It's no surprise that the U.S. government keeps an enormous amount of information on its citizens, but one tech editor recently found that the government has more than just his metadata — the feds have, among other things, his plain text credit card number.
It wasn't protected at all.
Ars Technica editor Cyrus Farivar has been documenting the various ways the government tracks citizens (license plates, cell towers, metadata sharing) for years now, and he recently filed a Freedom of Information Act request to see what records the government has kept of his travel.
The first time the feds responded, the data they gave him was "incomplete and a bit baffling."
A few months later, the government turned over Farivar's Passenger Name Records (PNR), and the information they contained was frightening.
The 76 new pages of data, covering 2005 through 2013, show that [United States Customs and Border Protection (CBP)] retains massive amounts of data on us when we travel internationally. My own PNRs include not just every mailing address, e-mail, and phone number I've ever used; some of them also contain:
- The IP address that I used to buy the ticket
- My credit card number (in full)
- The language I used
- Notes on my phone calls to airlines, even for something as minor as a seat change
The breadth of long-term data retention illustrates yet another way that the federal government enforces its post-September 11 "collect it all" mentality.
Farivar initially published a picture of the information complete with his exposed credit card number, though he later redacted it on the suggestion of readers.
Thankfully for Farivar, the particular credit card number that CBP had on file was expired, but the fact that a government agency would store the number unencrypted was concerning.
Also of concern: extensive notes included in the files by airline call center staff.
“There’s no sense on the airline call center staff that they may or may not be aware that anything they put in may be in your permanent file with the Department of Homeland Security,” travel writer Edward Hasbrouck told Farivar. “There’s no training in data minimization. They are empowered to put things in people’s files with the government. I think that’s pretty disturbing.”
Farivar's PNR shows that the U.S. government is collecting a lot more than just metadata on citizens, and that airlines and travel companies (including, in this case specifically, Travelocity) are complicit.
There are a few ways to minimize the opportunities Uncle Sam has to snoop on you, but when it comes to travel, as Farivar noted, there seem to be few options for privacy besides showing up last-minute to buy plane tickets in person — and that's an expensive proposition.
Follow Zach Noble (@thezachnoble) on Twitter