Your SlideShare is downloading. ×
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply



Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. The Privacy Debate: What Do Customers and Businesses Really Want? David Strom, (516) 944-3407 eBiz June 2001
  • 2. Summary
    • Examine your own behavior
    • Customer privacy issues
    • Best practices
    • Notable eBusiness privacy failures
    • Creating your own corporate privacy policy
  • 3. My privacy parameters
    • advisor
    • “ Middle initial” tracking of magazine subscriptions
    • Not too upset by spam, usually
    • Turned off my office fax number
    • But have unlisted home phone
  • 4. Examine your own surfing behavior
    • What kinds of information do you routinely provide to web sites: email address, birthdates, zip codes, age/gender ID, etc.
    • What kinds of corporate information do you routinely provide: business phone/address, company information, etc.
    • Does information show up in your URLs?
    • How can you minimize this data flow?
  • 5. But there are a lot of things you might not be aware of
    • Monitoring your web surfing via how URLs are constructed
    • Monitoring your emails via “wiretaps”
    • Tracking you via third-party cookies
  • 6. Web URL monitoring
    • US &dep_date= 19921230 &dep_arp_code= PHL &carrarp_code= BOS &flt_number= 2386 ….
    • Should your URL show all this information?
  • 7. Email wiretapping
    • Exploits HTML email to embed small Javascript programs that can monitor who opens email and where the email goes
    • Can be prevented, with the appropriate security settings, but most people don’t take these precautions
  • 8. Third party cookie tracking
    • Ad servers like Engage, DoubleClick, and others put coding inside their ads to identify users
    • But what if this information is tied to your email or IP address?
    • And what if a third-party site obtains additional information about you this way?
  • 9. Rate these privacy invasions
    • Sending out a single piece of email with everyone's email address clearly visible in the header
    • A web site that tries to make it easier for its customers to login and track their accounts
    • A piece of software that records the IP address of the machine it is running on and reports back to headquarters
  • 10. Privacy best practices
    • What are your expectations?
    • What info is collected?
    • How are you informed of the collection process?
    • How can you change your address and other ID information?
    • What happens when the company is sold?
  • 11. What kinds of information is considered private?
    • Your IP address
    • Your Ethernet MAC address/Windows GUID
    • Your purchase history with a web storefront (or physical store)
    • Your address and phone
    • Your email address
    • Your credit card, banking account numbers
  • 12. How do products inform you of their information collection practices?
    • Before you download them in clear language on the web site
    • At the time you download them
    • With obscure privacy policies on their web site
    • In a press release from the vendor after something bad happens
  • 13. How can you change your ID?
    • With the post office, credit history, and others, relatively simple
    • With software, not so simple
    • Many products don’t have any automated tools for making changes
  • 14. Who shares this information?
    • Do sites offer secure logins or are they in the clear?
    • What about third-party cookies, who makes use of them?
  • 15. What happens to this information when your company gets sold?
    • Does a company have a legal right to hold on to its data?
    • Does a customer have a legal right to expect a company to not sell its data?
    • Do we need new consumer protection laws for these situations?
    • Are individuals’ privacy data considered a corporate asset or a liability?
  • 16. Case in point: eBay
    • Changed its privacy practices 4/01 to specifically mention what happens if sold
    • But hides this deep within their privacy policies
  • 17. How do you protect your customer’s privacy data?
    • Secure servers, careful data structures and policies
    • Authorized employees with limited access
    • Firewalls
    • Do all of these things really work?
  • 18. Privacy problems
    • Email
    • Web surfing
    • eCommerce
  • 19. Back to email issues
    • Hidden HTML code inside many email messages these days, called “web bugs”
    • Convey information on whether you open the email message or not, whether you click on this specific link, and if you want to unsubscribe
    • Works even if you use just the preview pane in MS OE/Outlook
    • Supposedly this information is just used in the aggregate, but can you be sure?
  • 20. Bad boys of web site privacy
    • Doubleclick
    • Real Networks
    • TiVO
  • 21. DoubleClick
    • Made the mistake of combining two businesses: banner ad serving and email marketing
    • Is it a violation of privacy when you aggregate individual information?
    • Third-party cookie issues
  • 22. Real Networks
    • Is it a violation of privacy when you automatically subscribe users to your service, and bury any opt-out information?
    • Should Real record my music listening habits without my explicit permission?
    • And store this data even when I am not connected to the Net?
  • 23.
    • Download an ActiveX control that makes numerous changes to your browser and email configuration, as well as Startup folders – but advertised as a “video player browser enhancement.”
    • First the company didn’t explain these changes, but now they do – in very, very fine print.
  • 24. TiVO
    • Aggregates personal TV viewing habits of its users
    • But doesn’t really make that clear
    • And employees of the company could have access to your privacy data
  • 25. eCommerce privacy mishaps
    • ToySmart trying to sell its customer list
    • Long list of break-ins to obtain customer credit cards and accounts from numerous web sites, including Ikea, Western Union
  • 26. Microsoft’s many problems
    • Hotmail break-ins galore
    • Global ID transmitted inside Word docs
    • Network collapse from poor DNS config
    • Software updates that scan your disk
  • 27. Browser enhancement tools study
    • Privacy Foundation examined 12 different software utilities that work with web browsers, and found numerous privacy problems
    • ALL products sent more data back “home” to vendors’ HQ than required or disclosed to end-users
  • 28. Results: poor notification of privacy violations
    • Poor placement of disclosure statements
    • Users have to return to privacy policy page on web site to check for changes
    • Sites reserve the right to release information when they want to
    • Privacy policies are clouded in technobabble and jargon
    • Policies are vague or wrongly stated
    • Sites use seals of approval from TrustE and BBB to certify their sites, but not any actual software
  • 29. Creating a solid corporate privacy policy
    • First, understand your own actions
    • Examine standards efforts
    • Policy creation software tools
    • Learning from eBay’s example
  • 30. If you develop software
    • Tell the truth about who has access to customer data
    • Have lawyers work with your engineers to review software’s actual privacy practices
    • Design with privacy in mind from the start
    • Use opt-in rather than opt-out
    • Don’t monitor URLs
  • 31. P3P
    • W3C standards-based effort
    • Major multi-vendor contributions
    • Blesses various software tools that can generate privacy policies that are more machine-readable than by humans
  • 32. TrustE’s model privacy statement
    • Available at
    • Can easily copy and modify accordingly
    • More like a legal document than helpful to users
    • A good place to start
  • 33. PrivacyBot
    • $30
    • Browser-based
    • Brief, clear, to the point
    • You can examine my own policy here:
  • 34. IBM’s Privacy Tool
    • Free
    • Java-based
    • Again, machine-readable policies that can be verified by P3P standard checking software
  • 35. eBay’s example
    • Several different versions, charts, and pages
    • Many different levels of detail, including information about spam, cookies, etc.
    • Link from bottom of home page
    • Note how they notify users when it changes
  • 36. The fine print
    • “ It is possible that eBay, its subsidiaries, its joint ventures, or any combination of such, could merge with or be acquired by another business entity. Should such a combination occur, you should expect that eBay would share some or all of your information in order to continue to provide the service. You will receive notice of such event…”
  • 37. Questions?
    • Copies of this presentation:
    • More information can be found: