Dark side of Rewards Miles and government surveillance: DOT monitors how airlines misuse your data

The Department of Transportation is initiating a new review of airline privacy practices, impacting both frequent flyer programs and civil liberties.

DOT is monitoring the ten largest U.S. airlines for how they collect, manage and use passenger information – including whether they engage in unethical revenue generation or disseminating passenger data to third parties without proper authorization. According to Secretary Buttigieg:

Airline passengers must be able to trust that their personal data will not be inappropriately shared with third parties or mishandled by employees.

The agency will look at airlines’ data management policies, how they handle privacy breaches (I regularly hear from passengers receiving copies of other people’s itineraries!) and how they train staff in handling private data. The agency highlights the role that Senator Ron Wyden’s (D-OR) office has in advancing these issues. According to Senator Wyden,

Secretary Buttigieg and the Biden Administration deserve much credit for working with me to launch a new initiative to overhaul the privacy practices of major U.S. airlines.

Because consumers will often never know that their personal data has been misused or sold to shady data brokers, effective privacy regulation cannot depend on consumer complaints to detect corporate abuse. I will continue to work with DOT to ensure that airlines are held accountable for harmful or negligent privacy practices.

How airlines use and misuse data

There are two main uses of data, besides running the operations of an airline that carries passengers on planes (and of course they must comply with relevant data processing laws and take ordinary measures to protect that data).

  • Generate revenue through loyalty programs. They and their partners want to sell things to airline frequent flyer program members. The biggest here are the co-branded credit card partner banks.
  • Providing travel information to governments. Government agencies gain access to travel history and reservation data, and it is not always clear whether this has been authorized or disclosed to consumers. There are probably data usage violations here, but I would be surprised if the US government called out airlines for cooperating with it and other governments.

Governments obtain information about customers both officially (by accessing reservation data) and unofficially (by asking or paying low-level employees to provide this information).

The Drug Enforcement Administration pays employees to provide them with confidential information from their employers. The DEA is no longer allowed to do this with “quasi-government agencies like Amtrak,” but their internal policies have not changed to prohibit this with companies including airlines (and hotel chains).

Will the government crack down on government abuses?

Providing information to governments, in ways that are not public to customers and that do not result from proper oversight, certainly violates an airline’s obligation to protect corporate data. Government agencies should use a subpoena or at least legal and official channels to obtain customer information.

  • I’m skeptical that the Department of Transportation will go after airlines because their employees make data available to the DEA under such a scheme, but I’d like to see my skepticism proven.
  • Indeed, the Federal Trade Commission took action against a data broker that sold location data to defense companies, which then provided it to US intelligence agencies and the Department of Defense. So maybe!

Frequent Flyer programs are data warehouses

Because marketing relationships with third parties are the lifeblood of airlines, government efforts are at stake. Carriers will need to ensure that their attorneys update their privacy policies to reflect actual data sharing practices, if they are not already consistent.

At the same time, privacy policies ignore the core value of the information that companies possess. It’s theirs adopt behavioral models that information about you and turns it into predictive tools. That is why a consumer transacts with a brand; their intention that drives action; as well as the timing of their behavior.

Additional exposure areas for airlines

Other areas of potential liability include the processing of data of minors (both passengers and children with frequent flyer accounts!) and the movement of data between the US and EU for airlines with a European presence and partnerships.

What we should do to protect our privacy

Years ago I wrote that we are being followed. That ship has sailed. The idea that the government will protect us from tracking seems unlikely, because they do it more than anyone else. From license plate readers to storing geolocation data from mobile phones: the government can respond to almost anyone. They want companies to collect data because it makes their lives easier. That’s why I’ll be surprised if DOT sees aviation data sharing scale back in a meaningful way.

The most important thing is to control the power of those who have access to the information. It must hold governments to account, not just be a tool of governments. Companies need to be protected from rather than forced to become instruments of government surveillance, from banks to cell phone providers to social media and email services and… airlines. I just don’t see that happening, but I will applaud this effort if it makes even the slightest difference.

Leave a Reply

Your email address will not be published. Required fields are marked *