Have you ever been curious as to what information the government has stored about you and your travel records? A Passenger Name Record (PNR) is a computerized travel record created by airlines or travel agencies for both domestic and international flights, as well as hotel bookings, car rentals, cruises, and train trips. Your PNR, which is given to U.S. Customs and Border Protection (CBP) if you travel internationally, can include details like your un-redacted credit card number or IP addresses. As Ars Technica\u2019s Cyrus Farivar found out, your PNR is just another example of the government\u2019s \u201ccollect it all\u201d mentality.Farivar submitted a Freedom of Information Act request to CBP for his PNR; he was eventually given 76 pages of data covering his travel from 2005 to 2013. He said his PNRs included \u201cevery mailing address, email, and phone number\u201d he ever used, as well as some PNRs listing the IP address he used when buying the ticket, his full credit card number stored in the clear, and notes jotted down by airline call center employees \u201ceven for something as minor as a seat change.\u201dAfter he consulted travel writer Edward Hasbrouck, Farivar was told, \u201cPNRs like mine are created for domestic flights, too, but that it's only for international travel that data is routinely given to CBP.\u201d He also learned that every notation made by an airline call center employee, for things such as seat changes or even special needs requests, can stay in your permanent file kept by DHS.Hasbrouck has written extensively about what\u2019s in a PNR and about Computerized Reservation System databases.If you make your hotel, car rental, cruise, tour, sightseeing, event, theme park, or theater ticket bookings through the same travel agency, Web site, or airline, they are added to the same PNR. So a PNR isn't necessarily, or usually, created all at once: information from many different sources is gradually added to it through different channels over time.When a ticket is issued, that is recorded in the PNR; if it's an e-ticket, the actual "ticket", as defined by the airline, is the electronic ticket record in the PNR. When you check-in, the claim check numbers and the weights of your bags are added to the PNR. If you don't show up for a flight on which you are booked, that fact is logged in the PNR.Any additions, changes, cancellations, seat assignment or special needs requests can also be added to the PNR. Hasbrouck explained, "The bottom line is that PNRs contain a great deal of confidential and sensitive information deserving of strong privacy protection, but not necessarily even the most basic information needed for positive identification or 'profiling' of travelers."The amount of personal and sensitive data collected in PNRs has been an area of concern for some privacy watchdogs, like EPIC. The PNR could include\u00a0"the passenger's full name, date of birth, home and work address, telephone number, email address, credit card details, IP address if booked online, as well as the names and personal information of emergency contacts." A PNR could also contain "detailed information on patterns of association between travelers," as well as sensitive information like "religious meal preferences and special service requests that describe details of physical and medical conditions (e.g., 'Uses wheelchair, can control bowels and bladder')."Farivar found out that after booking a flight with Travelocity, the PNR included\u00a0"a huge amount of information," like his full credit card number. Storing credit card numbers in the clear is a breach of PCI data security standards (pdf).\u201cWhy isn\u2019t the government complying with even the most basic cybersecurity standards?\u201d asked Fred Cate, a law professor at Indiana University. \u201cStoring and transmitting credit card numbers without encryption has been found by the Federal Trade Commission to be so obviously dangerous as to be \u2018unfair\u2019 to the public. Why do transportation security officials not comply with even these most basic standards?\u201dCate also told Farivar:"No wonder the government can\u2019t find needles in the haystack\u2014it keeps storing irrelevant hay. Even if the data were fresh and properly secured, how is collecting all of this aiding in the fight against terrorism? This is a really important issue because it exposes a basic and common fallacy in the government\u2019s thinking: that more data equates with better security. But that wasn\u2019t true on 9\/11, and it still isn\u2019t true today. This suggests that US transportation security officials are inefficient, incompetent, on using the data for other, undisclosed purposes. None of those are very encouraging options."The government may not have wanted Farivar to see what his PNRs contained, as he had to appeal his FOIA request. But it's not just PNRs with sensitive information that DHS\/CBP can access. An investigation by the Toronto Star found that thousands of Canadians, who were never convicted of a crime, are listed in massive police databases that are accessible to U.S. border authorities. Toronto police had also been accused of "disclosing the mental health records it logs into Canada\u2019s national police database," and then sharing the sensitive medical records with U.S. border authorities, ultimately resulting in Canadians being blocked from entering the U.S.CBP claims PNR data is kept for five years, but as Farivar found out after seeing nine years of his travel records, "We now live in a world where it\u2019s increasingly difficult to prevent the authorities from capturing information on one\u2019s movements or communications." Indeed, it's part of the "collect it all" mentality\u2026just in case you \u2013 or someone you know or sat by during travel \u2013 might turn out to be a crook or terrorist.