American travelers took 2.25 billion domestic trips and 87.7 million international trips in 2017, according to statistics from the U.S. Travel Association and the U.S. National Travel and Tourism Office. If you were one of those travelers, you likely walked through a body scanner, had your photo taken to confirm your identity or gave up personal data without even realizing it.
You may have also encountered "smart" hotel rooms in which a tablet controlled the lights, curtains and temperature, and perhaps even saved your preferences for your next stay. When you drove off in your rental car, you may not have realized that the rental company was collecting data on your driving habits and the car's location. And when you logged in to that hotel Wi-Fi network, you had no idea who else might be on the same network.
Of course, none of these practices are illegal. But they all raise the risks that your private personal data may be misused, misappropriated or stolen. Fortunately, there are ways you can try to minimize the data collection.
Quick Travel Privacy Tips
- If you're uncomfortable with facial-recognition systems or body scanners at U.S. airport security checkpoints, you can opt out.
- Use a VPN whenever you're on a Wi-Fi network, including in your hotel room.
- Turn off the Wi-Fi, GPS and Bluetooth functions on your smartphone when you're not using them.
- Travel tech can be both cheap and simple: bring a Chromebook instead of a laptop, and log out of and shut down the machine before crossing international borders.
- Bring a cheap Android phone instead of your regular smartphone.
- Consider setting up "fake" online accounts before you travel, in case border officials want to see them.
- Before you return a rental car, try to delete any navigation history or personal profile you set up in a rented GPS device or in the in-vehicle navigation system.
Dealing with creepy airport screening technology
Since 2016, the U.S. Customs and Border Protection's (CBP) Biometric Air Exit program has put facial-recognition technology in several U.S. airports.
When you board an international flight, CBP or a partner airline takes a picture of you and compares it against your passport photo. Delta and JetBlue already participate in this program.
The Transportation Security Administration recently launched a similar pilot program for international flights at Los Angeles International Airport in which departing travelers can opt to have their photos used to verify that their boarding passes and passports match.
If there is a discrepancy, travelers are not allowed through the security checkpoint — although TSA agents will still be able to manually verify their boarding documents.
CBP aims to use biometrics to confirm the identities of more than 97 percent of passengers in the next few years and to expand this initiative to every point of entry and exit in the United States. Facial recognition isn't 100 percent accurate, however — it more frequently misidentifies ethnic minorities and people wearing certain accessories or makeup, Quartz reported.
Jeramie Scott, director of the Electronic Privacy Information Center's Domestic Surveillance Project, said facial recognition as a primary means of identification heightens the capacity of the government to conduct surveillance beyond the scope of confirming travelers' identities. Scott worries that this data could be used in ways we haven't consented to — although CBP says images are deleted and purged from its systems within 14 days.
"There need to be protections around the collection and use of certain data," Scott told Tom's Guide. "If you agree to use your face as your boarding pass and confirm your identity that way, there should be rules in place that prevent that use from going beyond that stated purpose."
Scott said that, if you don't like the notion of facial-recognition software, you should be able to opt out of biometric screening to board flights by requesting an alternative review from a CBP official.
The same goes for body scanners, which used to essentially render you naked on a TSA agent's computer screen, but now display a generic body outline. If that still makes you uncomfortable, you have two choices as long as you're at a U.S. security checkpoint.
The first option is to sign up for the TSA's Precheck program. You'll have to pay $85 (good for five years), submit your fingerprints and agree to a background check.
But if you're accepted, then you'll be walking through a regular metal detector instead of a body scanner at participating U.S. airports. You'll frequently also encounter shorter security lines. (For frequent international travelers, there's a similar program called Global Entry that costs $100 for five years.)
The other option is to "opt out" of the body scanner. Instead, you'll get a regular pat-down, at the very least, from a TSA agent. But bear in mind that having to perform pat-downs can make TSA agents very cranky, and if they're in a bad mood, you might be taken into a side room for an even more thorough examination.
Travel with disposable devices — and disposable accounts
You'll likely want to bring some electronic devices with you, such as a smartphone and maybe a laptop, especially if you're traveling on business. But you shouldn't bring your regular smartphone and laptop, especially if you're traveling internationally.
Many customs officials and border guards, including American ones, have the right to examine your electronic devices and your online accounts. They can ask you for the passwords to your phone, your computer, and even your Google, Facebook and Dropbox accounts.
You don't have to give U.S. customs officials your passwords, but if you don't, they can confiscate your devices. Border officials in other countries may be even less friendly.
So instead of traveling with a $1,200 MacBook, travel with a $200 Chromebook. Perform a "power wash" to clear your account, and shut down the Chromebook before you cross any border.
And if you have stuff in your online accounts that you'd rather not have border officials see, then set up "fake" Google, Facebook and Dropbox accounts, using your real name, before you travel. Put some stuff in each account — not much, but enough to look real — in each one, and then show border officials those accounts if they ask.
