Apparently "The Points Guy" web site has an app that allows you to consolidate viewing of your airline data across airlines, by logging into multiple airlines concurrently on the single app. American doesn't like this.

https://www.theverge.com/2022/1/21/2289 ... -copyright

Not sure why this ought to be a problem as this is done on the web in many other ways, too with other businesses.

Honestly, I'm on AA's side on this.

1) As a "tech guy" I do not like the fact that they are storing user's credentials for other sites in their system. In order for that to work, the passwords have to be stored in a manor where they necessarily can be decrypted so they can be used to log into the AA (and other airline's site). That is a huge IT security risk. For those not in the know - a good system you log into stores the password in a manor that it can't be easily recovered - essentially a one way encryption. When you log into the site it can encrypt the password the same way as the copy on their server to compare them. For TPG to log in, it has to decrypt it so it can't store it that way.

2) As much as it may seem like a nice to have service for some folks they are pretty clearly using AA's data in a manor that AA's terms to not allow. They also were clearly told by AA that they do not agree to them accessing their system in this manor, yet they went forward with it anyway. Like it or not, companies do not have to provide/allow access to their data by other businesses. if users were putting in their info on their own that may be one thing - but once you move onto a system like this - not a lot of companies are gonna be happy.

Google will store your credentials for absolutely everything, Facebook is how many people log in to all of their apps, this doesn’t seem very atypical.

WkndWanderer wrote:

Google will store your credentials for absolutely everything, Facebook is how many people log in to all of their apps, this doesn’t seem very atypical.

So, you’re not in IT and, obviously, don’t understand the issue?

Besides the fact of 3rd party accessing AA IT systems without consent and without appropriate established protocols, AA also claims TPG using AA brand and trademarks for its own gain and ignores AA's intellectual property.

Personally, I would not share my credentials with a 3rd party, when the same info can easily be accessed directly.

Also for the record, this is not the first travel site that has been stopped from profiting off access to AA and member data in recent times.

WkndWanderer wrote:

Google will store your credentials for absolutely everything, Facebook is how many people log in to all of their apps, this doesn’t seem very atypical.

When you are using Google or Facebook to log into things - you are actually logging in to Google or Facebook via and API that the site can access - they're not storing the local site's credentials.

When you use a password manager in a browser - even if the data is uploaded to the "cloud" - google (with chrome) or others can't actually decrypt your password - that only happens locally on your own phone/computer.

The issue here is the ability to actually decyrypt your password exists on TPGs servers - meaning if a bad actor gets in - they could potentially ave access to all these user credentials.

How is this different from financial websites that gather your 401(k) and other retirement and savings info into one site for planning purposes? The account owner has to share their individual login info to each site.

I'm in tech, though I don't get into the legal side of things often. Seems like the copyright violation has a basis. But is the AA system so "open" that it can be logged into without having to go in via an API?

* API is a means by which two systems communicate with each other. No communication occurs unless the system receiving the request for information through the API actually ALLOWS the connection to be made. (Very oversimplified but I realize many here never heard of "an API" before).

Good for AA.

RTWin10 wrote:

How is this different from financial websites that gather your 401(k) and other retirement and savings info into one site for planning purposes? The account owner has to share their individual login info to each site.

Not sure what website you speaking about, however, such sites would have approval and back-end interfaces to function securely.

As the lawsuit states, TPG does not have such integration with AA and collects member data storing their credentials with who knows what security and what else they do with the info. Also sharing and using such data by 3rd parties is against both AA.com and AAdvantage rules.

Additionally as mentioned prior, TPG benefits from this and uses both AA trademarks and IP without authorization for its own financial gain

@zuckie13,

You mean "manner", not "manor". A manor is a large residential building like the one Bruce Wayne resides in.

zuckie13 wrote:

1) As a "tech guy" I do not like the fact that they are storing user's credentials for other sites in their system. In order for that to work, the passwords have to be stored in a manor where they necessarily can be decrypted so they can be used to log into the AA (and other airline's site).

Why does it need to be stored on the site, why couldn’t that all be done within the app on the users own device. Many apps stope website data and passwords for users.

LAXintl wrote:

Besides the fact of 3rd party accessing AA IT systems without consent and without appropriate established protocols, AA also claims TPG using AA brand and trademarks for its own gain and ignores AA's intellectual property.

Sounds like the lawyers didn’t get far with the Delta use of fkagship so they are drumming up work elsewhere.

DUSdude wrote:

@zuckie13,

You mean "manner", not "manor". A manor is a large residential building like the one Bruce Wayne resides in.

Bruce moved into an aged care facility some time ago.

The article is somewhat misleading. The parent company for TPG actually sued AA first to stop them from denying access (it is currently allowed). AA countersued in response.

zuckie13 wrote:

When you use a password manager in a browser - even if the data is uploaded to the "cloud" - google (with chrome) or others can't actually decrypt your password - that only happens locally on your own phone/computer.

