Gogo, the in-flight Wi-Fi service on several major airlines, chose an odd way to stop you from hogging the plane's Internet connection.
Its Web portal pretends to be Google (GOOG), duping your computer into trusting it.
That helps Gogo block YouTube. But it also gives Gogo (GOGO) the ability to snoop on your searches and read your email. Gogo is adamant it doesn't actually look at customers' personal data, though.
In the computer world, issuing fake website certificates is typically the domain of hackers and law enforcement. It's considered a "man-in-the-middle" attack -- similar to a wiretap.
This quirk was discovered by Adrienne Porter Felt, a Google engineer and Chrome browser security expert, during a Friday flight. She called out Gogo on Twitter and got the company's attention.
On Monday, Gogo's chief technology officer, Anand Chari, issued a statement explaining why the company does this: to block video streaming websites. He said it's how Gogo ensures "that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience."
Chari promised that "no user information is being collected when any of these techniques are being used."
But here's how one Web developer, Anthony Sherwood, described Gogo's choice to impersonate Google: "Engaging in identity theft as a 'way to manage bandwidth' is the flimsiest excuse I've ever heard."
Average folks aren't likely to understand what's so bad about this type of Web certificate forgery. But it undermines the basic security that allows you to privately communicate online and ensure websites like Facebook and Yahoo really are what they say they are.
And that's especially relevant for Gogo. Last year, Wired revealed how the in-flight Wi-Fi provider went the extra mile to help the U.S. government spy on Americans, teaming up with law enforcement when designing its network on planes.
Eleanor Saitta, a respected privacy and cybersecurity consultant, said it would have been more appropriate if Gogo simply interrupted your Internet connection and redirected you to its own page. Instead, Gogo opted for deception and a take-all approach.
"And they're neither informing users nor getting meaningful consent," she said.