A Forbes legal challenge forces the unsealing of documents that reveal for the first time the scope of secretive surveillance orders that track the movements of individuals around the globe. Critics say the government isn’t doing enough to inform the public about the unusual initiative, which involves multi-billion dollar private companies.
In 2015, the U.S. Secret Service was on the hunt for Aleksei Burkov, an infamous Russian hacker suspected of facilitating the theft of $20 million from stolen credit cards on the Cardplanet website. The methods the agency used to pursue him, revealed for the first time as a result of a Forbes legal challenge, show how the U.S. government was able to strongarm two data companies into spying on him for two years based on the authority of a 233-year-old law and to issue weekly reports on his whereabouts. The government has never disclosed how many other individuals could be under such prolonged and unconventional surveillance.
The two companies, Sabre in the U.S. and Travelport in the U.K., were perfect suppliers to American law enforcement because of the business they’re in. For decades, they’ve been collecting and storing information about international tourists in a so-called global distribution system. GDSs are essentially hubs of information that make travel bookings easy between airlines, cruise providers, car rental companies and hoteliers. The two companies dominate the industry outside Russia and China, the only other competitor being Spain’s Amadeus. U.S. law enforcement saw the value in the data used by Sabre and Travelport because Moscow has no extradition agreement with Washington, meaning the only way they could arrest Burkov would be to nab him when he left Russia.
In a November 2015 court order, the Secret Service demanded that Sabre and Travelport continuously monitor Burkov’s travel for two years — or what the U.S called “complete and contemporaneous real-time account activity” — and report back to the Secret Service every week with what they saw. That’s significantly longer than the only other similar order that’s been made public (also revealed by Forbes, in 2020), which detailed the monitoring of another alleged hacker via Sabre. That order lasted for six months. The companies were also prohibited from disclosing the order until a court gave them permission.
The effectiveness of the subsequent surveillance remains uncertain. Not long after the orders, Burkov, who would later plead guilty to computer hacking and fraud charges in 2020, was arrested after a week’s vacation in Tel Aviv in late 2015, according to Israeli media, but no official claim has been made about how he was tracked as he traveled to the country. The Department of Justice declined to comment or provide further information.
Neither Sabre nor Travelport would comment on whether they fought the orders or complied, though there are no filings on the court docket showing the companies pushed back. A Sabre spokesperson said the company responds to lawful processes under applicable laws. “We take seriously our obligation to protect data of Sabre users and to follow the law,” said the spokesperson, who declined to comment further and referred more detailed questions to law enforcement. In August 2020, in response to questions from the office of Senator Ron Wyden (D-Oregon) after Forbes’ original reporting on the surveillance technique, Sabre revealed it had received seven federal court orders targeting seven individuals. The company has provided no further update on those figures.
Travelport told Forbes it didn’t do targeted monitoring, but wouldn’t comment on how it responded to the Burkov order. “As this subpoena is almost seven years old, and by its terms expired five years ago, we are unable to comment regarding the details of this particular matter,” a spokesperson said. “Travelport complies with validly issued government subpoenas but does not carry out active monitoring of any individual.” The company did not clarify what kinds of data it can provide to governments when requests are issued.
The legality of using data-collection companies to snoop on individuals stems from the All Writs Act of 1789, which allows the government to ask for “non-burdensome” assistance from entities not directly related to a given investigation. The law kicked up controversy in 2015 when the FBI tried, and ultimately failed, to use it to force Apple to open an iPhone belonging to a suspect in the San Bernardino mass shooting. Privacy activists at the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation have argued that All Writs Act orders don’t get the same legal or public scrutiny as search warrants and wiretaps, and are “routinely” filed under seal.
“Too much about these types of warrants is hidden from the public,” said Jennifer Granick, surveillance and cybersecurity counsel at the ACLU. Collecting information about future travel that may have nothing to do with past criminal offenses “is particularly invasive and susceptible to abuse,” Granick said. “The police are capitalizing on private data collection to obtain revolutionary surveillance powers that are essentially unapproved and unsupervised by democratic processes.” Granick said the public knows next to nothing about how law enforcement uses the powers, how frequently, in what kinds of investigations, anything about the granularity of the data they generate or how the government uses that information.
Such surveillance has remained secret over the past decade, locked behind sealed orders. Thanks to lawsuits filed by Forbes, working with attorneys at the Reporters Committee for Freedom of the Press and members of the University of Virginia School of Law First Amendment Clinic, the shroud is being lifted, if only partially. The documents ordering Sabre and Travelport to carry out surveillance on Burkov were unsealed last month, after Forbes’ legal challenge. Ongoing petitions to unseal documents related to similar orders in three other jurisdictions were launched in January 2021. The Justice Department has continued to argue that there’s no general right to access All Writs Act orders and that “compelling law enforcement interests demand the continued sealing of those materials.” One court agreed that such orders have “traditionally been kept secret for important policy reasons.”
While critics say it’s an invasive and overly secretive form of spying, to those who know the business, it’s little surprise the U.S. government would want to avail itself of the vast troves of information stored by these travel companies. Together, they have travel data going back half a century, which critics say could provide a detailed picture of an individual’s life. The industry started with Sabre in the 1960s after it was spun off from American Airlines as a modernized version of the company’s huge “passenger name record” databases. Today, the three dominant players are vast enterprises. Sabre is a public company on the NASDAQ with a market cap of $2.5 billion; Amadeus is valued on Spanish stock markets in excess of $25 billion; and Travelport remains a private entity, acquired for $4.4 billion in 2018. Sabre says it processes over 1 billion trips and $120 billion of travel spending every year. Before Covid-19 sent the global travel market spiraling, in 2019 Travelport was handling $79 billion in travel transactions — “more value flowing across our platform than eBay,” according to testimony the company gave to the British government in May 2020 in light of the coronavirus transport crisis. Such is the influence of these businesses that Sabre’s decision to cut off Russian airline Aeroflot in response to the Ukraine invasion reportedly crippled its ability to sell seats.
“Too much about these types of warrants is hidden from the public”
Joe Herzog, a former executive with both Sabre and Travelport who spent nearly two decades working in the industry, told Forbes that while he was not intimately aware of any government demands for information, technologically it’s “relatively simple” for the companies to cooperate and provide data to law enforcement. “It’s just a question of privacy laws,” Herzog said. Much of the same data could be found across each GDS provider, adding that “there’s a tremendous amount of overlap [in] the datasets with the intelligence information … I’d guess that 90-something percent of all the information in one GDS is accessible by another.”
Amadeus, Sabre and Travelport have counterparts in Russia and China: Sirena-Travel and TravelSky. Both are closely aligned with their respective governments.
Burkov may yet find himself under U.S. surveillance again. In late 2019, despite Russia’s attempts to prevent his transfer, Burkov was extradited from Israel to the U.S. and, after admitting fraud and hacking offenses, in June 2020 he was sentenced to 108 months in prison. In September 2021, however, something strange happened. He was sent back to Russia. It remains unclear why Burkov was allowed to return to his homeland. The Department of Justice has yet to provide a full explanation. In a March letter to National Security Advisor Jacob Sullivan, Republican members of the House Judiciary, Homeland Security, Intelligence and Foreign Affairs committees demanded an explanation. “The Russian government has a history of using cybercriminals as assets for Russian intelligence services,” the lawmakers warned. “Some former officials have suggested that Burkov may now be working for Russia, against U.S. interests.”
In the U.S., Forbes and its legal partners continue to press U.S. courts to unseal more information on how deep and broad this kind of spying goes.