Your SlideShare is downloading. ×
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply



Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. The Privacy Debate: What Do Customers and Businesses Really Want? David Strom, (516) 944-3407 eBiz June 2001
  • 2. Summary
    • Examine your own behavior
    • Customer privacy issues
    • Best practices
    • Notable eBusiness privacy failures
    • Creating your own corporate privacy policy
  • 3. My privacy parameters
    • advisor
    • “ Middle initial” tracking of magazine subscriptions
    • Not too upset by spam, usually
    • Turned off my office fax number
    • But have unlisted home phone
  • 4. Examine your own surfing behavior
    • What kinds of information do you routinely provide to web sites: email address, birthdates, zip codes, age/gender ID, etc.
    • What kinds of corporate information do you routinely provide: business phone/address, company information, etc.
    • Does information show up in your URLs?
    • How can you minimize this data flow?
  • 5. But there are a lot of things you might not be aware of
    • Monitoring your web surfing via how URLs are constructed
    • Monitoring your emails via “wiretaps”
    • Tracking you via third-party cookies
  • 6. Web URL monitoring
    • US &dep_date= 19921230 &dep_arp_code= PHL &carrarp_code= BOS &flt_number= 2386 ….
    • Should your URL show all this information?
  • 7. Email wiretapping
    • Exploits HTML email to embed small Javascript programs that can monitor who opens email and where the email goes
    • Can be prevented, with the appropriate security settings, but most people don’t take these precautions
  • 8. Third party cookie tracking
    • Ad servers like Engage, DoubleClick, and others put coding inside their ads to identify users
    • But what if this information is tied to your email or IP address?
    • And what if a third-party site obtains additional information about you this way?
  • 9. Rate these privacy invasions
    • Sending out a single piece of email with everyone's email address clearly visible in the header
    • A web site that tries to make it easier for its customers to login and track their accounts
    • A piece of software that records the IP address of the machine it is running on and reports back to headquarters
  • 10. Privacy best practices
    • What are your expectations?
    • What info is collected?
    • How are you informed of the collection process?
    • How can you change your address and other ID information?
    • What happens when the company is sold?
  • 11. What kinds of information is considered private?
    • Your IP address
    • Your Ethernet MAC address/Windows GUID
    • Your purchase history with a web storefront (or physical store)
    • Your address and phone
    • Your email address
    • Your credit card, banking account numbers
  • 12. How do products inform you of their information collection practices?
    • Before you download them in clear language on the web site
    • At the time you download them
    • With obscure privacy policies on their web site
    • In a press release from the vendor after something bad happens
  • 13. How can you change your ID?
    • With the post office, credit history, and others, relatively simple
    • With software, not so simple
    • Many products don’t have any automated tools for making changes
  • 14. Who shares this information?
    • Do sites offer secure logins or are they in the clear?
    • What about third-party cookies, who makes use of them?
  • 15. What happens to this information when your company gets sold?
    • Does a company have a legal right to hold on to its data?
    • Does a customer have a legal right to expect a company to not sell its data?
    • Do we need new consumer protection laws for these situations?
    • Are individuals’ privacy data considered a corporate asset or a liability?
  • 16. Case in point: eBay
    • Changed its privacy practices 4/01 to specifically mention what happens if sold
    • But hides this deep within their privacy policies
  • 17. How do you protect your customer’s privacy data?
    • Secure servers, careful data structures and policies
    • Authorized employees with limited access
    • Firewalls
    • Do all of these things really work?
  • 18. Privacy problems
    • Email
    • Web surfing
    • eCommerce
  • 19. Back to email issues
    • Hidden HTML code inside many email messages these days, called “web bugs”
    • Convey information on whether you open the email message or not, whether you click on this specific link, and if you want to unsubscribe
    • Works even if you use just the preview pane in MS OE/Outlook
    • Supposedly this information is just used in the aggregate, but can you be sure?
  • 20. Bad boys of web site privacy
    • Doubleclick
    • Real Networks
    • TiVO
  • 21. DoubleClick
    • Made the mistake of combining two businesses: banner ad serving and email marketing
    • Is it a violation of privacy when you aggregate individual information?
    • Third-party cookie issues
  • 22. Real Networks
    • Is it a violation of privacy when you automatically subscribe users to your service, and bury any opt-out information?
    • Should Real record my music listening habits without my explicit permission?
    • And store this data even when I am not connected to the Net?
  • 23.
    • Download an ActiveX control that makes numerous changes to your browser and email configuration, as well as Startup folders – but advertised as a “video player browser enhancement.”
    • First the company didn’t explain these changes, but now they do – in very, very fine print.
  • 24. TiVO
    • Aggregates personal TV viewing habits of its users
    • But doesn’t really make that clear
    • And employees of the company could have access to your privacy data
  • 25. eCommerce privacy mishaps
    • ToySmart trying to sell its customer list
    • Long list of break-ins to obtain customer credit cards and accounts from numerous web sites, including Ikea, Western Union
  • 26. Microsoft’s many problems
    • Hotmail break-ins galore
    • Global ID transmitted inside Word docs
    • Network collapse from poor DNS config
    • Software updates that scan your disk
  • 27. Browser enhancement tools study
    • Privacy Foundation examined 12 different software utilities that work with web browsers, and found numerous privacy problems
    • ALL products sent more data back “home” to vendors’ HQ than required or disclosed to end-users
  • 28. Results: poor notification of privacy violations
    • Poor placement of disclosure statements
    • Users have to return to privacy policy page on web site to check for changes
    • Sites reserve the right to release information when they want to
    • Privacy policies are clouded in technobabble and jargon
    • Policies are vague or wrongly stated
    • Sites use seals of approval from TrustE and BBB to certify their sites, but not any actual software
  • 29. Creating a solid corporate privacy policy
    • First, understand your own actions
    • Examine standards efforts
    • Policy creation software tools
    • Learning from eBay’s example
  • 30. If you develop software
    • Tell the truth about who has access to customer data
    • Have lawyers work with your engineers to review software’s actual privacy practices
    • Design with privacy in mind from the start
    • Use opt-in rather than opt-out
    • Don’t monitor URLs
  • 31. P3P
    • W3C standards-based effort
    • Major multi-vendor contributions
    • Blesses various software tools that can generate privacy policies that are more machine-readable than by humans
  • 32. TrustE’s model privacy statement
    • Available at
    • Can easily copy and modify accordingly
    • More like a legal document than helpful to users
    • A good place to start
  • 33. PrivacyBot
    • $30
    • Browser-based
    • Brief, clear, to the point
    • You can examine my own policy here:
  • 34. IBM’s Privacy Tool
    • Free
    • Java-based
    • Again, machine-readable policies that can be verified by P3P standard checking software
  • 35. eBay’s example
    • Several different versions, charts, and pages
    • Many different levels of detail, including information about spam, cookies, etc.
    • Link from bottom of home page
    • Note how they notify users when it changes
  • 36. The fine print
    • “ It is possible that eBay, its subsidiaries, its joint ventures, or any combination of such, could merge with or be acquired by another business entity. Should such a combination occur, you should expect that eBay would share some or all of your information in order to continue to provide the service. You will receive notice of such event…”
  • 37. Questions?
    • Copies of this presentation:
    • More information can be found: