Talk to people about sensitive data and they'll think first of their medical records, then maybe their email inboxes or telephone calls. But travel data is exceptionally intimate, more so than most people realise when they open frequent flyer accounts or watch an immigration official slide their passport through a reader. Travel data can expose your religion (special airline meals), your friends and lovers (itineraries, hotel records, seat selections), your medical conditions, and, for businesses, commercially sensitive interactions. It is not accidental that government policy pays so much attention to collecting this information.
There’s no doubt about it – they’re collecting it. Since 7/7, London's congestion charge data has been subject to a security certificate, which exempts it from the Data Protection Act and gives security services untrammelled access. Today's machine-readable passports deposit your details in a database every time you enter the country. There are plans to extend the surveillance aspects of the congestion charge – the automatic number plate recognition system – throughout the country, either as part of road pricing plans, or as part of increased police monitoring, or both. Airlines – to whom frequent flyers gleefully trade their information for the occasional free ticket and a slight improvement in service – regard their flyers' data as one of their most valuable assets. How secure is all this stuff?
| Travel information technology is its own parallel universe |
| Edward Hasbrouck |
What's rarely recognised, says Edward Hasbrouck, author of The Practical Nomad, director of The Identity Project, and the leading expert on travel data, is that, "Travel information technology is its own parallel universe." This is largely for historical reasons: before the internet, the travel industry developed what was probably one of the world's largest real-time networks and developed its own ways of doing things that persist to this day.
"There's a tendency by people who have not worked in this field, especially younger people", says Hasbrouck, "to be very dismissive of this as some antiquated legacy with old-fashioned technology. From the point of view of the people in travel, it's pioneering and cutting edge, way ahead and much bigger."
He adds, "One of the reasons it was possible for travel reservations and especially airline tickets to be the leading edge of ecommerce – which they were – was not only that the product was more or less virtual, but because the infrastructure already existed. Airlines were the first businesses that absolutely had to have a real-time global network – they needed communications to arrive before the planes did. They weren't introducing ecommerce, just giving internet access to an existing ecommerce system that existed one or two decades before the term was invented. If Expedia and Travelocity had to build their infrastructure from scratch they'd still be working on it."
Open heart surgery
It may seem weird to those used to internet standards, but the old airline systems can't just be thrown away and replaced: it's a working network with billions of dollars a day coursing through it. Hasbrouck compares re-engineering these systems to "open heart surgery on a living patient". However, in recent years, efforts have been proceeding to rebuild them. "When complete, it should enable them to incorporate security models that are more appropriate to current circumstances", says Hasbrouck.
The vulnerabilities in these systems are largely related to the threat model in existence when they were built, when the biggest threat was that valuable paper tickets could be physically stolen. We talk, says Hasbrouck, about ‘bookings’ because at one time every reservation was entered in a giant book; that was replaced by racks of cards, and then by databases to whom a relatively small number of people had access.
Then things began to change: airlines marketed database hosting to smaller airlines who couldn't afford to do their own and spread it to travel agents. The security concern was to ensure that competitors couldn't see each others' data and keeping insiders from issuing free tickets to their friends.
| Do you want to be almost unreasonable certain about data security or do you want to be able to afford an airline ticket? |
| A former airline industry insider |
"Security was less about what data people can see than what kinds of commands they have available", says Hasbrouck. Now, internet access is introducing a new level of vulnerability.
"E-tickets broke the disconnect between tickets and money and reservations", he says. "A ticket is only a piece of a passenger name record (PNR), and being able to create a reservation record is the same as being able to issue a ticket." The industry's greatest concern is still insider fraud. "A lot of vulnerabilities today", he says, "are at the mom-and-pop agency level, which are vanishing."
Out with the old, in with the new
Some of the vulnerabilities in travel systems derive from the interface between new (electronic) and old (paper): the pile of reservation faxes websites send small hotels, for example. Most are individualised: installing a keylogger on the check-in terminals in many hotels that print boarding passes, for example, or taking advantage of RFID passports to clone one belonging to a passenger who looks somewhat like you, or the stalker who is good at conning staff into giving out information they shouldn't.
| EU hotel guest information, as a report filed by the Department of Homeland Security points out, is routinely collected and supplied to law enforcement on request |
Very little is ever written about the computer reservations systems (CRSs) – also called global distribution systems – that handle most airlines' bookings, including those made directly over the web. Originally airlines' private networks, these systems were spun off in the 1990s to generate much-needed cash. Today, the three major CRSs are: Amadeus (originally Continental and many European airlines), Galileo (United), and Sabre (American and US Airways). Galileo's owner, Travelport, also owns the online travel agency Orbitz.
