Airline Passenger Profiling for Profit

I have previously written and spoken about the privacy threats that come from the confluence of government and corporate interests. It’s not the deliberate police-state privacy invasions from governments that worry me, but the normal-business privacy invasions by corporations—and how corporate privacy invasions pave the way for government privacy invasions and vice versa.

The U.S. government’s airline passenger profiling system was called Secure Flight, and I’ve written about it extensively. At one point, the system was going to perform automatic background checks on all passengers based on both government and commercial databases—credit card databases, phone records, whatever—and assign everyone a “risk score” based on the data. Those with a higher risk score would be searched more thoroughly than those with a lower risk score. It’s a complete waste of time, and a huge invasion of privacy, and the last time I paid attention it had been scrapped.

But the very same system that is useless at picking terrorists out of passenger lists is probably very good at identifying consumers. So what the government rightly decided not to do, the start-up corporation Jetera is doing instead:

Jetera would start with an airline’s information on individual passengers on board a given flight, drawing the name, address, credit card number and loyalty club status from reservations data. Through a process, for which it seeks a patent, the company would match the passenger’s identification data with the mountains of information about him or her available at one of the mammoth credit bureaus, which maintain separately managed marketing as well as credit information. Jetera would tap into the marketing side, showing consumer demographics, purchases, interests, attitudes and the like.

Jetera’s data manipulation would shape the entertainment made available to each passenger during a flight. The passenger who subscribes to a do-it-yourself magazine might be offered a video on woodworking. Catalog purchase records would boost some offerings and downplay others. Sports fans, known through their subscriptions, credit card ticket-buying or booster club memberships, would get “The Natural” instead of “Pretty Woman.”

The article is dated August 21, 2006 and is subscriber-only. Most of it talks about the revenue potential of the model, the funding the company received, and the talks it has had with anonymous airlines. No airline has signed up for the service yet, which would not only include in-flight personalization but pre- and post-flight mailings and other personalized services. Privacy is dealt with at the end of the article:

Jetera sees two legal issues regarding privacy and resolves both in its favor. Nothing Jetera intends to do would violate federal law or airline privacy policies as expressed on their websites. In terms of customer perceptions, Jetera doesn’t intend to abuse anyone’s privacy and will have an “opt-out” opportunity at the point where passengers make inflight entertainment choices.

If an airline wants an opt-out feature at some other point in the process, Jetera will work to provide one, McChesney says. Privacy and customer service will be an issue for each airline, and Jetera will adapt specifically to each.

The U.S. government already collects data from the phone company, from hotels and rental-car companies, and from airlines. How long before it piggy backs onto this system?

The other side to this is in the news, too: commercial databases using government data:

Records once held only in paper form by law enforcement agencies, courts and corrections departments are now routinely digitized and sold in bulk to the private sector. Some commercial databases now contain more than 100 million criminal records. They are updated only fitfully, and expunged records now often turn up in criminal background checks ordered by employers and landlords.

Tags: air travel, background checks, economics of security, privacy, profiling

Posted on October 24, 2006 at 11:00 AM • 33 Comments

Comments

Saxon • October 24, 2006 11:36 AM

Ah, for the days when you could opt out of the non-meatspace world simply by changing a few pieces of paper. Nowadays, there is no way to avoid accumulating a far more complete identity in cyberspace than you could ever hope to have in real life, and no way to restrict access to it.

Rich • October 24, 2006 11:55 AM

I know of students who have worked their way through college by going to local courts, writing down the publicly available information and submitting it to their empolyer — an information company. That is how previously difficult to get information is now easily available.

Roy • October 24, 2006 11:56 AM

It’s the last part I find so curious. Courts no longer own their records. When they change something, often correcting mistakes or hiding embarrassments, the original records remain in the public domain.

Tom Davis • October 24, 2006 11:57 AM

One hundred years ago, the town grocer knew which cookies everyone in town preferred. The local parish vicar knew who was in financial straits, and everyone knew who was dating whom and which children were trouble makers. And people had a pretty good idea of who was trustworthy and what a person’s income was. And that’s was true not just for some short period of the ninteenth century, but for all of human history.

