TSA wants airlines to “share” frequent flyer records

The DHS already has root access to airlines’ computerized reservation systems to “pull” passenger name records (PNRs), even for flights that don’t touch the US.

Airlines serving or even merely overflying the US are required to “push” Advance Passenger Information to CBP before each international flight, and Secure Flight Passenger Data to the TSA before each domestic flight, and receive individualized permission from DHS before issuing each boarding pass.

But that’s not enough for the TSA.  In a Bloomberg news story that appears to have been planted by the TSA as a trial balloon, the TSA suggests aggregating frequent flyer and identity data, across airlines, for storage by a private contractor and use by the TSA:

PreCheck’s structure makes it difficult to clear passengers on more than one airline, said Douglas Hofsass, the TSA’s assistant administrator for the office of risk-based security….

Some airlines are reluctant to share customer information with competitors, Hofsass said. They’ve indicated they’re willing to work with TSA, he said….

“Technically, we don’t have the ability right now, based on the way the eligibility requirements are transmitted to the individual carrier, the way those individuals opt in and the way those records come into us, to validate those individuals,” Hofsass said.

“We don’t have the ability to cascade that to other carriers when those individuals make reservations,” he said. “It doesn’t mean we don’t have an idea as to how we might solve that.”

The agency needs to turn to a private-industry partner who can … create a database of PreCheck fliers, said U.S. Representative Mike Rogers, who oversees the agency through his Transportation Security subcommittee.

“PreCheck” is the latest incarnation of the TSA’s “registered traveler” (“more surveilled and maybe less-mistrusted traveler”) program, currently open only to those members of airline frequent flyer programs invited to apply based on some secret scoring of their frequent flyer profiles by TSA algorithms.

Frequent flyer data is already included in PNR data pushed to CBP for all international flights, but isn’t included in Secure Flight Passenger Data provided by airlines to TSA for domestic flights.  So if you aren’t known to have traveled abroad, or if you use a passport for international travel and some other ID (or no ID) for domestic flights so your domestic and international travel histories are harder to match, the TSA might not yet have a comprehensive dossier of everything you’ve done that’s linked to your frequent flyer account(s).

To the TSA, any incompleteness in the coverage of its travel panopticon is obviously a security (read: surveillance) loophole that needs to be closed.

Under US law, frequent flyer records are the property of airlines, not travelers, and the airlines are free to “share” them with each other, governments, or other third parties without customer notice or consent.

So there’s no legal barrier to the creation of such a master database of frequent traveler records.

However, if the government maintained a copy of the database, it would be subject to the requirements of the Privacy Act.  So outsourcing hosting of the database to a private aggregator (most likely one of the existing computerized reservation systems or other travel data aggregators and intermediaries) would be the architecture that maximizes the government’s easy access to the data while minimizing legal accountability.
