Latest news

Frequent Fliers Fear Privacy Loss

Frequent fliers might forfeit more than future flights on their favored carrier if any of the country’s beleaguered airlines go out of business. They could also lose control over their personal information.

The airline industry has been reeling from business losses related to the Iraq war, the slowdown in the economy, the Sept. 11 terrorist attacks and the recent SARS outbreak.

Both United Airlines and Hawaiian airlines are operating under bankruptcy protection, while American Airlines narrowly avoided having to file for bankruptcy this week by securing $1.8 billion in labor concessions.

If any of these carriers do go out of business, its assets will go on the auction block or be passed to its creditors. Privacy advocates contend the sale of either frequent flyer databases or general passenger records, if legally permitted, would severely compromise the privacy and rights of airline passengers.

“It’s the most intimate, revealing, computerized, correlated, archived and significant record of people outside of health and financial data,” said Edward Hasbrouck, a travel privacy advocate and the author of The Practical Nomad.

Frequent flier records include detailed personal information about an airline’s best customers – addresses, phone numbers, e-mail addresses, dietary preferences and the names of children and travel companions. United Airlines’ Mileage Plus program alone has more than 40 million members.

The records also contain detailed histories of each passenger’s previous flights, car rentals and hotel bookings. And for those who participate in programs that accumulate miles for credit-card or supermarket purchases, the data could be even more detailed.

“These databases would be one of the airlines’ largest assets,” said Hasbrouck. “Since airlines lease most of their planes, this data would be their second biggest asset after their foreign route rights.”

In addition, airlines maintain data on every airline traveler, contained in passenger-name records in a central reservation system.

These databases, while much larger, are less organized than frequent flyer records. Unlike the latter, which assign a unique number to each participant, the central reservation system assigns its unique identifier to each trip, making it difficult to accurately track a person’s flight history, since names aren’t unique.

“It’s fascinating what you can do with this data – it’s also scary,” said Brett Madigan, managing director of Madigan, Pratt & Associates, a travel marketing consultant firm.

“(Data aggregators) can do data enhancement, overlaying other data, then move into profiling and dividing the customers into segments, then model them,” said Madigan. “Then you do all sorts of analytics and start doing predictions. You can find out if we do this, what will customers do?”

It remains unclear, however, whether the airlines or its creditors could legally sell their frequent flier databases.

Travel records are not explicitly protected under federal privacy laws, such as those that restrict the distribution of a person’s financial and health information.

However, if a company’s privacy policy states that the information will not be sold, the Federal Trade Commission can prohibit the sale.

The FTC did just that in July 2000 in response to Toysmart.com’s attempt to sell its customer database while in bankruptcy court. The five-member commission ruled that privacy policies were enforceable and that Toysmart couldn’t sell its customer list since the company’s privacy policy explicitly told visitors, “You can rest assured that your information will never be shared with a third party.”

But the decision didn’t prevent the sale of the data if a “family-oriented website” was willing to buy the entire Toysmart website in order to keep it running. Eventually, the negative publicity generated by the potential sale led Disney, a Toysmart.com investor, to pay Toysmart $50,000 to destroy the list.

The United Airlines privacy policy says the company shares data with third parties, but requires “strict contractual obligations.”

United spokesman Jeff McAndrews refused to elaborate on whether the policy allowed for a future sale and declined to speculate on what might happen if the company were liquidated.

McAndrews did say, however, “United is not in the business of renting or selling those lists.”

Airlines, including United, already routinely share some data with law enforcement agents.

Hasbrouck argues that these exchanges of data and the possible sale of passenger data indicate a need, not just for a travel privacy law, but for a more sweeping privacy bill of rights similar to one adopted by the European Union.

Even if a potential sale of travel data were technically legal, a public backlash could diminish the value of the data, as it did in the Toysmart case.

“If a stink arises from airlines selling this data, you can buy the list, but there is no value,” said Henry Harteveldt, Forrester Research‘s principal travel industry analyst. “Instead, there is a huge, negative public relations problem.”

Chris Hoofnagle, an attorney with the Electronic Privacy Information Center, said that if such data were sold it could lead to a new kind of fear of flying.

“The Supreme Court has ruled that freedom to travel is a basic right,” said Hoofnagle. “It is tied to the right to assemble, to explore new ideas, to the freedom of thought. Travel can be chilled if data about it is aggregated or shared.”

Comment here