In the section on questions for Randy Petersen in the August issue of Inside Flyer (subscription required), there’s a shout out to my award booking service. I’m flattered, and therefore should be gracious enough to simply say thank you.
Instead, I read on and found the next question for Randy troublesome. A reader asked about why websites like TripIt are no longer allowed to access American AAdvantage account information.
Of course they care, which is why they have begun to enforce a policy that has long been in their rules and conditions. Let’s back up a bit. American AAdvantage was not the first airline to put a stop to this sort of access–that distinction belongs to the Southwest Rapid Rewards program. And while it might seem that those Texas-based airlines are sticking together (maybe we are lucky that Continental moved their headquarters to Chicago!), the reasoning behind the decision is actually something they see as best for their customers.
These services, which TripIt and others provide, all require you to release your loyalty account numbers and PINs. Over the past 10 years, dozens of these services have popped up … and later went out of business. What happens to your account and PIN? Of those that currently offer these services, are you aware of the level of security they use to protect your data? What do they do with the data they collect? It’s these types of concerns that led Southwest, and later American, to block further access to your account.
While not making headlines, there has been an increase in the number of awards that have been fraudulently redeemed from members’ accounts, and the action taken by these two programs is an attempt to step back and take a look at how they can implement some sort of system to better protect all members from outside access, not just those using these services.
This got my juices flowing enough that I’ve sent off the following Letter to the Editor:
In the August issue of Inside Flyer, you tell reader John Mitchell that American’s decision to forbid mileage tracking websites from accessing AAdvantage account information is reasonable because (1) it’s in their terms and conditions, (2) Southwest did it first, and (3) it’s to protect member data.
You’ve frequently been critical of frequent flyer programs sticking to their terms and conditions to the detriment of their members, and contrary to their own long-term interests. Just because they can do something, doesn’t mean they should. I hope you’ll recognize this as one of those instances.
When members have to take extra steps to check their frequent flyer balances, they become less engaged in the program. The programs that are easiest to watch miles grow in — that don’t require manually logging in (and remembering to log in!) to another website are the programs whose shopping portals members will most use, the programs they’ll accumulate car rentals with, and other partner activity as well.
While you suggested to this reader that there’s a security risk in releasing account passwords or PINs to a website, mileage tracking site Award Wallet didn’t need member account information at all, and stopped storing that information on its website. It created a browser plugin so that all account numbers, passwords, and mileage balances were stored on the member’s computers only. American’s lawyers still shut them down.
The notion that this is all in the best interests of the member doesn’t wash. Making it harder for members to watch their balances regularly and closely REDUCES security. In contrast, members checking changes in their balances regularly on mileage aggregator sites allows them to realize more quickly when there’s a problem and sound the alarm.
Meanwhile American won’t permit access to websites that the banks are happy to allow to access and store financial account information. If a site can meet Fidelity or Chase security standards, surely a security rationale on American’s part is wrong-headed, even if it were genuine?
But it isn’t about security at all, it’s about commercial agreements. In response to a question from a member in the American AAdvantage chat on Milepoint, American President Suzanne Rubin acknowledged the reason for shutting off these sites’ access is “Our preference is to enter into commercial agreements with these sites that recognize American’s rights and control the unauthorized dissemination of American’s customer data. ”
I certainly hope these websites can find a way to come to terms, but it’s unclear how an internet venture that doesn’t charge members can afford to pay American or other frequent flyer programs a fee for something that increases those members very engagement in the program.
Perhaps with enough persistence I can change your mind and you’ll join the call to let members manage their data in the most convenient manner possible, within clear and transparent security guidelines.
We’ll see if I make it into the magazine! (And, Randy, thank you 🙂 )