Go Back  FlyerTalk Forums > Miles&Points > Hotels and Places to Stay > Hilton | Hilton Honors
Reload this Page >

Hilton accesses your browser history when using their WiFi

Hilton accesses your browser history when using their WiFi

Old Jan 8, 20, 6:33 am
  #1  
Original Poster
 
Join Date: Aug 2007
Programs: AA EXP, Amex Plat
Posts: 551
Hilton accesses your browser history when using their WiFi

Thanks to the new California Consumer Privacy Act ("CCPA") and other laws like the GDPR, we now have more visibility into the information companies collect about us. Since I'm the type of person that likes to read the fine print, I reviewed Hilton's CCPA notice and came across something interesting. While I obviously assumed that Hilton could see what information I access through its WiFi network (if I don't have my VPN turned on) I was a surprised to see that they actually look at your browser history and search history, and could possibly be collecting things like e-mails, passwords and other sensitive information. Below is copied directly from Hilton's notice:

Internet or other electronic network activity information, including, but not limited to your browser history, search history and information regarding a customerís interaction with an internet website, application, or advertisement
I want to make a couple of points for people to think about. Before I do, I note that I write these type of clauses for a living and they are kept intentionally broad so that the client can pretty much do what they want:
  1. It's one thing to track the sites I access through the WiFi when I use it. That's normal logging. However, to access my browser history to find other pages that I've reviewed before signing onto Hilton WiFi crosses the line to me. I know that people are likely to say that all websites do this so I should stop worrying about it--well, my response is that I have the same issue with all websites. if you want to look at what I access through your WiFi network fine (well, not fine, but I can tolerate it), but don't go snooping around looking at what else I've accessed.
  2. The same goes for search history.
  3. Now, this last part is where these privacy notices are less-than-forthcoming... When the clause says "information regarding a customer's interaction with an internet website" most companies view this as giving them permission to capture whatever they want such as reading your e-mails, logging passwords, tracking usernames, etc. so long as it is permitted by law.
So, what is my purpose in posting this thread? My hope is that Hilton will clarify and provide more specificity about what information it collects about users' browser history, search history, and whether it does things like logging e-mails and passwords transmitted over its networks. Perhaps some reassurance from Hilton that it isn't collecting private communications, passwords, or usernames when guests use its WiFi.

Of course, much of this can be avoided by using a VPN, at least until hotels start blocking them (as I've noticed in some hotels recently).

And, lastly, to those that will undoubtedly say something to the effect of "why worry," "who cares," "email is inherently insecure anyway," or "it's just the way it is so move on," I choose not to ascribe that that notion. I don't want every detail of my life tracked by the companies I do business with!!
sokolov and strickerj like this.
tacostuff is offline  
Old Jan 8, 20, 7:02 am
  #2  
 
Join Date: Jul 2014
Location: WAW ✈ LHR
Programs: BA GGL/CCR, HH Diamond, IHG Spire Ambassador
Posts: 1,608
Originally Posted by tacostuff View Post
* It's one thing to track the sites I access through the WiFi when I use it. That's normal logging. However, to access my browser history to find other pages that I've reviewed before signing onto Hilton WiFi crosses the line to me. I know that people are likely to say that all websites do this so I should stop worrying about it--well, my response is that I have the same issue with all websites. if you want to look at what I access through your WiFi network fine (well, not fine, but I can tolerate it), but don't go snooping around looking at what else I've accessed.
There is no way Hilton could access your browser's history when you connect to their WiFi, neither websites you visit. I believe it's just wording issue - they can see your browsing history while you've been conencted to their WiFi, nothing else.
megaloman is offline  
Old Jan 8, 20, 10:13 am
  #3  
A FlyerTalk Posting Legend
 
Join Date: Apr 2013
Location: SFO
Programs: UA 1K 1MM; AS 75K; Marriott Ambassador; Hilton Diamond (Aspire); Hyatt Explorist
Posts: 43,041
Originally Posted by megaloman View Post
There is no way Hilton could access your browser's history when you connect to their WiFi, neither websites you visit.
Sure they could, though it would require use of code that is commonly understood to be malicious and would violate anti-hacking laws.
:D! and infinityplusone like this.
Kacee is online now  
Old Jan 8, 20, 10:28 am
  #4  
:D!
Hilton Contributor BadgeIHG Contributor Badge
 
Join Date: Sep 2012
Location: Aberdeen, Bella Vista and Croydon
Programs: BA Spire, Hilton *G, A3 Diamond, IHG Silver
Posts: 4,590
If you secure your devices sufficiently it is unlikely that Hilton (or probably the hotel's wifi provider) would be able to see anything.
:D! is offline  
Old Jan 8, 20, 12:26 pm
  #5  
 
Join Date: May 2005
Posts: 3,618
So much unwarranted angst in the OP. If you don’t want to be tracked, don’t use tech.
smmrfld is offline  
Old Jan 8, 20, 3:26 pm
  #6  
 
Join Date: Sep 2006
Location: ORD
Programs: AA Platinum, Hilton Diamond
Posts: 235
Originally Posted by smmrfld View Post
So much unwarranted angst in the OP. If you donít want to be tracked, donít use tech.
Right! And if you don't like air pollution, don't breathe!
smithrh is offline  
Old Jan 9, 20, 6:22 am
  #7  
Hilton 5+ BadgeAccor 10+ Badge 2020 FlyerTalk Awards
 
Join Date: Nov 2012
Location: Rhineland-Palatinate
Programs: OW Ruby (BA), *A Gold (A3), Le Club Accor Gold, HHonor Diamond
Posts: 2,543
While I 100% agree with the OP and its philosophy, I think that the technicalities are such that this would never happen. It requires some skills and also violates laws in quite a few jurisdictions to read past browser history, keylog website interactions.
writerguyfl likes this.
fransknorge is offline  
Old Jan 9, 20, 6:54 am
  #8  
 
Join Date: Aug 2010
Location: MŁnchen, Germany
Programs: BA GGL (no longer CCR), Hertz PC, Hilton Diamond
Posts: 5,658
Given that this is a California law, I wonder if they have reserved rights/permissions in much the same way that everything is labeled as a carcinogen there - not because there is any appreciable risk for most people, but because you can't be punished for over-reporting.
Cymro is offline  
Old Jan 15, 20, 12:20 am
  #9  
 
Join Date: Oct 2014
Posts: 4,802
How did this nonsense make it to the front page of flyertalk? They can't access any of this.

They can see which sites you visit when you are on their wifi.

They can absolutely not access your google search history or your browser history. That's just idiotic.

Of course if they are installing spyware on your computer they may be able to see more, but that's true whether you are connected to their wifi or not.

Originally Posted by megaloman View Post
There is no way Hilton could access your browser's history when you connect to their WiFi, neither websites you visit. I believe it's just wording issue - they can see your browsing history while you've been conencted to their WiFi, nothing else.
They can't even see that. They can see the domains you have visited, not the paths, unless the sites are using plain http, rather than https, which almost no site does any more.

Suppose you visit https://example.com/path/to/page. Your browser does a TLS handshake with https://example.com to set up a secure connection (basically, a pair of keys that can be used to encrypt traffic back and forth, which a middleman (like an ISP) cannot decrypt). Then, once that is established, your browser sends a "GET /path/to/page" over that secure connection. So while someone in the middle (like the people who run the hotel wifi, or your ISP, or your mobile carrier if you are using your phone's mobile data) can see that you visited "example.com", they cannot see which pages on that site you accessed.

Of course, the domains that you visited could be valuable information (eg, for ad targeting) but it's not as much information as the full history.
megaloman, hhdl and :D! like this.
VegasGambler is offline  
Old Jan 15, 20, 9:49 am
  #10  
Original Poster
 
Join Date: Aug 2007
Programs: AA EXP, Amex Plat
Posts: 551
So, several comments here.

First, when I originally created this thread, my main point is that under its terms and conditions Hilton *could* access things like browser history and passwords if it chose and had the required technology. I have no knowledge that Hilton is doing this, or even has the capability to do so. I just wish that companies would be clearer with their T&Cs and what they actually track. Here, Hilton could be more specific about the information that it actually collects. If it is not collecting "browser history" then why specifically mention that in its CCPA disclosure?

Second, several of you have said that Hilton couldn't do this type of tracking without installing spyware. Even if this is true, I can almost certainly guarantee you (I'm not currently in a Hilton to verify this) that if you read the fine-print the next time you click to join a Hilton wifi network that you're agreeing that they can install pieces of software on your computer. This will probably be under the guise of something like "analytics," "troubleshooting," "network compatibility," or "ensuring optimal operation of the network." Many companies will interpret this as permission to install software on your computer that some would consider "spyware" (not that they do, but that they *could* if they wanted). Of course there are technical measures that all of us can and should be taking to prevent this.

Third, there are obviously technologies that many of us can (and should) be using to improve security and limit the amount of tracking. As others have mentioned, things like making sure you're browsing over an HTTPS connection and/or VPN. For me this is standard if I have to use a public wifi network. Also, as others have pointed out, I try to use my phone as a hotspot as much as possible, but generally overseas this is cost prohibitive. Though, as I originally said, I have noticed that some hotels are starting to block VPN connections (and not just in countries like China or Russia).

Lastly, what I said isn't to imply that Hilton can download, for example, your actual Chrome browser history (this may or may not be possible technically). But I do know they can absolutely track what sites you have visited prior to joining a Hilton Wifi network using third-party tracking technologies such as cookies and fingerprinting. Again, I know this is true for most webpages, but I just don't like the idea that Hilton is doing it to me as I pay to stay in its hotels.
alanslegal likes this.

Last edited by tacostuff; Jan 15, 20 at 2:16 pm
tacostuff is offline  
Old Jan 15, 20, 12:01 pm
  #11  
 
Join Date: Sep 2006
Programs: AA LT Plat - 2MM;HH Diamond
Posts: 227
Is this disclosure related only to use of their WiFi network or also to the use of their kiosk machines in the business center? If it also includes the kiosk, there is a lot more data that Hilton would have access to (even if they didn't choose to look/record it somewhere).
danorum is offline  
Old Jan 15, 20, 4:13 pm
  #12  
 
Join Date: Jan 2000
Posts: 2,612
All - use a VPN from any public WiFi access point. Sure it may slow you down a tad but it protects you enourmously. If you don't then you have to know that anything you do when connected to WiFi is fair game. It's like using a speakerphone for a conference call and talking about confidential issues.
sdix is offline  
Old Jan 15, 20, 4:37 pm
  #13  
Company Representative - Honors by Hilton
 
Join Date: Aug 2009
Programs: Hilton Honors
Posts: 1,205
Weíd like to offer an initial point of clarification. The Hilton CCPA disclosure addresses our Global Privacy Statement, so the language references multiple guest touchpoints with Hilton and is not specific to accessing WiFi while staying at one of our properties.

A consumer who is browsing the Hilton website or clicking on a Hilton advertisement will share information with us about the locations and hotels they are searching. This allows us to personalize the marketing they receive from Hilton. The same is true for Hilton Honors members who are logged in to their account.

We can appreciate how the statementís legal sounding language may raise questions, and can confirm that we're taking this back to the team. We want to be as clear as possible for our guests. That said, Hilton does not access a guestís device to review their emails or browser history. As is customary for any business or public WiFi service, Hilton does have the ability to access the site visited, but this is not currently logged. This information is important for operational and security reasons. We do not track searches or web browsing away from Hilton.com, nor do we collect passwords, emails or data downloaded by guests when staying at a Hilton property.

Best regards,

William R. Sanders
megaloman, DC9, jefftiger and 1 others like this.
Hilton Honors Ambassador is offline  
Old Jan 15, 20, 7:40 pm
  #14  
 
Join Date: Oct 2014
Posts: 4,802
Originally Posted by tacostuff View Post
First, when I originally created this thread, my main point is that under its terms and conditions Hilton *could* access things like browser history and passwords if it chose and had the required technology.
With the required technology, I can travel back in time, buy Amazon/Google/Apple/Microsoft at IPO time, and be a billionaire.
writerguyfl, :D! and hhdl like this.
VegasGambler is offline  
Old Jan 15, 20, 11:50 pm
  #15  
Hilton Contributor Badge
 
Join Date: Jan 2009
Location: Singapore
Programs: IHG Plat Ambassador, HHonors Diamond; A3 *Nothing ; BA Exec. Club Gold; Flying Blue Ivory
Posts: 1,449
Perfectly happy for Hilton too see the questionable amount of porn I browse during my lonely hotel stays. If they want to see my browsing history they might reconsider that once seen

Privacy is an illusion.

Globalist
DC9 and hhdl like this.
Globalist is offline  

Thread Tools
Search this Thread
Search Engine: