How Airlines don’t care about privacy: Case Study Emirates.com (medium.com)
465 points by kkm on Mar 4, 2018 | 174 comments

I oftentimes reach for my 'call the regulator' button when I read these articles. What's odd is how many people say "god no..." as if there was some consequential downside to using the very government entity we created (in law) to make corporate entities "do the right thing" when they don't appear to want to do it voluntarily.

So.. here we go. Explain to me, why we don't want to enact law to require (through regulation) this practice to cease.

I'm waiting for someone to state "when you're not paying for something, you are the product", except in this case, you are paying for something, yet you're still the product.

This is just...disgusting.

This is why we should stop quoting that all the time.

Just because you are paying for a product does not prevent your data from being sold or used in unethical ways.

As much as I agree with you that we seriously have got to stop trotting out that quote all the time, the quote doesn't necessarily preclude what you point out.

According to the quote, if you don't pay for it, you're definitely the product, but clearly, as you mention, just because you pay for it doesn't mean you're still not the product.


That quote is a lazy-soundbite-argument that "you shouldn't use free services" (because "you're the product" and that's "obviously" bad). However, if you stop to think about it for a second, you'll realize that it's dead wrong. It sounds nice & all, but it is in fact meaningless, and probably misguiding.

I've thought about it for several seconds and don't see what is wrong with the quote.

It is a cheap and easy way to explain to non-technical people that when something is "free" the provider is getting something back. Payment for advertising to you, collected data from you, and so on. If you (general) understand that, and are OK with that, then continue. But don't be naive.

What does Linus (& the rest of the Linux developers) get from YOU?

Well, Linus and other groups make such good software that companies pay them to make it directly or otherwise; other people release code for showing their own portfolio like an artist, to prove their skills; others do it so people on the Internet can help improve the code. And finally, none of this matters, because that rule applies to organizations making money (or trying to). Jane Hobbyist writing device drivers for the love of the job isn't a part of the saying.

Reputation? (and other network effects that come with having a large audience)

You are the product that gives them reputation?

Note - I'm not saying people don't have a reason to provide free stuff. I'm saying that the soundbite "you're the product!" is lazy, and sometimes misleading.

The quote is not wrong. If you aren't paying for something, then 100% of the time you are the product. If you are paying for something, then <100% of the time you are also the product.

I don't pay for wikipedia (actually I do via donations and edits but that's not the point) but I don't see anything bad about their BM.

But Wikipedia is run by a non-profit organization...

I'd say the more direct response is that with Wikipedia there is no product, in that sense of the word.

There most certainly IS a product! The only way I can imagine that you came to believe there wasn't is that you were confused by the fact that they give their product away.

Does Encyclopedia Britannica's website "britannica.com" have a product? Is Encarta a product? Of course they are, and so is Wikipedia, unless BY DEFINITION you exclude any "product" not exchanged for money from the definition of "product". And by that definition, the second can of beans I got at the grocery store on a buy-one-get-one-free sale wasn't a product -- which I feel demolishes the usefulness of the term.

It's something that's produced, but not something sold (like Encarta). Accordingly you're right that it is a product.

In the informal sense in which we talk about users "being the product" I'd call it not quite right, since there's nothing sold. The user doesn't have to worry as much about ulterior motives.

What of Linux?

=< 100

This comment is spot on. Do you mind if I use it as a caption on the article as well (with due credits)?

If you don't pay for it, you are the product. If you pay for it, you may still be productized. Odd that an EULA actually binds both parties, but somehow unequally? I don't think so!

Not at all; I don't mind.

This quote also completely forgets open source and non profits exist and provide things.

Well, the General Data Protection Regulation (GDPR) will become enforceable in May (for all people in the EU).

As far as I understand, Emirates is risking big fines if they don't fix this by May 25.

Even though they are not based out of EU and only operate in EU?

Yes, the GDPR affects everyone who processes data of people in the EU, regardless of where they are based.

Where they are based doesn't matter. If they are collecting revenues (taking payments) from EU clients, it applies. That includes generating ad revenues from EU based eyeballs. When it comes to non-ad-generating, free websites, it remains to be seen how bold EU regulators get. It'll be hard to penalize or prosecute such websites, and there are enough violations in the fat cats anyway, so I'm guessing those free websites will get a free pass for now (pun intended).

> That includes generating ad revenues from EU based eyeballs.

That would be fairly hard to enforce against a company that doesn't have a physical or legal presence in the EU.

In general, I'm disturbed by governments trying to enforce laws beyond their border just because their citizens are somehow involved by sending information over the internet. In some fields, it's a legal minefield just to comply with the rules of one country, much less several. This won't be a major difficulty for big players with high-paid lawyers and compliance departments, but it could easily kill startups, some before they're even launched.

> In general, I'm disturbed by governments trying to enforce laws beyond their border just because their citizens are somehow involved by sending information over the internet.

Isn't it simple enough to geoblock areas if European customers are somehow too hard to serve?

> In some fields, it's a legal minefield just to comply with the rules of one country, much less several. This won't be a major difficulty for big players with high-paid lawyers and compliance departments, but it could easily kill startups, some before they're even launched.

As the topic is GDPR: a privacy first approach is not rocket science. I'm sure any startup with even the remotest chance of success can follow the basic principles without undue complications.

Geoblocking is breaking the internet.

While I agree that startups should be respectful of privacy, that doesn't change the principle at work here. Allowing countries to enforce laws against companies that don't have a physical or legal presence within their borders is a dangerous mechanism. Introducing a dangerous mechanism to enforce a good policy will result in that mechanism being used for a bad policy later on.

When you operate a business somewhere, you have to observe the laws of the place you do business in. It does not matter where you are based.

How someone gets a hold of you to enforce any action against you is a different matter. But Emirates kind of needs to come to the EU sometimes to do its business there.

They're taking money from EU customers, so yes the EU will enforce.

They have assets (and even more, they want to land in EU airports) in the EU so yes the EU can force them to comply even if they don't want to.

If they sell to EU customers, then yes, they have to abide by the EU privacy regulations. Alternatively, they can set up a website just for EU customers or stop serving them altogether.

I can only hope for the EU that their economic incentive remains strong enough to prevent foreign companies from totally pulling out, resulting in the EU market becoming bleaker and bleaker. And it's not even the current companies that I worry most about - they often have already invested too much to withdraw because of this - it's the new companies that may flat out refuse to enter the EU market.

The GDPR is yet another regulation that adds a lot of liability with the risk of huge fines for a foreign company. And while no regulation in itself is ever going to be enough of reason, it's the plethora of regulations that is, and the more it grows, the more companies will feel it reached the tipping point for them, which may result in either withdrawal or refusal to serve the EU market. If this proves true, EU citizens should expect to see a lot more of "We're sorry, this service is not available in your country" messages. And it's already pretty bad from what I've heard.

Note: I'm not saying Emirates will pull out because of this, they won't. I'm also NOT against the GDPR and I totally understand the need, I just wish it would be regulated on a more universal level. Same with copyright regulations.

> Note: I'm not saying Emirates will pull out because of this, they won't. I'm also NOT against the GDPR and I totally understand the need, I just wish it would be regulated on a more universal level. Same with copyright regulations.

What could be a more universal level than EU that could actually enforce something like GDPR? US is rather anti-privacy these days, which I found interesting as they are extremely individualistic at the same time. The only even remotely suitable body is WTO, and that won't happen.

Right, it's a universal regulation that applies to about 6% of the world population. But you make a good point, it is very hard to regulate this on a higher level. I'm just saying that the EU shouldn't expect every foreign company to accept and play by their rules, especially if it's only relevant to a fraction of their customers. What this may lead to is companies refusing to serve the EU and EU residents forced to resort to shady VPN companies to access their services - as they already do to circumvent copyright regulations - eventually resulting in less privacy and loss of VAT and other revenue for the EU.

Again, I do not want to paint an overly bleak picture - and I do support regulations like this one - but my feeling is that, due to the lack of a universal solution, this GDPR won't have a better fate than the current copyright regulations: beneficial for some, but at the cost of more internet fragmentation and discrimination. It's almost like lawmakers consistently forget that the internet doesn't stop at borders.

GDPR concerns a human right (civil rights in USA-parlance). Are you stating that human rights are a nuisance?

The preamble of the GDPR states that it regulates the fundamental right to privacy, not the human right to privacy. The human right to privacy is much lower level than the fundamental right to privacy.

To repeat myself: I'm [also] NOT against the GDPR and I totally understand the need, I just wish it would be regulated on a more universal level.

I oftentimes reach for my 'call the regulator' button when I read these articles.

And what regulator is that? Does Dubai even have a "regulator" overseeing stuff like this?

Emirates is wholly owned by the government of Dubai. So basically you would be complaining about one Dubai government agency to another Dubai government agency.

Perhaps you could complain about this to some US or EU regulator? Would they care enough to get involved?

I live in Portugal, an EU country. After a complaint, our National Data Protection Commission fined one of my neighbors for having posted certain personal data of other tenants on our building hall.

They care.

Emirates gets a big chunk of their revenues from EU customers. They definitely don't want to piss off EU regulators. As for US regulators, they've been at odds with them for some time, so Emirates will probably try to fight them before giving in. But this particular privacy hole is the size of a crater - it will be hard to fight the regulators. In fact, as a software architect, I feel that the solution is far cheaper than fighting regulators.

Emirates has a physical presence in the EU and would definitely be subject to EU regulations when a flight to, from or purchased in the EU is involved.

I had a coworker who was flying to Morocco (I forget what airline). He called me over to his desk at some point to show me the screen as he was picking out his seat. By each occupied seat was a headshot of the passenger, pulled from what I assume was their Facebook profile.

It was amazingly creepy.

Sounds like KLM: https://www.klm.com/travel/us_en/prepare_for_travel/on_board...

This is on a strictly opt-in basis. I guess it's an interesting alternative to Tinder if you're going to be stuck on a plane. (Disclaimer: I've never tried it myself)

Apparently on Virgin Airlines there are chat rooms on the planes. Those have only two practical use cases: dating, and trolling: https://twitter.com/KrangTNelson/status/959907806622121984

I use it frequently both to talk to folks in my party who got seated elsewhere, and to other friends who are coincidentally on the same flight (common when traveling for conventions/conferences).

I also know folks who have arranged large group bookings (30+ passengers going to the same event) and found it useful to talk to each other.

One practical use is talking to people you're on a flight with but not say next to. I can't say I'd be a regular user of that feature, but I do find myself on flights like that from time to time.

If you're all online anyway, wouldn't you already know how to reach those people?

That's IF you all pay extra for in-flight WiFi, and assuming the plane's network link is working. (Many planes' WiFi use a cellular-based network link that has occasional dead spots. Satellite linking is only available on newer planes.)

Whereas seat-to-seat chat is free and relatively reliable.

"If you're all online anyway" is a reasonably sized caveat. I often don't bother buying in flight WiFi because you can't do all that much with it.

I used the chat on a KLM flight to Canada recently, it was neat. You could also chat with a specified seat number, and they would get a popup on their screen that you want to initiate chat - it was very useful as there was a large group of us travelling together and I could just chat with someone without walking to their seat on the other end of the plane.

This has been around for years. Besides messaging, there was a plane-wide chat. Pretty fun to ask people how first class is :)

I suspect the primary use case is talking to fellow passengers with whom you already have a relationship. But maybe not. I've never used it.

Something people seem to miss every time this comes up.. every airline I've seen this on (Qantas, Emirates, Cathay Pacific, American Airlines, etc).. require you to enable receiving messages before someone can send you a message.

Thus you can't just randomly message any seat on the plane until they turn it on.

I saw a similar feature at least ten years ago elsewhere. I'm not sure of the airline but it might have been Air France. It was more basic - think SMS - and you could do voice calls as well. I figured it was meant for people who were traveling together but who were not sitting together.

Wouldn't there be an incentive to make yourself ... less pleasant looking in the hopes nobody sits next to you?

No! you'll just invite to spend 10hrs flight with a creep next to you :)

This could be due to regulatory requirements on Morocco's side. I regularly fly EUN<->TFS via LPA with Binter: In/out of Laayoune you have to take your assigned seat, within the Canaries they don't care.

isn't this mostly so you don't accidentally end up sitting next to a woman who isn't your wife?

From my experience the travel industry are the worst offenders of data security. I remember making a booking on booking.com and not having to pay for my booking, and I wondered how hotels can confirm bookings. When I went to check in at the hotel I asked this question to the front desk staff, and they simply told me “oh we get a fax or email from the OTA of your credit card information”. You can imagine the look on my face when that happened.

Here I am building my online business using tokens with pci dss compliant payment gateway and all these businesses out there don’t even care.

My lesson learned then was these industries will do anything to make it more convenient for the travelers to book, even compromise on security.

They have to support the lowest common denominator. I worked for a company that did camping reservations. Our system for remote sites involved a ranger getting up at 4am, starting a generator and powering up a fax machine. That was seen as an improvement over travelling 40 miles to get a weekly, guaranteed useless list or the honor system and cash payments.

It's like anything else, companies don't lift a finger unless it costs them money or runs them afoul of regulators.

Sending credit cards via FAX to be printed out is not only OK with PCI DSS, it's recommended. The reason companies like Booking.com do this is because the credit card companies wanted it this way.

I remember having a chat with a small guesthouse owner a few years ago, he showed me what the OTA sent through to them which was clear copy text of the booking along with all the credit card details. The big online OTA would directly charge the customer 15% deposit if I remember correctly which they banked as their commission - kind of clever removing the big remittance headache. It was then down to the hotel to directly capture the remaining balance and enforce the cancellation rules. He explained that if customers don't turn up he takes the credit card details down the road to a small independent unrelated travel agency which attempts to hit the card and charges him 10% for the privilege; he says it's about 50/50 whether the card authorizes. I think this still happens.

This definitely still happens, but I think implicit in your post and this thread in general is the unstated statement "...and this is a horrible state of affairs that shouldn't persist for even one more day!".

Ultimately it's the credit card companies that regulate this playing field, and up to a certain point they're happy to make a large trade-off between security & convenience, because they can work the security issues into their processing fees.

Credit card companies aren't dumb, of course they know that small Mom & Pop hotels are going to have horrible security practices when it comes to credit cards. They also know that any security issues are going to be contained to the customers of that establishment.

This is why PCI puts a huge amount of compliance burden on companies such as payment processors and travel agencies that process a lot of credit cards, but by-and-large ignores small players.

The hotelier you described and his method of ad-hoc charging credit cards with a 10% fee at some unrelated business is surely in violation of some PCI rule(s), but that's going to be a matter between his customers and his bank, not all customers of the travel agency and Visa/MasterCard.

Booking.com literally became successful because they built this massive infrastructure around European hotels that refused to update their booking systems past fax and phone calls.

I use agoda.com over booking.com for this very reason: it lets me pay with paypal. If you care about that sort of thing, I suggest you do too.

Of course, you then have to provide your credit card or another means of payment to the hotel on arrival for insurance.

PS: and this is pretty much the why of how something as reviled by merchants as paypal is thriving, as a customer I love it.

I wish I had the level of audacity or ignorance these people have and send plaintext user data over http, write half-assed webapps that just look pretty but offer no security etc etc. I would be in a much better place right now from a professional point of view. But I just can't do it.

Last time this was discussed, someone said that hotels get a generated CC from Booking, valid only for that transaction. Hope it's true :)

Why isn’t it the same when you hand them your credit card?

Your credit card number should not persist in their system when you hand it to them, and it definitely should not be printed on hard copy.


If you look at https://track.emirates.email you will see that it isn't emirates either, but a service provided by Mandrill, an add-on for MailChimp, and the cert is valid for https://mandrillapp.com. Surely they could have figured out how to use SNI.

The fact that your mail client / embedded browser takes you happily to sites with broken certs, giving them a tracking token (and in this case, total access to your booking) is also quite a problem.

Exactly, the fact that the url does not have any expiry (apart from the end of booking), the email providers in this case Mailchimp would also have access to the same.

For the case why browser did not redirect the broken cert, that is because the link sent in the email was over http.

I tested going to a https link via gmail. On desktop chrome, it immediately opens the link (and hence passes the link parameters). On mobile it pops up a privacy error, "Attackers might be trying to steal your information" (NET::ERR_CERT_COMMON_NAME_INVALID), which is certainly the right thing to do. Still have to try it on Office365 and Outlook.

Strange, I always encounter `NET::ERR_CERT_COMMON_NAME_INVALID` even on Gmail with Chrome. What's your test setup?

Doh, you're right. I looked at the site earlier and forgot to click on the red triangle and click "re-enable warnings". Mea culpa.

I checked firefox and it works correctly too.

I mean - after Equifax got away with leaking SSNs, Names, Addresses with DoBs of all 142M Americans - this is seriously nothing. At this point, I have become apathetic on these privacy related issues as nothing will be done.

Yap and their stock pretty much recovered. Worse, as you said, everyone learned: "it's actually quite alright to leak all this stuff, no need to revamp anything or worry about security, privacy and spending extra on that, you'll be just fine".

All 142m Americans?

Adults that have credit history, I believe.

"Yes" isn't a valid answer to the question. There are a lot more than 142 million US citizens.

Yet another reason blocking ads is a must. But not just blocking ads, trackers as well. I use uMatrix and uBlock origin. Unfortunately this does nothing to deal with the aforementioned redirect chain. I suppose maybe this means it is time to go back to the telephone and flight agencies.

Some of the tracking protection tools might help, but not all for exactly the reasons you mentioned. However, you can enforce some settings in Firefox and Firefox based browsers to keep referrer leakage in control. But it does break a few websites. I can recommend taking a look at: https://wiki.mozilla.org/Security/Referrer and see what suits your need.

I wonder if enabling referrer trimming by default on common browsers would force people willing to use tracking to reconsider their practices. Like everything (it seems) it is always a game of cat and mouse, and the best way to make it harder for trackers is to make sure the targets keep moving.

>> I suppose maybe this means it is time to go back to the telephone and flight agencies.

You would just end up paying more (directly or indirectly) while still having the representatives using the same problematic system, now from their end.

Hard to block all analytics because you can also shuffle them through as first party traffic too.

There is really no way out of the redirect chain here, but if you want to avoid malicious redirects on many other websites you can use the Neat URL extension.

It's funny to be reading this just a week after noticing this.

Every airline uses some sort of a contractor or a shared piece of software for online checkins. You can tell by the formed URI fragments and the JSON being sent back and forth.

It's all trash. I wanted to work on a business that unified all check-ins under single company. I do not think however, it is reasonable given that all of these airlines have the process, as shit as it is, for a reason.

That's not quite right. They all (mostly) do checkin with some combination of PNR identifier, and last/first name. There's no actual collusion though. Just coincidental settling on the same minimum need.

There isn't much in common across airlines as far as the actual code goes, though. Beyond that they all use some limited set of CRS providers, like Galileo, Sabre, Amadeus, etc. That is to say, there's some common code, but it's pretty far down the stack, and only common across a few carriers.

One example: https://www.nytimes.com/2017/09/28/business/airport-check-in...

Hit several carriers, but not all by a long stretch.

I hear you, the problem is deeply rooted, in the implementation design. Even reporting these problems is such a tedious task, that you kind of feel like giving up after a certain point.

Unfortunately, not just Emirates, but a huge number of e-commerce companies across industries like travel, shopping, healthcare are subjected to similar leaks.

> shared piece of software for online checkins

You are probably referring to GDS - that’s been up since 1960’s: https://en.m.wikipedia.org/wiki/Computer_reservation_system#...

That's pretty bad, but frankly he could have communicated better to Emirates. If I was working as first line support and received that message with "omg do you know you are sharing fields a, b and c to partners. And maybe you are sharing with x, y and z also?", without any technical details at all, I would also give a canned response, tag it as tinfoil hat and throw it into the junk.

He does address that though:

>Please note that I could not find a dedicated channel for reporting security bugs on Emirates website

I agree that he should've found an email channel but Twitter is their official customer support interaction.

He also says that he wrote an email to the Product Manager -

"I also wrote an email to the Product Manager highlighting the security flaws. I was met with a deafening silence."

So, the Social Media team gives a canned response and the Product Manager doesn't bother to even respond to an email; that just goes to show that data security is not their priority.

I guess you missed out on this part -

"In the wake of responsible behaviour, on discovering these serious security flaws that violate user-data privacy, I decided to flag them to Emirates through Twitter DM in October 2017. Please note that I could not find a dedicated channel for reporting security bugs on Emirates website.

I also wrote an email to the Product Manager highlighting the security flaws. I was met with a deafening silence."

Proper first-line support setup makes the staff send any queries they don't understand to higher levels, not throw away.

The new thing now even with big travel booking companies is to have one tier of phone support that can literally only provide canned answers, and a very difficult to get to escalation to an email team that will give you a canned answer.

Exactly. Twitter isn't the medium to report this sort of problem. Ask for an email address for security vulnerabilities, and send it there.

That was the first question I asked on Twitter support, to which they replied, I can report the issues here. https://cdn-images-1.medium.com/max/1600/1*VvnWUPs8xnWRtH92M...

Again, I am more than happy to report it through proper channels. I understand the reasons of ethically reporting such issues.

I would really appreciate it, can you help me find the correct channel even now for Emirates, Lufthansa, KLM, Air-France?

Well: «Please note that I could not find a dedicated channel for reporting security bugs on Emirates website.»

I guess you completely missed the paragraph titled "Reporting it to Emirates:"

I will write it here for you - "In the wake of responsible behaviour, on discovering these serious security flaws that violate user-data privacy, I decided to flag them to Emirates through Twitter DM in October 2017. Please note that I could not find a dedicated channel for reporting security bugs on Emirates website.

The Social Media Team immediately responded to my Twitter DM with a canned response but I was not ready to give up hope. I also wrote an email to the Product Manager highlighting the security flaws. I was met with a deafening silence."

In line with the age-old advice on how sausages are made, here's my advice: don't ever inspect the data leaving a mobile device.

– Just as I was about to add this comment, I remembered how it's not limited to mobile devices anymore.

(Thankfully with certificate pinning and integrity checking you may be spared of the risk of ever finding out what your apps actually do. Remember: only weirdos and terrorists tinker.)

Certificate pinning and integrity checking will only come into play if the services move to HTTPS :). Sadly, Emirates is sending HTTP links to help users manage bookings.

Certificate pinning is going away: http://www.zdnet.com/article/google-chrome-is-backing-away-f...

I think we can be confident that sites that don't even use CSP won't be implementing Expect-CT any time.

HPKP is what the article you posted to is referring to, and probably will go away completely.

However, profiling the public key of the site a mobile app connects to and erroring out if it is compromised to prevent MitM attacks is called 'certificate pinning' for mobile apps but is not related to the HPKP pinning of browsers. A reference for certificate pinning: https://blog.netspi.com/certificate-pinning-in-a-mobile-appl...

It seems grandiose to call that 'certificate pinning' when it is just hard coding, e.g. a self-signed CA cert or (worse) a particular server cert.

Makes me suspect that a lot of client side validation is happening with mobile apps.

Presumably GP was talking about in-app certificate pinning, not Google’s opinion of the day...

These magic URLs that can log you in automatically, generally ought to necessitate a very high degree of paranoia from whoever is implementing them. In this case the single point of failure seems like the leaky referrer, which ought to have been noticed as part of the aforementioned paranoia.

I guess the problem here is that from an overall experience POV you want users to be able to get to their booking from their email without having to go back and forth to figure out their booking reference number and type it in.
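
Added example, not part of the thread or the linked article: a simplified JavaScript model of how a browser picks the Referer value under each Referrer-Policy, showing which policies hand a third-party script the full auto-login booking URL discussed above. The hostnames, the `pnr` and `lastName` parameter names and their values are constructed placeholders, and the downgrade test only compares https to non-https instead of the specification's full trustworthiness check.

```javascript
// Simplified model of the W3C Referrer Policy "determine request's referrer"
// step. Added illustration; all URLs and parameter names are constructed.

const POLICIES = [
  'no-referrer',
  'same-origin',
  'origin',
  'strict-origin',
  'origin-when-cross-origin',
  'strict-origin-when-cross-origin',
  'no-referrer-when-downgrade',
  'unsafe-url',
];

// Constructed sample: a booking page reached from an http e-mail link that
// loads a script from a third-party host over https.
const SAMPLE_PAGE_URL = 'http://booking.example/manage?pnr=ABC123&lastName=DOE';
const SAMPLE_TRACKER_URL = 'https://tracker.example/collect.js';
const SECRET_PARAMS = ['pnr', 'lastName']; // hypothetical parameter names

// Browsers strip credentials and the fragment before sending a referrer;
// with originOnly they also drop the path and the query string.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  u.username = '';
  u.password = '';
  u.hash = '';
  return originOnly ? u.origin + '/' : u.href;
}

// Simplification: treat "https page requesting a non-https resource" as the
// only downgrade case.
function isDowngrade(pageUrl, requestUrl) {
  return new URL(pageUrl).protocol === 'https:' &&
         new URL(requestUrl).protocol !== 'https:';
}

// Returns the Referer value sent with a request from pageUrl to requestUrl,
// or null when the header is omitted.
function computeReferrer(policy, pageUrl, requestUrl) {
  const full = stripForReferrer(pageUrl, false);
  if (full === null) return null;
  const originOnly = stripForReferrer(pageUrl, true);
  const sameOrigin = new URL(pageUrl).origin === new URL(requestUrl).origin;
  const downgrade = isDowngrade(pageUrl, requestUrl);

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return full;
    case 'origin':
      return originOnly;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : originOnly;
    case 'strict-origin':
      return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error('unknown policy: ' + policy);
  }
}

// True when the referrer still carries any of the sensitive query parameters.
function leaksSecret(referrer, secretParams) {
  if (referrer === null) return false;
  const params = new URL(referrer).searchParams;
  return secretParams.some((name) => params.has(name));
}

// One row per policy: what the third party receives and whether it leaks.
function auditPolicies(pageUrl, thirdPartyUrl, secretParams) {
  return POLICIES.map((policy) => {
    const referrer = computeReferrer(policy, pageUrl, thirdPartyUrl);
    return { policy, referrer, leaks: leaksSecret(referrer, secretParams) };
  });
}

// Names of the policies under which the third party sees the secrets.
function leakingPolicies(pageUrl, thirdPartyUrl, secretParams) {
  return auditPolicies(pageUrl, thirdPartyUrl, secretParams)
    .filter((row) => row.leaks)
    .map((row) => row.policy);
}

for (const row of auditPolicies(SAMPLE_PAGE_URL, SAMPLE_TRACKER_URL, SECRET_PARAMS)) {
  console.log(row.policy.padEnd(34), row.leaks ? 'LEAKS' : 'ok   ', row.referrer);
}
```

A `Referrer-Policy` of `strict-origin-when-cross-origin` or stricter on the booking page trims what third parties receive through this header. Scripts that run inside the page can still read `location.href` directly, so the header does not cover third-party JavaScript embedded in the page itself.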

Even as an advanced user sometimes there is very little you can do to protect against this. In a lot of cases, blocking trackers is also a flaky solution because sometimes custom event tracking takes place as part of a JS event, and the event fails horribly due to the library not being loaded thanks to your blocker, and as a result the event doesn't do what it's supposed to, and you can't use the interface.

For mobile users, blockers are either not easy to install, or exist on some fringe browser that is untested, and breaks the UI.

I wonder if it is possible to measure or guess how many humans have access to your booking in such cases. Some part of the sysadmin team at each of those tracking companies, maybe product leads, customer support?

For measuring presence of trackers on popular websites, I recommend: https://whotracks.me/

Disclaimer: This is a project from the company I work for. (Cliqz)

Installing uBlock Origin on mobile Firefox is trivial.

You will still hit the same problems they described for some sites. Because some JS has been blocked by your blocker, certain websites will have buttons that just don't work. This is frustrating when those buttons are key things like 'buy' or 'confirm'.

Then those sites do not deserve your business

I agree with the sentiment but it's not always possible.

In the case of airlines, sometimes you have no choice but to go with a particular carrier because there is no other carrier who will take you to your destination with seats available that meet your schedule.

You also wouldn't know of these practices until much after you have already paid for your ticket, by which time your booking is already in the hands of a few hundred other "trusted third party" employees.

uBlock is fully functional in Firefox mobile on Android. I have used it since v57; I do not know how it was before that.

Emirates.com has changed a lot in the 18 years since I last worked on it. But I can see how this might have come about.

Each 3rd party add-on is probably required by marketing in one form or another (analytics, social sharing, partner data, advertising). And possibly development has been done just thinking about how to do something, rather than if they should be doing something. We don't know what the gatekeepers have managed to prevent getting deployed...

Part of how I see my role is to always have a product-owner sanity-check hat on. But at the end of the day, it's the people with the wallets who decide what gets included in their outcome, even if it's against the recommendations of experts.

Commercial reality sometimes trumps common sense.

Absolutely agree with you, having been a digital marketer and later Product Manager for an Airline, I realized the ill-effects of mindlessly using tools to "crack" the secret sauce of heightened UX and hence increased revenue stream. Would I do it today? No. Would a CMO push for third party trackers? Hell, Yes. The onus lies on CTO to evaluate products, third party tools against a checklist that also covers User-Data protection as one of the bullet points.

Hmm, no mention of luggage tags or boarding passes? Your luggage tag usually has your last name and your booking code. Those 2 bits of information are enough to log in to your flight details, including your passport information. They are also on your boarding pass, also coded in the barcode, which people sometimes post online; it can also be photographed from a distance with a good enough camera.

FTA: Every single passenger's info is readable by a list of 20+ domains that are not Emirates.

That's quite different from having to put physical eyeballs on a luggage tag.

I think you are referring to an attack similar to this: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme..., I just linked this video in the article and not the complete attack vector.

Airlines don't care about privacy, security, user experience, prices... There are many things you don't have to care about when competition is low and barriers to entry are incredibly high.

As an aside, turns out 9/10 decoy bombs and bladed weapons are smuggled onboard with no problems in tests. All the security theatre and voodoo rituals requiring passengers to switch off all electronic devices for no actual reasons and it's still trivial to hijack a plane.

Airlines aren't responsible for security. The rules are specified by the IATA and national agencies and security is either handled by a government department (e.g. TSA) or by the airport itself.

Also, switching off electronic devices has nothing to do with security. The apparent reason is that it can cause issues with navigation, as was theorised after a plane crash in the 90's. Most flights these days don't even require you to turn your electronics off, or even put it in airplane mode.

I'm fairly sure the reason that they made you turn your electronics off wasn't even for the plane, but rather to ensure that you pay attention to the safety briefing.

It's not just that. It's the airlines' means for complying with a specific federal law as well.


The reason that different airlines have different rules, is that their OpSpecs have different (and sometimes evolving) treatment on portable electronic devices, which is their way, as operators, of complying with § 91.21

(shared because I suspect some will find it interesting in a random-trivia sort of way, not because I'm arguing against your post)

Yes, and I would add some (hopefully) "common sense" consideration.

IF you were a captain, responsible for a several-million-dollar aircraft and for hundreds of lives, AND IF there was a teeny-tiny, extremely low probability that using a phone (or computer or other electronic device) could cause a disaster, including the possibility of a suicide act of sabotage, how would you implement in practice the Federal Rule you cited?

1) Kindly ask the passengers to have the devices switched off.

2) Seize each and every such device before boarding, and X-ray/scan each and every passenger to be 100% sure that they don't carry one with them (hidden).

#1 clearly, or perhaps switched off below 10K feet MSL.

Try #2 and you find yourself unemployed as a captain. Try it as an airline and you find yourself without passengers and shortly, without an airline.

Airlines and aviation authorities balance safety, cost, and convenience all the time. ETOPS is a good example of that balance evolving. ETOPS-240 would have been unthinkable at the start of the jet age.

This should not be a surprise. Most business types don't give a shit about anything but money. Community, social, environment, or any other negative externalities. They just don't care. They're after and bound to "fiduciary" responsibility. (Short term reward and ignoring long term consequences)

I realize that was a moral high horse: I'm curious about how you can reward people for positive long term growth.

It turns out that people in general buy airline tickets based almost exclusively on price. Airlines are actually showing very long term thinking given that they have very high capital costs and need to make those investments pay off in the very long run. People are rewarded in the long term with profit because they have built a business that their customers want to patronize.

Even as a very technically savvy person I am not sure I would stop flying an airline because of this. While I agree these are awful practices, would I be willing to do an extra hop with an airline that had better security? Nope. So while I sympathize with the article, if Emirates was my main airline I would probably still fly them. It turns out many companies suck at securing their customers' data. If that is important to their customers they will be rewarded/punished accordingly.

Ironically this is one of the reasons I prefer to buy things online through Amazon and why I think they have 50% market share. They are a trusted counterparty to my transactions and I would rather buy something through them than a small company's website.

> It turns out that people in general buy airline tickets based almost exclusively on price

> They are a trusted counterparty

This is interesting, and I agree. But while I'm a big fan of quality and think there are many cases where not buying the cheapest is a good move in general, I find it hard to justify with airlines.

The quality varies wildly now, and reward programs are getting more and more meaningless - often they're even pointless because you simply can't fly to that airport with a carrier in your airline alliance, or they offer a way more inconvenient flight.

Sometimes, business class is only marginally better than economy (same seats, more legroom), but you couldn't tell from the cost. There are only very few airlines where business class is consistent. Why do I need to know what type of plane it is to know what business class seating is going to look like? The difference between business and first class is similarly vague. Sometimes it's worlds apart, others it's a slightly larger screen.

So why take the chance for airlines that aren't Singapore/Thai/ANA (to name my favourites)? Just buy the cheapest flight, brave it, and take some unpaid vacation and maybe a massage with the money you saved to make up for the horrible experience.

The only constant is flying sucks, and will suck a lot more if you can't avoid the USA. (Although the major US airports are such a shitshow that paying more to arrive/depart at a smaller airport could be worth it time-wise.)

Fiduciary responsibility does not necessitate a short term thought process. If you can show that the long term negative consequences outweigh the short term positive ones, the people you're complaining about will listen. The problem is that you can't tie these things to a negative financial impact. Boards of Directors frankly don't give a shit about your moral high horse, nor is that their job. Get off it and prove to them that your positive long term growth strategy will result in high overall profitability and they'll listen.

But, as someone else stated, airline tickets are a commodity now. So until you're personally going to be paying more for identical tickets because of something like this, be prepared to reap what you sow.

Although I completely agree with the article, I think it's putting the bar a bit too low to expect individual privacy from a UAE based company, when they have little regard for even the basics of Human Rights[1].

[1]: https://en.wikipedia.org/wiki/Human_rights_in_the_United_Ara...

PayPal is an awful company. If they went out of business tomorrow the world would be a better place.

Nothing will happen until a malicious party ends up cancelling an entire flight’s worth of passengers and it starts costing them serious money and reputation.

It’s a sad state of affairs when there is no ethical way to correct certain grossly unethical business practices.

> malicious party

Which one? Google, Twitter, Facebook, Microsoft, Yahoo, Crazy Egg, Criteo or NSA listening on the wire?

My apologies if you disagree, but I feel that the article is borderline alarmist and I believe is written in the worst possible tone to communicate the problem.

Yup, there is a shitton of analytics products. Yes, PII is leaked and this needs to be fixed. But, no, it's not like listed parties (BTW, of which ek.aero is Emirates' own domain) are immediate threats. However, yes, this is quite severe as there are many scenarios when the data would eventually land in the wrong hands. E.g. if it would not be considered sensitive PII anymore but treated as "just some analytics/statistics".

Basically, he should have patiently communicated that despite the trust in big analytic companies, private personal information still gets sent to them (mostly indirectly - in form of session links), and this may lead to accidental security leaks. Like, for example, some subcontractor having access to "only" analytics would technically have access to much more data than they are expected to have.

The article fails to do this and instead screams what essentially boils down to "Google Analytics sees a link to the page with my passport details!". Color me surprised the support reply was not helpful at all.

>Which one? Google, Twitter, Facebook, Microsoft, Yahoo, Crazy Egg, Criteo or NSA listening on the wire?

Or anyone exploiting either of those parties' bad security. That's an enormous attack surface. Also add the passenger's email provider to that list.

You missed the part where it's unencrypted HTTP traffic. So, any 'malicious party' sitting at a café with free wifi.

So did the message to the support, screenshotted in the article.

And it's not just "any party sitting at a cafe". It specifically requires that this malicious party is sitting in the same cafe, present (physically or remotely) at the moment the site is accessed. So it's more likely to be an airport's WiFi network - which is a much more probable place where an unsuspecting traveler may access such a page. Hunting for a cafe with someone buying tickets from a specific airline is probably too complicated to pay off, unless the attack is personal.

Anyway, I don't argue this is all very bad. It is. What I want to say is that the problem was communicated in a very poor way. And even this follow-up blog article is so light on details, a person without some security knowledge would quite likely shrug it off with an impression it's some tinfoil-hatter screaming at analytics trackers.

Absolutely agree, data security is not a priority for almost all organizations in the Service Industry. Hopefully GDPR and E-Privacy will be the beginning of an era when organizations are forced to think about protecting user information.

The website sounds like a blatant GDPR violation, and GDPR has teeth.

I'm wondering how sharp those teeth are. What are they going to do, revoke Emirates operational licenses throughout Europe? That would not go over well with flyers...

A fine of up to €20 million or up to 4% of the annual worldwide turnover, whichever is greater. Yeah there's a reason everyone's panicking about GDPR, it can seriously wreck your business.

One funny thing is that Emirates makes it look like they do care about security by implementing a surprisingly onerous Captcha requirement before Skywards login. I usually get it wrong a couple of times before I can get to my account -- lots of 6s that might be Gs, partially obfuscated 8s that might be 3s, etc.

It's technical incompetence. Emirates is a fantastic airline that treats people very well. Of course this doesn't have anything to do with well engineered IT systems.

Failure to accept and acknowledge these issues needs to be sorted out. Unless these issues are treated as a technical priority, organisations will have a huge impact on service delivery issues sooner or later.

Browsers need to take a hardline stance on external content and stop allowing pages to load anything whatsoever from external domains. But they won't, because one of them is Google.

Wouldn't this just lead to these websites putting everything behind a reverse proxy? That would make it harder to detect and block third party scripts.

So in addition to explaining to your parents what an SSL cert is you want to explain to them which domains should be whitelisted and which shouldn't?

What does this have to do with my comment?

Yeah that's exactly what we need, browsers arbitrarily deciding what content is allowed to be loaded.

It would not be arbitrary, it would be well defined.

I agree with your sentiment but this would break every website that uses a CDN for static assets.

It would, that's the point. You'd give them time to fix it, like you give notice before visually indicating HTTP is insecure or deprecating SHA-1 certificates.

Has anyone heard of an exploit that sets people's flights to use the attacker's frequent flyer number, thus collecting their miles?

No, because in most cases the program requires the passenger's name to match the FF account name.

a lot of FF programmes allow transferring of miles

> the program requires

Except in the event of exploit of vulnerability...

This[1] talk linked in the article mentions that it is happening, and that the name check is mostly useless because you can often just change the name attached to the frequent flyer number. Of course, things may have changed, but they probably haven't.

[1]: https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...

Interesting thought, would be really curious to see the outcome for that. AFAIK, the link that Emirates is sharing allowed me to add my own miles number. What I am not sure is, if there is a check at the backend (Emirates side) which compares the miles number with ticket holder email ID.

I wonder how GDPR will affect this sort of issue.

In this case, the airline would have to get explicit consent for sharing the user's personal data with third parties. So at the very least, it will increase transparency. Post-GDPR, in the event of negligence, organizations like https://noyb.eu/ will become more relevant as mediums for collective action in the form of class action suits.

EDIT: (Addendum) - The user would also have the right to ask the first party (airline) to "require" third parties it has shared personal data with, to delete them. Enforcing this however, will be hard.

It raises a larger question in the industry, such as what kind of internal protection do companies such as "Amadeus IT Group" have in place to prevent employees from sifting through passengers' etix[¹] booking data?

I had the opportunity to witness a data-scientist being able to tap into a live itinerary data-stream, set up listeners and filter out anything they liked.

¹ https://en.wikipedia.org/wiki/Etix

Having worked with Amadeus IT products for airlines, I can tell you this - they are the most regressive "IT" products available in the world.

How does one see what redirects you are being sent through?

Can someone explain how I'd see all those issues that he mentioned? Just through Inspector in Firefox, or other tools?

Inspect element is a good place to start. I would suggest the following approach:

1. Open a new tab.
2. Right click, Inspect Element, and check the option to preserve logs.
3. Copy and paste the link which you want to check.
4. Preserve log will keep all the redirections.

You can then inspect what the website is up to.

There are more tools which help you debug traffic outside the browser, like https://mitmproxy.org, Wireshark, etc., but I think Inspect Element should be enough to help you reproduce the scenarios mentioned in the article.
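An added example (not part of the comment above or of the article): once the preserved network log has been exported from the browser as a HAR file, a short script can list every third-party host that received the booking details, either in the request URL or in the Referer header. The hostnames, parameter names and booking values below are constructed, and the first-party check is a plain suffix match, which is an assumption.

```javascript
// Constructed sample in the shape of a HAR export (log.entries[].request).
// All hosts and booking values are made up for illustration.
const page = "http://airline.example/manage?pnr=ABC123&lastName=MUSTERMANN";
const sampleHar = { log: { entries: [
  { request: { url: page, headers: [] } },
  { request: { url: "https://cdn.airline.example/app.js",
               headers: [{ name: "Referer", value: page }] } },
  { request: { url: "https://tracker.example/collect?dl=" + encodeURIComponent(page),
               headers: [{ name: "referer", value: "http://airline.example/" }] } },
  { request: { url: "https://ads.example/pixel.gif",
               headers: [{ name: "Referer", value: page }] } },
  { request: { url: "https://fonts.example/font.woff2",
               headers: [{ name: "Referer", value: "http://airline.example/" }] } },
] } };

// Trackers often carry the page URL percent-encoded inside a query
// parameter, so decode (at most twice) before searching.
function decodeLoose(text) {
  let out = text;
  for (let i = 0; i < 2; i++) {
    try {
      const decoded = decodeURIComponent(out);
      if (decoded === out) break;
      out = decoded;
    } catch {
      break; // malformed escape sequence: search what we have
    }
  }
  return out.toLowerCase();
}

// Assumption: first party = the site's domain and its subdomains.
function isFirstParty(host, firstParty) {
  return host === firstParty || host.endsWith("." + firstParty);
}

// Returns one record per (third-party request, channel) that carried a secret.
function findLeaks(har, firstParty, secrets) {
  const leaks = [];
  for (const { request } of har.log.entries) {
    const host = new URL(request.url).hostname;
    if (isFirstParty(host, firstParty)) continue;
    const refHeader = request.headers.find(
      (h) => h.name.toLowerCase() === "referer");
    const channels = {
      url: decodeLoose(request.url),
      referer: decodeLoose(refHeader ? refHeader.value : ""),
    };
    for (const [channel, text] of Object.entries(channels)) {
      const found = secrets.filter((s) => text.includes(s.toLowerCase()));
      if (found.length > 0) leaks.push({ host, channel, secrets: found });
    }
  }
  return leaks;
}

console.log(findLeaks(sampleHar, "airline.example", ["ABC123", "MUSTERMANN"]));
```

A `Referrer-Policy` of `no-referrer` or `origin` on the booking page closes the `referer` channel, but a third-party script running in the page can still read the full URL, which is what the `url` channel catches.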

airlines regularly transmit PNR info to third parties with no crypto at all, sadly, it is their default industry standard.


the entire airline industry runs on software that is about 25-30 years behind the state of the art.


- March 6th, 2018:

Emirates responded with a standard statement.

Excerpt: “The depiction in Mr Modi’s article as to what data is being shared, or customer choice in ‘opting out’ is inaccurate.”

Here is my response: https://news.ycombinator.com/item?id=16532591

I can easily see how this happened - Product deems that requiring a login for that page is too high a barrier and bad for business. Engineering thinks that “it ain’t so bad” since said links have a difficult to guess uuid; but of course forgot about or didn’t consider all the trackers that Marketing set up.

How do Expedia, Travelocity, etc. compare with airline booking sites?

A lot of the e-commerce sites are bound to have similar leaks. I remember reporting similar issues to MakeMyTrip.com and Expedia last year; MakeMyTrip.com was prompt enough to fix these issues. Sadly, I never got any response from Expedia, so I'm not sure if they fixed the issues or not.

To what degree can products like Privacy Badger, and uBlock, help with this sort of invasion?

> This issue is not only limited to Emirates, a lot of airlines like Lufthansa, KLM (last checked on October 2017) suffer from the same issues.

Still, god bless Emirates. Hands down, best airline.

One story of my life: I was scheduled for a flight Singapore -> Frankfurt and wanted to avoid sitting next to a colleague. Asked at check-in the lady who was sitting next to me and got the names without hesitation. On the flight back from Frankfurt, I could not confirm the names due to privacy laws. I suppose it is a question of awareness and local practices.

What is the definition of privacy?
