An editor at Ars Technica, Cyrus Farivar, finally shook loose from the government their dossier on him. As far as we know none of this information was retrieved by hacking a computer system or wiretapping (or the digital equivalent of wiretapping) a phone call. Nor was this editor, as far as we know, a suspect in any crime. This information was collected simply because he traveled out of the country. He writes, “I wanted my Passenger Name Records (PNR), data created by airlines, hotels, and cruise ships whenever travel is booked.”
It was a great deal of data!
The 76 new pages of data, covering 2005 through 2013, show that CBP [Customs and Border Protection] retains massive amounts of data on us when we travel internationally. My own PNRs include not just every mailing address, e-mail, and phone number I’ve ever used; some of them also contain:
- The IP address that I used to buy the ticket
- My credit card number (in full)
- The language I used
- Notes on my phone calls to airlines, even for something as minor as a seat change
The breadth of long-term data retention illustrates yet another way that the federal government enforces its post-September 11 “collect it all” mentality.
Farivar was quite shocked to see his complete credit card numbers printed in plaintext and was happy that the card was now expired. He was also surprised that even a seat change was part of his permanent record.
As I looked through the logs, I also saw notes, presumably made by call center staff, recording each time I had tried to make a change by phone. Hasbrouck said that this is typical and that it’s one of the downsides of global outsourcing—the people I’m talking to probably have no idea that everything they write down will be kept in American government records for years.
“There’s no sense on the airline call center staff that they may or may not be aware that anything they put in may be in your permanent file with the Department of Homeland Security,” Hasbrouck said. “There’s no training in data minimization. They are empowered to put things in people’s files with the government. I think that’s pretty disturbing.”
Travel sites (such as Travelocity) and airlines (such as American) all recorded the basic information one might expect, like payment and contact details, but only some of them kept detailed records of calls. It turns out that whatever the site chooses to put into its PNR will almost certainly be handed over to CBP and will remain in your file for years.
What is most disturbing is that no one seems to be honest about what is going on. Travelocity explained that they only share certain details but couldn’t explain why Farivar’s credit card number had been recorded. CBP claims they only retain information for five years, but the information Farivar received went farther back than that.
And in the meantime, none of this prevented the Tsarnaev bothers from setting off a bomb despite Tamerlan Tsarnaev’s trip to Russia.