Like many of us, Modi was simply booking some plane tickets for his family on the Emirates website when he noticed a few things that his inner internet privacy advocate found alarming. Specifically, “when you book your flight through Emirates, Domestic or International, there are approximately 300 data points related to your booking,” he writes in a March 2 Medium post. This data is compiled for the customer on a personalized “Manage Preferences” page that they receive in an email once they book a flight.
Yet Modi found that the URL of that page, and the data points it contained, were also being shared with “approximately 14 different third-party trackers like Crazy Egg, Boxever, Coremetrics, Google, and Facebook among others.”
At first blush, this sort of behavior is a sad and obnoxious reality that those of us on the web deal with every day: personal data shared with third-party trackers. What made matters worse is that the URL included in Modi’s email used the HTTP protocol (that is, it began with “http://”), which is unencrypted, unlike HTTPS, and so can expose supposedly “private” webpages to hackers and other adversaries who are able to observe the traffic.
As Modi points out, this isn’t just obnoxious: it’s downright dangerous. “Anyone who has access to these links can not only read but also edit the information that I as a user can,” he writes. That includes changing or canceling the flight, checking out your passport information, changing your seat or meal preference and more.
Modi, who notes that there is no evidence that any of this data has been abused, shared his findings with the airline in October 2017, both through a Twitter DM conversation with the company’s social media team, and through an email to the app’s product manager, but was met, he says, “with a deafening silence.”
Emirates’ web app has been improved somewhat since he first discovered this flaw, according to Modi, but as of Friday the mobile app still reveals what should be private data.
While Modi only focused on Emirates, he suggests checking out WhoTracksMe to see if your favorite website uses trackers—and to be alert for websites that only use HTTP. “This issue is not only limited to Emirates, a lot of airlines like Lufthansa, KLM (last checked on October 2017) suffer from the same issues,” he writes. Unfortunately, there isn’t much that consumers can do about leaky websites save for pressuring the companies to improve online security, and using web privacy apps like uBlock Origin, Privacy Badger, or Ghostery. (Modi himself is an engineer for Cliqz, a privacy-focused browser for Firefox.)
It’s almost enough to make you long for the days of real life travel agents … almost.