# Aer Lingus Email:Gathering data for US Department of Homeland Security



## gentle123 (28 Sep 2005)

hi,

Im travelling to USA in October, i just received the following email today from Aer Lingus 

Dear Sir or Madam: 



Your booking reference includes travel to the USA. 



The U.S. Department of Homeland Security (Bureau of Customs and Border

Protection) requires certain Advance Information about all passengers -

including infants - travelling to the USA. 

Airlines must have this information before passengers can be Checked In

for flights to the USA. 



We are currently gathering the data in advance of check in to provide a more efficient service for you, our passenger and to reduce Queuing time at check in. 



The Information required from each passenger - including infants - is: 



- First Name (as on passport)

- Family Name (as on passport)

- Gender

- Date of Birth (ddmmmyy format)

- Nationality

- Passport Number and Alien Resident Card (Green Card) if applicable

- Country of Issue of Passport and Alien Resident Card (Green Card) if applicable

- Expiry Date of Passport and Alien Resident Card (Green Card) if applicable (ddmmmyy format)

- Address while in USA (including ZIP Code) 



In order to assist you in providing us with the details we have set up the following email address, customer.contact@aerlingus.com to which you can reply. 

Thank you for your time 





Kind Regards,

Aer Lingus Customer Contact Centre 

Has anyone else received an email like this and did you send off the information?

Thanks in advance


----------



## Cahir (28 Sep 2005)

*Re: Aer Lingus Email*

I'm travelling in November with aer lingus and haven't received anything like this.  Seems a bit strange, you should give them a call.


----------



## soy (28 Sep 2005)

*Re: Aer Lingus Email*

This is a new US immigration requirment that comes into effect on Oct 4th. There is no scam involved.


----------



## Cahir (28 Sep 2005)

*Re: Aer Lingus Email*

But you fill all that stuff out on the plane anyway.


----------



## zag (28 Sep 2005)

*Re: Aer Lingus Email*

I would ring Aer Lingus to confirm this.  It probably is legitimate, and especially so if they have included your dates and booking references, but it could be someones effort at phishing - getting people to part with confidential information by pretending to be someone else.  Unlikely if they actually are using an aerlingus.com email address, but possible.

If this is the way Aer Lingus are collecting confidential information (like passport numbers and expiry dates) then their IT auditors and compliance people should be woken up and told about it.  They are asking people to send this information in clear-text through the internet and they don't provide (from the email above) a privacy policy indicating what they will or will not do with the information provided.  Yes, they will pass it on to the US authorities (and you can't do much about it if you want to go there these days), but who else will they pass this information on to ?

At the very least they should provide a secure website where you can enter this information without risk of it being intercepted.

The more I think about it, the sillier it seems - if people send in free-form emails with information all over the place, someone is going to have to re-enter the information into whatever system they are using to record all the details.  Much better to graball the information from a web site and stick it in the application directly.

z


----------



## zag (28 Sep 2005)

*Re: Aer Lingus Email*

cahir - the US authorities want advance warning these days.  They currently require airlines to provide passenger lists when planes have departed so they can scan them for terrorists traveling on legitimate passports.  Remember Cat Stevens got sent back to London last year because someone saw him on a list - plane just landed and he had to get back on it and return.  The US authorities are trying to pre-screen the lists now instead of waiting until the terrorist is in the air.

Just to clarify - I use the word 'terrorist' above loosely, meaning whoever it is *they* don't like, not meaning somene who has actually carried out a terrorist act.

z

Link to Cat Stevens article - http://abcnews.go.com/2020/News/story?id=139607&page=1


----------



## Capaill (28 Sep 2005)

*Re: Aer Lingus Email*

To follow up on Zags point it may be worthwhile pointing this out to the Data Protection Commissioner as this is personal information that is not properly secured.

C


----------



## BillK (28 Sep 2005)

*Re: Aer Lingus Email*

Zag is absolutely right; the US authorities do require the info when the plane has departed. (This has been extensively reported here in UK)
The alternative to providing the info in the manner requested by Aer Lingus is to give the info to the check-in clerk at the airport. How long before departure time would you have to be at the airport for the data to input and how many errors do you think would be generated, with the pressure of 300 other passengers waiting to check in?
Clearly a pain in the butt, but if you want to fly to the States that is part of the price.


