Privacy implications of handing over your boarding pass at an airport shop
11 August 2015
Update: Brian Krebs has a good breakdown of just how much data is in a boarding pass barcode.
Over the last two days, mainstream UK media seems to have caught up with the fact that airport retailers here ask passengers for boarding passes so they can avoid paying VAT on the purchase when the person in question is travelling outside of the EEA.
While it’s slightly unfair to frame this as tax avoidance, it’s reasonable to assume that ‘duty free’ savings are passed on to customers rather than withheld by the retailer. Some do, some don’t.
But this isn’t the only legitimate concern a passenger should have about handing over their boarding pass.
Each boarding pass displays a barcode-encoded PNR, or passenger name record, commonly referred to as a booking reference. These are typically alphanumeric and 5–6 characters long.
With a PNR and a surname, also present in the barcode data, the retailer gets access to the passenger’s entire itinerary.
For a simple flight booking, this might not include much of interest – their seat number, for example, or the names of the other passengers.
But in many cases it will include much more, especially if the itinerary is booked by a travel agent and includes accommodation and other services. Hotel names and addresses, car rental details and so on could all be revealed – a veritable stalker’s paradise.
Quite simply: handing over your boarding pass to an airport retailer allows them to spy on your travel plans.
Despite reassurances from some that they don’t store the data – Boots confirmed to me that it doesn’t – it’s only a matter of time before this process is abused.
Corporate travellers are most at risk at present, as their PNRs are likely to refer to complete itineraries rather than just a single flight, and it wouldn’t be surprising if corporate travel policies and security teams started to ban employees from handing over this sort of information.
It’s time for airport retailers to end this practice. A simple visual check of the boarding pass will reveal the destination, which is sufficient information to allow them to fulfil their VAT obligations. Collecting swathes of personal data is both egregious and incredibly risky.