Airline Websites Still Put Your Privacy at Risk: An In-Depth Technical Analysis

As a full-stack developer with extensive experience in web security and data privacy, I was disturbed but not entirely surprised by the rampant issues I found in my 2018 investigation into Emirates.com and their careless exposure of sensitive customer data. From leaking passport numbers to dozens of unnecessary third-party trackers to storing critical info unencrypted, Emirates exhibited a blatant disregard for user privacy and fundamental security best practices.

Surely in the 5 years since, with the advent of new privacy laws like GDPR and a crescendo of major data breaches making headlines, Emirates and other airlines would have cleaned up their acts and implemented proper safeguards for their customers‘ intimate travel details. At least, that was my hope in revisiting this subject to see what, if any progress had been made.

Spoiler alert: not nearly enough. As I‘ll detail in this piece, while airlines may have made some superficial improvements, the core issues persist and in many ways the scale of privacy violations has only intensified. Fasten your seatbelts and return your tray tables to their upright positions as we embark on a whirlwind tour of airline privacy failures and why they should have all of us demanding change.

Emirates.com Circa 2023: Plus Ça Change

First stop, a fresh examination of Emirates.com to evaluate how they‘ve addressed the litany of issues from my initial report. Things look slightly better on the surface – connections now default to HTTPS instead of HTTP, meaning data is at least encrypted in transit. Some sensitive passenger info like passport numbers are no longer in plain text in the page source.

However, these amount to little more than band-aids over the gaping wounds in Emirates‘ data practices. The crux of the problem remains – clicking the "Manage Booking" link after logging in still sends your booking reference number and last name to a laundry list of third-party domains via URL parameters:

Emirates network requests show booking details being leaked to third parties

I counted over 20 different third-party services, from the usual suspects like Google Analytics and Facebook to more obscure ones like Boxever and Sojern, receiving this info that could be used to access, and in some cases even change, flight details and passenger information.

Troublingly, many of these third parties don‘t even use HTTPS themselves, negating the whole point of Emirates bothering with encryption:

Unencrypted HTTP request to Boxever containing Emirates booking reference

Why is our booking data being blasted to "Boxever" in the first place? They appear to be a shady data broker that has previously been fined for privacy violations. I couldn‘t find any mention of them in Emirates‘ privacy policy, so customers have no clue this company is slurping up their travel details.

Alarmingly, this pattern held true across every major airline site I tested. Sensitive booking data was being sprayed to a sprawling network of third-party domains, many with questionable privacy records, using unencrypted connections. Installing a tracker-blocking browser extension like uBlock Origin reveals the scale of this undisclosed data sharing:

American Airlines booking confirmation page loads over 60 third-party trackers

For a sense of how out of control this third-party data sharing is, a 2019 study of airline websites found:

• The average airline homepage contacts around 113 third-party domains
• Airline websites contacted 7 times more third-party domains than other travel sites like hotels and cruise lines
• 57% of these third parties are in the business of tracking and profiling users

It‘s essentially impossible for any normal user to make heads or tails of this tangled web of data sharing or give anything resembling informed consent. Airlines counting on us to just accept these flagrant intrusions into our privacy as the "price of traveling" in the digital age.

The Mobile App Menace

Shockingly, booking on an airline‘s mobile app instead of their website often yields even worse privacy outcomes. Digging into the current crop of airline apps, I consistently found sloppy handling of sensitive data that would make even the greenest software engineer wince.

Case in point, opening up "My Trips" in Delta‘s iOS app, I was greeted by the sight of my unobscured passport number and date of birth:

Delta mobile app displays sensitive passenger info in plaintext

It‘s baffling that in 2023, major corporations are still storing ultra-sensitive data like passport numbers in completely unencrypted plaintext format, trivial for any hacker or snooping employee to exploit. This was far from a one-off occurrence – a 2019 investigation of seven major airline apps found all but one stored full passport numbers either unencrypted or using easily breakable hashing.

Factor in all the third-party trackers airline apps are feeding your data to and you have the perfect storm of privacy disaster. Examining network traffic, the average airline app sends your info to 14 different third-party domains with every action, according to data from Exodus Privacy.

Real-World Risks and Lack of Accountability

"Why should I care if some obscure data company knows what flight I‘m on?", you might be wondering. The potential for abuse of our sensitive travel data is not some theoretical fear—it can have serious real-world consequences:

• In 2012, over 100 American Airlines and United accounts were hacked, letting attackers steal frequent flyer miles and book free travel in other people‘s names. The airlines refused to reveal how their systems were breached but it demonstrates how much damage can be done with just a hacked account.

• A 2020 data breach of several airlines exposed passenger names, payment card details, and even passport info, costing millions in government fines and credit monitoring for affected customers. The true costs in terms of identity theft and fraud enabled by this type of sensitive data exposure is incalculable.

