Friday, 18 March 2016

Ever wondered what airlines and airports do with your data?

The recent battle between Apple and the US Federal Bureau of Investigation has revived the long-standing debate over privacy and cyber security. The FBI argues that a backdoor to iPhone security would be greatly beneficial for catching terrorists such as the ones responsible for the December mass shootings in California, but tech companies state that it could also potentially turn into a massive vault. Meanwhile, airlines and airports are also known for collecting certain data from passengers, but little is known about the way that such data is handled.

Airports aren't the ones collecting data

Airlines collect large amounts of individual passenger data every day. They store booking records, credit card data, payment information, even food or seating preferences. By saving this kind of information, carriers can significantly improve the management of their businesses: they can adjust prices, avoid over-capacity and plan their routes accordingly.
Unlike airlines, airports do not normally create their own personal databases for their daily activities and procedures. Certain personal data, such as names, emails, or phone numbers, is saved only when pre-booking a parking service and collecting customer feedback. Airports do, however, monitor the relevant generalized statistics about travelers, but cannot tell if a certain passenger is visiting the hub on any given day.
While airports do not save any records of their passengers’ names, addresses, phone numbers or credit card information, some hubs collect information based on travelers’ movements in the building. This type of data collection can help to avoid congestion, for example, “by spotting bottlenecks and this way improving passenger experience further,” comments Petra Laivonen, Communications Specialist at Helsinki Airport.

Rights of passengers

As a common rule, individual passenger data has to be provided to the carrier in order to complete a contract between a traveler and an airline. Carriers themselves confirm whether the provision of that information is mandatory for the flight to be booked. Anya Burgess, the Lead Communications Officer at the Information Commissioner's Office (the independent national data protection body in the UK), states that if a data subject has a complaint regarding the way his or her data has been processed by the carrier, that complaint may be brought to the data protection body for a compliance assessment.

Nonetheless, passengers must be able to access their personal data and change their preferences at any given time. Who is responsible for the data they provide? Travelers themselves.
Data is owned by the passenger, meaning that “passengers are actually in charge of their data”, states Paul Weber, Press Officer of Corporate Affairs at Amsterdam Airport Schiphol.
“Also, airlines and airports must be transparent in how their compliance is enforced, regarding (legal) regulations on personal data.”

Is the data collected really safe?

Airlines store individual passenger data in special database partitions of a Computerized Reservation System (CRS). It is organized in the form of passenger name records, or PNRs. PNRs can comprise names, addresses, phone numbers, credit card information, ethnic origin and passport numbers.
Unsurprisingly, when trying to steal PNRs, the first step of an attacker is to obtain the username and password of the database administrator. Once a hacker gains access to the system, he is able to copy all the information from the database and place it on a server he controls.
Bad news for passengers – many companies do not conduct their internal and external audits on a regular basis, so long periods of time may pass until they realize that there has been a breach and the data was stolen.
In August 2015 the largest carriers in the US – United and American Airlines – as well as the country’s government were breached by a hacker group linked to China. It is believed that the attackers stole personal, medical and employment information of millions of government employees. A foreign country could use that information to track U.S. officials and employees to detect military or intelligence operations.
According to a spokesman for DB Networks (a privately held information security company in the US), flight reservations do not have much value on the black market.
“However, if you combine flight records with stolen health records, personnel records, etc. the result is an extremely valuable portfolio of personal information that could be used for any sort of nefarious scheme.”
So is your personal data potentially served to hackers on a silver platter? According to Isabelle Arthur, a Media Relations manager at Air Canada, airlines encrypt customer information at the time of the booking process and their systems are monitored on a regular basis to ensure the highest security levels.

How to protect information in the future?

Peter Tran, the GM & Senior Director at RSA (an advanced cyber defense technology company), has agreed to share some tips that passengers could make use of in order to ensure the safety of their private data.
According to Tran, you should always “use multi-factor authentication when available, avoid open airport WiFi hotspots, USB charging stations as well as the use of Bluetooth and Near Field Communication (NFC) over mobile devices when traveling through airports and over in-flight network services.”
As for carriers, DB Networks recommends installing technology “that uses machine learning and behavior analysis to immediately and automatically identify when a database credential has been stolen and is being abused by an attacker.”

In conclusion

Airlines collect individual passenger data, such as booking records and credit card data, every day in order to improve the management of their businesses. Unlike carriers, airports usually do not create their own personal databases; only larger hubs collect passenger movement information to increase the flow in the airport. Such information is encrypted, protected and transmitted to third parties only under the privacy laws valid in the countries where the companies operate. Currently, over 100 countries have privacy laws that help minimize needless monitoring of individual passenger data and regulate private companies. The most comprehensive ones are in the countries of the European Union and the European Economic Area that have implemented the 1995 Data Protection Directive, while the United States is known for not having a single information privacy law, but having several sectoral laws in other areas. Because some of them involve statutory interpretation, instead of constitutional rights, there has been an ongoing dispute between Apple and the FBI, and the decision could be made by the Supreme Court.
