Travel providers store our credit card information. Airlines may have our date of birth, passport number, and Known Traveler or Redress number.
They know where we’re going. They know where we’re staying.
There’s identity theft. There’s stalker risk. And there’s corporate espionage.
Following a venture capitalist you might know where they are investing. Following the travels of a lawyer you might discern the confidential and privileged business of a client.
And that doesn’t even touch on the information held by banks we do business with, which are themselves travel providers through their co-brand relationships.
So I was intrigued when jamesb2147 pointed me to Google’s report on use of encrypted e-mail.
My working model has always been that the big banks and financial institutions have high security standards, and companies that have data interfaces working with those banks probably have high security standards as well, or at least that big bank contracts require it.
Encrypted email isn’t the only, or perhaps even most important, factor in security and privacy.
And not all email needs to be encrypted. If there’s no personal information, if it’s just a marketing or promotion email, I don’t worry about it.
I do think though that itineraries should be encrypted. Credit card bill notifications, or payment acknowledgements should be — especially when those messages contain dates and amounts.
That appears to be the exact model followed by Chase — financial institution emails encrypted, marketing emails not:
jamesb2147 points out some things he notices in the Google report:
United hasn’t changed the mail server configuration of the servers inherited from Continental. The emails coming from [Continental] servers are encrypted, and the emails coming from [United] servers are not encrypted in transit.
…Setting up encrypted connections is trivial, and clearly, [Continental] at some point had the requisite knowledge to accomplish this. It uses a small amount more processing power... but is a minimal step that can be taken to significantly protect the privacy of clients.
It appears that emails from americanexpress.com, spiritairlines.com, and barclaycardus.com do not ever enter gmail’s system encrypted. Very little Delta email comes in encrypted.
My itineraries from American appear to come from ‘aa.globalnotifications.com’ and I don’t see a result for that searching Google’s report.
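For a sender that is missing from the report, the Received headers of a message already in your inbox show whether the hop into your mail provider used TLS. This is an added example, not part of the original post: the host names and sample messages are constructed, and it relies on the RFC 3848 "with ESMTPS" keyword plus the "version=TLS" comment that some receivers append.

```python
import re
from email import message_from_string

# "with" keywords that RFC 3848 registers for transfers protected by TLS
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def inbound_hop(raw_message, receiving_mx):
    """Return (sending_host, protocol, encrypted) for the hop into receiving_mx,
    or None when no Received header was written by that host."""
    msg = message_from_string(raw_message)
    # Only the header added by your own provider is trustworthy; anything
    # below it was written by the sender's side and can say whatever it likes.
    for header in msg.get_all("Received", []):
        flat = " ".join(header.split())  # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", flat)
        if not by or by.group(1).lower() != receiving_mx.lower():
            continue
        sender = re.search(r"^from\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+(\S+)", flat)
        protocol = proto.group(1).upper() if proto else "UNKNOWN"
        # Some receivers also record the session as a (version=TLS...) comment.
        encrypted = protocol in TLS_KEYWORDS or "version=TLS" in flat
        return (sender.group(1) if sender else "unknown", protocol, encrypted)
    return None

# Constructed sample headers and host names, for illustration only.
MX = "mx.mailprovider.example"
ENCRYPTED_SAMPLE = """\
Received: by 10.0.0.5 with SMTP id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from out.airline.example (out.airline.example. [192.0.2.10])
        by mx.mailprovider.example with ESMTPS id x1si123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 1 Jan 2024 10:00:01 +0000
From: itinerary@airline.example
Subject: Your itinerary
"""
PLAINTEXT_SAMPLE = """\
Received: from out.bank.example (out.bank.example. [192.0.2.20])
        by mx.mailprovider.example with ESMTP id y2si456;
        Mon, 1 Jan 2024 11:00:01 +0000
From: alerts@bank.example
Subject: Payment received
"""

if __name__ == "__main__":
    for sample in (ENCRYPTED_SAMPLE, PLAINTEXT_SAMPLE):
        print(inbound_hop(sample, MX))
```

The result describes only the final hop into your provider; it says nothing about earlier relays or about how the message is stored.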
Encryption matters, but if you’re working with a company that collaborates closely with the government I wouldn’t expect it to hide your information from the government. They get all PNR data before you travel anyway, and access to your credit card transactions, so this issue is really about protecting yourself from non-state actors, and whether the companies you deal with are working in your best interests to do the same.
Do you worry about the security of your personal information? Does your airline, hotel, and financial institution partner information factor high on the list of your privacy concerns?