Just Email Us the Documents

Consumer · Field notes REF / SECURITY

How two banks, in the same week, asked me to send my most sensitive documents over the one channel they spend a fortune warning me never to trust — and what happened when I asked for something safer.

Two requests for proof of income, a dead upload link, a secure app that can’t take a file, and a polite suggestion that I use the post.

Two banks. Same week. Both wanted proof of residency and proof of income. Both, without a flicker of self-awareness, asked me to email it to them.

These are institutions that freeze your card if you buy a coffee in the wrong postcode. That make you authorise a €30 transfer with a fingerprint, a one-time code, and a passive-aggressive push notification. That bury you in literature about phishing, about never sharing details, about how they will never ask you to send sensitive information by email.

And then they ask me to send sensitive information by email.

What’s actually in those documents

Stop and think about what a “proof of residency and proof of income” bundle contains. A utility bill or bank statement with my full name and home address. Payslips or tax documents with my employer, my salary, my national insurance or tax reference number. Often an account number or two thrown in for good measure. Frequently a signature.

That is not paperwork. That is a starter kit for identity theft, assembled and gift-wrapped, sent over the one channel specifically designed in 1971 without a single thought for confidentiality.

Email was never secure and never pretended to be

Here’s the part the average compliance officer seems to have missed. Email is not a sealed envelope. It’s a postcard that may or may not be carried in an armoured van for part of the journey.

Yes, most providers now negotiate TLS between mail servers, so the message is usually encrypted in transit. But “usually” is carrying a lot of weight there — if the receiving server doesn’t support it, plenty of systems silently fall back to plaintext rather than fail. And in-transit encryption does nothing about the rest of the lifecycle:

• The attachment sits decrypted at rest in my Sent folder, indefinitely.
• It sits decrypted in their inbox, indefinitely, on infrastructure I will never see and cannot vouch for.
• It passes through, and is logged by, however many intermediate systems, spam filters, and archiving appliances sit between us.
• It is exactly one compromised mailbox — mine or theirs — away from being copied wholesale. And email accounts are the single most phished, most credential-stuffed, most reused-password target on the internet.

End-to-end encryption — the thing that would actually fix this — is something neither a high-street bank nor a normal customer has set up. So it isn’t happening. The document is travelling in the clear at both ends of its life, which is most of its life.

The bit that should genuinely worry them

Forget the technical exposure for a second. The worse damage is behavioural.

Banks have spent two decades and untold marketing budgets trying to train customers on one rule: we will never ask you to send personal information by email, so if someone does, it’s a scam. It’s printed on statements. It’s in the app. It’s read out by the hold music.

Then the real bank emails you and asks for personal information by email.

Every time a legitimate institution does this, it sands down the one instinct that protects people. It teaches customers that yes, actually, banks do fire off unsolicited requests for sensitive documents over email, and the right response is to comply quickly. That is the precise reflex every phishing campaign on earth is trying to manufacture — and the banks are manufacturing it for free, on the bank’s own letterhead, making the next fraudulent request indistinguishable from a real one.

You cannot run a customer-education programme that says “this never happens” while operating a back office that does it twice a week.

It isn’t even hard to do properly

The maddening part is that the fix is mature, cheap, and already sitting in most of these organisations:

• A secure upload portal — a link to an authenticated page on the bank’s own domain where you drop the file. Standard for a decade.
• In-app document upload. The app I authenticate into with biometrics every single day. The file never touches email at all.
• Secure messaging inside online banking, where the document stays within their walls end to end.
• Failing all of that, bring it to a branch — remember those?

This is not a budget problem or a technology problem. It’s an institutional shrug. Email is the path of least resistance for whichever team is chasing the document, so email wins, and the security function that would object either wasn’t asked or was overruled by “the customer just needs to send it.”

So I asked. Reader, it went well.

I didn’t email anything. I asked both banks for a secure alternative, and the responses were instructive.

The first bank actually had a portal — and sent me a link to it. The link was broken. Dead. A 404 where my sensitive documents were supposed to go. This is, in a grim way, the most honest outcome of the lot: the secure capability exists on paper, someone built it, someone is presumably reporting it up the chain as “customers can upload securely” — and it doesn’t work. A broken secure channel is arguably worse than an honest lack of one, because it lets everyone tick the box while the real-world fallback quietly becomes “oh, just email it then.” Security that 404s isn’t security. It’s a screenshot for an audit.

