Another data aggregator got airline reservations

In the course of an article on the efforts of high-technology companies on Masachusetts Route 128 to profit from the homeland security gravy train, the Boston Globe reports today that data aggregator LocatePLUS Holdings “has worked with the FBI to analyze the manifests of the four planes involved in the Sept. 11 terrorist attacks in an attempt to identify people who were not on the agency’s watch list, but should be.”

According to the “Investor Relations” section of the company’s Web site, “Since March 1, 2000, we have maintained a database that is accessible through the Internet, known as LocatePLUS. Our LocatePLUS product contains searchable and cross-referenced public information on 98% of the adult population in the United States, including individuals’ names, addresses, dates of birth, Social Security numbers, prior residences, and, in certain circumstances, real estate holdings, recorded bankruptcies, liens, judgments, drivers’ license information and motor vehicle records.”

The “passenger manifests” obtained by the FBI after 11 September 2001 actually included an entire year of passenger name records (PNRs) from Northwest Airlines, and an undisclosed volume of PNRs from American, United, and probably other airlines, according to admisisons by the airlines and documents obtained under the Freedom of Information Act by the Electronic Privacy Information Center.

Today’s story in the Globe is, so far as I know, the first — although unsurprising — indication that the FBI “shared” any of the airline reservation data with commercial data aggrgrators. The Globe article, apparently based on the boasts of LocatePLUS founder and CEO Jon Latorella, doesn’t mention whether the PNR data was retained by LocatePLUS, integrated with its other data holdings, added to its inventory of personal information for sale, or exposed to public access during subsequent lapses of LocatePLUS data security.

In December 2003, LocatePLUS left its database, including “millions of names, social security numbers, phone records and public records such as residential histories” open to public access over the Internet for several hours.

If LocatePLUS did expose airline reservation data to Internet access, it wouldn’t have been alone: all four of the major computerized reservation systems that host most airline reservations worldwide operate Web sites through which reservations can be viewed without the knowledge or consent of the travellers and, in three of the four cases, with no semblance of a password. But those systems generally make reservations available for a limited time — no more than a year, usually less — after the completion of the trip.