If it’s called Secure Flight, why do I feel so insecure?

Thanks for the birthday card, Southwest Airlines.

The computer-generated missive, complete with signatures of the airline’s executives, landed in my mailbox just before the big day. At first I was flattered by the thoughtful gesture. But then I was troubled.

How did they know my birthday?

And then it occurred to me: Airlines are now requiring passengers to provide their full name as it appears on a government-issued I.D., their date of birth and their gender as part of the Transportation Security Administration’s new Secure Flight initiative.

You probably know Secure Flight as the pesky requirement that the name on your passport or driver’s license be an exact match with the name on your airline ticket. But the program is much more than that. With the extra passenger data, the agency promises to improve the travel experience for all airline passengers, particularly those who have been misidentified as terrorists in the past.

With Secure Flight now operational domestically and expected to be in place for international flights by the end of the year, I think it’s worth asking how those data are being employed. Specifically, can an airline use my personal information, such as my date of birth, to send me a card – or a promotional offer?

Southwest says it doesn’t use Secure Flight data for promotional purposes and complies with all rules regarding the information. And in fact, a review of my records showed that I’d given Southwest my date of birth when I updated my frequent-flier account information several months earlier.

I asked the TSA about the personal information used for the program, and a representative pointed me to a statement on the agency’s Web site assuring air travelers that the data are collected, used, distributed, stored and disposed of according to stringent guidelines and all applicable privacy laws and regulations.

The actual requirement can be found in a document called the System of Records Notice. It specifies what information can be gathered (your name, birth date and gender), whom it can be shared with (the TSA and various law enforcement agencies, as appropriate) and when it must be disposed of (a week after your flight, for most records).

Seems pretty reasonable. And my attitude toward privacy appears to be common among the jet set.

“I honestly don’t mind providing an airline with data,” said Lawrence Sherman, an executive with an educational company in Fort Washington, Pa. “I don’t want the info to be used for other purposes.”

But airlines see an opportunity to “maximize the marketing and other commercial value of this government-coerced informational windfall,”asserted Edward Hasbrouck, a consultant to the Identity Project, a privacy advocacy organization for travelers. And drawing a fine line between data collected for Secure Flight and information gathered for other purposes, such as frequent-flier program account information, may allow them to do that.

“It renders meaningless any restrictions on which of this data is retained, or for how long, by the government itself,” Hasbrouck added.

I checked with several federal agencies, including the Department of Transportation and the Federal Trade Commission, that might have jurisdiction over data included in airline reservations.

The Transportation Department allows air carriers to articulate their own data privacy policies in their contract of carriage, which is the legal agreement with passengers. It can fine the airlines for violating those self-imposed rules. A spokesman for the Federal Trade Commission told me his agency has no authority over airlines.

Larry Ponemon, whose Traverse City, Mich., institute conducts independent research on privacy, data protection and information security policy, said the airlines are already collecting the information the government is requesting. Secure Flight merely requires that such information “be given to TSA for the purpose of screening passenger manifests against terror watch lists,” he said.

Could it be that the information we give airlines doesn’t belong to anyone or, worse, isn’t regulated by anyone?

No, said Thom VanHorn, a vice president for Application Security, a New York database security firm. Even if you discount the TSA regulations, airlines must still follow federal compliance mandates under the Federal Information Security Management Act, the Privacy Act and other statues. These are broad regulations that don’t specifically apply to airlines, he said, but they would prohibit an airline from, say, releasing the credit card information or Social Security numbers of its customers to a third party.

The TSA also allows air travelers to refuse to provide the information, VanHorn said. “However, they may be subject to additional screening or denied boarding,” he said.

When I contacted Southwest to say thank you for my birthday card and to find out where the airline had gotten my information, spokesman Chris Mainz said that indeed, the data came from my Rapid Rewards frequent-flier program profile and had “nothing to do with Secure Flight.”

When I searched my e-mail files, I found that Southwest had in fact required me to update my Rapid Rewards information, adding my birth date and other data, and cited the need to satisfy the TSA for Secure Flight when it did. So technically, I gave the data to Southwest, and it passed the information to the TSA.

“We protect [Secure Flight] information the same as we would protect credit card information and only use it for the information that is required by the TSA,” Mainz said.

I find the airline’s explanation both reassuring and problematic. I’d like to see this issue addressed in airline privacy policies, to reassure customers that the information isn’t being passed along to a third party.

But in a world where privacy is fast becoming obsolete, does anyone really care?

