This week CBS-TV started advertising for contestants on the next season of the reality-TV travel show, The Amazing Race. You, too, can apply for a chance to chase a million dollars in a race around the world — if you are willing to sacrifice your privacy and have every minute of your travels (except when you’re in your bedroom) captured on film for broadcast to a TV audience of tens of millions.
Whether or not you are willing to give up your privacy for a chance to appear on television, at least the cast of “The Amazing Race” are aware of the cameras and the choice they’ve made. Unfortunately, a great deal of information about ordinary travellers is available on the Web, without those travellers being aware of what is happening or having agreed to permit public disclosure of their itineraries.
Travel data is, when you think about it, extraordinarily intimate and vulnerable to abuse — if disclosed without your consent. Your reservations show not just where you went, when, and with whom, but behind the closed doors of your room, whether you asked for one bed or two. You can buy condoms for cash, anonymously, but you can’t get on a plane in the USA (or most other countries) without having a reservation in a computerized database, which the airline is required to turn over to the government when you check in, with a name that matches your government- issued photo ID.
I’ve been talking and writing about travel data privacy issues in general, and the Web sites that give public access to travel itineraries in particular, for several years: in The Practical Nomad Guide to the Online Travel Marketplace, on my Web site, and in talks at industry conferences attended by representatives of the four big computerized reservations systems (CRS’s) that run these sites.
Last week Sabre — the CRS that operates the most widely used of these Web sites, with information on the majority of all airline reservations made in the USA — responded to my long-standing criticisms with changes to their site to better secure travellers’ private information.
These changes are far too little, too late. The revised system is still far from secure. But it’s a step in the right direction, and a significant step beyond Sabre’s competitors who continue completely to ignore the vulnerability of their Web sites, and the information they have about travellers’ itineraries, to Internet stalkers, voyeurs, and snoops.
What are these Web sites I’m talking about, and what do they do? What is it that Sabre has changed? And what is it that still needs to be done to keep travellers’ private information really private?
Essentially all travel agencies, online or offline, use one of the big four computerized reservations systems or CRS’s (Sabre, Galileo/Apollo, Amadeus, or Worldspan). The CRS’s connect travel agents to airlines and other suppliers of travel services (hotels, car rental companies, etc.) and suppliers to each other, as well as storing the actual databases of reservations. As the oligopolistic repositories of data from many sources about travellers, the CRS’s have the same central role and importance for travel data — and data privacy protection — that credit bureaus have for financial data.
Although the CRS’s are independent of, and long predate, the Internet, each of the big four CRS’s has set up a Web site that serves as an (insecure) gateway from the Internet to their database of travel records, permitting anyone who knows a traveller’s last name (surname) and “record locator”, or a customized URL (Web address) for a specific reservation, to view all the details of your itinerary.
The first and best-known of these services is Sabre’s VirtuallyThere.com. The other CRS’s lesser-known and more recent copycat Web site are ViewTrip.com (Galileo/Apollo), CheckMyTrip.com (Amadeus), and MyTripAndMore.com (Worldspan).
For example, reservations made through Orbitz.com and Expedia.com, which use the Worldspan CRS, are visible at MyTripAndMore.com. Reservations made through Travelocity.com, the online travel agency that’s a division of Sabre and of course uses Sabre to store its PNRs, are visible at VirtuallyThere.com. And so on and so forth, for offline and online travel agencies alike. Most airlines don’t host their own reservation databases, so many reservations are also viewable through the PNR access Web site of whichever CRS that airline uses. (If you make a reservation through a travel agency that uses one CRS, for travel on an airline that hosts its database in a different CRS, PNRs are created in both CRS’s. And your reservations could be viewable through the PNR access Web sites of both CRS’s.)
The problem is that the “record locator” is used as, in effect, a “password” for access to personal travel data. But it’s too short (only six characters, which makes it easy for “shoulder surfers” to memorize at a glance), it’s not user selectable or changeable, it’s printed on every itinerary and most tickets (frequently in plain view in check-in lines, and sometimes visible through window envelopes), and it’s displayed on every screen on the CRS’s Web site. Worse, travellers are never told that you need to hide and safeguard your “record locator” as though it were a password.
I’m hanging out with some of the world’s leading electronic data security and privacy experts this week at the annual Computers, Freedom, and Privacy conference. But one doesn’t need to be an expert to tell that using the reservation “record locator” as a password violates even the most basic and minimal security norms.
One of the changes Sabre has made to address my criticisms is to require visitors to the VirtuallyThere.com Web site to provide your e-mail address, as well as your last name and record locator, before they can see your reservations.
But your e-mail address — even a “pseudo e-mail address” that you might make up — still isn’t really anything like a secure password. Sabre claims in its privacy policy, “Sabre uses highly sophisticated technology to ensure your data is completely protected and secure. In addition, we have established complex physical, electronic and managerial procedures to safeguard your privacy.” No one could sincerely describe the “security” of VirtuallyThere.com, even with last weeks’ changes, in these terms. [Update: That sentence was removed from Sabre’s privacy policy after this article first appeared — Sabre no longer even claims to keep personal data secure!]
(Anyone can still view your information just by entering a special URL, which they might get without your permission from, for example, the “recently visited pages” list of a Web browser in a cybercafe where you’d gone to check your itinerary. If they have the URL, they don’t need your name, record locator, e-mail address, or any other information to see your reservations.)
Sabre’s other response to my criticisms is more significant, though still not sufficient: reservation records in which no e-mail address has been entered will no longer be viewable by anyone through VirtuallyThere.com. That means that, for the first time since all the major CRS’s set up their itinerary viewing Web sites, it will be possible — if you are careful — to make travel reservations without having them available on the Internet to any casual snoop. It’s not a real “opt-in” system, since a travel agency or airline might enter an e-mail address in your reservation without your knowledge, but it goes a long way in the right direction.
If you don’t want your reservations publicly viewable, make them with an airline or through a travel agency that uses Sabre, not one of the other CRS’s, and make sure that they leave the “PE” (“passenger e-mail”) field blank. To its credit, Sabre has done the right thing with its own online travel agency subsidiary, Travelocity.com: the PE field in Travelocity.com reservations will be left blank (although an airline could still fill it in), and by default those reservations won’t be publicly viewable on VirtuallyThere.com.
[Update: In late August 2003, I discovered that Sabre applied these changes only for access to reservations created by travel agencies that use Sabre. For reasons they haven’t yet explained — and that I can’t fathom — Sabre still offers airlines “hosted” by Sabre the option to grant access to their reservations without any semblance of a password. All reservations made directly with airlines that outsource hosting of their reservation database to Sabre, and Gulf Air and many others overseas as well as airlines in the USA — may still be viewable by anyone who knows your name and the Sabre record locator printed on all those airlines’ tickets, itineraries, and boarding passes. Since the other CRS’s that host other airlines’ databases don’t require a password either, that means regardless of which airline you fly on, you need to safeguard, or shred, your tickets, itineraries, and boarding passes: anyone who picks up a discarded boarding pass can use it, through the CRS Web site, to view all your reservations for the rest of your trip. American Airlines, the largest airline hosted in Sabre, doesn’t make its reservations available through VirtuallyThere.com. But all American Airlines reservations, regardless of how they were made, can be viewed on the airline’s own AA.com Web site with just a name and the AA record locator, with no need for a password. Airlines’ Web check-in forms invariably require only a surname and record locator, and typically display not merely the flight that day or the next for which you are checking in, but your entire itinerary.]
As I wrote in The Practical Nomad Guide to the Online Travel Marketplace, “Privacy is the Achilles heel of Internet travel planning.” CRS’s are central to that travel privacy problem. And not just for Internet travel planning: storefront offline travel agencies are equally dependent on the CRS’s to connect them to suppliers of travel services, store their databases of reservations, and protect their customers’ privacy. If the CRS’s get privacy wrong — as they have — it makes it impossible for anyone in the travel industry, especially any travel agency, to get it right.
