I haven’t followed the AwardWallet controversy too closely, mostly because I’ve never used it. I think it’s a cool service, but I just don’t need another login or account to keep track of, so I’ve never bothered to sign up.
You probably know this already, but back in December of last year, American banned AwardWallet from storing AA.com customer account information and using that info to access AAdvantage account data on behalf of AwardWallet customers. Southwest also did something similar when they barred AwardWallet from storing Rapid Rewards account information.
Over the years, working for a software firm that was an outside vendor to some big companies, I’ve worked on projects that required hosting a client’s customer data, and it was always a process that required multiple security audits, review by attorneys, and liability insurance policies and agreements.
So when I first read about American banning AwardWallet, I wasn’t surprised that it happened. It seemed almost inevitable that AwardWallet was going to run into problems for storing AAdvantage account information for perhaps millions of American’s customers, if they were doing it without some kind of formal agreement with American.
I’ve read a few comments on blogs and in the forums suggesting that American banned AwardWallet because they were afraid that they would siphon off traffic from AA.com.
I guess it could be possible, but the idea that folks at AA.com are losing sleep because of AwardWallet just doesn’t seem that credible. Kayak? Sure. Google purchasing ITA Software? Definitely. Losing traffic to AwardWallet? Probably not.
I think it really is just an issue of security and liability.
I couldn’t imagine a bank allowing an outside company, with whom they have no liability or security agreements, to store millions of customers’ online bank account usernames and passwords, and I couldn’t imagine American, Southwest, or any airline not taking a similar stance.
After American banned AwardWallet from hosting AA.com customer data, AwardWallet implemented a workaround by introducing a browser plug-in that stored AAdvantage account login info on a user’s hard drive. Thus, it was no longer being stored on AwardWallet’s servers, so I guess they figured that it would make American happy. It didn’t, and last month American forced AwardWallet to discontinue that tactic as well.
I’m not sure how the plug-in worked, but it’s not the way Points.com, Sabre, and other third-party companies communicate with American’s systems, so the fact that the plug-in was banned wasn’t much of a surprise.
The other day, I was reading about how challenging it was for Microsoft and American to integrate AA.com user data with the new American Airlines App for Windows Mobile, and to host copies of that data on Microsoft’s servers and still keep user info secure and safe as it moved between the two services. It took teams of people (engineers, security experts, and management) on both sides to make it work, and that seems to be the right way of doing it. A browser plug-in just seems like a hack.
I’m sure that at this point, the solution is for AwardWallet to use some kind of secure, sanctioned API. That’s how American has chosen to share data with other outside partners, so any other approach is probably not going to work.
I really didn’t intend for this post to be a defense of American, even though it’s kind of turned out that way. You’ve probably read so many other opinions on the subject that reading yet another won’t impact your view anyway.
The reason I was writing though (really) was to point your attention to a post on the topic by Michael at Michael W Travels. He was actually able to solicit some comments from representatives at AwardWallet and American Airlines, so rather than try to convince you of how right I am, I figured if you’re interested, you could read the back and forth and decide for yourself.