A data broker owned by major U.S. airlines, including Delta, American Airlines, and United, collected and sold domestic flight information of American travelers to Customs and Border Protection (CBP), according to internal agency documents obtained by 404 Media. The records include passengers' names, full travel itineraries, and financial information.

The Airlines Reporting Corporation (ARC), a data brokerage company jointly owned by Delta, Southwest, United, American Airlines, Alaska Airlines, JetBlue, as well as international carriers Lufthansa, Air France, and Air Canada, provided CBP with passenger data under a program known as the Travel Intelligence Program (TIP). Documents disclosed through a Freedom of Information Act (FOIA) request by 404 Media revealed that ARC specifically instructed CBP not to disclose ARC as the data source unless compelled to do so by a court order.

CBP, an agency within the Department of Homeland Security (DHS), justified the purchase of this sensitive passenger information, stating that it is vital for federal, state, and local law enforcement agencies to track individuals of interest. "The data will provide visibility on a subject’s or person of interest’s domestic air travel ticketing information, as well as tickets acquired through travel agencies in the U.S. and its territories," according to the agency’s Statement of Work. The records span approximately 39 months and are updated daily.

However, ARC's data does not include flights booked directly through airline websites, but rather through ARC-accredited travel agencies, such as Expedia. CBP's Privacy Impact Assessment notes that this surveillance capability extends to both U.S. citizens and non-citizens, raising significant concerns about civil liberties among experts.

"The big airlines—through a shady data broker that they own called ARC—are selling the government bulk access to Americans' sensitive information, revealing where they fly and the credit card they used," Senator Ron Wyden said in a statement addressing the revelations.

The contract between CBP and ARC commenced in June 2024 and could extend until 2029.

CBP clarified that the passenger data purchased from ARC is specifically utilized when conducting investigations through its Office of Professional Responsibility (OPR), which probes employee misconduct within CBP. "CBP is committed to protecting individuals’ privacy during the execution of its mission," a spokesperson stated. The agency insisted the data is only the first step in investigative processes, with subsequent legal steps necessary for further inquiry.

Civil liberties advocates expressed alarm over the arrangement. Jake Laperruque, Deputy Director of the Center for Democracy & Technology's Security and Surveillance Project, described the practice as an attempt to circumvent existing surveillance restrictions. He characterized the arrangement as an expansion of the "Big Data Surveillance Complex," echoing concerns of unchecked governmental data collection previously rejected by the public and Congress.

"It's clear the data broker loophole is pushing the government back towards a pernicious 'collect it all' mentality," Laperruque warned. He urged legislative action to close loopholes allowing data brokers to evade legal oversight and privacy protections.

Senator Wyden stated he is actively seeking explanations from the airlines about their decision to authorize ARC's sale of customer data to the government. ARC declined to provide comments to media inquiries, deferring instead to past statements justifying the TIP program as essential for national security and criminal investigations post-September 11.

Consumer Protection and Class Action attorney Ralph Kalfayan discussed this matter with Law Commentary, stating that the airlines' sale of consumer flight data to CBP "a potentially serious violation of consumer rights." Kalfayan emphasized, "Consumers have a reasonable expectation of privacy when booking travel arrangements. The unauthorized sale of their personal and financial data undermines consumer trust and potentially exposes individuals to unnecessary surveillance or misuse of their information. Those affected may have legal recourse through class action litigation, aiming to hold these corporations accountable for breaching established privacy protections."

Law enforcement agencies increasingly purchase private data as an alternative to traditional judicial oversight mechanisms, such as warrants or subpoenas. This approach extends to purchasing smartphone location data, utility records, and internet activity. Privacy advocates continue to call for tighter regulation and transparency regarding the government's acquisition and use of private data.