Airline websites don't care about your privacy follow-up: Emirates responds to my article with dubious arguments

Last Friday, I published an exposé on the privacy failings of airline websites, using Emirates as a case study. On Monday, The Register reported on my findings, and managed to get a response from Emirates.

As the researcher who uncovered these issues, I feel compelled to address Emirates' vague and factually flawed statement. Let's break it down point by point to see how their arguments fall apart under scrutiny.

Recap: Booking reference leaks and other issues

To quickly summarize, my investigation found several troubling vulnerabilities in how Emirates handles user data on its website and mobile app:

  • Booking reference numbers and other sensitive passenger info were being passed in plain text to various third party advertisers and analytics providers
  • These third parties have no legitimate need for this booking data to provide their services to Emirates
  • Passport details and contact info were unobfuscated, visible to any third party script running on the page
  • Emirates' own privacy policy highlights the importance of safeguarding booking references, as they can be used with just a last name to access and modify reservations

I responsibly disclosed these issues to Emirates well in advance of publishing my article. After an initial response in October 2017, follow-ups went unanswered. I found many of the problems were still present months later when I rechecked before publishing.

Emirates responds with a vague dismissal

Here is Emirates' full statement to The Register:

[Image: Emirates response statement]

Right off the bat, this reply is light on details and heavy on misdirection. Let's dive into the claims one by one.

Issue #1: "None of the vulnerabilities will allow unauthorized access"

Emirates asserts that the issues described "will [not] allow a breach (unauthorised access) of personal data on our website or mobile app." This fails to address the crux of the problem on multiple levels.

First, let's define a data breach. The Cambridge Dictionary definition is clear:

"An occasion when private information can be seen by people who should not be able to see it."

By this standard, Emirates has already suffered a breach by leaking booking references and other passenger info to unauthorized third parties. These advertisers and analytics companies should not have access to this data.

Booking reference numbers are highly sensitive, as Emirates' own privacy policy admits:

[Image: Emirates privacy policy excerpt on safeguarding booking references]

With just a booking reference and last name – no further validation required – anyone can view and modify flight reservations, including the passenger names, itineraries, and contact details.

As of March 6th, 2018, days after my article was published, booking references were still being passed to various third parties. Here's another example of Emirates inexplicably sending full, unobfuscated booking refs to Google Analytics from their mobile app:

[Image: Unobfuscated booking reference sent to Google Analytics]

To claim there is no unauthorized access when multiple companies are receiving data they should never see is absurd. This is a breach, plain and simple.

Issue #2: "We continually review third party tool implementation"

Emirates next states that "whilst we do use a number of third party analytical tools on our sites for the purpose of improving the online browsing experience, we continually review how these are implemented."

This is hard to believe, given how long some blatant issues have persisted. I originally reported the unobfuscated passport details and other personal info leaking to third parties back in October 2017. As of February 2018, the mobile app was still sending this data in plain text.

If Emirates was truly conducting thorough, regular reviews of their third party scripts, such glaring problems should have been caught and fixed long ago. The "continuous" checks they claim to perform are clearly not effective.

It's also concerning that their focus is solely on "improving the online browsing experience." The primary goal of any security and privacy audit should be to proactively identify and close vulnerabilities. User experience is important, but cannot come at the expense of properly safeguarding sensitive data.

Issue #3: An incomplete privacy policy that doesn't match reality

Finally, let's look at Emirates' privacy policy and supposed opt-out options. The company states:

"Customers can find out more about how we use personal data and how they can opt out by reading our privacy policy on emirates.com"

I dug through the full Emirates privacy policy to verify this claim. There are several glaring issues:

  1. The policy does not disclose all the third parties in use on the Emirates site and apps. I found numerous companies like Boxever, Coremetrics, and Iponweb receiving data that were not listed.

  2. The only opt-out covered is for certain advertising cookies. Options for the analytics tools like CrazyEgg and Decibel Insight, which receive booking refs, are notably absent.

  3. What few opt-outs exist are inconsistent across regions. EU residents get one set of options, US residents another, and everyone else is out of luck.

  4. Blocking cookies won't stop the data leaks, since these third party tools are deeply integrated into the Emirates site/app. The referrer is not cleaned, so booking refs still get passed around.

If a user manages to check all the right boxes to purge these trackers (and most won't, given the unclear instructions), Emirates will still happily leak their sensitive flight details thanks to the current shoddy setup. The privacy policy paints a false picture of the real data sharing practices.
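As an added illustration, not code from this article or from Emirates, the JavaScript below shows the kind of check a site owner could run against the leak described above: it detects booking references and other sensitive values in a page URL, redacts them before the URL is handed to a tag, and audits a Google Analytics hit (whose Measurement Protocol carries the page URL in `dl` and the referrer in `dr`) for the same leaks. The parameter names in SENSITIVE_PARAMS and the sample URLs are assumptions constructed for the demo.

```javascript
// Added example, not Emirates' or any vendor's code. Parameter names in
// SENSITIVE_PARAMS and the sample URLs are assumptions constructed for the demo.

// Query parameters that must never reach an analytics or ad provider.
const SENSITIVE_PARAMS = ["pnr", "bookingRef", "lastName", "passportNo"];
// Airline booking references are typically six upper-case alphanumerics.
// Heuristic only: it can also match unrelated six-character values.
const PNR_RE = /^[A-Z0-9]{6}$/;

// Return the names of query parameters in `url` that carry sensitive data,
// either by name or because the value looks like a booking reference.
function findSensitiveParams(url) {
  const u = new URL(url);
  const hits = [];
  for (const [key, value] of u.searchParams) {
    if (SENSITIVE_PARAMS.includes(key) || PNR_RE.test(value)) hits.push(key);
  }
  return hits;
}

// Return `url` with sensitive parameters replaced by a fixed placeholder.
// Call this before handing the page location or referrer to a third-party tag.
function redactUrl(url) {
  const u = new URL(url);
  for (const key of findSensitiveParams(url)) u.searchParams.set(key, "REDACTED");
  return u.toString();
}

// Audit an outgoing Google Analytics hit: the Measurement Protocol carries the
// page URL in `dl` and the referrer in `dr`. Returns, per field, the sensitive
// parameter names embedded in it, so a review can flag a leaking tag setup.
function auditAnalyticsHit(hitUrl) {
  const u = new URL(hitUrl);
  const leaks = {};
  for (const field of ["dl", "dr"]) {
    const embedded = u.searchParams.get(field);
    if (!embedded) continue;
    const found = findSensitiveParams(embedded);
    if (found.length) leaks[field] = found;
  }
  return leaks;
}

// Constructed sample: a manage-booking page URL and the GA hit a tag would send.
const PAGE_URL = "https://airline.example/manage-booking?pnr=ABC123&lastName=Smith&lang=en";
const HIT_URL = "https://www.google-analytics.com/collect?v=1&t=pageview&dl=" + encodeURIComponent(PAGE_URL);

console.log(auditAnalyticsHit(HIT_URL)); // flags pnr and lastName in dl
console.log(redactUrl(PAGE_URL));       // pnr and lastName replaced by REDACTED
```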

An urgent need for real solutions, not excuses

Emirates may not consider plugging these data leaks an urgent priority. But they cannot claim the extensively documented issues I raised are simply "not true." The evidence shows otherwise.

Vague assurances and victim-blaming won‘t cut it. Emirates, and other airlines with similar issues, need to take concrete steps to audit and overhaul how they handle user data. Anything less is a dereliction of duty to the customers who entrust them with their most sensitive personal info.

I strongly urge Emirates to:

  1. Immediately stop leaking booking refs, passport details, and other sensitive data to unauthorized third parties. Audit and cut back the sharing to only what's strictly necessary.

  2. Proactively fix these issues across all platforms: website, mobile app, and any other customer touchpoint. Ensure the teams coordinate to apply fixes consistently.

  3. Provide clear, globally accessible opt-outs for data collection in line with the coming GDPR requirements. Make it easy for any user to understand and control how their info is used.

  4. Update the public privacy policy to fully disclose all third party sharing and tracking. Be specific about what data goes where. Eliminate the regional double standards.

  5. Establish robust, ongoing processes to catch and resolve any new leaks or vulnerabilities. Make safeguarding user privacy a core priority, not an afterthought.

Conclusion

I'm disappointed that Emirates has chosen to downplay and deny these serious issues instead of forthrightly addressing them. Customers deserve better than half-measures and hand-waving.

The excuses in Emirates' statement don't stand up to scrutiny. But with enough public pressure, I believe the company will be forced to reevaluate and revamp its privacy-violating practices. We need to keep pushing for real, lasting solutions.

Other airlines should also take this as a wake-up call to proactively audit and improve their own data handling. In the coming months, I plan to expand my research to see which companies have cleaned up their act, and which are still leaving fliers exposed.

Do you have tips on other airline sites or apps mishandling customer info? Let me know. Together, we can hold the industry to a higher standard of privacy and security.
