What Does DHS Know About You?
Sep 7th, 2009 by sherri
Here’s a real copy of an American citizen’s DHS Travel Record retrieved from the U.S. Customs and Border Patrol’s Automated Targeting System (ATS). This was obtained through a FOIA/Privacy Act request and sent in by an anonymous reader (thanks!)
The document reveals that the DHS is storing the reader’s:
- Credit card number and expiration (really)
- IP address used to make web travel reservations
- Hotel information and itinerary
- Full Name, birth date and passport number
- Full airline itinerary, including flight numbers and seat numbers
- Cruise ship itinerary
- Phone numbers, incl. business, home & cell
- Every frequent flyer and hotel number associated with the subject, even ones not used for the specific reservation
Again, here is the full record. The anonymous reader obtained his/her travel history using Edward Hasbrouck’s excellent guides. Check out his site for more info!
Thanks a ton for sending this in. If anybody else gets a copy of their ATS travel record, send it in! We’d love to see them and compare.
| Sherri Davidoff |
| PGP-signed text: 2009-09-06 (current) |

What you are seeing is the data taken from a PNR record. It is everything the airline already has. This is actually old news. The only difference between DHS and an airline is that the airline keeps them only as long as they need it for the travel time, whereas the DHS keeps it (presumably) for a long time (I read 10 years), possibly never deleting it.
Hello,
I work in information security, among other areas. If I am correct in assuming that items like credit card number and passport number were not redacted (i.e., you could see all of your credit card account number), then this document violates several compliance requirements of the PCI-DSS (Payment Card Industry Data Security Standard), several elements of FISMA, and depending on your state of residence, may violate your state’s Data Breach Notification Law.
Wouldn’t it be fun to see how the DHS manages its compliance with those laws?
The PDF isn’t loading and I can’t get it to download…. it seems the website is secured? (I’m getting a “Connection refused” error)
Is there another link for non-registered users?
I hope I’m not the only one who noticed that the word ‘prefer’ is misspelled on page 6, line 9…
Interesting. I’m definitely going to request mine.
Question to the traveller: What is the 31337 and smiley referring to ?
This seems like regular information that can be placed in a reservation by a reservations agent. I believe that the information is there because your travel agent put it there. All the information on a PNR (Airline lingo for reservation) is transmitted to the DHS upon booking. If the agency didn’t put it there, then I don’t see why the DHS would have it. If you had paid cash, they would have seen that too. It looks like a printout of a Continental PNR created in Sabre.
Thanks for sharing this. Sounds like a nice one-stop shop for any number of purposes . . .
The “(b) (6)” redactions by the DHS are to prevent personally identifiable info from being handed to third parties, but we are the third party here — the FOI request was for that person’s own records, so as far as the DHS is concerned there is no third party here. I believe those redactions are bogus.
Does anyone know what law allows/forces the CC info to be relayed to the government? Absent some law I would assume that the agreement between the CC company and the company that collected the CC info in order to charge the card requires this info not be recorded or passed along to third parties. My reading of the USA PATRIOT acts seem to indicate that’s not the culprit…
to #4 Johnny:
31337 is ‘leet-speak, or typing at least, for “elite”, which is slang among hacker-wannabes. 3 maps to E, 1 maps to L, etc.
The term is more often used in an ironic sense among real hackers, and here I am using hacker in the original sense of real computer experts.
These are records of international travel, so should come as no surprise that the info is being sent to government. Interpol has been tracking international travellers for decades; just check into a hotel in most foreign countries and you’ll need to surrender your passport briefly and/or fill out an identifying form. Compared to most of the world the U.S. is still the “wild west” when it comes to freedom to travel anonymously WITHIN the country, so we Americans are not so used to the idea of government (or supergovernmental organizations like INTERPOL) tracking our travels. If DHS has now started tracking domestic, that’s a sad development but still par for the course compared with other nations.
Ugh, I get really frustrated with these people who post PNRs and act as if the government is collecting information in them! Any info in there YOU GAVE OUT to your airline or travel agency! Stop doing it! Rule #1, don’t use a travel agency. Rule #2, don’t use a frequent flier number. Rule #3, pay cash and use a fake name, if you’re THAT paranoid… The TSA will make you a selectee and give you a quickie screening at the security checkpoint–big deal. The airline doesn’t care if the name in your reservation matches the name on your passport, they only care that you HAVE a valid passport–but they do have to enter that passport info in the PNR and send it to DHS. So if you’re traveling internationally, it’s impossible to do anonymously, but we knew that anyway. You still don’t have to give them all the other details about you… That’s your mistake!
@#8
I am not sure what law requires them to send the CC info along, but I do know that the Payment Card Industry Data Security Standards are absolutely broken with the distribution and storage of the complete CC/Expiration to anyone. Someone should light up the PCI guys on this mess of identity theft waiting to happen.
If your goal is to convince people that you own them, you have to treat them like slaves and make sure nothing in their lives is private..while everything in yours, is. Beware of people who know where you live, without letting you know where THEY live….
The power elite are not subject to the laws and regulations of the masses and that, no doubt, gives them a tremendous woody.
The redactions (b)(6) and (b)(7)(c) are legit. What they took out are the names (or more likely the user IDs and or badge numbers) of their inspectors. Since that data does not pertain to the requester and could potentially give up sensitive info on another person, it was removed.
Surely the real question here is “WTF? Why would anyone prefer Delta?”
What’s the big deal? If you are not doing anything wrong, why worry?
@#16 Ian:
I prefer not to be watched while I’m in the shower. In the same way, I prefer not to be tracked in government databases or placed under routine surveillance. It’s not specifically that I’m worried that something bad will happen. It’s that privacy is something I value in and of itself.
Our government, just as much as our neighbors, should respect this preference.
Re: #15, Some Fool
Hey, that’s because United breaks guitars
http://www.youtube.com/watch?v=5YGc4zOqozo
Y0u would with with all of that security and crazy knowledge they have to implement this, they could actually try to spell “FONE” right on the report. “Tisk Tisk”
Typo on my par~ “you would think”
To freekymayne: Yes you are “Rainman.”
I understand about the not being watched in the shower and privacy from neighbors, I’ve had a few that couldn’t keep their noses in their own backyard.
On the other hand, if I’m being tracked in some way, yet not doing anything worthy of notation, it only stands to reason that those bent on some form of havoc and destruction are also being “watched”. If the government can’t “watch” ordinary citizens, how can we get mad at them if they can’t “watch” for the bad guys and keep us protected.
I approach their “watching” much like the white blood cells in our body monitor all the other cells so they know when an infection is present. They know when something is not right so they can deal with it.
It seems, in my opinion, that the only way to remain truly anonymous is not to really live life to the full. Most assuredly *you* will know who *I* am since my e-mail address (though “hidden”) is “required” for me to post a comment. To have a voice, I am no longer a secret, nor my identity a private matter. So you can’t remain totally anonymous if you want to surf the internet nor when you travel or otherwise enjoy your life.
I’m sure many have come up with ways to fly under the radar, let’s just pray they are not the *bad guys*, hmm? Then again, it also stands to reason, that given current trends the criteria for who the *bad guys* are may give me cause to change my opinion on this subject. It’s quite the dilemma to be sure.
@16 Would you mind leaving your housekeys down at the police station so they can enter periodically for a surprise look around to make sure you’re not doing anything illegal? I mean, after all, if you’re not doing anything wrong, why worry?
Traveling to America today is like visiting Nazi Germany in the 30’s, Russia in the 50’s or China in the 60’s.
Why worry? What why worry? Invasion of privacy is not based on if you are “guilty” of something, what happens when they mail you a ticket clicked on by a camera and it wasn’t you
In this country, you get to face your accuser…So who will show up? The cameras? There’s a lot more to be concerned about if we lose our privacy.. Read, 1984, Anthem or Fountainhead.
This from the same government that actually published all of our Social Security Numbers on line on the SSI site which was up for over a month.
RFID – is everywhere, books clothes you name it.
Will Microwaving it work to destroy it?
In Texas, they have the RFID in a pilot program that on the sticker on the car windshield, they can clock, in realtime your speed, and distance who you are and where you are.
So along with the “cameras” at every intersection light can track you all over the area. It’s already too late for opposition to these practices…But worth the effort.
It’s a digital world, and we are digital girls
[...] Privacy is deader than a Norwegian Blue parrot. [...]
Ummmm…
“If you’re not doing something wrong…”
The real problem with records like this is that there is such a thing as a RETROACTIVE decision that you have done something wrong.
Yes, new laws are usually passed which do not allow for retroactive enforcement, but there have been enough that have allowed for it.
Hasn’t anyone read Brunner’s “Shockwave Rider”?
We’ve seen the haves and have-nots… with money, power… and, now, privacy. The Shrub was able to hide his criminal (well, DUI) record… and our Good Irish Friend is able to hide a birth certificate.
Why them and not us?
So the big question for everybody:
Do you feel more secure now that you know what the DHS knows about you?
If over 50% of you don’t; US democracy isn’t working!
This is what the United States Department of Homeland Security knows about travelers [EN]…
It reports on the data that the DHS keeps on travelers who arrive in the country and pass through customs/immigration services. The information was obtained by making one of those official requests that oblige the agency to disclose the data it holds;…
With regards to the questions about PCI standard violations, I don’t believe they are applicable in this case. PCI is targeted at merchants and processors of credit cards. In other words, people who need to maintain a business relationship with the credit card companies, and thus agree to certain business practices as dictated by the PCI standard.
