  1. The Privacy Debate: What Do Customers and Businesses Really Want? David Strom, (516) 944-3407, eBiz, June 2001
  2. Summary
     • Examine your own behavior
     • Customer privacy issues
     • Best practices
     • Notable eBusiness privacy failures
     • Creating your own corporate privacy policy
  3. My privacy parameters
     • advisor
     • “Middle initial” tracking of magazine subscriptions
     • Not too upset by spam, usually
     • Turned off my office fax number
     • But have unlisted home phone
  4. Examine your own surfing behavior
     • What kinds of information do you routinely provide to web sites: email address, birthdates, zip codes, age/gender ID, etc.
     • What kinds of corporate information do you routinely provide: business phone/address, company information, etc.
     • Does information show up in your URLs?
     • How can you minimize this data flow?
  5. But there are a lot of things you might not be aware of
     • Monitoring your web surfing via how URLs are constructed
     • Monitoring your emails via “wiretaps”
     • Tracking you via third-party cookies
  6. Web URL monitoring
     • US &dep_date= 19921230 &dep_arp_code= PHL &carrarp_code= BOS &flt_number= 2386 ….
     • Should your URL show all this information?
  7. Email wiretapping
     • Exploits HTML email to embed small JavaScript programs that can monitor who opens email and where the email goes
     • Can be prevented, with the appropriate security settings, but most people don’t take these precautions
  8. Third-party cookie tracking
     • Ad servers like Engage, DoubleClick, and others put coding inside their ads to identify users
     • But what if this information is tied to your email or IP address?
     • And what if a third-party site obtains additional information about you this way?
  9. Rate these privacy invasions
     • Sending out a single piece of email with everyone's email address clearly visible in the header
     • A web site that tries to make it easier for its customers to login and track their accounts
     • A piece of software that records the IP address of the machine it is running on and reports back to headquarters
  10. Privacy best practices
      • What are your expectations?
      • What info is collected?
      • How are you informed of the collection process?
      • How can you change your address and other ID information?
      • What happens when the company is sold?
  11. What kinds of information are considered private?
      • Your IP address
      • Your Ethernet MAC address/Windows GUID
      • Your purchase history with a web storefront (or physical store)
      • Your address and phone
      • Your email address
      • Your credit card, banking account numbers
  12. How do products inform you of their information collection practices?
      • Before you download them in clear language on the web site
      • At the time you download them
      • With obscure privacy policies on their web site
      • In a press release from the vendor after something bad happens
  13. How can you change your ID?
      • With the post office, credit history, and others, relatively simple
      • With software, not so simple
      • Many products don’t have any automated tools for making changes
  14. Who shares this information?
      • Do sites offer secure logins or are they in the clear?
      • What about third-party cookies, who makes use of them?
  15. What happens to this information when your company gets sold?
      • Does a company have a legal right to hold on to its data?
      • Does a customer have a legal right to expect a company to not sell its data?
      • Do we need new consumer protection laws for these situations?
      • Are individuals’ privacy data considered a corporate asset or a liability?
  16. Case in point: eBay
      • Changed its privacy practices 4/01 to specifically mention what happens if sold
      • But hides this deep within their privacy policies
  17. How do you protect your customer’s privacy data?
      • Secure servers, careful data structures and policies
      • Authorized employees with limited access
      • Firewalls
      • Do all of these things really work?
  18. Privacy problems
      • Email
      • Web surfing
      • eCommerce
  19. Back to email issues
      • Hidden HTML code inside many email messages these days, called “web bugs”
      • Convey information on whether you open the email message or not, whether you click on this specific link, and if you want to unsubscribe
      • Works even if you use just the preview pane in MS OE/Outlook
      • Supposedly this information is just used in the aggregate, but can you be sure?
  20. Bad boys of web site privacy
      • DoubleClick
      • Real Networks
      • TiVO
  21. DoubleClick
      • Made the mistake of combining two businesses: banner ad serving and email marketing
      • Is it a violation of privacy when you aggregate individual information?
      • Third-party cookie issues
  22. Real Networks
      • Is it a violation of privacy when you automatically subscribe users to your service, and bury any opt-out information?
      • Should Real record my music listening habits without my explicit permission?
      • And store this data even when I am not connected to the Net?
  23.
      • Download an ActiveX control that makes numerous changes to your browser and email configuration, as well as Startup folders – but advertised as a “video player browser enhancement.”
      • First the company didn’t explain these changes, but now they do – in very, very fine print.
  24. TiVO
      • Aggregates personal TV viewing habits of its users
      • But doesn’t really make that clear
      • And employees of the company could have access to your privacy data
  25. eCommerce privacy mishaps
      • ToySmart trying to sell its customer list
      • Long list of break-ins to obtain customer credit cards and accounts from numerous web sites, including Ikea, Western Union
  26. Microsoft’s many problems
      • Hotmail break-ins galore
      • Global ID transmitted inside Word docs
      • Network collapse from poor DNS config
      • Software updates that scan your disk
  27. Browser enhancement tools study
      • Privacy Foundation examined 12 different software utilities that work with web browsers, and found numerous privacy problems
      • ALL products sent more data back “home” to vendors’ HQ than required or disclosed to end-users
  28. Results: poor notification of privacy violations
      • Poor placement of disclosure statements
      • Users have to return to privacy policy page on web site to check for changes
      • Sites reserve the right to release information when they want to
      • Privacy policies are clouded in technobabble and jargon
      • Policies are vague or wrongly stated
      • Sites use seals of approval from TrustE and BBB to certify their sites, but not any actual software
  29. Creating a solid corporate privacy policy
      • First, understand your own actions
      • Examine standards efforts
      • Policy creation software tools
      • Learning from eBay’s example
  30. If you develop software
      • Tell the truth about who has access to customer data
      • Have lawyers work with your engineers to review software’s actual privacy practices
      • Design with privacy in mind from the start
      • Use opt-in rather than opt-out
      • Don’t monitor URLs
  31. P3P
      • W3C standards-based effort
      • Major multi-vendor contributions
      • Blesses various software tools that can generate privacy policies that are more readable by machines than by humans
  32. TrustE’s model privacy statement
      • Available at
      • Can easily copy and modify accordingly
      • More like a legal document than helpful to users
      • A good place to start
  33. PrivacyBot
      • $30
      • Browser-based
      • Brief, clear, to the point
      • You can examine my own policy here:
  34. IBM’s Privacy Tool
      • Free
      • Java-based
      • Again, machine-readable policies that can be verified by P3P standard checking software
  35. eBay’s example
      • Several different versions, charts, and pages
      • Many different levels of detail, including information about spam, cookies, etc.
      • Link from bottom of home page
      • Note how they notify users when it changes
  36. The fine print
      • “It is possible that eBay, its subsidiaries, its joint ventures, or any combination of such, could merge with or be acquired by another business entity. Should such a combination occur, you should expect that eBay would share some or all of your information in order to continue to provide the service. You will receive notice of such event…”
  37. Questions?
      • Copies of this presentation:
      • More information can be found:
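
The "web bugs" and scripted email "wiretaps" described in slides 7 and 19 can be spotted by inspecting a message's HTML before it is rendered. The following is an added example, not part of the original presentation; the sample message, its hosts, and the tiny-image and query-string heuristics are constructed assumptions.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not from the presentation); all hosts are placeholders.
SAMPLE_EMAIL = """\
From: news@shop.example
To: reader@mail.example
Subject: June offers
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello! <a href="http://shop.example/sale">See the sale</a></p>
<img src="http://shop.example/logo.gif" width="120" height="40">
<img src="http://tracker.example/open.gif?uid=reader%40mail.example" width="1" height="1">
<script>var w = window.open("http://tracker.example/fwd");</script>
</body></html>
"""

class BugFinder(HTMLParser):
    """Collects remote images that look like web bugs, and any script tags."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.findings.append(("script", a.get("src") or "inline"))
        elif tag == "img":
            url = urlsplit(a.get("src") or "")
            if url.scheme not in ("http", "https"):
                return  # cid: and other non-HTTP sources are not remote fetches
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            if tiny or url.query:
                reason = "tiny-image" if tiny else "image-with-query"
                self.findings.append((reason, url.geturl()))

def scan_email(raw):
    """Return (reason, detail) findings for every HTML part of a raw message."""
    finder = BugFinder()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            charset = part.get_content_charset() or "utf-8"
            finder.feed(payload.decode(charset, errors="replace"))
    return finder.findings
```

Calling `scan_email(SAMPLE_EMAIL)` flags the 1x1 tracking image and the inline script while leaving the ordinary logo image alone; a mail gateway or client could use such findings to block remote content by default.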