"What can I do to protect my PNR data?"

Since the recent public demonstration of some of the security and privacy vulnerabilities of airline reservations systems that I’ve been writing and speaking about for more than 15 years, people have been asking me, “What can I do to protect myself against stalking, harassment, surveillance, and fraud when I travel?”

Here are some answers from an interview I gave last week to Lucia Blasco of the BBC World Service:

BBC: What kind of information is included in airline reservations?

Edward Hasbrouck: There are two key pieces of data.

The “record locator” is the 5 or 6 characters that are used to retrieve the PNR.

The Passenger Name Record (PNR) is the record in the CRS or GDS database that contains all the information about your trip.

(Some people refer to the record locator as “the PNR”, but this is incorrect.)

The “record locator” is used on airline and travel agency and CRS/GDS Web sites to retrieve your PNR. So anyone who has your (a) name and (b) record locator can (a) see and often also (b) change, cancel, or take over your reservations.

The record locator is used as though it were a password, but it meets none of the criteria for a strong password.

Travellers are not told that they need to keep the record locator secret, as though it were a password. It’s hard to keep it secret, since it is printed (or included in a bar code) in so many places including boarding passes and checked-baggage tags. You can’t chose your own record locator as a password — it is assigned automatically. Perhaps worst of all, the record locator can’t be changed if it is compromised.

As for the PNR (the record in the reservation database), it contains (a) the details of your trip, and (b) much more personal information than most people realize.

Most people have never seen a complete PNR, and much of the data in the PNR does not show up on printed itineraries. PNRs can include whether you and your travelling companion asked for one bed or two in your hotel room, whether you ordered a kosher or halal meal, your IP address and credit card number, etc., as discussed in my FAQ, What’s in a Passenger Name Record (PNR)?.

The most sensitive data in the PNR is the travel data itself: Where you will be and when you will be there. This could be used to stalk and harass you, to rob your home or kidnap your children while you are gone, for industrial espionage, etc.

BBC: Does this apply for every travel company?

EH: In general, there is a PNR in at least one one of the major CRS/GDS systems systems for almost every trip on a major airline. These systems are used by airlines, by offline travel agencies, and by online travel agencies such as Expedia, Opodo, etc. (as well as by other travel companies including hotels and car rental companies).

BBC: How easy is for a non-tech-savvy person to have access to this information?

EH: It’s easy, and no special technical skill is needed. All you need is the name of your victim (a stalker already knows that, of course) and the record locator.

An attacker (or their accomplice) can “shoulder-surf” the record locator on an itinerary if they stand behind the target in a check-in line, or photograph it from a distance, or overhear it on the phone, or get it from a baggage tag on the carousel at the airport or a discarded boarding pass or baggage tag, or get it by “pretexting” — calling the airline and pretending to be the passenger or a family member who is meeting them.

BBC: And for a hacker?

EH: It’s a little easier for a hacker than for a person with no expert knowledge or skill. But as the researchers from SRLabs said in their talk, they didn’t need to use a lot of hacking.

BBC: What are the threats against consumers?

EH: By far the most serious and common threats are stalking and domestic violence.

It is only a matter of time before a stalker uses PNR data to track his victim and kill or kidnap her and/or her children.

There are also potential threats of identity theft, and of burglars targeting travellers’ empty homes.

The threats of financial fraud are less serious, and mainly would cost airlines and travel agencies, not consumers.

BBC: What can the people do to protect their personal data when they travel?

EH: There are technical measures you can take (as discussed below), but they won’t be effective.

What is urgently needed, and what travellers need to demand, are (a) technical changes by the CRS companies (starting with user-selectable passwords for PNR access, and mandatory access logging), and (b) enforcement of existing data protection laws against CRS companies and airlines.

In Europe, there is a code of conduct for CRSs which is supposed to be enforced directly by the European Commission. It includes data protection rules which the CRSs are all violating, but it has not been enforced. This is a serious failure by the European Commission. Europeans can and should complain directly to the European Commission about this, and demand enforcement.

There are also national data protection authorities in each EU member state, and in other countries including Canada (but not the USA) whose laws are being violated.

As I said, real passwords and mandatory access logging are essential. There’s much more that could be done, but these have to come first, and are relatively easy technically. Not trivial, but definitely feasible.

BBC: In the meantime, what can travellers do?

EH: You have to treat your record locator as an especially sensitive password, because it can’t be changed.

Shred or burn all your boarding passes, luggage labels, and printed itineraries or printouts of e-mail from airlines or travel agencies that contain your record locator. (It may be in a bar code even if it isn’t written.)

Never carry a boarding pass or itinerary visible in public. Keep it folded, or in your pocket or purse.

Remove luggage tags (and hide them until you have a chance to shred or burn them) as soon as you claim your luggage.

(A burglar could easily collect the travel information of everyone on a flight from the record locators on the tags on their bags on the baggage claim carousel. There is nothing you can do to stop that. Airlines should not print record locators on baggage tags, or include them in bar codes on those tags.)

Never say your record locator out loud or on the phone in a public place.

Never tell anyone except the airline or your travel agent or someone you trust completely your record locator or forward e-mail that includes it.

Don’t take or post photos, or let anyone else take them or post them, that include your boarding pass, baggage check, or any other airline document that includes your record locator or a bar code (most of these bar codes include the record locator).

If all this sounds difficult or impossible, it is! That’s why travellers should demand that data protection authorities force CRS companies to fix their systems. In the US, as I’ve been saying for many years, Congress needs to enact a Federal privacy law applicable to travel data and to the CRSs.

BBC: Is there anything else that travellers should know?

EH: These are not new or unknown or surprising vulnerabilities. I wrote about them in books and on my Web site, and told all the major CRS companies about them starting more than 15 years ago. I offered to help the CRS companies fix these problems, but they ignored me.

The CRS companies have made a deliberate decision not to fix these known security flaws. They have chosen to ignore the law, and to ignore the threat to the public. The public needs to demand that governments force these companies to change.