"This article originally was published at Law360.com."
A hotel is a personal place, even if you share it with thousands of other people. The very obscurity in a crowd can make you feel anonymous, and the private living space allows for the most private of conversations and activities. If you want to play video games with friends, sit in your underwear and watch a movie, or entertain your boss’s spouse in your private hotel room, who would know?
In 2016, people operating the hotel may know, and so may many others.
Hotels have slowly stopped being places of enforced privacy, gradually becoming prisons of information gathering, where the guest is a frequently unwitting generator of useful and profitable data. The hotel staff knows more about you than you think they do, and that information is growing all the time.
Unlike the Colorado hotel owner described this year in a Gay Talese New Yorker article, who set up each room with special equipment to spy on the guests, your typical innkeeper is not necessarily seeking to invade your privacy. But, like many businesses, hotels use big data tools and methods to collect an increasingly broad and deep array of information about customers. This information helps hotels make business decisions and offer customized customer services, such as which room service items to stock or which times local attractions are at their busiest. Current tools for intrusion simply make it too tempting to gather data about guests for business reasons.
Within each room, hotels have for years kept records of the television viewing habits of occupants, but now hotels provide Internet access to guests and, as a temporary ISP/Wi-Fi provider, the hotel managers are able to track what users do online. Hotel servers are like all others in that they accumulate a log file of all client transactions. Guests’ surfing patterns are listed in that file, which includes the time guests logged in and out, the guest name or ID number assigned by the server, and the guest room number. Whether or not a guest deletes his or her personal log on a browser is irrelevant to the server. All entries are logged into the server database.
But now, hotels and resorts are tracking guests throughout the property and, in some cases, off the property, and into the guests’ travel destinations. Using smartphones, Fitbits, company-issued wearable devices, and other Internet-connected tools, resorts like Disney track the movements of guests throughout the properties and in the hotels, gathering data that will be used to enhance customer experiences and analyze customer behavior. Signals from the mobile and wearable technology are gathered by Wi-Fi spots placed throughout the resort and sent to centralized computers. This technology can conjure the magic when the costumed princess knows your granddaughter’s name and birthday, but it can also track how much time you spent at the craps tables or how many times you visited the buffet line or courtesy wine bar.
Of course, some hotels that don’t yet track mobile devices could reach the same result with cameras and facial recognition programs. Their properties are canvassed with camera equipment used for security and for guest tracking at every entrance, lobby, hallway, and garage level. Once a guest has been identified by the camera software, her presence can be noted and documented from the hotel pool to the elevators to the ground floor shops and restaurants.
Remember that a hostel or boarding house also keeps credit card statements and requires valid government-issued identification papers to rent rooms to guests (often in compliance with local municipal rules), so the hotel can start building a personal file on each guest right away. If a guest succumbs to the siren call of hotel rewards programs, then the company has even more data about her, and a special database of marketing material to use with it. Hotel rewards programs track guests on the Internet across devices and websites, and they track personal activity from city to city, sharing with airlines and other travel businesses and publishers. Their role is to build a profile of each guest with as much information as possible, all for the prospect of a free night’s stay at some future date.
But a more intrusive future is easy to imagine, using tools available today. If you checked into a hotel and the hotel has a file on you, either through their rewards program or simply through collecting your data from previous stays or affiliated hotels, then the company can track you around its property and beyond through facial recognition or your smartphone or Fitbit. And if you decided to entertain your boss’s spouse in your hotel room, the hotel would be able to track the boss’s spouse through the same means and identify that person from previous stays or from earlier check-ins at affiliated hotels. Suddenly your hotel file has a new notation – the name of your guest, who never gave a name to the staff on this visit.
I do not know of any hotels taking this step of identifying visitors to your room right now, but the technology clearly exists to do so. The days of checking in as “Mr. and Mrs. Smith” are long gone as the reasonable expectation of privacy no longer applies in the hotel business.
