Passengers won’t even have time to ping

According to Kommersant, from September 1, in addition to passport and ticket data, carriers will be required to transfer data on bank cards, IP addresses, telephone numbers, email addresses and account passwords to a unified database. AEVT and airlines believe that some of the data is confidential information and cannot be transferred without the additional consent of the passenger. Kommersant’s sources in airlines also fear data leaks and increased liability for them. Kommersant’s interlocutors close to the Ministry of Transport say that the state system is well protected, and tracking anomalies in the data will make it possible to quickly identify criminals.

As Kommersant learned, the Ministry of Transport has prepared a draft order on a new procedure for the formation of automated databases of personal data on passengers and personnel (crew), which should come into force on September 1. Data must be transmitted by carriers on air, water and rail transport, as well as road transport for intercity and international traffic (except for flights between Moscow and the Moscow region, St. Petersburg and the Leningrad region).

The information will be fed into the unified state information system for transport security (USIS OTB). Its operator is the Federal State Unitary Enterprise of the Ministry of Transport “Zashchitainfotrans”. Rosaviation, Rostransnadzor, the Ministry of Internal Affairs and the FSB have access to the database. Now the Unified State Health Information System collects passport data, travel date and route.

The draft new order, which Kommersant has reviewed, expands this list. It will add the information that the passenger provides when booking and purchasing a ticket (Passenger Name Records, PNR): phone number, email address, ticket information. In addition, it is also proposed to collect account data (login and password) on the carrier’s website or application, as well as the IP address and port number from which the information was transmitted. When paying by credit card, the carrier will have to provide the last four digits of the card and the name of the bank, as well as the cost of the ticket and class of service. The data will be stored for seven years.

The Association of Air Transport Operators (AEVT), in a review of the project sent to the Ministry of Transport (available to Kommersant), indicated that some of the additional data about passengers, in particular the account login and password, are “confidential information, due to which cannot be disclosed without the consent of the subject of such data.”

At the same time, the transfer of PNR data within 15 minutes from the completion of each registered ticket transaction “does not comply with established standards and ICAO recommendations and is a difficult task for both Russian and foreign carriers using different booking systems.”

AEVT points out that the international standard is ICAO Doc 9944, Recommendations on Passenger Registration Records (PNRs), which “encourages States not to require or hold an operator responsible for providing PNR data that is not already collected or maintained.” in its reservation system.” In addition, they noted, the current legislation does not oblige carriers or authorized agents to obtain identification document details from the passenger at the booking stage. AEVT asked the Ministry of Transport to finalize the project.

Russian Railways and major airlines refrained from making official comments. Kommersant’s interlocutor at one of the airlines admitted that he does not yet understand how possible it is to automate the transfer of such a volume of data and why it is needed. The collection and transmission of data imposes additional costs, duties and responsibilities on airlines. Another Kommersant source agreed with this, noting that the new information may be of interest to attackers. At the same time, the Russian Federation has tightened liability for leaks of personal data: legal entities in case of repeated violation face fines of up to 500 million rubles, or 3% of annual revenue.

Smartavia agreed with AEVT that the requested data “is confidential and cannot be collected by air carriers.” Currently, the airline does not store the IP address and port from which the ticket was purchased or booked. “The assessment of the benefits is also not very clear, since a person can reach the booking stage on one device, continue purchasing from another, for example, from a mobile device, and carry out all these actions using a VPN,” the press service added. The carrier does not store passwords for your personal account on the website, “we also cannot transfer them, since this is only a hash of the password, which still needs to be matched to this hash, which is a very difficult task.” The carrier can theoretically provide the bank and the last four digits of the passenger’s bank card number, “but in case of payment using the SBP or SberPay system, the airline will not have such information.” “The more information is collected, the greater the potential negative consequences in the event of a leak,” the airline concludes.

In bus routes, only 10–15% of tickets are issued via the Internet, notes Tatyana Rakulova, director of the Association of Auto-Passenger Carriers. Verification of passenger cards during non-cash payments of passengers at the checkout will create additional difficulties for carriers. Digitalization itself and the collection of passenger data, in her opinion, are being successfully implemented in international practice, but the attempt to increase data collection is now “outpacing the situation in the Russian transportation market.”

AEVT, the Ministry of Transport and Zashchitainfotrans did not respond at the time of publication. According to a Kommersant interlocutor close to the Ministry of Transport, the document will no longer be finalized. He considers carriers’ concerns about possible leaks to be exaggerated. “Given the development of hacker capabilities, nothing can be ruled out, but Unified State Information System OTB systems are better protected than carrier reservation systems,” he added. According to Kommersant’s source, analysis of passenger data will make it possible to quickly identify “behavioral anomalies” and identify attackers “from smugglers to terrorists.” A Kommersant source in one of the domestic reservation systems objects that they store a minimum set of PNRs about the passenger and his ticket. Now there is a large amount of legal work to be done to revise agreements between booking systems and carriers, which will expand the list of data collected. For carriers, he concluded, restructuring processes will be “an expensive and lengthy process.”

Aigul Abdullina