Emirates dinged for slipshod online data privacy practices

International airline Emirates leaks customers' sensitive personal information to third-party marketing partners and network adversaries, according to Konark Modi, a data security engineer for Cliqz, a privacy-focused browser based on Firefox.

Modi, in an online post on Friday, said that after a customer books a flight through Emirates, the process of managing the reservation shares personally identifiable information with over a dozen third-party trackers, including Boxever, Coremetrics, Crazy Egg, Facebook, and Google.

The data includes: customer name, customer email, itinerary, phone number, passport number and details, and brings with it the ability to edit this information.

The Emirates privacy policy makes clear some data sharing may occur. But the policy language stops short of declaring a wholesale customer data giveaway or granting the ability to alter reservations.

Modi said his argument is not against using third-party trackers. "The concern lies when such services are implemented across all pages of the website, without distinguishing between what is private data and what is not," he said, noting that not all such services should have access to the full spectrum of customer data.

The reservation confirmation email, when clicked, Modi explains, takes the user to Emirates website, which is festooned with trackers – code that captures data on behalf of a marketing partner.

And because the initial link relies on the insecure HTTP protocol, related data is potentially accessible to a network-based man-in-the-middle attack.

In an email to The Register, Modi described several scenarios by which such information could be abused:

This are, however, theoretical concerns; there's no indication that this data is presently being abused.

Modi says he identified the issue and raised it with Emirates via social media back in October 2017. At the time, he maintains, the web app passed personal information through hidden form fields that were nonetheless accessible as plain text.

The web app received a subsequent revision that eliminated the problem, but the Emirates mobile app, he insists, now exhibits the same issue.

"For Emirates, yes the issue still persists," he confirmed to The Register.

Modi contends that other airlines like KLM and Lufthansa exhibit similarly lackluster data security practices, or at least did so when he checked last October. He says that the problem isn't so much the usage of third-party services as how these services are implemented.

Trackers like Facebook and Google Analytics allow companies to track individuals across the internet and potentially to de-anonymize them, said Modi.

"The key point here is the user never signed for this, all s/he did was surf the internet," he explained.

Modi would like to see Emirates limit the use of third-party tracking code that puts privacy data at risk.

"Emirates has the control of their website and what the website shares with third party services," he says. "It is this control that needs to be exercised to limit the leakage of user information."

Emirates did not immediately respond to a request for comment. ®