Major US Airlines are Selling Your Travel Data: The Parties Involved, Risks, and Tips

Do you feel jitters every time you’re about to board a flight? Your palms become sweaty, and you start rehearsing what to do in case something goes wrong. But what’s worse, while you’re clutching the armrest at 30,000 feet, your personal data is also soaring behind the scenes.

Major airlines (Delta, United, American, and Southwest) are sharing travel data with the DHS. This can lead to data breaches, scams, identity theft, targeted ads, and loss of control.

Did you know? Our personal data starts a different journey whenever we go online, buy something, or sign up for a service. It will be collected and passed around by data brokers and different companies, even those you’ve never heard of. Now, airlines have joined the ranks of these data profiteers.

In recent reports, it was revealed that the Major U.S. airlines (including Delta, United, American, and Southwest) have been quietly sharing travel data with the Department of Homeland Security (DHS).

That's because the DHS has access to the Airlines Reporting Corporation (ARC), which is a data broker company that offers ticket transaction settlement for airlines, travel agencies, and travel management companies. This means that ARC deals with vast amounts of data. In fact, the company holds itinerary and personal data for over half of all global flights.

The ARC was created with the intention of supporting law enforcement after the 9/11 attacks. They’ve already amassed more than a billion travel records.

It was revealed that the ARC had a $776,750 contract that allows ICE to search for data, even if passengers don’t know about it.

Now, critics are saying this agreement lacks transparency. That’s mostly because airline privacy policies rarely mention “ARC” or the fact that the government has access.

The DHS is defending the program, claiming that the agreement contributes to investigations. Still, this deal raises concerns about the growing surveillance in travel, including:

• Real ID
• Airport facial recognition
• Long-term storage of biometric data

And the thing is, the DHS isn’t the only organization that may have access to your travel data. Airlines can sell your information to third-party companies, data brokers, insurers, analytic firms, and advertisers. That’s how the multi-billion-dollar data broker industry works.

You won’t know about this because of “partner sharing clauses” buried in lengthy fine print. There are also terms that you might’ve agreed to without seeing that they allow data sharing.

Basically, whenever you book that summer trip, you’re not just picking the hotel and the airline, but also a data dealer.

Now, you might say: “I’ve got nothing to hide. I’m innocent. This is not a problem for me.”

The problem is not just that the government has access to your data. Even if you’re not scheming a top-secret mission, you should care that your data is being shared or sold. Here are 4 reasons why:

Airlines, the government, and every company that collects your data can get hacked. This puts your data at risk.

In fact, there’s a rise in cyberattacks on the aviation industry. One major incident is the Cathay Pacific data breach.

The attack had been ongoing since October 2014, but the company only detected it in March 2018. What’s worse, the company only released a public disclosure in October 2018.

This breach affected over 9 million passengers. The compromised data includes:

• Nationalities
• Names
• Dates of birth
• Email addresses
• Phone numbers
• Physical addresses
• Passport numbers
• History of travel information
• Membership numbers
• Credit card details

After a data breach, your data will likely be sold on the dark web. Once it’s there, it’ll be hard or impossible to remove.

With your data exposed online and on the dark web, you’ll be at risk of scams and identity theft.

For example, with your phone number, scammers can send you phishing and smishing attacks. You might start receiving convincing messages that will trick you into sending more information or money.

If your itinerary and booking data get leaked, scammers can impersonate you to request flight changes, claim fake refunds, and even sell fraudulent rebookings to other travelers.

Aside from scams, constant data collection leads to increased targeted ads, too many, and it will be creepy.

For example, when you’re booking a flight, you’ll start getting targeted ads for car rentals, hotels, and even SIM cards to buy and use in your destination city. It will be all over the place, you won’t even be able to navigate the booking website.

Basically, the more data companies have on you, the more aggressive they become when marketing to you.

Once your data is out there, it’ll be hard to remove. That’s because your data will be passed down to countless companies.

Deleting your data is like trying to stop your secret from being told to everyone when that one friend has already whispered it to everyone at the party.

And what’s worse, you may never know who else has your data. You can’t request a data removal if you don’t know who to ask.

This loss of control over your data can lead to data misuse, transparency gaps, and algorithmic bias.

This doesn’t mean that you have to throw away your passport or stop taking trips. There are things you can do to protect yourself without sacrificing your upcoming trip to Rome or Japan.

• Protection 1: Use Privacy-Focused Platforms: Whenever you’re booking for a trip, use only official airline websites. Don’t use sites of aggregators like travel agencies because they’re likely selling data and are prone to data leaks. It’s also ideal to use privacy-friendly browsers (e.g., Firefox and Brave) that block tracking.
  
• Protection 2: Don’t Log In Just to Book: When there’s an option to book as a guest, take it as it reduces privacy compromises.
  
• Protection 3: Use Alias Emails & Virtual Cards: If you have to log in, use alias emails, which will protect your real email address, and you can easily dispose. That way, your real email can’t be tracked, won’t receive spam, and will be safe from data breaches. Also, use virtual cards, which are one-time-use credit card numbers. This will help you avoid tracking and cross-referencing of your travel activity.
  
• Protection 4: Use a VPN: When you book, use a virtual private network or VPN. This will help you mask your IP address. Plus, it’ll prevent tracking.
  
• Protection 5: Opt Out (When Possible): Check every privacy setting and opt-out boxes when you’re booking for a flight. Don’t forget about data brokers. Make sure they can’t collect your data. You can start with:
  • Airlines Reporting Corporation (ARC)
  • Epsilon
  • Acxiom
  • Experian
  • Booking Holdings

Traveling is about adventure and relaxation. It shouldn’t be something we should worry about because our data is at risk.

When you book your next getaway, remember the tips we shared earlier. Travel smart, and keep your digital footprint as tiny as your flight seat legroom.

How can you know if a data broker has your data?

One way to know that data brokers have your data is by searching for yourself on Google. Search for your name, number, and email address. If your details show up, then a data broker has your data. You can also visit each data broker website, like Spokeo and Whitepages, to search for your information.

How do brokers track you?

Data brokers get your data and track you via public records (e.g., court documents and property ownership) and online activity (e.g., cookies, social media scraping, and web tracking). They also use loyalty programs, apps, credit reporting, and financial institutions.