A company you’ve never heard of is selling copies of every airline ticket issued by a travel agency in the US to the US Department of Homeland Security (DHS) and a plethora of other Federal law enforcement and immigration agencies — and who knows who else.

Records of airline tickets issued by travel agencies in the US are being sold to US Immigration and Customs Enforcement (ICE) and other Federal law enforcement agencies, according to an ICE procurement document posted yesterday on a US government contract website and uncovered in a major scoop today by Katya Schwenk of Lever News.

According to the document found by Ms. Schwenk on SAM.gov, ICE is entering into a no-bid contract with the Airlines Reporting Corporation (ARC) “to procure, on a sole source basis, licenses for Travel Intelligence Program (TIP)… The vendor listed is the only company that can provide the required software licenses.”

ARC is the financial clearinghouse through which travel agencies in the US (from mom-and-pop agencies to online mega-agencies like Expedia) pay airlines (including both US and foreign airlines) for the tickets those agencies have sold. Its role is similar to that of VISA and MasterCard for credit card merchant  transactions, except that VISA and MasterCard compete with each other, while ARC has no competitor in  the US.

Every day, each travel agency in the US submits a report to ARC with a copy of every ticket it has issued, the amount paid, the fare calculation and tax breakdown, and the form of payment. ARC takes the total for the day’s sales on all airlines out of the agency’s bank account, and pays each airline a daily total for its tickets issued by all agencies accredited through ARC. Copies of tickets are included with agencies’ daily reports to ARC so that airlines can audit that agents have charged the correct fare.

(ARC only handles payments from travel agencies in the US. Payments and credits to airlines from travel agencies in countries other than the US are settled through other regional financial clearinghouses under IATA’s Bank Settlement Plan, BSP.)

The amounts paid to ARC by Federal agencies aren’t large enough to make selling data to the Feds a significant line of business for ARC.  But the amounts are large enough to indicate that Federal law enforcement and immigration agencies are using information about airline tickets obtained from ARC in a significant and growing number of cases, for unknown purposes and on an unknown legal basis.

We’ve never heard of the “Travel Intelligence Portal” through which ARC offers access to ticket records before now. TIP isn’t mentioned anywhere on ARC’s website, in ARC’s privacy policy, or in the privacy policy of any airline or travel agency we’ve reviewed.  Travelers and ticket purchasers who don’t know that ARC exists aren’t likely to ask what it has done with their data. We don’t know whether TIP is a service offered by ARC exclusively to Federal agencies, or if it has other government or commercial users in the US and/or abroad.

The previously unnoticed ARC contracts with ICE and other US government agencies also raise substantial doubt as to whether travel agencies or airlines — including foreign airlines that process payments for their ticket sales in the US through ARC, and travel agencies that act as their agents in the US — are complying with foreign laws including PIPEDA in Canada and the GDPR in Europe.

If ARC is selling ticket data to the US government without reporting those disclosures to the travel agencies and airlines involved, those agencies and airlines  will be unable to provide data subjects with an accurate or complete accounting of the disclosures of their personal data, as required by PIPEDA and the GDPR.

On the other hand, if travel agencies and/or airlines have authorized ARC to make this data available to the US government, or have continued to transmit data to ARC after learning that ARC was making it available to the US government, those travel agencies and/or airlines have likely violated their duty not to transmit personal data to entities that could not assure adequate protection of that data against onward disclosure.

Sharing personal data about travelers and their movements and associations with a US-based intermediary such as ARC creates a vulnerability similar to the one created when a foreign airline uses a US-based  CRS to store their PNR data. We’ve discussed this loophole in our invited testimony to the European Parliament and the Canadian Parliament.

ARC holds data from competing travel agencies and airlines, all of which want assurances that “their” data won’t be disclosed to their competitors. But ARC’s data security policies are designed to  protect travel agencies’ and airlines’ proprietary business data, not to protect the privacy of airline passengers or ticket purchasers.

The role of ARC, and the reasons law enforcement and immigration agencies want access to this unique source of aggregated data, are described by ICE as follows:

ARC is owned and operated by eight U.S. major airlines and is the sole entity facilitating financial transactions between the airline industry and U.S. based travel agencies. ARC is uniquely positioned within the airline industry as the central hub for financial settlement and data exchange between airlines and travel agencies, ensuring secure and efficient transactions. With its comprehensive industry data, ARC provides unmatched insights and analytics, supporting airline revenue management, fraud prevention, and operational efficiencies. Its primary role is to accredit travel agencies and manage financial settlements, generating an extensive, real-time database of airline tickets sold.

Daily, travel agencies must submit ticket sales and funds for over 240 airlines worldwide to ARC. This process enables ARC’s TIP, an essential intelligence tool integrated into HSI [Homeland security Investigations] INTEL’s investigative mission. TIP allows authorized law enforcement and national security personnel to search ARC’s air ticketing database to track and analyze travel patterns of persons of interest. Users can conduct searches using key identifiers such as passenger name, itinerary, fare details, and payment methods.

