What's in a Passenger Name Record (PNR)? (2013)

(hasbrouck.org)

69 points | by rzk 5 days ago

10 comments

  • decimalenough 16 hours ago
    A famous demonstration of how easy it is to use a photo of a boarding pass to get a prime minister's passport info and personal phone number via the PNR:

    https://mango.pdf.zone/finding-former-australian-prime-minis...

  • StackBPoppin 55 minutes ago
    I've had to write an entire backend to interface with Sabre - using SOAP/XML - it was anything but straightforward. But yeah, you need surprisingly little information to book/cancel/view flights and PNR data.
  • kccqzy 17 hours ago
    > Airlines don’t collect most passenger information — travel agents do. Most passengers never deal with the airline until they check in for their flight at the airport. And standard travel agency procedures make them function, in practice, as quite effective “anonymizing proxies” for travellers.

    So my takeaway is that for enhanced privacy I should try to book flights with travel agencies instead of directly with airlines. Is the advice still applicable or is it nowadays futile?

    • timrogers 10 hours ago
      The claim in the quote here is simply not true.

      The travel agency is the one that collects your personal information - but it (unsurprisingly) immediately passes just about everything to the airline: name, date of birth, phone number, email etc.

      In general, the airline won’t get your payment details though.

      • slightwinder 4 hours ago
        > The claim in the quote here is simply not true.

        How? There are two setups: either you book with an agency, which then forwards your data to the airline, or you book directly with an airline. In both cases, you have a more or less fixed amount of data collected, due to legal requirements. But the agency will usually act as a proxy, only forwarding the absolutely necessary information, and using some on their own (like form of payment or contacts), often even sending replacement data or their own to the airline.

        So it's absolutely true that in certain common setups, the airline is not the one collecting and holding most information. But, this comes with the price that more parties are holding your information.

        And agencies are often going through a CRS or even through a middleman to the CRS, not booking directly with the airline, so there is a good chance of a third or even fourth party also holding your information. Though, technically this can also depend on the agency, airline and type of flight. With charter and low-cost flights it can happen that the agency is going directly to the airline, hacking their way around the airlines' website. But this has been getting shot down in the last years by those airlines, and is not obvious from the outside.

        Oh, and historically speaking, it used to be that agencies were often collecting more personal information than laws demanded, while airlines went with the absolutely necessary stuff. So maybe the article was meaning this aspect too.

    • astrange 13 hours ago
      The tradeoff is you can't change anything if anything goes wrong.
      • petesergeant 11 hours ago
        The nuance there is you can’t change anything _except via the travel agent_ until after the first leg of the journey is complete. But yes, absolutely, book direct for maximum flexibility.
  • decimalenough 16 hours ago
    While basically everything about PNRs described here remains unchanged (as it has been since the 60s), government data collection on top of PNRs has become far more extensive since this was written 12 years ago.

    If traveling into the US from overseas, you need to disclose a whole bunch of info to get your ESTA, and for the flight itself there's APIS: https://en.wikipedia.org/wiki/Advance_Passenger_Information_...

    And for any flight that even overflies the US, there's Secure Flight:

    https://en.wikipedia.org/wiki/Secure_Flight

    • sandworm101 15 hours ago
      Not all flights. Private aircraft (rich people) and the military follow different rules. These rules target airlines. No airline, no problem.
    • iso1631 16 hours ago
      Not just overflies the US, but gets close to the US. Looking at the airport pairs, flights like Toronto to Europe are deemed to be flying over the US, whether they do or not.

      https://upload.wikimedia.org/wikipedia/commons/b/b8/TSA_Secu...

  • dang 19 hours ago
    Discussed (a bit) at the time:

    What's in a Passenger Name Record (PNR)? - https://news.ycombinator.com/item?id=6037279 - July 2013 (2 comments)

    • tolerance 17 hours ago
      If I may, I’d like to reproduce the lengthy article’s “punchline” here in addition:

      PNR's show where you went, when, with whom, for how long, and at whose expense. Behind the closed doors of your hotel room, with a particular other person, they show whether you asked for one bed or two. Through departmental and project billing codes, business travel PNR's reveal confidential internal corporate and other organization structures and lines of authority and show which people were involved in work together, even if they travelled separately. Particularly in the aggregate, they reveal trade secrets, insider financial information, and information protected by attorney-client, journalistic, and other privileges.

      Through meeting codes used for convention and other discounts, PNR's reveal affiliations -- even with organizations whose membership lists are closely-held secrets not required to be divulged to the government. Through special service codes, they reveal details of travellers' physical and medical conditions. Through special meal requests, they contain indications of travellers' religious practices -- a category of information specially protected by many countries.

      PNR's for reservations made or changed online routinely include IP addresses and timestamps to enable them to be cross-referenced with Web server logs.

      The rest of the web site remains a curious display of information.

  • 725686 16 hours ago
    As a junior dev I had to develop software to read and write these bastards. Long time no see.
  • neilv 17 hours ago
    I worked briefly on GDS/ARS protocol in modern times (for a reservation system on Linux servers that could talk directly to the mainframe network, rather than using a middleware wrapper around your own mainframe).

    The protocols are heavily documented in many ways, but we also had an on-site pair of experts on this particular mainframe network, as an information resource, and we needed them. And I still had to reverse-engineer some semantics or format from real-world protocol captures, and freeze that knowledge in unit tests.

    There was one opcode that initially sounded simple. IIRC, linguistically, it turned out to be closer to an eval than an echo.

    This kind of work, carefully interoperating with critical legacy systems, can be more interesting and positive than serving cat pictures and running surveillance trackers in exactly the architecture memorized for a Design Interview. But if you do anything involving mainframes, and then want to go back to startups or Big Tech, I wouldn't put the toxic keyword "mainframe" on your techbro resume; use euphemisms like "global financial system" instead. Also, you should say that you "disrupted" it; though disrupting a critical system is not usually considered a positive achievement in other circles.

  • tadzikpk 16 hours ago
    PNRs also contain info on the Form of Payment used to pay for the ticket, in case you were ever wondering who's paying for their airfares in cash...
  • David-Henrry 16 hours ago
    [flagged]
  • Steve-Tony 16 hours ago
    [flagged]
    • TazeTSchnitzel 16 hours ago
      This user's comment history smells of LLM.
      • masfuerte 14 hours ago
        There's a pack of them with these double-barrelled user names.