I oftentimes reach for my 'call the regulator' button when I read these articles. What's odd is how many people say "god no..." as if there was some consequential downside to using the very government entity we created (in law) to make corporate entities "do the right thing" when they don't appear to want to do it voluntarily.
So.. here we go. Explain to me, why we don't want to enact law to require (through regulation) this practice to cease.
I'm waiting for someone to state "when you're not paying for something, you are the product", except in this case, you are paying for something, yet you're still the product.
As much as I agree with you that we seriously have got to stop trotting out that quote all the time, the quote doesn't necessarily preclude what you point out.
According to the quote, if you don't pay for it, you're definitely the product, but clearly, as you mention, just because you pay for it doesn't mean you're still not the product.
That quote is a lazy soundbite argument that "you shouldn't use free services" (because "you're the product" and that's "obviously" bad). However, if you stop to think about it for a second, you'll realize that it's dead wrong. It sounds nice & all, but it is in fact meaningless, and probably misguiding.
I've thought about it for several seconds and don't see what is wrong with the quote.
It is a cheap and easy way to explain to non-technical people that when something is "free" the provider is getting something back. Payment for advertising to you, collected data from you, and so on. If you(general) understand that, and are OK with that, then continue. But don't be naive.
Well, Linus and other groups make such good software that companies pay them to make it directly or otherwise; other people release code for showing their own portfolio like an artist, to prove their skills; others do it so people on the Internet can help improve the code. And finally, none of this matters, because that rule applies to organizations making money (or trying to). Jane Hobbyist writing device drivers for the love of the job isn't a part of the saying.
Note - I'm not saying people don't have a reason to provide free stuff. I'm saying that the soundbite "you're the product!" is lazy, and sometimes misleading.
The quote is not wrong. If you aren't paying for something, then 100% of the time you are the product. If you are paying for something, then <100% of the time you are also the product.
There most certainly IS a product! The only way I can imagine that you came to believe there wasn't is that you were confused by the fact that they give their product away.
Does Encyclopedia Britannica's website "britannica.com" have a product? Is Encarta a product? Of course they are, and so is Wikipedia, unless BY DEFINITION you exclude any "product" not exchanged for money from the definition of "product". And by that definition, the second can of beans I got at the grocery store on a buy-one-get-one-free sale wasn't a product -- which I feel demolishes the usefulness of the term.
It's something that's produced, but not something sold (like Encarta). Accordingly you're right that it is a product.
In the informal sense in which we talk about users "being the product" I'd call it not quite right, since there's nothing sold. The user doesn't have to worry as much about ulterior motives.
If you don't pay for it, you are the product. If you pay for it, you may still be productized. Odd that an EULA actually binds both parties, but somehow unequally? I don't think so!
Where they are based doesn't matter. If they are collecting revenues (taking payments) from EU clients, it applies. That includes generating ad revenues from EU based eyeballs.
When it comes to on-ad-generating, free websites, it remains to be seen how bold EU regulators get. It'll be hard to penalize or prosecute such websites, and there are enough violations in the fat cats anyway, so I'm guessing those free websites will get a free pass for now (pun intended).
> That includes generating ad revenues from EU based eyeballs.
That would be fairly hard to enforce against a company that doesn't have a physical or legal presence in the EU.
In general, I'm disturbed by governments trying to enforce laws beyond their border just because their citizens are somehow involved by sending information over the internet. In some fields, it's a legal minefield just to comply with the rules of one country, much less several. This won't be a major difficulty for big players with high-paid lawyers and compliance departments, but it could easily kill startups, some before they're even launched.
> In general, I'm disturbed by governments trying to enforce laws beyond their border just because their citizens are somehow involved by sending information over the internet.
Isn't it simple enough to geoblock areas if European customers are somehow too hard to serve?
> In some fields, it's a legal minefield just to comply with the rules of one country, much less several. This won't be a major difficulty for big players with high-paid lawyers and compliance departments, but it could easily kill startups, some before they're even launched.
As the topic is GDPR: a privacy first approach is not rocket science. I'm sure any startup with even the remotest chance of success can follow the basic principles without undue complications.
While I agree that startups should be respectful of privacy, that doesn't change the principle at work here. Allowing countries to enforce laws against companies that don't have a physical or legal presence within their borders is a dangerous mechanism. Introducing a dangerous mechanism to enforce a good policy will result in that mechanism being used for a bad policy later on.
When you operate a business somewhere, you have to observe the laws of the place you do business in. It does not matter where you are based.
How someone gets a hold of you to enforce any action against you is a different matter. But Emirates kind of needs to come to the EU sometimes to do its business there.
If they sell to EU customers, then yes, they have to abide by the EU privacy regulations. Alternatively, they can set up a website just for EU customers or stop serving them altogether.
I can only hope for the EU that their economic incentive remains strong enough to prevent foreign companies from totally pulling out, resulting in the EU market becoming bleaker and bleaker. And it's not even the current companies that I worry most about - they often have already invested too much to withdraw because of this - it's the new companies that may flat out refuse to enter the EU market.
The GDPR is yet another regulation that adds a lot of liability with the risk of huge fines for a foreign company. And while no regulation in itself is ever going to be enough of a reason, it's the plethora of regulations that is, and the more it grows, the more companies will feel it reached the tipping point for them, which may result in either withdrawal or refusal to serve the EU market. If this proves true, EU citizens should expect to see a lot more of "We're sorry, this service is not available in your country" messages. And it's already pretty bad from what I've heard.
Note: I'm not saying Emirates will pull out because of this, they won't. I'm also NOT against the GDPR and I totally understand the need, I just wish it would be regulated on a more universal level. Same with copyright regulations.
> Note: I'm not saying Emirates will pull out because of this, they won't. I'm also NOT against the GDPR and I totally understand the need, I just wish it would be regulated on a more universal level. Same with copyright regulations.
What could be a more universal level than EU that could actually enforce something like GDPR? US is rather anti-privacy these days, which I found interesting as they are extremely individualistic at the same time. The only even remotely suitable body is WTO, and that won't happen.
Right, it's a universal regulation that applies to about 6% of the world population. But you make a good point, it is very hard to regulate this on a higher level. I'm just saying that the EU shouldn't expect every foreign company to accept and play by their rules, especially if it's only relevant to a fraction of their customers. What this may lead to is companies refusing to serve the EU and EU residents forced to resort to shady VPN companies to access their services - as they already do to circumvent copyright regulations - eventually resulting in less privacy and loss of VAT and other revenue for the EU.
Again, I do not want to paint an overly bleak picture - and I do support regulations like this one - but my feeling is that, due to the lack of a universal solution, this GDPR won't have a better fate than the current copyright regulations: beneficial for some, but at the cost of more internet fragmentation and discrimination. It's almost like lawmakers consistently forget that the internet doesn't stop at borders.
The preamble of the GDPR states that it regulates the fundamental right to privacy, not the human right to privacy. The human right to privacy is much lower level than the fundamental right to privacy.
To repeat myself: I'm [also] NOT against the GDPR and I totally understand the need, I just wish it would be regulated on a more universal level.
I oftentimes reach for my 'call the regulator' button when I read these articles.
And what regulator is that? Does Dubai even have a "regulator" overseeing stuff like this?
Emirates is wholly owned by the government of Dubai. So basically you would be complaining about one Dubai government agency to another Dubai government agency.
Perhaps you could complain about this to some US or EU regulator? Would they care enough to get involved?
I live in Portugal, an EU country. After a complaint, our National Data Protection Commission fined one of my neighbors for having posted certain personal data of other tenants on our building hall.
Emirates gets a big chunk of their revenues from EU customers. They definitely don't want to piss off EU regulators. As for US regulators, they've been at odds with them for some time, so Emirates will probably try to fight them before giving in. But this particular privacy hole is the size of a crater - it will be hard to fight the regulators. In fact, as a software architect, I feel that the solution is far cheaper than fighting regulators.
Emirates has a physical presence in the EU and would definitely be subject to EU regulations when a flight to, from or purchased in the EU is involved.
I had a coworker who was flying to Morocco (I forget what airline). He called me over to his desk at some point to show me the screen as he was picking out his seat. By each occupied seat was a headshot of the passenger, pulled from what I assume was their Facebook profile.
This is on a strictly opt-in basis. I guess it's an interesting alternative to Tinder if you're going to be stuck on a plane. (Disclaimer: I've never tried it myself)
I use it frequently, both to talk to folks in my party who got seated elsewhere and to other friends who are coincidentally on the same flight (common when traveling for conventions/conferences).
I also know folks who have arranged large group bookings (30+ passengers going to the same event) and found it useful to talk to each other.
One practical use is talking to people you're on a flight with but not say next to. I can't say I'd be a regular user of that feature, but I do find myself on flights like that from time to time.
That's IF you all pay extra for in-flight WiFi, and assuming the plane's network link is working. (Many planes' WiFi use a cellular-based network link that has occasional dead spots. Satellite linking is only available on newer planes.)
Whereas seat-to-seat chat is free and relatively reliable.
I used the chat on a KLM flight to Canada recently, it was neat. You could also chat with a specified seat number, and they would get a popup on their screen that you want to initiate chat - it was very useful as there was a large group of us travelling together and I could just chat with someone without walking to their seat on the other end of the plane.
Something people seem to miss every time this comes up.. every airline I've seen this on (Qantas, Emirates, Cathay Pacific, American Airlines, etc).. require you to enable receiving messages before someone can send you a message.
Thus you can't just randomly message any seat on the plane until they turn it on.
I saw a similar feature at least ten years ago elsewhere. I'm not sure of the airline but it might have been Air France. It was more basic - think SMS - and you could do voice calls as well. I figured it was meant for people who were traveling together but who were not sitting together.
This could be due to regulatory requirements on Morocco's side. I regularly fly EUN<->TFS via LPA with Binter: In/out of Laayoune you have to take your assigned seat, within the Canaries they don't care.
From my experience the travel industry are the worst offenders of data security. I remember making a booking on booking.com and not having to pay for my booking, and I wondered how hotels can confirm bookings. When I went to check in at the hotel I asked this question to the front desk staff, and they simply told me "oh, we get a fax or email from the OTA with your credit card information". You can imagine the look on my face when that happened.
Here I am building my online business using tokens with pci dss compliant payment gateway and all these businesses out there don’t even care.
My lesson learned then was these industries will do anything to make it more convenient for the travelers to book, even compromise on security.
They have to support the lowest common denominator. I worked for a company that did camping reservations. Our system for remote sites involved a ranger getting up at 4am, starting a generator and powering up a fax machine. That was seen as an improvement over travelling 40 miles to get a weekly, guaranteed useless list or the honor system and cash payments.
It's like anything else, companies don't lift a finger unless it costs them money or runs them afoul of regulators.
Sending credit cards via FAX to be printed out is not only OK with PCI DSS, it's recommended. The reason companies like Booking.com do this is because the credit card companies wanted it this way.
I remember having a chat with a small guesthouse owner a few years ago, he showed me what the OTA sent through to them which was clear copy text of the booking along with all the credit card details. The big online OTA would directly charge the customer 15% deposit if I remember correctly which they banked as their commission - kind of clever removing the big remittance headache. It was then down to the hotel to directly capture the remaining balance and enforce the cancellation rules. He explained that if customers don't turn up he takes the credit card details down the road to a small independent unrelated travel agency which attempts to hit the card and charges him 10% for the privilege; he says it's about 50/50 whether the card authorizes. I think this still happens.
This definitely still happens, but I think implicit in your post and this thread in general is the unstated statement "...and this is a horrible state of affairs that shouldn't persist for even one more day!".
Ultimately it's the credit card companies that regulate this playing field, and up to a certain point they're happy to make a large trade-off between security & convenience, because they can work the security issues into their processing fees.
Credit card companies aren't dumb, of course they know that small Mom & Pop hotels are going to have horrible security practices when it comes to credit cards. They also know that any security issues are going to be contained to the customers of that establishment.
This is why PCI puts a huge amount of compliance burden on companies such as payment processors and travel agencies that process a lot of credit cards, but by-and-large ignores small players.
The hotelier you described and his method of ad-hoc charging credit cards with a 10% fee at some unrelated business is surely in violation of some PCI rule(s), but that's going to be a matter between his customers and his bank, not all customers of the travel agency and Visa/MasterCard.
Booking.com literally became successful because they built this massive infrastructure around European hotels that refused to update their booking systems past fax and phone calls.
I wish I had the level of audacity or ignorance these people have and send plaintext user data over http, write half-assed webapps that just look pretty but offer no security etc etc. I would be in a much better place right now from a professional point of view. But I just can't do it.
If you look at https://track.emirates.email you will see that it isn't emirates either, but a service provided by Mandrill, an add-on for MailChimp, and the cert is valid for https://mandrillapp.com. Surely they could have figured out how to use SNI.
The fact that your mail client / embedded browser takes you happily to sites with broken certs, giving them a tracking token (and in this case, total access to your booking) is also quite a problem.
Exactly, the fact that the url does not have any expiry (apart from the end of booking) means the email provider, in this case Mailchimp, would also have access to the same.
For the case why browser did not redirect the broken cert, that is because the link sent in the email was over http.
I tested going to a https link via gmail. On desktop chrome, it immediately opens the link (and hence passes the link parameters). On mobile it pops up a privacy error, "Attackers might be trying to steal your information" (NET::ERR_CERT_COMMON_NAME_INVALID), which is certainly the right thing to do. Still have to try it on Office365 and Outlook.
I mean - after Equifax got away with leaking SSNs, Names, Addresses with DoBs of all 142M Americans - this is seriously nothing. At this point, I have become apathetic on these privacy related issues as nothing will be done.
Yep, and their stock pretty much recovered. Worse, as you said, everyone learned: "it's actually quite alright to leak all this stuff, no need to revamp anything or worry about security, privacy and spending extra on that, you'll be just fine".
Yet another reason blocking ads is a must. But not just blocking ads, trackers as well. I use uMatrix and uBlock origin. Unfortunately this does nothing to deal with the aforementioned redirect chain. I suppose maybe this means it is time to go back to the telephone and flight agencies.
Some of the tracking protection tools might help, but not all for exactly the reasons you mentioned.
However, you can enforce some settings in Firefox and Firefox based browsers to keep referrer leakage in control. But it does break a few websites. I can recommend taking a look at : https://wiki.mozilla.org/Security/Referrer and see what suits your need.
I wonder if enabling referrer trimming by default on common browsers would force people willing to use tracking to reconsider their practices. Like everything (it seems) it is always a game of cat and mouse, and the best way to make it harder for trackers is to make sure the targets keep moving.
>> I suppose maybe this means it is time to go back to the telephone and flight agencies.
You would just end up paying more (directly or indirectly) while still having the representatives using the same problematic system, now from their end.
There is really no way out of the redirect chain here, but if you want to avoid malicious redirects on many other websites you can use the Neat URL extension.
It's funny to be reading this just a week after noticing this.
Every airline uses some sort of a contractor or a shared piece of software for online checkins. You can tell by the formed URI fragments and the JSON being sent back and forth.
It's all trash. I wanted to work on a business that unified all check-ins under a single company. I do not think however, it is reasonable given that all of these airlines have the process, as shit as it is, for a reason.
That's not quite right. They all (mostly) do checkin with some combination of PNR identifier, and last/first name. There's no actual collusion though. Just coincidental settling on the same minimum need.
There isn't much in common across airlines as far as the actual code goes, though. Beyond that they all use some limited set of CRS providers, like Galileo, Sabre, Amadeus, etc. That is to say, there's some common code, but it's pretty far down the stack, and only common across a few carriers.
I hear you, the problem is deeply rooted, in the implementation design. Even reporting these problems is such a tedious task, that you kind of feel like giving up after a certain point.
Unfortunately, not just Emirates, but a huge number of e-commerce companies across industries like travel, shopping, healthcare are subjected to similar leaks.
That's pretty bad, but frankly he could have communicated better to Emirates. If I was working as first line support and received that message with "omg do you know you are sharing fields a, b and c to partners. And maybe you are sharing with x, y and z also?", without any technical details at all, I would also give a canned response, tag it as tinfoil hat and throw it into the junk.
He also says that he wrote an email to the Product Manager -
"I also wrote an email to the Product Manager highlighting the security flaws. I was met with a deafening silence.
So, Social media team gives a canned response and the Product Manager doesn't bother to even respond to an email just goes on to show that Data security is not their priority.
"In the wake of responsible behaviour, on discovering these serious security flaws that violate user-data privacy, I decided to flag them to Emirates through Twitter DM in October 2017. Please note that I could not find a dedicated channel for reporting security bugs on Emirates website.
I also wrote an email to the Product Manager highlighting the security flaws. I was met with a deafening silence."
The new thing now even with big travel booking companies is to have one tier of phone support that can literally only provide canned answers, and a very difficult to get to escalation to an email team that will give you a canned answer.
I guess you completely missed the paragraph titled "Reporting it to Emirates:"
I will write it here for you - "In the wake of responsible behaviour, on discovering these serious security flaws that violate user-data privacy, I decided to flag them to Emirates through Twitter DM in October 2017. Please note that I could not find a dedicated channel for reporting security bugs on Emirates website.
The Social Media Team immediately responded to my Twitter DM with a canned response but I was not ready to give up hope. I also wrote an email to the Product Manager highlighting the security flaws. I was met with a deafening silence."
In line with the age-old advice on how sausages are made, here's my advice: don't ever inspect the data leaving a mobile device.
– Just as I was about to add this comment, I remembered how it's not limited to mobile devices anymore.
(Thankfully with certificate pinning and integrity checking you may be spared of the risk of ever finding out what your apps actually do. Remember: only weirdos and terrorists tinker.)
Certificate pinning and integrity checking will only come into play if the services move to HTTPS :). Sadly, Emirates is sending HTTP links to help users manage bookings.
HPKP is what the article you posted to is referring to, and probably will go away completely.
However, profiling the public key of the site a mobile app connects to and erroring out if it is compromised to prevent MitM attacks is called 'certificate pinning' for mobile apps but is not related to the HPKP pinning of browsers. A reference for certificate pinning: https://blog.netspi.com/certificate-pinning-in-a-mobile-appl...
These magic URLs that can log you in automatically, generally ought to necessitate a very high degree of paranoia from whoever is implementing them. In this case the single point of failure seems like the leaky referrer, which ought to have been noticed as part of the aforementioned paranoia.
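The leak the two comments above (referrer trimming, and the "magic" login URL whose single point of failure is the leaky referrer) are describing can be shown concretely. The block below is an added example, not code from the original post or from Emirates' site; the booking URL, the parameter names `pnr`, `lastname` and `token`, and the tracker host are constructed placeholders. `refererFor` computes what a browser puts in the Referer header for a page-to-resource fetch under a given Referrer-Policy, following the W3C Referrer Policy rules; `leaksCredential` checks whether that value carries the bearer parameters; `stripSensitive` is the URL a page should swap in with `history.replaceState` once it has consumed the token.

```javascript
// Added example (not code from the original post or from Emirates): how a
// "manage my booking" link that logs you in from its query string leaks through
// the Referer header, and what referrer trimming changes. The URLs, parameter
// names and tracker host below are constructed placeholders.

// Referer value a browser sends when a page at pageUrl fetches targetUrl under
// the given Referrer-Policy. Mirrors the W3C Referrer Policy rules for the
// policies discussed in the thread. Returns null when nothing is sent.
function refererFor(pageUrl, targetUrl, policy = "no-referrer-when-downgrade") {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  // Browsers strip the fragment and credentials even in the "full" form.
  const full = page.origin + page.pathname + page.search;
  const originOnly = page.origin + "/";
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol === "http:";

  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade": // the historic browser default
      return downgrade ? null : full;
    case "same-origin":
      return sameOrigin ? full : null;
    case "origin":
      return originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "strict-origin-when-cross-origin": // default in current browsers
      if (downgrade) return null;
      return sameOrigin ? full : originOnly;
    case "unsafe-url":
      return full;
    default:
      throw new Error("unknown Referrer-Policy: " + policy);
  }
}

// Query parameters that act as a bearer credential for the booking page
// (assumed names; the real parameter names are not in the post).
const SENSITIVE_PARAMS = ["pnr", "lastname", "token"];

// Does a Referer value hand a third party any of those credentials?
function leaksCredential(referer) {
  if (!referer) return false;
  const params = new URL(referer).searchParams;
  return SENSITIVE_PARAMS.some((name) => params.has(name));
}

// Client-side mitigation: the URL the page should show (via
// history.replaceState) once it has consumed the token from the query string.
function stripSensitive(pageUrl) {
  const u = new URL(pageUrl);
  for (const name of SENSITIVE_PARAMS) u.searchParams.delete(name);
  return u.toString();
}

// Constructed booking link and third-party tracking pixel.
const BOOKING_URL =
  "https://booking.example.com/manage?pnr=ABC123&lastname=DOE&token=9f8e7d";
const TRACKER_URL = "https://tracker.example.net/pixel.gif";

for (const policy of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin"]) {
  const ref = refererFor(BOOKING_URL, TRACKER_URL, policy);
  console.log(policy, "->", ref, leaksCredential(ref) ? "(credential leaked)" : "(safe)");
}
console.log("cleaned URL:", stripSensitive(BOOKING_URL));
```

Two caveats worth keeping in mind. Stripping the token with `history.replaceState` only helps if it runs before any third-party script loads, because those scripts read `document.location` directly and do not depend on the Referer at all. The robust fix is server-side: consume the token once, set a session cookie, redirect (302) to a clean URL, and send a `Referrer-Policy: strict-origin-when-cross-origin` header so that even the redirect target never shows the token to partners.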
I guess the problem here is that from an overall experience POV you want users to be able to get to their booking from their email without having to go back and forth to figure out their booking reference number and type it in.
Even as an advanced user sometimes there is very little you can do to protect against this. In a lot of cases, blocking trackers is also a flaky solution because sometimes custom event tracking takes place as part of a JS event, and the event fails horribly due to the library not being loaded thanks to your blocker, and as a result the event doesn't do what it's supposed to, and you can't use the interface.
For mobile users, blockers are either not easy to install, or exist on some fringe browser that is untested, and breaks the UI.
I wonder if it is possible to measure or guess how many humans have access to your booking in such cases. Some part of the sysadmin team at each of those tracking companies, maybe product leads, customer support?
You will still hit the same problems they described for some sites. Because some JS has been blocked by your blocker, certain websites will have buttons that just don't work. This is frustrating when those buttons are key things like 'buy' or 'confirm'.
I agree with the sentiment but it's not always possible.
In the case of airlines, sometimes you have no choice but to go with a particular carrier because there is no other carrier who will take you to your destination with seats available that meet your schedule.
You also wouldn't know of these practices until much after you have already paid for your ticket, by which time your booking is already in the hands of a few hundred other "trusted third party" employees.
Emirates.com has changed a lot in the 18 years since I last worked on it. But I can see how this might have come about.
Each 3rd party add-on is probably required by marketing in one form or another (analytics, social sharing, partner data, advertising, ...). And possibly development has been done just thinking about how to do something, rather than if they should be doing something. We don't know what the gatekeepers have managed to prevent getting deployed...
Part of how I see my role is to always to have a product-owner sanity-check hat on. But at the end of the day, it's the people with the wallets who decide what gets included in their outcome, even if it's against the recommendations of experts.
Absolutely agree with you, having been a digital marketer and later Product Manager for an Airline, I realized the ill-effects of mindlessly using tools to "crack" the secret sauce of heightened UX and hence increased revenue stream. Would I do it today? No. Would a CMO push for third party trackers? Hell, Yes. The onus lies on CTO to evaluate products, third party tools against a checklist that also covers User-Data protection as one of the bullet points.
Hmm, no mention of luggage tags or boarding passes? Your luggage tag usually has your last name and your booking code. Those 2 bits of information are enough to login to your flight details, including your passport information. They are also on your boarding pass, also coded on the barcode, which people sometimes post online, it can also be photographed from a distance with a good enough camera.
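To make the boarding pass point above concrete: the barcode on a boarding pass is an IATA Bar Coded Boarding Pass (BCBP) string, and its mandatory section carries the passenger name and the booking reference in plain, fixed-width text. The block below is an added example, not code from the original comment or from any airline; the field widths follow the BCBP mandatory layout as I recall it from IATA Resolution 792 (60 characters for the first leg), and the sample string is constructed in that layout with a fictional passenger and booking. The parser pulls out exactly the pair (booking code plus surname) that the "manage my booking" login accepts.

```javascript
// Added example (not code from the original comment or from any airline): parse
// the mandatory section of an IATA BCBP boarding-pass barcode string and extract
// what a stranger with a photo of the pass needs to log in to the booking.
// Field widths are the BCBP mandatory layout as recalled by the author of this
// example; the sample below is constructed, not a real passenger or booking.

// [field name, width] in order; the widths sum to 60 characters.
const BCBP_FIELDS = [
  ["formatCode", 1],        // "M" for the current format
  ["legs", 1],              // number of legs encoded
  ["passengerName", 20],    // "SURNAME/GIVEN", space padded
  ["eTicketIndicator", 1],  // "E"
  ["pnr", 7],               // operating carrier booking reference
  ["from", 3],
  ["to", 3],
  ["carrier", 3],
  ["flightNumber", 5],
  ["julianDate", 3],        // day of year
  ["compartment", 1],
  ["seat", 4],
  ["sequence", 5],          // check-in sequence number
  ["status", 1],
  ["conditionalLength", 2], // hex length of the optional section that follows
];

const MANDATORY_LENGTH = BCBP_FIELDS.reduce((n, [, width]) => n + width, 0);

// Slice the fixed-width fields out of a raw barcode string.
function parseBcbp(raw) {
  if (typeof raw !== "string" || raw.length < MANDATORY_LENGTH) {
    throw new Error(`BCBP string too short: need ${MANDATORY_LENGTH} chars`);
  }
  if (raw[0] !== "M") throw new Error("unexpected format code " + raw[0]);
  const out = {};
  let pos = 0;
  for (const [name, width] of BCBP_FIELDS) {
    out[name] = raw.slice(pos, pos + width).trim();
    pos += width;
  }
  const [surname, given = ""] = out.passengerName.split("/");
  out.surname = surname;
  out.givenName = given;
  out.conditionalLength = parseInt(out.conditionalLength, 16) || 0;
  out.conditionalData = raw.slice(MANDATORY_LENGTH, MANDATORY_LENGTH + out.conditionalLength);
  return out;
}

// The two values the thread says are enough to open the booking online.
function bookingLoginPair(raw) {
  const parsed = parseBcbp(raw);
  return { pnr: parsed.pnr, surname: parsed.surname };
}

// Constructed sample, built with padEnd so the widths cannot be miscounted.
const SAMPLE = [
  "M", "1", "DESMARAIS/LUC".padEnd(20), "E", "ABC123".padEnd(7),
  "YUL", "FRA", "AC".padEnd(3), "0834".padEnd(5), "326", "J", "001A",
  "0025".padEnd(5), "1", "00",
].join("");

console.log("barcode:", JSON.stringify(SAMPLE));
console.log("login pair:", bookingLoginPair(SAMPLE));
```

Any phone barcode-scanner app will give you the raw string from a PDF417 or QR boarding pass, so the "photographed from a distance" scenario above needs nothing more than this to turn into a booking login attempt. Newer BCBP versions can carry a digital signature in the optional section, but that protects the pass against forgery, not the passenger against disclosure.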
Airlines don't care about privacy, security, user experience, prices... There are many things you don't have to care about when competition is low and barriers to entry are incredibly high.
As an aside, turns out 9/10 decoy bombs and bladed weapons are smuggled onboard with no problems in tests. All the security theatre and voodoo rituals requiring passengers to switch off all electronic devices for no actual reasons and it's still trivial to hijack a plane.
Airlines aren't responsible for security. The rules are specified by the IATA and national agencies and security is either handled by a government department (e.g. TSA) or by the airport itself.
Also, switching off electronic devices has nothing to do with security. The apparent reason is that it can cause issues with navigation, as was theorised after a plane crash in the 90's. Most flights these days don't even require you to turn your electronics off, or even put it in airplane mode.
I'm fairly sure the reason that they made you turn your electronics off wasn't even for the plane, but rather to ensure that you pay attention to the safety briefing.
The reason that different airlines have different rules, is that their OpSpecs have different (and sometimes evolving) treatment on portable electronic devices, which is their way, as operators, of complying with § 91.21
(shared because I suspect some will find it interesting in a random-trivia sort of way, not because I'm arguing against your post)
Yes, and I would add some (hopefully) "common sense" consideration.
IF you were a captain, responsible for a several millions dollar aircraft and for hundreds of lives, AND IF there was a teeny-tiny, extremely low probability that using a phone (or computer or other electronic device) could cause a disaster, including the possibility of a suicide act of sabotage, how would you implement in practice the Federal Rule you cited?
1) Kindly ask the passengers to have the devices switched off.
2) Seize each and every such device before boarding, and X-ray/scan each and every passenger to be 100% sure that they don't carry one with them (hidden).
#1 clearly, or perhaps switched off below 10K feet MSL.
Try #2 and you find yourself unemployed as a captain. Try it as an airline and you find yourself without passengers and shortly, without an airline.
Airlines and aviation authorities balance safety, cost, and convenience all the time. ETOPS is a good example of that balance evolving. ETOPS-240 would have been unthinkable at the start of the jet age.
This should not be a surprise. Most business types don't give a shit about anything but money. Community, social, environment, or any other negative externalities. They just don't care. They're after and bound to "fiduciary" responsibility. (Short term reward and ignoring long term consequences)
I realize that was a moral high horse: I'm curious about how you can reward people for positive long term growth.
It turns out that people in general buy airline tickets based almost exclusively on price. Airlines are actually showing very long term thinking given that they have very high capital costs and need to make those investments pay off in the very long run. People are rewarded in the long term with profit because they have built a business that their customers want to patronize.
Even as a very technically savvy person I am not sure I would stop flying an airline because of this. While I agree these are awful practices would I be willing to do an extra hop with an airline that had better security? Nope. So while I sympathize with the article if Emirates was my main airline I would probably still fly them. It turns out many companies suck at securing their customers data. If that is important to their customers they will be reward/punished accordingly.
Ironically this is one of the reasons I prefer to buy things online through Amazon and why I think they have 50% market share. They are a trusted counterparty to my transactions and I would rather buy something through them than a small companies website.
> It turns out that people in general buy airline tickets based almost exclusively on price
> They are a trusted counterparty
This is interesting, and I agree. But while I'm a big fan of quality and think there are many cases where not buying the cheapest is a good move in general, I find it hard to justify with airlines.
The quality varies wildly now, and reward programs are getting more and more meaningless - often they're even pointless because you simply can't fly to that airport with a carrier in your airline alliance, or they offer a way more inconvenient flight.
Sometimes, business class is only marginally better than economy (same seats, more legroom), but you couldn't tell from the cost. There are only very few airlines where business class is consistent. Why do I need to know what type of plane it is to know what business class seating is going to look like? The difference between business and first class is similarly vague. Sometimes it's worlds apart, others it's a slightly larger screen.
So why take the chance for airlines that aren't Singapore/Thai/ANA (to name my favourites)? Just buy the cheapest flight, brave it, and take some unpaid vacation and maybe a massage with the money you saved to make up for the horrible experience.
The only constant is flying sucks, and will suck a lot more if you can't avoid the USA. (Although the major US airports are such a shitshow that paying more to arrive/depart at a smaller airport could be worth it time-wise.)
Fiduciary responsibility does not necessitate a short term thought process. If you can show that the long term negative consequences outweigh the short term positive ones, the people you're complaining about will listen. The problem is that you can't tie these things to a negative financial impact. Boards of Directors frankly don't give a shit about your moral high horse, nor is that their job. Get off it and prove to them that your positive long term growth strategy will result in high overall profitability and they'll listen.
But, as someone else stated, airline tickets are a commodity now. So until you're personally going to be paying more for identical tickets because of something like this, be prepared to reap what you sow.
Although I completely agree with the article, I think it's putting the bar a bit too low to expect individual privacy from a UAE based company, when they have little regard for even the basics of Human Rights[1].
Nothing will happen until a malicious party ends up cancelling an entire flight’s worth of passengers and it starts costing them serious money and reputation.
It’s a sad state of affairs when there is no ethical way to correct certain grossly unethical business practices.
Which one? Google, Twitter, Facebook, Microsoft, Yahoo, Crazy Egg, Criteo or NSA listening on the wire?
My apologies if you disagree, but I feel that the article is borderline alarmist and I believe is written in the worst possible tone to communicate the problem.
Yup, there is a shitton of analytics products. Yes, PII is leaked and this needs to be fixed. But, no, it's not like the listed parties (BTW, of which ek.aero is Emirates' own domain) are immediate threats. However, yes, this is quite severe as there are many scenarios where the data would eventually land in the wrong hands. E.g. if it were no longer considered sensitive PII but treated as "just some analytics/statistics".
Basically, he should have patiently communicated that despite the trust in big analytic companies, private personal information still gets sent to them (mostly indirectly - in form of session links), and this may lead to accidental security leaks. Like, for example, some subcontractor having access to "only" analytics would technically have access to much more data than they are expected to have.
The article fails to do this and instead screams what essentially boils down to "Google Analytics sees a link to the page with my passport details!". Color me surprised the support reply was not helpful at all.
So did the message to the support, screenshotted in the article.
And it's not just "any party sitting at a cafe". It specifically requires that this malicious party is sitting in the same cafe, present (physically or remotely) at the moment the site is accessed. So it's more likely to be an airport's WiFi network - which is a much more probable place where an unsuspecting traveler may access such a page. Hunting for a cafe with someone buying tickets from a specific airline is probably too complicated to pay off, unless the attack is personal.
Anyway, I don't argue this is all very bad. It is. What I want to say is that the problem was communicated in a very poor way. And even this follow-up blog article is so light on details, a person without some security knowledge would quite likely shrug it off with an impression it's some tinfoil-hatter screaming at analytics trackers.
Absolutely agree, data security is not a priority for almost all organizations in the service industry. Hopefully GDPR and ePrivacy will be the beginning of an era when organizations are forced to think about protecting user information.
I'm wondering how sharp those teeth are. What are they going to do, revoke Emirates operational licenses throughout Europe? That would not go over well with flyers...
A fine of up to €20 million or up to 4% of the annual worldwide turnover, whichever is greater.
Yeah there's a reason everyone's panicking about GDPR, it can seriously wreck your business.
One funny thing is that Emirates makes it look like they do care about security by implementing a surprisingly onerous Captcha requirement before Skywards login. I usually get it wrong a couple of times before I can get to my account -- lots of 6s that might be Gs, partially obfuscated 8s that might be 3s, etc.
It's technical incompetence. Emirates is a fantastic airline that treats people very well. Of course this doesn't have anything to do with well engineered IT systems.
Failure to accept and acknowledge these issues needs to be sorted out. Unless these issues are treated as a technical priority, organisations will have a huge impact on service delivery issues sooner or later.
Browsers need to take a hardline stance on external content and stop allowing pages to load anything whatsoever from external domains. But they won't, because one of them is Google.
Wouldn't this just lead to these websites putting everything behind a reverse proxy? That would make it harder to detect and block third party scripts.
It would, that's the point. You'd give them time to fix it, like you give notice before visually indicating HTTP is insecure or deprecating SHA-1 certificates.
This[1] talk linked in the article mentions that it is happening, and that the name check is mostly useless because you can often just change the name attached to the frequent flyer number. Of course, things may have changed, but they probably haven't.
Interesting thought, would be really curious to see the outcome for that. AFAIK, the link that Emirates is sharing allowed me to add my own miles number. What I am not sure is, if there is a check at the backend (Emirates side) which compares the miles number with ticket holder email ID.
In this case, the airline would have to get explicit consent for sharing the user's personal data with third parties. So at the very least, it will increase transparency. Post-GDPR, in the event of negligence, organizations like https://noyb.eu/ will become more relevant as mediums for collective action in the form of class action suits.
EDIT: (Addendum) - The user would also have the right to ask the first party (airline) to "require" third parties it has shared personal data with, to delete them. Enforcing this however, will be hard.
it raises a larger question in the industry such as what kind of internal protection do companies such as "Amadeus IT Group" have in place to prevent employees from sifting through passengers etix[¹] booking data?
I had the opportunity to witness a data scientist being able to tap into a live itinerary data stream, set up listeners and filter out anything they liked.
Inspect element is a good place to start. I would suggest the following approach:
1. Open a new tab.
2. Right click, choose inspect element and check the option to preserve logs.
3. Copy and paste the link which you want to check.
4. Preserve log will keep all the redirections, and you can then inspect what the website is up to.
There are more tools, which help you debug traffic outside browser like https://mitmproxy.org, Wireshark etc, but I think Inspect Element should be enough to help you reproduce the scenarios mentioned in the article.
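The manual devtools check above can be scripted once the Network tab is saved as a HAR file (the same capture "preserve log" keeps). The following is an added example, not code from the article or from any commenter: it scans a HAR export for third-party hosts that receive the first-party page URL, either as the Referer header or inside a query parameter (the way analytics beacons typically carry the page location), and flags those where that URL contains a sensitive parameter. The host names, the `token` parameter and the embedded HAR sample are all constructed for illustration.

```python
"""Find third-party requests in a HAR export that carry a sensitive first-party URL."""
import json
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample HAR (not a real capture): a first-party "manage booking" page
# whose URL carries a token, an analytics beacon that receives that URL both as the
# Referer header and in a query parameter, and a harmless CDN fetch.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://example-airline.test/manage?token=SECRET123",
                 "headers": []}},
    {"request": {"url": "https://analytics.example.test/collect?dl="
                        "https%3A%2F%2Fexample-airline.test%2Fmanage%3Ftoken%3DSECRET123",
                 "headers": [{"name": "Referer",
                              "value": "https://example-airline.test/manage?token=SECRET123"}]}},
    {"request": {"url": "https://cdn.example.test/app.js",
                 "headers": [{"name": "Referer", "value": "https://example-airline.test/"}]}},
]}})


def _is_first_party(host, first_party):
    return host == first_party or host.endswith("." + first_party)


def find_leaks(har_text, first_party, sensitive_params):
    """Return (third_party_host, channel) pairs for every request to a host outside
    first_party whose query string or Referer header contains a first-party URL
    with one of sensitive_params in its query."""
    leaks = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        host = urlparse(req["url"]).netloc
        if _is_first_party(host, first_party):
            continue  # requests to our own domain are not third-party leaks
        # Candidate URLs this request carries: every query value plus the Referer.
        carried = [("query", unquote(v))
                   for values in parse_qs(urlparse(req["url"]).query).values() for v in values]
        carried += [("referer", h["value"]) for h in req["headers"]
                    if h["name"].lower() == "referer"]
        for channel, value in carried:
            parsed = urlparse(value)
            if _is_first_party(parsed.netloc, first_party) and any(
                    p in parse_qs(parsed.query) for p in sensitive_params):
                leaks.append((host, channel))
    return leaks


if __name__ == "__main__":
    for host, channel in find_leaks(SAMPLE_HAR, "example-airline.test", ["token"]):
        print(f"{host} received the booking URL via {channel}")
```

A real capture is loaded with `open("capture.har").read()` in place of `SAMPLE_HAR`; each flagged host is a party that should be prevented from seeing the URL (for example by moving the secret out of the query string or setting a restrictive Referrer-Policy).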
I can easily see how this happened - Product deems that requiring a login for that page is too high a barrier and bad for business. Engineering thinks that “it ain’t so bad” since said links have a difficult to guess uuid; but of course forgot about or didn’t consider all the trackers that Marketing setup.
A lot of the e-commerce sites are bound to similar leaks. I remember reporting similar issues to MakeMyTrip.com and Expedia last year; MakeMyTrip.com was prompt enough to fix these issues. Sadly, I never got any response from Expedia so I'm not sure if they fixed the issues or not.
One story of my life:
I was scheduled for a flight Singapore -> Frankfurt and wanted to avoid sitting next to a colleague. Asked at check-in the lady who was sitting next to me and got the names without hesitation. On the flight back from Frankfurt, I could not confirm the names due to privacy laws. I suppose it is a question of awareness and local practices.