Slashdot Mirror


Ars Editor Learns Feds Have His Old IP Addresses, Full Credit Card Numbers

mpicpp writes with the ultimate results of Ars's senior business editor Cyrus Farivar's FOIA request. "In May 2014, I reported on my efforts to learn what the feds know about me whenever I enter and exit the country. In particular, I wanted my Passenger Name Records (PNR), data created by airlines, hotels, and cruise ships whenever travel is booked. But instead of providing what I had requested, the United States Customs and Border Protection (CBP) turned over only basic information about my travel going back to 1994. So I appealed—and without explanation, the government recently turned over the actual PNRs I had requested the first time.

"The 76 new pages of data, covering 2005 through 2013, show that CBP retains massive amounts of data on us when we travel internationally. My own PNRs include not just every mailing address, e-mail, and phone number I've ever used; some of them also contain: the IP address that I used to buy the ticket, my credit card number (in full), the language I used, and notes on my phone calls to airlines, even for something as minor as a seat change."

  1. Big Brother by fizzer06 · · Score: 4, Insightful

    He is a nosy bastard.

    1. Re:Big Brother by Anonymous Coward · · Score: 5, Funny

      My Big Brother is also my Uncle Sam. Does that make me inbred?

  2. Data sent to airlines by bunyip · · Score: 5, Interesting

    The Travelocity guy avoided telling the whole story. They do provide relevant information, but if the government has the PNR with all the remarks in it, then it likely came from Travelocity or Sabre.

    Travel agencies and 3rd-party web sites, such as Travelocity, put all this encoded stuff into the remarks section of the PNR; it's all that "H-" stuff. When the PNR is sent to the airline, NONE of the remarks are transmitted. The airline doesn't receive your IP address, for example. Seat numbers, phone and contact information are transmitted in Special Service Request (SSR) and/or Other Service Information (OSI) fields. One major exception is that Travelocity and AA share the same PNR when booking AA.

    Now, the airlines have to send a whole bunch of data about you to the TSA to get clearance for you to board. Look up Secure Flight / APIS / AQQ and you can learn a little bit about it.

    A.

  3. The Stasi & Stripes by Blue+Stone · · Score: 5, Insightful

    The government has files on everyone (or nearly everyone); people never suspected of, or implicated in, any crime.

    How is this different from what the Stasi did?

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    1. Re:The Stasi & Stripes by Anonymous Coward · · Score: 5, Informative

      "The Lives of Others (German: Das Leben der Anderen) is a 2006 German drama film, marking the feature film debut of filmmaker Florian Henckel von Donnersmarck, about the monitoring of East Berlin by agents of the Stasi, the GDR's secret police. It stars Ulrich Mühe as Stasi Captain Gerd Wiesler, Ulrich Tukur as his superior Anton Grubitz, Sebastian Koch as the playwright Georg Dreyman, and Martina Gedeck as Dreyman's lover, a prominent actress named Christa-Maria Sieland."

      http://en.wikipedia.org/wiki/The_Lives_of_Others

    2. Re:The Stasi & Stripes by Anonymous Coward · · Score: 5, Insightful

      > How is this different from what the Stasi did?

      They were at least honest about the fact that they were doing it. Also, I don't think it was unconstitutional in Germany, so it wasn't the government acting rogue like we have now.

  4. Required quote from Casablanca by sandbagger · · Score: 5, Interesting

    Major Strasser: We have a complete dossier on you: Richard Blaine, American, age 37. Cannot return to his country. The reason is a little vague. We also know what you did in Paris, Mr. Blaine, and also we know why you left Paris.
    [hands the dossier to Rick]
    Major Strasser: Don't worry, we are not going to broadcast it.
    Rick: [reading] Are my eyes really brown?

    --
    ---- The above post was generated by the Turing Institute. Maybe.
  5. This isn't news by GrandCow · · Score: 4, Insightful

    Really, is there anyone out there (reading this site) that doesn't know that you have no privacy anywhere anymore?

    The actual question is: what are you going to do about it?

    --
    "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
  6. PCI-DSS by Alioth · · Score: 5, Insightful

    As an organisation accredited to be following PCI-DSS, we would be crucified if the PCI auditor found us holding the PAN (the long number on the front of your credit card, PAN = primary account number) in plain text. Surely the airlines/booking agents should not be passing the PAN to anyone else if they are following PCI-DSS (which is mandatory if you want to accept card payments)?

    1. Re:PCI-DSS by Loki_1929 · · Score: 4, Interesting

      > As an organisation accredited to be following PCI-DSS

      You aren't accredited to be following PCI because nobody is. There is no certificate. There is no special seal of approval. You provided security information to your acquiring bank(s) and you were allowed to process credit card transactions. There's no such thing as certification or accreditation for PCI.

