Benjamin Braddock begins his affair with Mrs. Robinson in The Graduate by nervously checking into a hotel under the name Mr. Gladstone. After all, in our cultural imagination, booking a room in a hotel is a refuge for anonymity, and often, the vice that comes along with it. But that’s certainly not the case today — if it ever was, beyond the silver screen.
On Friday, Marriott provided an update on the 4-years-long data breach of its Starwood database announced in November. In the breach, hackers were able to access the *unencrypted* passport numbers of more than 5 million hotel guests.
That’s worrisome for a lot of reasons. Chief among them: The Chinese government is the primary suspect in the hack, and those passport numbers would likely be used to spy on people’s movements and associations across the globe.
But what was Marriott doing with passport numbers in the first place? Why have hotels — which used to stand for a way to escape — become yet another data repository for tracking our every movement?
Mostly, it’s not actually the fault of hotels. The decision to both collect and store ID information including passports originates with the government in whatever location a hotel is.
“That idea of a hotel as a place you can go and be anonymous isn’t universally true,” Katie Moussouris, a bug bounty hunter and decorated security expert said. “A lot of the motivation behind it is for law enforcement purposes.”
With or without a hack from a hostile foreign power, hotels are a way governments around the world can keep tabs on citizens, wherever they go.
When asked why Marriott stored guests’ passport information in the first place, the chain told Mashable via email that it did so to comply with local law.
Passports are requested at the local hotel level and that request is governed in part by country, state or, in some cases, city-specific regulations — which is why there isn’t a universal process or policy in place.
Marriott also stated that it does not store passport information in a central database, and that it has phased out the Starwood database that did.
While Starwood retained this information in their central reservation system, Marriott’s central reservation system does not store passport information on our central reservations system — instead, that information can be collected and retained at the local hotel level. As indicated in the release, the company has phased out the operation of the Starwood reservation database, effective the end of 2018.
Experts say this reasoning makes sense. Moussouris explained that hotels collect identity information so they can run background checks, as well as to serve as a reference for the government should anything criminal happen. That law enforcement element means that hotels may need to store, not just check, identification.
“It’s the fact that it might need to be checked against a criminal database, and different countries vary in their regulations about that,” Moussouris said.
The European Union requires hotels in member states to collect passport information. However, what they do with that information varies. For example, in Italy, hotels automatically give this to the authorities. But that’s not the case throughout Europe. Policy on ID collection varies between cities and states in the US.
Complying with local law is a reason for collecting and storing that information — but it may not be the only motivation.
“That’s done for a wide variety of reasons,” Rebecca Herold, a top information security expert and consultant to multinational corporations who’s also known as “The Privacy Professor,” said.
In addition to having a database of guests and their associated passport identifiers in case anything goes wrong, law enforcement may want to have identity information on hand so that it can track how long someone is staying in the country, especially if they have a limited travel or work visa.
“Ever since 9/11, the tracking of folks from other countries has become much more prevalent,” Herold said. “As time goes on and more terrorist activities occur, then more collection of information about people from other countries is being required, especially at the state and local level.”
But Herold said hotels themselves may want ID information, too. With passports or other government IDs, hotels can always track down visitors, so they can collect payment on outstanding charges. They may want to run background checks to prohibit certain people from staying with them. And having guests in a centralized database may be helpful so that — in the case of a massive chain like Marriott with multiple seemingly disparate properties — the behavior, background, and expenses of guests follow them as they check in around the world.
“Passports are the only consistent type of identification that exists world wide.”
“With a huge hotel like Marriott, they have so many locations under so many different names, that’s how they can keep track of the different guests that are coming in and out of their environment, in addition to meeting the country laws,” Herold said. “Passports are the only consistent type of identification that exists world wide.”
Marriott said it collects ID data for reservations, and to comply with local law.
But “complying with local law” is now trickier than it once was. Thanks to the GDPR and other data privacy laws under consideration, if a company collects customers’ data, they also have the obligation to protect it.
“If there are laws requiring that you store personally identifiable information, and there are laws that you keep it safe and private, what are global companies doing right now to audit and insure that they are capable of meeting those requirements?” Moussouris asked. “There needs to be some sort of practical middle ground where appropriate data security and privacy measures are universally applied in places that are required to store this information.”
In the case of Marriott’s Starwood breach, that’s where the rubber has hit the road.
Today, it may not be possible to have a Graduate-esque fake-name affair in a high-class hotel. But it should still be possible to check in, and out, without fear of undue surveillance and identity theft.