I don’t believe the DHS fits this definition and thus couldn’t suffer the normal penalties the credit card companies might seek to impose for standard violations. The companies passing the DHS this information might, but they may also have an excuse if the DHS is requiring them to pass on the data.
As far as I know, I could ask all of you for your credit card data and then post it on the Internet because I’m not bound to the PCI agreement.
@Bruce: You are correct. The PCI DSS power of enforcement arises from the contractual agreements between the card brands, acquirers, and merchants. Anyone who is not a party to those is not subject to the standard.
Roy@2.
The government naturally doesn’t need to comply with commercial standards like PCI (in fact businesses don’t need to comply either; it’s just a good practice). Of course DHS doesn’t need to comply with lesser state privacy regulations; the federal government is not subject to state law in such a situation. They may be stupid and even malicious, but they’re not breaking the law.
Michele,
Why do you assume that the “bad guys” will never be government agents? That’s the real question. It has always happened, and will always happen, that bad guys get into government. Power tends to attract ruthless sociopathic bastids like Cheney and Rahm Emanuel. Do you want them knowing every detail of your life?
At first I hoped that the comments to the effect of “If you aren’t doing anything wrong, you don’t have to worry…” were sarcasm, but as the numbers grow, I have to take them at face value and say, once again, that anyone making such a statement doesn’t understand what freedom actually is and probably won’t until theirs is taken away.
To pick a particularly inflammatory example, were German Jews in the 1930s doing anything “wrong”? Nope, not until they were effectively outlawed. Did it happen on one particular day? Nope, fascism creeps in like fog, and your legal actions today can be the Star of David sewn on your coat tomorrow. Think “That can’t happen in these enlightened times”? I’m certain that’s what many thought in the ’30s as well.
Secondly, claiming that you are comfortable with government surveillance because you feel safer, may I direct you to the words of one Benjamin Franklin (paraphrased) “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.” I for one suspect Franklin was a more keen observer of the dangers of government than most Americans today, raised as we are in the cotton candy padding of wealth and isolationism.
The world did not change on 9/11, Americans were merely made aware that the world extends beyond our borders.
I am not an alarmist, conspiracy theorist, member of a paramilitary enclave, nor do I wear a tinfoil hat. I’m a middle class, middle age, mid-western American who happens to know his history and the fallibility of government.
“Someone should light up the PCI guys on this mess of identity theft waiting to happen.”
Just a quick nit pick, because it really does matter – stealing credit card data is not IDENTITY THEFT, it is credit card theft. It is a non-issue to most consumers as the extent of damage they will actually endure is the annoyance of getting the charges cancelled and waiting for a new card. Identity theft, however, is a horribly frustrating crime to the victim as it can take years of legal wrangling to clear them of the liability for any fraudulent credit taken in their name, repair credit history, etc. Identity Theft should not be watered down with such casual usage as it removes a sense of the severity, in the same way as labeling punching a guy as murder would remove any sense of severity from the label murder.
Honestly what bugs me is all of the other information associated here. It may make a convenient audit log for the government to back track through, but thoroughly monitoring the movements of citizens is ripe for abuse (FFN even if one isn’t used serves the sole purpose of being able to link together travel records for monitoring purposes).
If I were a foreign terrorist “working” in US, obviously I’d travel with false identities, fake CC, cash,… Very easy to avoid this DHS “super control”
True, your right to access your own payment card data is a consumer right.
But I’m not convinced that PCI DSS isn’t applicable.
The standard also applies to Service Providers. Based on the PCI SSC’s definition of “service providers,” I think a case can be made that the standard applies. The point of the standard is the security of payment cards.
“Service Provider: Business entity that is not a payment card brand member or a merchant directly involved in the processing, storage, transmission, and switching or transaction data and cardholder information or both. This also includes companies that provide services to merchants, services providers or members that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.”
(https://www.pcisecuritystandards.org/security_standards/glossary.shtml#s)
Danby,
I’m well aware of “bad guys” being in government, that is quite obvious, Hitler and Stalin are two examples that come to mind. As I said, given current trends in government, I could, because of my affiliations, become a target of the “bad guys” in our government. I am well aware of that fact and it stands to reason that anyone, at any time, could be a potential target of someone else’s suspicion and “watchfulness”. Wars start because of differences of opinion and people’s suspicions. What is the answer? Evil always takes advantage of the things meant to be good, such as things that safeguard us. Would it be better not to have any safeguards? Seems to me we can either wear ourselves out doing battle with those who breach our privacy rights and be suspicious of everyone who is not us or become hermits and remove ourselves from society so all we have is us and our privacy. Neither of those seems like a life worth living. I have met Secret Service Agents, pretty scary and intimidating dudes. Would I want them to come to my house and haul me off because they found something about me they thought was subversive, no, of course not. But if I was a terrorist who lived next door to you, wouldn’t you be glad they did? What I am saying is you can’t have it both ways. No matter how you look at it, it’s going to trap somebody it should and possibly somebody it shouldn’t. Still a dilemma then isn’t it?
