CGomezOctober 5, 2009 7:52 AM

The problem is there is no need to peruse or keep this data for 100% of the people who fly almost every day (almost being defined as 99.99% or more of all days). Seeing as how there are not hijackings or attacks every day, we waste an awful lot of time and effort most days.

I believe strongly that we should consider an airplane something that can be turned into a tool of terrorism. I just don't believe we should waste so much time and energy on things (or people) that are not terrorists.

John CampbellOctober 5, 2009 7:52 AM

The problem with retention is that it can't be secured.

If it can't be secured from the people who customarily have access to it, it can't avoid being mis-used.

The problem, of course, is that human beings are the problem... and it is an INSOLUBLE problem... as long as human beings are made of flesh and blood.


Stalin said that it takes millions of deaths to turn people into statistics... but, really, between the spreadsheets that corporate bean-counters use to pigeon-hole employees and these kinds of databases, we're statistics while still breathing.

jakeOctober 5, 2009 9:37 AM

government cannot be trusted, its legal for them to lie to you and illegal for you to lie to them. government is about power for a few who pretend to lead us, but usually mislead us. They want to know all about us and they want to remain anonymous. power corrupts, and anonymous power in the hands of minor officers is a tool for their egos. when the cop who stops you for some trivial pretext (pretext means lie) tries to pretend that its a friendly stop, ask him where he lives, he already has your address, and its unlikely that he will give you his name. in fact, some police departments have nametags with the first intials and the last name on a goldplated bar that hangs pointed downward and often had the black ink in the name scrubbed out of the grooves with a toothbrush. The gold plate is to dazzle you with bright sunshine if you try to read the name.

johnonbellonOctober 5, 2009 9:44 AM

That DHS travel record consists simply of PNR (reservation) record copies transmitted by the airlines - exactly the same information entered by your travel agent or airline.

The difference is that travel agents/airlines only keep them for not long after the trip, whereas the DHS keeps their copies forever.

phred14October 5, 2009 10:04 AM


>government cannot be trusted, its legal for them to...

Unfortunately, you can take the word "government" out of that sentence, and substitute far too many other words for it. I mention this because often times, people use this reasoning to curse government and call for limiting its power, while thinking nothing of the same power being wielded by, for instance, banks or other large multinational corporations.

At the very least, with the government I have the power to vote and/or write to my elected officials, but many cite the ineffectiveness of one vote, corruption, etc. I am supposed to be able to "vote with my wallet" in participation in the free market as a check and balance on the corporate world, but especially with large multinationals, I would argue that it's about as effective as one vote.

Finally, at its essence the government is supposed to serve its people. That failure is so common is sad. At its essence a corporation strives to separate me from my money, preferably happily and voluntarily by offering me something in return, so we are both pleased by the bargain. These days, I would say that the failure rate is approaching that of governments, however the failure is usually in the secondary goal - providing me with happy exchange, not in the primary goal of getting my money.

I'm not trying to absolve governments here, I'm just saying that too much focus on "governent evil" is probably not a good idea.

Clive RobinsonOctober 5, 2009 11:16 AM

@ phred14,

"I'm not trying to absolve governments here, I'm just saying that too much focus on "governent evil" is probably not a good idea."

Do you mean that we should not forget that those same global con-artists who take our money, use it to pay for "government evil" via their over paid lobbying lackies?

David DonahueOctober 5, 2009 12:23 PM

Since this document contains full name, credit card number / expiration and frequent flyer info, etc. isn't this a breach of the supposed requester's info security? It sure violates PCI/DSS. I mean, what if it's not really the supposed requester.

It seems to me that its just small jump from the information presented here to being able to do credit card fraud/identity theft.

Of course, poor authentication on credit transactions and there being easy ways to obtain the info for identity theft should come as no surprise to anyone here.

How long is it until we see the following:

"Hello my name is TOM SMITH please send my DHS Travel Record from the U.S. Customs and Border Patrol’s Automated Targeting System (ATS) under a FOIA/Privacy Act request. Please deliver to my foreign business office at:

Royal Family Solicitors
Attn: N. A. Mabunetu for TOM SMITH
Lagos, Federal Republic of Nigeria"

savanikOctober 5, 2009 1:26 PM

@David Donahue

I was thinking the same thing about five minutes ago. When you pause to think, though, remember that the government is able to charge a fee for the time and materials used in a FOIA request.

While Nigeria can spam the government, each of those messages would cost them something like $20, and the government is free to turn around and deny access to the results until they've been paid. In fact, they'd probably deny them pre-emptively if they received a few million messages like that over a weekend - and if a /reasonable/ supervisor gets it, they won't even start the requests until they've at least been paid - by the actual person who's requesting records.

Contrary to popular belief, real people do work in government. Some of them even have the flexibility in their job to make common sense decisions. I suspect most of them work in IT. ;)

john grecoOctober 5, 2009 1:51 PM


While a $20 charge may stop Nigerian spammers from spamming requests in bulk, it would not do a thing to slow down any identity thief determined to get my identity.

savanikOctober 5, 2009 2:40 PM

Well, Symantec says my ID is only worth $5.23, so I should be safe. ;)

In reality, it's the same information security problem we've seen all the time. Against targeted, persistent attacks there's very little an individual or even a single company can do to protect itself. They can at best minimize the damage when (not if) they get compromised. On the other hand, we shouldn't have to worry about broad swathes of random attacks at this particular spot.

On that note - how would you minimize the damage to yourself if someone did make a targeted attack against your identify, specifically? Those credit protection 'products' don't really do that much.

john grecoOctober 5, 2009 3:04 PM

Well I certainly wouldn't argue that the situation isn't already crap, but I don't think that's a reason to give up entirely and excuse this kind of negligence.

I'm by no means an expert in identify theft but this still strikes me as a very bad, very exploitable idea.

Edward HasbrouckOctober 6, 2009 9:14 AM

"johnonbellon" says, "travel agents/airlines only keep them for not long after the trip". Actually, it's just the reverse: the DHS doesn't need to retain its copies of this data, because airlines and travel agencies, and the reservation systems (CRS's) that host their data, will for commercial reasons keep them forever. Most travel agencies don't keep PNR archives on site, but can retrieve them on demand from the CRS they subscribe to -- as can, unfortunately, the government, in secret, with a National Security Letter or by "voluntary" cooperation of the airline or travel agency.

"johnonbellon" also says that PNR's contain "exactly the same information entered by your travel agent or airline". Unfortunately, travellers have no way, at least in the USA, to know what data has been entered into their PNR, including data from airlines, travel agents, and other third parties. A proposed rule to exempt this third-party data in PNR's from the Privacy Act -- so that the government could access and use this third-party derogatory information in PNR's as the basis for permission-to-fly decisions under Secure Flight, without disclosing it to the travellers against whom it is being used -- is pending on the CBP regulatory docket:

So if you want to get your own "targeting" dossier, you should do so ASAP, before this rule is finalized.

The Identity Project's report on the responses to our first group to requests is at:

Further progress has been slow: my own appeal of the CBP's failure to turn over many of their records listed in their Privacy Act notices (including their records of and my work as a travel agent and my land border crossings -- they admit to getting information on cross-border travel from Amtrak and Greyhound, both of which I've used for travel to Canada, but have yet to disclose any of it ), has been pending for more than two years without any response. But the more people ask for their files, the more we will learn, even if the responses are (like *all* of those I've seen to date) manifestly incomplete.

More examples of responses to Privacy Act requests for DHS travel records, as well as templates to request your own records, are at:

Time permitting, I'll be happy to help recipients interpret the responses to their requests.

Edward HasbrouckOctober 6, 2009 1:06 PM

To answer the other question about pretexting the DHS with a forged Privacy Act request: If you want to get a PNR, it's probably easier to pretext the airline or travel agency. But that's not usually necessary: airlines' online check-in systems generally show the entire itinerary (although not the entire PNR), not just the single flight, with only a name and record locator. Much more of the PNR (not nearly all, but enough for many stalkers and domestic assailants, who in my experience are the largest segment of attackers interested in PNR data), can be obtained with only the surname and record locator shoulder-surfed or read off a discarded boarding pass stub or the label on bag going around on the carousel (you were just reading the tag to see if it was your bag or someone else's, right?) from the CRS's non-password-protected Web gateways, which use the publicly printed and displayed record locator as a pseudo-password:

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..