Meet the Airline-Owned Data Broker Selling Over 50% of Flight Data to ICE

Meet the Airline-Owned Data Broker Selling Over 50% of Flight Data to ICE

Redacto
5 min read

Delta, United, and American Airlines have probably sold your itinerary, credit card info, and your movements to Homeland Security and ICE.

Major U.S. airlines are acting as data brokers, selling your data to the Department of Homeland Security (DHS) and Immigration and Customs Enforcement (ICE).

404 Media acquired a contract that indicated an airline-owned data broker known as the Airlines Reporting Corporation (or ARC) has been secretly selling passenger data to ICE and the DHS. There are 9 major airlines holding shares in ARC;

  • United Airlines
  • Delta Air Lines
  • Air Canada
  • Air France
  • Alaska Airlines
  • American Airlines
  • JetBlue Airways
  • Southwest Airlines
  • Lufthansa

Passenger data is aggregated and sold as part of ARC’s TIP (Travel Intelligence Program). 404 also obtained a Statement of Work through a FOIA request. The document indicates the DHS and Customs and Border Protection (CBP) requested access to TIP data to “support federal, state, and local law enforcement agencies to identify persons of interest’s U.S. domestic air travel ticketing information”. ARC also requested CBP to “not publicly identify” them, or their employees.

What Data Are They Selling?

The Lever reviewed documents that revealed ARC is processing data for 12 billion passenger flights per year. If you’ve flown more than once in the last year, ARC almost certainly has some of your travel data, which could include;

  • Complete flight itineraries
  • Your name
  • Your financial details

Booking sites feed transactions through ARC, and more than 200 airlines settle their tickets through ARC – ultimately they have data on ~54% of flights taken globally and the database is updated daily.

This gives the DHS, or ICE, access to query these records based on any of the data they contain, mapping your past and future travel plans, bookings, and payment information. Beyond ARC, your social media activity is likely monitored via OSINT tools like SocialNet, and your car travel activity via license plate tracking companies like Flock. In aggregate, these data sources can be used for comprehensive surveillance, targeting both American citizens and non-citizens.

No Warrant, No Oversight

While U.S. law doesn’t always require a warrant for third-party data access, civil liberties advocates are ringing every alarm bell in reach.

Jake Laperruque of the Center for Democracy & Technology put it bluntly – “they’re still supposed to go through a legal process that ensures independent oversight and limits data collection to records that will support an investigation” (404 Media).

Historically, surveillance tools with lacking oversight are almost certain to be misused at some point. Take Flock for example;

  • Aurora, Colorado (2020): A Black family was wrongly pulled over and handcuffed due to a license plate reader error, resulting in a $1.9 million settlement.  
  • Kechi, Kansas (2022): A police lieutenant misused the system to stalk his estranged wife, highlighting the potential for abuse.  
  • Española, New Mexico: A Flock camera mistakenly identified a car as stolen, demonstrating the potential for errors to disrupt people’s lives.  

SocialNet is considerably more opaque in its operations, but almost certainly breaks ToS, definitely doesn’t use warrants, and has been criticized by the pro-privacy community (EPIC, Mozilla Foundation, The Intercept)

Can You Remove or Access ARC Data About You?

ARC, along with other private surveillance companies or data brokers are infringing on your right to privacy. Even social media platforms themselves regularly surveil and monetize data with reckless disregard to ethics and privacy.

You’re probably wondering if you can delete, or at least access data that ARC is holding about you. You could – in the past, ARC offered a GDPR Subject Access Request – a form you could fill out to request your data from ARC. The form is still being indexed on Google;

Unfortunately, this page has been 404’d as recently as May this year – as of the time of writing, there is no GDPR Subject Access Request Form for ARC. There is no clear alternative path to accessing or removing your information from ARC’s database at the time of writing.

What Can You Do?

We’ve reached out to ARC and asked them how to request personal information they’re holding – if we get a response, we’ll update this blog. If you’d like to make the same request, ARC has a contact form here.

Unfortunately, that’s pretty much all you can do when it comes to ARC.

Social Media is another massive surveillance target, and fortunately it’s considerably easier to get your own social content under control. If you want to minimize your digital footprint and reduce surveillance, you can start by wiping your social media accounts of old content. This process can take days or weeks depending on the number of accounts and how much you use them.

That’s why we built redact.dev – the only app that lets you mass delete your social content from major social platforms. You can try Redact and start deleting your content on Facebook, Reddit, Discord and Twitter/X for free – just download the app and set up an account.

Redact logo
Company
BlogContact Us
Media
AffiliatesPress Kit
Legal
Privacy PolicyTerms & Conditions
Socials
TwitterRedditDiscord

© 2025 Redact - All rights reserved