Fred Cate, a law professor at Indiana University, said that my story raises a lot of questions about what the government is doing.


“Why isn’t the government complying with even the most basic cybersecurity standards?” Cate said. “Storing and transmitting credit card numbers without encryption has been found by the Federal Trade Commission to be so obviously dangerous as to be ‘unfair’ to the public. Why do transportation security officials not comply with even these most basic standards?”


The goal of PNR collection, according to CBP, is "to enable CBP to make accurate, comprehensive decisions about which passengers require additional inspection at the port of entry based on law enforcement and other information."
This information is retained for quite some time in government databases. CBP publicly states that PNR data is typically kept for five years before being moved to “dormant, non-operational status.” But in my case, my earliest PNR goes back to March 2005. A CBP spokesperson was unable to explain this discrepancy.


“No wonder the government can’t find needles in the haystack—it keeps storing irrelevant hay," Cate told me. "Even if the data were fresh and properly secured, how is collecting all of this aiding in the fight against terrorism? This is a really important issue because it exposes a basic and common fallacy in the government’s thinking: that more data equates with better security. But that wasn’t true on 9/11, and it still isn’t true today. This suggests that US transportation security officials are inefficient, incompetent, on using the data for other, undisclosed purposes. None of those are very encouraging options."


"No wonder they didn’t want you to know what they had about you,” he added.