The problems with CRS itinerary viewing Web sites are just the tip of the iceberg of travel data privacy problems, both with travel companies and government agencies. But because of their pervasiveness and vulnerability to abuse, these Web sites, governments’ focus on access to PNRs obtained through CRS’s and other intermediaries as the core of travel surveillance and control schemes such as Secure Flight, and the failure of travel companies to comply with privacy laws in places like Canada and the European Union (where, unlike in the USA, there are decent privacy laws), are some of the best places for privacy-conscious travellers to start demanding changes.
The CRS Web sites that give access to PNR and personal profile data — without any password and without any logging of such access — make no distinction between data collected in the USA and data collected in Canada, the European Union, or elsewhere in the world. While there is no privacy law in the USA applicable to travel data, the inclusion of data collected in Canada and the EU in these insecure and unlogged access systems is a flagrant violation of Canadian and EU privacy law and the EU Code of Conduct for Computerized Reservation Systems. People who provided data to airlines or travel companies in Canada or the EU — including to offices in Canada or the EU of US-based airlines — and find that it is available through these insecure Web sites should complain to your national privacy or data protection authorities.
A few weeks ago, when Sabre vice president and privacy director Dave Houck called to advise me of the changes Sabre has since implemented in VirtuallyThere.com, he told me, “We’re quite proud of where we are [on privacy], but we’re not totally there.” I think he’s right, at least compared to the other CRS’s, on both counts. Qualified kudos, at least for now, to him and fellow Sabre vice president Ellen Keszler, with hopes that they take seriously their recognition that they “aren’t there yet” when it comes to protecting travellers’ privacy. Sacks of coal for Christmas to their competitors who have yet to do anything about the gaping security and privacy vulnerabilities of their itinerary viewing Web sites.
Stay tuned — I’ll keep you posted.
[Update: Sadly, since this article was first published in 2002 in my weekly column about The Amazing Race, and since the last update above, Sabre has again reverted to not even requiring an e-mail address or other pseudo-password. Complete itinerary details for many PNRs can once again be viewed on VirtuallyThere.com with only a record locator and the last name of any one of the passengers in the PNR.]
[Updates: In December 2016, white-hat hackers publicly demonstrated their ability to exploit public CRS/GDS Web gateways including the CheckMyTrip.com site operated by Amadeus. Amadeus falsely claimed that it would be working to address the vulnerabilities “revealed” by this presentation. But in fact, the vulnerability that was exploited was the same one I had discussed in the article above in 2002. At that time, I sought comment from each of the big four CRS/GDS companies, including Amadeus. Only Sabre responded to my request for comment, as discussed above. The other main points in the list the hackers gave of major vulnerabilities of CRSs and PNR data (lack of sufficiently granular access controls, lack of adequate authentication, lack of access logging) were included in, among others of my publications and public talks, my 2013 testimony as an invited expert witness before the Advisory Committee on Aviation Consumer Protection of the U.S. Department of Transportation, and my submission to the US Federal Trade Commission in 2009 which were co-signed by several consumer and privacy organizations. I don’t want to denigrate the cleverness and the contribution to public awareness and understanding of this problem made by Karsten Nohl, Nemanja Nikodijevic, and their colleagues at SRLabs. I am grateful to them for bringing more attention to this issue. But in light of the false claim made by Amadeus, I think it’s important for the record to show that this 2016 presentation “revealed” nothing that the CRS/GDS companies including Amadeus haven’t known about for many years. More: CRS/GDS companies and travellers’ privacy, 30 December 2016. The same vulnerabilities were demonstrated yet again in September 2020.]
[Disclosure: I have been a paid affiliate of Airtreks.com, which subscribed to the Amadeus, Sabre, and Galileo CRS’s.]
About | Bicycle Travel | Blog | Books | Contact | Disclosures | Events | FAQs & Explainers | Home | Mastodon | Newsletter | Privacy | Resisters.Info | Sitemap & Search | The Amazing Race | The Identity Project | Travel Privacy & Human Rights
This page published or republished here 5 October 2020; most recently modified 11 January 2024. Copyright © 1991-2024 Edward Hasbrouck, except as noted. ORCID 0000-0001-9698-7556. Mirroring, syndication, and/or archiving of this Web site for purposes of redistribution, or use of information from this site to send unsolicited bulk e-mail or any SMS messages, is prohibited.
