What's in a Passenger Name Record (PNR)? (2013)
hasbrouck.org47 points by rzk 5 days ago
47 points by rzk 5 days ago
A famous demonstration of how easy it is to use a photo of a boarding pass to get a prime minister's passport info and personal phone number via the PNR:
https://mango.pdf.zone/finding-former-australian-prime-minis...
> Airlines don’t collect most passenger information — travel agents do. Most passengers never deal with the airline until they check in for their flight at the airport. And standard travel agency procedures make them function, in practice, as quite effective “anonymizing proxies” for travellers.
So my takeaway is that for enhanced privacy I should try to book flights with travel agencies instead of directly with airlines. Is the advice still applicable or is it nowadays futile?
While basically everything about PNRs described here remains unchanged (as it has been since the 60s), government data collection on top of PNRs has become far more extensive since this was written 12 years ago.
If traveling into the US from overseas, you need to disclose a whole bunch of info to get your ESTA, and for the flight itself there's APIS: https://en.wikipedia.org/wiki/Advance_Passenger_Information_...
And for any flight that even overflies the US, there's Secure Flight:
Not all flights. Private aircraft (rich people) and the military follow different rules. These rules target airlines. No airline, no problem.
Not just overflies the US, but gets close to the US. Looking at the airport pairs, flights like Toronto to Europe are deemed to be flying over the US, whether they do or not.
https://upload.wikimedia.org/wikipedia/commons/b/b8/TSA_Secu...
Discussed (a bit) at the time:
What's in a Passenger Name Record (PNR)? - https://news.ycombinator.com/item?id=6037279 - July 2013 (2 comments)
If I may, I’d like to reproduce the lengthy article’s “punchline” here in addition:
“PNR's show where you went, when, with whom, for how long, and at whose expense. Behind the closed doors of your hotel room, with a particular other person, they show whether you asked for one bed or two. Through departmental and project billing codes, business travel PNR's reveal confidential internal corporate and other organization structures and lines of authority and show which people were involved in work together, even if they travelled separately. Particularly in the aggregate, they reveal trade secrets, insider financial information, and information protected by attorney-client, journalistic, and other privileges.
Through meeting codes used for convention and other discounts, PNR's reveal affiliations -- even with organizations whose membership lists are closely-held secrets not required to be divulged to the government. Through special service codes, they reveal details of travellers' physical and medical conditions. Through special meal requests, they contain indications of travellers' religious practices -- a category of information specially protected by many countries.
PNR's for reservations made or changed online routinely include IP addresses and timestamps to enable them to be cross-referenced with Web server logs.”
The rest of the web site remains a curious display of information.
As a junior dev I had to develop software to read and write this bastards. Long time no see.
I worked briefly on GDS/ARS protocol in modern times (for reservation system on Linux servers that could talk directly to the mainframe network, rather than using a middleware wrapper around your own mainframe)
The protocols are heavily documented in many ways, but we also had an on-site pair of experts on this particular mainframe network, as an information resource, and we needed them. And I still had to reverse-engineer some semantics or format from real-world protocol captures, and freeze that knowledge in unit tests.
There was one opcode that initially sounded simple. IIRC, linguistically, it turned out be closer to an eval than an echo.
This kind of work, carefully interoperating with critical legacy systems, can be more interesting and positive than serving cat pictures and running surveillance trackers in exactly the architecture memorized for a Design Interview. But if you do anything involving mainframes, and then want to go back to startups or Big Tech, I wouldn't put the toxic keyword "mainframe" on your techbro resume; use euphemisms like "global financial system" instead. Also, you should say that you "disrupted" it; though disrupting a critical system is not usually considered a positive achievement in other circles.
PNRs also contain info on the Form of Payment used to pay for the ticket, in case you were ever wondering who's paying for their airfares in cash...
[flagged]
[flagged]