By Christopher Elliott
Special to The Washington Post
Friday, July 30, 2010; 2:14 PM
Thanks for the birthday card, Southwest Airlines.
The computer-generated missive, complete with signatures of the airline's executives, landed in my mailbox just before the big day. At first I was flattered by the thoughtful gesture. But then I was troubled.
How did they know my birthday?
And then it occurred to me: Airlines are now requiring passengers to provide their full name as it appears on a government-issued I.D., their date of birth and their gender as part of the Transportation Security Administration's new Secure Flight initiative.
You probably know Secure Flight as the pesky requirement that the name on your passport or driver's license be an exact match with the name on your airline ticket. But the program is much more than that. With the extra passenger data, the agency promises to improve the travel experience for all airline passengers, particularly those who have been misidentified as terrorists in the past.
With Secure Flight now operational domestically and expected to be in place for international flights by the end of the year, I think it's worth asking how those data are being employed. Specifically, can an airline use my personal information, such as my date of birth, to send me a card - or a promotional offer?
Southwest says it doesn't use Secure Flight data for promotional purposes and complies with all rules regarding the information. And in fact, a review of my records showed that I'd given Southwest my date of birth when I updated my frequent-flier account information several months earlier.
I asked the TSA about the personal information used for the program, and a representative pointed me to a statement on the agency's Web site assuring air travelers that the data are collected, used, distributed, stored and disposed of according to stringent guidelines and all applicable privacy laws and regulations.
The actual requirement can be found in a document called the System of Records Notice. It specifies what information can be gathered (your name, birth date and gender), whom it can be shared with (the TSA and various law enforcement agencies, as appropriate) and when it must be disposed of (a week after your flight, for most records).
Seems pretty reasonable. And my attitude toward privacy appears to be common among the jet set.
"I honestly don't mind providing an airline with data," said Lawrence Sherman, an executive with an educational company in Fort Washington, Pa. "I don't want the info to be used for other purposes."
But airlines see an opportunity to "maximize the marketing and other commercial value of this government-coerced informational windfall,"asserted Edward Hasbrouck, a consultant to the Identity Project, a privacy advocacy organization for travelers. And drawing a fine line between data collected for Secure Flight and information gathered for other purposes, such as frequent-flier program account information, may allow them to do that.
"It renders meaningless any restrictions on which of this data is retained, or for how long, by the government itself," Hasbrouck added.
I checked with several federal agencies, including the Department of Transportation and the Federal Trade Commission, that might have jurisdiction over data included in airline reservations.
The Transportation Department allows air carriers to articulate their own data privacy policies in their contract of carriage, which is the legal agreement with passengers. It can fine the airlines for violating those self-imposed rules. A spokesman for the Federal Trade Commission told me his agency has no authority over airlines.
Larry Ponemon, whose Traverse City, Mich., institute conducts independent research on privacy, data protection and information security policy, said the airlines are already collecting the information the government is requesting. Secure Flight merely requires that such information "be given to TSA for the purpose of screening passenger manifests against terror watch lists," he said.
Could it be that the information we give airlines doesn't belong to anyone or, worse, isn't regulated by anyone?
No, said Thom VanHorn, a vice president for Application Security, a New York database security firm. Even if you discount the TSA regulations, airlines must still follow federal compliance mandates under the Federal Information Security Management Act, the Privacy Act and other statues. These are broad regulations that don't specifically apply to airlines, he said, but they would prohibit an airline from, say, releasing the credit card information or Social Security numbers of its customers to a third party.
The TSA also allows air travelers to refuse to provide the information, VanHorn said. "However, they may be subject to additional screening or denied boarding," he said.
When I contacted Southwest to say thank you for my birthday card and to find out where the airline had gotten my information, spokesman Chris Mainz said that indeed, the data came from my Rapid Rewards frequent-flier program profile and had "nothing to do with Secure Flight."
When I searched my e-mail files, I found that Southwest had in fact required me to update my Rapid Rewards information, adding my birth date and other data, and cited the need to satisfy the TSA for Secure Flight when it did. So technically, I gave the data to Southwest, and it passed the information to the TSA.
"We protect [Secure Flight] information the same as we would protect credit card information and only use it for the information that is required by the TSA," Mainz said.
I find the airline's explanation both reassuring and problematic. I'd like to see this issue addressed in airline privacy policies, to reassure customers that the information isn't being passed along to a third party.
But in a world where privacy is fast becoming obsolete, does anyone really care?
Elliott is National Geographic Traveler magazine's reader advocate. E-mail him at firstname.lastname@example.org.