Your flight lands, and on your way to pick up your luggage, you chuck the stub from your boarding pass. Bad move, according to a report in The Guardian of London, warning that with all the information out there on so many databases, just that little piece of paper could help an identity thief. Using the information retrieved from such a discarded pass, the story's author and a computer whiz
... logged on to the [British Airways] website, bought a ticket in [the stub discarder's] name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.
Using this information and surfing publicly available databases, we were able -- within 15 minutes -- to find out where [he] lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth when he bought it two years ago. (This was particularly easy given his unusual name, but it would have been possible even if his name had been John Smith. We now had his date of birth and passport number, so we would have known exactly which John Smith.)
The data collection started with the Computer Assisted Passenger Pre-Screening System that followed the 1996 crash of TWA Flight 800 in New York. After 9/11, CAPPS was ramped up into CAPPS II, which dismayed privacy advocates and was replaced with Secure Flight, which doesn't seem very different. The Guardian quotes one of the creators of CAPPS II:
If you are an American who has volunteered lots of details proving that you are who you say you are, that you have a stable home, live in a community, aren't a criminal, [Capps II] will flag you up as green and you will be automatically allowed on to your flight... The problem is that if the system doesn't have a lot of information on you, or you have ordered a halal meal, or have a name similar to a known terrorist, or even if you are a foreigner, you'll most likely be flagged amber and held back to be asked for further details. If you are European and the US government is short of information on you -- or, as is likely, has incorrect information on you -- you can reckon on delay after delay unless you agree to let them delve into your private details.
That is inconvenient enough but, as we tested the system, it became clear that information was going to be used to build a complete picture of you from lots of private databases -- your credit record, your travel history, your criminal record, whether you had the remotest dubious links with anyone at your college who became a terrorist. I began to feel more and more uncomfortable about it.
Thanks to a friend who spotted the story, and "had heard of some of the problems with data security, but didn't know about this particular problem." And I can't find a similar report in US media.