The largest expert travel community:
  • 765,210 Total members
  • 5,642 Users online now
  • 1,716,625 Threads
  • 31,387,929 Posts
Reports From the Forum

“Just a Heads Up, Hilton Can See Your Browser History (& Read Your Emails)”

“Just a Heads Up, Hilton Can See Your Browser History (& Read Your Emails)”
FlyerTalk

The FlyerTalk Forum is a pretty big place, so when a particularly good piece of FlyerTalk comes across our desks, we put it on the front page for regular Reports From the Forum. Want to read more? Check out the Reports From the Forum tag, or head to the forum yourself to see what the FlyerTalk is about.

Update: William R. Sanders, the Hilton Ambassadors representative in the FlyerTalk forums offered a rebuttal and a point of clarity on Hilton’s privacy policy:

We’d like to offer an initial point of clarification. The Hilton CCPA disclosure addresses our Global Privacy Statement, so the language references multiple guest touchpoints with Hilton and is not specific to accessing WiFi while staying at one of our properties.

A consumer who is browsing the Hilton website or clicking on a Hilton advertisement will share information with us about the locations and hotels they are searching. This allows us to personalize the marketing they receive from Hilton. The same is true for Hilton Honors members who are logged in to their account.

We can appreciate how the statement’s legal sounding language may raise questions, and can confirm that we’re taking this back to the team. We want to be as clear as possible for our guests. That said, Hilton does not access a guest’s device to review their emails or browser history. As is customary for any business or public WiFi service, Hilton does have the ability to access the site visited, but this is not currently logged. This information is important for operational and security reasons. We do not track searches or web browsing away from Hilton.com, nor do we collect passwords, emails or data downloaded by guests when staying at a Hilton property.

Best regards,

William R. Sanders

Thanks to the new California Consumer Privacy Act (CCPA), travelers in (and visiting) the United States have a lot more visibility into the information that companies collect about them. While many just filed that information away in the slim “good news for US consumers” folder in our brains, others have been taking the opportunity to read a lot of fine print.

And when one FlyerTalker reviewed the fine print in Hilton’s CCPA, notice they found some interesting information:

While I obviously assumed that Hilton could see what information I access through its WiFi network (if I don’t have my VPN turned on) I was a surprised to see that they actually look at your browser history and search history, and could possibly be collecting things like e-mails, passwords and other sensitive information.

On its CCPA notice, Hilton makes it very clear that they have access to and may access “Internet or other electronic network activity information, including, but not limited to your browser history, search history and information regarding a customer’s interaction with an internet website, application, or advertisement.”

Privacy in 2020

We’re not assuming anything about your personal browser history. But, if we had to guess we’d say that you, like most of us, don’t want it rifled through by a major corporation. But, in 2020, rummaging through your data is what many corporations do, Hilton included.

In fact, the FlyerTalker who brought this Hilton data policy to the forum’s attention “writes these types of clauses for a living.” And they wanted to point out that, while its standard for a company to track the sites that you access when you are on their WiFi. “However, to access my browser history to find other pages that I’ve reviewed before signing onto Hilton WiFi crosses the line to me.

“I know that people are likely to say that all websites do this so I should stop worrying about it–well, my response is that I have the same issue with all websites. If you want to look at what I access through your WiFi network fine (well, not fine, but I can tolerate it), but don’t go snooping around looking at what else I’ve accessed.”

Or Your E-Mails, Passwords, and Usernames?

Says our new favorite professional fine print decoder, you should be particularly interested in the last part of Hilton’s disclosure where it says that it has the right to access “information regarding a customer’s interaction with an internet website, application, or advertisement.”

This last part is where these privacy notices are less-than-forthcoming… When the clause says “information regarding a customer’s interaction with an internet website” most companies view this as giving them permission to capture whatever they want such as reading your e-mails, logging passwords, tracking usernames, etc. so long as it is permitted by law.

To clarify, just because Hilton can collect this information, it doesn’t mean that is is. It also doesn’t mean that it isn’t collecting this information. But, as they point out, it would be nice if Hilton would clarify this very broad language and let us know just what information it collects about your browser and search history and whether it logs your e-mails or passwords transmitted over its networks (or private communications).

How Do I Protect Myself?

Their advice? Use a VPN, “at least until hotels start blocking them (as I’ve noticed in some hotels recently).”

View Comments (9)

9 Comments

  1. DCAFly

    January 13, 2020 at 1:20 pm

    Isn’t the better advice to just not use public WiFi and use your phone’s hot spot? Of course, then Verizon, T-Mobile, etc., are collecting all those data rather than Hilton…

  2. EmilyGuo

    January 14, 2020 at 1:00 am

    It’s never too late to protect my personal information and watch out!

  3. vbscript2

    January 14, 2020 at 1:21 am

    From a technical standpoint, I’m pretty sure this is wrong. Nothing about using their network allows them to search through your browser history.

    *However*, if you’re on their network and not using a VPN, then they can indeed see which sites you visit *while you’re on their network*. This is most likely what they meant from that part of their disclosure, even if the awkward wording may suggest otherwise. There is no possible technical way for them to avoid this.

