Last year, I signed up to the web service TripIt, which promises to help organise (and share) travel itineraries.
I travel far less frequently than I’d like to, but I love technology and enjoy playing with new tech. So, I signed up to TripIt and downloaded the Android app. At the time, the service asked you to forward emails whenever you wanted it to automatically create an itinerary. I was fine with this, since I figured users have the right to choose which information they share with the service. Nonetheless, I still connected it with my Google Account, trusting it to only access information in the way it said it would. At some point, I suspect TripIt asked me to authorise the change, but it was probably a case of TL;DR, as with most Terms of Service documents.
This week, I received an email from a travel provider with booking information for someone else’s trip. I regularly receive such information because the person in question doesn’t have easy access to email or printers. This person’s security and privacy are very important to me. TripIt promptly scanned the email and imported the details into their service. Not cool.
TripIt allows users to disconnect their Google Accounts (I haven’t done so yet because I wanted to see what else would happen, once I was sure the information wasn’t being shared widely). I’ve set up some tests, and I’ll update this post with the results.
Have you had any issues with web services sharing or accessing more data than you realise?
UPDATE: TripIt responded to my blog post. You can read their response here.