The Practical Nomad

Subscribe to my free travel newsletter

Your e-mail address:

I will never rent or share your address. (More info)

Prev | Next | Index of Articles | Practical Nomad Home Page


Who's watching you while you travel?

by Edward Hasbrouck, author of "The Practical Nomad"

This week [18 April 2002] CBS-TV started advertising for contestants on the next season of the reality-TV travel show, The Amazing Race. You, too, can apply for a chance to chase a million dollars in a race around the world -- if you are willing to sacrifice your privacy and have every minute of your travels (except when you're in your bedroom) captured on film for broadcast to a TV audience of tens of millions.

Whether or not you are willing to give up your privacy for a chance to appear on television, at least the cast of "The Amazing Race" are aware of the cameras and the choice they've made. Unfortunately, a great deal of information about ordinary travelers is available on the Web, without those travelers being aware of what is happening or having agreed to permit public disclosure of their itineraries.

Travel data is, when you think about it, extraordinarily intimate and vulnerable to abuse -- if disclosed without your consent. Your reservations show not just where you went, when, and with whom, but behind the closed doors of your room, whether you asked for one bed or two. You can buy condoms for cash, anonymously, but you can't get on a plane in the USA (or most other countries) without having a reservation in a computerized database, which the airline is required to turn over to the government when you check in, with a name that matches your government- issued photo ID.

I've been talking and writing about travel data privacy issues in general, and the Web sites that give public access to travel itineraries in particular, for several years: in The Practical Nomad Guide to the Online Travel Marketplace, on my Web site, and in talks at industry conferences attended by representatives of the four big computerized reservations systems (CRS's) that run these sites.

Last week Sabre -- the CRS that operates the most widely used of these Web sites, with information on the majority of all airline reservations made in the USA -- responded to my long-standing criticisms with changes to their site to better secure travelers' private information.

These changes are far too little, too late. The revised system is still far from secure. But it's a step in the right direction, and a significant step beyond Sabre's competitors who continue completely to ignore the vulnerability of their Web sites, and the information they have about travelers' itineraries, to Internet stalkers, voyeurs, and snoops.

What are these Web sites I'm talking about, and what do they do? What is it that Sabre has changed? And what is it that still needs to be done to keep travelers' private information really private?

Essentially all travel agencies, online or offline, use one of the big four computerized reservations systems or CRS's (Sabre, Galileo/Apollo, Amadeus, or Worldspan). The CRS's connect travel agents to airlines and other suppliers of travel services (hotels, car rental companies, etc.) and suppliers to each other, as well as storing the actual databases of reservations. As the oligopolistic repositories of data from many sources about travelers, the CRS's have the same central role and importance for travel data -- and data privacy protection -- that credit bureaus have for financial data.

Although the CRS's are independent of, and long predate, the Internet, each of the big four CRS's has set up a Web site that serves as an (insecure) gateway from the Internet to their database of travel records, permitting anyone who knows a traveler's last name (surname) and "record locator", or a customized URL (Web address) for a specific reservation, to view all the details of your itinerary.

The first and best-known of these services is Sabre's VirtuallyThere.com. The other CRS's lesser-known and more recent copycat Web site are ViewTrip.com (Galileo/Apollo), CheckMyTrip.com (Amadeus), and MyTripAndMore.com (Worldspan).

For example, reservations made through Orbitz.com and Expedia.com, which use the Worldspan CRS, are visible at MyTripAndMore.com. Reservations made through Travelocity.com, the online travel agency that's a division of Sabre and of course uses Sabre to store its PNR's, are visible at VirtuallyThere.com. And so on and so forth, for offline and online travel agencies alike. Most airlines don't host their own reservation databases, so many reservations are also viewable through the PNR access Web site of whichever CRS that airline uses. (If you make a reservation through a travel agency that uses one CRS, for travel on an airline that hosts its database in a different CRS, PNR's are created in both CRS's. And your reservations could be viewable through the PNR access Web sites of both CRS's.)

The problem is that the "record locator" is used as, in effect, a "password" for access to personal travel data. But it's too short (only six characters, which makes it easy for "shoulder surfers" to memorize at a glance), it's not user selectable or changeable, it's printed on every itinerary and most tickets (frequently in plain view in check-in lines, and sometimes visible through window envelopes), and it's displayed on every screen on the CRS's Web site. Worse, travelers are never told that you need to hide and safeguard your "record locator" as though it were a password.

I'm hanging out with some of the world's leading electronic data security and privacy experts this week at the annual Computers, Freedom, and Privacy conference. But one doesn't need to be an expert to tell that using the reservation "record locator" as a password violates even the most basic and minimal security norms.

One of the changes Sabre has made to address my criticisms is to require visitors to the VirtuallyThere.com Web site to provide your e-mail address, as well as your last name and record locator, before they can see your reservations.

But your e-mail address -- even a "pseudo e-mail address" that you might make up -- still isn't really anything like a secure password. Sabre claims in its privacy policy, "Sabre uses highly sophisticated technology to ensure your data is completely protected and secure. In addition, we have established complex physical, electronic and managerial procedures to safeguard your privacy." No one could sincerely describe the "security" of VirtuallyThere.com, even with last weeks' changes, in these terms. [Update: That sentence was removed from Sabre's privacy policy after this article first appeared -- Sabre no longer even claims to keep personal data secure!]

(Anyone can still view your information just by entering a special URL, which they might get without your permission from, for example, the "recently visited pages" list of a Web browser in a cybercafe where you'd gone to check your itinerary. If they have the URL, they don't need your name, record locator, e-mail address, or any other information to see your reservations.)

Sabre's other response to my criticisms is more significant, though still not sufficient: reservation records in which no e-mail address has been entered will no longer be viewable by anyone through VirtuallyThere.com. That means that, for the first time since all the major CRS's set up their itinerary viewing Web sites, it will be possible -- if you are careful -- to make travel reservations without having them available on the Internet to any casual snoop. It's not a real "opt-in" system, since a travel agency or airline might enter an e-mail address in your reservation without your knowledge, but it goes a long way in the right direction.

If you don't want your reservations publicly viewable, make them with an airline or through a travel agency that uses Sabre, not one of the other CRS's, and make sure that they leave the "PE" ("passenger e-mail") field blank. To its credit, Sabre has done the right thing with its own online travel agency subsidiary, Travelocity.com: the PE field in Travelocity.com reservations will be left blank (although an airline could still fill it in), and by default those reservations won't be publicly viewable on VirtuallyThere.com.

[Update: In late August 2003, I discovered that Sabre applied these changes only for access to reservations created by travel agencies that use Sabre. For reasons they haven't yet explained -- and that I can't fathom -- Sabre still offers airlines "hosted" by Sabre the option to grant access to their reservations without any semblance of a password. All reservations made directly with airlines that outsource hosting of their reservation database to Sabre, and Gulf Air and many others overseas as well as airlines in the USA -- may still be viewable by anyone who knows your name and the Sabre record locator printed on all those airlines' tickets, itineraries, and boarding passes. Since the other CRS's that host other airlines' databases don't require a password either, that means regardless of which airline you fly on, you need to safeguard, or shred, your tickets, itineraries, and boarding passes: anyone who picks up a discarded boarding pass can use it, through the CRS Web site, to view all your reservations for the rest of your trip. American Airlines, the largest airline hosted in Sabre, doesn't make its reservations available through VirtuallyThere.com. But all American Airlines reservations, regardless of how they were made, can be viewed on the airline's own AA.com Web site with just a name and the AA record locator, with no need for a password. Airlines' Web check-in forms invariably require only a surname and record locator, and typically display not merely the flight that day or the next for which you are checking in, but your entire itinerary.]

As I wrote in The Practical Nomad Guide to the Online Travel Marketplace, "Privacy is the Achilles heel of Internet travel planning." CRS's are central to that travel privacy problem. And not just for Internet travel planning: storefront offline travel agencies are equally dependent on the CRS's to connect them to suppliers of travel services, store their databases of reservations, and protect their customers' privacy. If the CRS's get privacy wrong -- as they have -- it makes it impossible for anyone in the travel industry, especially any travel agency, to get it right.

The problems with CRS itinerary viewing Web sites are just the tip of the iceberg of travel data privacy problems, both with travel companies and government agencies. But because of their pervasiveness and vulnerability to abuse, these Web sites, governments' focus on access to PNR's obtained through CRS's and other intermediaries as the core of travel surveillance and control schemes such as Secure Flight, and the failure of travel companies to comply with privacy laws in places like Canada and the European Union (where, unlike in the USA, there are decent privacy laws), are some of the best places for privacy-conscious travelers to start demanding changes.

The CRS Web sites that give access to PNR and personal profile data -- without any password and without any logging of such access -- make no distinction between data collected in the USA and data collected in Canada, the European Union, or elsewhere in the world. While there is no privacy law in the USA applicable to travel data, the inclusion of data collected in Canada and the EU in these insecure and unlogged access systems is a flagrant violation of Canadian and EU privacy law and the EU Code of Conduct for Computerized Reservation Systems. People who provided data to airlines or travel companies in Canada or the EU -- including to offices in Canada or the EU of US-based airlines -- and find that it is available through these insecure Web sites should complain to your national privacy or data protection authorities.

A few weeks ago, when Sabre vice president and privacy director Dave Houck called to advise me of the changes Sabre has since implemented in VirtuallyThere.com, he told me, "We're quite proud of where we are [on privacy], but we're not totally there." I think he's right, at least compared to the other CRS's, on both counts. Qualified kudos to him and fellow Sabre vice president Ellen Keszler, with hopes that they take seriously their recognition that they "aren't there yet" when it comes to protecting travelers' privacy. Sacks of coal for Christmas to their competitors who have yet to do anything about the gaping security and privacy vulnerabilities of their itinerary viewing Web sites.

Stay tuned -- I'll keep you posted.

[18 April 2002]

[More on Whats's in a PNR? and How to request your own travel records.]

[Disclosure: I am a paid affiliate of Airtreks.com, which subscribes to the Amadeus, Sabre, and Galileo CRS's.]


Prev | Next | Index of Articles | Practical Nomad Home Page


Subscribe to the Practical Nomad's free travel newsletter:

E-mail address: (AOL users click here)

Copyright © 1991-2011 Edward Hasbrouck, except as noted. Use of any information obtained from this site for the purpose of sending unsolicited bulk e-mail is expressly forbidden, and is a violation of your license to use this copyrighted material.


Around-the-world and multi-stop airline tickets from Airtreks.com around-the-world and multi-stop airline tickets from Airtreks.com

Search for Airfare on all these sites