Ars Editor Learns Feds Have His Old IP Addresses, Full Credit Card Numbers 217
mpicpp writes with the ultimate results of Ars's senior business editor Cyrus Farivar's FOIA request. In May 2014, I reported on my efforts to learn what the feds know about me whenever I enter and exit the country. In particular, I wanted my Passenger Name Records (PNR), data created by airlines, hotels, and cruise ships whenever travel is booked. But instead of providing what I had requested, the United States Customs and Border Protection (CBP) turned over only basic information about my travel going back to 1994. So I appealed—and without explanation, the government recently turned over the actual PNRs I had requested the first time.
The 76 new pages of data, covering 2005 through 2013, show that CBP retains massive amounts of data on us when we travel internationally. My own PNRs include not just every mailing address, e-mail, and phone number I've ever used; some of them also contain: The IP address that I used to buy the ticket, my credit card number (in full), the language I used, and notes on my phone calls to airlines, even for something as minor as a seat change.
The 76 new pages of data, covering 2005 through 2013, show that CBP retains massive amounts of data on us when we travel internationally. My own PNRs include not just every mailing address, e-mail, and phone number I've ever used; some of them also contain: The IP address that I used to buy the ticket, my credit card number (in full), the language I used, and notes on my phone calls to airlines, even for something as minor as a seat change.
Big Brother (Score:5, Insightful)
Re:This is news? (Score:2, Insightful)
full Credit card numbers is not just basic Info, imagine a data breach.
The Stasi & Stripes (Score:5, Insightful)
The government has files on everyone (or nearly everyone); people never suspected of, or implicated in, any crime.
How is this different from what the Stasi did?
This isn't news (Score:5, Insightful)
Really, is there anyone out there (reading this site) that doesn't know that you have no privacy anywhere anymore?
The actual question is: what are you going to do about it?
PCI-DSS (Score:5, Insightful)
As an organisation accredited to be following PCI-DSS, we would be crucified if the PCI auditor found us holding the PAN (the long number on the front of your credit card, PAN = primary account number) in plain text. Surely the airlines/booking agents should not be passing the PAN to anyone else if they are following PCI-DSS (which is mandatory if you want to accept card payments)?
Does the country you're a national of.... (Score:5, Insightful)
have a constitution that has some reknown, and maybe organized defenders of same?
If so, get in touch with them, organize, get active.
Re:The Stasi & Stripes (Score:2, Insightful)
Because 'Murica has better propaganda and dumber citizens.
Re:This is news? (Score:5, Insightful)
Because most of the time the airline blacks out most of the Credit Card before sending it to the Feds. In theory the Fed're only supposed to have the last four digits, because that should be enough (when combined with name and expiration date) to identify the card.
This is actually a pretty typical story on this issue. The Feds collect data that can be very useful in searching for terrorists, but they don't actually look at it much. They do a computer search, and most of it will never come up. So the airline sent them more then it should, and maybe somebody noticed, but nobody cared. So it got sent to his file folders (both electronic and physical). Then he FOIA'd the info, and since nobody FOIA's the info they had no procedure to respond to the FOIA, so he got it in a ridicuklous way (two batches, the first batch of which he had not asked for, and the second batch seems to have been totally unexpected).
If you think privacy rights are incredibly important, and are sincerely worried that Obama isn't enforcing them better, it's terrifying that a federal Agent could have stolen his CC info. And it's even more terrifying that there's no bureaucrat in charge of purging irrelevant info (like his CC number).
If you're me, and you take a more philosophical view of the whole issue, you note that a bureaucrat in charge of looking at his info would have looked at his info. Said info was highly unlikely to leak from the TSA to anyone else unless a) they had probable cause due to some investigation, or b) some enterprising agent decided to go over his file and verify it. Federal agencies just don't share information with each-other the way privacy purists imagine in their nightmares, rather they horde it and then exaggerate the info-horde's usefulness in powerpoints demanding an increased budget.
Not effective (Score:5, Insightful)
This kind of mass data collection on everyone is a huge waste of resources. The more people you add to a database, the less relevant it becomes for anything. People who know trade craft, know how to cover their tracks and pollute big data. So this is basically a giant database of amateurs, stupid crooks and ordinary civilians.
Another problem with big data are the large numbers of errors. I've run big databases where users were motivated to provide good data and there were still gaps in the data, misspelled names, numbers transposed, and some entries locked out because they were trying to enter duplicate primary keys. Travel data is coming in fast, I can't imagine what the exception reports look like every day.
Re:The Stasi & Stripes (Score:5, Insightful)
How is this different from what the Stasi did?
They were at least honest about the fact that they were doing it. Also, I don't think it was unconstitutional in Germany, so it wasn't the government acting rogue like we have now.
Re:Not effective (Score:4, Insightful)
Writing this off as not effective misses the point. Most reasonable people - certainly most reasonable technical people - know this is ineffective. But this isn't about finding terrorists.....
If a defense contractor can convince bureaucrats and politicians that an ineffective big system can effectively ID potential terrorist, then we are left with either a false sense of security and/or a lot of innocent people being treated like potential terrorists. It makes for good security theater at the expense of civil liberties.
Re:This is news? (Score:5, Insightful)
So, do you believe abuses like those described here do not happen as a regular course of business: "NSA Employees Routinely Pass Around Nude Photos Obtained Via Mass Surveillance" http://www.zerohedge.com/news/... [zerohedge.com]
I find that naive. Now, do I care? Not really. But I understand why some people might, and I don't consider that privacy purity.
