[liberationtech] Buffoons stepping all over my privacy with muddy boots

The Dod unclezzzen at gmail.com
Sat Mar 3 03:39:49 PST 2012


On 03/03/2012 12:24 AM, John Graham-Cumming wrote:
> Given that the company in question is Amadeus and Amadeus is one of 
> the major reservation systems used by airlines I'd hazard to guess 
> that no 'sharing' of data happened here. I'd wager that the airline in 
> question uses Amadeus for its reservations and *all* they've done is 
> send you to a site that Amadeus runs so people can see their 
> reservations.
>
> John.
> --
> Sent from mobile device. Please excuse brevity and strange typos.
>

I resent the word "*all*". *What* they've done was illegal and 
*practically* dangerous to me.
Let's assume they do nothing else "behind the scenes" (and why should I 
assume that? They've already done enough, and their so-called "privacy 
policy" allows them to do practically anything). The situation *at the 
moment* is unbearable (even without script kiddies going fishing there 
in the shallow-entropy side of the pool).

A simple demonstration: 
https://twitter.com/SergiooPiza24/status/175635157720641536
Feel free to call Sergio in Bogota and tell him checkmytrip rats on him. 
You have the number there :)



> On 2 Mar 2012, at 16:45, Renee Lloyd <reneelloyd at me.com> wrote:
>
>> So I read your post and thought this is pretty crummy.   While we all 
>> "know" that data is shared this scenario highlights the "OMG, they 
>> did what?" really well.   It is particularly cloying because you did 
>> not even sign up for this service; the airline signed you up.  The 
>> airline who, in the context of booking a flight, needs the personal 
>> data that you shared.  But taking that information and sharing it 
>> with this company seemingly unrestricted without your notice and 
>> consent is stunning.
>>
>> To be honest, after reading what you wrote, I thought, for sure they 
>> would have some type of, "opt out and delete" function or procedure 
>> in their TOS or Privacy Policy.   I, perhaps foolishly, thought that 
>> they would also have a more limited use on information furnished by 
>> third parties or partners (airline).   Curiosity got the better of me 
>> and I actually looked at the site.  They don't have a TOS but a 
>> fairly elaborate privacy policy and their policy says that they use 
>> the data:
>>
>> /"Personal data will be processed in accordance with applicable local 
>> law and regulations regarding data privacy. *Personal data will be 
>> processed, stored and disclosed only for business purposes as 
>> described below*. We may use your data for the following purposes: - 
>> *to provide you with the highest possible level of service and to 
>> help you to obtain the best service from our website*; - for other 
>> administrative purposes and for internal analysis; and - to 
>> participate as part of a survey or to get feedback. Non-personal data 
>> may be used to compile and analyze travel trends and/or other 
>> demographic information."/
>>
>> They can process, store and *disclose* personal data for business 
>> purposes which includes just about anything (note how they insert 
>> 'only' before "business purpose" to give the illusion that this is 
>> some limited right).   In addition "purpose as described below" is 
>> not exclusive but rather reflective of some of the activities that 
>> would be considered use, disclosure, process for a business purpose. 
>> In any event, the "purpose" is broad enough to do just about 
>> anything so there is little comfort that the policy will establish 
>> clear limits on what they do.   While I don't labor under a delusion 
>> that these policies are designed in any way to protect the individual 
>> whose information collection, use etc they control, I DO take issue 
>> with the sneaky drafting.  For example, as pointed out above, in the 
>> "how we use your data section"  it reads, "Personal data will be 
>> processed, stored *and disclosed* only for business purposes" but 
>> in the section labeled "To whom may your data be disclosed?"   the 
>> policy reads as follows:
>>
>> / "If you are a travel and tourism customer, we will disclose your 
>> data to our partners for fulfillment of your booking request or other 
>> booking related requests. We will not disclose your data to any third 
>> parties except where necessary for the purposes of fulfilling any 
>> bookings, booking related requests, credit checks or fraud 
>> prevention, *or as otherwise described in this statement.* We may 
>> disclose your information if required by any applicable law, 
>> subpoena, or regulation. We may also disclose your data to third 
>> parties and professional advisors acting on our behalf who are 
>> obliged to keep that data confidential."/
>>
>> Something like this, to me is like a marketing document, they will be 
>> somewhat specific about the sharing that "seems reasonable"  or 
>> better yet does not immediately raise a red flag (it may be  logical 
>> to share information for booking purposes) and rather than call out 
>> the *"red flag raising"* sharing of data (the stuff we actually care 
>> about) which legally they are required to disclose (in some form) 
>> they include the "*or as otherwise described in this statement*" 
>> which technically complies.
>>
>> As I write this I am thinking "this is madness"  you arrange a flight 
>> and the digital terms and policies of the airline and companies like 
>> this site seamlessly allow your information to be shared  which 
>> certainly benefits the airline and the site.  It may benefit you, if 
>> you were given the opportunity to understand and consent, but that is 
>> not how these things are designed.   Based on what I learned, there 
>> are a lot of concerns with their policy, at a minimum their 
>> collection, use, distribution, disclosure of 
>> *non-volunteered* information is outrageous.  The  site also directs 
>> individuals with concerns or questions about the privacy policy to 
>> send an email to: dataprotection at amadeus.com.     I intend to send an e-mail 
>> and hope others do as well.
>>
>>
>>
>>
>>
>> On 2012-03-02, at 9:43 AM, The Dod wrote:
>>
>>> I've just changed the date of a flight, and got an email from the 
>>> airline that also gave a link to my flight details at a site called 
>>> checkmytrip.com
>>> It's SSL, but that's where the cargo cult ends.
>>> This url doesn't seem to contain anything with entropy, and leads to 
>>> a page showing flight details, weather, and... my name, email 
>>> address and 2 phone numbers.
>>> OK. The airline leaked this to someone without my consent, and even if 
>>> they have a privacy policy, too late for me to read it.
>>> But it gets better.
>>> They have a "share this" option. Mail/twitter/facebook. I tried mail 
>>> from/to trash mailboxes, and I get the exact same url I got.
>>> ZOMG. I could have twoten my identity all over the galaxy if I was a 
>>> wee bit less concentrated.
>>>
>>> What's the procedure in such cases? How do I make this info 
>>> disappear from that site without too much pain for me? Assuming they 
>>> do that, how big is the threat of this info leaking to whoever 
>>> checkmytrip are wheeling and dealing with?
>>> I mean, do I need to change my name and phone numbers? :)
>>> _______________________________________________
>>> liberationtech mailing list
>>> liberationtech at lists.stanford.edu 
>>> <mailto:liberationtech at lists.stanford.edu>
>>>
>>> Should you need to change your subscription options, please go to:
>>>
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>
>>> If you would like to receive a daily digest, click "yes" (once you 
>>> click above) next to "would you like to receive list mail batched in 
>>> a daily digest?"
>>>
>>> You will need the user name and password you receive from the list 
>>> moderator in monthly reminders.
>>>
>>> Should you need immediate assistance, please contact the list moderator.
>>>
>>> Please don't forget to follow us on 
>>> http://twitter.com/#!/Liberationtech 
>>> <http://twitter.com/#%21/Liberationtech>
