
The FBI is secretly using Sabre as a global travel surveillance tool - AndrewBissell
https://www.forbes.com/sites/thomasbrewster/2020/07/16/the-fbi-is-secretly-using-a-2-billion-company-for-global-travel-surveillance--the-us-could-do-the-same-to-track-covid-19
======
skim_milk
I work in the travel industry as a programmer (god only knows for how much
longer) - I can tell you that Sabre and other GDS's are only used if you go
through a travel agent or use _some_ online reservation systems. If you book
through the airline's systems or on online reservation systems they likely use
the airline's systems to track travel instead of GDS since the GDS wants to
take a big cut of every ticket sale. And obviously only legacy travel
companies like Hertz and Mariott integrate with GDS's, new travel companies
Uber and Airbnb likely don't have any relationship with Sabre.

You're only likely to be in a Sabre system if you've been booked by your
company through a travel agent and rent using legacy car/hotel companies also
through your company's travel agent.

~~~
walrus01
You think US intelligence doesn't have access to other major airlines' back
end databases, or things like major hotels' reward programs, airbnb, uber,
lyft?

~~~
lawnchair_larry
As someone who has worked on security for said systems, and who is somewhat
familiar with the types of requests that are serviced to LEAs and TLAs, I do
think that they don’t have access to back end databases.

What, you think we set up a VPN for them so their SQL client in Fort Meade can
just query as they please? Or do you think they hack us?

~~~
grey-area
If you work for a useful target yes they probably have hacked you. They've
certainly hacked google in the past for example - see below. These agencies
are lawless and motivated. I imagine knowing where targets stay/travel in
advance could be very useful.

[https://www.google.com/amp/s/amp.theguardian.com/technology/...](https://www.google.com/amp/s/amp.theguardian.com/technology/2013/nov/06/google-
nsa-gchq-spying-judicial-process)

~~~
lawnchair_larry
There has never been a documented case through leaks or otherwise that they do
domestic hacking, including in all the links you are providing.

~~~
grey-area
What is domestic and what is not? Is a company with assets abroad domestic or
fair game abroad? You are aware these agencies share most data across borders
aren't you?

Tempora is domestic hacking, Stellar Wind is domestic hacking (sweeping up
data from all Americans), and these agencies share data extensively, so
domestic vs foreign has very little meaning to them at least.

~~~
lawnchair_larry
No, interception and wiretapping (especially with permission of the service
provider) are not the same thing as hacking a company to maintain persistent
access and surreptitiously using their assets to exfiltrate data. These are
very different things and the distinction matters.

I’m familiar with what kinds of things they do, and I don’t agree that they
should be doing a lot of what they do. It’s just that rooting american assets
isn’t one of those.

Also, you have the wrong country for Tempora.

~~~
grey-area
The agencies extensively share data and routinely break domestic laws. They
even use sharing as a way of getting around domestic restrictions.

------
imglorp
Pretty sure they've also got feeds on everyone's credit card purchases, emails
of itineraries, text message confirmations, your phone homing and roaming
(from the cell networks), from scores of apps that wanted your location
squealing to whoever wants to buy it, from face rec at airports, etc etc.

Your travel is certainly no mystery to the state without this one airline
feed.

~~~
sneak
[https://www.wired.com/2010/12/realtime/](https://www.wired.com/2010/12/realtime/)

The feds get every card swipe in real-time without a warrant.

------
downvoteme1
I am surprised that this is considered a secret anymore. If you travel
anywhere and board a flight, stay a hotel or rent a car, you should assume
that the government already knows about this. All companies have data sharing
agreements with the government and judges are known to sign very broad data
warrants that force companies to give data to governments for any suspicion of
crime .

