Big Brother Has a Boarding Pass
By the time you hand over your boarding pass, a government risk score already exists for you. Here's what's being collected, who sees it, and what you can actually do about it.
The boarding pass printed. The bag dropped at check-in. Flight's in three hours, and I'm already in a database.
Not a metaphor. Literally: the airline transmitted my passport data to U.S. Customs and Border Protection before I reached the security line. By the time I board, a risk score has been assigned to me — drawn from my travel history, my booking behavior, who I've traveled with, how I paid. The CBP officer who scans my passport at arrival has already seen it.
Most travelers have no idea any of this is happening. I'm a lawyer who reads fine print for a living, and I had a significant gap in my understanding until I started pulling on this thread.
Here's what I found.
The Two Systems Running Every Time You Fly
There are two distinct data pipelines behind every international flight. They have boring acronyms, but the implications are anything but.
API: Advance Passenger Information
This is the hard data — your name, date of birth, nationality, passport number, flight details. It comes straight off your travel document. When you're flying into the U.S., the airline is legally required to transmit it before the plane pushes back from the gate. By the time the flight attendant finishes the safety demo, CBP already knows you're on that plane.
PNR: Passenger Name Record
This one is considerably juicier. PNR is the reservation-based data that airlines and travel agencies collect when you book — your itinerary, payment method, contact information, travel companions, seat preferences, baggage details. Your meal request (kosher? vegan? gluten-free?). Whether you've requested a wheelchair. How you paid and when. Where you're staying at your destination.
Governments typically start receiving PNR data 72 hours before departure. They're looking at this days before you land — not as you walk up to the immigration desk.
How Many Countries Are Doing This?
More than you'd guess, and the number keeps climbing.
Around 106 countries now require API data. Around 64 mandate PNR as well. A decade ago, this wasn't standard practice. The 9/11 attacks were the inflection point — the U.S. made PNR mandatory shortly afterward, and much of the world followed over the next decade. The EU formalized its framework in 2016. The UN Security Council passed resolutions pushing member states to build out their own systems.
It's now genuinely global, and the trajectory is clear: more countries, more data, every year.
Who Sees What — And When
The data doesn't flow to one place. It distributes across a hierarchy of people, each with different access levels, at every stage of the journey.
The check-in agent who tags your bags has access to your full PNR — your entire booking record. They can see how much you paid, when you bought it, through what channel. Agents can and do make notes on passenger records, and those notes can follow you on future flights.
The gate agent sees everything about your ticket — price, purchase date, channel. They see your frequent flyer status, your special service requests, whether you've been flagged as a runner on a tight connection. What they generally don't have: access to your broader travel history or government security files. Their job is operational — get the right people on the plane.
The flight attendant sees considerably less. Cabin crew typically receive a manifest with names, seat assignments, meal preferences, and special service codes. They may know your elite status. What's new: many airlines now equip crew with tablets giving real-time access to passenger data. That flight attendant greeting you by name in business class? Not necessarily memory. Probably technology.
The CBP officer at the U.S. border is where the data picture explodes.
When that officer scans your passport, they pull your record from the Automated Targeting System — a risk-scoring engine that has been quietly building a file on you across every trip you've ever taken. That file includes your name, aliases, address, phone number, email, date of birth, travel document details, PNR data, biometric data on file, and biographical information from visa or ESTA applications.
It also includes your full travel history. Every border crossing is captured and added to your passage record, and computers analyze those histories to identify patterns worth a closer look. The officer can also see notes left by previous officers. That tense interaction at JFK three years ago? It may still be in there.
And the scope extends further. Border officers access security databases sourced from Interpol, national watchlists, and international terrorism and criminal records.
The border officer in a foreign country varies significantly by nation. What most will see: your passport data, your travel history in their own systems, and any international watchlist flags. When data is shared between countries — the U.S. and Canada, for instance — it's no longer subject to the privacy laws of the originating country. The receiving country's policies govern it.
For those of us who cross a lot of borders: assume any country with a serious border apparatus has more on you than you'd expect.
The Government vs. Commercial Data Split
Everything above is about government surveillance. There's a parallel commercial data story that airlines don't advertise.
As carriers gather intelligence on your travel patterns, seat preferences, booking habits, and financial profile, they build behavioral models covering your interests, price thresholds, and payment tendencies. The first eight digits of your credit card number identify your bank and card type. Whether you consistently upgrade signals your price sensitivity. Even whether your employer is on the same flight can be data airlines track and use.
This information flows to partner airlines through alliance networks and to commercial partners — banks, hotels, car rental companies. Bank partnerships account for half the points earned in frequent flyer programs and up to 71% of their cash flow. Your airline and your bank have an extraordinarily cozy data relationship. The commercial picture gets its own full treatment later in this series.
For now: two entirely different surveillance architectures are running when we fly — government and commercial — and they operate largely independently of each other.
Should You Be Worried?
Not alarmed. Informed.
The government collection is largely unavoidable if you fly internationally. It exists, it's legal, it's built on treaties and domestic law. We're probably more exposed to it than the average traveler — we cross more borders more often, which means more data points, more patterns, more file.
That file isn't sinister. But it exists, it's growing, and what's in it can determine whether you board a flight, get pulled aside, or face questions you weren't expecting.
That's what the rest of this series is about.
Up next: four letters stamped on your boarding pass that can unravel your entire travel day — and the invisible scoring system behind them.
