Search Mailing List Archives
[liberationtech] Buffoons stepping all over my privacy with muddy boots
reneelloyd at me.com
Fri Mar 2 08:45:18 PST 2012
So I read your post and thought this is pretty crummy. While we all "know" that data is shared this scenario highlights the "OMG, they did what?" really well. It is particularly cloying because you did not even sign up for this service the airline signed you up. The airline who, in the context of booking a flight, needs the personal data that you shared. But taking that information and sharing it with this company seemingly unrestricted without your notice and consent is stunning.
"Personal data will be processed in accordance with applicable local law and regulations regarding data privacy. Personal data will be processed, stored and disclosed only for business purposes as described below. We may use your data for the following purposes: - to provide you with the highest possible level of service and to help you to obtain the best service from our website; - for other administrative purposes and for internal analysis; and - to participate as part of a survey or to get feedback. Non-personal data may be used to compile and analyze travel trends and/or other demographic information."
They can process store and disclose personal data for business purposes which includes just about anything (note how they insert 'only' before "business purpose" to give the illusion that this is some limited right). In addition "purpose as described below" is not exclusive but rather reflective of some of the activities that would be considered use, disclosure, process for a business purpose. In any event, the 'purpose" is broad enough to do just about anything so there is little comfort that the policy will establish clear limits on what they do. While I don't labor under a delusion that these policies are designed in any way to protect the individual whose information collection, use etc they control, I DO take issue with the sneaky drafting. For example, as pointed out above, in the "how we use your data section" it reads, "Personal data will be processed stored and disclosed only for business purposes" but in the section labeled "To whom may your data be disclosed?" the policy reads as follows:
"If you are a travel and tourism customer, we will disclose your data to our partners for fulfillment of your booking request or other booking related requests. We will not disclose your data to any third parties except where necessary for the purposes of fulfilling any bookings, booking related requests, credit checks or fraud prevention, or as otherwise described in this statement. We may disclose your information if required by any applicable law, subpoena, or regulation. We may also disclose your data to third parties and professional advisors acting on our behalf who are obliged to keep that data confidential."
Something like this, to me is like a marketing document, they will be somewhat specific about the sharing that 'seems reasonable" or better yet does not immediately raise a red flag (it may be logical to share information for booking purposes) and rather than call out the "red flag raising" sharing of data (the stuff we actually care about) which legally they are required to disclose (in some form) they include the "or as otherwise described in this statement" which technically complies.
On 2012-03-02, at 9:43 AM, The Dod wrote:
> I've just changed the date of a flight, and got an email from the airline that also gave a link to my flight details at a site called checkmytrip.com
> It's SSL, but that's where the cargo cult ends.
> This url doesn't seem to contain anything with entropy, and leads to a page showing flight details, weather, and... my name, email address and 2 phone numbers.
> But it gets better.
> They have a "share this" option. Mail/twitter/facebook. I tried mail from/to trash mailboxes, and I get the exact same url I got.
> ZOMG. I could have twoten my identity all over the galaxy if I was a wee bit less concentrated.
> What's the procedure in such cases? How do I make this info disappear from that site without too much pain for me? Assuming they do that, how big is the threat of this info leaking to whoever checkmytrip are wheeling and dealing with?
> I mean, do I need to change my name and phone numbers? :)
> liberationtech mailing list
> liberationtech at lists.stanford.edu
> Should you need to change your subscription options, please go to:
> If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
> You will need the user name and password you receive from the list moderator in monthly reminders.
> Should you need immediate assistance, please contact the list moderator.
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the liberationtech