In the last fifty years, the US has become extremely decommunitized (I made up that word, but feel free to use it), which is one reason for the success of Howard Johnson’s and McDonalds: no matter where you go, you can feel “at home” knowing that this franchise is going to be identical to the others.

Technology is moving us back to the status quo. While you may not know the flight attendant personally, there is no reason why you should be treated as a mere number when there exists sufficient information to provide you with in-flight entertainment that you’ld actually like to see. I find Amazon.com’s suggestions enlightening.

And of course, for those purchases we’d rather our bank manager not know about, we can still use cash. That’s the big issue! When the local bookstore won’t accept cash or some other untraceable equivalent then our privacy will have been invaded.

Other than that, it is just a matter of people knowing and understanding that paying with a credit card or having something delivered to home or the office is providing information. And if you don’t think that members of the general public are capable of understanding that, then you have only to look at the results of such shows as CSI:* on the habits of criminals to have your mind changed. Even my mother understands that when you kill someone you must ensure that ALL of the blood ends up on something which can be destroyed so as not to leave a trail. And she knows that credit card purchases are recorded forever (whether or not that’s true).

Bruce Schneier • October 24, 2006 12:05 PM

“Technology is moving us back to the status quo.”

Um, no. One hundred years ago, the town grocer knew his customer’s preferences. Because customers had a personal relationship with their grocer. Today, EVERY town grocer in EVERY town know’s EVERYONE’S preferences. And no one has a personal relationship with anyone. This isn’t a return to the status quo, this is something wholly different.

Tom Davis • October 24, 2006 12:06 PM

Your other blogs on one hacker stealing the information from other hacker forum databases, and Fedex account numbers being sold by employees (of Fedex or of the airline cargo handler) should be sufficient proof that legislation could not provide protection against the disclosure of ‘private’ information. After all, both of those examples are already illegal. Legislation would only make gullible people feel secure without actually providing any protection.

aeschylus • October 24, 2006 12:10 PM

Uh, “visa versa”? C’mon, Bruce… don’t mar your otherwise fine exposition with poor spelling. Or was there some kind of pun in there that I missed?

Anonymous • October 24, 2006 12:20 PM

Thanks for that, aeschylus.

Link about German privacy law • October 24, 2006 12:26 PM

Tom, one huge problem with privacy legislation in the U.S. is that if a company obtains your data (with your consent or not) it’s not your property, it’s theirs. So you lose control over it. On the contrary, the German Federal Constitution Court ruled once that having control over your own data is a fundamental right: http://www.privacyinternational.org/survey/phr2003/countries/germany.htm

Davi Ottenheimer • October 24, 2006 12:46 PM

“One hundred years ago, the town grocer knew his customer’s preferences.”

This is a complete fantasy. We wish this were true, but having grown up around tiny rural communities myself (comparable to 100 years ago) where this should have been the case I can tell you it most certainly was not. The opposite was often true where people formed opinions based on a lack of data.

Moreover, 100 years ago was 1906 and plenty of spaces existed where people moved about perfectly anonymously, often not by choice. My favorite story is the man who came through Ellis Island and was asked to write down his name. He stared blankly in fear at the clerk, only able to muster a “Ummmm, ich vergesse”. The clerk, obviously in a rush, entered “Mike Fergesson” and yelled “next, please”…

Think of it this way, a grocer’s mind is a database of information (with ability for retention widely varying) suceptible to all sorts of analysis and influence and difficult or even impossible to transmit. This is not at all comparable to the database of sales/marketing/analytic sharp-shooters, where information is likely to be stored indefinitely in original and highly accumulated format as well as easily transmitted in its entirety to just about anyone else. The grocer might have put value on knowing a thing or two about a customer, to build a relationship, but would not have found the same value in being able to sell that information down the river. Today, we are finding the opposite is the case — it is less about a relationship and more about expsosure.

I suspect that the “hundred years ago” concept is most often used by folks who have never lived in a place that fits their description, and so it becomes a convenient strawman argument.

Davi Ottenheimer • October 24, 2006 12:59 PM

I posted about the ChoicePoint connection before, somewhere on this blog, but since my memory is not like a Jetera database, here it is again:

http://www.govexec.com/features/0304/0304s1.htm

“For years, the Federal Bureau of Investigation, the Internal Revenue Service, the Defense Department, the Social Security Administration and about three dozen other federal agencies have called on ChoicePoint to identify tax evaders by uncovering hidden assets, root out medical benefits fraud and help track down criminal suspects. ChoicePoint won accolades in 2003 for leading federal and local officials to the Washington snipers, by mining name and license plate data the company owns to identify the suspects.

But it was the Sept. 11 terrorist attacks that made the company’s capabilities most valuable to government. ChoicePoint performed more than 112,000 background checks on airline passenger screeners for the Transportation Security Administration.”

And then there are companies like Cyveillance…

http://cyveillance.linuxgod.net/

Clive Robinson • October 24, 2006 1:11 PM

“Technology is moving us back to the status quo.”

Ah no, it was only the town grocer who had knowledge, you could always go out of town and get your service where you where not known or known differently (as men often did when visiting a brothel for instance).

The simple fact is you cannot just walk away and start again as you where once able to do up untill the late 1980’s.

So if somebody takes a downer on you for whatever reason they can poison the “well of life” against you, and where ever you go it will be held against you, not just in your home country but globaly these days.

Oh and don’t think you can sort it out, you probably can’t, the number of times the same piece of incorect information gets sold around is astounding. Once it starts it is an almost endless task chasing around to find out who has the incorect information and who (if they are willing to tell you) they have sold it onto. IF you doubt this just look at the info posted on the Internet by people who have tried to clear their name after ID theft. They might just clear their name but get their credit rating back…

And apart from a few places in Europe, it is considered suspicious not to use a credit / debit / store / loyalty card and cash in the U.S above twenty bucks well, it’s treated like it’s contaminated with anthrax or drugs.

The last time I was in the U.S. I was treated almost like a criminal by the hotel receptionist in a large chain because I did not use a credit card, and paid a substantial deposit in cash.

When I then declined to let go of my passport (so she could back office it), she came up with some very silly reasons why she should. And when she said as a last resort “it should be put in the reception safe so it does not get lost” she did not like the response that “I trust you and the other staff less than you trust me”.

In the U.K. the Governement have started talking to private consumer DB companies yet again about getting unrestricted access to “prevent terrorisum and serious crime”. How come I don’t belive them, and think that at some point they will either use it to raise more taxes (you live above the norm for your income) or to remove benifits (no you cannot have an operation because you buy more than a thousand units of alchol a year etc).

OldTimer • October 24, 2006 1:12 PM

@Davi, Bruce

“One hundred years ago, the town grocer knew his customer’s preferences. Because customers had a personal relationship with their grocer.”

I grew up in a small town and we had such a grocer, everyone called him “Frankie”. He knew most of his customers, usually able to predict what types of deli meats you preferred and how you liked them sliced (thick or thin). However, most of his “data” about his customers came from what sold and what didn’t. He knew that everyone in town liked chocolate chip cookies over oatmeal, since he knew that he sold more chocolate chip cookies, not becuase he knew each customer that well. Just simple inventory on his part.

Although, old Frankie met his match when a big box grocery store opened in the next town (just a short drive away). Frankie still had personalized service, but just couldn’t compete, and retired a couple of years later.

Regarding privacy, over the years, Frankie did accumulate a lot of “saleable” info on his customers food preferences. However at that time, I suspect that if Frankie had ever decided to sell that information, and his loyal customers found out, they would have considered that a huge invasion of privacy, breaking the “trust” Frankie had with his customers, who would have quickly spread the word that “Frankie’s” is not a good place to buy groceries.

My how times have changed!!!

MathFox • October 24, 2006 1:12 PM

In a small town the Grocer knew which cookies you ate, but you knew which church he visited, the ages of his children, etc. But you were pretty anonymous when you did shopping in the “big city”.
Now the big chainstores try to keep a tab on you, without giving information back about their operations. You might escape from it by buying cash or in another country, but that becomes harder and harder.

There is a conflict between Jetera’s proposed operations and EU privacy laws. The EU insists on “opt in”.

