
JOURNAL OF EURO ASIA TOURISM STUDIES

VOLUME I – December 2019

Data Security as the Basis for the Operation of Online Travel Platforms on the Example of Platforms Dedicated to Nautical Tourism: Cyber Analysis and Geographical Impacts

Introduction

The Internet has completely changed the face of commercial activity. Almost 4.2 billion people worldwide currently use the Internet (Kemp, 2018). Moreover, the quantity and the quality of connections have been amplified by the use of social networks, where almost 3.2 billion people use Facebook, YouTube, WhatsApp, Instagram or Twitter (Kulik, 2018). The magnitude of the phenomenon has changed our semantic relationship with cyberspace. In fact, whereas only a few years ago we used to draw a distinction between our life online and offline, now we may adopt the neologism onlife “to refer to the new experience of a hyperconnected reality within which it is no longer sensible to ask whether one may be online or offline” (Floridi, 2015, p. 1). Hence, the global network and new information and communication technologies have become an inseparable element of the dynamically developing modern market (Smul, 2013).

Being hyperconnected entails a new understanding of our spatial dimension. With the rise of the network society (Castells, 1996), telecommunications has not rendered geography meaningless. On the contrary, the use of spatial terms confirms the spatialization of the Internet (Kellerman, 2007). Cyberspace has been seen as a geographic metaphor (Graham, 2013), in which cyberspace often reflects the geoeconomic space (Warf, 2013). In this space, we can trace borders linked to economic or informational influence. In this context, websites in all their forms (applications, platforms, social media) are cyber-geographical areas where the intersection of personal data, virtual commerce, social relations, and knowledge occurs. With over 1.94 billion websites running all over the world (Vpnmentor, 2018) and 7.59 billion people worldwide in 2018[1], there is almost one website for every four inhabitants of the planet.

As in physical space, having more choices may paralyze the decision-making process (Iyengar and Lepper, 2000), and in cyberspace such a great number of websites hinders companies’ ability to reach customers who are flooded with hundreds of offers. Therefore, for consumers it is necessary to sort and filter information so that it can be used in the purchase decision (Smul, 2013). Online platforms facilitate this task; consequently, they have become tools used by customers to simplify decision-making. One basis for using Internet platforms is adequate data security, which safeguards the security of transactions and builds the trust of customers.

The main aim of this study was to assess the cyber-security level of Internet platforms dedicated to nautical tourism, in which these tools are just now becoming popular. The popularity of nautical tourism, and in particular sailing, has been increasing in recent years, but the use of Internet platforms to serve the needs of this form of tourism is not yet very common. It was, therefore, considered a good time to analyse the content of these platforms and identify particular data in need of protection. The ways in which platforms function and their level of security will influence the possible popularity or stagnation of these platforms in the near future (as in the case of many other forms of tourism).

The research questions in this study focused on two basic and readily accessible elements of the platforms: secure transactions and data protection compliance with European regulations. The specific questions driving the research were as follows:

  • Does the platform use a secure connection for payments?
  • Are personal data protected in compliance with European regulations?

 

In order to achieve the study’s objective, a multidisciplinary and multilevel case-study approach was used to conduct an exploratory inductive content analysis. The subject matter is important due to the fact that nautical tourism and Internet platforms dedicated to sailing have been rarely mentioned by researchers; therefore, this study fills a theoretical gap in the existing literature.

Internet platforms and cybersecurity in tourism: theoretical background

Every day, new Information & Communication Technology (ICT) solutions are developed; therefore, tour operators have no choice but to use them (Rajs, 2008). The result is that Internet platforms are widely used in the tourism industry, which, more than many other types of activities, begins and ends with information (Nalazek, Moskała, Błaszczuk, Łopaciński, & Sikora, 2003). Online tourist platforms are quite popular, and there is great diversity among them. These platforms include social networks such as LonelyPlanet as well as transaction and booking platforms such as Booking.com or Trivago (Gössling and Lane, 2015; Xiang, Du, Ma & Fan, 2017). Most of these sites are also available in the form of mobile applications so as to facilitate the online offers presented (Rodriguez-Sanchez, Martinez-Romo, Borromeo & Hernandez-Tamames, 2013). The use of platforms offers many benefits both to the providers of tourist services and to the tourists themselves. Among the benefits to providers are ease of entrance into the market, broad promotion of market offers, and general credibility. In addition, other benefits include the opportunity to improve the quality of services, thanks to feedback from customers posted online and a reduction of ICT expenditures of individual providers. This reduction originates due to outsourced ICT support for the online platform. Tourists, in turn, appreciate the use of platforms because they offer easy access to many offers in one place. This feature gives the consumer the opportunity to compare offers, access information quickly (e.g., information about public transport, tourist and cultural attractions, and medical services). Likewise, tourists have the ability to make online payments, find information about sellers (which minimises transaction risk), and learn the opinions of other users.

As suggested by Buhalis (2008), many studies on eTourism have explored the importance of web-based travel information systems. There is, however, still relatively little literature that is concerned with online tools for nautical tourism (Benevolo & Spinelli, 2018a, 2018b). Nonetheless, this phenomenon in the nautical tourism market is of particular interest for three main reasons. First, the development of nautical tourism is strategically relevant inside the European Community (European Commission, 2017). Second, according to the European Commission (2016b, p. 3), nautical tourism is “an important subset of coastal and maritime tourism, generating annual revenues of between €20 and €28 billion per year and employing between 200,000 and 234,000 people”[2], and regularly involving 36 million persons in boating activities. Third, according to some studies, the nautical tourism industry is relatively immature and its operators are still not “fully exploiting their websites” (Benevolo & Spinelli, 2018b, p. 60). From this perspective and according to the authors’ previous studies (Balata et al., 2019; Łapko, 2019), an exploratory case-study on sailing web platforms was undertaken to gain a detailed understanding of the phenomenon.

Earlier research has established that trust is an element of competitiveness in e-commerce and eTourism (McKnight, Choudhury & Kacmar, 2002; Munar & Jacobsen, 2013). Additionally, it has been observed that cybersecurity plays a crucial role in the competitiveness of tourism destinations because it helps to build trust (Magliulo, 2016; Panai, 2018). Cybersecurity is usually defined as “the range of information technology processes intended to protect data being transmitted over the Internet, and to combat the threat of the installation of malware programs” (European Commission, 2016a, p. 4) or “the preservation of confidentiality, integrity and availability of information in cyberspace” (ISO, 2012, § 4.20).

In fact, the basis for using platforms on both sides is trust. Consequently, providers and tourists alike must be sure that the data and information they provide are safe. Indeed, stolen personal data can be used for identity theft in a direct cyber-attack when the target is the owner of the personal data (as in identity fraud, fraudulent tax returns, fraudulent loan applications, counterfeit cards, fraud in bill payments, fraudulent money transfers, the use of information for blackmail or extortion, hacktivism, fraudulent insurance claims, fraudulent medical prescriptions, fraudulent online purchases, etc.) or in indirect cyber-attacks when the targets are professional entities (spear phishing attacks, wire and CEO fraud, etc.), business contacts (spear phishing attacks, etc.), personal contacts (advance-fee scams, spear phishing attacks, fake antivirus) or third-party external entities (spam, indirect cyber-attacks, etc.).

However, besides the important economic and competitive factors, trustfulness is also based “upon an underlying assumption of a moral duty with a strong ethical component” (Hosmer, 1995, p. 381). In this context, privacy is one of the public values most often mentioned by Information Ethics (IE) philosophers (Floridi, 2005; Ess & Thorseth, 2012). According to Brey (2012), public values like privacy can be easily understood by everybody, in which case they are referred to as being morally transparent; alternatively, public values may be hidden and impenetrable, in which case they are referred to as morally opaque. In this study, we selected two elements or moral agents that can influence trust: secure e-commerce transactions (as the morally transparent element) and cookies and trackers used in browsing tracking (as the morally opaque element).

In the first case, the correlation between trust and secure e-commerce transactions is transparent because the public cannot trust a system which makes their financial assets vulnerable. In this case, it was enough to verify that the level of security of the transactions respected the e-commerce standards for transaction. As a matter of fact, a non-secure transaction has technical consequences related to vulnerabilities (Rane & Meshram, 2015) and behavioral consequences related to the design of invalid certificate warnings (Sunshine, Egelman, Almuhimedi, Atri, & Cranor, 2009).

In the second case, the relationship between trust and browsing tracking is more opaque because the public may not clearly see how navigating amongst websites could impact their privacy. Using an interdisciplinary disclosive computer ethics approach (Brey 2000) in this case, the study highlights the relevance of third-party cookies (Ermakova, Hohensee, Orlamünde & Fabian, 2017; Roesner, Kohno & Wetherall, 2012). The importance of this subject has been brought to light by the European Community, which introduced a General Data Protection Regulation (GDPR) that went into effect on 25 May 2018. The GDPR’s requirements for consent to the use of cookies or trackers were enforced by a lex specialis: the ePrivacy Regulation (ePR). Therefore, when investigating the behaviour of cookies and trackers, the present study sought to verify compliance with the EU regulations.

This exploratory analysis was initially inspired by the security component of the SMAS (Social, Mobile, Analytics & Security) model proposed by Camerada (2018), but an original multidisciplinary and multilevel case-study approach was adopted to capture the complexities of the phenomenon. In fact, while a number of techniques have been developed to evaluate websites for the purpose of considering their level of usability (Fernandez, Insfran & Abrahão, 2011), cybersecurity (Hong and Kim, 2004) or quality of web communication (Benevolo & Spinelli, 2018a), it appears that no studies have been conducted that investigate the importance of data protection in sailing-related web platforms.

The present study found that the cybersecurity practices of the platforms for nautical tourism respect most of the best practices for transactions but still lack adequate protections of personal data as required by European regulations. Consequently, greater effort needs to be made for these platforms to become compliant with the European regulations on data protection and privacy for all citizens of the European Union. This study also highlights some rather interesting geographical and geopolitical observations that emerged from the data.

Methods

The present research used a convenience sample of four sailing platforms operating in Europe (although the headquarters location may have been outside Europe). A small sample was chosen because of the expected difficulty in obtaining qualitative information in a reduced amount of time. Thus, four case studies were carried out using an inductive content analysis of the data collected in order to identify factors that affect the trustworthiness (Elo et al., 2014) of the platforms. The use of qualitative case studies is a well-established approach in exploratory studies. Hence, a comparative case study approach was adopted to allow deeper insight into the phenomenon. As in previous studies on cybersecurity awareness (Blythe, 2013), this research investigated the phenomenon by monitoring and analysing the real environment. The aim was not to indicate causation directly but, instead, correlation and analysis sufficient to lead to a causal conclusion (Sagarin & Pauchard, 2010). The inductive process was chosen because, according to Edgar and Manz (2017, p. 97), “inductive reasoning is intrinsically uncertain”, nevertheless “this uncertainty fits in very well with the complex cyber domain”.

In order to answer the previously stated research questions, the following steps were taken:

  • Definition of criteria and selection of the platforms
  • Heuristic screening of the content and features of the websites, and consequent qualitative analysis
  • Assessment of the secure transaction protocol
  • Risk analysis of cookies and geographical analysis of trackers
  • Compliance with EU regulations (GDPR and ePR)

 

The data were collected between January 1 and April 10, 2019, using Google Search (google.com) to shortlist the platforms, SSL Shopper (sslshopper.com) to investigate the status of the website domain validation certificates, and GDPR cookie scan (gdprcookiescan.eu) to study the degree of risk of first- and third-party cookies.

Definition of criteria and selection

For the purpose of the study, four Internet platforms or websites that can be used by people planning sailing cruises were analysed. The study selected those that offer cruises in at least several countries. Several platforms were shortlisted using Google Search, still the most widely used web search engine as of October 2019, accounting for 87.96% of the global search market[3].

Criteria for selecting the subjects were as follows:

  • Keywords
  • Location of the search

 

To find the platforms in the search engine, the following keywords were entered: sailing tourism platform, the best marinas, attractions for sailors, sailing destinations, for sailors, berth booking. The keywords were proposed by 16 participants in an international course for marina operators and staff that was organised by Maritime University of Szczecin. The reader should bear in mind that the study is based on the results obtained through the Google search engine geo-localised in Szczecin, Poland. In fact, there is a growing body of literature that recognises the importance of geographic location in personalising search engine results (Hannák et al., 2013; Andrade & Silva, 2006; Yu & Cai, 2007).

In each instance, the results found only on the first page of the search engine were checked. As a result of this approach, four platforms were identified. However, with a small sample size, caution must be applied, as the findings might present a confidentiality concern. For privacy reasons, therefore, we cannot provide actual names and will refer to the four platforms simply as alpha, beta, gamma and delta.

 

Heuristic screening and data collection

Each of the four platforms was explored in order to collect general information, languages used, and particular features of the internal search engine. The first step in this process was to conduct a qualitative investigation by experts. Then, all data were reorganised and structured as shown in Table 5 (Spoken Languages), Table 6 (Search Engine Features), Table 7 (Communications Tools) and Table 8 (E-Commerce). These data were necessary in order to gain a better understanding of each platform. The second step of this study was to develop a better understanding of cyber vulnerability in public content.

The following is a brief description of each platform.

 

Alpha platform

This platform contains a comprehensive offer for people who want to rent a yacht and take a cruise in one of the regions mentioned above. The site search engine includes such filters as the following: type of boat, sailing destination, date of charter, charter duration, number of cabins, type of mainsail, length of the yacht, equipment, brand, year built, and range of prices. Those interested may also take advantage of the yacht ownership program, which involves paying 55%-60% of the yacht’s value, allowing the buyer to use the yacht for a few weeks each year for five-six consecutive years, while for the other weeks of each year, the yacht is rented out through the alpha platform and part of the rental income is passed on to the owner. After this time, the yacht can be bought or sold. In addition, the platform contains information on individual destinations with sample routes. Another unique offer is a route planner containing a tool that provides the measurement of distances between selected ports. Interested individuals can make reservations and online payments through the platform. Cruise insurance is also available. Users of the platform have the option of contacting employees in a variety of ways via the online contact centre. Contact can be made by e-mail, phone call (or users may request a call), or Skype. In addition, the platform contains comprehensive descriptions of applicable procedures (booking steps, the process for yacht chartering in various countries, needed licences, etc.) and instructional videos. Users are not allowed to post comments. The basic features of the Alpha platform are shown in Table 1.

Table 1: Alpha Platform Information

| Platform | Alpha |
| --- | --- |
| Headquarters | Croatia |
| Offerings | yacht charters, yacht ownership program |
| Languages | EN, DE, IT, ES, FR, CZ, SK, HU, PL, SE, RU, and HR |
| Countries concerned | Mediterranean countries, Caribbean, Seychelles, and Thailand |

 

Beta platform

This platform is intended for people who want to charter a yacht. The search engine includes filters such as sailing destination, date of charter, number of guests, type of boat, number of cabins, length of the yacht, year built, and range of prices. In addition to charter offers, the platform includes guides for sailors in individual regions, guides on sailing cuisine, culture, customs and events, among others. Users can book a yacht and make an online payment as well as purchase cruise insurance. The platform provides 24-hour contact with consultants via e-mail or telephone. Users are asked to post comments and rate the quality of the platform (using a third-party system, namely TrustScore[4]) on the home page. The basic features of the Beta platform are shown in Table 2.

 

Table 2: Beta Platform Information

| Platform | Beta |
| --- | --- |
| Headquarters | Germany |
| Offerings | yacht charters |
| Languages | EN, DE, IT, and NL |
| Countries concerned | Croatia, Greece, Spain, Virgin Islands, Turkey, France, and Italy |

 

Gamma platform

The countries and regions concerned include Mediterranean countries, the Caribbean, Seychelles, Thailand, Tahiti, Tonga, and the Bahamas. This platform is intended for people who want to charter a yacht for groups of up to 12 people. Customers can choose from a custom fleet of spacious catamarans and classic monohulls with the option of independent sailing or the hiring of a licensed captain and crew. The site search engine contains filters such as sailing destination, date of departure, number of nights, and number of passengers. In addition, under the Sailing Charters tab, there are other filters such as yacht length, number of cabins, and maximum berths. Users can book a yacht and make online payments as well as purchase cruise insurance. The platform allows the consultants to be contacted by e-mail, by phone, via Chat Online (Mon-Fri: 8:00 a.m.-8:00 p.m. ET and Sat-Sun: 10:00 a.m.-4:00 p.m. ET) or by using the contact form (i.e., requesting a call). The platform also runs a blog, in which there are categories such as best of, destinations, events and regattas, food and drink, news, things to do, and yachts. Consumers can also ask questions via the blog in the category you asked and read the answers to frequently asked questions in the category we answered. Interested persons can subscribe to the e-Newsletter and order an information brochure for the current season. The basic features of the Gamma platform are shown in Table 3.

 

Table 3: Gamma Platform Information

| Platform | Gamma |
| --- | --- |
| Headquarters | Florida, US |
| Offerings | Large group sailing charter |
| Languages | EN, ES, and PT |
| Countries concerned | Antigua, Bahamas, Belize, British Virgin Islands, Croatia, Greece, Grenada, Italy, Martinique, Puerto Rico, Seychelles, Spain, St. Lucia, St. Martin, St. Thomas, Tahiti, Thailand, Tonga |

 

Delta platform

Delta platform is an online booking platform for mooring locations that connects boat owners, travellers, and charterers with marinas around the world. Sailing enthusiasts can find accurate and useful information about the main attractions both in marinas and in the region. Owners of marinas can present their facilities here and provide detailed information about what makes their ports unique. The search engine includes filters such as “where do you want to go?” and “check in and check out”. After filling out the necessary information, the interested person is redirected to the site, where offers are proposed by the platform and can be sorted by price, location, length, and age. Later, the user can refine their expectations with filters such as boat type, cabin price per day (EUR), length, number of guests, cabins, berths, and age of the boat. The platform includes the following: a reservation management system that allows captains and charterers to manage reservations and obtain accurate information in less than 24 hours; the possibility of booking additional marina facilities, such as hotel accommodations, swimming pools, assistance in mooring, Wi-Fi, lift, parking, washing services, among others; customer opinions that assist other travellers and sailors in choosing recommended ports and travel destinations; an immediate booking confirmation by e-mail and SMS; and a secure and trusted payment system. The platform also runs a blog, which includes categories such as Marina Guides, News, Events, Interviews, and How To (containing useful information for sailors). Other areas in the blog include Across the 7 seas (with information on sailing conditions in the given water area) and best marinas (with information about individual marinas in a given region). The basic features of the Delta platform are shown in Table 4.

 

Table 4: Delta Platform Information

| Platform | Delta |
| --- | --- |
| Headquarters | Romania |
| Offerings | booking for mooring places |
| Languages | EN, ES, FR, and IT |
| Countries concerned | Mediterranean countries |

 

A comparative benchmarking of essential features

Table 5, Table 6, Table 7, and Table 8 summarize the basic features of the analysed platforms to facilitate their comparison.

Table 5 shows that all platforms have several available language versions, which suggests that their intention is to reach a wide audience. The most popular is the English version, followed by the Spanish and Italian versions.

Table 5: Spoken Languages

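| Languages | ISO 3166-1 | ISO 639-1 | alpha | beta | gamma | delta |
| --- | --- | --- | --- | --- | --- | --- |
| Czech | CZ | CS | yes | | | |
| German | DE | DE | yes | yes | | |
| English | EN | EN | yes | yes | yes | yes |
| Spanish, Castilian | ES | ES | yes | | yes | yes |
| French | FR | FR | yes | | | yes |
| Croatian | HR | HR | yes | | | |
| Hungarian | HU | HU | yes | | | |
| Italian | IT | IT | yes | yes | | yes |
| Dutch, Flemish | NL | NL | | yes | | |
| Polish | PL | PL | yes | | | |
| Portuguese | PT | PT | | | yes | |
| Russian | RU | RU | yes | | | |
| Swedish | SE | SV | yes | | | |
| Slovak | SK | SK | yes | | | |
| Others | | | | | | |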

 

Table 6 shows that the internal search engine features related to booking tools in the various platforms allow those interested in charters to search for a yacht according to a wide range of criteria. Only two of the analysed platforms, however, offer the ability to book a quay (berths).

 

Table 6: Search Engine Features

Search Engine alpha beta gamma delta
Type of boat yes yes yes
Sailing destination yes yes yes
Date of charter yes yes yes
Charter duration/number of nights yes yes
Number of cabins yes yes yes yes
Number of guests yes yes yes
Type of mainsail yes
Length of the yacht yes yes yes
Equipment yes
Brand yes
Year built/boat’s age yes yes yes
Range of prices yes yes
Berths (book a quay) yes yes

 

Table 7 compares the communication tools available on each site. Given that the availability of appropriate information is fundamental to the purchasing process, in addition to accurate descriptions, platforms usually give tourists the opportunity to contact the service through a variety of tools, whether online (e.g., e-mail or Skype) or traditional (telephone).

Table 7: Communications Tools

Contact/Community alpha beta gamma delta
Online chats yes yes
E-mail/contact form yes yes yes yes
Phone call yes yes yes yes
Skype yes
Community/comments yes yes yes

 

Table 8 shows that customers also have the ability to pay for booked services or yachts using the online payment tools available on each analysed platform. Nevertheless, one platform did not offer cruise insurance. The lack of this feature could negatively affect trust in the platform.

Table 8: E-Commerce

| E-Commerce | alpha | beta | gamma | delta |
| --- | --- | --- | --- | --- |
| Online payments | yes | yes | yes | yes |
| Cruise insurance | yes | yes | yes | no |

 

Indeed, such variety of services offered needs proper protection in order to reduce the risk of the theft of unsecured data.

 

Secure transaction

Customers buy only if they trust vendors. According to McKnight, Choudhury and Kacmar (2002, p. 334), “trust plays a central role in helping consumers overcome perceptions of risk and insecurity”. One way to build trust is to guarantee a minimum level of security during a transaction by using a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate and Hypertext Transfer Protocol Secure (HTTPS). An SSL/TLS certificate is a small data file that digitally binds a cryptographic key to the identity of a website and allows secure connections from a web server to a browser. Typically, SSL/TLS and HTTPS are used to secure credit card transactions, data transfer, and logins. Whereas an “SSL is designed to establish a secure connection between two computers, an S-HTTP is designed to send individual messages securely” (Tipton & Krause, 2001, vol. 2, p. 77). A correct SSL/TLS certificate reduces the risk of man-in-the-middle attacks by authenticating the server and encrypting all communications between the client and the server.

In order to verify the existence of secure connections on the sites in question, we used the tool SSL Shopper[5] to observe the status of each site's SSL/TLS certificate, as shown in Table 9, rows 1 and 2. We also tested whether a connection through HTTP (non-secured HyperText Transfer Protocol) was automatically redirected to HTTPS (secured HyperText Transfer Protocol), as shown in Table 9, row 3.

Table 9: Secure Transactions

| Indicator | Cybersecurity | alpha | beta | gamma | delta |
| --- | --- | --- | --- | --- | --- |
| SSL/TLS | Has a website domain validation certificate SSL or TLS? | yes | yes | yes | yes |
| VALID SSL/TLS | Has a website domain validation certificate SSL or TLS? | yes | yes | yes | yes |
| HTTPS Redirection | Does an automatic redirection to a secure protocol exist? | yes | yes | yes | yes |

 

We verified the duration of each SSL/TLS certificate, as shown in Table 10.

 

Table 10: SSL/TLS Duration (April 10, 2019)

| Platform | Validation | Days |
| --- | --- | --- |
| alpha platform | July 27, 2018, to October 1, 2019 | 431 |
| beta platform | January 23, 2019 to February 22, 2021 | 761 |
| gamma platform | March 4, 2019, to September 11, 2019 | 191 |
| delta platform | April 8, 2019 to April 8, 2021 | 731 |

 

The above tables present the answer to the first question: Do the websites secure the connection for payments?

Table 9 shows that every configuration parameter of the SSL/TLS protocol had been correctly set; hence, users would navigate those platforms without any invalid-certificate warning appearing on the screen.

Table 10 shows that there was no SSL/TLS certificate expiring within a short period of time; hence, this information contributes to trust in the platforms because there is an indication of long-term planning in managing SSL/TLS certificates. Indeed, according to an independent certification company, the dangers of SSL certificate expiration for an owner include “reduction in trust as the site becomes unsecure”.[6]

In sum, the overall results in regard to the first question can be considered quite positive.
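
The three indicators of Table 9 and the day counts of Table 10 can be recomputed from a recorded observation of a site. The following Python code is an added example, not the authors' tooling or SSL Shopper's code: the host name, the helper functions and the sample certificate are constructed for illustration, and only the validity dates are taken from the gamma row of Table 10. It assumes the certificate is supplied in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()` and that chain verification already happened during the TLS handshake.

```python
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def cert_time(value):
    """Parse the 'Mar  4 00:00:00 2019 GMT' form used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def host_matches(cert, host):
    """True if a DNS subjectAltName covers host (exact or one-label wildcard)."""
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        # "*.gamma.example" covers "www.gamma.example" but neither
        # "gamma.example" nor "a.b.gamma.example".
        if name.startswith("*.") and len(name) > 2 and host.partition(".")[2] == name[2:]:
            return True
    return False


def assess(host, cert, http_status, http_location, observed):
    """Return the Table 9 indicators and the Table 10 day counts for one site.

    cert          -- getpeercert()-style dict, or None if no certificate was served
    http_status   -- status code of the plain-HTTP request to the site
    http_location -- its Location header (None if absent)
    observed      -- timezone-aware datetime of the observation
    """
    target = urlsplit(http_location or "")
    result = {
        "ssl_tls": bool(cert),
        "valid": False,
        "https_redirect": http_status in REDIRECT_CODES and target.scheme == "https",
        "lifetime_days": None,
        "days_left": None,
    }
    if cert:
        start, end = cert_time(cert["notBefore"]), cert_time(cert["notAfter"])
        # A certificate outside its validity window, or one that does not name
        # the host, is what triggers the browser warning discussed above.
        result["valid"] = start <= observed <= end and host_matches(cert, host)
        result["lifetime_days"] = (end - start).days
        result["days_left"] = (end - observed).days
    return result


# Constructed sample: hypothetical host, validity dates from Table 10 (gamma).
OBSERVED = datetime(2019, 4, 10, tzinfo=timezone.utc)
GAMMA_CERT = {
    "notBefore": "Mar  4 00:00:00 2019 GMT",
    "notAfter": "Sep 11 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "gamma.example"), ("DNS", "*.gamma.example")),
}

if __name__ == "__main__":
    print(assess("www.gamma.example", GAMMA_CERT, 301,
                 "https://www.gamma.example/", OBSERVED))
```

The `days_left` value is the figure to monitor for renewal; `lifetime_days` corresponds to the Days column of Table 10.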

 

Cookies/trackers, GDPR and ePR compliance

In Europe, the ePrivacy Regulation[7] (ePR) and General Data Protection Regulation[8] (GDPR-EU 2016/679) protect personal data, which here means “any information relating to an identified or identifiable natural person” (Art. 4). The ePrivacy Regulation has been published to broaden the scope of the GDPR and to harmonize the different online privacy rules existing in the Member States of the European Union. The ePR takes into account all the definitions of the protection of privacy and data which have been introduced in the GDPR. Its role is to clarify and enhance the GDPR. In particular, the ePrivacy Regulation is a lex specialis focusing on unsolicited marketing, requirements for consent for cookies and trackers, and opt-outs.

Both regulations aim to build a shield around personal data, using a multifaceted approach; this has reshaped the way organisations across the EU region approach data privacy.

Using a disclosive computer ethics approach (Brey, 2000) that tries to make transparent opaque ethical issues in the information ethics field, the present study emphasizes the relevance of third-party cookies in a broader geoeconomic and geopolitical landscape.

According to the type of data we collected, this study investigates three factors:

  1. Compliance with the ePR: Does the website require explicit consent for other cookies that are not strictly necessary?
  2. Compliance with Article 30 of the GDPR: Does the website provide an opt-out option to block cookies and trackers for personal data?
  3. Compliance with Article 45 of the GDPR: Is the website sending personal data only to adequate countries?

To assess whether and how investigated platforms are compliant with these regulations, we measured information about cookies and trackers. As a rule, websites use cookies and trackers to collect users’ data.

A tracker (also known as a tracking pixel) is used to measure how often a page is viewed and from where. A tracker is embedded into a website (into its HTML code) so that each time a user loads the site, a pixel tag is loaded at the same time. This event triggers a request to the web server where the tracker is hosted. Consequently, the user’s IP address is logged on the server hosting the tracker.

On the other hand, a cookie is a small text file used to store session information on the user’s device. A website can write cookies directly to improve the experience of the user, or it can allow third-party companies to write cookies in exchange for free services. For example, in order to be able to use Google Analytics and have an advanced statistical tool monitoring the website at all times for free, the website’s owner allows Google to write its own cookies. While first-party cookies are used to improve interaction with users, third-party cookies and trackers are used for logging users’ behaviour.

In order to determine the existence of cookies, trackers and their connections with external servers, we used the tool GDPR cookie scan[9].

During the process, we collected detailed information about all trackers and cookies. A small sample is shown in Table 11 and Table 12.

For cookies, we saved the file name (e.g., __cfduid, MUIDB, AWSALB, _hjIncludedInSample, _omappvp, and others; a short example is provided in Table 11), the origin (website, Google, Facebook) and the type (first-party or third-party). There is no technical difference between first-party and third-party cookies, given that both collect similar pieces of information and can perform the same functions. The difference lies in who creates and who exploits those cookies. While first-party cookies are generated and stored by the website domain that users are visiting, third-party cookies are created by external services and used for cross-site tracking.

Our study focuses on cookies used for cross-site tracking because, as shown by Ermakova et al. (2017), combining data across sites may have a great impact on a user’s data privacy.

 

Table 11: Examples of Third-Party Cookies

| File name | Origin |
|---|---|
| __cfduid | .8digits.com |
| Dc | .abtasty.com |
| Loc | .addthis.com |
| MUID | .bing.com |
| __cfduid | .chatra.io |
| Uid | .criteo.com |
| _pinterest_ct_rt | .ct.pinterest.com |
| test_cookie | .doubleclick.net |
| Fr | .facebook.com |
| 1P_JAR | .google.com |
etc.

 

For trackers, we saved the function (Advertising, Analytics, Customer Interaction, Essential, Social Media, or Unclassified), the origin (Google, Facebook, Yandex, etc.), the status (i.e., whether the tracker was taken into account by an opt-out option), and where data were sent (USA, Ireland, Russia, etc.), as shown in Table 12.

 

Table 12: Examples of Trackers

| Category | Origin | GDPR | Adequate Country | Hosted |
|---|---|---|---|---|
| Advertising | Others | no | yes | France |
| Advertising | Facebook | no | yes | Ireland |
| Advertising | Google | no | yes | USA |
| Advertising | Microsoft | no | yes | USA |
| Advertising | Yandex | no | no | Russia |
| Analytics | Hotjar | no | yes | USA |
| Analytics | Tasty | no | yes | USA |
| Interaction | Zopim | no | yes | USA |
| Social | Facebook | no | yes | Ireland |
etc.

 

Only four trackers are related to undefined host countries. In these cases, we assumed that the data were sent to the country where the tracker’s company is located: 1) Criteo is an advertising company located in Paris, France. 2) AddThis is an advertising company located in Vienna, Virginia, USA. 3) Hubspot is an advertising company located in Cambridge, Massachusetts, USA. 4) New Relic is an analytics company located in Chicago, Illinois, USA.
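The cookie classification and the tracker tally described above can be reproduced on exported scan records. The following Python sketch is an added example, not code from the study or from the GDPR cookie scan tool; the host example-sailing.test, the sample records and the function names are constructed for illustration, and the adequacy flags are copied from Table 12 as the study recorded them. Unlike the study, which assigned undefined hosts to the company's country, the sketch reports them for manual review.

```python
from collections import Counter
from dataclasses import dataclass

SITE_HOST = "www.example-sailing.test"  # hypothetical platform host

# Constructed records in the shape of Table 11: (file name, cookie domain).
COOKIES = [
    ("session_id", "www.example-sailing.test"),
    ("lang", ".example-sailing.test"),
    ("test_cookie", ".doubleclick.net"),
    ("fr", ".facebook.com"),
    ("MUID", ".bing.com"),
]

@dataclass(frozen=True)
class Tracker:
    category: str
    origin: str
    opt_out: bool  # is the tracker covered by an opt-out option?
    hosted: str    # country the request is sent to ("" if undefined)

# Constructed records in the shape of Table 12.
TRACKERS = [
    Tracker("Advertising", "Google", False, "USA"),
    Tracker("Advertising", "Facebook", False, "Ireland"),
    Tracker("Advertising", "Yandex", False, "Russia"),
    Tracker("Analytics", "Hotjar", False, "USA"),
    Tracker("Unclassified", "Unknown", False, ""),
]

# Adequacy flags as the study recorded them in Table 12, not a current legal list.
ADEQUATE = {"France": True, "Ireland": True, "USA": True, "Russia": False}

def is_first_party(site_host, cookie_domain):
    """True when the visited host falls under the cookie's domain.

    Simplification: a full audit compares registrable domains using the
    Public Suffix List; this matches suffixes on label boundaries only.
    """
    site = site_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if not domain:
        return False
    return site == domain or site.endswith("." + domain)

def classify_cookies(site_host, cookies):
    """Count first- and third-party cookies; return the third-party ones."""
    counts = Counter()
    third_party = []
    for name, domain in cookies:
        if is_first_party(site_host, domain):
            counts["first-party"] += 1
        else:
            counts["third-party"] += 1
            third_party.append((name, domain))
    return counts, third_party

def audit_trackers(trackers, adequate):
    """Summarise destinations, missing opt-outs and non-adequate transfers."""
    destinations = Counter(t.hosted or "undefined" for t in trackers)
    total = sum(destinations.values())
    shares = {c: round(100 * n / total, 2) for c, n in destinations.items()}
    # Fail closed: an undefined or unlisted destination counts as not adequate
    # and is reported for manual review.
    flagged = [(t.origin, t.hosted or "undefined")
               for t in trackers if not adequate.get(t.hosted, False)]
    return {
        "shares": shares,
        "not_adequate": flagged,
        "opt_out_ok": all(t.opt_out for t in trackers),
        "transfers_ok": not flagged,
    }
```

Calling classify_cookies(SITE_HOST, COOKIES) and audit_trackers(TRACKERS, ADEQUATE) yields the per-type cookie counts and the destination shares in the same form as Tables 13 and 14.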

Table 13 shows where personal data are sent, confirming that the vast majority are sent outside the European community.

Table 13: Destinations of Personal Data

Destination alpha beta gamma delta TOT
France 1 1.47%
Ireland 5 5 5 5 29.41%
Netherlands 5 1.47%
Russia 4 5.88%
USA 9 14 14 5 61.76%

 

Finally, Table 14 shows the quantity of and types of cookies, and Table 15 presents the degree of risk posed by first- and third-party cookies according to the GDPR cookie scan algorithm. The level of risk is related to the data stored in the cookie; hence, a cookie is high risk for data breaches when it stores login information or other personal data.

Table 14: First- and Third-Party Cookies

| Cookies | alpha | beta | gamma | delta | TOT |
|---|---|---|---|---|---|
| First-party cookies | 19 | 15 | 33 | 7 | 53.2% |
| Third-party cookies | 16 | 20 | 21 | 8 | 46.8% |
| TOT | 35 | 35 | 54 | 15 | 100% |

 

Table 15: Cookies’ Level of Risk

| Cookies’ Risk | High | Medium | Unclassified |
|---|---|---|---|
| alpha platform | 5 | 3 | 18 |
| beta platform | 7 | 2 | 13 |
| gamma platform | 14 | 9 | 17 |
| delta platform | 5 | 3 | 4 |
| TOT | 31 | 17 | 52 |

 

Analysis in the context of established research questions

Notwithstanding the relatively limited sample, this work offers valuable insights into the level of transaction security and compliance with the EU General Data Protection Regulation of four sailing platforms operating in Europe. The study concluded that the platforms respect most of the best practices for secure transactions but still lack the protections for personal data required by European regulations. Consequently, greater effort should be made to become compliant with the European regulations on data protection and privacy for all individual citizens of the European Union.

In response to the first research question (Do the websites secure connection for payments?), it is concluded that the minimal requirements for secure transactions have been met by the entire sample. All platforms were shown to be compliant with secure transfer protocols. Each platform has a valid Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate that has been verified by an independent agency, and all platforms correctly used the Hypertext Transfer Protocol Secure (HTTPS).

The study also found that the average duration of an SSL/TLS certificate was 528.5 days. Given that the maximum SSL/TLS certificate validity period is 825 days[10], this value suggests that the average duration covers 64% of the total validity period (Figure 1).

Figure 1: SSL/TLS Certificate Duration

 

The second research question was whether the protection of personal data is in accordance with European Regulations. The clearest finding to emerge from the analysis is that there were very poor levels of compliance with the GDPR and ePR. The cause of this may be the novelty of the EU regulations.

In particular, alpha platform is sending 2 sets of data to 1 country deemed not adequate by the GDPR.

First, no consent was required for cookies other than strictly necessary ones, and no system was available to block cookies and trackers. Therefore, no platform studied was compliant with the ePR.

Secondly, no system was available to block cookies and trackers or to set up their confidentiality. Therefore, no platform studied was compliant with Article 30 of the GDPR.

Thirdly, one platform out of the four was found not to transmit personal data strictly to adequate countries. In particular, alpha platform (Croatia) was found to send two sets of data to one country deemed not adequate by the GDPR, namely, the Russian Federation. Therefore, one platform was not compliant with Article 45 of the GDPR.

The research highlights that, even if the majority of websites use first-party cookies (53%) instead of third-party cookies (47%), as shown in Figure 2, every platform has more high-risk cookies than medium risk ones (Figure 3).

Figure 2: First- vs. Third-Party Cookies

Figure 3: Medium- vs. High-Risk Cookies per Platform

Although this study focused on cybersecurity aspects like secure transactions and GDPR compliance, the research findings suggest that there are other questions still in need of further investigation. These questions relate to geoeconomic and geopolitical implications of personal data sovereignty.

Considering the data from the four platforms for proposed sailing destinations, the zone of activity of each platform may be highlighted on a world map. The result is a belt-shaped zone stretching from the Island of Tonga to Thailand, as shown in Figure 4, a zone we may call the Sailing Belt. This zone represents the area of sailing destinations for the majority of the platforms. The only exception is delta platform, which seems to specialise in the Mediterranean Area.

 

Figure 4: Sailing Belt

Figure 5: Platform Headquarters

 

Another important finding involves where personal data are sent and which recipient country is the hungriest. In fact, the analysis of trackers allowed us to identify the destinations to which personal data are actually sent. Starting from the headquarters location of each platform (Figure 5), we have drawn the flows of personal data to the tracker hosting countries (Figure 6, Figure 7, Figure 8 and Figure 9). Of particular concern is the situation of alpha platform, located in Croatia. This platform is the only one to send personal data to Russia, but, at the same time, it is the only one to be located in a post-Soviet state. This relation suggests that a link can be supposed between personal data flows and geopolitical influences. Further work is required to establish the validity of this hypothesis.

Figure 6: Flow from Romania (delta platform)

Figure 7: Flow from Florida, US (gamma platform)

 

Figure 8: Flow from Croatia (alpha platform)

Figure 9: Flow from Germany (beta platform)

 

 

Globally, we can affirm that most of the personal data end up in the USA (61.76%), as shown in Table 13 and Figure 10. However, if we consider that data sent to Ireland (29.41%) are sent to a US company (viz., Facebook), we can conclude that more than 91% of personal data are handled by US companies.

Figure 10: Distribution of Personal Data

 

Conclusions

This study has established that the online commerce of the sailing platforms we investigated respects best practices for secure transaction, whereas the protection of personal data and compliance with the European regulations (GDPR and ePR) are still remarkably weak. The analysis of the personal data flows around the world showed that a large amount of personal data is sent to the US or to US-based companies. In the future, longitudinal research needs to be conducted to measure the improvement of compliance with the GDPR and ePR.

Paying attention to this subject is vital due to the growing importance of internet tools in tourism. Their popularity will definitely grow, and data security is crucial to ensure the proper use of these tools. As a result, tourists will have easier access to information, and companies will be able to create complex tourist services. Data security should be ensured by those responsible for managing the platforms, whether regions, tourist organisations or private entities.

One peculiar finding suggested by the analysis is that historical geopolitical influences can be reflected in today’s flow of personal data. However, further research should be undertaken to investigate this hypothesis.

We conclude, in brief, that the treatment of personal data in the sector of sailing platforms is still inadequate. Consequently, greater effort should be made to reach compliance with the European regulations. At the same time, we should not underestimate the geopolitical implications that may derive from the possession of personal data.

 

Notes

[1] source: https://data.worldbank.org/

[2] There is no comprehensive dataset for nautical tourism activity. The estimated range is from ICF calculations using ICOMIA 2014 data; and Communication from the Commission to the European Parliament calculations using 2011 ICOMIA data (published in COM(2014) 254 final/2 of 13.5.2014)

[3] https://www.statista.com/statistics/216573/worldwide-market-share-of-search-engines/

[4] https://trustpilot.com/

[5] sslshopper.com

[6] https://www.globalsign.com/en/ssl-information-center/dangers-expired-ssl-certificates/

[7] https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation

[8] https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A32016R0679

[9] http://gdprcookiescan.eu/

[10] https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/

References

Andrade, L., & Silva, M. J. (2006). Relevance Ranking for Geographic IR. In Workshop on Geographic Information Retrieval, SIGIR ’06. ACM.

Balata, G., Camerada, V., Panai, E., Mariotti, G., & Tola, A. (2019). Connecting Nautical Tourism and Agro-food Industry as a Way to Boost Competitiveness and Sustainability of Mediterranean Destinations. The Case of Cambusa Project. Athens Journal of Tourism, 6(4), 225–244. https://doi.org/10.30958/ajt.6-4-2

Benevolo, C., & Spinelli, R. (2018a). Evaluating the quality of web communication in nautical tourism: A suggested approach. Tourism and Hospitality Research, 18(2), 229–241. https://doi.org/10.1177/1467358416643624

Benevolo, C., & Spinelli, R. (2018b). The quality of web communication by Italian tourist ports. Tourism: An International Interdisciplinary Journal, 66(1), 52–62. Retrieved from https://hrcak.srce.hr/197383

Blythe, J. M. (2013). Cyber security in the workplace: Understanding and promoting behaviour change. In Proceedings of CHItaly 2013 Doctoral Consortium (Vol. 1065, pp. 92–101). Retrieved from http://ceur-ws.org/Vol-1065/paper11.pdf

Brey, P. (2000). Method in computer ethics: Towards a multi-level interdisciplinary approach. Ethics and Information Technology, 2(2), 125–129. https://doi.org/10.1023/A:1010076000182

Brey, P. (2012). Values in technology and disclosive computer ethics. In L. Floridi (Ed.), The Cambridge Handbook of Information and Computer Ethics (pp. 41–58). Cambridge, UK: Cambridge University Press.

Buhalis, D. (2008). Progress in tourism management: Twenty years on and 10 years after the internet: The state of eTourism research. Tourism Management, 29(4), 609–623.

Camerada, V. (2018). Innovazione digitale e destinazioni turistiche intelligenti. Il protocollo SMAS. Geotema, 104–118.

Castells, M. (2011). The Rise of the Network Society, The Information Age. In Economy, Society and Culture (Vol. 1, pp. xvii–xliv). Oxford: Blackwell.

Edgar, T., & Manz, D. (2017). Research Methods for Cyber Security (1st ed.). Cambridge, MA, USA: Syngress Publishing.

Elo, S., Kääriäinen, M., Kanste, O., Pölkki, T., Utriainen, K., & Kyngäs, H. (2014). Qualitative Content Analysis : A Focus on Trustworthiness. SAGE Open, 1–10. https://doi.org/10.1177/2158244014522633

Ermakova, T., Hohensee, A., Orlamünde, I., & Fabian, B. (2017). Privacy-Invading Mechanisms in E-Commerce – A Case Study on German Tourism Websites. International Journal of Networking and Virtual Organisations, 20(2), 105–126. https://doi.org/10.1504/IJNVO.2019.10018376


Ess, C., & Thorseth, M. (2012). Global information and computer ethics. In L. Floridi (Ed.), The Cambridge Handbook of Information and Computer Ethics (pp. 163–180). Cambridge, UK: Cambridge University Press.

European Commission. (2016a). Commission Staff Working Document for the Council Shipping Working party. Retrieved from https://data.consilium.europa.eu/doc/document/ST-6384-2016-INIT/en/pdf

European Commission. (2016b). Assessment of the Impact of Business Development Improvements around Nautical Tourism. Retrieved from https://www.europeanboatingindustry.eu/images/Documents/For_publications/Business-development-around-nautical-tourism.pdf

European Commission. (2017). Assessment of the impact of Business Development Improvements around Nautical Tourism. Retrieved from https://ec.europa.eu/maritimeaffairs/sites/maritimeaffairs/files/swd-2017-126_en.pdf

Fernandez, A., Insfran, E., & Abrahão, S. (2011). Usability evaluation methods for the web: A systematic mapping study. Information and Software Technology, 53(8), 789–817. https://doi.org/10.1016/j.infsof.2011.02.007

Floridi, L. (2005). The ontological interpretation of informational privacy. Ethics and Information Technology, 7(4), 185–200. https://doi.org/10.1007/s10676-006-0001-7

Floridi, L. (Ed.). (2015). The Onlife Manifesto, Being Human in a Hyperconnected Era. Oxford, UK: Springer Open. Retrieved from https://link.springer.com/book/10.1007%2F978-3-319-04093-6

Gössling, S., & Lane, B. (2015). Rural tourism and the development of Internet-based accommodation booking platforms : a study in the advantages , dangers and implications of innovation. Journal of Sustainable Tourism, 23(8–9), 1386–1403. https://doi.org/10.1080/09669582.2014.909448

Graham, M. (2013). Geography/internet: Ethereal alternate dimensions of cyberspace or grounded augmented realities? Geographical Journal, 179(2), 177–182. https://doi.org/10.1111/geoj.12009

Hannak, A., Sapiezyński, P., Kakhki, A. M., Krishnamurthy, B., Lazer, D., Mislove, A., & Wilson, C. (2013). Measuring personalization of Web search. In WWW 2013 – Proceedings of the 22nd International Conference on World Wide Web (pp. 527–537). Rio de Janeiro, Brazil: ACM. https://doi.org/10.1145/2488388.2488435

Hong, S., & Kim, J. (2004). Architectural criteria for website evaluation -conceptual framework and empirical validation. Behaviour and Information Technology, 23(5), 337–357. https://doi.org/10.1080/01449290410001712753

Hosmer, L. T. (1995). Trust : The Connecting Link between Organizational Theory and Philosophical Ethics. The Academy of Management Review, 20(2), 379–403.

Iyengar, S. S., & Lepper, M. R. (2000). When choice is demotivating: Can one desire too much of a good thing? Journal of Personality and Social Psychology, 79(6), 995–1006. https://doi.org/10.1037/0022-3514.79.6.995

ISO (2012). ISO/IEC 27032: Guidelines for cybersecurity. Available from https://www.iso.org/standard/44375.html

Kellerman, A. (2007). Cyberspace classification and cognition: Information and communications cyberspaces. Journal of Urban Technology, 14(3), 5–32. https://doi.org/10.1080/10630730801923110

Kemp, S. (2018). Digital 2018: Q4 Global Digital Statshot. Retrieved from https://datareportal.com/reports/digital-2018-q4-global-digital-statshot

Kulik W. (2018), Cztery miliardy internautów, Retrieved from http://www.benchmark.pl/aktualnosci/ile-osob-ma-dostep-do-internetu-na-swiecie-juz-ponad-4-miliardy.html

Łapko, A. (2019). The Possibility of Using Online Tools to Increase the Attractiveness of a Nautical Tourism Product. DIEM : Dubrovnik International Economic Meeting, 4(1), 127–134. Retrieved from https://hrcak.srce.hr/index.php?show=toc&id_broj=18264&lang=en

Magliulo, A. (2016). Cyber Security and Tourism Competitiveness. European Journal of Tourism, Hospitality and Recreation, 7(2), 128–134. https://doi.org/10.1515/ejthr-2016-0015

McKnight, D. H., Choudhury, V., & Kacmar, C. (2002). Developing and validating trust measures for e-commerce: An integrative typology. Information Systems Research, 13(3), 334–359. https://doi.org/10.1287/isre.13.3.334.81

Munar, A. M., & Jacobsen, J. K. S. (2013). Trust and Involvement in Tourism Social Media and Web-Based Travel Information Sources. Scandinavian Journal of Hospitality and Tourism, 13(1), 1–19. https://doi.org/10.1080/15022250.2013.764511

Nalazek, M., Moskała, J., Błaszczuk, W., Łopaciński, K., Sikora, K. (2003). Internet w turystyce i hotelarstwie. Informatyka w Hotelarstwie. Ministerstwo Gospodarki, Polskie Zrzeszenie Hoteli, Warszawa.

Panai, E. (2018). A Cyber Security Framework for Independent Hotels. In Challenges of tourism development in Asia & Europe – Proceedings of the 4th EATSA Conference 2018 (pp. 83–90). Dijon, France: EATSA. https://www.eatsa-researches.org/publications/proceedings-of-the-eatsa-conference-2018/

Rajs R. (2008), Komputerowe platformy rezerwacyjne w turystyce, Scientific Bulletin of Chełm, Section of Mathematics and Computer Science, (1), pp. 260-261.

Rane, P. B., & Meshram, B. B. (2015). Transaction Security for E-commerce Application. International Journal of Advanced Research in Computer Science and Software Engineering, 5(2), 1720–1726.


Rodriguez-Sanchez M. C., Martinez-Romo J., Borromeo S., Hernandez-Tamames J. A. (2013), GAT: Platform for automatic context-aware mobile services for m-tourism. Expert Systems with applications, nr 40(10), pp. 4154–4163.

Roesner, F., Kohno, T., & Wetherall, D. (2012). Detecting and defending against third-party tracking on the web. In Proc. of the 9th USENIX Symposium on Networked Systems Design and Implementation (p. 12). San Jose, CA, USA: NSDI. Retrieved from https://dl.acm.org/citation.cfm?id=2228298&picked=prox


Sagarin, R., & Pauchard, A. (2009). Observational approaches in ecology open new ground in a changing world. Frontiers in Ecology and the Environment, 8(7), 379–386. https://doi.org/10.1890/090001

Smul, P. (2013). Wykorzystanie Internetu w sprzedaży i promocji usług turystycznych. Zeszyty Naukowe Wyższej Szkoły Humanitas. Zarządzanie, (1), pp. 88-104.

Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., & Cranor, L. F. (2009). Crying Wolf : An Empirical Study of SSL Warning Effectiveness. In SSYM’09 Proceedings of the 18th conference on USENIX security symposium (pp. 399–432). Montreal, Canada: USENIX Association Berkeley.

Tipton, H. F., & Krause, M. (2001). Information Security Management Handbook (4th Ed.). Vol. 2, Boca Raton, USA: Auerbach CRC Press.

Tipton H.F., Krause M. (1999) Information Security Management Handbook, Sixth Edition, Auerbach

Vpnmentor (2018), Trendy internetowe 2018 – Infografiki statystyki i fakty, Retrieved from https://pl.vpnmentor.com/blog/internet-trends-stats-facts-u-s-worldwide

Warf, B. (2013). Global geographies of the internet. Dordrecht, Netherlands: Springer.

Xiang, Z., Du, Q., Ma, Y., & Fan, W. (2017). A comparative analysis of major online review platforms: Implications for social media analytics in hospitality and tourism. Tourism Management, 58(November), 51–65. https://doi.org/10.1016/j.tourman.2016.10.001

Yu, B., Cai, G. (2007, November). A query-aware document ranking method for geographic information retrieval. In Proceedings of the 4th ACM workshop on Geographical information retrieval (pp. 49-54). ACM.

Cite this article

Panai E., Łapko A., Camerada M. et al. (2020) Data Security as the Basis for the Operation of Online Travel Platforms on the Example of Platforms Dedicated to Nautical Tourism: Cyber Analysis and Geographical Impacts. EATSJ - Euro-Asia Tourism Studies Journal, Vol.1, Issue: December 2020 pp. 10-33.

Received: 14 December 2019 | Accepted: 12 June 2020 | Published online: 16 December 2020
Volume: 1 | Issue: December 2020 |

Authors



Enrico Panai (Corresponding author)
Department of Humanities and Social Science (DUMAS) University of Sassari, Italy


Aleksandra Łapko (Corresponding author)
Faculty of Economics and Transport Engineering Maritime University of Szczecin, Poland



Maria Veronica Camerada
Department of Humanities and Social Science (DUMAS) University of Sassari, Italy



Gavino Mariotti
Department of Humanities and Social Science (DUMAS) University of Sassari, Italy



Roma Strulak-Wójcikiewicz
Faculty of Economics and Transport Engineering Maritime University of Szczecin, Poland