Privacy concerns plague TSA’s new Secure Traveler program

The Transportation Security Administration (TSA) has mandated that airlines and travel agents collect gender and date of birth for all passengers. However, the government has not dictated security measures necessary to safeguard the collected data. Date of birth (DOB) information is one of the “three pillars of identity theft” together with address and social security numbers.

I just received an email from an associate who is “stumped as to how TSA can outsource this collection without imposing Privacy Act requirements on the airlines and the travel agencies.” We know that there are all sorts of privacy standards in operation at TSA and theoretically within the government. But the same privacy and encryption standards are virtually nonexistent in airline databases and travel agency systems.

There has always been a battle between privacy and freedom of travel advocates about government restrictions on movement and collection of information. With TSA mandating the collection of gender and date of birth, that battle is over for the time being, and now the focus must be on protecting the collected information.

The airline industry has taken a don’t-worry-be-happy approach to the TSA’s new program, which goes into effect today.

We need to look at this as an issue of criminals vs. the people rather than strictly as government vs. the people now that our date of birth information will be collected and held by relatively unsecure systems.

But, while airline systems are generally secure, they are not specifically set up to protect DOB data from determined hackers — some of whom may obtain initial access by masquerading as travel agents.

Well beyond the airlines, the softest targets of opportunity for hackers will likely be the travel agencies, especially smaller agencies with limited resources to implement robust security systems. For example, while there are numerous encryption-based systems available to protect credit card data — and VISA, Mastercard, et al., will exact substantial penalties if merchants fail to use them — these systems are not equipped to hold DOB. So, it may be easiest for travel agencies to store the customers’ DOB information unencrypted in a random extra data field as if it were merely an additional contact phone number.

While a compromised credit card number can be replaced with a new one, obviously the same cannot be said for compromised DOB data.

Making matters worse, according to privacy advocate Edward Hasbrouck:

“airlines and computerized reservations systems can (and probably will, since storage is cheap and they can probably find ways to monetize the information about you) keep your records forever, use them, sell them, or send them to other countries. They don’t have to get your permission, tell you what they have in your permanent file, or tell you what they have done with it.”

The Consumer Travel Alliance has sent an email to TSA asking about requirements for data protection and whether there are any restrictions on the sale of the information collected by airlines and travel agencies.

(Photo: Mishiru/Flickr Creative Commons.)