Once you're across the border, log out of the fake Google account and then log back in with your regular Google account. As long as you have internet access, all your data will be restored.
The same strategy goes for smartphones. Leave the iPhone behind, and get a cheap Android phone instead. If you're truly worried about officials seeing your data, then set it up with your fake Google account, and log in to your fake Facebook account before you cross a border. If any nosy official wants to see what's on the phone, gladly provide it.
Use a VPN the whole time
The biggest threat to privacy while traveling, however, comes from unsecured Wi-Fi networks in airports, hotels and restaurants. If any data you transmit from your laptop or phone is unencrypted, anyone else on the same network may be able to read it, even if the network has a password.
Take the baby step up of installing the Electronic Frontier Foundation's HTTPS Everywhere browser plugin on your laptop browsers. The plugin will activate encrypted connections to any website that supports them, including Facebook and Google.
But not all websites support encrypted connections. That's where a VPN (virtual private network) service comes in. The VPN will encrypt all internet traffic between your laptop or smartphone, making sure that all your Wi-Fi data will be unreadable to snoopers on the same network.
If you're traveling on business, ask your company's IT department if there's a company VPN service you can use. We've tested all of the top services; if you're willing to pay for a VPN, check out our picks for the best VPNs.
The Canadian VPN service Windscribe lets you encrypt up to 10GB of data per month for free. The U.S. VPN service Hotspot Shield gives you an unlimited amount for free, but only on mobile devices, and it may also inject ads into the web pages you're viewing.
Smart hotel rooms may be too smart
Hotel rooms may soon collect and use your personal data to customize your experience. Both Marriott and Hilton are working to bring the smart-home concept to their properties.
Marriott's IoT Guestroom Lab, which is currently in testing at the company's headquarters, would let users interact with a virtual assistant to set alarms, request services and operate various features, including turning on the shower to a specific temperature based on stored preferences.
Hilton's Connected Room is in the pilot phase in one hotel. The goal is for guests to use both voice commands and the Hilton Honors app, which already has check-in and digital-key capabilities, to control temperature, lights and streaming media and to save custom preferences in their profiles.
While guests may want, or even expect, their hotel rooms to operate like their smart homes, according to a recent University of Delaware study, smart technology isn't risk-free.
For example, Marriott's smart room is designed to go into sleep mode when guests aren't present. This makes the hotel more energy-efficient, but it may also compromise your personal safety and security if it becomes obvious that you are not in your room, Scott said.
He also noted that if guests give up seemingly harmless personal data to a hotel, they make it easier both for malicious actors to link that data to more sensitive information, and for law enforcement to access the information without explicit consent.
"It goes beyond what is necessary to perform a service," Scott said. "There should be clear options for guests, and the option should be to opt in if they so choose — not one where you have to actively opt out."
Rental cars may keep track of where you go
Airports and hotels may be the most obvious places in which traveler data might be collected and potentially compromised, but they aren't the only ones.
If you rent a car, the vehicle likely has an event data recorder (EDR). Like an airplane's black box, the EDR collects information about the vehicle's systems, its location and operator behavior as you drive.
While EDR data is most often used to piece together crash reports, and a 2015 federal law states that collected EDR data belongs to a car's owner or leaseholder, it's unlikely that rental-car drivers would be entitled to privacy with regard to EDR data.
If you use a rented or built-in GPS navigation system while driving a rental car, or you connect your phone to your rental car's Bluetooth system, you could be tracked by the car-rental company or hacked by a third party.
Try to delete any navigation history or personal profile you set up in a rented GPS device or in the in-vehicle computer before you return the rental car. Unfortunately, you won't be able to do anything about the EDR data, and if the rental company was actively tracking your movements, then it already has the location data.
Bringing it all back home
This kind of surveillance isn't limited to travelers. Scott said many retailers increasingly use security cameras with facial-recognition capabilities to identify known shoplifters in their brick-and-mortar stores, although only Lowe's would confirm this. License-plate readers used by police are not uncommon in bigger cities.
All this means that your movements can be easily tracked, and that your information can be accessed by law enforcement or may be at risk of being compromised in a data breach. Unfortunately, stores are within their rights to surveil their customers, and you're not allowed to cover up the license plate on a moving vehicle.
One way to avoid this, whether you're traveling or not, is to turn off the Wi-Fi, GPS and Bluetooth functions on your smartphone when you're not using them. Keeping them on just makes it easier for other people to track you and read your data. The same goes for your laptop when you're out of the house or the office; if you're not using it, fully shut it down instead of just letting it go to "sleep."
These heightened privacy risks shouldn't stop you from traveling, or from going about your daily routine when you're at home. But you should be aware of how your data is collected and used, and you should look for opportunities to limit or opt out of providing personal information when you can.