Airline Passenger Profiling

From an anonymous reader who works for the airline industry in the United States:

There are two initiatives in the works, neither of which leaves me feeling very good about privacy rights.

The first is being put together by the TSA and is called the “Secure Flight Initiative.” An initial test of this program was performed recently and involved each airline listed in the document having to send in passenger information (aka PNR data) for every passenger that “completed a successful domestic trip” during June 2004. A sample of some of the fields that were required to be sent: name, address, phone (if available), itinerary, any comments in the PNR record made by airline personnel, credit card number and expiration date, and any changes made to the booking before the actual flight.

This test data was transmitted to the TSA via physical CD. The requirement was that we “encrypt” it using pkzip (or equivalent) before putting it on the CD. We were to then e-mail the password to the Secure Flight Initiative e-mail address. Although this is far from ideal, it is in fact a big step up. The original process was going to have people simply e-mail the above data to the TSA. They claim to have a secure facility where the data is stored.

As far as the TSA’s retention of the data, the only information we have been given is that as soon as the test phase is over, they will securely delete the data. We were given no choice but had to simply take their word for it.

Rollout of the Secure Flight initiative is scheduled for “next year” sometime. They’re going to start with larger carriers and work their way down to the smaller carriers. It hasn’t been formalized (as far as I know) yet as to what data will be required to be transmitted when. My suspicion is that upon flight takeoff, all PNR data for all passengers on board will be required to be sent. At this point, I still have not heard as to what method will be used for data transmission.

There is another initiative being implemented by the Customs and Border Protection, which is part of the Department of Homeland Security. This (unnamed) initiative is essentially the same thing as the Secure Flight program. That’s right—two government agencies are requiring us to transmit the information separately to each of them. So much for information sharing within the government.

Most larger carriers are complying with this directive by simply allowing the CBP access to their records directly within their
reservation systems (often hosted by folks like Sabre, Worldspan, Galileo, etc). Others (such as the airline I work for) are opting to
only transmit the bare requirements without giving direct access to our system. The data is transmitted over a proprietary data network that is used by the airline industry.

There are a couple of differences between the Secure Flight program and the one being instituted by the CBP. The CBP’s program requires that PNR data for all booked passengers be transmitted:

  • 72 hours before flight time
  • 24 hours before flight time
  • 8 hours before flight time
  • and then again immediately after flight departure

The other major difference is that it looks as though there will be a requirement that we operate in a way that allows them to send a request for data for any flight at any time which we must send back in an automated fashion.

Oh, and just as a kick in the pants, the airlines are expected to pay the costs for all these data transmissions (to the tune of several thousand dollars a month).

Posted on December 22, 2004 at 10:06 AM10 Comments


Vivian Burns December 22, 2004 12:10 PM

Do you have any way of verifying that this information is true? It’s disturbing, but coming from an anonymous source I can’t help wondering. Plausible, though.

piglet December 22, 2004 4:08 PM

This is of course true, and not new:,1848,65822,00.html

Passenger (PNR) data from passengers arriving on flights from abroad are already transmitted to the US government and stored for several years in a mega database. You may remember that this data transfer was a major dispute between the EU and the US because under EU privacy law, it is unlawful for airlines to transmit those data to a third party. Finally, the EU commission agreed to make an exception to the law but this is still being opposed by the Parliament and now subject of a dispute before the European Court of Justice. (;;

However, the data are currently being transmitted.
It seems that airlines are giving US Customs (CBP) direct online access to their customer databases. The US have promised to use the data only as agreed but there is no way to verify this. CBP store the data for 3 1/2 years (although the agreement doesn’t explicitly oblige CBP to delete the data after that period).

There is a very odd clause about CAPPS in the agreement: “TSA may use PNR originating in the EU for testing of CAPPS II, but not until CAPPS II is authorized to begin testing with domestic data”.

piglet December 22, 2004 4:17 PM

PS This looks like an excellent opportunity for European and US privacy advocats to work together and coordinate their efforts. It is ironic that on the one hand, European governments are using the US “war on privacy” as an excuse to weaken their own privacy laws, on the other hand, the US government is now trying to extend a system that originally was designed for international travel on domestic travellers as well.

piglet December 23, 2004 10:28 AM

Why is there “no way of verifying this information” if reported it on already november 24?

“U.S. airlines turned over a month’s worth of passenger data Tuesday to Homeland Security officials, who want to test a massive, centralized passenger-screening system.

The Transportation Security Administration ordered America’s 72 airlines to turn over their June 2004 domestic passenger flight records by Tuesday afternoon. The airlines had initially questioned the order because of privacy concerns, but they all complied.

The agency wants the records — which can include credit card numbers, phone numbers and health information — to test a system called Secure Flight. Currently, passengers are screened by the airlines, which check itineraries against a set of watch lists provided by the government. The TSA hopes to reduce the number of people flagged incorrectly by performing the checks itself using an expanded, centralized terrorist watch list.

Privacy advocates contend that the list-based system is ineffective and that passengers with names similar to suspected terrorists would still be snagged under the new system.

The TSA plans to evaluate the system over the next 90 days in hopes of rolling out the system in the spring.

Congress, however, has barred the system from airports until the Government Accountability Office certifies that the system is effective and not overly invasive.

This is not the first time airlines have turned over passenger data to help test an antiterrorism screening system, but it is the first time that the transfers were not secret.”

Jacob February 16, 2009 12:11 PM

Hello Mr. Schneier, I creating a book about traveling for kids. And somtimes kids feel inconfortable with the of the others flying with them becuase of their apearance. What would you say?

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.