Fraud Guy • October 24, 2006 2:17 PM

@Clive Robertson

Your post reminded me of an old story:

A man, angry at another parishoner in his church, decided to get revenge by spreading a scandalous story about them. In time, the story spread and damaged the other person’s reputation and position in the community to a far greater extent than was his intention.
Aghast at what he had done, the man went to his pastor and confessed to his deeds, asking forgiveness for spreading the rumour. The priest asked the man to come back to the church with a down pillow.

Confused, the man did as instructed, and the priest then asked him to come to the top of the church bell tower with him. When they arrived at the top, the priest took the pillow from the man, cut it open with a knife, and let all the feathers out into the breeze. The priest then turned to the man and said: “When you have gathered all of these feathers, then will you have made amends for what you have done.”

Obviously, the feathers are our data, and unfortunately the ubiquitousness of methods of gathering data about us (browsing habits, card purchases, loyalty cards, tollway passes, phone calls, etc.) and their convenience have us all ripping open our own metaphorical pillows. Even “opt-in” methods can make it seem better and easier to allow this expansion of our personal lives.

How do we address this? Do we make all information brokers responsible for the accuracy of their data? Can we make them retain definitive proof authorizing use of any data they have? Can we require them to update pertinent public records that is no longer legally accurate?

I think, unfortunately, that the genie is out of the bottle. I would like to tell ChoicePoint that, regardless of cost, they have to follow the above strictures, which would either put them out of business or increase the cost to their customers and so end the utility of their services (cheap, easy “verification” of customer/applicant data). Unfortunately, they can just lobby to prevent such laws–a few hundred thousand to the proper party funds (or both to make sure) will save them millions (or billions) in costs and business.

Our personal security requires effort, extensive support, and means of neutralizing the ability of those who benefit from the exposure of our data to use their already established position to keep our data available for sale and use. I don’t see that happening in the near future, and the longer it takes, the harder it is to undo.

And to those that point out the EU privacy laws, the EU has already agreed to US demands for information on airline passengers that were denounced as violations of that very policy. There is no safe harbor from this, anywhere, except for ones that we create for ourselves. And for that, the criminals are far ahead of the common person in creating their own privacy.

Pedant • October 24, 2006 2:56 PM

@aeschylus

Thanks again aeschylus.
I am also keen on tightening up spelling and grammar (Clive Robinson take note!).
I’d never really thought about this one until you pointed it out.
Wikipedia clearly states that “vice versa” is correct but it is obvious by searching the Net the “visa versa” is also very common.
http://en.wikipedia.org/wiki/List_of_Latin_phrases
Here is a reference that claims that Bruce’s spelling is etymologically correct but less common:
http://www.answers.com/topic/list-of-latin-phrases-full

dana • October 24, 2006 3:15 PM

I have never understood the concept of our not owning our personal information. How is it possible that it is allowed that some other entity has ownership or control of that which is uniquely ours? By what rational does this exist? I know that the corporations have gotten this ability by means of payoffs to politicians, but still, this idea eludes me. On the face of it, this goes against the 4, 5, 9 and 14 amendments to the Constitution. What more basic property do we own than our name?

derf • October 24, 2006 3:22 PM

I doubt we could ever make it happen, but a “format and reinstall” policy on personal information once it’s used (per transaction) is the only way to ensure that information doesn’t continue to live. Hefty fines and jail-time (ala HIPAA) for any breaches of this policy would be needed to make sure everyone played nicely.

Anon • October 24, 2006 4:57 PM

@Pedant

I don’t see how the Latin phrases site can claim “visa versa” is etyomologically correct.

I don’t know what “visa versa” would mean. Forces turned? Vision turned? Faces turned? Credit-card turned?

Realist • October 24, 2006 5:14 PM

@dana
“I have never understood the concept of our not owning our personal information.”

I’m curious about this assertion. If I have knowledge, do you own it? Suppose my knowledge is about you: your personal information. Do you own this knowledge? Am I supposed to forget it, at your request? Must I ask permission prior to every use of this knowledge? Prior to mentioning this knowledge in a conversation? The fact is, the human mind isn’t wired with tags that indicate permissions for each bit of knowledge.

There is an appropriate policy debate regarding the protection of that information. But let’s not overreach. Unless your personal information is so unique that you can copyright it, you don’t own it.

Outta Names • October 24, 2006 7:03 PM

Isn’t Jetera a little late to the party? I seriously doubt there is anything there that justifies a patent. It’s little more than CRM SOP.

Check with any number of other travel iindustry companies, e.g. Hertz who has been able to do similar matching for decades. They’ve got the credit card, the ariline arrival data, and in many cases the frequent flyer and other affinity program data in their profile and rental transactions. What they don’t have can easily be matched up with various promotional partners.

"Anonymous" gets too confusing • October 24, 2006 7:47 PM

Hmmmm….©

Lemme see here©. If I write something, I own the Copyright to that writing.© Under the current Copyright laws, I wonder….©

Is there a paper equivalent to DRM?©

Calo Bob • October 25, 2006 3:19 AM

Geoff Lane • October 25, 2006 4:33 AM

This is just another version of the widespread fallacy that if you gather sufficient lowgrade data you can generate high grade information.

You can’t, all you get are wildeyed guesses that just annoy your customers.

aeschylus • October 25, 2006 11:25 AM

Pedant> Wikipedia clearly states that “vice versa” is correct but it is obvious by searching the Net the “visa versa” is also very common.

Interesting. I’ve heard it pronounced that way (OED also lists a two-syllable pronunciation for “vice” in this context), but I don’t recall ever seeing anyone misspell it “visa versa” before.

Pedant> http://en.wikipedia.org/wiki/List_of_Latin_phrases
Pedant> Here is a reference that claims that Bruce’s spelling is etymologically correct but less common:
Pedant> http://www.answers.com/topic/list-of-latin-phrases-full

That reference is on crack.

OED (1971) lists “visa versa” neither as an alternate spelling nor in a separate entry. On “vice versa” it provides this etymology (where I’m transciribing italics as quotation, a-circumflex as ‘a^’ and a-macron as ‘a:’:

[L. (also “versa vice”), from “vice”, abl. sing. of “vicis” turn, place, position, etc., and “versa:”, abl. sing. fem. of “versus”, pa. pple. of “vertere” to turn. So F. “vice versa^”, Sp., Pg., It. “vice versa”, “viceversa”.]

Theseus • October 25, 2006 3:24 PM

@Realist
“I have never understood the concept of our not owning our personal information.”

A human individual and aggregrates (i.e companies, government bodies, …) are just not equal in my opinion.

Since 1900s companies have succeeded in obtaining ever more rights, that used to be and ought to remain rights that only an invidual should have.

There is an interesting book about this subject it’s called :
Gangs of America
The rise of corporate power and the disabling of democracy
Author : Ted Nace
Isbn : 1-57675-260-7

There are several reasons why this is an erroneous development :
– Disparity in relations.
— Normal relations between entities assume some form of equality.
— One party is able to inflict a lot more damage on the other and i think you know who is the underdog.
– A company is something entirely different from an individual.

If i know something about you as an individual you don’t own that information.
Owning that information would require you controlling me on a one to one basis somehow.

If a company knows something about you they should not be able to call that their property as there will never be any way to hold them accountable for any damage they caused (un)willingly to you by the use they made of the information that you gave them for a single specific purpose.

So i believe in the end it is all about their being accountable for the use that’s being made of that information. No accountability === Lawlesness

TSA-Insider • October 25, 2006 8:28 PM

Bruce,
Hate to tell you, but Secure Flight is being revived. DHS/TSA hasn’t given up on vetting passengers.

Roger • October 26, 2006 1:46 AM

@Geoff Lane:

This is just another version of the widespread fallacy that if you gather sufficient lowgrade data you can generate high grade information.

Erm, that isn’t a fallacy, it is true, and in fact a very important truth. In fact it is the basis of life itself: living systems absorb large amounts of high entropy energy from their environments, discard some large fraction (with even higher entropy) and construct localised systems of very low entropy (relative Kolmogorov complexity close to 1). The total information content, of course, is constant but locally the information density increases dramatically.

