Forgot your password?
typodupeerror
United States Government Privacy

Ars Editor Learns Feds Have His Old IP Addresses, Full Credit Card Numbers 217

Posted by samzenpus
from the no-stone-left-unturned dept.
mpicpp writes with the ultimate results of Ars's senior business editor Cyrus Farivar's FOIA request. In May 2014, I reported on my efforts to learn what the feds know about me whenever I enter and exit the country. In particular, I wanted my Passenger Name Records (PNR), data created by airlines, hotels, and cruise ships whenever travel is booked. But instead of providing what I had requested, the United States Customs and Border Protection (CBP) turned over only basic information about my travel going back to 1994. So I appealed—and without explanation, the government recently turned over the actual PNRs I had requested the first time.

The 76 new pages of data, covering 2005 through 2013, show that CBP retains massive amounts of data on us when we travel internationally. My own PNRs include not just every mailing address, e-mail, and phone number I've ever used; some of them also contain: The IP address that I used to buy the ticket, my credit card number (in full), the language I used, and notes on my phone calls to airlines, even for something as minor as a seat change.
This discussion has been archived. No new comments can be posted.

Ars Editor Learns Feds Have His Old IP Addresses, Full Credit Card Numbers

Comments Filter:
  • Big Brother (Score:5, Insightful)

    by fizzer06 (1500649) on Sunday July 20, 2014 @04:42PM (#47496399)
    He is a nosy bastard.
    • by Anonymous Coward on Sunday July 20, 2014 @05:05PM (#47496477)

      My Big Brother is also my Uncle Sam. Does that make me inbred?

    • by c6gunner (950153)

      The funny thing is, fulfilling his FOIA request is probably the first time anyone in government actually looked at his data.

      • If you consider his info being nicely stored and indexed in various databases as not being looked at. I'm rather impressed at how easily they can run reports on this much disparate information.
  • by bunyip (17018) on Sunday July 20, 2014 @04:49PM (#47496431)

    The Travelocity guy avoided telling the whole story. They do provide relevant information, but if the government has the PNR with all the remarks in it, then it likely came from Travelocity or Sabre.

    Travel agencies and 3rd-party web sites, such as Travelocity. put all this encoded stuff into the remarks section of the PNR, it's all that "H-" stuff. When the PNR is sent to the airline, NONE of the remarks are transmitted. The airline doesn't receive your IP address, for example. Seat numbers, phone and contact information are transmitted in Special Service Request (SSR) and/or Other Service Information (OSI) fields. One major exception is that Travelocity and AA share the same PNR when booking AA.

    Now, the airlines have to send a whole bunch of data about you to the TSA to get clearance for you to board. Look up Secure Flight / APIS / AQQ and you can learn a little bit about it.

    A.

  • by Blue Stone (582566) on Sunday July 20, 2014 @05:02PM (#47496467) Homepage Journal

    The government has files on everyone (or nearly everyone); people never suspected of, or implicated in, any crime.

    How is this different from what the Stasi did?

    • by Anonymous Coward on Sunday July 20, 2014 @05:12PM (#47496501)

      "The Lives of Others (German: Das Leben der Anderen) is a 2006 German drama film, marking the feature film debut of filmmaker Florian Henckel von Donnersmarck, about the monitoring of East Berlin by agents of the Stasi, the GDR's secret police. It stars Ulrich Mühe as Stasi Captain Gerd Wiesler, Ulrich Tukur as his superior Anton Grubitz, Sebastian Koch as the playwright Georg Dreyman, and Martina Gedeck as Dreyman's lover, a prominent actress named Christa-Maria Sieland."

      http://en.wikipedia.org/wiki/The_Lives_of_Others

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Because 'Murica has better propaganda and dumber citizens.

    • How is this different from what the Stasi did?

      It's *alot* easier now?

    • by Anonymous Coward on Sunday July 20, 2014 @05:39PM (#47496631)

      How is this different from what the Stasi did?

