Friday, 22 August 2014

Key U.S. Senator questions airlines on privacy practices

The Chairman of the Senate Commerce Committee, Jay Rockefeller (D-WV), has sent a public letter of inquiry this week to the ten largest USA-based airlines, asking them to respond by 5 September 2014 to a series of questions about consumer issues including what information airlines collect about travellers, how long they retain this information, how they use and share it, and whether they allow consumers to access the information that airlines have on file about them.

In announcing this action, Sen. Rockefeller notes that:

Currently, there is no federal privacy law that covers the collection, use, and disclosure of consumer travel information. Because of this gap in federal law, consumer advocates have expressed concern that airline privacy policies can contain substantial caveats and that it is difficult for consumers to learn what information airlines and others in the travel sector are collecting, keeping, and sharing about them.

Sen. Rockefeller's letter didn't name those "consumer advocates", and I've never had any direct interaction with his staff or that of the committee he chairs. But I assume that his letter was referring to, and prompted in significant part by:

  1. The comments I submitted to the Federal Trade Commission on behalf of a coalition of consumer and privacy organizations in 2009;
  2. The presentation I gave as the sole consumer advocate invited to testify at a hearing called by the Department of Transportation's "Advisory Committee for Aviation Consumer Protection" in May of 2013; and
  3. The joint letter I sent to the ACACP in December 2013 on behalf of a much longer list of consumer advocacy, privacy, and civil liberties organizations.

Thanks are due to all of the organizations that co-signed these joint appeals, and especially to Charlie Leocha of Travelers United (formerly the Consumer Travel Alliance), for getting this issue on the ACACP agenda and helping to bring it to the attention of Congress as a consumer protection matter.

There's been slight but non-zero interest over the years from a few members of Congress in what information government agencies collect and retain about travellers, and how they use that data.

Sen. Rockefeller's letter is, however, the first time that any member of Congress has publicly -- or, so far as I know, privately -- expressed any interest whatsoever in any of the privacy issues related to commercial use by travel companies of personal data about travellers.

Government and commercial invasions of travellers' privacy are, in most real-world situations, inseparable. The U.S. government has root access to airline reservation databases, and makes its own mirror copies of airline customer relationship data included in commercial PNRs. Airlines and government agencies share passenger data promiscuously and "transparently" (i.e. opaquely), so travellers can't tell when they are providing information to an airline, when they are providing information to a police officer, and when -- especially at airports -- they are providing information to a two-faced minion of both government and commercial masters. Airlines get a free pass to use data for their own marketing and other purposes that travellers provide only under government coercion. Even those people and organizations who have been concerned only about governments as invaders of travellers' privacy ought to be at least equally concerned about travel industry privacy (invasion) practices.

Sen. Rockefeller's letter of inquiry isn't a subpoena, and isn't formally backed by the full committee. But it carries the implicit threat of follow-up action that could include subpoenas, hearings, and/or the introduction of legislative proposals if the airlines don't give satisfactory answers.

And Sen. Rockefeller is asking many of the right questions:

Do you retain personal information that your company obtains from consumers when they shop for airfares or from other sources? If yes:

  • State the period of time your company retains such information and what specific data points you retain;
  • State any specific sources for personal information or other such information your company obtains directly from consumers;...
  • State whether you provide consumers the right to access the information you maintain about them... ;
  • State whether you sell or share this information, and if you do, describe what information you share, with whom you share it, and the purposes for which you share it; and
  • Provide a copy of your company’s privacy policy and describe when and how you make this available to consumers.

I expect that airlines' responses to Sen. Rockefeller's inquiry will be as incomplete and disingenuous as the stories that airline industry representatives told the ACACP at its hearing last year.

In practice, I've found no airline (even among the airlines based in Canada and the EU where this is required by law) that actually allows travellers to obtain all of the records that the airline keeps about them, including records such as browsing logs for registered and signed-in users of airline Web sites, despite airlines' plans to use this data to personalize ticket prices.

In practice, I've found no airline that accepts responsibility for data collection, retention, use, or sharing by travel agencies, even when those agencies are explicitly appointed to act, and explicitly state that they are acting, solely as agents of the airlines in executing contracts of carriage to which only the airlines, and not the agencies, are actually parties.

In practice, I've found no airline that complies with its privacy policies (if it publishes any).

In practice, no airline that outsources hosting of some or all of its reservation records (either or both those PNRs created directly by the airline or those PNRs created by the airline's agents) to any of the major computerized reservation systems could possibly provide a complete accounting of third parties who have accessed personal information contained on those PNRs, since none of the major CRSs keep logs of who has accessed which PNRs (and each of them aggregates data from thousands of travel companies and has tens of thousands of "authorized" users around the world).

Airlines are almost certain to lie or obfuscate to Sen. Rockefeller on all of these points.

Hopefully, Sen. Rockefeller will publish the airlines' responses, consult with independent experts, and move forward, along with other members of the Commerce Committee, to hold hearings on this issue and sponsor either a general Federal consumer privacy law that includes airlines along with other types of companies (as do such laws in Canada and the EU), or, failing that, a strong specific travel privacy law applicable to airlines, travel agencies, computerized reservation systems, and their contractors and outsourced data processing vendors.

Link | Posted by Edward on Friday, 22 August 2014, 16:32 ( 4:32 PM) | TrackBack (0)
Comments

"Are domestic airlines making money by fleecing consumers?" (by Christopher Elliott, Washington Post, 29 August 2014):

http://www.washingtonpost.com/lifestyle/travel/are-domestic-airlines-making-money-by-fleecing-consumers/2014/08/28/5d2c7c08-2a19-11e4-958c-268a320a60ce_story.html

Posted by: Edward Hasbrouck, 29 August 2014, 10:36 (10:36 AM)

Good info. Thanks.

Posted by: Louise Lacey, 12 September 2014, 09:08 ( 9:08 AM)