Stay Updated Icon

Subscribe to Our Tech & Career Digest

Join thousands of readers getting the latest insights on tech trends, career tips, and exclusive updates delivered straight to their inbox.

Revealed: Airlines Sold Your Domestic Flight Data to DHS, Contract Demanded Secrecy

2:39 PM   |   11 June 2025

Revealed: Airlines Sold Your Domestic Flight Data to DHS, Contract Demanded Secrecy

The Secret Sale of Your Skies: How Airlines Sold Domestic Flight Data to the US Government

Imagine booking a flight, perhaps for a family vacation, a business trip, or to visit a friend. You provide your name, your destination, your dates, and your payment information. You expect this data to facilitate your journey, to get you from point A to point B. What you likely don't expect is for that sensitive personal information – detailing your movements across the country – to be quietly collected by an airline-owned entity and sold to government agencies, who are then contractually told not to reveal where they got it from. Yet, according to internal government documents, this is precisely what has been happening.

A data broker known as the Airlines Reporting Corporation (ARC), which is owned by many of the country's major airlines, has been collecting detailed domestic flight records of US travelers. These records include passenger names, their complete flight itineraries, and even financial details related to the purchase. Access to this trove of information has been sold to agencies within the Department of Homeland Security (DHS), specifically Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE).

The revelation, brought to light through documents obtained via Freedom of Information Act (FOIA) requests by 404 Media, exposes a concerning practice that allows government entities to bypass traditional legal channels for obtaining such data. Even more troubling, the contract between ARC and CBP included a specific instruction for the government agency: do not publicly identify ARC as the source of the data unless absolutely compelled by a valid court order or subpoena, and even then, give ARC immediate notice.

This clandestine arrangement has ignited significant alarm among civil liberties advocates and lawmakers, who argue it represents a dangerous expansion of government surveillance capabilities, sidestepping the legal guardrails designed to protect Americans' privacy.

ARC: The Airline-Owned Data Conduit

At the heart of this issue is the Airlines Reporting Corporation (ARC). While perhaps not a household name for the average traveler, ARC is a critical player in the airline industry's backend operations. It primarily serves as a financial settlement system between airlines and travel agencies, processing ticket transactions. However, its business activities extend beyond this core function.

ARC is not an independent third party in the traditional sense; it is owned and operated by a consortium of major US airlines. Publicly available documents show that ARC's board of directors includes representatives from industry giants such as Delta, Southwest, United, American Airlines, Alaska Airlines, and JetBlue, as well as international carriers like Lufthansa and Air France, and Air Canada. With over 240 airlines relying on ARC for ticket settlement services, the company sits at a central point in the flow of airline passenger data.

Beyond financial settlement, ARC engages in other data-related activities, such as analyzing travel trends in partnership with companies like Expedia and providing fraud prevention services. The sale of US domestic flight information to the government falls under ARC's Travel Intelligence Program (TIP).

According to ARC, the TIP program was established in the aftermath of the September 11 terrorist attacks with the stated purpose of providing data to law enforcement for national security matters and criminal investigations. While the post-9/11 context is often cited to justify expanded surveillance measures, the current use cases revealed in the documents raise questions about the scope and necessity of this data access.

The Government's Justification: Identifying 'Persons of Interest'

The documents obtained by 404 Media provide insight into why at least one part of DHS, Customs and Border Protection (CBP), sought access to ARC's data. A Statement of Work included in the contract details CBP's need for the TIP product “to support federal, state, and local law enforcement agencies to identify persons of interest’s US domestic air travel ticketing information.”

CBP asserts that access to ARC's TIP data provides “visibility on a subject’s or person of interest’s domestic air travel ticketing information as well as tickets acquired through travel agencies in the U.S. and its territories.” The agency claims this data is “crucial” for both administrative and criminal cases.

A DHS Privacy Impact Assessment (PIA) related to the TIP data, available online, further elaborates on the nature of the information. The TIP database is updated daily and contains a vast collection of records – over one billion, spanning 39 months of past and future travel. The PIA notes that the database can be searched using various identifiers, including name, credit card number, or airline. However, it's important to note a limitation mentioned in the PIA: ARC's data primarily comes from tickets purchased through ARC-accredited travel agencies, such as Expedia. Flights booked directly with an airline may not be included in an ARC report accessed by the government.