A former airline industry insider says that many discussions have taken place around what the necessary and sustainable privacy practices for protecting customer information should be, particularly after the Hewlett-Packard board spying incident. Beyond what's legally required, the insider says, it is not cost-justified to secure privacy. Customers don't expect it, regulators don't require it, and competitors don't do it. As always, there's a financial balance to be struck: "Do you want to be almost unreasonable certain about data security or do you want to be able to afford an airline ticket?"
The market value of privacy
In general, you don't need much information in order to access a particular passenger's airline booking – on Travelport's ViewTrip site, for example, just the record locator and last name will unlock the full itinerary details. Over the phone, a good pretexter could certainly mess with details like flight dates, special meals, requested assistance, and so on. Getting access to someone's full flight history would be harder without the person's frequent flight number.
| I think it speaks highly of the industry that there haven't been more scandals around gossip spread by travel agents at the individual level |
| Edward Hasbrouck |
Again though, the balance is about money, says the former insider. "Plenty of technologies could be used to enhance the privacy of the record, but none are cost-effective. Anything you can get customers to pay for is cost-justified, but the airline industry as a whole know how their major competitors identify callers – literally know, because they travel and buy tickets. They know 'they don't do anything more than we do' and therefore it's not cost-justified to secure privacy. I'm sure the same is true of a hotel reservation."
Under the Data Protection Act details such as meal requests are considered sensitive personal information requiring strong protection because it may reveal one's health, philosophy, or religion. But, says the former insider, "In practice no data protection authority treats it that way because it's ancillary to the database." Little is likely to change until, or unless, privacy acquires a clear market value.
Conflicting motives
The bigger vulnerabilities lie in two areas. First, the fact that airlines, which used to do everything themselves including cook meals, clean airplanes, and stuff their own marketing envelopes, now outsource practically everything. "Everyone is a possible place for infosecurity harm to occur", he says.
The second is the various government agencies' requirements to access and store travel data. Besides the activities noted above, police requests for Oyster card data on London Underground travel are up from seven in 2004 to more than 3100 between January and October 2007. TFL requires police to show that they need the personal data in connection with the prevention or detection of crime on a case-by-case basis. EU hotel guest information, as a report filed by Hugo Teufel, the outgoing privacy officer for the Department of Homeland Security points out, is routinely collected and supplied to law enforcement on request. Conversely, the US now requires passenger reservation information before flights take off – but does not collect hotel data.
Both the US and the UK pay great attention to securing their borders, sometimes with bizarre consequences. Gus Hosein, a visiting scholar at the London School of Economics and senior fellow of Privacy International, points to Heathrow's Terminal 5 as a perfect example of a conflict between commercial and security motives. The terminal, rather unusually, mixed domestic and international passenger flows to ensure that anyone passing through has a chance to shop. But that meant that someone arriving from, say, Winnipeg, could collect a boarding pass from a friend who'd checked in for a flight to Edinburgh and proceed to Scotland without ever having passed through passport control. Heathrow's solution to this was to propose to fingerprint every passenger, domestic and international to authenticate them on arrival at check-in and again when boarding a plane.
"Privacy International filed a complaint", says Hosein, "and they had to tear it down before it opened." Instead, domestic passengers in Terminals 1 and 5 are digitally photographed at check-in and the photograph is re-checked at boarding.
All this said, Hasbrouck believes that the industry's record is pretty good. "Travel is very closely correlated with wealth and power", he says. "I think it speaks highly of the industry that there haven't been more scandals around gossip spread by travel agents at the individual level. The public may not understand the intimacy and the potential, but the people who see PNRs daily get it." Even so, the vulnerabilities are there. "If it were more widely recognised, I think the industry would be more freaked out about the potential liability. I hope it doesn't take a widely publicised fiasco."