
How Airlines don’t care about privacy: Case Study Emirates.com - kkm
https://medium.com/@konarkmodi/how-airlines-dont-care-about-your-privacy-case-study-emirates-com-6271b3b8474b
======
ggm
I oftentimes reach for my 'call the regulator' button when I read these
articles. What's odd is how many people say "god no..." as if there was some
consequential downside to using the very government entity we created (in law)
to make corporate entities "do the right thing" when they don't appear to want
to do it voluntarily.

So.. here we go. Explain to me, why we don't want to enact law to require
(through regulation) this practice to cease.

~~~
hermitdev
I'm waiting for someone to state "when you're not paying for something, you
are the product", except in this case, you are paying for something, yet
you're still the product.

This is just...disgusting.

~~~
on_and_off
This is why we should stop quoting that all the time.

Just because you are paying for a product does not prevent your data from
being sold or used in unethical ways.

~~~
craftyguy
The quote is not wrong. If you aren't paying for something, then 100% of the
time you are the product. If you are paying for something, then <100% of the
time you are also the product.

~~~
on_and_off
I don't pay for Wikipedia (actually I do via donations and edits, but that's
not the point) but I don't see anything bad about their BM.

~~~
tedeh
But Wikipedia is run by a non-profit organization...

~~~
orblivion
I'd say the more direct response is that with Wikipedia there is no product,
in that sense of the word.

~~~
mcherm
There most certainly IS a product! The only way I can imagine that you came to
believe there wasn't is that you were confused by the fact that they give
their product away.

Does Encyclopedia Britannica's website "britannica.com" have a product? Is
Encarta a product? Of course they are, and so is Wikipedia, unless BY
DEFINITION you exclude any "product" not exchanged for money from the
definition of "product". And by that definition, the second can of beans I got
at the grocery store on a buy-one-get-one-free sale wasn't a product -- which
I feel demolishes the usefulness of the term.

~~~
orblivion
It's something that's produced, but not something sold (like Encarta).
Accordingly you're right that it is a product.

In the informal sense in which we talk about users "being the product" I'd
call it not quite right, since there's nothing sold. The user doesn't have to
worry as much about ulterior motives.

------
AdmiralAsshat
I had a coworker who was flying to Morocco (I forget what airline). He called
me over to his desk at some point to show me the screen as he was picking out
his seat. By each occupied seat was a headshot of the passenger, pulled from
what I assume was their Facebook profile.

It was amazingly creepy.

~~~
United857
Sounds like KLM:
[https://www.klm.com/travel/us_en/prepare_for_travel/on_board...](https://www.klm.com/travel/us_en/prepare_for_travel/on_board/your_seat_on_board/meet_and_seat.htm)

This is on a strictly opt-in basis. I guess it's an interesting alternative to
Tinder if you're going to be stuck on a plane. (Disclaimer: I've never tried
it myself)

~~~
minimaxir
Apparently on Virgin Airlines there are _chat rooms_ on the planes. Those have
only two practical use cases: dating, and trolling:
[https://twitter.com/KrangTNelson/status/959907806622121984](https://twitter.com/KrangTNelson/status/959907806622121984)

~~~
untog
One practical use is talking to people you're on a flight with but not, say,
next to. I can't say I'd be a regular user of that feature, but I do find
myself on flights like that from time to time.

~~~
thaumasiotes
If you're all online anyway, wouldn't you already know how to reach those
people?

~~~
tjohns
That's IF you all pay extra for in-flight WiFi, and assuming the plane's
network link is working. (Many planes' WiFi use a cellular-based network link
that has occasional dead spots. Satellite linking is only available on newer
planes.)

Whereas seat-to-seat chat is free and relatively reliable.

------
artellectual
From my experience the travel industry is the worst offender in data
security. I remember making a booking on booking.com and not having to pay for
my booking, and I wondered how hotels can confirm bookings. When I went to
check in at the hotel I asked this question to the front desk staff, and they
simply told me “oh we get a fax or email from the OTA of your credit card
information”. You can imagine the look on my face when that happened.

Here I am building my online business using tokens with a PCI DSS compliant
payment gateway, and all these businesses out there don’t even care.

My lesson learned then was these industries will do anything to make it more
convenient for the travelers to book, even compromise on security.

~~~
avar
Sending credit cards via FAX to be printed out is not only OK with PCI DSS,
it's recommended. The reason companies like Booking.com do this is because the
credit card companies wanted it this way.

~~~
sitepodmatt
I remember having a chat with a small guesthouse owner a few years ago; he
showed me what the OTA sent through to them, which was clear copy text of the
booking along with all the credit card details. The big online OTA would
directly charge the customer a 15% deposit if I remember correctly, which they
banked as their commission - kind of clever, removing the big remittance
headache. It was then down to the hotel to directly capture the remaining balance
and enforce the cancellation rules. He explained that if customers don't turn
up he takes the credit card details down the road to a small independent
unrelated travel agency which attempts to hit the card and charges him 10% for
the privilege; he says it's about 50/50 whether the card authorizes. I think this
still happens.

~~~
avar
This definitely still happens, but I think implicit in your post and this
thread in general is the unstated statement "...and this is a horrible state
of affairs that shouldn't persist for even one more day!".

Ultimately it's the credit card companies that regulate this playing field,
and up to a certain point they're happy to make a large trade-off between
security & convenience, because they can work the security issues into their
processing fees.

Credit card companies aren't dumb, of course they know that small Mom & Pop
hotels are going to have horrible security practices when it comes to credit
cards. They also know that any security issues are going to be contained to
the customers of that establishment.

This is why PCI puts a huge amount of compliance burden on companies such as
payment processors and travel agencies that process a lot of credit cards, but
by-and-large ignores small players.

The hotelier you described and his method of ad-hoc charging credit cards with
a 10% fee at some unrelated business is surely in violation of some PCI
rule(s), but that's going to be a matter between his customers and his bank,
not all customers of the travel agency and Visa/MasterCard.

------
asterius
If you look at [https://track.emirates.email](https://track.emirates.email)
you will see that it isn't emirates either, but a service provided by
Mandrill, an add-on for MailChimp, and the cert is valid for
[https://mandrillapp.com](https://mandrillapp.com). Surely they could have
figured out how to use SNI.

The fact that your mail client / embedded browser takes you happily to sites
with broken certs, giving them a tracking token (and in this case, total
access to your booking) is also quite a problem.

~~~
kkm
Exactly, and the fact that the URL does not have any expiry (apart from the end
of the booking) also means the email provider, in this case Mailchimp, would
have access to the same.

As for why the browser did not flag the broken cert, that is because the link
sent in the email was over HTTP.

~~~
asterius
I tested going to an https link via Gmail. On desktop Chrome, it immediately
opens the link (and hence passes the link parameters). On mobile it pops up a
privacy error, "Attackers might be trying to steal your information"
(NET::ERR_CERT_COMMON_NAME_INVALID), which is certainly the right thing to do.
I still have to try it on Office365 and Outlook.

~~~
kkm
Strange, I always encounter `NET::ERR_CERT_COMMON_NAME_INVALID` even on Gmail
with Chrome. What's your test setup?

~~~
asterius
Doh, you're right. I looked at the site earlier and forgot to click on the red
triangle and click "re-enable warnings". Mea culpa.

I checked Firefox and it works correctly too.

------
product50
I mean - after Equifax got away with leaking SSNs, Names, Addresses with DoBs
of all 142M Americans - this is seriously nothing. At this point, I have
become apathetic on these privacy related issues as nothing will be done.

~~~
0xffff2
All 142m Americans?

~~~
sincerely
Yes: [https://www.reuters.com/article/us-equifax-breach/equifax-
fa...](https://www.reuters.com/article/us-equifax-breach/equifax-failed-to-
patch-security-vulnerability-in-march-former-ceo-idUSKCN1C71VY)

~~~
0xffff2
"Yes" isn't a valid answer to the question. There are a lot more than 142
million US citizens.

------
Arbalest
Yet another reason blocking ads is a must. But not just blocking ads, trackers
as well. I use uMatrix and uBlock origin. Unfortunately this does nothing to
deal with the aforementioned redirect chain. I suppose maybe this means it is
time to go back to the telephone and flight agencies.

~~~
kkm
Some of the tracking protection tools might help, but not all, for exactly the
reasons you mentioned. However, you can enforce some settings in Firefox and
Firefox-based browsers to keep referrer leakage in control. But it does
break a few websites. I can recommend taking a look at:
[https://wiki.mozilla.org/Security/Referrer](https://wiki.mozilla.org/Security/Referrer)
and seeing what suits your needs.

~~~
Arbalest
I wonder if enabling referrer trimming by default on common browsers would
force people willing to use tracking to reconsider their practices. Like
everything (it seems) it is always a game of cat and mouse, and the best way
to make it harder for trackers is to make sure the targets keep moving.

------
ziikutv
It's funny to be reading this just a week after noticing this.

Every airline uses some sort of a contractor or a shared piece of software for
online checkins. You can tell by the formed URI fragments and the JSON being
sent back and forth.

It's all trash. I wanted to work on a business that unified all check-ins under
a single company. I do not think, however, that it is reasonable given that all
of these airlines have the process, as shit as it is, for a reason.

~~~
tyingq
That's not quite right. They all (mostly) do checkin with some combination
of PNR identifier, and last/first name. There's no actual collusion though.
Just coincidental settling on the same minimum need.

There isn't much in common across airlines as far as the actual code goes,
though. Beyond that they all use some limited set of CRS providers, like
Galileo, Sabre, Amadeus, etc. That is to say, there's some common code, but
it's pretty far down the stack, and only common across a few carriers.

One example: [https://www.nytimes.com/2017/09/28/business/airport-check-
in...](https://www.nytimes.com/2017/09/28/business/airport-check-in-
computer.html)

Hit several carriers, but not all by a long stretch.

------
Too
That's pretty bad, but frankly he could have communicated better to Emirates.
If I was working as first line support and received that message with _" omg
do you know you are sharing fields a, b and c to partners. And maybe you are
sharing with x, y and z also?"_, without any technical details at all, I would
also give a canned response, tag it as tinfoil hat and throw it into the junk.

~~~
Matheus28
Exactly. Twitter isn't the medium to report this sort of problem. Ask for an
email address for security vulnerabilities, and send it there.

~~~
kkm
That was the first question I asked on Twitter support, to which they replied
that I can report the issues here. [https://cdn-
images-1.medium.com/max/1600/1*VvnWUPs8xnWRtH92M...](https://cdn-
images-1.medium.com/max/1600/1*VvnWUPs8xnWRtH92MJ5MWA.png)

Again, I am more than happy to report it through proper channels. I understand
the reasons for ethically reporting such issues.

I would really appreciate it if you can help me find the correct channel even
now for Emirates, Lufthansa, KLM, Air-France?

------
dictum
In line with the age-old advice on how sausages are made, here's my advice:
don't ever inspect the data leaving a mobile device.

– Just as I was about to add this comment, I remembered how it's not limited
to mobile devices anymore.

(Thankfully with certificate pinning and integrity checking you may be spared
of the risk of ever finding out what your apps actually do. Remember: only
weirdos and terrorists tinker.)

~~~
asterius
Certificate pinning is going away: [http://www.zdnet.com/article/google-
chrome-is-backing-away-f...](http://www.zdnet.com/article/google-chrome-is-
backing-away-from-public-key-pinning-and-heres-why/)

I think we can be confident that sites that don't even use CSP won't be
implementing Expect-CT any time soon.

~~~
seanmcelroy
HPKP is what the article you posted is referring to, and it probably will go
away completely.

However, profiling the public key of the site a mobile app connects to and
erroring out if it is compromised to prevent MitM attacks is called
'certificate pinning' for mobile apps but is not related to the HPKP pinning
of browsers. A reference for certificate pinning:
[https://blog.netspi.com/certificate-pinning-in-a-mobile-
appl...](https://blog.netspi.com/certificate-pinning-in-a-mobile-application/)

~~~
asterius
It seems grandiose to call that 'certificate pinning' when it is just hard
coding, e.g. a self-signed CA cert or (worse) a particular server cert.

Makes me suspect that a lot of client side validation is happening with mobile
apps.

------
fareesh
These magic URLs that can log you in automatically, generally ought to
necessitate a very high degree of paranoia from whoever is implementing them.
In this case the single point of failure seems like the leaky referrer, which
ought to have been noticed as part of the aforementioned paranoia.

I guess the problem here is that from an overall experience POV you want users
to be able to get to their booking from their email without having to go back
and forth to figure out their booking reference number and type it in.

Even as an advanced user sometimes there is very little you can do to protect
against this. In a lot of cases, blocking trackers is also a flaky solution
because sometimes custom event tracking takes place as part of a JS event, and
the event fails horribly due to the library not being loaded thanks to your
blocker, and as a result the event doesn't do what it's supposed to, and you
can't use the interface.

For mobile users, blockers are either not easy to install, or exist on some
fringe browser that is untested, and breaks the UI.

I wonder if it is possible to measure or guess how many humans have access to
your booking in such cases. Some part of the sysadmin team at each of those
tracking companies, maybe product leads, customer support?
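
The referrer leak discussed in this comment, and the Referrer-Policy settings kkm pointed to in the Mozilla wiki earlier in the thread, as an added example (not code from the article or from any commenter): it computes what a browser puts in the Referer header for each policy and shows which third-party hosts would receive a booking token that lives in the page URL. All hostnames and the token value are constructed.

```javascript
// Added example (not from the article or this thread): how the secret token in a
// "magic" booking URL reaches third-party hosts through the Referer header, and
// which Referrer-Policy values stop it. Hostnames and the token are constructed.

// Referer value a browser sends for a request from `fromUrl` to `toUrl` under
// `policy`, following the Referrer Policy spec: credentials and fragment are
// always stripped, and "downgrade" means https -> http (other potentially
// trustworthy non-https origins such as localhost are ignored for simplicity).
function computeReferer(fromUrl, toUrl, policy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const full = from.origin + from.pathname + from.search;
  const originOnly = from.origin + '/';
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer':                return null;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;       // old browser default
    case 'same-origin':                return sameOrigin ? full : null;
    case 'origin':                     return originOnly;
    case 'strict-origin':              return downgrade ? null : originOnly;
    case 'origin-when-cross-origin':   return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':                                  // current default
      return sameOrigin ? full : (downgrade ? null : originOnly);
    case 'unsafe-url':                 return full;
    default: throw new Error('unknown Referrer-Policy: ' + policy);
  }
}

// Cross-origin resources that would receive the value of `tokenParam` from
// `pageUrl` inside their Referer header under `policy`.
function tokenLeaks(pageUrl, resourceUrls, policy, tokenParam) {
  const page = new URL(pageUrl);
  const token = page.searchParams.get(tokenParam);
  if (!token) throw new Error('page URL has no ' + tokenParam + ' parameter');
  return resourceUrls.filter(r => {
    if (new URL(r).origin === page.origin) return false;   // first-party request, not a leak
    const ref = computeReferer(pageUrl, r, policy);
    return ref !== null && ref.includes(token);
  });
}

// Constructed scenario: the link in the e-mail was plain http (as in the article),
// so nothing the page embeds counts as a "downgrade" and the legacy default
// policy sends the full URL, token included, to every third-party host.
const BOOKING_PAGE = 'http://booking.example-airline.test/manage?pnr=ABC123&token=f00ba7';
const PAGE_RESOURCES = [
  'https://analytics.example-tracker.test/collect',    // analytics beacon
  'http://ads.example-net.test/pixel.gif',             // ad pixel
  'http://booking.example-airline.test/static/app.js', // first party
];

// Compare the policies a site can set with the Referrer-Policy response header
// or <meta name="referrer" content="...">. Firefox users can force the same
// client-side through the about:config prefs documented on the Mozilla wiki
// page linked above (network.http.referer.XOriginPolicy / trimmingPolicy).
function compareReferrerPolicies(pageUrl, resources, tokenParam) {
  const policies = ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin',
                    'same-origin', 'no-referrer'];
  const report = {};
  for (const p of policies) report[p] = tokenLeaks(pageUrl, resources, p, tokenParam);
  return report;
}

console.log(JSON.stringify(compareReferrerPolicies(BOOKING_PAGE, PAGE_RESOURCES, 'token'), null, 2));
// Referrer-Policy only limits the Referer header; scripts on the page can still
// read location.href, so the durable fix is to keep the token out of the URL.
```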

~~~
sorokod
Installing uBlock Origin on mobile Firefox is trivial.

~~~
joosters
You will still hit the same problems they described for some sites. Because
some JS has been blocked by your blocker, certain websites will have buttons
that just don't work. This is frustrating when those buttons are key things
like 'buy' or 'confirm'.

~~~
paulie_a
Then those sites do not deserve your business

~~~
fareesh
I agree with the sentiment but it's not always possible.

In the case of airlines, sometimes you have no choice but to go with a
particular carrier because there is no other carrier who will take you to your
destination with seats available that meet your schedule.

You also wouldn't know of these practices until much after you have already
paid for your ticket, by which time your booking is already in the hands of a
few hundred other "trusted third party" employees.

------
davewasthere
Emirates.com has changed a lot in the 18 years since I last worked on it. But
I can see how this might have come about.

Each 3rd party add-on is probably required by marketing in one form or another
(analytics, social sharing, partner data, advertising, ...). And possibly
development has been done just thinking about how to do something, rather than
if they should be doing something. We don't know what the gatekeepers have
managed to prevent getting deployed...

Part of how I see my role is to always have a product-owner sanity-check
hat on. But at the end of the day, it's the people with the wallets who decide
what gets included in their outcome, even if it's against the recommendations
of experts.

Commercial reality sometimes trumps common sense.

~~~
palmodi
Absolutely agree with you, having been a digital marketer and later Product
Manager for an Airline, I realized the ill-effects of mindlessly using tools
to "crack" the secret sauce of heightened UX and hence increased revenue
stream. Would I do it today? No. Would a CMO push for third party trackers?
Hell, Yes. The onus lies on the CTO to evaluate products and third party tools
against a checklist that also covers User-Data protection as one of the bullet
points.

------
netsharc
Hmm, no mention of luggage tags or boarding passes? Your luggage tag usually
has your last name and your booking code. Those 2 bits of information are
enough to log in to your flight details, including your passport information.
They are also on your boarding pass, also coded in the barcode, which people
sometimes post online. It can also be photographed from a distance with a good
enough camera.

~~~
arnarbi
FTA: Every single passenger's info is readable by a list of 20+ domains that
are not Emirates.

That's quite different from having to put physical eyeballs on a luggage tag.

------
nukeop
Airlines don't care about privacy, security, user experience, prices... There
are many things you don't have to care about when competition is low and
barriers to entry are incredibly high.

As an aside, turns out 9/10 decoy bombs and bladed weapons are smuggled
onboard with no problems in tests. All the security theatre and voodoo rituals
requiring passengers to switch off all electronic devices for no actual
reasons and it's still trivial to hijack a plane.

~~~
toomanybeersies
Airlines aren't responsible for security. The rules are specified by the IATA
and national agencies and security is either handled by a government
department (e.g. TSA) or by the airport itself.

Also, switching off electronic devices has nothing to do with security. The
apparent reason is that it can cause issues with navigation, as was theorised
after a plane crash in the 90s. Most flights these days don't even require
you to turn your electronics off, or even put them in airplane mode.

I'm fairly sure the reason that they made you turn your electronics off wasn't
even for the plane, but rather to ensure that you pay attention to the safety
briefing.

~~~
sokoloff
It's not just that. It's the airlines' means for complying with a specific
federal law as well.

[https://www.law.cornell.edu/cfr/text/14/91.21](https://www.law.cornell.edu/cfr/text/14/91.21)

The reason that different airlines have different rules, is that their OpSpecs
have different (and sometimes evolving) treatment on portable electronic
devices, which is their way, as operators, of complying with § 91.21

(shared because I suspect some will find it interesting in a random-trivia
sort of way, not because I'm arguing against your post)

~~~
jaclaz
Yes, and I would add some (hopefully) "common sense" consideration.

IF you were a captain, responsible for a several-million-dollar aircraft and
for hundreds of lives, AND IF there was a teeny-tiny, extremely low
probability that using a phone (or computer or other electronic device) could
cause a disaster, including the possibility of a suicide act of sabotage, how
would you implement in practice the Federal Rule you cited?

1) Kindly ask the passengers to have the devices switched off.

2) Seize each and every such device before boarding, and X-ray/scan each and
every passenger to be 100% sure that they don't carry one with them (hidden).

~~~
sokoloff
#1 clearly, or perhaps switched off below 10K feet MSL.

Try #2 and you find yourself unemployed as a captain. Try it as an airline and
you find yourself without passengers and shortly, without an airline.

Airlines and aviation authorities balance safety, cost, and convenience all
the time. ETOPS is a good example of that balance evolving. ETOPS-240 would
have been unthinkable at the start of the jet age.

------
monksy
This should not be a surprise. Most business types don't give a shit about
anything but money. Community, social, environment, or any other negative
externalities. They just don't care. They're after and bound to "fiduciary"
responsibility. (Short term reward and ignoring long term consequences)

I realize that was a moral high horse: I'm curious about how you can reward
people for positive long term growth.

~~~
sseveran
It turns out that people in general buy airline tickets based almost
exclusively on price. Airlines are actually showing very long term thinking
given that they have very high capital costs and need to make those
investments pay off in the very long run. People are rewarded in the long term
with profit because they have built a business that their customers want to
patronize.

Even as a very technically savvy person I am not sure I would stop flying an
airline because of this. While I agree these are awful practices would I be
willing to do an extra hop with an airline that had better security? Nope. So
while I sympathize with the article if Emirates was my main airline I would
probably still fly them. It turns out many companies suck at securing their
customers' data. If that is important to their customers they will be
rewarded/punished accordingly.

Ironically this is one of the reasons I prefer to buy things online through
Amazon and why I think they have 50% market share. They are a trusted
counterparty to my transactions and I would rather buy something through them
than a small company's website.

~~~
guitarbill
> It turns out that people in general buy airline tickets based almost
> exclusively on price

> They are a trusted counterparty

This is interesting, and I agree. But while I'm a big fan of quality and think
there are many cases where not buying the cheapest is a good move in general, I
find it hard to justify with airlines.

The quality varies wildly now, and reward programs are getting more and more
meaningless - often they're even pointless because you simply can't fly to
that airport with a carrier in your airline alliance, or they offer a way more
inconvenient flight.

Sometimes, business class is only marginally better than economy (same seats,
more legroom), but you couldn't tell from the cost. There are only very few
airlines where business class is consistent. Why do I need to know what type
of plane it is to know what business class seating is going to look like? The
difference between business and first class is similarly vague. Sometimes it's
worlds apart, others it's a slightly larger screen.

So why take the chance for airlines that aren't Singapore/Thai/ANA (to name my
favourites)? Just buy the cheapest flight, brave it, and take some unpaid
vacation and maybe a massage with the money you saved to make up for the
horrible experience.

The only constant is flying sucks, and will suck a lot more if you can't avoid
the USA. (Although the major US airports are such a shitshow that paying more
to arrive/depart at a smaller airport could be worth it time-wise.)

------
princekolt
Although I completely agree with the article, I think it's putting the bar a
bit too low to expect individual privacy from a UAE based company, when they
have little regard for even the basics of Human Rights[1].

[1]:
[https://en.wikipedia.org/wiki/Human_rights_in_the_United_Ara...](https://en.wikipedia.org/wiki/Human_rights_in_the_United_Arab_Emirates)

~~~
scrollaway
Ok, how about Paypal?

[https://twitter.com/Adys/status/943346017608585216](https://twitter.com/Adys/status/943346017608585216)

~~~
paulie_a
PayPal is an awful company. If they went out of business tomorrow the world
would be a better place.

~~~
amelius
[https://news.ycombinator.com/item?id=16279017](https://news.ycombinator.com/item?id=16279017)

------
M_Bakhtiari
Nothing will happen until a malicious party ends up cancelling an entire
flight’s worth of passengers and it starts costing them serious money and
reputation.

It’s a sad state of affairs when there is no ethical way to correct certain
grossly unethical business practices.

~~~
drdaeman
> malicious party

Which one? Google, Twitter, Facebook, Microsoft, Yahoo, Crazy Egg, Criteo or
NSA listening on the wire?

My apologies if you disagree, but I feel that the article is borderline
alarmist and I believe is written in the worst possible tone to communicate
the problem.

Yup, there is a shitton of analytics products. Yes, PII is leaked and this
needs to be fixed. But, no, it's not like the listed parties (BTW, of which
ek.aero is Emirates' own domain) are immediate threats. However, yes, this is
quite severe as there are many scenarios when the data would eventually land
in the wrong hands. E.g. if it would not be considered sensitive PII anymore but
treated as "just some analytics/statistics".

Basically, he should have patiently communicated that despite the trust in big
analytic companies, private personal information still gets sent to them
(mostly indirectly - in the form of session links), and this may lead to
accidental security leaks. Like, for example, some subcontractor having access
to "only" analytics would technically have access to much more data than they
are expected to have.

The article fails to do this and instead screams what essentially boils down
to "Google Analytics sees a link to the page with my passport details!". Color
me surprised the support reply was not helpful at all.

~~~
hooeezit
You missed the part where it's unencrypted HTTP traffic. So, any 'malicious
party' sitting at a café with free wifi.

~~~
drdaeman
So did the message to the support, screenshotted in the article.

And it's not just "any party sitting at a cafe". It specifically requires that
this malicious party is sitting in the same cafe, present (physically or
remotely) at the moment the site is accessed. So it's more likely to be an
airport's WiFi network - which is a much more probable place where an
unsuspecting traveler may access such a page. Hunting for a cafe with someone
buying tickets from a specific airline is probably too complicated to pay off,
unless the attack is personal.

Anyway, I don't argue this is all very bad. It is. What I want to say is that
the problem was communicated in a very poor way. And even this follow-up blog
article is so light on details, a person without some security knowledge would
quite likely shrug it off with an impression it's some tinfoil-hatter
screaming at analytics trackers.

------
leroy_masochist
One funny thing is that Emirates makes it look like they do care about
security by implementing a surprisingly onerous Captcha requirement before
Skywards login. I usually get it wrong a couple of times before I can get to
my account -- lots of 6s that might be Gs, partially obfuscated 8s that might
be 3s, etc.

------
etaioinshrdlu
It's technical incompetence. Emirates is a fantastic airline that treats
people very well. Of course this doesn't have anything to do with well engineered
IT systems.

~~~
kkm
Failure to accept and acknowledge these issues needs to be sorted out. Unless
these issues are treated as a technical priority, organisations will have a
huge impact on service delivery issues sooner or later.

------
Sir_Cmpwn
Browsers need to take a hardline stance on external content and stop allowing
pages to load anything whatsoever from external domains. But they won't,
because one of them is Google.

~~~
pc86
So in addition to explaining to your parents what an SSL cert is you want to
explain to them which domains should be whitelisted and which shouldn't?

~~~
Sir_Cmpwn
What does this have to do with my comment?

------
crb
Has anyone heard of an exploit that sets people's flights to use the attacker's
frequent flyer number, thus collecting their miles?

~~~
vwcx
No, because in most cases the program requires the passenger's name to match
the FF account name.

~~~
sksksk
A lot of FF programmes allow transferring of miles.

------
chii
I wonder how GDPR will affect this sort of issue.

~~~
__ka
In this case, the airline would have to get explicit consent for sharing the
user's personal data with third parties. So at the very least, it will
increase transparency. Post-GDPR, in the event of negligence, organizations
like [https://noyb.eu/](https://noyb.eu/) will become more relevant as mediums
for collective action in the form of class action suits.

EDIT: (Addendum) - The user would also have the right to ask the first party
(airline) to "require" third parties it has shared personal data with, to
delete them. Enforcing this however, will be hard.

------
DyslexicAtheist
It raises a larger question in the industry, such as what kind of internal
protection companies such as "Amadeus IT Group" have in place to prevent
employees from sifting through passengers' etix[¹] booking data?

I had the opportunity to witness a data-scientist being able to tap into the live
itinerary data stream, set up listeners and filter out anything they liked.

¹ [https://en.wikipedia.org/wiki/Etix](https://en.wikipedia.org/wiki/Etix)

~~~
palmodi
Having worked with Amadeus IT products for airlines, I can tell you this -
they are the most regressive "IT" products available in the world.

------
brokenmachine
How does one see what redirects you are being sent through?

Can someone explain how I'd see all those issues that he mentioned? Just
through Inspector in Firefox, or other tools?

~~~
kkm
Inspect element is a good place to start. I would suggest the following
approach:

1. Open a new tab.
2. Right click, choose "Inspect Element" and check the option to preserve logs.
3. Copy and paste the link which you want to check.
4. Preserve log will keep all the redirections.

You can then inspect what the website is up to.

There are more tools which help you debug traffic outside the browser, like
[https://mitmproxy.org](https://mitmproxy.org), Wireshark etc., but I think
Inspect Element should be enough to help you reproduce the scenarios mentioned
in the article.
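
The same check done offline, as an added example (not code from kkm or the article): the network panel above can export what it captured as a HAR file, and this script walks that export for the redirect chain, plain-HTTP hops and third-party requests that carry the booking token in the URL or the Referer header. The HAR content, hostnames and token below are constructed for illustration.

```javascript
// Added example (not from the thread): audit a HAR file saved from the DevTools
// network panel ("Save all as HAR" after following the e-mail link with
// "preserve log" on). It walks the redirect chain and flags plain-HTTP hops and
// third-party requests that carry the booking token in the URL or the Referer
// header. The HAR below is constructed; hostnames and the token are placeholders.

// Minimal HAR 1.2 entry; real exports carry many more fields, ignored here.
function mkEntry(url, status, referer, redirectURL) {
  return {
    request: { method: 'GET', url,
               headers: referer ? [{ name: 'Referer', value: referer }] : [] },
    response: { status, redirectURL: redirectURL || '', headers: [] },
  };
}

const BOOKING_URL = 'http://booking.example-airline.test/manage?pnr=ABC123&token=f00ba7';
const SAMPLE_HAR = { log: { version: '1.2', entries: [
  mkEntry('http://track.example-mailer.test/c/9f3a', 302, null, BOOKING_URL), // click-tracker hop
  mkEntry(BOOKING_URL, 200),
  mkEntry('https://analytics.example-tracker.test/collect?dl=' + encodeURIComponent(BOOKING_URL),
          200, BOOKING_URL),                                               // page URL in beacon
  mkEntry('http://ads.example-net.test/pixel.gif', 200, BOOKING_URL),      // ad pixel, Referer only
  mkEntry('https://static.example-airline.test/app.js', 200, BOOKING_URL), // first party
] } };

function headerValue(entry, name) {
  const h = entry.request.headers.find(x => x.name.toLowerCase() === name.toLowerCase());
  return h ? h.value : null;
}

function isFirstParty(url, firstPartyDomains) {
  const host = new URL(url).hostname;
  return firstPartyDomains.some(d => host === d || host.endsWith('.' + d));
}

// Follow 3xx responses from `startUrl`, using each response's redirectURL to
// locate the next entry; returns the ordered list of URLs visited.
function redirectChain(har, startUrl) {
  const byUrl = new Map(har.log.entries.map(e => [e.request.url, e]));
  const chain = [];
  let url = startUrl;
  while (url && byUrl.has(url) && !chain.includes(url)) {   // guard against loops
    chain.push(url);
    const res = byUrl.get(url).response;
    url = (res.status >= 300 && res.status < 400 && res.redirectURL)
      ? new URL(res.redirectURL, url).href : null;
  }
  return chain;
}

// One finding per problem: { kind, url }. Kinds: plain-http, token-in-url,
// token-in-referer. First-party requests are only checked for plain http.
function auditHar(har, { token, firstPartyDomains }) {
  const tokenForms = [token, encodeURIComponent(token)];
  const findings = [];
  for (const e of har.log.entries) {
    const url = e.request.url;
    if (url.startsWith('http:')) findings.push({ kind: 'plain-http', url });
    if (isFirstParty(url, firstPartyDomains)) continue;
    if (tokenForms.some(t => url.includes(t))) findings.push({ kind: 'token-in-url', url });
    const ref = headerValue(e, 'Referer');
    if (ref && tokenForms.some(t => ref.includes(t))) findings.push({ kind: 'token-in-referer', url });
  }
  return findings;
}

function countByKind(findings) {
  return findings.reduce((acc, f) => { acc[f.kind] = (acc[f.kind] || 0) + 1; return acc; }, {});
}

const findings = auditHar(SAMPLE_HAR, { token: 'f00ba7', firstPartyDomains: ['example-airline.test'] });
console.log(redirectChain(SAMPLE_HAR, 'http://track.example-mailer.test/c/9f3a'));
console.log(countByKind(findings), findings);
```

To use it on a real export, replace SAMPLE_HAR with `JSON.parse` of the saved file and pass the booking's own token and first-party domains.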

------
walrus01
Airlines regularly transmit PNR info to third parties with no crypto at all;
sadly, it is their default industry standard.

[https://en.wikipedia.org/wiki/Passenger_name_record](https://en.wikipedia.org/wiki/Passenger_name_record)

The entire airline industry runs on software that is about 25-30 years behind
the state of the art.

------
kkm
Updates:

- March 6th, 2018:

Emirates responded with a standard statement.

Excerpt: “The depiction in Mr Modi’s article as to what data is being shared,
or customer choice in ‘opting out’ is inaccurate.”

Here is my response:
[https://news.ycombinator.com/item?id=16532591](https://news.ycombinator.com/item?id=16532591)

------
granshaw
I can easily see how this happened - Product deems that requiring a login for
that page is too high a barrier and bad for business. Engineering thinks that
“it ain’t so bad” since said links have a difficult to guess uuid; but of
course forgot about or didn’t consider all the trackers that Marketing set up.

------
walterbell
How do Expedia, Travelocity, etc. compare with airline booking sites?

~~~
kkm
A lot of the e-commerce sites are bound to similar leaks. I remember reporting
similar issues to MakeMyTrip.com and Expedia last year; MakeMyTrip.com was prompt
enough to fix these issues. Sadly, I never got any response from Expedia so I'm not
sure if they fixed the issues or not.

------
ycombinete
To what degree can products like Privacy Badger, and uBlock, help with this
sort of invasion?

------
Aspos
> This issue is not only limited to Emirates, a lot of airlines like
> Lufthansa, KLM (last checked on October 2017) suffer from the same issues.

Still, god bless Emirates. Hands down, best airline.

~~~
jsemrau
One story of my life: I was scheduled for a flight Singapore -> Frankfurt and
wanted to avoid sitting next to a colleague. I asked the lady at check-in who
was sitting next to me and got the names without hesitation. On the flight
back from Frankfurt, I could not confirm the names due to privacy laws. I
suppose it is a question of awareness and local practices.

------
ksk
What is the definition of privacy?