Basically today, everybody should assume that the government knows everything
about you - where you live, where you work, what car you drive, where you
travel, What property you own, lease , whom you call etc. Privacy exists in
name only.

~~~
SkyBelow
>Privacy exists in name only.

Given that this information is the companies own info, voluntarily shared as a
private business, I wonder if we can make a comparison to free speech and the
notion that free speech still exists despite most avenues of communication now
being privatized and having control over what speech is allowed. Conceptually,
if free speech can still be considered to exist in such a realm, cannot
privacy? Yes, you may have to choose to note engage in companies that share
their data if you want to keep your privacy, but that is much like what
happens if you want to be able to speak without having to follow the limits
those companies have in place. This is not to say the arguments are identical,
but that there does seem to be similarity in their structure.

If one can takes the argument that you can keep your privacy by just refusing
to use airlines, credit cards, hotels, etc. and says that being forced to give
up so much to maintain privacy means that privacy is dead (or exists in name
only), then shouldn't it also be possible to make the argument that you can
keep your free speech as long as you avoid the growing list of companies who
refuse to business with individuals who engage in certain forms of speech
(especially who do so loudly) mean that free speech is also dead?

If instead the 'private businesses doing what they want' argument wins, then
shouldn't it also apply in the case of privacy? That the company sharing whom
they are offering a service to doesn't violate privacy because it is
information you willingly gave them that they can then give others. (The case
where the information is gathered through overly broad warrants stands out as
an exception, being that it is forced by the government.)

------
jorblumesea
They're also a target for APTs and foreign governments. Pretty much everyone
wants to get their hand on travel data. Also fairly likely that other GDS such
as Amadeus has similar issues. Speaking from personal experience, Sabre's code
base is very outdated, and filled with tech debt and hacks. They haven't done
a good job controlling bloat and many teams are skeleton crews that are
consumed with ops and can barely fix bugs. I'm sure you don't need to "hack"
anything.

Contrary to what some posters here seem to be saying, Sabre is very widely
used in many parts of the travel industry.

[https://www.forbes.com/sites/leemathews/2017/07/06/travel-
gi...](https://www.forbes.com/sites/leemathews/2017/07/06/travel-giant-sabre-
confirms-its-reservation-system-was-hacked/#1ffa7bd14b20)

------
neximo64
How is this interesting?

Any old school travel agent can look up names and follow their travel history
anyway? (No matter how it is booked btw)

You could call one up and ask if X has got on the flight and they can check.
I've done it before to check if I wanted to know the persons flight was
delayed and made it to the airport on time.

~~~
tyingq
It's more complicated than that. Most tickets aren't in a GDS, but only in an
individual airline's CRS. And a travel agent wouldn't have broad SQL like
ability to query. They would need at least 2 of name, record locator, or
flight/date. And travel agents don't typically have access to every airline
CRS and all GDS systems...some subset is more common.

~~~
perennate
Presumably there is some travel agent with access to the data. I think it's
concerning that one company maintains so much information, but in terms of
government access, if the FBI is going to go through the trouble of getting a
court-issued order like this [1] (which is specific to one person for one
particular six-month period), then finding the right travel agent to serve the
order to doesn't seem like it'd slow things down much (it took at least three
days to get the order since some "Judge Huff was not in chambers").

[1] [https://www.documentcloud.org/documents/6989724-All-Writs-
Ac...](https://www.documentcloud.org/documents/6989724-All-Writs-Act-Order-on-
Sabre-to-Give-Real-Time.html)

~~~
tyingq
You used to be able to fly without an ID...you could fly as John Smith or
whatever. Certainly has turned.

------
vuyani
Now swap FBI with China and HN would be calling for a full on ban. When its
America, its just “how is this interesting”

------
imroot
The travel industry (esp the airlines) are moving to puzzle piece style
integrations -- I know that Hilton Uses Sabre for incoming GDS reservations,
but, uses salesforce internally for managing a lot of the guest interactions
(including bookings and customer support): AA (as mentioned previously in this
thread) uses multiple commercial systems, and Marriott uses a mixture of
FOSSE, MARSA (there might be an H in there, but, it's been a while since I've
been at MI) that talk to their backend microservices for their .com system.

MI picked up a LOT of technical debt and a LOT of security bugs when
transitioning SPG programs and properties into MI's portfolio (thankfully, I
was off of that project at that point in time).

I don't think this is the case where the FBI or other conglomerates have
direct SQL-style access into their systems, but, more-so where FBI has retired
or plans internally to pull data from systems when requested: When it's hard
as hell for employees with the proper need-to-know for their application to
pull up data in a meaningful fashion, you know that it's next to impossible
for Law Enforcement to have a nice little dashboard where they can just type
"Ian Wilson" and get a list of every place I've ever stayed ever (unless
they're working with VISA: that's something that I kinda expect, tho).

