The Privacy Debate What Do Customers and Businesses Really by hjh63417


									  The Privacy Debate:
What Do Customers and
Businesses Really Want?

          David Strom, (516) 944-3407
         eBiz June 2001

          (c) 2001 David Strom Inc.   1
•   Examine your own behavior
•   Customer privacy issues
•   Best practices
•   Notable eBusiness privacy failures
•   Creating your own corporate privacy policy

                  (c) 2001 David Strom Inc.      2
       My privacy parameters
• advisor
• “Middle initial” tracking of magazine
• Not too upset by spam, usually
• Turned off my office fax number
• But have unlisted home phone

                 (c) 2001 David Strom Inc.   3
    Examine your own surfing
• What kinds of information do you routinely
  provide to web sites: email address,
  birthdates, zip codes, age/gender ID, etc.
• What kinds of corporate information do you
  routinely provide: business phone/address,
  company information, etc.
• Does information show up in your URLs?
• How can you minimize this data flow?
                (c) 2001 David Strom Inc.   4
 But there are a lot of things you
      might not be aware of
• Monitoring your web surfing via how URLs
  are constructed
• Monitoring your emails via “wiretaps”
• Tracking you via third-party cookies

               (c) 2001 David Strom Inc.   5
        Web URL monitoring
  er=2386 ….
• Should your URL show all this

                  (c) 2001 David Strom Inc.    6
          Email wiretapping
• Exploits HTML email to embed small
  Javascript programs that can monitor who
  opens email and where the email goes
• Can be prevented, with the appropriate
  security settings, but most people don’t take
  these precautions

                 (c) 2001 David Strom Inc.    7
    Third party cookie tracking
• Ad servers like Engage, DoubleClick, and
  others put coding inside their ads to identify
• But what if this information is tied to your
  email or IP address?
• And what if a third-party site obtains
  additional information about you this way?

                  (c) 2001 David Strom Inc.    8
   Rate these privacy invasions
• Sending out a single piece of email with
  everyone's email address clearly visible in
  the header
• A web site that tries to make it easier for its
  customers to login and track their accounts
• A piece of software that records the IP
  address of the machine it is running on and
  reports back to headquarters

                  (c) 2001 David Strom Inc.         9
       Privacy best practices
• What are your expectations?
• What info is collected?
• How are you informed of the collection
• How can you change your address and other
  ID information?
• What happens when the company is sold?
                (c) 2001 David Strom Inc.   10
   What kinds of information is
      considered private?
• Your IP address
• Your Ethernet MAC address/Windows
• Your purchase history with a web storefront
  (or physical store)
• Your address and phone
• Your email address
• Your credit card, banking account numbers
                 (c) 2001 David Strom Inc.   11
How do products inform you of their
 information collection practices?
• Before you download them in clear
  language on the web site
• At the time you download them
• With obscure privacy policies on their web
• In a press release from the vendor after
  something bad happens
                 (c) 2001 David Strom Inc.     12
  How can you change your ID?
• With the post office, credit history, and
  others, relatively simple
• With software, not so simple
• Many products don’t have any automated
  tools for making changes

                 (c) 2001 David Strom Inc.    13
  Who shares this information?
• Do sites offer secure logins or are they in
  the clear?
• What about third-party cookies, who makes
  use of them?

                 (c) 2001 David Strom Inc.   14
What happens to this information
 when your company gets sold?
• Does a company have a legal right to hold
  on to its data?
• Does a customer have a legal right to expect
  a company to not sell its data?
• Do we need new consumer protection laws
  for these situations?
• Are individuals’ privacy data considered a
  corporate asset or a liability?
                 (c) 2001 David Strom Inc.   15
         Case in point: eBay
• Changed its privacy practices 4/01 to
  specifically mention what happens if sold
• But hides this deep within their privacy

                 (c) 2001 David Strom Inc.    16
      How do you protect your
      customer’s privacy data?
• Secure servers, careful data structures and
• Authorized employees with limited access
• Firewalls
• Do all of these things really work?

                 (c) 2001 David Strom Inc.      17
          Privacy problems
• Email
• Web surfing
• eCommerce

                (c) 2001 David Strom Inc.   18
          Back to email issues
• Hidden HTML code inside many email messages
  these days, called “web bugs”
• Convey information on whether you open the
  email message or not, whether you click on this
  specific link, and if you want to unsubscribe
• Works even if you use just the preview pane in
  MS OE/Outlook
• Supposedly this information is just used in the
  aggregate, but can you be sure?

                   (c) 2001 David Strom Inc.        19
     Bad boys of web site privacy
•   Doubleclick
•   Real Networks
•   TiVO

                    (c) 2001 David Strom Inc.   20
• Made the mistake of combining two
  businesses: banner ad serving and email
• Is it a violation of privacy when you
  aggregate individual information?
• Third-party cookie issues

                 (c) 2001 David Strom Inc.   21
            Real Networks
• Is it a violation of privacy when you
  automatically subscribe users to your
  service, and bury any opt-out information?
• Should Real record my music listening
  habits without my explicit permission?
• And store this data even when I am not
  connected to the Net?

                 (c) 2001 David Strom Inc.     22
• Download an ActiveX control that makes
  numerous changes to your browser and
  email configuration, as well as Startup
  folders – but advertised as a “video player
  browser enhancement.”
• First the company didn’t explain these
  changes, but now they do – in very, very
  fine print.
                 (c) 2001 David Strom Inc.      23
• Aggregates personal TV viewing habits of
  its users
• But doesn’t really make that clear
• And employees of the company could have
  access to your privacy data

                (c) 2001 David Strom Inc.    24
   eCommerce privacy mishaps
• ToySmart trying to sell its customer list
• Long list of break-ins to obtain customer
  credit cards and accounts from numerous
  web sites, including Ikea, Western Union

                 (c) 2001 David Strom Inc.    25
     Microsoft’s many problems
•   Hotmail break-ins galore
•   Global ID transmitted inside Word docs
•   Network collapse from poor DNS config
•   Software updates that scan your disk

                  (c) 2001 David Strom Inc.   26
Browser enhancement tools study
• Privacy Foundation examined 12 different
  software utilities that work with web
  browsers, and found numerous privacy
• ALL products sent more data back “home”
  to vendors’ HQ than required or disclosed
  to end-users

                (c) 2001 David Strom Inc.     27
    Results: poor notification of
        privacy violations
• Poor placement of disclosure statements
• Users have to return to privacy policy page on
  web site to check for changes
• Sites reserve the right to release information when
  they want to
• Privacy policies are clouded in technobabble and
• Policies are vague or wrongly stated
• Sites use seals of approval from TrustE and BBB
  to certify their sites, but not any actual software
                    (c) 2001 David Strom Inc.       28
       Creating a solid corporate
            privacy policy
•   First, understand your own actions
•   Examine standards efforts
•   Policy creation software tools
•   Learning from eBay’s example

                   (c) 2001 David Strom Inc.   29
      If you develop software
• Tell the truth about who has access to
  customer data
• Have lawyers work with your engineers to
  review software’s actual privacy practices
• Design with privacy in mind from the start
• Use opt-in rather than opt-out
• Don’t monitor URLs
                 (c) 2001 David Strom Inc.     30
• W3C standards-based effort
• Major multi-vendor contributions
• Blesses various software tools that can
  generate privacy policies that are more
  machine-readable than by humans

                 (c) 2001 David Strom Inc.   31
TrustE’s model privacy statement
• Available at
• Can easily copy and modify accordingly
• More like a legal document than helpful to
• A good place to start

                 (c) 2001 David Strom Inc.     32
•   $30
•   Browser-based
•   Brief, clear, to the point
•   You can examine my own policy here:

                 (c) 2001 David Strom Inc.   33
         IBM’s Privacy Tool
• Free
• Java-based
• Again, machine-readable policies that can
  be verified by P3P standard checking

                 (c) 2001 David Strom Inc.    34
            eBay’s example
• Several different versions, charts, and pages
• Many different levels of detail, including
  information about spam, cookies, etc.
• Link from bottom of home page
• Note how they notify users when it changes

                 (c) 2001 David Strom Inc.    35
             The fine print
“It is possible that eBay, its subsidiaries, its joint
ventures, or any combination of such, could
merge with or be acquired by another business
entity. Should such a combination occur, you
should expect that eBay would share some or all
of your information in order to continue to
provide the service. You will receive notice of
such event…”

                  (c) 2001 David Strom Inc.          36
• Copies of this presentation:
• More information can be found:

                 (c) 2001 David Strom Inc.   37

To top