That's mostly false, passwords stored on the cloud almost always can be decrypted by the cloud providers. Some have stricter security possibilities, there the key to decrypt is not stored, but that is almost never used option because that way you lose cloud backup if you lose that decryption key. That is not acceptable for most people.
For this scrapping issue there must have been some precedents set already.
I only remember Ryanair which tried to sue somebody and lost for scrapping prices. But that is public information and not password protected and also in EU, so hardly relevant

LAXintl wrote:

Also for the record, this is not the first travel site that has been stopped from profiting off access to AA and member data in recent times.

IMHO, that's really AA's beef. AA doesn't want TPG to suggest individualized strategies to maximize value, like accruing miles in programs other than AA, or max-value miles redemptions. All the rest of it just fluffs up the suit, although asserting improper use of AA trademarks is likely to give them at least a partial win.

zeke wrote:

zuckie13 wrote:

1) As a "tech guy" I do not like the fact that they are storing user's credentials for other sites in their system. In order for that to work, the passwords have to be stored in a manor where they necessarily can be decrypted so they can be used to log into the AA (and other airline's site).

Why does it need to be stored on the site, why couldn’t that all be done within the app on the users own device. Many apps stope website data and passwords for users.

LAXintl wrote:

Besides the fact of 3rd party accessing AA IT systems without consent and without appropriate established protocols, AA also claims TPG using AA brand and trademarks for its own gain and ignores AA's intellectual property.

Sounds like the lawyers didn’t get far with the Delta use of fkagship so they are drumming up work elsewhere.

It's going to their site because it's their site that's doing the access of the AA site. You give TPG your credentials that are sent to TPG's sever so it can log into the AA site to pull your points info.

miegapele wrote:

zuckie13 wrote:

When you use a password manager in a browser - even if the data is uploaded to the "cloud" - google (with chrome) or others can't actually decrypt your password - that only happens locally on your own phone/computer.

That's mostly false, passwords stored on the cloud almost always can be decrypted by the cloud providers. Some have stricter security possibilities, there the key to decrypt is not stored, but that is almost never used option because that way you lose cloud backup if you lose that decryption key. That is not acceptable for most people.
For this scrapping issue there must have been some precedents set already.
I only remember Ryanair which tried to sue somebody and lost for scrapping prices. But that is public information and not password protected and also in EU, so hardly relevant

I disagree with you on password storage - but this is the wrong forum for that argument.

The big difference here vs scraping fares is like you said, the points info is not public info. The main argument in the lawsuit is the terms their are accepted by login basically don't allow use of the account info or data by someone other than the actual AA customer. That's AA's alleged gotcha here.

Brickell305 wrote:

The article is somewhat misleading. The parent company for TPG actually sued AA first to stop them from denying access (it is currently allowed). AA countersued in response.

The full sequence appears to have been:

1) TPG reached out to AA they want to set up an agreement/access for getting this points info info from AA.
2) AA considered, and decided no.
3) TPG decides to do it on their own anyway and then files a lawsuit in Delaware asking for a ruling to allow them to use this data.
4) AA files this lawsuit in Texas to stop TPG - because they argue that the terms of service for accessing their system requires disputes to be filed in this Texas jurisdiction.

zuckie13 wrote:

It's going to their site because it's their site that's doing the access of the AA site. You give TPG your credentials that are sent to TPG's sever so it can log into the AA site to pull your points info.

Nothing stopping your device connecting to the AA site and your device updating TPG. It does not need to be done server side.

MIflyer12 wrote:

IMHO, that's really AA's beef. AA doesn't want TPG to suggest individualized strategies to maximize value, like accruing miles in programs other than AA, or max-value miles redemptions. All the rest of it just fluffs up the suit, although asserting improper use of AA trademarks is likely to give them at least a partial win.

Nothing stops TPG or any other business from helping you accrue or spend miles. But they certainly don't need your AAdvantage account credentials to do it.

zeke wrote:

zuckie13 wrote:

It's going to their site because it's their site that's doing the access of the AA site. You give TPG your credentials that are sent to TPG's sever so it can log into the AA site to pull your points info.

Nothing stopping your device connecting to the AA site and your device updating TPG. It does not need to be done server side.

Maybe not, but that's not how they implemented it according to the lawsuit - AA recorded tons of connection from the same set of IP addresses belonging to TPG.

zuckie13 wrote:

zeke wrote:

zuckie13 wrote:

It's going to their site because it's their site that's doing the access of the AA site. You give TPG your credentials that are sent to TPG's sever so it can log into the AA site to pull your points info.

Nothing stopping your device connecting to the AA site and your device updating TPG. It does not need to be done server side.

Maybe not, but that's not how they implemented it according to the lawsuit - AA recorded tons of connection from the same set of IP addresses belonging to TPG.

It should be technically trivial for AA to block those connections and render the TPG app useless. So that is not a very smart design of the TPG app. They should implement the app so that it is indistinguishable from a browser running on the user's device.

WN has successfully sued apps on multiple occasions for very similar issues.