Actually, the PCI-DSS standards have specific carve-outs that exclude reasons relating to law enforcement, customs and national security. These carve-outs were put there (I think, rationally so) by the travel industry, because otherwise they would be taking the risk for something (government handling of the data) that they are unable to audit or control.
Sigh, PCI applies to the company that processed the CC transaction not the government. Giving CC data to somebody is not OK under the PCI rules (absent a statutory requirement which serves to modify the contract – e.g. all contracts for data protection implicitly have a clause that says that data will be protected “unless a judge orders us to release it via a valid legal process”). If the CC processor gave out data to the gov without a statutory override to the contract, the CC processor is in breach of the contract.
Of course, so what. I doubt that Visa, MasterCard, or any bank, will challenge that practice (unless maybe there is a major breach of a homeland security database). Since the PCI standards are promulgated by Visa, MasterCard (and to a lesser extent the issuing and acquiring banks) they are the only ones who can take action against merchants who don’t comply. Do you really think the CC processor for United Airlines is going to tell them not to give Uncle Sam CC data and risk losing the account?
+1 Neighborcat #35 Nice to see that at least some Americans get it! I’m sure we all still see the “if you’re not doing anything wrong you have nothing to worry about” line touted in media by political and police forces, and it’s rarely questioned…shows just how lazy (or compliant) our media are.
The real problem here isn’t government having access to your travel info or even your credit card records. They already have (and had pre-9/11) the ability to get both if they want them (indeed, there were wiretaps on Moussaoui and some of the other perps — the fact that government didn’t move in on them before their D-day was a screwup by the feds).
What’s really going on both with the PATRIOT Act and its sequels is two things:
1) When any tragedy takes place, some of the public, and naturally the media, urgently demand that government DO SOMETHING. Often the result is some feel-good law that doesn’t accomplish anything worthwhile, but does make it look as though lawmakers are doing what the public wants. Another example of this was the Sarbanes-Oxley act, passed in reaction to the Enron and Worldcom frauds: we all know perfectly well that it wasn’t needed, because the chief bad guys in both cases went to prison under the old laws anyway, but stupid people demanded action and now everyone in the business world has to deal with extra burdens. Similarly here, all air travelers have to deal with extra hassles so it will look like Congress DID SOMETHING.
2) The drug police had been asking for most of the powers in the PATRIOT Act for decades. 9/11 gave them an excuse and they grabbed it. Of course, the drugs still get through and always will: Adam Smith’s invisible hand is a natural law and no human agency can defeat it.
The feds pulled a Big Lie and most of you fell for it. Let’s try not to get fooled again.
[...] The government knows everything–or almost everything! [...]
if you think dhs keeping travel records is shocking, do a background check on yourself. not only is there a record of everywhere you have lived, but the actual latitude/longitude record as well. unless they are planning to drop a bomb on your house i see no reason for that. along with your criminal record, your tax records, whether you have a lien or bankruptcy, there is one very pertinent little section here. the section is listed as neighbor info. that’s right. anything they could glean from a conversation with your neighbors is listed in this section for anyone, and i mean anyone to see. one thing no one talks about at government level is how people are now being targeted by background checks. say you left your husband and he was abusive, all he has to do to find you is pay 39.95 to one of the hundreds of companies out there who now sell this info to the public. of course this is all done in the name of public safety. if they are so concerned about public safety then how come child molesters are allowed to live in the neighborhood? why not keep them in public housing where they can be watched? may as well execute criminals in this country as our laws also prevent those with records from working at gainful employment. try getting an interview with anything so small as a dui. one in eight of all americans have a criminal record so don’t think you won’t have to live near one. does knowing your neighbor wrote a bad check or stole a candy bar really make you any safer? all this info is kept for one reason, and one reason only, to keep the population in line. government loves to make example of people, it keeps the other sheeple in line. most of you are too stupid to yet realize that everything you do, say, or think in america is already watched, and very closely.
so… next time I lose my itinerary I can call DHS to tell me what time my flight leaves?
[...] to the USA (as I am this month)? This is scary – what the Dept of Homeland Security knows about you when you check in… Big Brother eat your heart [...]
[...] can sneak a peek at a travel record held by the United States Department of Homeland Security. The scanned copies are posted on philosecurity, and include data [...]
Guys, what if PCI-DSS standards are one part of globalization planning? I’m not sure it’s about our security and privacy….. but who knows..