      They were at least honest about the fact that they were doing it. Also, I don't think it was unconstitutional in Germany, so it wasn't the government acting rogue like we have now.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        In fact east germany had a democratic constitution, most likely due to pressure from the americans directly after the war, so that the soviets don't errect a communist dictature (same in all eastern european countries). The americans failed, but the constitution was democratic. The only truly democratic votes were at the end of the DDR. The voted parliament then declared to join west germany.
        Second thing to know: west germany still had claims on east germany, thinking it was one country. This was also the r

    • How is this different from what the Stasi did?

      The Stasi needed "electricians" to install bugs. We now buy the bugs and install them ourselves.

    • Re: (Score:2, Insightful)

      by NicBenjamin (2124018)

      Uhh...

      What country doesn't have a file on all it's residents? Seriously.

      Just think about all the files the US Government has had since the late 18th century. the Census had very good clues to everyone's religion, generally actually had a line for ethnicity, etc. During the first Libertarian-=Conservative period of dominance in the Judiciary the IRS had a database on exactly how much everyone made. A few years later the New Deal added a database on how much everyone makes that's updated every time you get a

    • by Sir Holo (531007)

      How is this different from what the Stasi did?

      It's not.

      There is a quote from a former Stasi guy (East-German secret police) regarding the Snowden leaks of NSA capabilities: "We could only have dreamed of having such powers."

  • by sandbagger (654585) on Sunday July 20, 2014 @05:02PM (#47496469)

    Major Strasser: We have a complete dossier on you: Richard Blaine, American, age 37. Cannot return to his country. The reason is a little vague. We also know what you did in Paris, Mr. Blaine, and also we know why you left Paris.
    [hands the dossier to Rick]
    Major Strasser: Don't worry, we are not going to broadcast it.
    Rick: [reading] Are my eyes really brown?

  • This isn't news (Score:5, Insightful)

    by GrandCow (229565) on Sunday July 20, 2014 @05:15PM (#47496513)

    Really, is there anyone out there (reading this site) that doesn't know that you have no privacy anywhere anymore?

    The actual question is: what are you going to do about it?

  • ... as credit card companies have been keeping on us since the 1980s?
  • PCI-DSS (Score:5, Insightful)

    by Alioth (221270) <no@spam> on Sunday July 20, 2014 @05:17PM (#47496521) Journal

    As an organisation accredited to be following PCI-DSS, we would be crucified if the PCI auditor found us holding the PAN (the long number on the front of your credit card, PAN = primary account number) in plain text. Surely the airlines/booking agents should not be passing the PAN to anyone else if they are following PCI-DSS (which is mandatory if you want to accept card payments)?

    • Surely the airlines/booking agents should not be passing the PAN to anyone else if they are following PCI-DSS (which is mandatory if you want to accept card payments)?

      What part of "any tangible thing" and third party doctrine does one suppose is non-applicable to card numbers?

      Government is not bound by rules of the road created by industry.

    • Re:PCI-DSS (Score:5, Interesting)

      by Loki_1929 (550940) on Monday July 21, 2014 @12:19AM (#47498427) Journal

      As an organisation accredited to be following PCI-DSS

      You aren't accredited to be following PCI because nobody is. There is no certificate. There is no special seal of approval. You provided security information to your acquiring bank(s) and you were allowed to process credit card transactions. There's no such thing as certification or accreditation for PCI.

      we would be crucified if the PCI auditor found us holding the PAN (the long number on the front of your credit card, PAN = primary account number) in plain text. Surely the airlines/booking agents should not be passing the PAN to anyone else if they are following PCI-DSS (which is mandatory if you want to accept card payments)?

      Who says they're holding the PAN in plaintext? They can decrypt it to send it to the Feds as needed without keeping it in plaintext in their systems. The Feds have no agreement with an acquiring bank, so they don't have to worry about how they store it. Nobody can do anything to them. Any agreement the airlines have with their acquiring banks undoubtedly includes plenty of cover for Federal data reporting requirements (likely a blanket "if the Feds come calling, we're just going to give them everything"). So long as the acquiring banks have signed off on it, they're in the clear. And since all these guys would like to continue doing business in the largest economy in the world, nobody's going to say no.

