For Booking.com, it’s essential that users can book travel for other users by adding their email addresses to a booking because that’s how people frequently book trips together. And if it happens that the email address added to a booking is also linked to an existing Booking.com user, the trip is automatically added to that person’s account. After that, there’s no way for Booking.com to remove the trip from the stranger’s account, even if there’s a typo in the email or if auto-complete adds the wrong email domain and the user booking the trip doesn’t notice.
According to Booking.com, there is nothing to fix because this is not a “system glitch,” and there was no “security breach.” What Alfie encountered is simply the way the platform works, which, like any app where users input information, has the potential for human error.
In the end, Booking.com declined to remove the trip from Alfie’s account, saying that would have violated the privacy of the user booking the trip. The only resolution was for Alfie to remove the trip from his account and pretend it never happened.
Alfie remains concerned, telling Ars, “I can’t help thinking this can’t be the only occurrence of this issue.” But Jacob Hoffman-Andrews, a senior staff technologist for the digital rights group the Electronic Frontier Foundation, told Ars that after talking to other developers, his “gut reaction” is that Booking.com didn’t have a ton of options to prevent typos during bookings.
“There’s only so much they can do to protect people from their own typos,” Hoffman-Andrews said.
One step Booking.com could take to protect privacy
Perhaps the bigger concern exposed by Alfie’s experience beyond typos is Booking.com’s practice of automatically adding bookings to accounts linked to emails that users they don’t know input. Once the trip is added to someone’s account, that person can seemingly access sensitive information about the users booking the trip that Booking.com otherwise would not share.
While engaging with the Booking.com support team member, Alfie told Ars that he “probed for as much information as possible” to find out who was behind the strange booking on his account. And seemingly because the booking was added to Alfie’s account, the support team member had no problem sharing sensitive information that went beyond the full name and last four digits of the credit card used for the booking, which were listed in the trip information by default.
