Emirates dinged for slipshod online data privacy practices International airline Emirates leaks customers' sensitive personal information to third-party marketing partners and network adversaries, according to Konark Modi, a data security engineer for Cliqz, a privacy-focused browser based on Firefox. Modi, in an online post on Friday, said that after a customer books a flight through …
"shares personally identifiable information with over a dozen third-party trackers, including ... Google"
If I read correctly it doesn't. It shares a link that can be used to find personal details. So unless Google et al follow the link there's nothing lost.
Passing personal data is a breach of the Google Analytics terms. Bet that's not often enforced.
I've noticed lots of airlines pulling similar stunts. Printing a 'boarding pass' in particular has become a sordid exercise in some dirty-tricks campaign. Anyone been redirected from an airline site to a 3rd party system that's only uses HTTP and expects you to enter a treasure trove of personal info. Fuck that!
It's not just airlines...
I was looking at the list of sites/scripts that were blocked by uMatrix while I was on a banking website for military members that included Facebook, Bing, Yahoo, Google analytics, DoubleClick and an online car dealership. (just to name a few)
Emirates went onto my "Do not use" list when I purchased 2 business class tickets through an agent at >£10,000 which included "free" limo drop off and pick up. They stiffed me £20 for the trip to and from the airport because I was 3 miles over their 25 mile limit. I wrote to them and said that there was no mention of this in the paperwork. They wrote back and said that if I had gone onto their website, I could have searched for the information. The reply was rude and condescending, as I would have needed to know about the limit to have searched for it. I later found that the reason that I did not get stiffed in the UK, was that the limit was 60 miles. Since then I have steered 6 intercontinental business class tickets to other airlines. Service: Have they heard of it?
A lot of companies do this, not only airlines but banks, hotels, news publications, etc often use a whole heap of third party trackers. This is often something decided by non-technical people who have received a sales pitch from those tracking companies, and who then decide to use them without fully understanding the technical implications.
On the topic of Emirates, they have had other interesting issues in the past. E.g. for a long period of time, their mobile app did not validate any SSL/TLS server certificates, so anyone could man-in-the-middle communications between the app and Emirates servers. Since it is an app used by travellers, those who use it have a good chance of using it on MITM-prone third party networks at airports/hotels/cafes/etc. When they finally fixed it, they did that silently; users were not notified that their information may have been leaked/intercepted, and release notes didn't mention the security fixes. (More details on that issue here: http://huagati.blogspot.com/2017/03/dear-emirates-your-mobile-app-has.html )
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