And here’s the kicker. This same bank has a perfectly good secure app — the one I log into with my face, the encrypted channel I’m already trusted to move money through. It just doesn’t support document upload. So the most secure pipe they own, the one I’m holding in my hand, can’t accept the very thing they’re asking me for. The secure channel exists and the broken channel exists, and the only one missing is the join between them. So the document gets routed to email — the least secure option on the menu — not because the secure one is unavailable, but because nobody finished building the on-ramp to it.

The second bank is still thinking about it. But it did offer an alternative while I wait: the post. Send the documents by mail.

And — how, exactly, is that more secure?

Post is a sealed postcard’s more confident cousin, and not much else. Standard mail has no encryption because it has no anything — it’s a physical object handled by a chain of strangers, dropped through a letterbox that, in plenty of buildings, is a communal tray anyone can reach into. There’s no tracking unless you pay for it, no proof of delivery, no audit trail, and no way to know it arrived until it doesn’t. It can be lost, misdelivered, or simply lifted — mail theft is a real and growing route into exactly this kind of identity fraud. And in my case the documents would be crossing a border to get there, which adds days of exposure, more hands, and more depots.

So the menu I’ve been offered is: an insecure digital channel (email), a secure digital channel that doesn’t load (the dead portal), or a Victorian analogue channel with no security model at all (the post). The only option deliberately designed with confidentiality in mind is the one that’s broken.

Security theatre, meet security tragedy

We’ve all rolled our eyes at security theatre — the elaborate, visible rituals that make you feel protected while achieving very little. Forced 90-day password rotation. The transaction you have to approve from three different directions.

This is the inverse, and it’s worse. It’s a real, serious risk handled with total informality, behind a façade of an institution that talks about security constantly. The performance is all front-of-house. Out the back, your tax documents are going out as a Gmail attachment — or, when someone finally builds the proper channel, sitting behind a link that 404s while the bank suggests you pop them in the post instead.

Everything secure about the bank stopped exactly where I needed it most.

If your bank asks you to email proof of income, don’t. Ask for the secure portal — and then check it actually loads, because apparently that’s on you now too. And if the fallback they offer is the post, ask them, as I did, how a chain of strangers and an unlocked letterbox is the more secure option. Make them sit with the question. Somewhere in that organisation is a secure channel that works. They just haven’t been asked often enough to go and find it.

Ends

The button marked “Add extra baggage” that adds no baggage

Consumer · Field notes REF / BAGGAGE

How British Airways, Qatar Airways and the Civil Aviation Authority built a perfect little trap — and each, quite correctly, denied responsibility for it.

A reward booking, one checked bag, and the limits of trying to give a company your money.

There is a particular kind of modern absurdity that only reveals itself when you try to give a company money and discover you can’t. This is a story about that — about a checked bag I tried to buy ten months early, the airline website that cheerfully invited me to buy it, the two airlines that then spent a fortnight explaining why I couldn’t, and the regulator that wrote back to say the whole thing was none of its business.

It is, I think, a small but perfect example of how a system can be working exactly as designed and still be ridiculous.

The setup

I booked a long-haul return trip using Avios — a reward booking on flights operated end to end by Qatar Airways , but ticketed and sold by British Airways . This is an entirely normal thing to do. Millions of people redeem miles on partner flights every year. Because of how these redemptions work, the booking can only be made by telephone; the website won’t do it.

Fine. I made the call, the Avios came off, the tickets were issued, and a confirmation arrived listing a generous baggage allowance and noting — reasonably enough — that I “may also be charged for extra or overweight checked bags.” Extra bags, then, were a thing one could arrange. Good to know, because I wanted one.

The button that does nothing

So I went to manage the booking on the British Airways website, where the airline presents a tidy grid of things you can do: choose a seat, request a special meal, upgrade your cabin, and — right there, with its own little suitcase icon — Add extra baggage .

British Airways “Manage My Booking.” “Add extra baggage” is offered as a service, alongside seat selection, meals and cabin upgrades.

I clicked it.

It did not let me add extra baggage. It took me to a general information page explaining that baggage on partner-operated flights is governed by the operating airline, with a link sending me off to Qatar Airways’ site. No purchase. No price. No bag. Just a door marked “Add extra baggage” with a brick wall behind it.

Where the button leads: an information page about partner-airline allowances. No purchase, no price — just a redirect to the operating carrier.

