So.. here we go. Explain to me, why we don't want to enact law to require (through regulation) this practice to cease.
This is just...disgusting.
Just because you are paying for a product does not prevent your data from being sold or used in unethical ways.
According to the quote, if you don't pay for it, you're definitely the product, but clearly, as you mention, just because you pay for it doesn't mean you're still not the product.
It is a cheap and easy way to explain to non-technical people that when something is "free" the provider is getting something back. Payment for advertising to you, collected data from you, and so on. If you (general) understand that, and are OK with that, then continue. But don't be naive.
Note - I'm not saying people don't have a reason to provide free stuff. I'm saying that the soundbite "you're the product!" is lazy, and sometimes misleading.
Does Encyclopedia Britannica's website "britannica.com" have a product? Is Encarta a product? Of course they are, and so is Wikipedia, unless BY DEFINITION you exclude any "product" not exchanged for money from the definition of "product". And by that definition, the second can of beans I got at the grocery store on a buy-one-get-one-free sale wasn't a product -- which I feel demolishes the usefulness of the term.
In the informal sense in which we talk about users "being the product" I'd call it not quite right, since there's nothing sold. The user doesn't have to worry as much about ulterior motives.
As far as I understand, Emirates is risking big fines if they don't fix this by May 25.
That would be fairly hard to enforce against a company that doesn't have a physical or legal presence in the EU.
In general, I'm disturbed by governments trying to enforce laws beyond their border just because their citizens are somehow involved by sending information over the internet. In some fields, it's a legal minefield just to comply with the rules of one country, much less several. This won't be a major difficulty for big players with high-paid lawyers and compliance departments, but it could easily kill startups, some before they're even launched.
Isn't it simple enough to geoblock areas if European customers are somehow too hard to serve?
> In some fields, it's a legal minefield just to comply with the rules of one country, much less several. This won't be a major difficulty for big players with high-paid lawyers and compliance departments, but it could easily kill startups, some before they're even launched.
As the topic is GDPR: a privacy first approach is not rocket science. I'm sure any startup with even the remotest chance of success can follow the basic principles without undue complications.
While I agree that startups should be respectful of privacy, that doesn't change the principle at work here. Allowing countries to enforce laws against companies that don't have a physical or legal presence within their borders is a dangerous mechanism. Introducing a dangerous mechanism to enforce a good policy will result in that mechanism being used for a bad policy later on.
How someone gets a hold of you to enforce any action against you is a different matter. But Emirates kind of needs to come to the EU sometimes to do its business there.
They have assets (and even more, they want to land in EU airports) in the EU, so yes, the EU can force them to comply even if they don't want to.
The GDPR is yet another regulation that adds a lot of liability with the risk of huge fines for a foreign company. And while no regulation in itself is ever going to be enough of a reason, it's the plethora of regulations that is, and the more it grows, the more companies will feel it has reached the tipping point for them, which may result in either withdrawal or refusal to serve the EU market. If this proves true, EU citizens should expect to see a lot more "We're sorry, this service is not available in your country" messages. And it's already pretty bad from what I've heard.
Note: I'm not saying Emirates will pull out because of this, they won't. I'm also NOT against the GDPR and I totally understand the need, I just wish it would be regulated on a more universal level. Same with copyright regulations.
What could be a more universal level than the EU that could actually enforce something like GDPR? The US is rather anti-privacy these days, which I find interesting as they are extremely individualistic at the same time. The only even remotely suitable body is the WTO, and that won't happen.
Again, I do not want to paint an overly bleak picture - and I do support regulations like this one - but my feeling is that, due to the lack of a universal solution, this GDPR won't have a better fate than the current copyright regulations: beneficial for some, but at the cost of more internet fragmentation and discrimination. It's almost like lawmakers consistently forget that the internet doesn't stop at borders.
To repeat myself: I'm [also] NOT against the GDPR and I totally understand the need, I just wish it would be regulated on a more universal level.
And what regulator is that? Does Dubai even have a "regulator" overseeing stuff like this?
Emirates is wholly owned by the government of Dubai. So basically you would be complaining about one Dubai government agency to another Dubai government agency.
Perhaps you could complain about this to some US or EU regulator? Would they care enough to get involved?
It was amazingly creepy.
This is on a strictly opt-in basis. I guess it's an interesting alternative to Tinder if you're going to be stuck on a plane. (Disclaimer: I've never tried it myself)
I also know folks who have arranged large group bookings (30+ passengers going to the same event) and found it useful to talk to each other.
Whereas seat-to-seat chat is free and relatively reliable.
Thus you can't just randomly message any seat on the plane until they turn it on.
Here I am building my online business using tokens with a PCI DSS compliant payment gateway and all these businesses out there don't even care.
My lesson learned then was these industries will do anything to make it more convenient for the travelers to book, even compromise on security.
It's like anything else, companies don't lift a finger unless it costs them money or runs them afoul of regulators.
Ultimately it's the credit card companies that regulate this playing field, and up to a certain point they're happy to make a large trade-off between security & convenience, because they can work the security issues into their processing fees.
Credit card companies aren't dumb, of course they know that small Mom & Pop hotels are going to have horrible security practices when it comes to credit cards. They also know that any security issues are going to be contained to the customers of that establishment.
This is why PCI puts a huge amount of compliance burden on companies such as payment processors and travel agencies that process a lot of credit cards, but by-and-large ignores small players.
The hotelier you described and his method of ad-hoc charging credit cards with a 10% fee at some unrelated business is surely in violation of some PCI rule(s), but that's going to be a matter between his customers and his bank, not all customers of the travel agency and Visa/MasterCard.
Of course, you then have to provide your credit card or another means of payment to the hotel on arrival for insurance.
PS: and this is pretty much why something as reviled by merchants as PayPal is thriving; as a customer I love it.
The fact that your mail client / embedded browser takes you happily to sites with broken certs, giving them a tracking token (and in this case, total access to your booking) is also quite a problem.
As for why the browser did not redirect the broken cert: that is because the link sent in the email was over http.
I checked Firefox and it works correctly too.
You would just end up paying more (directly or indirectly) while still having the representatives using the same problematic system, now from their end.
Every airline uses some sort of a contractor or a shared piece of software for online checkins. You can tell by the formed URI fragments and the JSON being sent back and forth.
It's all trash. I wanted to work on a business that unified all check-ins under a single company. I do not think, however, that it is reasonable given that all of these airlines have the process, as shit as it is, for a reason.
There isn't much in common across airlines as far as the actual code goes, though. Beyond that they all use some limited set of CRS providers, like Galileo, Sabre, Amadeus, etc. That is to say, there's some common code, but it's pretty far down the stack, and only common across a few carriers.
One example: https://www.nytimes.com/2017/09/28/business/airport-check-in...
Hit several carriers, but not all by a long stretch.
Unfortunately, not just Emirates, but a huge number of e-commerce companies across industries like travel, shopping, and healthcare are subject to similar leaks.
You are probably referring to GDS - that's been up since the 1960s: https://en.m.wikipedia.org/wiki/Computer_reservation_system#...
> Please note that I could not find a dedicated channel for reporting security bugs on Emirates website
I agree that he should've found an email channel but Twitter is their official customer support interaction.
"I also wrote an email to the Product Manager highlighting the security flaws. I was met with a deafening silence."
So, the social media team gives a canned response and the Product Manager doesn't bother to even respond to an email; that just goes to show that data security is not their priority.
"In the wake of responsible behaviour, on discovering these serious security flaws that violate user-data privacy, I decided to flag them to Emirates through Twitter DM in October 2017. Please note that I could not find a dedicated channel for reporting security bugs on Emirates website.
I also wrote an email to the Product Manager highlighting the security flaws. I was met with a deafening silence."
Again, I am more than happy to report it through proper channels. I understand the reasons for ethically reporting such issues.
I would really appreciate it if you can help me find the correct channel, even now, for Emirates, Lufthansa, KLM, Air France?
I will write it here for you - "In the wake of responsible behaviour, on discovering these serious security flaws that violate user-data privacy, I decided to flag them to Emirates through Twitter DM in October 2017. Please note that I could not find a dedicated channel for reporting security bugs on Emirates website.
The Social Media Team immediately responded to my Twitter DM with a canned response but I was not ready to give up hope. I also wrote an email to the Product Manager highlighting the security flaws. I was met with a deafening silence."
– Just as I was about to add this comment, I remembered how it's not limited to mobile devices anymore.
(Thankfully with certificate pinning and integrity checking you may be spared of the risk of ever finding out what your apps actually do. Remember: only weirdos and terrorists tinker.)
I think we can be confident that sites that don't even use CSP won't be implementing Expect-CT any time.
However, profiling the public key of the site a mobile app connects to and erroring out if it is compromised to prevent MitM attacks is called 'certificate pinning' for mobile apps but is not related to the HPKP pinning of browsers. A reference for certificate pinning: https://blog.netspi.com/certificate-pinning-in-a-mobile-appl...
Makes me suspect that a lot of client side validation is happening with mobile apps.
I guess the problem here is that from an overall experience POV you want users to be able to get to their booking from their email without having to go back and forth to figure out their booking reference number and type it in.
Even as an advanced user sometimes there is very little you can do to protect against this. In a lot of cases, blocking trackers is also a flaky solution because sometimes custom event tracking takes place as part of a JS event, and the event fails horribly due to the library not being loaded thanks to your blocker, and as a result the event doesn't do what it's supposed to, and you can't use the interface.
For mobile users, blockers are either not easy to install, or exist on some fringe browser that is untested, and breaks the UI.
I wonder if it is possible to measure or guess how many humans have access to your booking in such cases. Some part of the sysadmin team at each of those tracking companies, maybe product leads, customer support?
Disclaimer: This is a project from the company I work for. (Cliqz)
In the case of airlines, sometimes you have no choice but to go with a particular carrier because there is no other carrier who will take you to your destination with seats available that meet your schedule.
You also wouldn't know of these practices until much after you have already paid for your ticket, by which time your booking is already in the hands of a few hundred other "trusted third party" employees.
Each 3rd party add-on is probably required by marketing in one form or another (analytics, social sharing, partner data, advertising, ...). And possibly development has been done just thinking about how to do something, rather than if they should be doing something. We don't know what the gatekeepers have managed to prevent getting deployed...
Part of how I see my role is to always have a product-owner sanity-check hat on. But at the end of the day, it's the people with the wallets who decide what gets included in their outcome, even if it's against the recommendations of experts.
Commercial reality sometimes trumps common sense.
That's quite different from having to put physical eyeballs on a luggage tag.
As an aside, turns out 9/10 decoy bombs and bladed weapons are smuggled onboard with no problems in tests. All the security theatre and voodoo rituals requiring passengers to switch off all electronic devices for no actual reasons and it's still trivial to hijack a plane.
Also, switching off electronic devices has nothing to do with security. The apparent reason is that it can cause issues with navigation, as was theorised after a plane crash in the '90s. Most flights these days don't even require you to turn your electronics off, or even put them in airplane mode.
I'm fairly sure the reason that they made you turn your electronics off wasn't even for the plane, but rather to ensure that you pay attention to the safety briefing.
The reason that different airlines have different rules is that their OpSpecs have different (and sometimes evolving) treatment of portable electronic devices, which is their way, as operators, of complying with § 91.21
(shared because I suspect some will find it interesting in a random-trivia sort of way, not because I'm arguing against your post)
IF you were a captain, responsible for a several-million-dollar aircraft and for hundreds of lives, AND IF there was a teeny-tiny, extremely low probability that using a phone (or computer or other electronic device) could cause a disaster, including the possibility of a suicidal act of sabotage, how would you implement in practice the Federal Rule you cited?
1) Kindly ask the passengers to have the devices switched off.
2) Seize each and every such device before boarding, and X-ray/scan each and every passenger to be 100% sure that they don't carry one (hidden) with them.
Try #2 and you find yourself unemployed as a captain. Try it as an airline and you find yourself without passengers and shortly, without an airline.
Airlines and aviation authorities balance safety, cost, and convenience all the time. ETOPS is a good example of that balance evolving. ETOPS-240 would have been unthinkable at the start of the jet age.
I realize that was a moral high horse: I'm curious about how you can reward people for positive long term growth.
Even as a very technically savvy person I am not sure I would stop flying an airline because of this. While I agree these are awful practices, would I be willing to do an extra hop with an airline that had better security? Nope. So while I sympathize with the article, if Emirates was my main airline I would probably still fly them. It turns out many companies suck at securing their customers' data. If that is important to their customers they will be rewarded/punished accordingly.
Ironically this is one of the reasons I prefer to buy things online through Amazon and why I think they have 50% market share. They are a trusted counterparty to my transactions and I would rather buy something through them than a small company's website.
> They are a trusted counterparty
This is interesting, and I agree. But while I'm a big fan of quality and think there are many cases where not buying the cheapest is a good move in general, I find it hard to justify with airlines.
The quality varies wildly now, and reward programs are getting more and more meaningless - often they're even pointless because you simply can't fly to that airport with a carrier in your airline alliance, or they offer a way more inconvenient flight.
Sometimes, business class is only marginally better than economy (same seats, more legroom), but you couldn't tell from the cost. There are only very few airlines where business class is consistent. Why do I need to know what type of plane it is to know what business class seating is going to look like? The difference between business and first class is similarly vague. Sometimes it's worlds apart, others it's a slightly larger screen.
So why take the chance for airlines that aren't Singapore/Thai/ANA (to name my favourites)? Just buy the cheapest flight, brave it, and take some unpaid vacation and maybe a massage with the money you saved to make up for the horrible experience.
The only constant is flying sucks, and will suck a lot more if you can't avoid the USA. (Although the major US airports are such a shitshow that paying more to arrive/depart at a smaller airport could be worth it time-wise.)
But, as someone else stated, airline tickets are a commodity now. So until you're personally going to be paying more for identical tickets because of something like this, be prepared to reap what you sow.
It’s a sad state of affairs when there is no ethical way to correct certain grossly unethical business practices.
Which one? Google, Twitter, Facebook, Microsoft, Yahoo, Crazy Egg, Criteo or NSA listening on the wire?
My apologies if you disagree, but I feel that the article is borderline alarmist and I believe is written in the worst possible tone to communicate the problem.
Yup, there is a shitton of analytics products. Yes, PII is leaked and this needs to be fixed. But, no, it's not like the listed parties (BTW, of which ek.aero is Emirates' own domain) are immediate threats. However, yes, this is quite severe as there are many scenarios in which the data would eventually land in the wrong hands. E.g. if it were not considered sensitive PII anymore but treated as "just some analytics/statistics".
Basically, he should have patiently communicated that despite the trust in big analytics companies, private personal information still gets sent to them (mostly indirectly - in the form of session links), and this may lead to accidental security leaks. Like, for example, some subcontractor having access to "only" analytics would technically have access to much more data than they are expected to have.
The article fails to do this and instead screams what essentially boils down to "Google Analytics sees a link to the page with my passport details!". Color me surprised the support reply was not helpful at all.
Or anyone exploiting either of those parties' bad security. That's an enormous attack surface. Also add the passenger's email provider to that list.
And it's not just "any party sitting at a cafe". It specifically requires that this malicious party is sitting in the same cafe, present (physically or remotely) at the moment the site is accessed. So it's more likely to be an airport's WiFi network - which is a much more probable place where an unsuspecting traveler may access such a page. Hunting for a cafe with someone buying tickets from a specific airline is probably too complicated to pay off, unless the attack is personal.
Anyway, I don't argue this is all very bad. It is. What I want to say is that the problem was communicated in a very poor way. And even this follow-up blog article is so light on details, a person without some security knowledge would quite likely shrug it off with an impression it's some tinfoil-hatter screaming at analytics trackers.
Except in the event of an exploit of a vulnerability...
EDIT: (Addendum) - The user would also have the right to ask the first party (airline) to "require" third parties it has shared personal data with to delete it. Enforcing this, however, will be hard.
I had the opportunity to witness a data scientist being able to tap into a live itinerary data stream, set up listeners and filter out anything they liked.
Can someone explain how I'd see all those issues that he mentioned? Just through Inspector in Firefox, or other tools?
1. Open a new tab.
2. Right click, Inspect Element, and check the option to preserve logs.
3. Copy and paste the link which you want to check.
4. Preserve log will keep all the redirections, and you can then inspect what the website is up to.
There are more tools, which help you debug traffic outside browser like https://mitmproxy.org, Wireshark etc, but I think Inspect Element should be enough to help you reproduce the scenarios mentioned in the article.
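The Inspector walk-through above finds the redirections and third-party requests by hand; as an added example (not from this thread, the article or Emirates), the Python script below does the same check over a constructed HAR-style request log, flagging booking parameters that reach third-party hosts either inside a beacon's own query string or through the Referer header. The host names (analytics.example, heatmap.example), the parameter names (pnr, lastname, ...) and the sample values are assumptions.

```python
"""Flag booking data leaking to third-party hosts in a captured request log.

Added example for this thread, not code from the article or from Emirates. Input
is HAR-style records (request URL plus Referer header) like those the Inspector's
network tab shows; hosts, parameter names and values below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Hosts the passenger intended to talk to; everything else is third party.
FIRST_PARTY = ("emirates.com", "ek.aero")
# Query parameters that identify a passenger or booking (constructed names).
SENSITIVE_PARAMS = {"pnr", "lastname", "email", "passport"}


def is_first_party(host):
    """True for a first-party host or any of its subdomains."""
    return any(host == fp or host.endswith("." + fp) for fp in FIRST_PARTY)


def sensitive_values(url):
    """Map each sensitive query parameter in url to its first value."""
    query = parse_qs(urlsplit(url).query)
    return {k.lower(): v[0] for k, v in query.items()
            if k.lower() in SENSITIVE_PARAMS and v}


def find_leaks(entries):
    """Return (third_party_host, channel, param, value) for every leak.

    'query' = the beacon's own URL carries the value (named param, or inside the
    page-URL param analytics beacons send); 'referer' = via the Referer header.
    """
    findings = []
    for entry in entries:
        url = entry["url"]
        host = (urlsplit(url).hostname or "").lower()
        if is_first_party(host):
            continue
        for name, values in parse_qs(urlsplit(url).query).items():
            for value in values:
                if name.lower() in SENSITIVE_PARAMS:
                    findings.append((host, "query", name.lower(), value))
                elif value.startswith(("http://", "https://")):
                    for k, v in sensitive_values(value).items():
                        findings.append((host, "query", k, v))
        # A first-party Referrer-Policy such as strict-origin-when-cross-origin
        # closes the Referer channel, but not the beacon's own query string.
        for k, v in sensitive_values(entry.get("referer", "")).items():
            findings.append((host, "referer", k, v))
    return findings


# Constructed capture: the passenger follows a "manage booking" link from a
# confirmation e-mail; the page then loads a script and fires two beacons.
BOOKING_PAGE = "https://www.emirates.com/manage-booking?pnr=ABC123&lastname=Doe"
SAMPLE_ENTRIES = [
    {"url": "https://analytics.example/collect?v=1&dl=https%3A%2F%2Fwww.emirates.com"
            "%2Fmanage-booking%3Fpnr%3DABC123%26lastname%3DDoe", "referer": BOOKING_PAGE},
    {"url": "https://cdn.ek.aero/app.js", "referer": BOOKING_PAGE},
    {"url": "https://heatmap.example/track?e=click", "referer": BOOKING_PAGE},
]

if __name__ == "__main__":
    for host, channel, param, value in find_leaks(SAMPLE_ENTRIES):
        print(f"{host}: {param}={value!r} via {channel}")
```

Exporting the Inspector's network log as HAR and mapping each entry's `request.url` and `Referer` header onto the `url`/`referer` keys is all that is needed to run it over a real capture.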
The entire airline industry runs on software that is about 25-30 years behind the state of the art.
- March 6th, 2018:
Emirates responded with a standard statement.
Excerpt: “The depiction in Mr Modi’s article as to what data is being shared, or customer choice in ‘opting out’ is inaccurate.”
Here is my response: https://news.ycombinator.com/item?id=16532591
Still, god bless Emirates. Hands down, best airline.