The case of Rutgers University professor Mark Bray and his family provides an object lesson in the importance of being able to travel anonymously, and how the practices of governments and airlines endanger travelers by making them identifiable.

Dr. Bray, his partner Dr. Yesenia Barragan (also  a professor at Rutgers), and their two young children tried to flee the US last month after being denounced by members of the Rutgers chapter of Turning Point USA, doxxed,  and receiving death threats. They planned to spend the rest of this academic year teaching remotely from Spain, where Dr. Bray had lived on previous research trips.

Trying to get away from death threats isn’t an uncommon reason for travel, unfortunately. The factors behind the threats against Dr. Bray and his family — Dr. Bray’s scholarship as a historian of anti-fascist activism in Europe and North America since World War II — may be atypical. But thousands of people in the US flee their homes every day to escape from threats or ongoing patterns of domestic violence, often including credible death threats. We’ll never know how many of them have been stalked through their airline reservations.

Dr. Bray and his family bought tickets on United Airlines for a nonstop flight from Newark to Madrid — the most direct route from Rutgers (just a few miles from Newark in New Brunswick, NJ) to Spain. This was, unfortunately, also the most obvious airline and airport for them to use, and the easiest one for any of their local adversaries to stake out.

After they got to the airport, Dr. Bray posted on Bluesky, that, “‘Someone’ cancelled my family’s flight out of the country at the last second. We got our boarding passes. We checked our bags. Went through security. Then at our gate our reservation ‘disappeared.’”

In an interview with the Associated Press from a hotel room where he spent the night before trying again a day later, Prof. Bray said that, “We called the service that made the reservation. They didn’t cancel it. United [Airlines] didn’t cancel it.”

Airline staff rebooked the family on the same flight 24 hours later, when they had a different experience. In a later interview after making it to Spain, Dr. Bray described being pulled aside at the departure gate at Newark the next evening by Federal agents for an hour of questioning before being allowed to board the flight to Madrid with his family.

Dr. Bray and his family may never know who cancelled their reservations unless the culprit confesses, but there are two important lessons in this incident:

First, anonymous travel matters, sometimes as a matter of life or death. Both anonymity and the right to travel are never so important as they are for those who are fleeing death threats, whether those threats come from domestic abusers, vigilantes, or the government.

A decision last month by the 9th Circuit Court of Appeals in a case against Lufthansa shows how disclosure of personal information by an airline can put travelers at risk. A gay Saudi Arabian citizen reluctantly provided a copy of his marriage certificate (a same-sex marriage in the US to a US citizen) to Lufthansa. The marriage to a US citizen was relevant to the traveler’s admissibility to the US, but not to the validity of his ticket from Riyadh via Frankfurt to San Francisco, or to Lufthansa’s obligation to transport him. And because homosexuality, as would be conclusively proven by the marriage certificate, is a capital offense in Saudi Arabia, the traveler had not previously disclosed his sexual orientation to the Saudi government. But because Lufthansa staff took actions that may have disclosed his marriage to the Saudi government, he hasn’t dared to return to Saudi Arabia. He has been cut off from his family and community and has been forced to liquidate his real estate there at a loss, among other consequences. The takeaway from the case, at this stage, is that protecting passenger data really can be a life-or-death matter.

Name and ID requirements are touted as measures to “protect” travelers. But for some of the most vulnerable travelers they are a threat to personal security.

We don’t think governments should require passengers on common carriers to identify themselves, or that common carriers should be allowed to require them to do so. On domestic flights in the US, until 1996 anyone could buy a ticket in any arbitrary name and fly without showing any ID. We see no reason not to return to this historic norm.

On international flights, passengers’ names and documents may be relevant to decisions made by governments as to their right to leave the country from which the flight departs  or to be admitted to the destination country on arrival. But travelers can show their passports or other documents or make their claims for admission without documents (for example, as asylum seekers) without needing to identify themselves to airlines or other private parties. The right to leave any country is, under international treaty law, almost absolute. And decisions about admissibility, particularly in the case of asylum seekers, can be made only after arrival on the territory of the destination country.

Second, identifying information about air travelers isn’t adequately protected.

If governments unnecessarily require travelers to identify themselves to airlines or other common carriers,  then it must be recognized that (1) names and other potentially life-threatening identifying information are provided to these carriers solely to satisfy government mandates, and could not and would not otherwise be required or provided, and (2) the government therefore has the obligation to  make sure that this extremely sensitive information is not retained, used, or disclosed to anyone except the government.

As has long been known, and as the experience of Dr. Bray and his family illustrates yet again, airlines have failed to put in place even minimal protections for passenger data, and governments in the US and other countries, including in Spain and  the European Union, have failed to require airlines to protect this data or to sanction airlines for not doing so.

