[liberationtech] Buffoons stepping all over my privacy with muddy boots

Renee Lloyd reneelloyd at me.com
Fri Mar 2 08:45:18 PST 2012 

So I read your post and thought this is pretty crummy.   While we all "know" that data is shared this scenario highlights the "OMG, they did what?" really well.   It is particularly cloying because you did not even sign up for this service the airline signed you up.  The airline who, in the context of booking a flight, needs the personal data that you shared.  But taking that information and sharing it with this company seemingly unrestricted without your notice and consent is stunning.    

To be honest, after reading what you wrote, I thought, for sure they would have some type of, "opt out and delete" function or procedure in their TOS or Privacy Policy.   I, perhaps foolishly, thought that they would also have a more limited use on information furnished by third parties or partners (airline).   Curiosity got the better of me and I actually looked at the site.  They don;t have a TOS but a fairly elaborate privacy policy and their policy says that they use the data:

"Personal data will be processed in accordance with applicable local law and regulations regarding data privacy. Personal data will be processed, stored and disclosed only for business purposes as described below. We may use your data for the following purposes: - to provide you with the highest possible level of service and to help you to obtain the best service from our website; - for other administrative purposes and for internal analysis; and - to participate as part of a survey or to get feedback. Non-personal data may be used to compile and analyze travel trends and/or other demographic information."

They can process store and disclose personal data for business purposes which includes just about anything (note how they insert 'only' before "business purpose" to give the illusion that this is some limited right).   In addition "purpose as described below" is not exclusive but rather reflective of some of the activities that would be considered use, disclosure, process for a business purpose.  In any event,  the 'purpose" is broad enough to do just about anything so there is little comfort that the policy will establish clear limits on what they do.   While I don't labor under a delusion that these policies are designed in any way to protect the individual whose information collection, use etc they control, I DO take issue with the sneaky drafting.  For example, as pointed out above, in the "how we use your data section"  it reads, "Personal data will be processed stored and disclosed only for business purposes"  but in the section labeled "To whom may your data be disclosed?"   the policy reads as follows:

 "If you are a travel and tourism customer, we will disclose your data to our partners for fulfillment of your booking request or other booking related requests. We will not disclose your data to any third parties except where necessary for the purposes of fulfilling any bookings, booking related requests, credit checks or fraud prevention, or as otherwise described in this statement. We may disclose your information if required by any applicable law, subpoena, or regulation. We may also disclose your data to third parties and professional advisors acting on our behalf who are obliged to keep that data confidential."

Something like this, to me is like a marketing document, they will be somewhat specific about the sharing that 'seems reasonable"  or better yet does not immediately raise a red flag (it may be  logical to share information for booking purposes) and rather than call out the "red flag raising" sharing of data (the stuff we actually care about) which legally they are required to disclose (in some form)  they include  the "or as otherwise described in this statement" which technically complies.    

As I write this I am thinking 'this is madness"  you arrange a flight and the digital terms and policies of the airline and companies like this site seamlessly allow your information to be shared  which certainly benefits the airline and the site.  It may benefit you, if you were given the opportunity to understand and consent, but that is not how these things are designed.   Based on what I learned, there are a lot of concerns with their policy, at a minimum their collection, use, distribution, disclosure of non-volunteered information is outrageous.  The  site also directs individuals with concerns or questions about the privacy policy to send an email to:   dataprotection at amadeus.com.     I intend to send an e-mail and hope others do as well.  





On 2012-03-02, at 9:43 AM, The Dod wrote:

> I've just changed the date of a flight, and got an email from the airline that also gave a link to my flight details at a site called checkmytrip.com
> It's SSL, but that's where the cargo cult ends.
> This url doesn't seem to contain anything with entropy, and leads to a page showing flight details, weather, and... my name, email address and 2 phone numbers.
> OK. The airline leaked this someone without my consent, and even if they have a privacy policy, too late for me to read it.
> But it gets better.
> They have a "share this" option. Mail/twitter/facebook. I tried mail from/to trash mailboxes, and I get the exact same url I got.
> ZOMG. I could have twoten my identity all over the galaxy if I was a wee bit less concentrated.
> 
> What's the procedure in such cases? How do I make this info disappear from that site without too much pain for me? Assuming they do that, how big is the threat of this info leaking to whoever checkmytrip are wheeling and dealing with?
> I mean, do I need to change my name and phone numbers? :)
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
> 
> Should you need to change your subscription options, please go to:
> 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 
> If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
> 
> You will need the user name and password you receive from the list moderator in monthly reminders.
> 
> Should you need immediate assistance, please contact the list moderator.
> 
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20120302/72cdf06a/attachment.html>

More information about the liberationtech mailing list