------
classified
> _No one really knows just how often or widely the government has used the
> All Writs Act to force companies into surveillance_

Seeing how they used Sabre to prosecute a measly $5000 damage, we can surmise
that they'll use this and similar systems for just about anything they can
possibly be used for.

------
drc500free
What's interesting is that names on international flights are already checked
directly against several watchlists. So apparently that tool isn't sufficient.

------
mixmastamyk
How far back does this data go? I'm hoping it gets deleted after ten years or
so, but not optimistic.

~~~
chishaku
[https://en.wikipedia.org/wiki/Utah_Data_Center](https://en.wikipedia.org/wiki/Utah_Data_Center)

------
jermier
Interesting that the word 'secretly' is used in the title, after the fact, and
not before it

------
dboreham
Honestly I would have thought Sabre would have been streaming their data to
TLAs since the 1960s.

------
criveros
I wonder if Sabre's printers still catch on fire.

------
andy_ppp
/secretly/obviously/

------
crb002
The FBI is probably using all information sold to advertisers. The EU passed
GDPR for security, not just privacy.

------
virologist
and what is wrong with that? it is FBI it saves lives.

------
Cthulhu_
Meanwhile, most of the West has been very er, Critical, about anything coming
in from China because they may be spying on us. Double standards?

------
justanotheranon
[https://search.edwardsnowden.com/docs/FullSpectrumCyberEffec...](https://search.edwardsnowden.com/docs/FullSpectrumCyberEffects2014-04-04_nsadocs_snowden_doc)

see page 8.

GCHQ has a program called ROYALCONCIERGE, where they hack the reservation
systems of hotels to watch for targets renting rooms. then GCHQ sends teams
ahead of time to intercept the targets, preaumably to spy on them, or
assassinate them or rendition them to a black site.

from another Snowden doc which i can no longer find, it was revealed that
ROYAL CONCIERGE hacked hotels owned by Starwood, one of the biggest umbrella
corps owning multiple global hotel chains.

you think NSA only went after Starwood hotels? remember NSA said their "Full
Spectrum Domination" posture means "Collect It All."

you think if NSA/GCHQ are hacking into hotel reservation databases to
exfiltrate the whole shebang, that Airline reservation systems are NOT a
higher priority?

a commenter said it is ridiculous hypocracy how we blast China for forcing its
tech companies to become appendages of their military/intelligence complex,
while ignoring FBI/CIA/NSA do the very exact same thing under the rubric of
NSLs and Bulk FISA Warrants and Business Records "All Tangible Things" and
EO12333 get-out-of-jail-free cards to target anything loosely related to
"understanding foreign intelligence."

there is zero difference between what China does and what the FVEYs do, except
that our Overlords tell us they are not spying on us, while every peasant in
China knows they are being spied on by their govt because the Chinese govt
openly admits to it.

~~~
echelon
> there is zero difference between what China does and what the FVEYs do,
> except that our Overlords tell us they are not spying on us, while every
> peasant in China knows they are being spied on by their govt because the
> Chinese govt openly admits to it.

We can fight it by electing the correct people.

But more importantly, I won't be spirited away to a black site by speaking ill
about the president. Nor can the government decide it doesn't want me as CEO
of my company anymore. Or prevent me from funding the opposition party.

There's an enormous difference between the West and totalitarian dystopia
China.

~~~
tintor
"I won't be spirited away to a black site by speaking ill about the
president."

It is happening in Oregon.

[https://www.telegraph.co.uk/news/2020/07/18/call-
kidnapping-...](https://www.telegraph.co.uk/news/2020/07/18/call-kidnapping-
federal-officers-accused-using-unmarked-cars/)

~~~
unchocked
Which is aberrant, and is being denounced by political opposition and non-
state-controlled media.

~~~
ergothus
How many things have been aberrant and denounced, only to become the
regrettable norm in the last few years?

When I was a child, the US wouldn't open admit to torture. It didn't have
publicly known programs to ship prisoners to other jurisdictions so the U.S.
rules of conduct could be bypassed. It didn't have a (publicly known) prison
filled with non-U.S. people that were denied a civil trial. It didn't have a
president that actively preached for or against public companies outside of
criminal matters. When I was a child, a president openly violating ethics
concerns WAS a matter of that president getting removed - with such certainty
they'd step down to avoid the inevitable result.

I'm totally willing to believe that an aberrant behavior doesn't have to
become the norm, but I won't believe that should be expected. I've been told
all my life to expect that dramatic reactions and concerns are overstated and
not the case, that we should all be calm and expect things to work out well,
but if I look at the actual events of my life, I see the opposite lessons
being taught: Unless we react strongly, clearly, and persistently, progress
will not happen and things will slide for the worse.

It's not the lesson I want to learn, it's not a lesson I am comfortable with,
but it does appear to be what I've seen in the last few decades.