Other classic examples include optics (e.g. synthetic aperture imaging takes a lot of blurry images and produces one crisp one), digital signal processing (e.g. error correcting code take many bits with large error rate and produce a shorter string which is error free), and for a sociological example, say, criminal investigations (take a large number of statements of uncertain truth value and produce a single statement that is likely to be true). But ultimately, almost all creative processes–weeding a garden, knitting a lace shawl, curing a disease–can be characterised as gathering a lot of low grade data and generating a smaller amount of high grade information.

This isn’t to say, of course, that all attempts to do so are either well-founded or wise.

Davi Ottenheimer • October 26, 2006 3:19 PM

“He knew that everyone in town liked chocolate chip cookies over oatmeal, since he knew that he sold more chocolate chip cookies, not becuase he knew each customer that well.”

Good example. That’s aggregate data rather than personal information.

100 boxes of choco-chips for 10 people could mean 10 per person or 100 for one person (running a cookie business), etc..

This is usually the right type of information for companies to gather and trade. It is far better to manage a database that holds info on the percentage of 18-25 year olds who purchased choco-chips in the past 12 months for x region, versus a record of the birthdate for every customer, their address and the date/time of every visit. Many companies/agencies today will attempt to compile the latter when all they really need is the former.

It’s a bit like someone trying to buy the farm when all they need is a bag of groceries. The sad thing is that without proper security controls the cost to the buyer may be the same while the cost to the seller…

Peter • October 31, 2006 9:43 AM

We do have a mechanism for re-creating
identities, preferences, but it’s limited
to the Witness Protection Program, and
some other specialized uses. To what extent should it be applied to anyone?

J. • October 31, 2006 6:18 PM

@Clive Robertson

“And apart from a few places in Europe, it is considered suspicious not to use a credit / debit / store / loyalty card and cash in the U.S above twenty bucks well, it’s treated like it’s contaminated with anthrax or drugs.”

Heh? AFAIK not really, we often use bank cards with a PIN in (some parts of, not all) Europe, or plain ol’ cash. In some places you cannot use certain cash notes as they’re not accepted (I think 250 EUR+ notes, but I don’t care, as I usually use a number of 20s or a bank card with PIN). If you do groceries, it is normal you pay with a bank card with PIN or cash. If you’d go to IKEA to buy sth more expensive like a new kitchen or in the 100-200+ range you’d probably pay with a bank card with PIN so you don’t have to carry large amounts of cash around. If you are certain you are going to buy something, cash would be fine for your needs though and it’d be accepted just fine. For small amounts, cash is always OK. It depends where and what you buy and it differs per country/culture, I assume. My experience in the USA was that cash in a grocery store was OK (but traveller cheques were some work and caused delay). But I was only there for a short while in an odd town, and not in a big city or something.

Obviously, a bank card with a PIN also has privacy issues as does cash with RFID.

Credit/debit/store/loyalty cards are more something from the UK/US.

I don’t like the concept of a credit card (buy now, get in debt, pay later). There are concepts where you buy something and pay it later, for example a car. This is a deal with the car (re)seller and you. Not with any credit card corporation. I’d love to get a debit card for reasons of ease of use and compatibility however contrary to UK and US I haven’t found a service providing this in my country yet.

elduqe • November 5, 2006 6:32 PM

Bruce,
Just a fact check, and correct me if I’m wrong, but wasn’t the commerical data mining program you’re describing part of CAPPS II, not Secure Flight? I believe Secure Flight is the government’s effort to match passenger names to terrorist watch-lists at the TSC. As far as I know it’s been postponed indefinitely but not cancelled. Thanks.

Bruce Schneier • November 5, 2006 11:55 PM

“Just a fact check, and correct me if I’m wrong, but wasn’t the commerical data mining program you’re describing part of CAPPS II, not Secure Flight? I believe Secure Flight is the government’s effort to match passenger names to terrorist watch-lists at the TSC. As far as I know it’s been postponed indefinitely but not cancelled.”

Commercial data was definitely part of Secure Flight, at least at some points. When I reviewed it for the TSA, it was no longer part — although it was clear that they were building the system so they could add it later.

As to the current status of Secure Flight, I really don’t know.

Schneier on Security

Airline Passenger Profiling for Profit

Comments

Leave a comment Cancel reply