Despite this limitation, the data still impacts both US and non-US persons, meaning information on American citizens' domestic travel is included and accessible. CBP stated that the data is only used when an investigation by its Office of Professional Responsibility (OPR) is open and the agency needs to locate someone related to that investigation. They describe the data as a potential starting point to identify relevant flight records before pursuing further information through legal processes.

While CBP frames this access as a tool for specific investigations, civil liberties experts argue that purchasing bulk data from a broker circumvents the legal processes typically required to obtain sensitive information. These processes, such as obtaining a warrant or subpoena, involve judicial oversight and are intended to ensure that data collection is limited to what is necessary for a specific investigation.

The Secrecy Clause: Hiding the Source

One of the most striking revelations from the obtained documents is the clause included in the contract between ARC and CBP. ARC explicitly requested that CBP “not publicly identify vendor, or its employees, individually or collectively, as the source of the Reports unless the Customer is compelled to do so by a valid court order or subpoena and gives ARC immediate notice of same.”

This clause suggests a deliberate effort to obscure the origin of the data once it is in the government's hands. By preventing the government from disclosing that ARC is the source, it makes it significantly harder for the public, oversight bodies, or even individuals whose data is accessed, to understand the full scope of government surveillance activities and the role played by private companies.

Transparency is a cornerstone of accountability, particularly when government agencies are collecting sensitive personal information. A clause demanding secrecy about the data source undermines this principle, making it difficult to scrutinize the legality, necessity, and privacy implications of these data purchases. It raises questions about why ARC and the airlines that own it would seek such a condition, potentially suggesting an awareness that the public might react negatively to the knowledge that their travel data is being sold to the government.

Bypassing the Fourth Amendment? The Data Broker Loophole

The practice of government agencies purchasing commercially available data from brokers has become a significant concern for privacy advocates. Experts argue that this constitutes a “data broker loophole,” allowing agencies to acquire information that would otherwise require a warrant or other legal process based on probable cause.

The Fourth Amendment to the US Constitution protects individuals from unreasonable searches and seizures, generally requiring a warrant supported by probable cause for government intrusion into areas where individuals have a reasonable expectation of privacy. While courts have sometimes ruled that information voluntarily shared with third parties (like phone companies or banks) has a reduced expectation of privacy, the scale, sensitivity, and aggregation of data available through brokers challenge these precedents.

Jake Laperruque, deputy director of the Center for Democracy & Technology's Security and Surveillance Project, highlighted this concern, stating, “While obtaining domestic airline data—like many other transaction and purchase records—generally doesn't require a warrant, there's still supposed to go through a legal process that ensures independent oversight and limits data collection to records that will support an investigation.” He argues that the government is using data brokers “to buy their way around important guardrails and limits.”

The purchase of domestic flight data is not an isolated incident. Reports have revealed government agencies buying various types of sensitive data from brokers, including:

  • Location data harvested from smartphone apps.
  • Utility data revealing information about household activities and presence.
  • Internet backbone data that can reveal online activity patterns.

This pattern suggests a systemic reliance on the commercial data market to enhance surveillance capabilities without the legal burdens associated with traditional methods. Laperruque describes this trend as the “Big Data Surveillance Complex,” drawing a parallel to the military-industrial complex, where private industry profits from government demand for surveillance tools and data.

Critics argue that this approach pushes the government back towards a “collect it all” mentality, amassing vast databases of sensitive information on ordinary Americans by default, rather than focusing investigations based on specific suspicions and legal authorization. This stands in contrast to surveillance reforms enacted in the past, particularly after revelations of bulk data collection programs, which aimed to limit the government's ability to collect data on Americans indiscriminately.

Congressional Concern and Calls for Action

The revelations have prompted swift reactions from lawmakers concerned about privacy rights. Senator Ron Wyden, a vocal advocate for privacy and oversight of government surveillance, issued a strong statement condemning the practice.

“The big airlines—through a shady data broker that they own called ARC—are selling the government bulk access to Americans' sensitive information, revealing where they fly and the credit card they used,” Senator Wyden stated. He noted that ARC has refused to answer questions from Congress regarding these practices.

In response, Senator Wyden has contacted the major airlines that own ARC, including Delta, American Airlines, and United, demanding to know why they approved the sale of their customers' data to the government. This indicates a growing push for accountability not only from the government agencies purchasing the data but also from the private companies facilitating its sale.

The call for congressional intervention is becoming louder. Experts like Laperruque argue that it is time for Congress to step in again, just as it did after previous surveillance controversies, to close the data broker loophole and prevent it from being used to bypass existing legal protections and surveillance reform legislation.

The Airlines' Stance (or Lack Thereof)

When contacted about the data sales, the airlines involved have largely remained silent or deferred responsibility. According to 404 Media's reporting, airlines contacted either declined to comment, did not respond, or directed inquiries to ARC or DHS. ARC itself also declined to comment on the matter.

This lack of transparency from the airlines is concerning, given their ownership of ARC and the sensitive nature of the data being sold. Travelers entrust airlines with personal information necessary for travel, operating under the implicit assumption that this data will be used for legitimate travel-related purposes, not sold to government agencies for surveillance purposes without their explicit consent or knowledge.

The airlines' ownership structure of ARC means they are directly benefiting from the sale of this data, raising ethical questions about their role in facilitating government surveillance that bypasses legal processes. Their silence in the face of public and congressional scrutiny further erodes public trust.

The Scope of the Data and Government Access

The ARC TIP database, with its billion-plus records spanning over three years, represents a significant repository of information about Americans' movements. While the DHS PIA notes that it primarily covers tickets booked through travel agencies, this still accounts for a substantial portion of air travel, particularly for business travelers and those using online travel platforms like Expedia.

The ability to search this database by name, credit card, or airline allows agencies like CBP and ICE to quickly identify individuals' past and future travel plans, potentially without needing to demonstrate specific suspicion or obtain a warrant. This kind of access can reveal sensitive details about a person's life, including their associations, their destinations (which could indicate medical appointments, political gatherings, or personal relationships), and their financial activities.

The CBP contract, initially a modest $11,025 transaction starting in June 2024, has already seen an extension with an additional $6,847.50 for “Option Year 1,” suggesting an ongoing relationship and potential for further extensions through 2029. While these specific contract values might seem small in the context of government spending, they represent access to a vast and continuously updated dataset.

The fact that the data is used to support federal, state, and local law enforcement agencies means its reach extends beyond federal borders and immigration enforcement, potentially impacting a wide range of investigations at different levels of government.

Privacy in the Age of Data Brokers

The case of airlines selling flight data to DHS through ARC is a stark illustration of the challenges to privacy in the modern data economy. Companies collect vast amounts of personal information as part of their services, and a parallel industry of data brokers has emerged to aggregate, analyze, and sell this data.

Consumers are often unaware of the extent to which their data is collected, shared, and sold. Privacy policies are frequently complex and difficult to understand, and the sheer volume of data transactions makes it nearly impossible for individuals to track how their information is being used.

When government agencies become customers in this data market, it creates a powerful incentive for data collection and aggregation, potentially blurring the lines between legitimate business practices and government surveillance. It also raises questions about accountability – who is responsible when sensitive data is misused or accessed without proper legal authorization? Is it the data broker, the government agency, or the original company that collected the data?

The secrecy clause in the ARC-CBP contract further complicates accountability, making it harder to trace the origins of data used in investigations and potentially shielding the data broker from public scrutiny and legal challenges.

The reliance on data brokers also bypasses the checks and balances inherent in the traditional legal system. Warrants and subpoenas require a showing of probable cause or relevance to a specific investigation, and they are reviewed by a judge. Purchasing data from a broker, however, can allow agencies to access information on a much broader scale, potentially enabling dragnet surveillance or investigations based on tenuous connections.

Looking Ahead: The Need for Regulation and Transparency

The revelations about ARC and DHS highlight the urgent need for greater regulation of the data broker industry and increased transparency regarding government data purchases. Lawmakers and privacy advocates are calling for legislative action to close the data broker loophole and ensure that government access to sensitive personal information is subject to meaningful legal oversight.