----------



## MPH (29 Sep 2005)

*Re: Aer Lingus Email*

I booked flights to NY for early October on the net some weeks ago.  First I booked my own flight with my visa card then booked same flight for travel companion immediately after, same flights and dates.  She inputted her credit card details.  Two flight and two booking refs.  She has received this email and I haven't?  I will be calling Aer Lingus in the morning to check if it is bona fide.  Don't like sending this info in an email.  Why were we not asked for this info at the time of booking so it could be sent securely with cc details?


----------



## bond-007 (29 Sep 2005)

*Re: Aer Lingus Email*

I received the same email today also. I have forwarded it to Pat Kenny's radio show and we will see what comes of it!


----------



## gentle123 (29 Sep 2005)

*Re: Aer Lingus Email*

Hi Guys,  Thanks for all your replies.  I rang Aer Lingus yesterday, and yes this seems genuine.  There is a new immigration law that takes effect from Oct 4.  Aer Lingus are looking for the information to speed up check in.  One question i have is do the the people who have booked through the travel agencies have to provide the same information or is it just the people who have booked through the website?


Thanks again.


----------



## bond-007 (29 Sep 2005)

*Re: Aer Lingus Email*

It affects everyone. Those that don't give the info in advance will have to give it at check in, which will slow down the whole process. Its your choice which way you want to go.


----------



## gentle123 (29 Sep 2005)

I will be emailing the information today.  Every little bit helps as they say !!!


----------



## Capaill (29 Sep 2005)

I have raised the above email with the Data Protection Commissioner to see what their take is on Aer Lingus collecting personal information in unsecure emails.

Will let all know what feedback I get

C


----------



## gentle123 (29 Sep 2005)

Hi Guys,


I emailed Aer Lingus regarding the information required, this is their reply.

In order to speed up your check in time we need this information asap so you will not have to provide these details at the airport

Aer Lingus Customer Contact Centre
customer.contact@aerlingus.com


----------



## ajapale (29 Sep 2005)

Hi Gentle,

Would you like to post a copy of the email you sent to Aer Lingus? Take out any personal information.

This way we can assess whether AL addressed all the specific questions you asked.

aj


----------



## zag (29 Sep 2005)

It will be interesting to hear what the Data Protection Commissioner says.

There is enough information in the email for someone to build themselves a new passport using your details.  If someone intercepted one of these mails (and had the relevant passport faking technology - a fair assumption if they are sufficiently nefarious) they could create a passport with a valid passport number (yours), name (yours), place of issue, date of birth (yours), expiry date and their own picture.  As far as the immigration people would be concerned it would all ring true as the picture on the passport would match the face of the person in the queue and all the other details would be consistent.

This is like sending your credit card number, name and expiry date in a plain email - every single card provider strongly advises against this for a very good reason.

z


----------



## zag (29 Sep 2005)

In terms of the response from Aer Lingus - it might well speed up check-in, but it also fundamentally compromises your identity.

z


----------



## bond-007 (29 Sep 2005)

Pat Kenny is covering this matter, this morning apparently. He mentioned a shocking item on photo ids that we wanted to tell us about.


----------



## gentle123 (29 Sep 2005)

Hi AJ,


On the email i sent to AL, I basically just said that i was confused about their original email, i asked them if they wanted me to send the req'd info asap.  I also rang them to see if the email was genuine.

Thanks


----------



## Capaill (29 Sep 2005)

Reply from Datacommissioner Office re the above

"I refer to your earlier enquiry in relation to passenger data being submitted to Aer Lingus for transfer to the U.S. Department of Homeland Security.

Section 2D of the Data Protection Acts 1988 & 2003 covers the fair processing of  personal data. Section 2D (2) states that you should be aware of the following:

(a)the identity of the data controller,
(b) if he or she has nominated a representative for the purposes of this Act, the identity of the representative,
(c) the purpose or purposes for which the data are intended to be processed, and
(d) any other information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data to be fair to the data subject such as information as to the recipients or categories of recipients of the data, as to whether replies to questions asked for the purpose of the collection of the data are obligatory, as to the possible consequences of failure to give such replies and as to the existence of the right of access to and the right to rectify the data concerning him or her.