This, it turns out, is the whole story in miniature.

The bounce

Following the trail, I asked British Airways directly. Its escalations team — and I want to be fair here, because they were genuinely helpful and human throughout — told me in writing that extra baggage “can be booked directly through” Qatar Airways’ website.

So we rang Qatar Airways. They said no: extra baggage can’t be added to a ticket issued by another airline, and the only option is to pay at the airport on the day. We rang again. Same answer. And again. Three times. Eventually they put it in writing: prepaid baggage is available only on Qatar Airways’ own ticket stock, this restriction “applies strictly in all circumstances,” and no exception would be made.

One airline tells you, in writing, to go and buy the bag from the other. The other tells you, in writing, that it will never sell it to you. Both are correct about their own rules.

The passenger is simply standing in the gap between two policies that don’t meet.

The price you’re not allowed to know

Here is the part that tips it from frustrating into faintly insulting. Because I couldn’t prepay, the only route left was the airport excess-baggage desk — which, on this route, runs to around fifty US dollars per kilo . A single extra suitcase would cost north of a thousand dollars. Buying the same allowance in advance online — the option I was structurally barred from — would have been up to 20% cheaper.

And when we asked Qatar Airways simply to tell us what the airport charge would be, so we could at least budget, the answer was that it would be “the rules and rates applicable at that time.” You cannot buy the thing in advance. You cannot find out what it will cost. You can only turn up on the day and discover the number at the precise moment you have no alternative.

(The rational move, for the record, is to ignore the airline entirely and post the suitcase home, which costs roughly a tenth as much. When shipping a bag across the planet by courier is an order of magnitude cheaper than checking it in, something in the pricing has come loose.)

Credit where it’s due

I said I’d be fair, and I mean it, because the contrast is the point. British Airways actually engaged. A named human looked at the case, phoned me, took it to Qatar Airways himself, and was honest about the limits of what he could do. He couldn’t fix it — but he tried, and he didn’t hide.

Qatar Airways did the opposite. It recited a policy, linked to a webpage, and declined four times to engage with the substance, including a flat refusal to quote a price. One airline ran out of road. The other built the roadblock and put up a sign saying the road was someone else’s responsibility.

The bit nobody discloses

Strip away the back-and-forth and the real fault is singular: none of this is told to you when you book. Not on the phone, not in the confirmation, not anywhere a normal person would look before paying. You find out only afterwards, when you try to buy a bag and hit the wall. A reward booking that millions of people make comes with a quiet, undisclosed catch — that one of the most ordinary purchases in air travel is closed to you, and that the fallback is the most expensive version of it, at a price you’re not permitted to see in advance.

That’s not a service hiccup. That’s a transparency failure, and a structural one, because Qatar Airways confirmed in writing that it applies to every ticket not issued on its own stock. Which is to say: to everyone in my position, every time.

And the regulator?

You might think this is what a regulator is for. I did too. So I referred it to the Civil Aviation Authority — carefully framed not as “fix my booking” but as “here is a market-wide practice worth looking at.”

The CAA wrote back to say it no longer handles complaints about airlines that belong to a dispute-resolution scheme, and — my favourite sentence of the entire saga — that it “has no legal powers to impose a solution on an airline.” It directed me to that scheme, the Centre for Effective Dispute Resolution (CEDR), instead.

But CEDR only does one thing: it makes binding decisions on individual claims. It cannot touch the underlying practice. It can, at best, order one airline to refund one passenger one fee. It cannot ask why the door marked “Add extra baggage” leads to a wall, or why a price can’t be quoted in advance, or why none of this is disclosed at the point of sale.

So the systemic problem has no home. The regulator says it’s the scheme’s job; the scheme only does individuals; and the practice itself sails on, undisclosed, for the next person who clicks the button. I’ve now reported it to the Competition and Markets Authority , which — under the new consumer-protection regime — is the one body that can actually look at a practice rather than a single complaint. We’ll see.

The point

I will probably end up posting the suitcase. The fee, in the end, is survivable. What isn’t quite so easy to shrug off is the shape of the thing: a button that promises a purchase it can’t deliver, two airlines each pointing at the other, a price you can’t discover until it’s too late to avoid, and a regulator that has quietly arranged to have no responsibility for any of it.

Everything here is working as designed. That’s exactly what’s wrong with it.