      > we would be crucified if the PCI auditor found us holding the PAN (the long number on the front of your credit card, PAN = primary account number) in plain text. Surely the airlines/booking agents should not be passing the PAN to anyone else if they are following PCI-DSS (which is mandatory if you want to accept card payments)?

      Who says they're holding the PAN in plaintext? They can decrypt it to send it to the Feds as needed without keeping it in plaintext in their systems. The Feds have no agreement with an acquiring bank, so they don't have to worry about how they store it. Nobody can do anything to them. Any agreement the airlines have with their acquiring banks undoubtedly includes plenty of cover for Federal data reporting requirements (likely a blanket "if the Feds come calling, we're just going to give them everything"). So long as the acquiring banks have signed off on it, they're in the clear. And since all these guys would like to continue doing business in the largest economy in the world, nobody's going to say no.

      --
      -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
  7. Does the country you're a national of.... by Mister+Liberty · · Score: 4, Insightful

    have a constitution that has some renown, and maybe organized defenders of same?
    If so, get in touch with them, organize, get active.

  8. Re:This is news? by NicBenjamin · · Score: 5, Insightful

    Because most of the time the airline blacks out most of the Credit Card before sending it to the Feds. In theory the Feds are only supposed to have the last four digits, because that should be enough (when combined with name and expiration date) to identify the card.

    This is actually a pretty typical story on this issue. The Feds collect data that can be very useful in searching for terrorists, but they don't actually look at it much. They do a computer search, and most of it will never come up. So the airline sent them more than it should, and maybe somebody noticed, but nobody cared. So it got sent to his file folders (both electronic and physical). Then he FOIA'd the info, and since nobody FOIA's the info they had no procedure to respond to the FOIA, so he got it in a ridiculous way (two batches, the first batch of which he had not asked for, and the second batch seems to have been totally unexpected).

    If you think privacy rights are incredibly important, and are sincerely worried that Obama isn't enforcing them better, it's terrifying that a federal Agent could have stolen his CC info. And it's even more terrifying that there's no bureaucrat in charge of purging irrelevant info (like his CC number).

    If you're me, and you take a more philosophical view of the whole issue, you note that a bureaucrat in charge of looking at his info would have looked at his info. Said info was highly unlikely to leak from the TSA to anyone else unless a) they had probable cause due to some investigation, or b) some enterprising agent decided to go over his file and verify it. Federal agencies just don't share information with each other the way privacy purists imagine in their nightmares, rather they hoard it and then exaggerate the info-hoard's usefulness in powerpoints demanding an increased budget.

  9. Not effective by HangingChad · · Score: 5, Insightful

    This kind of mass data collection on everyone is a huge waste of resources. The more people you add to a database, the less relevant it becomes for anything. People who know tradecraft know how to cover their tracks and pollute big data. So this is basically a giant database of amateurs, stupid crooks and ordinary civilians.

    Another problem with big data is the large number of errors. I've run big databases where users were motivated to provide good data and there were still gaps in the data, misspelled names, numbers transposed, and some entries locked out because they were trying to enter duplicate primary keys. Travel data is coming in fast, I can't imagine what the exception reports look like every day.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:Not effective by linearz69 · · Score: 4, Insightful

      Writing this off as not effective misses the point. Most reasonable people - certainly most reasonable technical people - know this is ineffective. But this isn't about finding terrorists.....

      If a defense contractor can convince bureaucrats and politicians that an ineffective big system can effectively ID potential terrorists, then we are left with either a false sense of security and/or a lot of innocent people being treated like potential terrorists. It makes for good security theater at the expense of civil liberties.

  10. Re:This is news? by mattwarden · · Score: 4, Insightful

    So, do you believe abuses like those described here do not happen as a regular course of business: "NSA Employees Routinely Pass Around Nude Photos Obtained Via Mass Surveillance" http://www.zerohedge.com/news/...

    I find that naive. Now, do I care? Not really. But I understand why some people might, and I don't consider that privacy purity.

  11. Re:This is news? by Antique+Geekmeister · · Score: 5, Insightful

    > And we can actually be quite sure it was not widely shared at the TSA, because if it had been some asshole would have stolen his Credit Card number.

    Except that they're available, in bulk, to whoever administers that database. And a theft or loss of a backup of that database is hideously unlikely to ever be reported, for "national security reasons" but also to reduce bureaucratic business. And given the history of federal agency personal and political fraud against private citizens, especially politically active citizens, it verifies that they have far too much data, far too easily accessed, available at whim for whatever purpose is desired.