ARC offers three TIP services—TIP Online, TIP Monitoring, and TIP Search delivering real-time data on the previous day’s ticket sales. This system provides unique access to “ticket face” information, including full flight itineraries, passenger name records, and financial details, which are otherwise difficult or impossible to obtain. The TIP database holds over one billion records, spanning 39 months of past and future travel data—an unparalleled intelligence resource.

Through TIP licenses, INTEL analysts gain unrestricted access to all sold ticket databases, enabling targeted searches by name or credit card number.

This description seems accurate, so far as we can tell, although the reference to ARC having passenger name records (PNRs)  may mean only that ARC data includes the “record locator” or pointer to each PNR in a computerized reservation system (CRS). We don’t know if ARC receives or retains complete PNRs. We’d welcome any tips on this.

Based on the names of the three TIP services, and what we know about how government agencies seek to use air travel data, here’s what we suspect each of these services does:

1. “TIP Online” — This seems most likely to be the basic functionality for searches for recently-issued tickets and/or tickets for upcoming flights.
2. “TIP Monitoring” — This probably enables users to set flags for specific parameters, so that the user will be alerted whenever a ticket is reported matching those parameters (name, credit card number, etc.). This would be similar to the TECS alerts used by CBP  to monitor PNRs for international flights.
3. “TIP Search” — We don’t know how this differs from TIP Online, but it may provide more complex data mining and search capabilities for older archived ticket data.

The DHS, which includes ICE among other components, already receives some data about all airline tickets for flights to, from, or within the US. But although ARC data only includes information about tickets issue by travel agencies in the US, it (1) is normalized in a single standard format, unlike PNR data which varies according the CRSs and business practices of airline and travel agencies, and (2) includes significant categories of data not otherwise available to the government through any channel disclosed to date:

Airlines operating domestic flights within the US are required to transmit Secure Flight passenger data to the Transportation Security Administration (TSA) for each passenger, in order to request permission from the TSA to issue a boarding pass. But Secure Flight data is more limited than the ticket image and other data reported to ARC. Secure Flight data is sent  to TSA only 72 hours before the flight is scheduled to depart, and is supposedly deleted immediately after the flight if the passenger is not, at flight time, deemed “suspicious”.  Ticket data is reported to ARC the day the ticket is issued, and retained by ARC (for use in case of credit card payment or refund disputes) for several years. Access to ARC data extends DHS surveillance capabilities with respect to domestic air travel significantly further into both the future and the past than Secure Flight.

For international flights to, from, or overflying the US, airlines are required to send complete mirror copies of raw PNR data — everything about each passenger in the airline’s own business  records — to US Customs and Border Protection (CBP) in order to request permission to issue a boarding pass. CBP keeps this data as part of its lifetime file on each traveler, whether a US or a foreign citizen. But as with Secure Flight data for domestic flights, this data is sent only 72 hours before departure. ARC data is send the day a ticket is issued, which can be as much as 11 months, sometimes a year, before a ticketed flight.

ARC reports also include tickets issued by travel agencies in the US for flights by foreign airlines between points outside the US, extending US government travel surveillance capabilities worldwide to flights over which the US has no jurisdiction.

Today’s report in Lever News exposes only the tip of the TIP iceberg, and leaves many questions unanswered:

1. What is ARC’s policy for responding to requests for ticket data by government agencies? (Neither ARC, any of the CRSs, nor any major airline or travel agency publishes the sort of transparency report that might address this question.)
2. Does ARC require government requesters to show a warrant or court order before releasing data? Or are government users of ARC’s TIP portal on the honor system not to retrieve data without a legal basis?
3. Has ARC informed travel agencies of the existence of TIP? Airlines?
4. Are there users of TIP other than US government agencies? In the US? In other countries? Who are they? Is there a list available to travelers or ticket purchasers of all the entities that might have accessed records of our tickets through TIP?
5. When a US government agency or other user of TIP retrieves data about a specific ticket or transaction, is that fact disclosed to (a) the passenger or ticket purchaser, (b) the travel agency that issued the ticket, and/or (c) the airline?
6. What sorts of searches, monitoring, or data mining of ARC records are possible with TIP? (If anyone has a user manual or UI screenshots, please send us a copy.)
7. Is there a subject access request procedure by which an individual can obtain a copy of the information pertaining to them held by ARC, or an accounting of disclosures of this data to other entities? Can an individual request that this information be expunged by ARC, or that it not be sold to the US government or other third parties?
8. When ARC holds data about transactions in which a US travel agency acted as the agent for an airline based in Canada or the EU, and the contract of carriage was entered into by that airline as principal, does ARC comply with PIPEDA or the GDPR? Does ARC have any policies for PIPEDA or GDPR compliance in these cases?

We look forward to learning more. We invite those in the know about TIP to share their tips.