    The part about capturing it could possibly mean that they’re keeping track of the websites you visit for data mining/marketing purposes, but more likely it’s just in there to cover themselves in case they need to make a wireshark capture or similar at some point for their own network management/troubleshooting purposes.

    As far as seeing passwords, the only way they could do that is if you’re sending a password in plaintext over the wire, which is no one’s fault but your own and the site you’re sending it to. Any website of even remotely competent design that requires a login will be using TLS to encrypt the traffic between your browser and their server. Other people on your network (including Hilton) can see that you’re communicating with that site (if you’re not using a VPN,) but they *can’t* actually see any of the information you’re sending to or receiving from that site if you’re using TLS. You can tell whether or not your using TLS for your connection to a given site by its address. If it starts with “https://”, then it’s using TLS. If it just starts with “http://”, then you’re not using TLS and the connection is not encrypted.

    The only way for them to see any of the information you’re sending to a website or that it’s sending you would be if you’re using an unencrypted connection to a website, which you should absolutely never do for any site that requires a login or which requires you to send any non-public information to it. If the address of the site you’re visiting starts with http:// instead of https://, then you should absolutely assume that anything you’re sending to it, including passwords, is compromised regardless of what network you’re on, but especially on anything remotely resembling a public access network, such as in a hotel.

    Perhaps the person who posted that does indeed write such clauses for a living, but I design computer networking software for the security industry for a living and this reaction to the ToS seems quite exaggerated to me. As someone who also helps write such clauses as part of my job at times, I would just take the language to mean that they want to cover themselves in case some of your network traffic gets captured while someone is running a network capture for network administration purposes, not that they’re actually intending to do anything nefarious with it, let alone rifling through your browser’s history.

    If you’re sending passwords in plaintext over a computer network, then they can be captured trivially on any computer network regardless of what the T&Cs may or may not say. Not only by the owner of the network, but by anyone on it. So just don’t do that.

  4. VegasGambler

    January 14, 2020 at 11:25 pm

    This is all completely wrong. The hotel can’t see your emails, or your browser history, or even the contents of the web pages you visit (assuming https connections, which is the default just about everywhere). Everything is secured by SSL/TLS. The only thing that they can see is the domain names of the sites that you visit.

  5. top987

    January 15, 2020 at 4:23 am

    @vbscript2 is correct. It appears the CCPA notice is stating to you what technically is possible if you use their network, not necessarily what they are doing. I would imagine that their lawyers and their technology team got together and made sure to put in the statement any and every possible thing they could think of so that they didn’t get sued under the act if someone felt it didn’t give the advance warning they need. While no analogy is perfect, I would liken this to the drug commercials on TV. They always include a long list of possible side effects. Few or none of which are likely to affect the majority of patients taking the medicine.

  6. jjbiv

    January 15, 2020 at 5:08 am

    vbscript2’s reply is right on. The original post is lacking in technical knowledge.

  7. aidano

    January 15, 2020 at 6:44 am

    As vbscript2 says above, there’s no way for them to see your browser history, or your search history, aside from what they can activity track while you’re using their network.

  8. Hilton Honors Ambassador

    January 15, 2020 at 2:38 pm

    We’d like to offer an initial point of clarification. The Hilton CCPA disclosure addresses our Global Privacy Statement, so the language references multiple guest touchpoints with Hilton and is not specific to accessing WiFi while staying at one of our properties.

    A consumer who is browsing the Hilton website or clicking on a Hilton advertisement will share information with us about the locations and hotels they are searching. This allows us to personalize the marketing they receive from Hilton. The same is true for Hilton Honors members who are logged in to their account.

    We can appreciate how the statement’s legal sounding language may raise questions, and can confirm that we’re taking this back to the team. We want to be as clear as possible for our guests. That said, Hilton does not access a guest’s device to review their emails or browser history. As is customary for any business or public WiFi service, Hilton does have the ability to access the site visited, but this is not currently logged. This information is important for operational and security reasons. We do not track searches or web browsing away from Hilton.com, nor do we collect passwords, emails or data downloaded by guests when staying at a Hilton property.

    Best regards,

    William R. Sanders

  9. baggins

    January 15, 2020 at 7:40 pm

    Use a VPN, “at least until hotels start blocking them (as I’ve noticed in some hotels recently).”
    Which hotels do this and how exactly do they accomplish this?

You must be logged in on the FORUM to post a comment Login

Leave a Reply

Reports From the Forum

More in Reports From the Forum

“I Can Predict the Status of Your Next British Airways Flight”

FlyerTalkJanuary 15, 2020

Here’s How You Can Help Australia

Jennifer BillockJanuary 10, 2020
Missed Daughters Birth Business Class American Airlines

“You Missed Your Child’s Birth Because You Couldn’t Fly Business Class?”

FlyerTalkJanuary 7, 2020

Copyright © 2014 Top News Theme. Theme by MVP Themes, powered by Wordpress.