    Just because "it's boring text" does not mean it's not incredibly useful for political espionage or frame-ups. Please, do not try to claim that it "wouldn't happen here". The abuse of confidential federal information to harass political opponents certainly _has_ happened here, in the McCarthy hunt for Communists, with the Committee to Re-Elect the President in Nixon's presidential reign whose failures cost Richard Nixon his presidency, and with the Valerie Plame affair during George W. Bush's presidency.

    The collection and aggregation of "uninteresting" private information or "metadata" represent risks to political careers and private liberty that will not cease simply because "who would care" or "it's dull". It's hardly dull to be able to use someone's personal information and credit card data to track the nature, times, and location of _every purchase_, and have warrant free monitoring of travels and personal business. And there is, effectively, no oversight of such access because it's the NSA: they operate under a tremendous shroud of national security that prevents rational oversight of such sensitive information.

  12. Re:This is news? by NicBenjamin · · Score: 5, Insightful

    You realize Hoover never had access to any non-FBI database? Neither did HUAC et al. And there are plenty of Federal databases besides the FBI. In another thread I mentioned three that are actually a lot more dangerous, and a lot older, than anything we're talking about: the Census, Social Security, and the IRS. Neither the CREEPs nor the Plame Scandal involved the use of a Federal database. Plame was not even a database at all. Rove was talking to a random guy about her husband, and he mentioned the CIA connection. The CREEP did not abuse any Federal databases, it tried to steal information that could not be added to those databases (like reports from the shrink of a guy who pissed Nixon off).

    I'll note here you haven't managed to quote the only actual example of a Federal database being used against US Citizens (Japanese internment).

    So while I will agree, that in theory this database could be used by a future Hoover, I will also point out that it is quite useful in numerous actual law enforcement situations. Terrorism actually exists, even tho we like to pretend it no longer counts just because almost all the victims are black Africans. I disagree with much of the war on drugs, but the drug runners are not nice people. Both groups use the US Air network, and if there's any pattern to their usage we can't find that out unless it's recorded somewhere. Given that the US Government is pretty consistent in its evils (they tend to involve totally ignoring the Constitution to get new data, and/or abuse minorities; using data from existing data sources just isn't the MO), the long-term risk of them abusing old data is quite low. Call it 5%.

    So we have a database, that will be useful in numerous perfectly legitimate law enforcement operations, and a small risk of it leading to bad things. You're free to conclude any risk is too much, but I think that risk is fine.

  13. Re:this is news? by Concerned+Onlooker · · Score: 5, Insightful

    The surprise twist ending is when we end up with an authoritarian regime because too many people just sighed and said, "this is news?" any time something that should outrage us happened.

    --
    http://www.rootstrikers.org/
  14. Re:This is news? by flyneye · · Score: 5, Insightful

    Anyone who believes that, go stand on your head in the corner and be counted.

    --
    *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
  15. Re:if you've voted R or D... by jeIIomizer · · Score: 4, Insightful

    The only wasted vote is a vote for provably evil scumbags. To say that someone else might win because I cast my vote for someone who isn't an evil scumbag is extremely short-sighted; nothing is ever going to change if people do not take a stand. And win or not, people voting for third parties sends a message to The One Party.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  16. Re:This is news? by Antique+Geekmeister · · Score: 4, Insightful

    The Nisei were a wholesale incarceration, and was quite public. I was referring more to illegal acts in living memory. The other acts involved the abuse of private information, held in federal hands. It doesn't have to be in a database. The extent of the data and its ease of access _expand_ the risk, not reduce it.

    > So we have a database, that will be useful in numerous perfectly legitimate law enforcement operations, and a small risk of it leading to bad things

    The "risk" is real. I'm afraid that its abuse is inevitable with so much data concentrated behind closed doors, without any judicial review or enforceable consequences for its misuse.

  17. Re:This is news? by TheRaven64 · · Score: 4, Insightful

    The problem is in your phrasing of it as 'government abuses'. For the most part, it's not 'the government', as a monolithic entity acting based on policy that is abusing the power, it's individuals whose abuses are enabled by the government's programs. There's a political split over whether you can trust 'the government', but both sides agree that you probably can't trust an underpaid civil servant with a Napoleon complex.

    --
    I am TheRaven on Soylent News
  18. Re:this is news? by nabsltd · · Score: 4, Funny

    > You guys are stuck with a stupid two-party system, all you can do is vote for the lesser of two evils.

    The solution is obvious: vote Cthulhu