Potential solutions could include:

  • Requiring warrants for government access to certain types of commercially available data that would otherwise require a warrant if collected directly.
  • Establishing clear rules and limitations on the types of data government agencies can purchase and how they can use it.
  • Mandating transparency requirements for both data brokers and government agencies regarding the sale and purchase of personal data.
  • Holding companies like airlines accountable for how the data they collect is used and shared by entities they own or partner with.

Without such measures, the trend of government agencies buying their way into vast databases of personal information is likely to continue, eroding privacy rights and expanding the surveillance state without public knowledge or democratic debate.

The fact that airlines, companies that profit directly from facilitating travel, are involved in selling the detailed travel records of their customers to government agencies underscores the complex and often hidden ways our personal data is being used. As Senator Wyden and privacy experts emphasize, shedding light on these practices and implementing robust legal protections are crucial steps in safeguarding civil liberties in the digital age.

The documents obtained by 404 Media serve as a critical reminder that the data we generate every day, even through seemingly mundane activities like booking a flight, can be collected, aggregated, and used in ways we never intended or imagined. The fight for data privacy and against unchecked government surveillance is increasingly focused on the opaque world of data brokers and the companies that feed them information about our lives.

Planes sit on the tarmac at Newark Liberty International Airport
Planes sit on the tarmac at Newark Liberty International Airport on June 02, 2025, in Newark, New Jersey. Photograph: Spencer Platt/Getty Images

The secrecy clause in the ARC-CBP contract is particularly concerning because it actively works against the transparency needed for public oversight. If the government is buying data to bypass legal processes, and the source of that data is hidden, it becomes nearly impossible for civil liberties groups, journalists, or the public to track these activities and hold agencies accountable. This lack of transparency creates an environment where surveillance can expand unchecked, without the public being fully aware of how their information is being used or the extent of government access to their private lives.

The argument that this data is necessary for national security or criminal investigations, while potentially true in specific, targeted cases, does not justify bulk, warrantless access to the travel records of millions of Americans. The legal system provides mechanisms for government agencies to obtain data when they have a legitimate need and can demonstrate probable cause or relevance to a specific crime. Bypassing these mechanisms through commercial data purchases undermines the balance between security and privacy that is fundamental to a democratic society.

Furthermore, the involvement of major airlines, companies that rely on public trust, in this data-selling scheme raises questions about their ethical obligations to their customers. While ARC may have been established with post-9/11 security in mind, its current activities, including selling data for domestic law enforcement purposes with a secrecy clause, go beyond what most travelers would reasonably expect or consent to.

The ongoing nature of the CBP contract with ARC, and the previous revelations about ICE's similar purchase, indicate that this is a standard practice within DHS. The list of other agencies found to have purchased ARC's services – including the Secret Service, SEC, DEA, the Air Force, US Marshals Service, TSA, and ATF – suggests that the use of this airline data broker is widespread across the federal government.

This broad government reliance on commercially available data, acquired without warrants, represents a significant shift in surveillance practices. It moves away from targeted investigations based on suspicion towards a model of mass data acquisition and analysis, where individuals' activities can be tracked and scrutinized based on their presence in commercial databases.

The call from Senator Wyden and civil liberties groups for Congress to act is a crucial step. Legislation is needed to explicitly regulate government data purchases from brokers, ensuring that such acquisitions do not become a backdoor around constitutional protections. The public deserves to know how their data is being used by their government, and companies that collect and sell sensitive information must be held accountable for their role in the surveillance ecosystem.

The story of airlines selling flight data to DHS is more than just a technical privacy issue; it's a story about power, transparency, and the future of surveillance in a data-driven world. It highlights the urgent need for a public conversation about the limits of government access to private data and the responsibilities of companies that hold that data. As the digital footprint of our lives continues to grow, ensuring that our fundamental rights are protected requires vigilance and action to close the loopholes that allow for unchecked surveillance.

The documents obtained by 404 Media, detailing the CBP contract and the secrecy clause, provide concrete evidence of these practices. They underscore the importance of investigative journalism and FOIA requests in uncovering hidden government activities. Without such efforts, the public would remain largely unaware of the extent to which their most sensitive information is being traded and used.