~~~
refurb
Go back another 30 years and everything you mention was happening as well.

JFK - lying about the missile gap with Russia to get elected

Johnson - lying about his intentions in Vietnam

Nixon - too many to list

If anything, I'd say there _is more_ transparency around unethical behavior by
elected officials.

~~~
ergothus
> I'd say there is more transparency around unethical behavior by elected
> officials

And that's what worries me - note in my post above I was careful to talk about
"public". Before there was a veil of deniability, the idea that at least a
pretense of innocence had to be maintained.

Now it feels like there is little care to hide it. Sure, many of us are
outraged, but that outrage has done nothing to translate into stopping the
actions.

~~~
tdeck
Your perspective really resonates with me, and it reminds me of the old quote
"Hypocrisy is the homage that vice pays to virtue". When people lie to cover
up their misdeeds, it at least promotes the collective acknowledgement that we
have certain values.

~~~
jacobush
It also puts a limit on what evil deeds can be done, too many or large things
can't be hidden under the veil of innocence.

When even pretence is no longer a concern, there's no limit really.

------
01100011
National Security Letters basically turn any private database into a tool of
the state:
[https://en.wikipedia.org/wiki/National_security_letter?wprov...](https://en.wikipedia.org/wiki/National_security_letter?wprov=sfla1)

I'm not saying the US is as bad as China, but I roll my eyes when people talk
about China forcing its companies to serve the interests of the state. Our
government does it all the time and it doesn't require a warrant.

~~~
koheripbal
This is a "both sides"/whataboutism argument. China is absolutely worse than
the US in this regard. Chinese military intelligence actually conducts
offensive espionage _on behalf_ of Chinese companies to steal IP from western
companies.

The US has a court system that reviews National Security Letters, and can
accept challenges to them, and while that court is secret, it's still bound by
rules that are established by elected congressional officials. ...and perhaps
most importantly, they are still somewhat rare.

Chinese companies on the other hand are _required_ to cooperate on all
requests, even international subsidiaries of any Chinese companies. No
"letters" or court orders - you either do it or the CEO goes to jail, no
trial, no judicial review.

It might seem like the results are similar, but having judicial and
congressional oversight makes a world of difference in tempering how/when it
can be used and, more importantly, rolling it back when it's no longer
necessary.

[https://en.wikipedia.org/wiki/National_security_letter#Doe_v...](https://en.wikipedia.org/wiki/National_security_letter#Doe_v._Ashcroft)

It's a night and day comparison.

~~~
vmception
replying “Whataboutism” is just a reductive way to defend “hypocrisy” in a
geopolitical context. which is worse? Not being aware of the similarity and
replying “whataboutism”, or being aware of the similarity just gaslighting and
deflecting with whoever pointed out the hypocrisy?

most of these observations are very valid

just because you coincidentally respect the due process that reaches a result,
doesn’t mean that it is a functionally different or better. its only
indoctrination and pure happenstance to whatever you were exposed to first.

~~~
sudosysgen
Yup. Whataboutism is only fallacious if you use it to claim moral superiority.
Whataboutism is not fallacious if you're trying to draw an equivalent between
two actors.

~~~
newen
How is whataboutism even fallacious. You can be logically consistent and still
do whataboutism. It's more like a distraction to an argument being made. There
nothing that inherently makes it fallacious.

~~~
sudosysgen
I can understand that argument, but some people do essentially use
whataboutism as a tu quoque to completely dismiss an argument and treat it as
obsolete. Obviously this is very rarely the case.

------
colecut
heeeyyeyyy Dunder Mifflin is a part of Sabre

~~~
l0c0b0x
ROFL... I actually searched for 'Dunder'. I knew someone was going to bring it
up.

