Privacy concerns plague TSA’s new Secure Traveler program

by Charlie Leocha on August 15, 2009

SanFranciscoAirport
The Transportation Security Administration (TSA) has mandated that airlines and travel agents collect gender and date of birth for all passengers. However, the government has not dictated security measures necessary to safeguard the collected data. Date of birth (DOB) information is one of the “three pillars of identity theft” together with address and social security numbers.

I just received an email from an associate who is “stumped as to how TSA can outsource this collection without imposing Privacy Act requirements on the airlines and the travel agencies.” We know that there are all sorts of privacy standard in operation at TSA and theoretically within the government. But the same privacy and encryption standards are virtually nonexistent with airline databases and travel agency systems.

There has always been a battle between privacy and freedom of travel advocates about government restrictions on movement and collection of information. With TSA mandating the collection of gender and date of birth that battle is over for the time being and now the focus must be on protecting the collected information.

The airline industry has taken a don’t-worry-be-happy approach to the TSA’s new program, which goes into effect today.

We need to look at this as an issue of criminals vs. the people rather than strictly as government vs. the people now that our date of birth information will be collected and held by relatively unsecure systems.

But, while airline systems are generally secure, they are not specifically set up to protect DOB data from determined hackers — some of whom may obtain initial access by masquerading as travel agents.

Well beyond the airlines, the softest targets of opportunity for hackers will likely be the travel agencies, especially smaller agencies with limited resources to implement robust security systems. For example, while there are numerous encryption-based systems available to protect credit card data — and VISA, Mastercard, et al., will extract substantial penalties if merchants fail to use them — these systems are not equipped to hold DOB. So, it may be easiest for travel agencies to store the customers’ DOB information unencrypted in a random extra data field as if it were merely an additional contact phone number.

While a compromised credit card number can be replaced with a new one, obviously the same cannot be said for compromised DOB data.

Making matters worse, according to privacy advocate, Edward Hasbrouck,

airlines and computerized reservations systems can (and probably will, since storage is cheap and they can probably find ways to monetize the information about you) keep your records forever, use them, sell them, or send them to other countries. They don’t have to get your permission, tell you what they have in your permanent file, or tell you what they have done with it.

The Consumer Travel Alliance has sent an email to TSA asking about requirements for data protection and whether there are any sale of information restrictions on the data collected by airlines and travel agencies.

(Photo: Mishiru/Flickr Creative Commons.)

Print Friendly

Tagged as: airport security, DOT, privacy, secure traveler, Transportation Security Administration

  • Puzzled

    As an agent in a mid-size brick and mortar agency I can state unequivocally that our agency NEVER sells customer data. Ironically, many travelers will happily plunk down their dollars with on-line sites (including travel sites) without a second thought for the huge amounts of data collected on line but are reluctant to provide a real, local business with which they have initiated contact even the most basic information required to mail a brochure or issue a ticket. Go figure.

    As an agent I have concerns about the additional TSA requirements but feel that the booking systems we use are more secure than on-line booking engines. I don’t actually believe that the requirement and its implementation were very carefully thought out, however, and can understand the concerns about security. I believe the issue bears watching and consideration of all the issues involved.

  • http://www.singleparenttravel.net John F

    Charlie, the airlines have been monetizing the data collected for years. Just go to Arccorp.com and see what $300 will buy you. You don’t think Sabre “sold” data to Travelocity, LastMinute.com or Site59?

    Traveler’s data has been sold more often that…well, let’s not go there, but you get the idea!

  • Hapgood

    An while they’re at it, the Alliance should send a letter to the Secretary of Homeland Security asking exactly what “Secure Traveler” is getting us in exchange for the increased risk of identity theft (and the inevitable hassles of TSA screeners mindlessly demanding an exact match between our boarding passes and our papers). How does more complete identification of passengers provide better protect aviation? And how will giving the TSA our full legal name, gender, and birth date improve the accuracy of watch list matching if (as seems almost certain) the agencies that maintain the watch lists have not updated the million-odd names to include full legal names, genders, and birth dates?

    All these questions SHOULD have been asked well before the TSA added “Secure Traveler” to the list of hassles they inflict on travelers. But the one thing at which the TSA seems to be extremely successful is implementing inept and questionable measures without any oversight or scrutiny.

    These questions, along with the obvious privacy concern mentioned in the article, can only suggest that “Secure Traveler” is just the latest half-baked, ill-conceived Homeland Security/TSA “initiative” that will provide uncertain (and most likely illusory) “security” benefits at the cost of needless difficulty for millions of passengers.

Previous post:

Next post: