American AAdvantage - TripIt no longer tracking aadvantage

just got an email from tripit pro:

Dear TripIt Pro traveler,
We regret that we are no longer able to track one or more of your travel reward-point programs currently monitored by TripIt Pro's point tracker feature.

Beginning today, TripIt Pro will no longer report account balance, activity, or point expirations for the following:

American AAdvantage

Your other reward-point programs remain unaffected.

We apologize for any inconvenience and encourage you to watch for TripIt Pro improvements coming soon. If you have any questions, please don't hesitate to contact us.

Thank you for being a valued TripIt Pro customer.

Best regards,

The TripIt Pro team

anyone know if this is this an account glitch on my end or has there been some kind of policy change?

I just received the same email.

I did as well. I sent an e-mail to AA customer relations. I suspect this might be from the AA side, perhaps too many logins from tripit into AA accounts?

I'd like it to get fixed, but I really don't look at the TripIt points page all that often, at least not for airline miles. I've got all my eggs in the AA basket mostly.

I received the same email. Southwest pulled the same stunt last year. Not sure what the airlines have to gain, but if the airlines all do everything they can to make sure we ONLY visit their own sites, it will drive me (and I assume others) to pick a favorite and shop there only. I don't want to visit 10 sites everytime I want to check mileage balances. And my favorite will NOT be American.

I received the same email. Not sure it matters about the points tracking in the grand scheme of things.

My concern is the proactive flight monitoring. Is AA shutting off access to everything or just point totals?

I was very impressed with Tripit last week when I received a message that my flight would be delayed by an hour. The amazing thing is that I received the message 11 hours before my departure. AA EXP Desk said the flight was on time until 30 minutes before departure. The departure time moved 15 minutes later and then again, you guessed it, another 15 minutes later. As Tripit called it 11 hours earlier, the flight took off 1 hour late. I am curious how Tripit knows more about AA's flights that AA knows or is willing to share.

I hope this is a point monitoring only event and not a precursor to something more.

I received the same email. Oddly enough, the last update from Tripit for AA was 6 hours ago. You would think it wouldn't have worked at all today.

That said, I don't use Tripit to monitor my points so it's not a big deal for me.

Nikonshooter brings up a great point. If it affects more than just points monitoring then it's a big deal. If it affects flight updates, then i'll have big issues. That's one of the big services I rely on Tripit for.

yeah the points thing i liked because i have points spread across multiple programs (two airlines and three hotel programs) and i would rather not have to log into each one to get my stats. it's definitely not a must have, but it's a feature i pay for on tripit and i'd like it to work.

doh for anyone keeping tabs, here's the response i got from tripit:


tripitguy, Jul 10 11:33 am (PDT):

Hi bob_the_d,

We're sorry to say that, due to a decision by American Airlines, the American Airlines AAdvantage program is no longer available for point-tracking services like that in TripIt Pro.

We appreciate that many of our customers participate in the American Airlines frequent flier program, so we regret this change. Should there be any developments that allow us to again present the American Airlines AAdvantage program we will alert all of our Pro customers.

Best Regards,
tripit guy

Be sure to check out http://help.tripit.com/home for answers to common questions.

sadface.

Lame.
Though not surprising since AA already yanked support for Award Wallet.

AA seems to be blocking other programs that track miles balances and the like as well. I have been waiting for this shoe to fall, unfortunately. This will not make me move away from TripIt Pro, as it's too valuable for me - but AA seems bent on controlling our miles information, possibly due to "security concerns" - the 2000's response for all kinds of airline-related travesties.

(re-titled slightly to show this is an actual and factual condition, and not a question.)

TripTracker went away a while ago. I've send several emails, but they're really more about making me feel better for sending them and complaining than any belief that it will do any good. Since the security concern is actually legitimate, even if low risk, it will be hard to appeal to them on this.

Cheers.

This is a shame. I work in the travel tech industry (building a product that is somewhat similar to TripIt) and while the rest of the world is getting more open about data flow, travel companies continue to close off data. It's bad for the user experience - the whole 'don't let people leave your site' mantra is a bit outdated.

I'm surprised it took this long. Yodlee, AwardWallet, Traxo, UsingMiles, GoMiles, MileTracker, MileManager and every other one I use received this notice from AA several months ago.

I wonder what the logic is behind continually pulling support for these programs that make their customers happy?

I doubt this will impact flight information, as there are lots of ways for TripIt to get that information besides directly from AA. Plus there is no security issue because the info not tied to a personal account - TripIt is only monitoring my flight, not my reservation.

I suppose I'll lob a complaint into AA about the miles tracker anyway...

I wonder what the logic is behind continually pulling support for these programs that make their customers happy?

The excuse when they pulled from awardwallet was security concerns, which I read as "we're missing out on page views to our site and hence missing eyeballs for the advertising and promotions on aa.com"

It's annoying but not a dealbreaker for me to lose the mileage tracking. Tripit Pro's monitoring service is the real value.

If AA breaks that, I'll be POed.

I presume that somehow AA blocked the use of an API that supported finding mileage totals. Instead of giving up, why doesn't AwardWallet, etc, go to a "screen scrape" approach instead?

just got a reply from AA:

Dear Mr. bobthed,

First, allow me to thank you for being one of our Executive Platinum®
members. We appreciate your sharing with us your views on the service
provided by TripIt.

Upholding our long-held stance on how third party websites access
proprietary AAdvantage member details is just one of the ways we protect
the benefits afforded through the AAdvantage program. Because your
AAdvantage account number and password can be used to claim AAdvantage
mileage awards out of your account and to access your personal details,
we will always protect this information.

When making decisions around the sharing of our customer?s data with
third-party websites, security is chief among our points of
consideration. We simply cannot permit websites which have not satisfied
our security requirements the access needed to track your balance or any
other function that is otherwise secured behind your AA.com login
credentials.

In this light, we hope you will agree with us that it is best to protect
the value of the AAdvantage program to you and the privacy of our
members. Consistent with these principles, you may be interested to know
that Points.com, an AAdvantage participant, allows many of the same
types of services as other mileage tracker websites ? but has fully
satisfied our rigorous security requirements. If you are interested in
an alternative to tracking your balance at AA.com, we hope you will
consider giving http://www.points.com a try. We are also in the process
of qualifying a number of other mileage tracker websites, and we hope to
share these new choices with you in the near future.

Again, thank you for your feedback regarding TripIt!

Regards,

aadvantagecsdude
AAdvantage Customer Service
American Airlines

I presume that somehow AA blocked the use of an API that supported finding mileage totals. Instead of giving up, why doesn't AwardWallet, etc, go to a "screen scrape" approach instead?

How so? To scrape data from the AA acc't, the programs would still need to possess the login information.

They should allow each user to select opt ins to allow Tripit to access their Frequent Flyer info.

They should allow each user to select opt ins to allow Tripit to access their Frequent Flyer info.

And yet... they don't

Regards

How so? To scrape data from the AA acc't, the programs would still need to possess the login information.
AA first blocked AwardWallet from its usual way of gathering AAdvantage-mile totals. AA claimed it was for the security of the passenger's information.

AwardWallet countered by creating a widget that sat on the individual's computer and gathered the mile balance without sending login information to AW.

Then AA blocked that, also, with some non-sensical excuse.

Then AA blocked that, also, with some non-sensical excuse.That's not the worst of it. Apparently AA attempted to prevent Awardwallet users from manually tracking their own AA miles on the site. They were told to ban anyone entering the word "American" into a data field. I experienced that. Apparently, then AA told AW to ban anyone from entering any eight character string for an airline name. But as I understand it, at that point AW pushed back. My miles are manually entered into the system as "Anerican". But there are others who prefer to use "unAmerican" which is much wittier.

just got a reply from AA:

So, other than the emotional reply that "I want them to allow this so any decision they make must be wrong and have some ulterior motive other than what is stated," does anyone here have real information about AA's security criteria and the results of any tests with the various sites/apps in question with regard to safeguarding passwords and such?

I don't, but it sounds like other folks here don't either and are primarily complaining because it's inconvenient (as I did in the thread that included Trip Tracker :))

On that note, I just sent them yet another email asking about the "security issues" and whether the app providers had been apprised of them so that they could fix them and get re-inspected. I don't expect a useful reply :)

Cheers.

Plus there is no security issue because the info not tied to a personal account - TripIt is only monitoring my flight, not my reservation.

I don't use TripIt, but if you are counting on them to track your flights, but checking reservations in your account, I wouldn't expect that to work - they can no longer log in as you. If you manually type in all your flight data, then yes, they should be able to monitor/provide data.

I presume that somehow AA blocked the use of an API that supported finding mileage totals. Instead of giving up, why doesn't AwardWallet, etc, go to a "screen scrape" approach instead?

As noted above, AwardWallet tried that, using a browser plug-in so they were never in possession of any of your data. AA strong-armed them on that one also.

I don't use TripIt, but if you are counting on them to track your flights, but checking reservations in your account, I wouldn't expect that to work - they can no longer log in as you. If you manually type in all your flight data, then yes, they should be able to monitor/provide data.
Tripit never had access to my actual reservations data. They knew which flights I was on because either I forwarded them my confirmation emails or I manually entered the flight information. Based on that, and that alone, they would monitor the flights that I told them I was taking. If I changed my flight, there's no way they would know unless I edited the information in my itinerary.

My point is that I don't expect any of this to change because none of it required access to my AAdvantage account.

But interestingly, TripIt also has the ability to scrape your email inbox, assuming you give them the login information, for various travel confirmation emails (I do not avail myself of this feature...). It will then automatically import your plans into an itinerary.

I suppose they could also scrape your email for monthly mileage account update emails, although I don't think AAdvantage emails your actual mileage statement with the individual transactions, only a summary with the total mileage balance and some other information.

Points.com is where mileage value goes to die!

One can easily imagine a FT post of the future:

"I am an long-term EXP AA customer. Like many others, I trusted XYZ Third Party to manage my various frequent flyer and hotel guest accounts.

"I had a zillion miles in that account, and was planning on taking my long-suffering spouse on a dream vacation to make up for all the years I've spent travelling.

"Imagine my dismay when I discovered XYZ Third Party had fallen victim to the ABC Virus / Trojan / Data Breach / Worm, and that all my miles disappeared from my account. Like so many others, I called AA and asked that my miles be reinstated since they were lost from my account through no fault of my own.

"AA refused to reinstate my miles, telling me that buried deep in the teeny fine print of the T&Cs, there is a one-sentence line forbidding me to disclose my password to anyone else. They certainly allowed XYZ Third Party to access my account for years. Why, suddenly, do they enforce their T&Cs only when it to their advantage?

"I am just furious. I will never fly AA again. I blame it on the bankruptcy."

You know, a customer-friendly company would implement and release a "read only" API - an API that only supports reading your balance, etc, but does not allow an active role in redeeming miles, booking flights, whatever.

You know, a customer-friendly company would implement and release a "read only" API - an API that only supports reading your balance, etc, but does not allow an active role in redeeming miles, booking flights, whatever.

It's not the API that's the issue. Unless a separate password were set up for this read-only API, then the password is still at risk even with this limited API. If that gets compromised, then it can be used on the full access API.

I'm agreeing that AA are woefully behind the times here, I just don't think that this is the solution.

Cheers.

It's not the API that's the issue. Unless a separate password were set up for this read-only API, then the password is still at risk even with this limited API. If that gets compromised, then it can be used on the full access API.

I'm agreeing that AA are woefully behind the times here, I just don't think that this is the solution.

Cheers.

Actually by definition a "read-only API" implies that you would not be giving away your password to third party websites. OAuth 2 is designed to do just that.

http://en.wikipedia.org/wiki/OAuth

It is easy to implement, and many websites, such as Facebook, use it today. You can authorize someone to see some of your data on Facebook but you are not giving them your Facebook password. One of our developer implemented this OAuth 2 protocol in about 1 - 2 days.

Actually by definition a "read-only API" implies that you would not be giving away your password to third party websites. OAuth 2 is designed to do just that.

http://en.wikipedia.org/wiki/OAuth

It is easy to implement, and many websites, such as Facebook, use it today. You can authorize someone to see some of your data on Facebook but you are not giving them your Facebook password. One of our developer implemented this OAuth 2 protocol in about 1 - 2 days.

Excellent! Thanks for the link.

(I will take one exception, though - "read only" API does not, by definition, imply anything about the use of credentials. It's simply an interface that doesn't allow modification of data. OAuth is a particular implementation that does have credential implications.)

While I work in complex software development, it's pretty clear that I don't work in web technology, and wasn't aware of this (in retrospect, very obvious) development.

Of course, one the third parties have that data, even if read only, what other things might they be doing with it, besides just showing it to the user?

Cheers.

You know, a customer-friendly company would implement and release a "read only" API - an API that only supports reading your balance, etc, but does not allow an active role in redeeming miles, booking flights, whatever.

In the olden days we use to have separate passwords on our databases that granted read-only or read-write access. Have we gotten away from that?

Besides, I don't think it's what the app might do, but what people might do with the information from the app... Even with read-only access there would be enough data made available someone could call and book something. Does this fall into pretexting?

Sites that believe they are the be-all their users need should get some fresh air. There are effective ways to manage cooperative agreements and everyone wins. Unfortunately users have become the commodity and the data/service is a far second.

Did you use Google Translate for that? :D I suspect there may be some truth to that. The "read-only API" info here would seem to support that, IMO.

The excuse when they pulled from awardwallet was security concerns, which I read as "we're missing out on page views to our site and hence missing eyeballs for the advertising and promotions on aa.com"

AA seems to be blocking other programs that track miles balances and the like as well. I have been waiting for this shoe to fall, unfortunately. This will not make me move away from TripIt Pro, as it's too valuable for me - but AA seems bent on controlling our miles information, possibly due to "security concerns" - the 2000's response for all kinds of airline-related travesties.

(re-titled slightly to show this is an actual and factual condition, and not a question.)

Slightly off topic, but what do you think are the most valuable parts of Pro?

I had the service through Amex Platinum last year and found the flight status updates, baggage claim notices, etc. convenient but not indispensable (you can find this information elsewhere too.)

I really like the service for managing itineraries, but are there other benefits I am missing? Flight refund alerts?

Also off topic, the flight refund alerts are not so useful, because they often are not matches in the full fare detail and iirc not accurate in including the change fees. Mostly, it's having it all in one place and the updates - AA certainly doesn't provide many updates or change notices, and though I have apps I can use individually for various things it's the convenience factor I like.

What I do not like is the inability AA imposed on TripIt to get my AAdvantage account data. I think it's more than about "security" - and some folks here have ideas about that.

Slightly off topic, but what do you think are the most valuable parts of Pro?

I had the service through Amex Platinum last year and found the flight status updates, baggage claim notices, etc. convenient but not indispensable (you can find this information elsewhere too.)

I really like the service for managing itineraries, but are there other benefits I am missing? Flight refund alerts?

What I do not like is the inability AA imposed on TripIt to get my AAdvantage account data. I think it's more than about "security" - and some folks here have ideas about that.

Another consideration is, once they've gotten your data, and shown it to you....they have your data. Even if it's a read only interface, and they have no access to your account password for booking purposes, they still have possession of data that would potentially be valuable to....some.

Cheers.

I received the same email. Not sure it matters about the points tracking in the grand scheme of things.

My concern is the proactive flight monitoring. Is AA shutting off access to everything or just point totals?

I was very impressed with Tripit last week when I received a message that my flight would be delayed by an hour. The amazing thing is that I received the message 11 hours before my departure. AA EXP Desk said the flight was on time until 30 minutes before departure. The departure time moved 15 minutes later and then again, you guessed it, another 15 minutes later. As Tripit called it 11 hours earlier, the flight took off 1 hour late. I am curious how Tripit knows more about AA's flights that AA knows or is willing to share.

I hope this is a point monitoring only event and not a precursor to something more.

Nikon Shooter: I'm delighted to hear that TripIt Pro helped you out on
your recent trip. Rest assured that although we can no longer track your
American Airlines points, this change does not impact TripIt Pro flight
monitoring.