
    • The Privacy Debate: What Do Customers and Businesses Really Want? David Strom david@strom.com, (516) 944-3407 eBiz June 2001
    • Summary
      • Examine your own behavior
      • Customer privacy issues
      • Best practices
      • Notable eBusiness privacy failures
      • Creating your own corporate privacy policy
    • My privacy parameters
      • PrivacyX.com advisor
      • “Middle initial” tracking of magazine subscriptions
      • Not too upset by spam, usually
      • Turned off my office fax number
      • But have unlisted home phone
    • Examine your own surfing behavior
      • What kinds of information do you routinely provide to web sites: email address, birthdates, zip codes, age/gender ID, etc.
      • What kinds of corporate information do you routinely provide: business phone/address, company information, etc.
      • Does information show up in your URLs?
      • How can you minimize this data flow?
    • But there are a lot of things you might not be aware of
      • Monitoring your web surfing via how URLs are constructed
      • Monitoring your emails via “wiretaps”
      • Tracking you via third-party cookies
    • Web URL monitoring
      • http://dps1.travelocity.com/airgetaisl.ctl?aln_code=US&dep_date=19921230&dep_arp_code=PHL&carrarp_code=BOS&flt_number=2386 ….
      • Should your URL show all this information?
    • Email wiretapping
      • Exploits HTML email to embed small JavaScript programs that can monitor who opens email and where the email goes
      • Can be prevented, with the appropriate security settings, but most people don’t take these precautions
    • Third party cookie tracking
      • Ad servers like Engage, DoubleClick, and others put coding inside their ads to identify users
      • But what if this information is tied to your email or IP address?
      • And what if a third-party site obtains additional information about you this way?
    • Rate these privacy invasions
      • Sending out a single piece of email with everyone's email address clearly visible in the header
      • A web site that tries to make it easier for its customers to login and track their accounts
      • A piece of software that records the IP address of the machine it is running on and reports back to headquarters
    • Privacy best practices
      • What are your expectations?
      • What info is collected?
      • How are you informed of the collection process?
      • How can you change your address and other ID information?
      • What happens when the company is sold?
    • What kinds of information are considered private?
      • Your IP address
      • Your Ethernet MAC address/Windows GUID
      • Your purchase history with a web storefront (or physical store)
      • Your address and phone
      • Your email address
      • Your credit card, banking account numbers
    • How do products inform you of their information collection practices?
      • Before you download them in clear language on the web site
      • At the time you download them
      • With obscure privacy policies on their web site
      • In a press release from the vendor after something bad happens
    • How can you change your ID?
      • With the post office, credit history, and others, relatively simple
      • With software, not so simple
      • Many products don’t have any automated tools for making changes
    • Who shares this information?
      • Do sites offer secure logins or are they in the clear?
      • What about third-party cookies, who makes use of them?
    • What happens to this information when your company gets sold?
      • Does a company have a legal right to hold on to its data?
      • Does a customer have a legal right to expect a company to not sell its data?
      • Do we need new consumer protection laws for these situations?
      • Are individuals’ privacy data considered a corporate asset or a liability?
    • Case in point: eBay
      • Changed its privacy practices 4/01 to specifically mention what happens if sold
      • But hides this deep within their privacy policies
    • How do you protect your customer’s privacy data?
      • Secure servers, careful data structures and policies
      • Authorized employees with limited access
      • Firewalls
      • Do all of these things really work?
    • Privacy problems
      • Email
      • Web surfing
      • eCommerce
    • Back to email issues
      • Hidden HTML code inside many email messages these days, called “web bugs”
      • Convey information on whether you open the email message or not, whether you click on this specific link, and if you want to unsubscribe
      • Works even if you use just the preview pane in MS OE/Outlook
      • Supposedly this information is just used in the aggregate, but can you be sure?
    • Bad boys of web site privacy
      • DoubleClick
      • Real Networks
      • GoHip.com
      • TiVo
    • DoubleClick
      • Made the mistake of combining two businesses: banner ad serving and email marketing
      • Is it a violation of privacy when you aggregate individual information?
      • Third-party cookie issues
    • Real Networks
      • Is it a violation of privacy when you automatically subscribe users to your service, and bury any opt-out information?
      • Should Real record my music listening habits without my explicit permission?
      • And store this data even when I am not connected to the Net?
    • GoHip.com
      • Download an ActiveX control that makes numerous changes to your browser and email configuration, as well as Startup folders – but advertised as a “video player browser enhancement.”
      • First the company didn’t explain these changes, but now they do – in very, very fine print.
    • TiVo
      • Aggregates personal TV viewing habits of its users
      • But doesn’t really make that clear
      • And employees of the company could have access to your privacy data
    • eCommerce privacy mishaps
      • ToySmart trying to sell its customer list
      • Long list of break-ins to obtain customer credit cards and accounts from numerous web sites, including Ikea, Western Union
    • Microsoft’s many problems
      • Hotmail break-ins galore
      • Global ID transmitted inside Word docs
      • Network collapse from poor DNS config
      • Software updates that scan your disk
    • Browser enhancement tools study
      • Privacy Foundation examined 12 different software utilities that work with web browsers, and found numerous privacy problems
      • ALL products sent more data back “home” to vendors’ HQ than required or disclosed to end-users
    • Results: poor notification of privacy violations
      • Poor placement of disclosure statements
      • Users have to return to privacy policy page on web site to check for changes
      • Sites reserve the right to release information when they want to
      • Privacy policies are clouded in technobabble and jargon
      • Policies are vague or wrongly stated
      • Sites use seals of approval from TRUSTe and BBB to certify their sites, but not any actual software
    • Creating a solid corporate privacy policy
      • First, understand your own actions
      • Examine standards efforts
      • Policy creation software tools
      • Learning from eBay’s example
    • If you develop software
      • Tell the truth about who has access to customer data
      • Have lawyers work with your engineers to review software’s actual privacy practices
      • Design with privacy in mind from the start
      • Use opt-in rather than opt-out
      • Don’t monitor URLs
    • P3P
      • W3C standards-based effort
      • Major multi-vendor contributions
      • Blesses various software tools that can generate privacy policies that are more readable by machines than by humans
    • TRUSTe’s model privacy statement
      • Available at www.truste.com/webpublishers/pub_modelprivacystatement.html
      • Can easily copy and modify accordingly
      • More like a legal document than helpful to users
      • A good place to start
    • PrivacyBot
      • $30
      • Browser-based
      • Brief, clear, to the point
      • You can examine my own policy here: strom.com/privacypolicy.html
    • IBM’s Privacy Tool
      • Free
      • Java-based
      • Again, machine-readable policies that can be verified by P3P standard checking software
    • eBay’s example
      • Several different versions, charts, and pages
      • Many different levels of detail, including information about spam, cookies, etc.
      • Link from bottom of home page
      • Note how they notify users when it changes
    • The fine print
      • “It is possible that eBay, its subsidiaries, its joint ventures, or any combination of such, could merge with or be acquired by another business entity. Should such a combination occur, you should expect that eBay would share some or all of your information in order to continue to provide the service. You will receive notice of such event…”
    • Questions?
      • Copies of this presentation: strom.com/pubwork/privacy.ppt
      • More information can be found:
      • www.privacyfoundation.org/pdf/bea.pdf
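
The "Email wiretapping" and "Back to email issues" slides describe hidden HTML ("web bugs") and embedded scripts that report when a message is opened. The following is an added example, not part of the original presentation: a defensive check a mail gateway or client could run over an HTML body to list that content. The hostnames and the sample message are constructed, and the 1-pixel/hidden-style heuristic is an assumption about how such images are usually marked up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class MailTrackerScan(HTMLParser):
    """Collects (kind, detail) findings for tracking content in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # parser already lowercases names
        if tag == "script":
            self.findings.append(("script", a.get("src", "inline")))
        for name in a:
            if name.startswith("on"):          # onload=, onclick=, ...
                self.findings.append(("event-handler", f"{tag} {name}"))
        if tag == "img" and self._is_remote(a.get("src", "")):
            # Any remote fetch reveals the open; tiny or hidden images exist only for that.
            kind = "web-bug" if self._is_tiny(a) else "remote-image"
            self.findings.append((kind, a["src"]))

    @staticmethod
    def _is_remote(src):
        return urlsplit(src.strip()).scheme in ("http", "https")

    @staticmethod
    def _is_tiny(a):
        def px(v):
            v = v.strip().lower()
            v = v[:-2] if v.endswith("px") else v
            return int(v) if v.isdecimal() else None
        w, h = px(a.get("width", "")), px(a.get("height", ""))
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        return hidden or (w is not None and w <= 1) or (h is not None and h <= 1)

def scan_html_mail(body):
    """Return findings in document order; an empty list means nothing was flagged."""
    parser = MailTrackerScan()
    parser.feed(body)
    parser.close()
    return parser.findings

# Constructed sample message body (not taken from any real mailing).
SAMPLE = """<p>Spring sale starts today.</p>
<img src="http://img.example.test/banner.gif" width="468" height="60">
<img src="http://track.example.test/open.gif?id=PLACEHOLDER" width="1" height="1">
<script>/* constructed placeholder */</script>"""
```

Images referenced by `cid:` are attachments inside the message and are not reported, since displaying them contacts no server.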