Failure of Leadership

 

Following on from what I wrote a few weeks ago about Technology Ethics I read this article on the BBC website the other day which links to this article. Particularly the later one paints a shocking picture of the leadership culture that existed at the time (and may still exist today, we can only guess) inside Fujitsu UK.

Worth a note that responses to the questions presented by the BBC were email only, I guess they were afraid of a Prince Andrew style on camera interview.

However you look at this it highlights some serious underlying failings in the leadership style inside Fujitsu UK where the CEO did know in detail about the issues being encountered, this only happens one of two ways (i) the leader was so hands off as to not to care with "don't bother me with detail attitude" or (ii) the leadership team under the CEO at multiple levels had no integrity and were either not prepared to share bad news or were too scared of leadership at the CEO level to share the facts.

However you look at both these scenarios it paints a very damning picture of the leadership culture inside Fujitsu UK during this period. During this whole period Fujitsu UK had a very poor track record of contract delivery, the Benefits Agency contract being another example of this, which cost Fujitsu UK over £180M when the agency pulled out.

You then have this quote from a former CEO of Fujitsu UK who described winning the Post Office contract for ICL as "his proudest moment". How that quote should be haunting the individual now.

At least the current Fujitsu UK CEO seems to have seen the light (at least in public) which is something missing from his predecessors when he said that there had been "bugs, errors and defects" with Horizon from the start, and apologised for his firm's role in the scandal.

The UK government seems to have a fundamental flaw it the procurement process across whatever department, the MoD often comes in for the most criticism, one of the more recent ones is the Type 45 power plant issue which is costing the British tax payer £160M. It seems the MoD has not learnt anything from the old days of cost plus contracts and scope creep.

Something is fundamentally wrong in the culture of UK Government procurement at all levels and especially accountability, as the Post Office is publicly owned not only is the UK tax payer picking up the cost of the public enquiry but they are picking up the cost of compensation as well as already having paid the cost of the now proven to be flawed litigation in the first place. Why aren't Fujistu paying the UK taxpayer back all the costs associated with the original litigation, the public enquiry and the compensation? As none of us have ever seen the contract we can only guess, but I suspect the savvy lawyers at Fujitsu excluded all such costs.

As I said in my last post on a personal note I worked with many people at Fujitsu in Japan for twenty years at all levels and I always found their ethics to be beyond reproach even with things that were difficult and I had a lot of respect for them and very much enjoyed working with them.

Technology Ethics

 

 

I've been reading a lot about the scandal of the UK Post Office Horizon IT system and what seems a knowingly deliberate attempt by executives at both Fujitsu UK and the Post Office to cover up what was a known set of issues.

I've been involved in technology development at all levels for over 33 years (more if you include the time when I worked whilst at University and writing code as a kid growing up) and it is fair to see I've seen my fair share of bugs in both hardware and software, some of those have been very expensive (both commercially and technically, in terms of engineering time and materials to fix). The specific details of which I will never ever discuss with anyone.

I've also on a few occasions actually had to appear in court as a witness on IT related matters, the details of which I'm not permitted to discuss here. The consequences of shall we say mis-representing the facts in this later scenario carry far broader personal and commercial consequences from perjury, perverting the cause of justice, fraud, the list goes on and as in the case of the Horizon scandal the ruining of peoples lives, including people taking there own lives.

However what is now coming to light during the statutory enquiry both in evidence being given and the inevitable leaking of documents calls into question just how ethical the people involved were. As both an employee and employer you have a duty of care, confidentiality and the like, but just how far do you take that, what do you do if you are knowingly being asked to commit perjury or pursue someone based on evidence that you know is at best tainted but more probably materially flawed? I find some of the evidence being given where people keep saying "I had no knowledge as an investigator of others experiencing the same issue" just not credible or believable. It is hard (impossible) to keep this kind of information secret within a large organisation.

I've always had a view that internally within a company full disclosure of the root cause of the issue no matter how ugly and painful that disclosure is is appropriate, as anyone that has ever worked with me will know. I'm not interested in public shaming and humiliation because people are human and whilst the likes of ChatGPT writes OK code, although I do have to say it needs serious code review and even after multiple ones of those it is not something that doesn't need further modifications by a human and rigorous testing, we are a long way from code generated this way being safe to deploy to production without serious oversight. What I am and always have been interested in in these scenarios is RCA - Root Cause Analysis with appropriate corrective action, that feedback loop where mistake are learnt from and change is made. Now to be clear that doesn't mean if a person consistently makes the same mistakes then appropriate action shouldn't been taken in line with a companies HR policy.

