What information about us do the airline companies collect? And WHY?

Ferhat Dikbiyik
Nov 16, 2018


“Always search for flights in incognito or private browsing mode to see the lowest prices.”

It all started when I saw the tip above about purchasing airline tickets. The logic was simple: repeated searches end up with higher prices. But is it that simple?

When I shared this information, I received some other tips, such as using a different web browser, deleting cookies (small text files placed in your browser to quickly identify you when you revisit a specific website), etc. It is like hiding your search history from the airline company. However, if the prices change based on your search history, doesn’t it mean that airlines set prices based on somewhat personal information?

When I shared these tips on social media and speculated about the personal data that the airline companies may be collecting, it drew some attention. So I dug into it to see if it really happens. Sure, many companies collect personal information through mobile apps, web analytics tools, cookies, etc. But since the airlines have dynamic pricing, i.e., the same seat may be sold at different prices, it is more feasible (and opportunistic) for them to exploit personal data for pricing.

When I first searched for it, I read an article by The Telegraph on the same matter. The title of the article suggests that some airline companies are already on the way to personalizing airline ticket fares.

“Airlines are starting to price their seats based on your personal information — but is it legal?”

The article was published in Feb. 2018 and gives hints about what data the airline companies may use for pricing.

“…carriers are increasingly tempted by the lure of dynamic pricing — or fare discrimination — whereby online technology, such as cookies and customer accounts, gleans information on potential passengers, from salary to age, and offers them a unique, personalised price for a seat.”

The article also claimed that some major airline companies are very enthusiastic about personalized pricing with a quote from the Airline Tariff Publishing Company (ATPCO) back in 2015.

“Rather than managing only very broad segmentation, the application of [Customer Relationship Management] to revenue management results in the ability to price at a more granular level: the level of ‘who is asking’ ”

Note that many major airline companies use ATPCO for pricing fares.

Let’s get back to the question of what data is collectable by airline companies. If you register on the website of an airline company, it becomes easier for them to collect information about you. Once they know some amount of information about you (that you willingly give), it is easier to get the rest, such as your marital status, your financial situation, etc., through third-party data companies. However, my focus is not the customers who have already registered and willingly given some personal information. I will speculate more on individuals who visit an airline website or download a mobile app to search for an airline ticket without initially giving any information. For this research, I focus on the following 14 major airline companies from different parts of the world.

1- Air France
2- American Airlines
3- ANA
4- Air Canada
5- British Airways
6- Delta
7- Iberia
8- KLM
9- LATAM
10- Lufthansa
11- SAS
12- Swiss
13- Turkish Airlines
14- United

The easiest (and probably sneakiest) way to collect data is through mobile applications. So, I first checked the mobile apps published by these airlines. I simply opened the Google Play Store (I haven’t checked the iOS versions of the apps), found each app, and checked the permissions it requests. Here are the results.

The permissions asked by mobile applications of major airline companies.

Some of the permissions might be de facto requests made by many applications, and some of them may be required to use the app efficiently. However, some permissions are very difficult to explain, such as find, add, or remove accounts, read contact list, record audio, etc. With each permission, we provide more and more information about ourselves.

When I sort these airlines by the number of permissions requested, I see that KLM is the highest with 25 requests and ANA is the lowest with seven. If one airline can do the relevant mobile app operations with only seven permissions, why does another airline require approximately 3.5 times that? It is also surprising to see that some European-based companies require more permissions than others, considering that the EU General Data Protection Regulation (GDPR) limits data collection.

Number of permissions asked by mobile applications of major airline companies.

Then, I looked at the websites of these airlines. Websites collect information through cookies and web analytics tools with third-party JavaScript. I tried VPN connections to make the websites believe that I was accessing them from different countries. There, I could see the effects of GDPR. If you access from Europe, a bunch of consent forms pop up and you have some level of control over what information can be collected by the website. But if you access from somewhere else, no consent form appears at all on some airline websites. You should check the privacy policies to see what data is collected when you visit the website. Some privacy policies are easy to reach, but some others, such as that of United Airlines, cannot be reached with one or two clicks.

Below are examples of the consent forms that pop up (because of GDPR) when you enter a European-based airline company’s website. GDPR requires companies to leave unnecessary data-collection permissions opted out by default. So, the pop-up screen comes up with Functional Cookies (the ones necessary for the proper functioning of the website) opted in and the others opted out. Now, assume that you are not protected by GDPR and all these cookies are functioning without permission. Imagine the information that they know or guess about you. For instance, if they know that you search through the Safari web browser, they can easily assume that you use a MacBook, so your financial situation may be good enough to afford a slightly higher ticket price. Again, I am just speculating to open a discussion.

Cookie consent form of Air France
Cookie consent form of Lufthansa

How about non-European companies? The Japanese airline company, All Nippon Airways (ANA), gives a short list of what information is collected for European customers. This Use of Cookies page appears only if you access from an EU country. On this list, I have one question: What is “data from personalized pages”?

Cookie use information for European customers of ANA

In its Privacy Policy, ANA more openly says that it collects the following information:

…customer name, address, telephone and fax numbers, email address, business contact (name of company, department, title, address, telephone and fax numbers), mailing address, member card type, member service qualification, membership area, mileage status, credit card number and expiration date, need for wheelchair and other special arrangements, flight reservation and cancelation information, boarding status, etc.

Most of them are OK, I guess. But, wait! Is there an “etc.” at the end?

We can see that the cookies used by airline companies can be classified as functional cookies, analytical cookies (to track your actions during your visit to the website), informational cookies (country, language, browser type, etc.), and third-party cookies. Third-party cookies are managed by third-party data companies. Airline companies do not have any control over them, but they still like to share your data.

Air Canada has a similar categorization of the cookies used on its website.

Information about the cookies used by Air Canada

When it comes to US-based airline companies, things are a little bit different. First of all, the information that pops up for European customers does not appear right away for some companies, and you need to dig in to find out what data is collected. The description of third-party analytics given on the United Airlines website somewhat explains why airline companies share your information (collected during the visit) with third parties. These third-party data collectors can correlate your information collected from different sites and profile you based on it. Then, they may sell the data back to their subscribers, such as airline companies.

Third-party analytics information on United Airlines website

Further down the privacy page, United Airlines lists the information that it collects about you. “User and activity data from our websites and mobile application” appears in the list as well.

List of information that United Airlines collects about a website visitor

The privacy and cookie information published on the websites is sometimes hard to find, and most visitors overlook it. With GDPR, this type of data-collection information gains some visibility and certainly increases awareness about data privacy.

In the last step of my research, I explored the technologies used on their websites. Wappalyzer provides a service to identify the technologies (not just JavaScript, but everything from Java libraries to frameworks) used on a given website.

The number of technologies used on the main websites of major airline companies.

I wish there were a tool that could show only the third-party JavaScript running on a website, but Wappalyzer is also fine. I just needed to filter and categorize the results. The classification is made with respect to how the JavaScript is defined by Wappalyzer. I focus on the following categories: Advertising Networks, Analytics, Cache Tools, Issue Trackers, Marketing Automation. I do not claim that all the tools under these categories collect information, but it is safe to assume that they probably do.

Number of technologies that probably collect visitor’s data on the main websites of major airlines.

These third-party tools are concerning not only from a privacy point of view but also from a cyber security perspective. Third-party JavaScript has been used in many recent cyber attacks. In particular, Magecart attackers used JavaScript vulnerabilities to steal payment and personally identifiable information of British Airways, Newegg, and TicketMaster customers. RiskIQ analysts tracked the Magecart campaign and published a comprehensive report about it. Last week, a cryptocurrency exchange, gate.io, also got hit through a third-party JavaScript used for web analytics.
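
The inventory of third-party scripts wished for above can be approximated from a page's static HTML. The following is an added example, not code from the original article: it lists every external script served from a different site than the page and notes whether the tag carries a Subresource Integrity `integrity` attribute. The page URL, host names and HTML are constructed sample input, and comparing the last two host labels is a simplifying assumption.

```javascript
// Added example (not from the article). Host names and HTML below are constructed.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://assets.airline.example/booking.js"></script>
<script async src="//analytics.tracker.example/collect.js"></script>
<script src="https://cdn.ads.example/tag.js" integrity="sha384-PLACEHOLDER"></script>
<script>var inline = true;</script>
</head></html>`;

// Assumption: "same site" means the last two host labels match. That is wrong
// for suffixes such as co.uk; a real tool would consult the Public Suffix List.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Read one attribute value (quoted or unquoted) from a tag's attribute text.
function attr(attrs, name) {
  const re = new RegExp(
    `(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] || m[2] || m[3] || '') : null;
}

// List external scripts served from a different site than the page itself.
// Scripts injected at run time by other scripts are not visible in static HTML.
function thirdPartyScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const found = [];
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = attr(attrs, 'src');
    if (!src) continue;                        // inline script: no URL to check
    let url;
    try { url = new URL(src, page); } catch { continue; }  // malformed src
    if (!/^https?:$/.test(url.protocol)) continue;
    if (siteOf(url.hostname) === siteOf(page.hostname)) continue; // first party
    found.push({
      host: url.hostname,
      url: url.href,
      hasIntegrity: Boolean(attr(attrs, 'integrity')), // SRI hash present?
    });
  }
  return found;
}

for (const s of thirdPartyScripts(SAMPLE_HTML, 'https://www.airline.example/search')) {
  console.log(`${s.host}\t${s.hasIntegrity ? 'SRI' : 'no SRI'}\t${s.url}`);
}
```

A script without an `integrity` value can be changed by whoever controls the third-party host without the site noticing, which is why those entries deserve the first look.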

In 2015, major cyber attacks on airlines were motivated only by reward points (attacks on United Airlines, American Airlines, and British Airways). The motivation shifted to passenger information in 2016 (attacks on Asiana, Vietnam, and Hong Kong Airlines) and 2017 (attacks on Virgin, WestJet, and Spirit Airlines). But it has evolved to passenger information and credit card information in 2018 (attacks on British Airways, Cathay Pacific).

The bottom line is that too much unnecessary data that says something about you is collected by airlines or the third parties they work with. Do the airline companies use all this data to price fares? Not sure. Do they want to use it? Hell ya!


Say Hi on LinkedIn or check out what we’re doing at NormShield.