Re:The Stasi & Stripes (Score:2, Insightful)
Uhh...
What country doesn't have a file on all it's residents? Seriously.
Just think about all the files the US Government has had since the late 18th century. the Census had very good clues to everyone's religion, generally actually had a line for ethnicity, etc. During the first Libertarian-=Conservative period of dominance in the Judiciary the IRS had a database on exactly how much everyone made. A few years later the New Deal added a database on how much everyone makes that's updated every time you get a check. All three of these have more information, and more personal information then the TSA database. Both the IRS and the Social Security database could be used to steal a lot more from you then a single Credit Card.
Re:if you've voted R or D... (Score:3, Insightful)
Nonsense. For example, if you voted for Ross Perot, you're directly responsible for the Republicans losing the White House. If you voted for Nader, you're directly responsible for the Democrats losing the White House.
Either go back to your government as intended; that is to say, without political parties, or accept the fact that there are, in fact, political parties, and change your government setup to work with that.
IP's with out ISP logs are useless and even if the (Score:2, Insightful)
IP's with out ISP logs are useless and even if they have them ones from public networks are dead ends unless they have full logs as well.
Re:This is news? (Score:5, Insightful)
> And we can actually be quite sure it was not widely shared at the TSA, because if it had been some asshole would have stolen his Credit Card number.
Except that they're available, in bulk, to whoever administers that database. And a theft or loss of a backup of that database is hideously unlikely to ever be reported, for "national security reasons" but also to reduce bureaucratic business. And given the history of federal agency personal and political fraud against private citizens, especially politically active citizens, it verifies that they have far too much data, far too easily accessed, available at whim for whatever purpose is desired.
Just because "it's boring text" does not mean it's not incredibly useful for political espionage or frame-ups. Please, do not try to claim that it "wouldn't happen here" The abuse of confidential federal information to harass political opponents certainly _has_ happened here, in the McCarthy hunt for Communits, with the Committee to Re-Elect the President in Nixon's presidential reign whose failures cost Richard Nixon his presidency, and with the Valerie Plame affair during George W. Bush's presidency.
The collection and aggregation of "uninteresting" private information or "metadata" represent risks to political careers and private liberty that will not cease simply because "who would care" or "it's dull". It's hardly dull to be able to use someone's personal information and credit card data to track the nature, times, and location of _every purchase_, and have warrant free monitoring of travels and personal business. And there is, effectively, no oversight of such access because it's the NSA: they operate under a tremendous shroud of national security that prevents rational oversight of such sensitive information.
Re:This is news? (Score:5, Insightful)
You realize Hoover never had access to any non-FBI database? Neither did HUAC at al. And there are plenty of Federal databases besides the FBI. In another thread I mentioned three that are actually a lot more dangerous, and a lot older, then anything we're talking about: the Census, Social Security, and the IRS. Neither the CREEPs nor the Plame Scandal involved the use of a Federal database. Plame was not even a database at all. Rove was talking to a random guy about her husband, and he mentioned the CIA connection. The CREEP did not abuse any Federal databases, it tried to steal information that could not be added to those databases (like reports from the shrink of a guy who pissed Nixon off).
I'll note here you haven't managed to quote the only actual example of a Federal database being used against US Citizens (Japanese internment).
So while I will agree, that in theory this database could be used by a future Hoover, I will also point out that it is quite useful in numerous actual law enforcement situations. Terrorism actually exists, even tho we like to pretend it no longer counts just because almost all the victims are black Africans. I disagree with much of the war on drugs, but the drug runners are not nice people. Both groups use the US Air network, and if there's any pattern to their usage we can't find that out unless it's recorded somewhere. Given that the US Government is pretty consistent in it's evils (they tend to involve totally ignoring the Constitution to get new data, and/or abuse minorities; using data from existing data sources just isn't the MO), the long-term risk of them abusing old data is quite low. Call it 5%.
So we have a database, that will be useful in numerous perfectly legitimate law enforcement operations, and a small risk of it leading to bad things. You're free to conclude any risk is too much, but I think that risk is fine.
Re:this is news? (Score:5, Insightful)
The surprise twist ending is when we end up with an authoritarian regime because too many people just sighed and said, "this is news?" any time something that should outrage us happened.
Re:This is news? (Score:5, Insightful)
Anyone who believes that, go stand on your head in the corner and be counted.
Re:if you've voted R or D... (Score:5, Insightful)
The only wasted vote is a vote for provably evil scumbags. To say that someone else might win because I cast my vote for someone who isn't an evil scumbag is extremely short-sighted; nothing is ever going to change if people do not take a stand. And win or not, people voting for third parties sends a message to The One Party.
Re:This is news? (Score:5, Insightful)
The Nisei were a wholesale incarceration, and was quite public. I was referring more to illegal acts in living memory. The other acts involved the abuse of private information, held in federal hands. It doesn't have to be in a database. The extent of the data and its ease of access _expand_ the risk, not reduce it.
> So we have a database, that will be useful in numerous perfectly legitimate law enforcement operations, and a small risk of it leading to bad things
The "risk" is real. I'm afraid that its abuse is inevitable with so much data concentrated behind closed doors, without any judicial review or enforceable consequences for its misuse.
Re:this is news? (Score:2, Insightful)
Vote your heart when it comes to elections, even if statistically speaking, the candidate is going to lose. If enough people stopped voting for the lesser of two evils, and for someone whom they really want to be elected, I wonder what will happen?
Re:This is news? (Score:5, Insightful)