled a potential 110 million credit cards to be compromised. (example article http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/ - there's a lot more online if you actually wish to educate yourself).
Perhaps instead of rejecting every possible criticism again, and "wondering" about ways to not admit that articles and comments may have a point you might wish to think this through for 2 minutes? Some criticism is valid, but you're yet to provide it.
Wow!
Re: Re: Re:
Script kiddies hate this stuff. Professional hackers love this stuff: it's why they get paid the big bucks.
"I understand the security risks, but I am trying to figure out if this is non-connected system (no outside access) which would pretty much mitigate most of those risks"
But a nonconnected system doesn't mitigate the greatest security risks. Most serious security breaches do not come from the outside, they come from employees of the company holding the data (disgruntled, bribed, whatever employees). Keeping a system disconnected from the internet doesn't affect those attack vectors at all.
gov't storing credit card #'s