Ars Editor Learns Feds Have His Old IP Addresses, Full Credit Card Numbers

mpicpp writes with the ultimate results of Ars's senior business editor Cyrus Farivar's FOIA request. In May 2014, I reported on my efforts to learn what the feds know about me whenever I enter and exit the country. In particular, I wanted my Passenger Name Records (PNR), data created by airlines, hotels, and cruise ships whenever travel is booked. But instead of providing what I had requested, the United States Customs and Border Protection (CBP) turned over only basic information about my travel going back to 1994. So I appealed—and without explanation, the government recently turned over the actual PNRs I had requested the first time.

The 76 new pages of data, covering 2005 through 2013, show that CBP retains massive amounts of data on us when we travel internationally. My own PNRs include not just every mailing address, e-mail, and phone number I've ever used; some of them also contain: The IP address that I used to buy the ticket, my credit card number (in full), the language I used, and notes on my phone calls to airlines, even for something as minor as a seat change.

Data sent to airlines

[bunyip]

The Travelocity guy avoided telling the whole story. They do provide relevant information, but if the government has the PNR with all the remarks in it, then it likely came from Travelocity or Sabre.

Travel agencies and 3rd-party web sites, such as Travelocity. put all this encoded stuff into the remarks section of the PNR, it's all that "H-" stuff. When the PNR is sent to the airline, NONE of the remarks are transmitted. The airline doesn't receive your IP address, for example. Seat numbers, phone and contact information are transmitted in Special Service Request (SSR) and/or Other Service Information (OSI) fields. One major exception is that Travelocity and AA share the same PNR when booking AA.

Now, the airlines have to send a whole bunch of data about you to the TSA to get clearance for you to board. Look up Secure Flight / APIS / AQQ and you can learn a little bit about it.

A.

Required quote from Casablanca

[sandbagger]

Major Strasser: We have a complete dossier on you: Richard Blaine, American, age 37. Cannot return to his country. The reason is a little vague. We also know what you did in Paris, Mr. Blaine, and also we know why you left Paris.
[hands the dossier to Rick]
Major Strasser: Don't worry, we are not going to broadcast it.
Rick: [reading] Are my eyes really brown?

Re:This is news?

[Anonymous Coward]

How do you think all those companies let you pay without re-entering payment info?
They store your credit card number.
Sure it sucks if they get hacked or whatever, but that's the way it is.
They whole idea that you can use someones credit card just by knowing some numbers is stupid anyway.

Re:This is news?

[flyneye]

All this info, just lying around, in case they need it. They wanna see what kind of home improvement crap I bought, what brand of tortilla chips I eat, where I gas up at, when I occasionally call on the phone, perhaps they'd like a scratch n sniff X-ray of my colon before I had a polyp removed. Maybe they'd like to hear the last obnoxious joke I told with the punchline of Hillary carrying Obamas two headed love child to term before marinating it in jalepeno barbeque sauce.

I'm pretty boring, and I hate and distrust the charlatans misusing the government, like any other human on the planet. But it's nice to see that one day they will have spent everything I ever paid in taxes on hardware to store my unused trivia.
LOL, yeah Omama is gonna PROTECT us from terrorists and is busily doing everything he can think of with that baseball sized head of his. Him n his Repubmocrat buddies gonna start a PROGRAM to look into what could help and appoint a commitee to get a feel for what the Corporations would agree to and talk about a solution and it's effect on the economy, while appeasing the voters.
(Ever listen to the words of DEVOs "Mongoloid"? Kinda applies to the whole shithouse load of them, doesn't it?)

Re:PCI-DSS

[Loki_1929]

As an organisation accredited to be following PCI-DSS

You aren't accredited to be following PCI because nobody is. There is no certificate. There is no special seal of approval. You provided security information to your acquiring bank(s) and you were allowed to process credit card transactions. There's no such thing as certification or accreditation for PCI.

we would be crucified if the PCI auditor found us holding the PAN (the long number on the front of your credit card, PAN = primary account number) in plain text. Surely the airlines/booking agents should not be passing the PAN to anyone else if they are following PCI-DSS (which is mandatory if you want to accept card payments)?

Who says they're holding the PAN in plaintext? They can decrypt it to send it to the Feds as needed without keeping it in plaintext in their systems. The Feds have no agreement with an acquiring bank, so they don't have to worry about how they store it. Nobody can do anything to them. Any agreement the airlines have with their acquiring banks undoubtedly includes plenty of cover for Federal data reporting requirements (likely a blanket "if the Feds come calling, we're just going to give them everything"). So long as the acquiring banks have signed off on it, they're in the clear. And since all these guys would like to continue doing business in the largest economy in the world, nobody's going to say no.

You voted for 'em.

[XB-70]

It is long overdue that government surveillance becomes a major political issue. Yet, we are no longer represented by our elected officials who have been bought off by the oligarchy. Moreover, if you talk to 99% of citizens, they will simply shrug off news items like this and go back to the latest Kardashian wardrobe malfunction intrigue.

This isn't about paranoia, it's about the fact that our personal rights are being completely abrogated by governments that are out of our control.

Our true freedom is doomed until we demand action so that due process takes place - legally and by the rules.

It's time to use the system to give itself back to us: with court challenges and by voting out non-supportive elected officials.

Exposure of incompetence and malfeasance with articles such as this are where to begin.