Tripping Up

Last year, I signed up to the web service TripIt, which promises to help organise (and share) travel itineraries.

I travel far less frequently than I’d like to, but I love technology and enjoy playing with new tech. So, I signed up to TripIt and downloaded the Android app. At the time, the service asked you to forward emails whenever you wanted it to automatically create an itinerary. I was fine with this, since I figured users have the right to choose which information they share with the service. Nonetheless, I still connected it with my Google Account, trusting it to only access information in the way it said it would. At some point, I suspect TripIt asked me to authorise the change, but it was probably a case of TL;DR, as with most Terms of Service documents.

This week, I received an email from a travel provider with booking information for someone else’s trip. I regularly receive such information because the person in question doesn’t have easy access to email or printers. This person’s security and privacy is very important to me. TripIt promptly scanned the email and imported the details into their service. Not cool.

Obviously, you can say that the whole situation is my fault, since I obviously didn’t look carefully enough at the way TripIt operates before I agreed to use the service. (Who does?) Further, when it at some point asked me to review changes, I didn’t do that properly either. However, when net services rely on trust and handle personal information, they should more carefully consider the needs of users (in this case, for privacy) rather than hiding things away in lengthy TOS.

I haven’t yet deleted TripIt, because I’m still interested in its potential, and I hope to be able to use it a little more in 2012 and beyond. But I have reconsidered the potential dangers of such services. Should I take to using TripIt more often, I will be ensuring I choose what information it accesses, and I will only be sharing itineraries with very trusted people (my partner and my family).

TripIt allows users to disconnect their Google Accounts (I haven’t done so yet because I wanted to see what else would happen, once I was sure the information wasn’t being shared widely). I’ve set up some tests, and I’ll update this post with the results.

Have you had any issues with web services sharing or accessing more data than you realise?


UPDATE: TripIt responded to my blog post. You can read their response here.