Shostack + Friends Blog Archive


Centers for Disease Control Want To Track All Travel

In “CDC plans flight e-tracking,” Bob Brewin of Government Health IT writes:

Battling a pandemic disease such as avian flu requires the ability to quickly track sick people and anyone they have contacted.

In response, Centers for Disease Control and Prevention officials have proposed new federal regulations to electronically track more than 600 million U.S. airline passengers a year traveling on more than 7 million flights through 67 hub airports.

There’s more quotes from the article after the break.

The transcribed press conference is online. I don’t think I’ll have a chance to analyze the 8 parts of the proposed rules at Control of Communicable Disease Proposed 42 CFR Parts 70 and 71. My expectations are that:

  1. The travel industry, already half-bankrupt, can’t afford $160 million in additional costs. That will kill this, unless the CDC steps in to fund the effort to invade all of our privacy.
  2. The data collection will be mandatory, with penalties for lying, but no penalties for re-use of the data. Acceptable uses will including updating the airline’s marketing databases. The marketing value of the data will fall far short of that $160 million.
  3. The discussion of the data in the proposed rules and the media analysis will assume the use of ‘PNR’ data. The analysis will completely ignore the reality that PNRs contain lots of non-passenger information. This is well documented by Ed Hasbrouck, and routinely ignored because acknowledging it would drive the cost of these implementations through the roof.

The regulations will require airlines to collect and maintain in an electronic database the following passenger information:

  • First, last and middle names, in addition to suffixes.
  • Current home address, including street, apartment number, city, state/province and ZIP code.
  • Mobile, home or pager phone numbers.
  • E-mail address.
  • Passport or travel document, including the issuing country or organization.
  • Traveling companions or group.
  • Flight information, including date, airline, flight number and return flight details.
  • Name, address and phone number of an emergency contact.

The same rules would also apply to passengers on international cruise lines and international ferry companies at U.S. ports, which the CDC estimated carry about 75 million passengers a year.

But the CDC estimated that even under this scenario, it would cost the airline industry $108.2 million to collect and retain the passenger manifest data. It would cost global reservation systems $2.97 million under the preferred CDC POS plan and travel agents $50.8 million.

The Eastern Research Group said the CDC may also have trouble obtaining data from Amadeus, one of the largest global reservation systems, because it is foreign-owned and stores passenger information in Germany. This information is covered by German laws on data privacy, and it would require changes in international law to obtain data from Amadeus, the Eastern Research Group analysis said.

Cetron said the CDC would employ rigorous standards of privacy to protect the passenger manifest data it collects, and the proposed rule calls for a one-year retention period instead of 10 years, which is the CDC’s normal practice for data retention.