The US government blacklists some people from air travel and flags others for special surveillance when they travel. But what reportedly happened to Dr. Bray and his family doesn’t fit the profile of either of those air travel surveillance and control systems.

If Dr. Bray had been on the US no-fly list or matched real-time no-fly algorithms, the Department of Homeland Security would have sent the airline a negative “Boarding Pass Printing Result” message in response to his PNR and API data, and he wouldn’t have received a boarding  pass. If he had been on the “selectee” list or another “watchlist”, or the subject of a TECS alert (often used to target searches and seizures of digital data) he would have been allowed to fly after special handling, as happened the second night.

What happened to Dr. Bray is consistent with what happens if a reservation is canceled after check-in and issuance of a boarding pass and before actual boarding. This can cause exactly the sort  of confusion on the part of airline staff that Dr. Bray reported, especially if the PNR gets out of sync with the record in the airline’s departure control system and the source or reason for the cancellation can’t be determined from the PNR or DCS records.

It may seem surprising that it’s possible to cancel a reservation through the United Airlines website or app after a boarding pass has been issued, but we’ve seen it happen.

If an airline staff member canceled the reservation, their unique “agent sine” would be attached to the cancellation in the “history” (change log) portion of the PNR. And airline staff including call center staff are trained to log who requested a change in the “received form” field in the PNR history for each change.

If someone had called the airline and impersonated Dr. Bray to cancel his reservations, airline staff would have told him, “Our records show that you called and asked us to cancel your reservations, not “We don’t know how or by whom your reservations were canceled.

Dr. Bray’s report suggests that his reservations were canceled through one of the Internet gateways to the reservation system. In such a case, the PNR would identify only the gateway or ‘bot and perhaps the IP address from which the app or website was accessed, leaving airline staff unable to determine who was responsible for the cancellation.

This is easy for a stalker to do, leaving no traces (or at the most an IP address), because (1) airlines have chosen not to require a to access, change, or cancel a PNR, and (2) airlines have chosen not to include access logs in PNRs.

This isn’t news. This is a feature, not a bug, of airline reservation systems. This vulnerability has been known to airlines, publicized, and publicly demonstrated for decades. Airlines worldwide have all chosen to continue this practice because (3) requiring passengers to remember and enter a password to retrieve their reservations would inhibit use of self check-in and other self-service functions, and require airlines to spend more on human check-in and customer service staff, and (4) no government anywhere in the world has required airlines to  adopt even minimal PNR security or access logging.

Airlines use an unchangeable, system-assigned “record locator” for each PNR as though it were a password, and they print this record locator prominently on every itinerary and boarding pass and almost all baggage tags and claim checks. It’s as though they printed your “password” in boldface type at the top of each of those documents. All that’s needed to “claim” and monitor a PNR in the United Airlines app or website — even if you are signed in to an unrelated account in another name — is the last name and record locator.

The United Airlines app is perfectly designed to function as a remote stalking app.

Anyone who follows or photographs you in an airport — at an increasing distance as the resolution of cellphone cameras improves — or glances at the tags after you drop off your checked bags can retrieve and, yes, change or cancel your reservations.

I assume that someone who doesn’t like Dr. Bray, for whatever reason, spotted him in the airport at Newark. Maybe it was happenstance, or maybe they had staked out the departure area and were looking for him. They shoulder-surfed his record locator as he and his family checked in and dropped off their luggage, and then  canceled their reservations.

Dr. Bray will probably never know who did this, just as air travelers generally don’t know which foreign governments have accesses their reservations, or when they have done so. In the absence of access logs, this would come to light only if the culprit confesses their modus operandi or if someone spots them in the act and blows the whistle on them.

The last time there was a flurry of public interest in the insecurity of airline reservations it involved someone with very different political views: Sen. Ted Cruz. After Sen. Cruz’s reservations (on United Airlines, as it happens, but as with Dr. Bray it could have been any airline) were leaked, United Airlines launched an investigation into the source of the leak.  But as we predicted at the time, nothing was ever said about the results of that investigation, presumably because what it found was that the leaker couldn’t be identified. The system was and still is so designed as to make leaks like this untraceable.

What happened to Dr. Bary and his family should be a teachable moment for travelers, and for governments worldwide that have forced travelers to identify themselves to airlines, while failing to hold airlines (and the computerized reservation systems that supply their outsourced and shared hosting) to even the most rudimentary data protection norms.

Travelers should demand action by governments, airlines, and reservation systems:

Traveler anonymity matters, as does the security of travel information.

If governments make air travelers reveal personal information to airlines, those governments should make those airlines protect and log access to that information.