Subscribe to my free travel newsletter!Send me an e-mail message at
and I will add you to my mailing list.
Prev | Next | Season Index | Amazing Race Home Page | Practical Nomad Home Page
This week CBS-TV started advertising for contestants on the next season of the reality-TV travel show, "The Amazing Race". You, too, can apply for a chance to chase a million dollars in a race around the world -- if you are willing to sacrifice your privacy and have every minute of your travels (except when you're in your bedroom) captured on film for broadcast to a TV audience of tens of millions.
Whether or not you are willing to give up your privacy for a chance to appear on television, at least the cast of "The Amazing Race" are aware of the cameras and the choice they've made. Unfortunately, a great deal of information about ordinary travelers is available on the Web, without those travelers being aware of what is happening or having agreed to permit public disclosure of their itineraries.
Travel data is, when you think about it, extraordinarily intimate and vulnerable to abuse -- if disclosed without your consent. Your reservations show not just where you went, when, and with whom, but behind the closed doors of your room, whether you asked for one bed or two. You can buy condoms for cash, anonymously, but you can't get on a plane in the USA (or most other countries) without having a reservation in a computerized database, which the airline is required to turn over to the government when you check in, with a name that matches your government- issued photo ID.
I've been talking and writing about travel data privacy issues in general, and the Web sites that give public access to travel itineraries in particular, for several years: in The Practical Nomad Guide to the Online Travel Marketplace, on my Web site, and in talks at industry conferences attended by representatives of the four big computerized reservations services (CRS's) that run these sites.
Last week Sabre -- the CRS that operates the most widely used of these Web sites, with information on the majority of all airline reservations made in the USA -- responded to my long-standing criticisms with changes to their site to better secure travelers' private information.
These changes are far too little, too late. The revised system is still far from secure. But it's a step in the right direction, and a significant step beyond Sabre's competitors who continue completely to ignore the vulnerability of their Web sites, and the information they have about travelers' itineraries, to Internet stalkers, voyeurs, and snoops.
What are these Web sites I'm talking about, and what do they do? What is it that Sabre has changed? And what is it that still needs to be done to keep travelers' private information really private?
Essentially all travel agencies, online or offline, use one of the big four computerized reservations systems or CRS's (Sabre, Galileo/Apollo, Amadeus, or Worldspan). The CRS's connect travel agents to airlines and other suppliers of travel services (hotels, car rental companies, etc.) and suppliers to each other, as well as storing the actual databases of reservations. As the oligopolistic repositories of data from many sources about travelers, the CRS's have the same central role and importance for travel data -- and data privacy protection -- that credit bureaus have for financial data.
Although the CRS's are independent of, and long predate, the Internet, each of the big four CRS's has set up a Web site that serves as an (insecure) gateway from the Internet to their database of travel records, permitting anyone who knows a traveler's last name (surname) and "record locator", or a customized URL (Web address) for a specific reservation, to view all the details of your itinerary.
The first and best-known of these services is Sabre's VirtuallyThere.com. The other CRS's lesser-known and more recent copycat Web site are ViewTrip.com (Galileo/Apollo), CheckMyTrip.com (Amadeus), and MyTripAndMore.com (Worldspan).
For example, reservations made through Orbitz.com and Expedia.com, which use the Worldspan CRS, are visible at MyTripAndMore.com. Reservations made through Galileo's subsidiaries, CheapTickets.com and Trip.com, as well as other agencies that use the Galileo/Apollo CRS, are visible at ViewTrip.com. Reservations made through Amadeus' online travel agency and consolidator subsidiary, Onetravel.com, and other Amadeus subscriber agencies, are visible at CheckMyTrip.com. And so on and so forth, for offline and online travel agencies alike. Most airlines don't host their own reservation databases, so many reservations are also viewable through the PNR access Web site of whichever CRS that airline uses. (If you make a reservation through a travel agency that uses one CRS, for travel on an airline that hosts its database in a different CRS, PNR's are created in both CRS's. And your reservations could be viewable through the PNR access Web sites of both CRS's.)
The problem is that the "record locator" is used as, in effect, a "password" for access to personal travel data. But it's too short (only six characters, which makes it easy for "shoulder surfers" to memorize at a glance), it's not user selectable or changeable, it's printed on every itinerary and most tickets (frequently in plain view in check-in lines, and sometimes visible through window envelopes), and it's displayed on every screen on the CRS's Web site. Worse, travelers are never told that you need to hide and safeguard your "record locator" as though it were a password.
I'm hanging out with some of the world's leading electronic data security and privacy experts this week at the annual Computers, Freedom, and Privacy conference. But one doesn't need to be an expert to tell that using the reservation "record locator" as a password violates even the most basic and minimal security norms.
One of the changes Sabre has made to address my criticisms is to require visitors to the VirtuallyThere.com Web site to provide your e-mail address, as well as your last name and record locator, before they can see your reservations.
(Anyone can still view your information just by entering a special URL, which they might get without your permission from, for example, the "recently visited pages" list of a Web browser in a cybercafe where you'd gone to check your itinerary. If they have the URL, they don't need your name, record locator, e-mail address, or any other information to see your reservations.)
Sabre's other response to my criticisms is more significant, though still not sufficient: reservation records in which no e-mail address has been entered will no longer be viewable by anyone through VirtuallyThere.com. That means that, for the first time since all the major CRS's set up their itinerary viewing Web sites, it will be possible -- if you are careful -- to make travel reservations without having them available on the Internet to any casual snoop. It's not a real "opt-in" system, since a travel agency or airline might enter an e-mail address in your reservation without your knowledge, but it goes a long way in the right direction.
If you don't want your reservations publicly viewable, make them with an airline or through a travel agency that uses Sabre, not one of the other CRS's, and make sure that they leave the "PE" ("passenger e-mail") field blank. To its credit, Sabre has done the right thing with its own online travel agency subsidiary, Travelocity.com: the PE field in Travelocity.com reservations will be left blank (although an airline could still fill it in), and by default those reservations won't be publicly viewable on VirtuallyThere.com.
[Update: In late August 2003, I discovered that Sabre applied these changes only for access to reservations created by travel agencies that use Sabre. For reasons they haven't yet explained -- and that I can't fathom -- Sabre still offers airlines "hosted" by Sabre the option to grant access to their reservations without any semblance of a password. All reservations made directly with airlines that outsource hosting of their reservation database to Sabre -- including US Airways and ATA in the USA, and Gulf Air and many others elsewhere -- may still be viewable by anyone who knows your name and the Sabre record locator printed on all those airlines' tickets, itineraries, and boarding passes. Since the other CRS's that host other airlines' databases don't require a password either, that means regardless of which airline you fly on, you need to safeguard, or shred, your tickets, itineraries, and boarding passes: anyone who picks up a discarded boarding pass can use it, through the CRS Web site, to view all your reservations for the rest of your trip. American Airlines, the largest airline hosted in Sabre, doesn't make it's reservations available through VirtuallyThere.com. But all American Airlines reservations, regardless of how they were made, can be viewed on the airline's own AA,com Web site with just ba name and the AA record locator, with no need for a password.]
As I wrote in The Practical Nomad Guide to the Online Travel Marketplace, "Privacy is the Achilles heel of Internet travel planning." CRS's are central to that travel privacy problem. And not just for Internet travel planning: storefront offline travel agencies are equally dependent on the CRS's to connect them to suppliers of travel services, store their databases of reservations, and protect their customers' privacy. If the CRS's get privacy wrong -- as they have -- it makes it impossible for anyone in the travel industry, especially any travel agency, to get it right.
The problems with CRS itinerary viewing Web sites are just the tip of the iceberg of travel data privacy problems, both with travel companies and government agencies. But because of their pervasiveness and vulnerability to abuse, these Web sites, the Computer Assisted Passenger Pre-Screening (CAPPS) system, and the failure of travel companies to comply with privacy laws in places like Canada and the European Union (where, unlike in the USA, there are decent privacy laws), are some of the best places for privacy-conscious travelers to start demanding changes.
A few weeks ago, when Sabre vice president and privacy director Dave Houck called to advise me of the changes Sabre has since implemented in VirtuallyThere.com, he told me, "We're quite proud of where we are [on privacy], but we're not totally there." I think he's right, at least compared to the other CRS's, on both counts. Qualified kudos to him and fellow Sabre vice president Ellen Keszler, with hopes that they take seriously their recognition that they "aren't there yet" when it comes to protecting travelers' privacy. Sacks of coal for Christmas to their competitors who have yet to do anything about the gaping security and privacy vulnerabilities of their itinerary viewing Web sites.
Peach and Mary were eliminated from "The Amazing Race 2" this week in Hong Kong, after all the teams were on the same flight from Bangkok, they went out of their way to find the "Fast Forward" clue -- which only one team can use -- and Dave and Gary got to it first. But the race goes on. Stay tuned -- I'll keep you posted.
[Updated version of this article with links to additional background and follow-up information.]
[Disclosure: My employer in my day job, Airtreks.com, subscribes to the Amadeus, Sabre, and Galileo CRS's.]
Prev | Next | Season Index | Amazing Race Home Page | Practical Nomad Home Page
Copyright © 1991-2017 Edward Hasbrouck, except as noted. Use of any information obtained from this site for the purpose of sending unsolicited bulk e-mail is expressly forbidden, and is a violation of your license to use this copyrighted material.