Emirates dinged for slipshod online data privacy practices

Fly the insecure skies

By Thomas Claburn in San Francisco

Posted in Security, 5th March 2018 20:59 GMT

Updated International airline Emirates leaks customers' sensitive personal information to third-party marketing partners and network adversaries, according to Konark Modi, a data security engineer for Cliqz, a privacy-focused browser based on Firefox.

Modi, in an online post on Friday, said that after a customer books a flight through Emirates, the process of managing the reservation shares personally identifiable information with over a dozen third-party trackers, including Boxever, Coremetrics, Crazy Egg, Facebook, and Google.

The data includes: customer name, customer email, itinerary, phone number, passport number and details, and brings with it the ability to edit this information.

The Emirates privacy policy makes clear some data sharing may occur. But the policy language stops short of declaring a wholesale customer data giveaway or granting the ability to alter reservations.

Emirates and Turkish Airlines lift laptop ban on US-bound flights

READ MORE

Modi said his argument is not against using third-party trackers. "The concern lies when such services are implemented across all pages of the website, without distinguishing between what is private data and what is not," he said, noting that not all such services should have access to the full spectrum of customer data.

The reservation confirmation email, when clicked, Modi explains, takes the user to Emirates website, which is festooned with trackers – code that captures data on behalf of a marketing partner.

And because the initial link relies on the insecure HTTP protocol, related data is potentially accessible to a network-based man-in-the-middle attack.

In an email to The Register, Modi described several scenarios by which such information could be abused:

These are, however, theoretical concerns; there's no indication that this data is presently being abused.

Modi says he identified the issue and raised it with Emirates via social media back in October 2017. At the time, he maintains, the web app passed personal information through hidden form fields that were nonetheless accessible as plain text.

The web app received a subsequent revision that eliminated the problem, but the Emirates mobile app, he insists, now exhibits the same issue.

"For Emirates, yes the issue still persists," he confirmed to The Register.

Modi contends that other airlines like KLM and Lufthansa exhibit similarly lackluster data security practices, or at least did so when he checked last October. He says that the problem isn't so much the usage of third-party services as how these services are implemented.

Trackers like Facebook and Google Analytics allow companies to track individuals across the internet and potentially to de-anonymize them, said Modi.

"The key point here is the user never signed for this, all s/he did was surf the internet," he explained.

Modi would like to see Emirates limit the use of third-party tracking code that puts privacy data at risk.

"Emirates has the control of their website and what the website shares with third party services," he says. "It is this control that needs to be exercised to limit the leakage of user information."

Emirates did not immediately respond to a request for comment. ®

Updated to add

Emirates have sent in the following statement:

We are aware of the article posted by Mr Konark Modi on 2 March 2018. We take all claims of security or privacy breaches seriously and have conducted a thorough review of our sites and systems. We can confirm that none of the security vulnerabilities highlighted in Mr Modi’s article will allow a breach (unauthorized access) of personal data on our website or mobile app.

Whilst we do use a number of third party analytical tools on our sites for the purpose of improving the online browsing experience, we continually review how these are implemented. The depiction in Mr Modi’s article as to what data is being shared, or customer choice in ‘opting out’ is inaccurate. We are committed to protecting the privacy of our customer’s personal data. Customers can find out more about how we use personal data and how they can opt out by reading our privacy policy on emirates.com.

In response to the statement issued by Emirates, Modi said, “This statement is not just vague but is also factually incorrect.”

He elaborated on his objections in a follow-up post

Sign up to our NewsletterGet IT in your inbox daily

11 Comments

More from The Register

Cambridge Analytica seeks data protection assistant

Jobseeker? You may have heard of it...

UK.gov's Brexiteers warned not to push for divergence on data protection laws

As PM lacks specifics on UK’s desired ‘adequacy-plus’ deal

Uber hack: EU data protection bods launch taskforce

Justice commissioner slams biz for 'irresponsible' behaviour

Big tech wants the ICO on EU data protection board in Brexit fallout

Watchdog keeping voting rights 'huge gain' for marketing sector, say Facebook, Google et al

UK regulator moots data protection sandbox for organisations to play in

ICO strategy outlines plans to slurp up academic expertise

Austrian privacy chief handed leash to EU's data protection beast

Group warms up for greater powers once GDPR hits

Facebook smartmobe app's pre-ticked privacy settings violate German data protection law

Court favours consumer group in long-running dispute

Don't sweat Brexit, big biz told: Your shiny data protection sticker will remain intact

Survey reveals GDPR training and investment is on the rise

UK.gov told: Scrap immigration exemption from Data Protection Bill or we'll see you in court

Campaigners say proposed law would create a 'discriminatory' system for data access rights

Irish eyes are sighing: Data protection office notes olagoanin'* up 79%

Annual report reveals boost in complaints, breach notifications