There comes a point where people involved have to question the ethics of a company that pursues people and covers up bugs such as those that existed in Horizon, to be clear there will still be bugs in Horizon, they just haven't found them yet, no IT system is bug free and when your delivering anything like Horizon you have three things to bear in mind, time, features and quality, you can have two from three and it is clear in this case they sacrificed the one that gets sacrificed the most, quality.

I really hope that if the same thing ever happened again (and it will) the IT industry has moved on enough such that someone would be a whistleblower and that people would actually listen to that whistleblower and they could do it in a way that doesn't ruin them personally.

On a personal note I worked with many people at Fujitsu in Japan for twenty years at all levels and I always found their ethics to be beyond reproach even with things that were difficult and I had a lot of respect for them and very much enjoyed working with them.

Building a Spanish Silicon Valley

Living and working on the Costa del Sol has many advantages, not least 300 days of sunshine a year. The overall lifestyle is very different, in the Winter you can snow ski in the Sierra Nevadas above Granada and jet or water ski in the Mediterranean in the afternoon. The availability of fresh fruit and vegetables and the food miles they travel is far less than most places with a very short time from field to table as well.

Driving around the Costa del Sol, actually looks a lot like driving around Silicon Valley in California, even a lot of the place names are the same, to be clear California got the names from countries like Spain, not the other way round.

Back in 1992 the City of Malaga and the Junta de Andalucia started the tech park just to the north of Malaga next to the airport. Since then many companies have opened up offices in and around the tech park and the local area, once such company is VirusTotal, found in 2004 and acquired by google in 2012. Many internationally recognized companies now have offices, such as Oracle and Accenture.

Part of that is connectivity, Malaga airport is literally 20 minutes from the Tech Park. Malaga airport has as much runway capacity as London Heathrow, with none of the restrictions around flight times and is currently at 20% of the volume that goes thru' Heathrow. Another part of connectivity is internet connectivity, I wrote about this several months ago.

Most recently a number of existing and new companies have announced significant investment into the Malaga area, google announced the creation of a Cyber Security centre. Followed in January 2023 by Oracle are both examples of existing companies, with AES being the most recent new arrival.

In the Autumn of 2022, direct flights from Malaga were announced, technically it was a resumption, United announced three times a week flights to Newark airport in New York and just this last week the first tickets went on sale.

Spain provides lots of incentives now for people to come and work in Spain, historically Spain had the Beckham Law, named after a certain footballer and essentially means if you haven't worked in Spain are not a Spanish citizen and have a job to come to you can move to Spain and earn upto 600K/year and pay only 24% tax.

Spain also has the concept of Autonomo aka self-employed, for those that are familiar with IR35 in the UK it is a far more friendly version of that to actively encourage people. The what you can deduct is more expansive and the contributions you need to make to the social security system incentivize you by offering reduced contributions over the first two years.

Finally Spain recently announced incentives for startup companies and the Digital Nomad visa. The Startup Law again offers incentives to companies it has been estimated that the Startup ecosystem in Spain is worth €46B and the law is designed to support this and future growth. The details are all here.

Spain also has the Digital Nomad visa which is essentially designed for people who want to work for a foreign company whilst based in Spain. The tax model for Digital Nomads is based on the 24% for the first 600K/year in the Beckham Law.

If you want to learn more about living and working on the Costa I'd strongly recommend a read of this blog. I'd essentially end up repeating a lot of stuff that is here.

A Bonfire of Common Sense

One of the many things I've discovered about living outside the UK is that the BBC is not the news organisation that many believe it is and definitely does not deliver the impartial view of the world that everyone thinks it does.

We are fortunate to have frankly channels from more countries than you can possibly watch in a lifetime but when you watch them you get a very different perspective on world events. There seems to be a prevailing view that the BBC has got more like a Tory mouthpiece of recent years (surely that can't have anything to do with the appointment of the new Chairman being a mate of Boris'?).

Anyway that aside it is fair to say that the rest of the EU has long since moved on since Brexit and is very focused on growing the collective economy, sadly the UK is still stuck in that post Brexit rut. Inflation for example is already falling far more sharply in the EU than in the UK, both at a country and as a trading bloc level, growth is going to exceed expectations from the likes of the IMF in 2023 for all G7 countries, except the UK.

Just look at the issues in the UK, most economists say that Brexit is having at least a negative 4% impact on UK growth, the UK economy is the only G7 economy not to be back where it was pre-pandemic plus it'll be the only G7 economy to show negative growth in 2023. Even the Russian economy, despite sanctions will grow in 2023! In fact it is expected to be the slowest growing G7 economy for the next two years!

Why does the UK media like the BBC not lay out these stark facts to the British public? The cost of living crisis in the UK is beyond any joke and it is currently experiencing a "Winter of Discontent" and we all know how the last one of those ended. Then this morning you have stories of energy suppliers actually breaking into homes of vulnerable people to install pre-payment meters, whilst the government and the regulator stand by on a problem that has been know about for years? Why? Because these are the same people that bankroll the corruption in Downing Street.

Then of course the UK has this sunset clause for some 4000+ pieces of EU legislation that it plans to repeal by default on the December 31st 2023, that assumes of course they can actually find them all 🤣. The monetary cost alone of doing this both on the Civil Service and in legislative time is something the UK cannot afford or even achieve in the time. The UK was one of the countries that voted for this legislation and saw real value in it, like consumer and employee protection, data protection, security, anti-money laundering and fraud, the list of laws that will just expire is beyond comprehension and most people resident in the UK have no understanding of the consequences to daily life, why because mainstream media makes no attempt to explain this people. The governments solution is to use the so called Henry VIII clause which allows the government to make decisions on legislation without recourse to parliament, seems like the mother of Parliaments has just got a divorce from the Government.

For those who are employees the impact of the change should be particularly concerning as a long time friend and former colleague of mine posted a few weeks ago here.

The UK Government's excuse in all of this is it is all down to wider economic factors aka The War in Ukraine. If Brexit and the Tory economic policies were such a great decision then the UK should be outperforming the EU as a trading bloc inspite of wider economic factors, reality is Brexit was suicide, the EU has moved on and the UK population is paying a price, sadly no political party, no even The Liberal Democrats is saying rejoin is the right answer. Sir Ed Davey on GMB this morning when pushed multiple times on this, despite it being LD policy refused to say he wanted the UK to rejoin. 

The sad reality is the best the UK can hope for in the short term is closer ties with the worlds largest trading bloc, but that won't happen until the blinkered idiots in the Tory party and to some extent the other parties actually move on. It is not just about trade it is about co-operation on many topics such as security and finance. Reality is a see change in UK politics is required which requires my childrens generation, born in the 80s and 90s at the end of the last century and later who have only ever known the UK in the EU get into politics and change things. A lot of the generation that voted leave have departed this world and left a car crash behind them. Those still around like Truss, Johnson and Sunak having got the guts to admit the reality.

Maybe the UK will benefit from Brexit in 50 years time as JRM says, but by rejoining the EU...

Somewhere over the Atlantic

Been a few years since I've sent anything or posted anything from an Airplane, the last time seriously was on Singapore Airlines, probably 10 years ago, aside from the odd social media post since then.

Spent the majority of the years prior to the pandemic flying on BA, for reasons best known to BA they had this large global network but decided not to fit out the new fleet of planes with WiFi, opting to wait and see what everyone else did and then retrofit, seemed a bit of an odd approach to me, but apparently wasn't just driven by initial upfront cost but also the extra weight and the cost that incurred.

Now post the pandemic global business is very different and with people flying a lot less and relying on the technology I don't often get chance to use the tech that comes in planes.

Today I'm going from Malaga (AGP) to Newark, NJ (EWR) via Lisbon (LIS), the second leg of the flight has onboard WiFi, so I'm taking the opportunity to post something, albeit not very exciting.

TAP Air Portugal use A321LRneos on the route which seems to work, at least on the experience so far pretty well.

We are currently about 3 hours in at 33,000ft or around 10,000m.

Had this been available more broadly on the BA fleet I'd have definitely used it. On TAP Air Portugal is you just want to use simple message services like WhatsApp it is actually free.

The EU has released opened the possibility of using 5G on your handset whilst flying, can't believe it'll be included in yoiur tariff as the operators won't make any money if they do. 

The technology continues to evolve and it won't be long before video conferencing whilst flying is the norm along with streaming from the likes of Netflix.