
Requesting Personal Data From Airbnb

Requesting Data?

Thanks to GDPR, most people (even Asians like me) are entitled to request personal data from every company that has your data. I'm not going to talk about this here, cuz I'm not an expert nor a rocket scientist.
Yeah, basically this is just a document about how I got my data from Airbnb and what data they stored about me.

Quick conclusion:
I created an account on Airbnb with my Facebook account, and maybe I shouldn't have done that.

Why Airbnb

Airbnb is a startup from the US which provides worldwide services, and I've only used this platform in Asia. Considering it's not an EU-based company (I found out their headquarters is in Ireland later on) and also my account was both registered and used outside the EU, I thought it would be interesting to mess with them and see how they react.

The process of getting my personal data took quite a while, but to be honest, I'm pretty satisfied with the result. I know reading the timeline might be tedious, so you are free to jump to the section on what data Airbnb stored.


Simplified timeline

My request was sent through email to the DPO of Airbnb, and it took roughly 7 weeks to get my data, so I think it will be nice to have a simple graph explaining what happened during the contact with Airbnb.
(You can find all of the detailed emails below)

I hope the graph is easy to understand

Sequence diagram (ME and Airbnb):

25 Sep 2020
ME → Airbnb: Data Access Request
ME → Airbnb: Data Access Request (accidentally sent twice)

02 Oct 2020
Airbnb → ME: Access request confirmed, but we need to verify you
ME → Airbnb: Send my driver license (entirely in Mandarin)
Airbnb → ME: Remove request confirmed, but we need to verify you
ME → Airbnb: Wait what? I did not request that, but plz don't delete my account

25 Oct 2020
Airbnb → ME: ID verified, we're processing the access request

29 Oct 2020
Airbnb → ME: Data ready, access the data through the provided URL

02 Nov 2020
ME → Airbnb: Hummm, URL is not working
Airbnb → ME: Issue has been passed to tech support

17 Nov 2020
Airbnb → ME: Attached an encrypted file and detailed explanation
Airbnb → ME: Password for the encrypted file

From my point of view, this is how long each step took:

I sent my request on 25 Sep.
After 7 days, they confirmed my request and asked me to send an ID to verify.
After 30 days, they informed me that I was verified.
After 34 days, I received a link to access my data (the link didn't work).
After 49 days, I received an email with an encrypted xlsx file (works fine).


Detailed Emails

To make things easier to read, the following times in "Green" are emails I sent, and those in "Bright Red" are emails Airbnb sent.

September 25 2020 14:01(GMT+1)
Sending my first request, but I forgot to attach my ID
I actually sent them two letters by accident

October 2 2020 18:14(GMT+1)
Airbnb confirms I want to execute my right of accessing my data and asks me for a restatement and an ID with photo

October 2 2020 18:31(GMT+1)
I sent a restatement and an ID with photo, but in Mandarin, and I forgot to blur some sensitive data on my driving license

October 2 2020 18:49(GMT+1)
Airbnb confirms I want to execute my right of deleting all my data and asks me for a restatement and an ID with photo

October 2 2020 19:09(GMT+1)
I told them I was trying to do an assignment in school, plz don't delete my account

October 25 2020 11:50(GMT+1)
Airbnb confirms I have provided enough data, so they will process the data asap

October 29 2020 18:05(GMT+1)
Airbnb sent me an email and told me there is a message on the Airbnb platform which includes the URL to my data

November 2 2020 10:19(GMT+1)
I told them the link doesn't work, PLZ send me another one.

November 2 18:35
Airbnb confirms the technical issue and has referred the problem to the tech team

November 17 2020 17:00(GMT+1)
Unlike the previous letters, which were apparently sent through the customer service system, this time Airbnb sent me a letter from an address called Legal Ireland, with a detailed explanation about how the data was used, a profile photo of my account, and an Excel file that contains all my data.

November 17 2020 17:02(GMT+1)
Another letter was sent from the same address, Legal Ireland, which contains the password to the file attached in the previous letter.


What Data Did Airbnb Store

Overview

After a long period of waiting, I finally got an encrypted xlsx file with all my personal data that was stored on Airbnb's servers, and also a zip file for the images.

The data has been split into multiple pages in the xlsx file, but most of it can be found in the page named 'Profile, Reservations & Emails', which looks like a massive JSON-format file to me.
Now that we have an overview of the spreadsheet, it's time to dig a little deeper into the data.

Reservation

When I look at the reservation data, everything looks fine to me: booking message, my name, birthday, address (I actually don't remember providing my address in this reservation, maybe they got it from my credit card), messages with the host, etc.
Then something weird shows up, a field called "socail_media_data". Wait, what? Why do they store data about my social media in the reservation section? And they store it in a creepy way. They calculate how my friends on Facebook use the Airbnb platform, kind of like building a persona based on my Facebook account.

I can see that 40% of my friends on Facebook who are using Airbnb have at least one reservation, and only a small portion of them have ever cancelled a reservation before.

Those seem to be some harmless data, but think about it: they have access to link all of our accounts, which means they can build up a network of activated users, and then make advertising more precise.

Imagine this: let's say some of your friends coincidentally went on a vacation in the same month, and all of them used Airbnb. If you were Airbnb, what would you do? If I were Airbnb, I would assume that you have been exposed to multiple ideas of vacation, and thus this is the best timing to put some vacation advertisements on you.

For the record, these are all my speculations; I've no idea how Airbnb works with advertising.

Signals

I knew that most web services store every action we make on their platforms. But not until I saw the actual data they stored did I realize how detailed they were in following us.

Based on the keys 'homeListingCardPhotoSwipe' and 'homePdpScroll', and the fact that they were stored under a catalog called signals, I'm assuming this is all of the activities that I've done on Airbnb's website.

Timestamp, browser, language, and even the exact pixel size of the browser were recorded. On the bright side, they might be using all of this information to improve their user experience, but on the dark side, maybe only the Sith know how bad it could be.

There are around 400,000 lines of activity data in my file.

Messages

I've seen a lot of message pages in the data, but a lot of the data was censored, so I couldn't really explain what was in that data.

Facebook

I know we've talked about Facebook data in a previous section, but that was modified social media data in the reservation (still don't know why they stored those things there though), and now I found a whole part for just social media relation data.

I've selected only a small part of the data, but that's basically the format they use for social media data. So there's a key called "relationshipts", and I guess the value is an array of all the people who were friends with me on Facebook and also registered on Airbnb. Don't feel left out if you didn't make it to the list for not using Airbnb; you can still find your name in the next part, called "facebook_friends".

By the way, they use ######## to cover sensitive data, in this case, names.

Support Emails Notes

It's actually pretty interesting that they also put all the internal emails about my case into the file. From this perspective, Airbnb reacted faster than what I'd learned from the emails I received.

I was trying to mess with them by sending an ID that is entirely in Mandarin, and when I looked at those notes I realized they can simply send the ID back to COR in Taiwan and verify it.

I accidentally sent my ID without blocking some sensitive information (like social security number, address), and they actually realized that might be a problem and deleted it. At least that's what I learned from those notes.

Conclusion and future

Even though this part is called conclusion, I'm pretty afraid to conclude anything here, cuz I'm not really an expert and not really sure if I interpreted things right.
All in all, I'm just terrified about how much data they have on me.

In order to work with GDPR, I think some parts of the 'Computer-Processed Personal Data Protection Law' in Taiwan were actually slightly changed to fit the regulation of the EU. Again, I'm not an expert in law or data studies, so it might be better for u to check it out yourself.

I did send a data request to an online shopping platform based on the 'Computer-Processed Personal Data Protection Law', but so far nothing has come back yet.