      • by DRJlaw (946416)

        Who says they're holding the PAN in plaintext? They can decrypt it to send it to the Feds as needed without keeping it in plaintext in their systems.

        So your argument is that they're reconstructing the PAN within the remarks section of the PNR by inserting decrypted credit card information back into the record?

        I was most surprised to see my credit card detailsâ"full card number and expiration dateâ"published unredacted and in the clear. Fortunately, that credit card number has long expired, but I

      • by rlwhite (219604)

        You aren't accredited to be following PCI because nobody is. There is no certificate. There is no special seal of approval. You provided security information to your acquiring bank(s) and you were allowed to process credit card transactions. There's no such thing as certification or accreditation for PCI.

        No, there's no certificate, but there is a process of documentation and testing commonly referred to as "certification" before you are allowed to process credit card transactions. I work in point of sale software development and have had to help retail chains overcome problems found in their certification tests. You either don't know what you're talking about, or you're playing a pointless semantic game.

    • by Wildclaw (15718)

      Remember that PCI-DSS is a fairly new standard. A quick search got me a VISA document that listed january 1, 2008 as the date for phasing out old payment systems that didn't manage card numbers securely.

      The plain text credit card number was apparently used in a transaction from 2005. Still a bad idea to use a plain text card number. But ompanies doing stupid stuff like that.is kind of the reason why PCI-DSS became mandatory in the first place.

  • by Mister Liberty (769145) on Sunday July 20, 2014 @05:19PM (#47496529)

    have a constitution that has some reknown, and maybe organized defenders of same?
    If so, get in touch with them, organize, get active.

  • Not effective (Score:5, Insightful)

    by HangingChad (677530) on Sunday July 20, 2014 @05:34PM (#47496617) Homepage

    This kind of mass data collection on everyone is a huge waste of resources. The more people you add to a database, the less relevant it becomes for anything. People who know trade craft, know how to cover their tracks and pollute big data. So this is basically a giant database of amateurs, stupid crooks and ordinary civilians.

    Another problem with big data are the large numbers of errors. I've run big databases where users were motivated to provide good data and there were still gaps in the data, misspelled names, numbers transposed, and some entries locked out because they were trying to enter duplicate primary keys. Travel data is coming in fast, I can't imagine what the exception reports look like every day.

    • Re:Not effective (Score:4, Insightful)

      by linearz69 (3473163) on Sunday July 20, 2014 @06:00PM (#47496715)

      Writing this off as not effective misses the point. Most reasonable people - certainly most reasonable technical people - know this is ineffective. But this isn't about finding terrorists.....

      If a defense contractor can convince bureaucrats and politicians that an ineffective big system can effectively ID potential terrorist, then we are left with either a false sense of security and/or a lot of innocent people being treated like potential terrorists. It makes for good security theater at the expense of civil liberties.

    • > This kind of mass data collection on everyone is a huge waste of resources.

      Compared to the cost of intelligently filtering it down to unpredictably "relevant" information, and only storing that? Picking out only the "relevant" or even "legal to hold" information would be, in espionage terms, a complete waste of time, prone to error and reducing the effectiveness of exactly the sort of personal, detailed information which this helps gather.

      I sincerely doubt that the NSA cares about the fine grained accu

    • by c6gunner (950153)

      The more people you add to a database, the less relevant it becomes for anything.

      Totally. Just like mass-surveys become more and more useless the more people you add to them. And scientific research becomes more and more useless the more data points you gather.

  • I read the article and while one might question why data is being stored that is almost a decade old, the data itself is not that big of a deal. Basically the airlines store all the information about how he bought the ticket and what his preferences were (seat assignments, meal choices, etc.) The call center agents kept notes on why he called.

