Thursday, 25 April 2019

My testimony to the National Commission on Military Service

Flyer for hearings on Selective Service

I've been invited to testify as part of a panel of expert witnesses at a hearing on the military draft and the Selective Service System, including whether draft registration should be ended entirely or extended to women as well as men, on Thursday morning, 25 April 2019, before the National Commission on Military, National, and Public Service in Washington, DC.

These hearings are the most important public discussion of the issue of military conscription in the USA in more than 30 years. So far as I know, the last time a draft resister was invited to tell the Federal government what they thought should be done about the Selective Service System was in 1972 when David Harris was invited to testify before a Senate committee considering an amnesty for some (but not all) draft law violators, an event he described in his book, Our War.

Read on for links to my testimony and more about these hearings.

Continue reading "My testimony to the National Commission on Military Service"
Link | Posted by Edward, 25 April 2019, 06:00 ( 6:00 AM) | Comments (0) | TrackBack (0)

Sunday, 31 March 2019

WOW Air is bankrupt

Iceland-based discount airline WOW Air went bankrupt and ceased operations abruptly last Thursday. All WOW Air planes were grounded wherever they were, and even flights for which passengers were already being checked in were cancelled. Travellers have been stranded in Europe, in North America, and in Iceland.

Iceland's location along the great-circle route between Europe and North America has made it a natural connection and stopover hub for trans-Atlantic air travel. Icelandair remains in business, serving those markets. And of course there have been many successful short-haul discount airlines. But while there have also been many attempts at long-haul discount airlines, both trans-Atlantic and trans-Pacific, there have been few if any long-term standalone successes.

Having a short-hop airline go out of business is one thing. Having a transoceanic carrier go out of business in the middle of your trip, when you can't get home by train or bus or rental car, is another matter -- not to mention getting stuck on a remote island such as Iceland while changing planes, or on what was planned to be just a short stopover.

Travellers holding WOW Air tickets purchased in Europe may eventually get compensation under European airline consumer protection rules and/or government travel insurance schemes. Travellers who bought their tickets in the USA, for flights originating in the USA, may be able to recover what they paid from credit card companies, but otherwise will probably be out of luck. The USA has far weaker consumer protection rules than many other countries.

My FAQ on Airline Bankruptcies has more on what you need to know about dealing with airlines that are already operating in bankruptcy or are in danger of going bankrupt. The WOW Air debacle is a reminder that, despite reassuring rhetoric about "reorganization" not really being bankruptcy (really it is) and continuing to operate "normally" and honor tickets while bankrupt (whether that will be allowed is in the hands of the bankruptcy court, which is solely concerned with the interests of other creditors and not with those of ticket holders), you generally should not buy tickets on any airline that is, or is likely to become, bankrupt. If you do, have a Plan B and budget for what you would do if the airline shuts down at any time before or during your trip.

Link | Posted by Edward, 31 March 2019, 15:53 ( 3:53 PM) | Comments (0) | TrackBack (0)

Saturday, 30 March 2019

How writers monetize words: The marketplaces for writing in digital formats

The Internet is often depicted as a threat to traditional print publishing and traditional print publishers -- which it is. But the Internet has also created many new digital publishing and income opportunities for tech-savvy, innovative, and entrepreneurial writers, including ways to make money from business models and types of writing that would be difficult or impossible to exploit profitably in any print format.

The National Writers Union is the most diverse organization of working writers in the USA. Membership in the NWU is open to writers in all genres, media, and business models. As an elected national division chair of the NWU, and a representative of the NWU to several national and international coalitions and federations, I've seen more diversity of writers' revenue mixes than most writers themselves could imagine.

While I've been Co-Chair of the Book Division of the NWU since 2009, and have had books in print with what is now part of a major publisher for more than twenty years, I have earned my own living throughout that time primarily from writing published in digital formats as a staff writer, independent contractor, freelancer, and self-publisher of Web sites, blogs, and e-mail newsletters. Whenever I talk with an NWU chapter or other group of NWU members, I learn about more ways that writers are earning a living from writing distributed in digital formats.

But many of these revenue streams are invisible to the traditional publishing industry, technology companies, and government officials. This results in technology, business, and policy proposals that are irrelevant to writers' real working lives or, worse, that have unintended or deliberate but unnoticed adverse consequences for writers' livelihoods.

So I was pleased to be invited to give an overview on behalf of the NWU of the marketplaces for writing in digital formats at the start of a day-long conference on March 28th on Developing the Digital Marketplace for Copyrighted Works. It was the latest in a series of events on this theme -- and the first at which a writer was invited to speak -- organized by the Department of Commerce's Internet Policy Task Force and hosted by the US Patent and Trademark Office (which also has, despite its name, a division that deals with copyrights rather than patents and trademarks) at the USPTO campus in Alexandria, VA. (See the agenda with complete list of speakers.)

I hope that a better understanding of writers' diverse livelihoods will better inform business proposals, industry analysis, and policy making by the stakeholders and government officials from multiple Federal agencies who attended or watched the webcast of the meeting.

I've posted my slides below, along with the notes from my presentation. I'll add links to the video archive and transcript as soon as they are posted by the USPTO.

I look forward to continuing the discussion of how writers make our living on the Internet -- and what it means for public policy -- within the NWU, with other writers' organizations, with other business partners and service providers, and with government policy makers. Please contact me if you're interested in a discussion or in hosting an event on this topic or on related issues of how writers can earn a living in the digital age.

Link | Posted by Edward, 30 March 2019, 16:29 ( 4:29 PM) | Comments (0) | TrackBack (0)

Thursday, 21 March 2019

BBC "Race Across the World"

It's been more than a year since the final episode of Season 30 of The Amazing Race was broadcast. Season 31 was filmed months ago, but isn't scheduled to premiere until 22 May 2019.

If you are looking for a fix of travel "reality" television in the meantime, I recommend the new BBC series, Race Across the World, now in the middle of its first season on BBC Two. "Race Across the World" premiered 12 March 2019, and all four episodes to date are still available for streaming on the BBC Web site.

The BBC tries to restrict streaming to IP addresses it thinks correspond to UK locations. But I've been able to preview the first few episodes of "Race Across the World", and I give it a thumbs up. It's the best of the localized spinoffs, imitators, and rivals of "The Amazing Race" in other countries and regions, and in some ways better than the US original.

The format of "Race Across the World" appears to be mostly based on Peking Express, the long-running and widely-franchised reality travel series first produced for a Flemish TV network and most successful in its Francophone version. The racers have to find their own routes -- using only surface transportation and no flights -- and pay for their own lodging (from a limited amount of money given to each team at the start of the race, plus whatever they can earn from casual labor along the way) between checkpoints that are typically several days' journey apart. Sometimes they are on their own for a week or more at a time.

All of this makes the cast of "Race Across the World" solve more real-world travel problems than the teams on "The Amazing Race", who are typically told what means of transport to use and what route to follow.

Other elements of "Race Across the World" appear to be inspired more by "The Amazing Race" than by "Peking Express". Curiously, there's nothing in the credits to "Race Across the World" to indicate whether ideas for the series were licensed from either of these conceptual predecessors in other countries.

The producers of "The Amazing Race" have said that they conceived the show first and foremost as a "relationship show" rather than a "travel show", and "Race Across the World" seems to have started out with the same soap-opera focus. There are only five teams at the start of "Race Across the World", compared with ten to twelve on "The Amazing Race", so viewers get a more detailed sense of each of them.

The teams on "Race Across the World" can take any paid work or barter opportunities they can find, and some of them find work or charity on their own. However, each team is also given a guide to job opportunities along the routes they might follow that have been selected especially for the cast of the TV show. Some of these look more like the made-for-TV "challenges" and activities on "The Amazing Race" than like genuine jobs at ordinary local wages.

"Race Across the World" is more patronizing and Orientalist in its attitude toward local people in the places the race passes through -- at least as expressed in the voiceover narration -- than is the US version of "The Amazing Race". That's at least partially offset, however, by the advantages of the format, which makes the cast members on "Race Across the World" significantly more dependent on help from strangers they meet along the way, and allows them more opportunities for interactions with local people that aren't completely staged by the TV producers, than on "The Amazing Race" (although what you see on both of these shows is, inevitably, significantly influenced by the presence of the TV cameras and crew accompanying each pair of racers).

The stakes aren't nearly as high on "Race Across the World": only GBP20,000 (approximately USD26,000) to the team of two travellers who finish first, compared to US$1 million for the winners of each season of "The Amazing Race". Perhaps for that reason, the teams on "Race Across the World" don't seem to have done as much preparation for the show as a competition, and take at least a little more time for sightseeing along the way.

Among the avoidable mistakes made by several of the teams in the first few episodes of "Race Across the World" was arriving at borders or transfer points without having enough of the right local currency to pay onward bus, train, ferry, or taxi fares. US Dollars and Euros are the most "universal" world currencies (Euros having long since displaced British Pounds in that role), but there are many places where neither US Dollars nor Euros are accepted. While there's an ATM in the arrival area of most (not all) international airports, there's no guarantee of finding an ATM or 24/7 money changer at a land border crossing, train or bus station, or ferry port. I always try to find some fellow traveller in the waiting area or onboard who can change at least some money into the currency of my destination before I arrive.

The other mistake all but one of the teams made at the start of the "Race Across the World" was to assume that the fastest way to get from London to Delphi, Greece, without flying would be by train or by walk-on passenger ferry. As high-speed trains allow longer and longer distances to be covered within a day, most overnight trains within Europe have been discontinued. For longer distances, those travellers too poor to afford to fly mostly take cheaper long-distance buses rather than trains.

For tourists, there's an obvious drawback to travelling overnight, whether by train, bus, or ferry: You miss the scenery along the way. But if your goal is making long distances quickly and cheaply, look for the long-distance express night buses that transport workers between their jobs in Northern and Western Europe and their families and friends in Eastern and Southern Europe and the Balkans. The one team that took an overnight through bus to Germany, via the Dover-Calais night ferry, leaving after the last Eurostar (Channel Tunnel) train for the evening, got a substantial head start on the rest of the racers.

Several of the teams on the "Race Across the World" took Flixbus, which now owns the US "Megabus" brand and which markets the largest and best-known network of European long-distance buses, mainly on overnight schedules. But there were better options even than that.

Other less widely-known operators cater primarily to ethnic, immigrant, and "guest worker" niche markets. These services are largely invisible to tourists. Often they leave from immigrant and "ethnic" neighborhoods rather than from downtown terminals, and their Web sites may not be in English. Travel agencies and sometimes other shops in such neighborhoods often sell tickets on buses like this as an alternative to airline tickets. On the positive side of the ledger, travelling on a bus like this is a chance for immersion in a community that might otherwise be invisible, inaccessible, or simply overlooked by tourists.

For what it's worth, these European buses have their North American counterpart in the direct buses, little noticed by most gringos, that operate between cities in Mexico and Mexican-American communities in places in the US as far north as Chicago.

One Bulgarian company (with its timetable and online ticket sales only in Bulgarian) offers direct buses from London to Sofia, the European Union capital city furthest to the southeast. That route would have enabled the racers to get to Delphi, via Sofia and Thessaloniki, more cheaply, with fewer transfers, and more than 24 hours faster than any of them did.

If you have a chance to watch "Race Across the World", let me know in the comments what you think, and what travel lessons you learned.

Link | Posted by Edward, 21 March 2019, 16:00 ( 4:00 PM) | Comments (0) | TrackBack (0)

Thursday, 14 March 2019

What's wrong with automated facial recognition in airports?

I'm quoted at length in an investigative report by Davey Alba published this week by Buzzfeed News on the US government's use of automated facial recognition to track and control air travellers, in collaboration with airlines and airports that will operate the cameras and share the data for their own commercial purposes.

As I say in the pull quote at the top of the article, "This is opening the door to an extraordinarily more intrusive and granular level of government control."

For Hasbrouck, the big takeaway is that the broad surveillance of people in airports amounts to a kind of "individualized control of citizenry" -- not unlike what's already happening with the social credit scoring system in China. "There are already people who aren't allowed on, say, a high-speed train because their social credit scores are too low," he said, pointing out that China's program is significantly based in "identifying individual people and tracking their movements in public spaces through automated facial recognition."

"This is opening the door to an extraordinarily more intrusive and granular level of government control, starting with where we can go and our ability to move freely about the country," Hasbrouck said. "And then potentially, once the system is proved out in that way, it can literally extend to a vast number of controls in other parts of our lives."

Click here for more information and links to my previous reporting on this issue for the Identity Project.

Link | Posted by Edward, 14 March 2019, 09:53 ( 9:53 AM) | Comments (0) | TrackBack (0)

Sunday, 24 February 2019

Federal court declares current military draft registration requirement unconstitutional

A Federal District Court judge issued a declaratory judgement on Friday, 22 February 2019, that the current requirement for men, but not women, to register with the Selective Service System for a possible military draft is unconstitutional.

How did this happen? What did the Court say? Is this a surprise? What does this decision mean? What will happen next? What should happen next?

I've accepted an invitation to testify as an expert witness before the National Commission on Military, National, and Public Service (NCMNPS) on April 25th at a formal hearing on "Should Selective Service registration be required of all Americans", i.e. should it be extended to young women as well as young men. This hearing is likely to include substantial discussion of this decision and its implications.

For now, here are some initial answers to questions you may have about Friday's decision:

Continue reading "Federal court declares current military draft registration requirement unconstitutional"
Link | Posted by Edward, 24 February 2019, 05:16 ( 5:16 AM) | Comments (5) | TrackBack (0)

Thursday, 14 February 2019

"An appeal to readers and librarians..."

As Co-Chair of the Book Division of the National Writers Union, I'm quoted today in Publishers Weekly in an article about "Controlled Digital Lending" (CDL), the flawed legal theory being used by the Internet Archive and its library "partners" as their justification for unauthorized, unpaid scanning and distribution on the Internet of hundreds of thousands of books -- including multiple editions of my Practical Nomad books.

Here's more information about what's happening and why it matters to writers, readers, and librarians:

If you are a reader or fan of my books, or of any books, please support writers in this campaign against CDL. As the Appeal from the victims of CDL says, "When writers can't make a living, they can't afford to keep writing, and readers lose too."

This isn't a new issue for me or for the NWU. I said this about digital libraries two years ago when I was elected to represent writers on the Board of Directors of IFRRO (one of the other signers of today's Appeal from the victims of CDL):

I'm a vocal advocate for funding for digital libraries: funding for the librarians, funding for the people who would build and manage the server farms, and, yes, funding to acquire the digital contents of those libraries. I don't think that a digital library should be created by confiscating the fruits of writers' labors any more than it should be built by conscripting the labor of computer programmers or librarians or bricklayers or any other workers.

Librarians, like teachers, do work that serves the public interest. We don't pay librarians or teachers as much as we should, but we don't expect them to work for free. Why should we expect writers to fill a digital library with their work for free? Opposing expropriation and unpaid forced labor is, I think, a moderate position that shouldn't be controversial.

Unfortunately, librarians and public interest advocates are often unaware of freelance writers' new and entrepreneurial business models -- most of which don't show up in library catalogs, which have failed to keep pace with crowdsourcing and peer-to-peer indexing and distribution systems -- or the ways that writers' livelihoods would be affected by well-meaning but unfunded digital library schemes.

Link | Posted by Edward, 14 February 2019, 13:46 ( 1:46 PM) | Comments (0) | TrackBack (0)

Saturday, 2 February 2019

"A modern-day draft, if marketed carefully and cleverly,..."

"A modern-day draft, if marketed carefully and cleverly, could foster patriotism via the investment of every family in the nation. A greater involvement of the population to include National (nonmilitary) Service could reach every social demographic within the U.S."

The comments above were included in the recommendations from the Selective Service System made to the National Commission on Military, National, and Public Service. This report was sent to the NCMNPS in December 2017, but wasn't made public until this week, in response to my FOIA requests and after the conclusion of the first year of nationwide public events and collection of written public comments by the NCMNPS and the issuance of an Interim Report by the NCMNPS last week.

There's some, but only minimal, acknowledgement in the Selective Service System report of opposition to conscription. But dissent is conceptualized as "protest" (complaint) rather than as resistance (direct action) -- a political, religious, or moral, rather than a practical, impediment to the draft:

Historically, involuntary induction into the Armed Forces has been controversial, has initiated public dissent and protest.... Although many factors can influence fluctuation of registration rates, low registration compliance rates may reflect elements of society that do not have an incentive to serve, or exposure to the value of National or public service. Although many young men fail to register because they are unaware of the requirement (high school dropouts, immigrants, isolated communities), some populations and communities may be averse to service by religious conviction, moral perspective, or social pressures.

There's no mention at all in the Selective Service System report of the current decades-old Department of Justice policy of nonenforcement of the criminal penalties for wilful refusal to register for the draft. But there is an implicit admission that the low level of compliance, coupled with the lack of effective (or feasible) criminal penalties, would create the basis for challenges to the fairness of any draft based on the current incomplete and inaccurate registration database. In an exercise in wishful thinking, however, the Selective Service System fantasizes that this could be addressed by "careful and clever" marketing -- as though the reluctance of young men to kill and die on the government's command could be turned around by better targeted advertising ("outreach"):

In order to ensure a fair and equitable draft in a national emergency, it is imperative that as close to 100% of eligible men are in fact registered for Selective Service. One change that would be productive could be a widely expanded, interagency-driven national outreach that addresses all of society (registrants and influencers) with particular attention on a broad array of 'At risk' youth, undocumented persons, and elements of society that are not impacted or influenced by automatic registration processes (Drivers License Legislation, Alaska Permanent fund, federal employment etc.) A fair and equitable induction process through a lottery system requires full participation by the nation's eligible citizens.... Registration is the law; the nation should back this up by investing in citizenship activities, to include registration for Selective Service. There should be a consequence, other than loss of some federal benefits, for failure to register. That requires an investment in outreach.

The report and recommendations from the Selective Service System were submitted to the NCMNPS in December 2017, as part of a package of reports from Cabinet departments and independent agencies required by the law that established the NCMNPS during the lame-duck Congressional session after the 2016 elections. The section from the Selective Service System was inexplicably missing from the version of the PDF file containing all the other agencies' reports initially released by the NCMNPS in response to my FOIA requests, although it was listed in the table of contents.

After I pointed out the unexplained omission, and requested that the NCMNPS conduct an additional search specifically for the Selective Service System report, a replacement version of the compilation of reports created on 31 January 2019 and including the previously missing pages from the Selective Service System was quietly posted this week.

I'm continuing to pursue the other records still not disclosed in response to my FOIA requests to the NCMNPS. [Update: On 6 February 2019 the NCMNPS released a PowerPoint presentation (PDF version) given to the members of the NCMNPS during their visit to the Selective Service System data center at Naval Station Great Lakes, North Chicago, IL, on 29 June 2018. It gives more detail than has been available previously concerning the sources of the current Selective Service System database of registrants for the draft.]

The NCMNPS will hold two days of public hearings on the future of the Selective Service System, military conscription, and compulsory national "service", including whether draft registration should be ended, extended to women, or modified in other ways, at Gallaudet University in Washington, DC, on Wednesday and Thursday, April 24th and 25th, 2019. (Gallaudet University focuses on deaf and hard of hearing students, who would be deemed medically unfit for military service under the criteria in current Selective Service regulations and contingency plans. A far smaller percentage of students at Gallaudet than at most colleges or universities are at risk of being drafted.) I'll be there and I hope to see some of you there. The Commission needs to hear from those who will resist and those who will defend and support resisters in court, in the court of public opinion, and in and out of prison. If you are planning to attend, please get in touch.

Link | Posted by Edward, 2 February 2019, 10:11 (10:11 AM) | Comments (5) | TrackBack (0)

Wednesday, 23 January 2019

Interim Report of the National Commission on Military, National, and Public Service

[Members of the NCMNPS at the event yesterday launching the interim report. In foreground at podium: Debra Wada, Vice-Chair of the NCMNPS for military service issues and former Assistant Secretary of the Army for Manpower [sic] and Reserve Affairs. Photo from official NCMNPS Twitter feed.]

The National Commission on Military, National, and Public Service (NCMNPS) released its interim report today.

The Commission was created in 2016 to study and report to Congress and the President on whether registration with the Selective Service System for military conscription ("the draft") should be ended, extended to young women as well as young men, extended to older women and men with skills in special demand by the military (in health care, computer science, STEM, foreign languages, etc.), or replaced with something else such as compulsory "national service" with both civilian and military options.

I've been following the Commission as closely as its penchant for secrecy has allowed. I attended four of the Commission's public events last year (in Boston, Nashua, Denver, and Los Angeles), possibly more than anyone else except the Commission and its staff and contractors; submitted detailed written testimony and personally delivered copies of a petition initiated by Julie Mastrine and signed by more than 25,000 people asking that draft registration be ended rather than extended to women; testified in person at the Commission event in Denver; and obtained and published the most comprehensive collection of records of the Commission's activities, released in response to my Freedom Of Information Act (FOIA) requests.

The Commission's goal in its interim report released today is not really to "report" on what it has done, but to set the terms of debate (excluding options like, "Admit that draft registration has failed"), and test the political reaction to some of the proposals the Commission is considering.

As I told Gregory Korte for his story in USA Today about the Commission:

Edward Hasbrouck... was jailed for four months in the 1980s for refusing to register for the draft.

The prosecutor in that case: Robert Mueller, who became FBI director and is the special counsel investigating Donald Trump's presidential campaign....

Hasbrouck is one of more than 25,000 people who signed a petition urging the commission to end the draft.

"I think any objective serious examination of the last 40 years of draft registration would conclude that draft registration has failed," he said. "It cannot be enforced. There's no reason to think it can be salvaged by expanding it to women."

Here are some other key points to keep in mind as you read the interim report and/or news stories about it:

Continue reading "Interim Report of the National Commission on Military, National, and Public Service"
Link | Posted by Edward, 23 January 2019, 05:53 ( 5:53 AM) | Comments (4) | TrackBack (0)

Wednesday, 16 January 2019

Another demonstration of CRS/GDS insecurity

Zack Whittaker had a report yesterday for Techcrunch on the latest rediscovery of a continuing vulnerability affecting sensitive personal data in airline reservations that I first reported, both publicly and to the responsible companies, more than 15 years ago: computerized reservations systems and systems that rely on them for data storage and retrieval, including airline check-in Web sites, use a short, unchangeable, system-assigned, and fundamentally insecure "record locator" as though it were a secure password to control access to passenger name record (PNR) data.

I wrote about these vulnerabilities and reported them to each of the major CRS/GDS companies in 2001, 2002, and 2003, specifically noting their applicability to airline check-in Web sites (among many other Web services). I pointed these vulnerabilities out in a submission to the US Federal Trade Commission in 2009 which was co-signed by several consumer and privacy organizations, in my 2013 testimony as an invited expert witness before the Advisory Committee on Aviation Consumer Protection of the U.S. Department of Transportation, in a complaint which was finally accepted and docketed by the European Commission in 2017, and in my comments to the European Commission in December 2018 with respect to its current review of the European Union's regulations governing protection of personal data by CRSs.

Meanwhile, in late 2016, both the insecurity of "record locators" as passwords and "brute force" record locator attacks on one of the Web gateways to the Amadeus CRS that I had written about were publicly demonstrated by white-hat hackers, prompting another and more extensive round of publicity.
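What a "brute force" record locator attack looks like from the operator's side of a Web gateway, as an added example that is not part of the original post: a detector that flags any client requesting many different record locators that fail within a short window, while ignoring a traveller who mistypes their own. The log format, the `/checkin` path, the `locator` and `surname` parameter names, the 60-second window, and the threshold of 5 are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Hypothetical access-log format: TIMESTAMP CLIENT_IP "GET TARGET" STATUS
LINE_RE = re.compile(r'^(\S+) (\S+) "GET (\S+)" (\d{3})$')


def parse_line(line):
    """Return (when, ip, locator, status), or None if the line is not a lookup."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, target, status = m.groups()
    locator = parse_qs(urlsplit(target).query).get("locator", [None])[0]
    if locator is None:
        return None
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    # Compare locators case-insensitively so a retyped locator counts once.
    return when, ip, locator.upper(), int(status)


def find_enumerators(lines, window=timedelta(seconds=60), threshold=5):
    """Map client IP -> peak number of DISTINCT failed locators in any window.

    Only clients at or above the threshold are returned. Lines must be in
    chronological order, as they are in an append-only access log.
    """
    recent = defaultdict(deque)   # ip -> (when, locator) failures still in window
    peak = defaultdict(int)       # ip -> highest distinct-failure count seen
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, ip, locator, status = parsed
        if status != 404:         # only failed lookups indicate guessing
            continue
        failures = recent[ip]
        failures.append((when, locator))
        while failures and when - failures[0][0] > window:
            failures.popleft()
        distinct = len({loc for _, loc in failures})
        peak[ip] = max(peak[ip], distinct)
    return {ip: n for ip, n in peak.items() if n >= threshold}


# Constructed sample log (documentation IP ranges, made-up locators).
SAMPLE_LOG = [
    # A traveller mistypes one locator twice, then gets it right.
    '2019-01-15T10:00:00Z 198.51.100.20 "GET /checkin?locator=QX7RT2&surname=DOE" 404',
    '2019-01-15T10:00:20Z 198.51.100.20 "GET /checkin?locator=qx7rt2&surname=DOE" 404',
    '2019-01-15T10:00:41Z 198.51.100.20 "GET /checkin?locator=QX7RTZ&surname=DOE" 200',
] + [
    # One client fails on six different locators within ten seconds.
    f'2019-01-15T10:01:{2 * i:02d}Z 203.0.113.7 '
    f'"GET /checkin?locator=AAAA{i:02d}&surname=ROE" 404'
    for i in range(6)
] + [
    # Five different failures, but two minutes apart: never two in one window.
    f'2019-01-15T10:{2 + 2 * i:02d}:00Z 192.0.2.44 '
    f'"GET /checkin?locator=ZZZZ{i:02d}&surname=POE" 404'
    for i in range(5)
]

if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct failed record locators within 60s")
```

The third client shows the limit of per-source counting: slow guessing stays under any per-window threshold, which is why detection of this kind supplements, but does not replace, a real password on each PNR.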

In my comments last month to the European Commission, I recounted some of this history and recommended that:

The privacy and data protection provisions of the CRS Code of Conduct.... Should be retained [and] should be enforced... including by requiring CRSs to replace "record locators" with user-selectable, user-changeable passwords.

I also pointed out the reason that airlines have not closed these vulnerabilities, or pressured CRSs to do so, despite having been aware of them for many years from my own and other reports:

In the absence of support by the CRSs for password controls on PNR access, numerous public-facing systems that rely on CRSs for data storage and functionality, including self-service check-in and itinerary viewing systems operated by airlines and travel agencies (or operated by CRSs in the names of airlines or travel agencies), rely on inherently insecure, fixed, CRS-assigned "record locators" in place of passwords. These record locators are printed on boarding passes, baggage tags, and itineraries. Travellers are never told that they need to treat record locators as unchangeable passwords....

Airlines accept this lack of security because it facilitates automation through self-service systems that reduce airline labor costs. More secure systems that require a unique or user-selectable password for access to each PNR would require more airline and/or airport staff to deal with lost or forgotten passwords, and might reduce or slow adoption of self-service check-in, flight change, or other labor-saving systems. In the absence of data protection enforcement, airlines have a financial interest in prioritizing their own business process automation over the security of travellers' personal data.

Airlines and other CRS users will implement more secure, but more costly, PNR access controls only if they are forced to do so through enforcement of data protection requirements, or if passwords are implemented by CRSs as requirements for all users. [emphasis added]

The response by Amadeus to the latest demonstration of these longstanding, well-known, and already reported and publicized vulnerabilities, according to Techcrunch, is to claim to have taken "immediate action". But I spent hours on the phone and engaged in extensive e-mail correspondence with Amadeus in 2001-2003, trying unsuccessfully to get the company to do anything about this vulnerability or explain its inaction. There was no action in response, immediate or otherwise.

Yesterday Amadeus also said, according to Techcrunch, "We work with our customers and partners in the industry to address PNR security overall. The airline industry relies on IATA standards that were introduced to improve efficiency and customer service on a global scale. Because the industry works on common industry standards, including the PNR, further improvements should include reviewing and changing some of the industry standards themselves, which requires industry collaboration."

Even if this were true, the industry has had ample time -- more than 15 years -- to implement changes to IATA standards such as the AIRIMP. But the suggestion that closing this vulnerability would require changes to IATA standards is simply not true. Neither the AIRIMP (which sets standards for messaging between airlines and CRSs, but not for consumer-facing interfaces) nor any other IATA standard requires the use of a record locator as a means of controlling access to PNR data, or precludes the inclusion in PNRs of user-selectable and user-changeable passwords or their use to control access to PNR data.

Yes, industry-wide changes are needed. But they need to start with Amadeus and the other CRSs that set the de facto standard of insecurity for handling of personal information in airline reservations.

Amadeus and the other CRS companies, as well as the airlines that accept their insecure services, need to stop lying, stop pointing fingers of blame at anyone but themselves, stop feigning surprise at each new report of the same well-known vulnerabilities, and get to work on fixing their problems.

Link | Posted by Edward, 16 January 2019, 21:16 ( 9:16 PM) | Comments (0) | TrackBack (0)