Emirates dinged for slipshod online data privacy practices

Fly the insecure skies

By Thomas Claburn in San Francisco


Updated International airline Emirates leaks customers' sensitive personal information to third-party marketing partners and network adversaries, according to Konark Modi, a data security engineer for Cliqz, a privacy-focused browser based on Firefox.

Modi, in an online post on Friday, said that after a customer books a flight through Emirates, the process of managing the reservation shares personally identifiable information with over a dozen third-party trackers, including Boxever, Coremetrics, Crazy Egg, Facebook, and Google.

The data includes: customer name, customer email, itinerary, phone number, passport number and details, and brings with it the ability to edit this information.

The Emirates privacy policy makes clear some data sharing may occur. But the policy language stops short of declaring a wholesale customer data giveaway or granting the ability to alter reservations.

Emirates and Turkish Airlines lift laptop ban on US-bound flights


Modi said his argument is not against using third-party trackers. "The concern lies when such services are implemented across all pages of the website, without distinguishing between what is private data and what is not," he said, noting that not all such services should have access to the full spectrum of customer data.

The reservation confirmation email, when clicked, Modi explains, takes the user to Emirates website, which is festooned with trackers – code that captures data on behalf of a marketing partner.

And because the initial link relies on the insecure HTTP protocol, related data is potentially accessible to a network-based man-in-the-middle attack.

In an email to The Register, Modi described several scenarios by which such information could be abused:

These are, however, theoretical concerns; there's no indication that this data is presently being abused.

Modi says he identified the issue and raised it with Emirates via social media back in October 2017. At the time, he maintains, the web app passed personal information through hidden form fields that were nonetheless accessible as plain text.

The web app received a subsequent revision that eliminated the problem, but the Emirates mobile app, he insists, now exhibits the same issue.

"For Emirates, yes the issue still persists," he confirmed to The Register.

Modi contends that other airlines like KLM and Lufthansa exhibit similarly lackluster data security practices, or at least did so when he checked last October. He says that the problem isn't so much the usage of third-party services as how these services are implemented.

Trackers like Facebook and Google Analytics allow companies to track individuals across the internet and potentially to de-anonymize them, said Modi.

"The key point here is the user never signed for this, all s/he did was surf the internet," he explained.

Modi would like to see Emirates limit the use of third-party tracking code that puts privacy data at risk.

"Emirates has the control of their website and what the website shares with third party services," he says. "It is this control that needs to be exercised to limit the leakage of user information."

Emirates did not immediately respond to a request for comment. ®

Updated to add

Emirates have sent in the following statement:

We are aware of the article posted by Mr Konark Modi on 2 March 2018. We take all claims of security or privacy breaches seriously and have conducted a thorough review of our sites and systems. We can confirm that none of the security vulnerabilities highlighted in Mr Modi’s article will allow a breach (unauthorized access) of personal data on our website or mobile app.

Whilst we do use a number of third party analytical tools on our sites for the purpose of improving the online browsing experience, we continually review how these are implemented. The depiction in Mr Modi’s article as to what data is being shared, or customer choice in ‘opting out’ is inaccurate. We are committed to protecting the privacy of our customer’s personal data. Customers can find out more about how we use personal data and how they can opt out by reading our privacy policy on

In response to the statement issued by Emirates, Modi said, “This statement is not just vague but is also factually incorrect.”

He elaborated on his objections in a follow-up post

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Er, we have 670 staff to feed now: UK's ICO fines 100 firms that failed to pay data protection fee

Enforcing GDPR is expensive work, says watchdog

Campaigners call for immigration exemption in UK's Data Protection Act to be scrapped

Judicial review into law launched

Cambridge Analytica seeks data protection assistant

Jobseeker? You may have heard of it...

Reel talk: You know what's safely offline? Tape. Data protection outfit Veeam inks deal with Quantum

Magnetic strips barrier to ransomware, burble box-flingers

US tech circles wagons as India reviews data protection proposals

Ex-Cisco CEO-chaired lobby leading the charge

IT management software crowd Kaseya buys cloudy data protection crew Spanning

Private equity holdings shuffle

Why, hello Rubrik's Trello: Data protection biz leaves productivity tool open to world+dog

Anyone with URL could see lists of case study projects

Uber hack: EU data protection bods launch taskforce

Justice commissioner slams biz for 'irresponsible' behaviour's Brexiteers warned not to push for divergence on data protection laws

As PM lacks specifics on UK’s desired ‘adequacy-plus’ deal

Big tech wants the ICO on EU data protection board in Brexit fallout

Watchdog keeping voting rights 'huge gain' for marketing sector, say Facebook, Google et al