• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Privacy and E-Commerce

Privacy and E-Commerce






Total Views
Views on SlideShare
Embed Views



1 Embed 3

http://www.linkedin.com 3



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • Privacy and Security: The Difference

Privacy and E-Commerce Privacy and E-Commerce Presentation Transcript

  • Privacy and e-Commerce Aleksandr Yampolskiy, Ph.D. Director of Security and Compliance Gilt Groupe
  • Agenda
    • Overview
    • Privacy is Dead. Get Over It.
    • So What Exactly Is Privacy?
    • Privacy and e-Commerce
    • Solutions to Your Problems
  • Who Am I?
    • Currently, head of security and compliance at Gilt Groupe, Gilt JP, Gilt City, Jetsetter companies.
    • Prior to that lead technologist in Goldman Sachs, Oracle, Microsoft in various security roles.
    • Ph.D. in Cryptography.
    • My interests : new types of malware, privacy, elliptic cryptography, distributed systems, cloud computing, security governance, forensics.
    • Follow on Twitter: @ayampolskiy
    • Email: yampolskiy@gmail.com
    • Site: http://www.alexyampolskiy.com
  • Gilt Groupe
  • Gilt Groupe
    • Gilt Groupe is an innovative e-commerce company offering highly coveted products and experiences at insider prices. Each day, Gilt offers its members a new, curated selection of merchandise, including apparel, accessories and lifestyle products for women, men and children, home entertaining and decor, along with luxury travel packages from JETSETTER and fantastic offers on local services and experiences from Gilt CITY. Most sales start at noon ET and last only 36 hours, making Gilt.com an addictive destination for aspirational shoppers from coast to coast.
    • Millions of registered users, who trust us to keep their personal data secure and private .
    • Leakage of info about even one customer could be catastrophic: “ Christina bought jeans size 24 last month and now she is 25.”
  • Agenda
    • Overview.
    • Privacy is Dead. Get Over It.
    • So What Exactly Is Privacy?
    • Privacy and e-Commerce
    • Solutions to Your Problems
  • Privacy on the Internet “ Privacy is Dead, Get Over It!” Scott McNealy, Sun Microsystems
  • Inconvenient Truth
    • Within 1 minute , I can find out your address, your marriage status, SSN, gender, driver’s license, record of prior convictions.
    • In 5 minutes , I can check any prior divorces, employment records, lawsuits, and personal photos.
    • In half an hour , I’ll know your race, sexual orientation, political preference. I’ll know the books you read, things you like, and the friends you have.
    • All that without leaving my desk.
  • Inconvenient Truth (cont.)
    • All this information is available for download, cross-referenced, and conveniently packaged with a bow on top.
    • You just need to know where to look.
    • Most of the time we have disclosed this information ourselves .
  • “ It’s always a good idea not to give out too much personal information.”
  • Agenda
    • Overview.
    • Privacy is Dead. Get Over it.
    • So What Exactly Is Privacy?
    • Privacy and e-Commerce
    • Solutions to Your Problems
  • What Privacy is Not
    • Security  Privacy
  • Security
    • Confidentiality
    • Integrity
    • Authentication
    • Non-repudiation
    continual cat-and-mouse game
  • Privacy
    • Data Protection
    • Fair Information Practice Principles
    largely understood, social construction
  • What is Privacy?
    • Where is my data?
    • How is it being used?
    • Who actually sees it?
    pri·va·cy   noun   ˈprī-və-sē,  especially British  ˈpri- freedom from unauthorized intrusion <one's right to  privacy >
  • Why do we disclose personal information?
    • Because we want to
    • - Security (ID cards)
    • - Convenience (Shop high-end fashion on Gilt in your pajamas)
    • - Other benefits (Talk to friends on Facebook)
    • Because we have to
    • - Legal requirements (Driver’s license)
    • - Commercial requirements (Mortage)
    • Because we don't care!
  • Agenda
    • Overview.
    • Privacy is Dead. Get Over it.
    • So What Exactly Is Privacy?
    • Privacy and e-Commerce
    • Solutions to Your Problems
    • Public opinion poll in June 2004 surveyed 2,136 adults online and found that 65% had declined to register at an e-commerce site due to privacy concerns
    Privacy in E-commerce Today
  • Privacy in E-commerce Today
    • More and more data is available online .
    • E-commerce companies deal with a multitude of 3 rd parties (marketing, logistics, etc.)
    • Perimeter of the network no longer clearly defined.
    • Companies can be acquired and privacy policies may change.
    • Global companies need to deal with different regulations (eg Germany law re dedicated privacy person)
  • Data Provenance 1. Order placed by user 2. CC is charged 3. Transactional email is sent to customer 4. Warehouse fulfillment 5. Shipping carrier picks up package 6. Order sent to customer 3 rd party company
  • Agenda
    • Overview.
    • Privacy is Dead. Get Over it.
    • So What Exactly Is Privacy?
    • Privacy and e-Commerce
    • Solutions to Your Problems
  • Privacy Policy
    • Have a clear policy about what data is collected and how it’s used.
    • Privacy policy is linked off registration page.
  • Simplify Your Registration
    • Only ask for data if it’s needed.
  • New Registration Page
    • Easier registration process. Less data needed.
  • Legal Agreements
    • Put a process in place so that if PII is shared with a 3 rd party, Security team reviews its security and privacy standards.
    • Security needs to give a final sign-off !
    • Contractually obligate all companies acting on your behalf to keep all info confidential and to use the customer info only to provide the services we ask them .
    • Incorporate security addendum into legal contracts re data protection, provenance, etc.
    • Data needs to be erased after contract’s expiry.
  • Access Controls
    • Implement production access controls to ensure only authorized people can view info (e.g. Customer Support).
    • Least privilege principle and auditing of access for all systems housing PII.
    • Use a persistent ID (guid) to refer to customers instead of email, SSN, etc.
  • Security Strategy
    • Make “maintaining privacy” one of your company’s strategic goals .
    • Secure critical data and ensure its privacy (credit cards, customer addresses, etc.)
    • Raise company-wide security awareness.
    • Institute secure coding practices for Engineering.
    • Secure our infrastructure.
    • Meet the compliance requirements (PCI, SOX).
  • Conclusion
    • Have a clear privacy policy linked off your registration page.
    • Know all the places your data travels to.
    • Add security addendums to your legal agreements.
    • Implement access control and auditing for all systems housing customer data.
    • Make protecting privacy part of your strategy .
  • Questions, Comments, Suggestions?