• In one particularly frightening incident, a stalker obtained his victim‘s travel itinerary by searching the free text name field on the airline‘s website. He planned to assault her at her hotel but fortunately she found out in time and changed her reservations. This underscores how dangerous it is for airlines to treat our personal details so recklessly.

Creepy online ads are just the tip of the iceberg—the uncontrolled trade in our travel data also enables "data inference" where companies and governments can piece together intimate details of our lives from breadcrumb trails:

• Your frequent flights to certain political hotspots could flag you for extra screening or surveillance
• Health conditions or risky behavior could be inferred and used to deny you loans or insurance
• Details of your trips could be used by hackers to time attacks when they know your home will be empty
• Shady data brokers could build dossiers on your movements, preferences and personal associations, sold to anyone willing to pay

Despite the very real harms of playing fast and loose with user data, accountability in the airline industry is in short supply. Airlines are often able to weasel out of any real consequences for major breaches thanks to forced arbitration clauses, legal jurisdictional grey areas, and the simple fact that customers often have no choice but to fly and grudgingly accept their terrible privacy practices.

Fines and negative PR from breaches thus far have proved insufficient to force airlines to overhaul their approach to data protection. The lack of rigorous privacy and security auditing means airlines are often not even aware of all the third parties with access to their customer data or whether proper safeguards are in place. For too long, airlines have treated privacy as an afterthought rather than a core requirement to be baked in from the ground up.

Consumers are slowly waking up to the intrusiveness of online tracking but still place too much misplaced trust in airlines to protect their data. Airlines shamelessly exploit this information asymmetry, burying vague, broadly-worded privacy policies deep in their sites that give them carte blanche to collect and share your data with few limits:

"We may disclose your information…To third parties who provide services on our behalf, including marketing, IT, payments…When we believe in good faith that disclosure is needed to comply with applicable laws, to respond to a subpoena, search warrant, court order…We may share information with other companies for marketing or other purposes, including companies that may offer products or services that may interest you."
–Delta Privacy Policy

These all-encompassing policies provide virtually no limits on how your data is shared or used. Without explicitly opting out (buried in your account settings), airlines consider themselves to have free rein to use your data however they please.

Demanding Change: A Technically-Informed Path Forward

It doesn‘t have to be this way. As software engineers, we know there are clear steps airlines could take to drastically shore up their data privacy and security practices:

• Properly hash and encrypt all sensitive passenger data both in transit and at rest
• Require strong authentication tokens to retrieve booking details vs. easily guessable passenger name and record number
• Set short expiration times on booking access links and tokens to limit potential misuse
• Implement strict access controls and auditing on employee and contractor access to customer databases
• Provide transparent opt-out links and data deletion flows in line with privacy laws like GDPR and CCPA
• Regularly conduct third-party privacy audits and penetration testing to proactively identify and fix vulnerabilities
• Invest in modernizing legacy reservation systems to build in privacy and security controls by default

On the policy front, we need stronger regulations that set clear limits on the collection and sharing of travel data and impose hefty fines for non-compliance. The US FAA should expand its oversight mandate to include privacy and data security practices, conducting regular audits to keep airlines honest. Short of this, we‘ll continue to see airlines cut corners and play fast and loose with customer data in service of maximizing profits.

What You Can Do to Protect Your Data When Traveling

For the average traveler, pushing back against ingrained airline data practices can feel like an uphill battle. But there are concrete steps you can take to reduce your digital footprint and limit the exposure of your sensitive travel details:

1. Use a VPN and privacy-preserving browser like Tor when searching for flights and booking to mask your IP address and other identifiers

2. Install browser extensions like uBlock Origin, Privacy Badger, and DuckDuckGo to block invasive third-party trackers

3. Opt to book as a guest vs creating an airline account that saves all your personal details

4. Consider making reservations over the phone or in person to avoid web tracking

5. Set up a separate email address just for travel reservations to limit data leakage across accounts

6. Avoid or limit using airline mobile apps that are often even worse for data privacy

7. Initiate a data subject access request and deletion with airlines after your trip to purge your info from their systems

8. Support advocacy efforts like Travelers‘ Privacy Protection Act that would force airlines to adopt better data practices and empower individuals to control their own data

Most importantly, speak out and make clear to the airlines that you won‘t stand for lackadaisical treatment of your sensitive personal information. The more consumers demand change, the harder it will be for airlines to keep brushing these issues under the rug. If we keep holding their feet to the fire, change is possible.

I‘ll continue to press airlines to do better through my research and advocacy. Subscribe for more deep dives into the privacy risks lurking in the systems and apps we use every day. Until next time, safe travels!