(Photo: M Agh/Flickr Creative Commons)

  • Joe R

    This really isn’t any different than Facebook, supermarket rewards cards, or any number of other programs or websites. We give away our privacy without blinking all over the place… why should this be any different?

    Very rarely does a company that promises not to share your information not pass it on to some “trusted” third party. What happens after that is anyone’s guess.

    People need to accept that we have no privacy any more. Your personal information is out there for anyone with the money to buy the right lists to use to their hearts’ content.

    All to make our lives “better” of course. Uh huh.

  • KF

    Southwest also obtains your birthday when you sign up for its Rapid Rewards programs – especially when you opt to receive drink coupons with your free tickets. I’ve gotten birthday cards for years from Southwest before secure flight.

  • Lisa S

    @Joe, except I don’t actually put my real birth date on any of the programs you listed. No way am I giving people access to information that could be used for security access to other accounts.

    I do agree that we don’t have privacy anymore, although I think people should be more wary of sharing their information and there should be more regulation preventing sharing. Charities have lost my patronage for sharing my information with unauthorized parties.

  • J Smith

    Thank you for this article.

    What are we going to do? Have you seen the movie Zero Effect? “Always give wrong information.” There are only eight (8) institutions that are required by law to have your social security number. Only give your social to those specific entities. For all other inquires just give a number – not your number but a number.

    This has gotten way out of hand. Take control of your information. “Always give wrong information.”

  • PZ3

    I’ve been getting these long before Secure Flight. It’s from your Rapid Rewards membership.

    On the “Identity Theft Freak Out Scale” I’m going to rate Southwest Airlines sending me a birthday card as a -1 out of 10. Chill.

  • Joe Farrell

    Mr. Smith – after social security, IRS and Dept of State, what would those other 4 be? I am asked for the number by dozens of places from my doctor to my escrow company. . . and I ALWAYS leave it blank. The escrow company told me that the title insurer said it was ‘absolutely needed to rule out other persons who have liens and other real estate issues.’ I told them to screw off – sure, you want to run my risk for title insurance – I understand that. But, you have my name, previous residences and date of birth. Go ahead, put my name in your database and see what comes up – if there are any other Joe Farrells with claims on their title insurance policy, you come back to me and we’ll talk about why they are not me. Only THEN would I turn over the information. You would not believe the vague threats and abuse I received – until after about 2 weeks – and running the name and coming up with no matches, they all of sudden went away and just wanted my money. Its funny how that is. . .. they had to work a little harder than simply entering my SSN – but I asked them what their data security practices were and got nothing in return other than they ‘don’t share it,’ which is a non-answer to that question.

    Since I work for myself and have since 1993, I never have to worry about the I9 form, and give my EIN when I get paid. Of course, once hired for job, well, thats not a problem obviously. My wife got a new job and THEN they wanted to run a background check and I told her to fill out the form and NOT give her SSN [since they never sought clearance to run a credit check on the form] and the company called me after she told them to speak with her lawyer. All they weer going to do was run a credit check – which they did not have any consent to do – and I pointed out the problems with their procedure and they ran for the hills. The employer then hired me to revamp their employment screening practices.

    When anyone except the Social Security admin or for a passport or IRS asks for your SSN say no. There is no reason to give it up. They’ll figure out a way to work around it unless they really need it, like to run a credit check. All anyone needs anymore is your SSN and they really don’t need anything else to get a mortgage or a give credit. Names and addresses are superfluous.

  • Jeanne in NE

    @Joe Farrell: Thanks for the information. I, too, am wondering what the other 4 agencies are to which J Smith referred. I do have a question about SSN that I have to resolve very soon: the water utility to which I am making application for service wants my SSN. I don’t hand that out. But your 2nd to last sentence refers to credit checks, which I presume is the reason that they want that info. How do you handle such situations?

  • Scott

    While this is a very important issue, I do want to point out Chris, that you dilute your argument when you approach your article by “attempting” to blame Secure Flight for something you did yourself. You then acknowledge it, but this is the equivalent of putting your retraction on page 13.

    Not appropriate.

  • jeneva

    this is unfortunate, sometimes air port authority forgets really vital issue for the sake of taking care other issue

    http://www.airticket.co.uk/

  • Joe Farrell

    I do not give my ssn to utilites – I ask them if they discriminate against illegal aliens – and that sends their politically correct corporates rears into a tizzy – you can offerto give them a deposit and then to bill you on a credit card – works every time

  • Karen P

    My birthday just passed and I didn’t get a card from Southwest Airlines! I’m a rewards member with them too and fly them a few times a year. What gives?

  • David Z

    @Karen P – maybe forgot to input your birthdate? :P