Every year, billions of people board flights. Each reservation leaves a digital footprint—names, travel dates, seat numbers, payment details—collectively called a Passenger Name Record (PNR). After the 9/11 attacks, security services worldwide realised that, if pooled and analysed, these records could reveal hidden plots before anyone reaches the airport. The European Union therefore passed the PNR Directive in 2016, asking every member state to set up a special office—a Passenger Information Unit (PIU)—to gather, check and share these clues.

In the context of TENACITy, between December 2023 and February 2024 researchers circulated a confidential questionnaire to PIU analysts, technicians and directors across 14 countries. Their frank answers sketch a picture of promise, but also of potholes that slow the road to safer skies.

1. The Good News First

• PIUs are up and running. All units that replied already collect PNR data and most can perform basic computer searches.
• Staff overwhelmingly believe the data do help: hidden links between suspects, suspicious money trails and even drug routes have been spotted sooner than old-fashioned police work would have managed.
• International cooperation is alive: PIUs swap tips with sister units, Europol and, in some cases, non-EU partners.

2. Six Headaches Revealed by the Survey

2.1 Data Transmission – “Same Language, Different Accents”

Airlines are free to pick how they send spreadsheets or XML messages. Some still email Excel files. Result: formats differ, fields swap places, and one in five messages arrives unreadable without manual tidying.

2.2 Data Collection – “Plenty of Noise, Not Always Signal”

Budget tickets bought through travel agencies often lack phone numbers or correct spelling. Because carriers are not obliged to double-check typing, analysts later waste hours guessing whether “J. Smiht” is simply a typo or a deliberate smokescreen.

2.3 Data Quality – “Missing Puzzle Pieces”

Optional fields (date of birth, payment method, baggage details) are frequently blank. Missing birthday information is especially frustrating; without age, risk-scoring algorithms misfire and toddlers can be flagged next to terror suspects.

2.4 Data Analysis – “Broken Travels, Blind Spots”

Europe currently collects air data only. Clever offenders dodge detection by flying into Istanbul, then continuing overland by bus or ferry. PIUs call this “broken travel” and warn they are blind to the second leg.

2.5 Staff Matters – “Too Much Haystack, Too Few Hands”

Most units operate with fewer than twenty specialists. Manually eyeballing every record is impossible, yet many PIUs lack funds for data-science training or modern visualisation tools.

2.6 Legal Matters – “Navigating a Maze”

A 2022 EU court ruling tightened the screws: data may be stored longer than six months only if a concrete security threat is documented. Staff now juggle shorter retention windows, extra paperwork and the need to show “human eyes” reviewed every automated alert.

3. Practical Fixes Proposed by the People in the Trenches

1. Mandatory fields: Make date of birth, citizenship and contact details compulsory at the booking screen; a simple pop-up could block incomplete orders.
2. Automatic spell-check on entry: Airlines already verify credit-card numbers—why not names and passport digits?
3. Shared templates: One common Europol form, with drop-down menus, for state-to-state queries would cut email ping-pong.
4. Robot helpers: Small “quality bots” that highlight misspellings or impossible travel itineraries the moment files land, freeing analysts for real detective work.
5. Smarter rules engines: Software that learns from past hits and suggests new risk patterns, always keeping a human in the final loop.
6. Multi-modal vision: Explore extending PNR-style collection to ferries, international trains and long-distance coaches, but only where necessity is proven and privacy safeguards travel alongside.

4. Why This Matters Beyond Airports

The study is a reality check for “big data” security more generally. Simply pouring oceans of information into computers does not automatically produce answers. Standard formats, data hygiene and well-trained humans remain the secret sauce. Policymakers worldwide – whether crafting health, climate or cyber-risk databases – can draw the same lesson: invest first in quality and cooperation, then in fancy algorithms.