Ultimately, the responsibility lies with both the government and the private sector. Government agencies must adhere to the spirit and letter of the law, using legal processes to obtain data rather than buying it to bypass oversight. Airlines and data brokers must prioritize the privacy of individuals whose data they handle, being transparent about how that data is used and refusing to participate in practices that undermine civil liberties.

The path forward requires legislative reform, increased transparency, and sustained public pressure. Only by addressing the data broker loophole and demanding accountability from both government and corporations can we hope to protect our privacy in an increasingly interconnected and data-saturated world.

The contract between ARC and CBP, with its explicit instruction for secrecy, serves as a stark reminder that the erosion of privacy often happens quietly, behind closed doors, through seemingly innocuous commercial transactions. Bringing these practices into the light is the first step towards demanding change and rebuilding trust.

The full implications of government agencies having access to years of domestic flight data, searchable by name or credit card, are vast. It allows for the mapping of relationships, tracking of movements to sensitive locations (like political rallies, medical facilities, or places of worship), and the creation of detailed profiles of individuals' lives, all potentially without any form of judicial review or oversight.

This situation underscores the critical need for a comprehensive federal privacy law that would regulate the collection, use, and sale of personal data by companies, including data brokers. Such a law could provide individuals with greater control over their information and establish clear rules for when and how government agencies can access commercially available data.

In the meantime, the efforts of journalists and civil liberties advocates to expose these practices remain vital. The more the public understands how their data is being used, the more pressure can be brought to bear on lawmakers and corporations to implement meaningful reforms.

The sale of domestic flight data by airlines through ARC to DHS, coupled with the demand for secrecy, is a clear signal that the current legal and regulatory framework is insufficient to protect privacy in the age of big data. It is a call to action for policymakers to address the data broker loophole and ensure that government surveillance is conducted in a manner consistent with constitutional rights and democratic values.

As travelers, we have little choice but to provide sensitive information to airlines to fly. We should be able to do so with the confidence that this information will be protected and not weaponized for surveillance purposes without proper legal authorization. The current revelations demonstrate that this confidence is misplaced, highlighting the urgent need for change.

The documents obtained by 404 Media are a crucial piece of evidence in the ongoing debate about government surveillance and data privacy. They provide a concrete example of how commercial data markets are being leveraged by government agencies to expand their surveillance capabilities, often in ways that bypass traditional legal constraints and transparency requirements. The secrecy clause adds another layer of concern, suggesting a deliberate attempt to keep these practices hidden from public view.

Addressing this issue requires a multi-pronged approach, involving legislative reform, increased oversight, and greater transparency from both government and the private sector. The goal must be to ensure that government access to sensitive personal data is always subject to meaningful legal checks and balances, and that individuals' privacy rights are protected in the digital age.

The story of ARC and DHS is a wake-up call, reminding us that the fight for privacy is not just about protecting our online activities, but also about safeguarding the information generated by our everyday lives, including how we travel. It is a call for greater scrutiny of the relationships between corporations and government agencies, particularly when those relationships involve the exchange of sensitive personal data.

The future of privacy depends on our ability to close the data broker loophole and establish clear rules for government access to commercially available information. The revelations about airline data are a critical step in bringing this issue to the forefront and demanding action.

The contract between ARC and CBP, and the secrecy clause it contains, should serve as a catalyst for reform. It is time for Congress to act, for airlines to be transparent, and for the public to demand that their privacy be protected from unchecked government surveillance facilitated by the commercial data market.

The documents obtained through FOIA requests are invaluable in exposing these practices. They demonstrate the power of public information laws and independent journalism in holding powerful institutions accountable. Without such efforts, the secret sale of our skies might have remained hidden, allowing the expansion of surveillance to continue unchecked.

The implications of this data sale extend beyond individual privacy. They touch upon fundamental questions about the nature of government power, the role of corporations in facilitating surveillance, and the effectiveness of existing legal frameworks in protecting civil liberties in the digital age. Addressing these questions is essential for building a society where technology serves humanity, rather than enabling unchecked surveillance.

The time for action is now. The data broker loophole must be closed, transparency must be mandated, and accountability must be enforced. Our right to privacy depends on it.