From the information given Aer Lingus have met all obligations under our Acts. If one of the requests was for bank details then the information would have to be encrypted or inputted to a secure site.

Hope I've clarified the query for you."

C


----------



## Ash (29 Sep 2005)

Is the same additional information required when flying to the US with any of the American based carriers?  My sister booked a flight to New York recently with Continental travelling in November.  That information wasn't requested at the time of booking and as far as I know, haven't been asked for since.
Anyway, apart from the US address, aren't all the details listed as required available on machine readable passports which we all have to have going to the States?


----------



## RainyDay (29 Sep 2005)

Capaill said:
			
		

> If one of the requests was for bank details then the information would have to be encrypted or inputted to a secure site.


It's not clear if this rule for bank information is from the legislation, or simply a matter of best practice. If the latter, it may well be that the practice should really be extended to cover all confidential information (including passport details), but the issue simply hasn't come up before.


----------



## zag (29 Sep 2005)

Ash - the main point is not that they are gathering the information.  Most people accept that if you want to enter a country you follow their rules or you don't go - so if the US authorities want this information before letting you in then so be it.

The main point is that Aer Lingus are asking people to send the information by email.  Email, while not entirely easy to intercept is totally insecure - if someone did intercept it they could read off all the details no problem.  Like I said above - the banks and credit card companies are pretty unanimous that you shouldn't send your credit card details to anyone by email precisely because it is insecure.  Why should passport details be any different.  It doesn't affect me because I'm not flying there, but if I do need to fly there I will fax them my details.

z


----------



## bond-007 (29 Sep 2005)

I can't see any problem in giving them the info on the morning of the flight. There is no specific requirement that they need the information weeks before hand.


----------



## Marion (29 Sep 2005)

I will be travelling to the US later this year with AA and I definitely wasn't asked to provide this information. I would normally have provided the information requested of _gentle 123_ at immigration control.

Marion


----------



## ajapale (30 Sep 2005)

from the data commissioners site.


> The Data Protection Acts, 1988 and 2003 do not detail specific security measures that a Data Controller or Data Processor must have in place. Rather section 2(1)(d) of the 1988 Act places an obligation on persons to have appropriate measures in place to prevent "unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction."



I think that the data commissioner's response simply skirts the issue.

Aer Lingus have an obligation under the act to "prevent unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction." By seeking this information by unsecure email I believe that they are operating in contravention of the act.

ajapale


----------



## z105 (13 Dec 2006)

The following was received by me a month ago before a trip to the USA - I see the difference is that one inputs the info via their website versus sending back an e-mail to them. One assumes some form of protection via their website as you need the booking ref to "manage your booking". At least I hope so !!

Dear Sir or Madam:

Your booking reference includes travel to and/or from the USA.

The U.S. Department of Homeland Security (Bureau of Customs and Border Protection) requires certain Advance Information about all passengers travelling to and/or from the USA.
Airlines must have this information before passengers can be checked in for flights to and/or from the USA.

For your convenience, and to reduce queuing time at check-in, you can now input this information on-line at  www.aerlingus.com. To add the information to your booking, simply logon to www.aerlingus.com and click on "Manage Booking" from the home page.

The Information required from each passenger is:

- First Name (as on passport)
- Family Name (as on passport)
- Gender
- Date of Birth
- Citizenship
- Passport Number and Alien Resident Card Number (Green Card) if applicable
- Passport Country
- Expiry Date of Passport
- Address while in USA (including ZIP Code)

Thank you for your time


Kind Regards,
Aer Lingus Customer Contact Centre



"This email is generated by computer and does not accept replies.
Please do not send email to this address as they will not be responded to"


----------



## redchariot (14 Dec 2006)

Don't send information by email; it is not secure. Although, having said that, you are required to provide the information to the airline before flying to the USA. If you booked your flight on aerlingus.com then you should be able to access your booking and enter the details securely.


----------



## Joe Nonety (21 May 2007)

Just wondering if filling in this information means you no longer have to fill out a form at the airport?


----------



## gentle123 (21 May 2007)

No, you still have to fill in the green form, all the information provides is advanced information on who is flying to the US.


----------