Hotel guests are also vulnerable to intrusion from outside parties, so the vast array of information collected from guests will not necessarily remain within the control of the hotel’s owner. This information, whether electronic web surfing, payment data or location-based tracking, can easily make its way into government hands, either through process of law or otherwise, or it can be taken by hackers for their own nefarious purposes or for sale on deep web information markets.
Governments in the West, like the U.S. or Canada, may request hotel data by subpoena, and some local ordinances, like those in Los Angeles, force hotel owners to demand valid identification for each check-in and to provide guest data to police whenever requested. In some countries, government agencies use hotels to conduct surveillance on international guests. Travel logs are rife with stories from China, Russia and many other countries where hotels are used as information gathering tools so that local governments can build dossiers on foreign visitors. Never bring your work laptop or smartphone to one of these countries where the hotels and airports are used to infiltrate business and government computing devices.
While data breaches have occurred in a number of other sectors, the hotel and hospitality industry remains particularly vulnerable to such attacks. The 21st Century hotel is marked by deep intrusions into customer privacy in the names of security and better service. For example:
In November 2015, Starwood Hotels & Resorts Worldwide announced that customer credit card data had been compromised at 54 hotels operating under the Westin, Sheraton and W brand names. The data breach occurred as the result of a malware infection of the hotels’ point-of-sale systems.
Later that month, Hilton announced that a number of its properties had been infected by similar malware attacks. Once again, customer payment card information had been affected.
In December 2015, Hyatt suffered a similar payment card data breach at numerous restaurants, spas, parking lots and other points of sale.
Similar data breaches took place in 2015 at Trump Hotel Collection, White Lodging Hotel Service Corp., and Mandarin Oriental Hotel Group properties.
This list is a small sample of the breaches, public and private, known and unknown, that occur regularly in the travel industry. Willie Sutton robbed banks because “that’s where the money is.” Today’s hackers steal from hotel systems because that’s where tons of personal and payment data reside.
There are at least some indications that customers and federal enforcement agencies are pushing back against hotels in the collection of personal data.
The FCC recently levied a $600,000 civil penalty against Marriott for disabling Wi-Fi at the Gaylord Opryland hotel and convention center in Nashville. Following a complaint and an investigation, the FCC ruled that the Marriott-managed facility unlawfully disabled wireless hot-spot networks created by guests.
Because the hot-spots were disabled, customers had to pay to use the hotel’s Internet service. But the FCC ruled that such actions were in violation of the law. The FCC’s Enforcement Bureau also issued a public advisory warning that “Wi-Fi Blocking is Prohibited.”
The FCC Advisory states, “The Enforcement Bureau has seen a disturbing trend in which hotels and other commercial establishments block wireless consumers from using their own personal Wi-Fi hot spots on the commercial establishment’s premises. As a result, the Bureau is protecting consumers by aggressively investigating and acting against such unlawful intentional interference.”
In addition, the FCC wrote, “No hotel, convention center, or other commercial establishment or the network operator providing services at such establishments may intentionally block or disrupt personal Wi-Fi hot spots on such premises, including as part of an effort to force consumers to purchase access to the property owner’s Wi-Fi network. Such action is illegal and violations could lead to the assessment of substantial monetary penalties.”
Companies in the hospitality industry should take the FCC’s warning at face value. With the Marriott penalty, federal regulators have made it clear they take the issue of Wi-Fi blocking seriously. From the consumer’s standpoint, assume that any information shared over a hotel server may be compromised, be aware that your smartphone may be tracked by hotel hot-spots, and keep close tabs on credit card accounts after staying at a hotel to make sure that account hasn’t been hacked.
The innkeeper’s place in our society has changed over time, and the new age of big data may lead to the biggest changes of all.
Ted Claypoole leads Womble Carlyle’s IP Transaction Team and its Privacy and Data Protection Industry Team. He currently serves as Chair of the American Bar Association’s Cyberspace Law Committee in the Business Law Section, and has recently co-authored the books Privacy in the Age of Big Data: Recognizing Threats, Defending Your Rights and Protecting Your Family and Protecting Your Internet Identity: Are You Naked Online? with former White House CIO Theresa Payton.