    All of the information is benign. They kept his credit card information in plain text which is lame, but I have yet to see a story about a CBP breach that led to a

  • My own PNRs include not just every mailing address, e-mail, and phone number I've ever used; some of them also contain: The IP address that I used to buy the ticket, my credit card number (in full), the language I used, and notes on my phone calls to airlines, even for something as minor as a seat change.

    Someone tell me there's a difference on this issue...Just this issue please.

    • by AHuxley (892839)
      The files and paper work to sort on a massive scale. Per city in German–occupied Europe the Gestapo staff count was not big considering the tasks.
      Most work was done with informants and tips, letters. A vast network of local people wanting to settle grudges and grievance via denunciation.
      A vast happy to help collaborative staff in different nations also worked very hard to clear out their cities..
      Very few nations bothered to look into the huge numbers of collaborative staff after ww2. Most just
  • "The population census has got him down as "dormanted". The Central Collective Storehouse computer has got him down as "deleted". [â¦] Information Retrieval has got him down as "inoperative". And thereâ(TM)s another one - security has got him down as "excised". Administration has got him down as "completed". ⦠Heâ(TM)s dead."

    Brazil (1985)

  • IP's with out ISP logs are useless and even if they have them ones from public networks are dead ends unless they have full logs as well.

    • IP's with out ISP logs are useless and even if they have them ones from public networks are dead ends unless they have full logs as well.

      Perhaps some 20 years ago when millions browsed the web from AOL behind a complex series of proxy server.

      Today everyone has always on broadband at home with long lived IP addresses. Knowing the user or household associated with an IP with some degree of accuracy seems to me to be anything but useless.

    • by z0idberg (888892)

      Not useless.

      Can you not cross-reference the IP address of known transactions (booking a flight with credit card/personal info), with unknown transactions (emails intended to be sent anonymously, visits to "offensive/dangerous/terrorist" sites etc) to determine who is doing what?

      Yes, there are ways around masking your IP source and identity if you go to the trouble, but that doesn't mean everyone takes those measures.

  • by the_rajah (749499) * on Sunday July 20, 2014 @07:33PM (#47497261) Homepage
    My wife and I last flew commercial on 9-10-2001 out of LGA, the day before 9-11. My wife and I decided, the next day that, short of an emergency situation, we were done flying commercial. If we couldn't drive to get there, we didn't need to go. It's not because we were afraid of terrorists, but we saw what a hassle and invasion of privacy it would became.
    • by Nkwe (604125) on Sunday July 20, 2014 @07:53PM (#47497353)

      My wife and I last flew commercial on 9-10-2001 out of LGA, the day before 9-11. My wife and I decided, the next day that, short of an emergency situation, we were done flying commercial. If we couldn't drive to get there, we didn't need to go. It's not because we were afraid of terrorists, but we saw what a hassle and invasion of privacy it would became.

      I hope that when you are driving, you don't use any toll roads and that when you buy gas or anything else, you use cash that you obtained from an ATM when you were at home. Best also not to drive through any intersections with red light cameras. You also might need to put optical filters on your license plates if you don't want to be tracked. There are lots of cameras out there.

      • They said 'hassle' not just 'invasion of privacy.' None of the things you listed amount to a hassle similar to that which regular people now face when they try to enter an airport terminal.

        But that stuff you rambled on about certainly sounds like a hassle. Is that how you live your life? Really?

        • But that stuff you rambled on about certainly sounds like a hassle. Is that how you live your life? Really?

          I consider avoiding being tracked by government thugs to the best of my ability to be very important.

        • by Nkwe (604125)

          But that stuff you rambled on about certainly sounds like a hassle. Is that how you live your life? Really?

          Nope, I don't do any of it. I was just saying that if you are trying to avoid being tracked when traveling by avoiding flying, it won't do you any good. I travel a lot and I assume that I am tracked a lot.

          Actually if you travel a lot, the hassle factor gets greatly reduced; when you travel by air frequently, you gain status with the airlines and they treat you much nicer. You also become eligible for TSA Pre / known traveler, which lets you go back to the simple "old school" security which is basically ju

    • by whoever57 (658626)

      My wife and I decided, the next day that, short of an emergency situation, we were done flying commercial. If we couldn't drive to get there, we didn't need to go. It's not because we were afraid of terrorists, but we saw what a hassle and invasion of privacy it would became.

      Some of us have families the other sides of oceans. It's not so easy to give up flying.

    • by gl4ss (559668)

      good news!

      the invasion of privacy according to the data started long, long before 9/11!

  • Back before PCI DSS we used to store everything we got during the booking process. And that include FOP (Form Of payment, CA cash, CC Credit Card, CH Checks, government card have another code etc...), FOID (Form of Identification - often Passport number nowadays but used to be FF card and CC card) confidential remarks (financial data) non confidential remarks (address, tel numbers, etc... And for a web based system , yes the IP you used). Everything you have directly or indirectly was saved i the PNR. And
  • When the spooks treat the entire public as the enemy is probably the the time to recognise the spooks are the enemy of civil society.

  • by Ronin Developer (67677) on Monday July 21, 2014 @07:53AM (#47499677)

    When I used to work for the IT of a very large travel agency in the late 1990's/early 2K's, our systems interacted with the computer reservations systems (CRS') of the major airlines, hotel and rental car chains. Every little detail of a call, itinerary, preferences and even comments by the travel agents are recorded. This information is collected by both travel agents on behalf of the travel firms so that they can provide better customer service (or, in the case of asshat travellers, give the agent a heads up).

    We, as a travel agents could see the PNRs of all the airlines, hotels and rental car companies we did business with. And, we kept information on our corporate and personal clients in our own CRS as well - often, it included information extracted from those other systems so we could present it in a manner useful for our agents.

    The point? The point is that this information has been available to 3rd parties for years under agreement. Since 9/11, right or wrong, the gov't has become more interested in your travel plans. This is, especially, true if you are a person of interest. Imagine what they have on your when the merge your credit card info / purchases, gas and food purchases, toll records, call records (meta data or actual, recorded calls) bank records, health records, video feeds, DMV records, and social media...Imagine the picture they can paint on each one of us under the guise of "National Security".

    None of this is new. Only now are people beginning to understand what data is collected and available to those who want to know more about you. And, only now, do we as society have the ability to aggregate all this information into a single profile about you. You can can for what they have on you. You, almost certainly, will not like what you see. And, you aren't going to see the intel they extracted from that info.

    There is no privacy. We, as a society, have given up privacy for convenience. And, we have accepted what corporations push on us (i.e. ATM fees (which, used to be free, btw) ) as the price for the convenience.

    Here's something else to consider - we put money into banks. Those banks use our money to make money via loans. And, they fail to pay any reasonable interest on the money you deposited and allowing them to use (I remember 6% on savings...today? maybe 0.5%..can't even buy A lunch on the interest payment). And, they have the balls to charge you for the "privilege" of having an account and accessing your own money. Worse, you HAVE to have an account if you desire the convenience of a credit card, debit card, loan, or even as a place to deposit your paycheck as many corporations don't like cutting checks. The gov't has access to all these accounts and transactions and we pay for it. This is all in the name of convenience. Convenient, isn't it?

  • You voted for 'em. (Score:4, Interesting)

    by XB-70 (812342) on Monday July 21, 2014 @08:19AM (#47499883)
    It is long overdue that government surveillance becomes a major political issue. Yet, we are no longer represented by our elected officials who have been bought off by the oligarchy. Moreover, if you talk to 99% of citizens, they will simply shrug off news items like this and go back to the latest Kardashian wardrobe malfunction intrigue.

    This isn't about paranoia, it's about the fact that our personal rights are being completely abrogated by governments that are out of our control.

    Our true freedom is doomed until we demand action so that due process takes place - legally and by the rules.

    It's time to use the system to give itself back to us: with court challenges and by voting out non-supportive elected officials.

    Exposure of incompetence and malfeasance with articles such as this are where to begin.

What the world *really* needs is a good Automatic Bicycle Sharpener.

Working...