Privacy and E-Commerce


Published in: Technology

    1. Privacy and e-Commerce
       Aleksandr Yampolskiy, Ph.D.
       Director of Security and Compliance, Gilt Groupe
    2. Agenda
       • Overview
       • Privacy is Dead. Get Over It.
       • So What Exactly Is Privacy?
       • Privacy and e-Commerce
       • Solutions to Your Problems
    3. Who Am I?
       • Currently, head of security and compliance at Gilt Groupe, Gilt JP, Gilt City, Jetsetter companies.
       • Prior to that, lead technologist at Goldman Sachs, Oracle, Microsoft in various security roles.
       • Ph.D. in Cryptography.
       • My interests: new types of malware, privacy, elliptic cryptography, distributed systems, cloud computing, security governance, forensics.
       • Follow on Twitter: @ayampolskiy
       • Email:
       • Site:
    4. Gilt Groupe
    5. Gilt Groupe
       • Gilt Groupe is an innovative e-commerce company offering highly coveted products and experiences at insider prices. Each day, Gilt offers its members a new, curated selection of merchandise, including apparel, accessories and lifestyle products for women, men and children, home entertaining and decor, along with luxury travel packages from JETSETTER and fantastic offers on local services and experiences from Gilt CITY. Most sales start at noon ET and last only 36 hours, making an addictive destination for aspirational shoppers from coast to coast.
       • Millions of registered users, who trust us to keep their personal data secure and private.
       • Leakage of info about even one customer could be catastrophic: “Christina bought jeans size 24 last month and now she is 25.”
    6. Agenda
       • Overview
       • Privacy is Dead. Get Over It.
       • So What Exactly Is Privacy?
       • Privacy and e-Commerce
       • Solutions to Your Problems
    7. Privacy on the Internet
       “Privacy is Dead, Get Over It!” Scott McNealy, Sun Microsystems
    8. Inconvenient Truth
       • Within 1 minute, I can find out your address, your marriage status, SSN, gender, driver’s license, record of prior convictions.
       • In 5 minutes, I can check any prior divorces, employment records, lawsuits, and personal photos.
       • In half an hour, I’ll know your race, sexual orientation, political preference. I’ll know the books you read, things you like, and the friends you have.
       • All that without leaving my desk.
    9. Inconvenient Truth (cont.)
       • All this information is available for download, cross-referenced, and conveniently packaged with a bow on top.
       • You just need to know where to look.
       • Most of the time we have disclosed this information ourselves.
    10. “It’s always a good idea not to give out too much personal information.”
    11. Agenda
       • Overview
       • Privacy is Dead. Get Over It.
       • So What Exactly Is Privacy?
       • Privacy and e-Commerce
       • Solutions to Your Problems
    12. What Privacy is Not
       • Security ≠ Privacy
    13. Security
       • Confidentiality
       • Integrity
       • Authentication
       • Non-repudiation
       continual cat-and-mouse game
    14. Privacy
       • Data Protection
       • Fair Information Practice Principles
       largely understood, social construction
    15. What is Privacy?
       • Where is my data?
       • How is it being used?
       • Who actually sees it?
       pri·va·cy, noun, ˈprī-və-sē, especially British ˈpri-: freedom from unauthorized intrusion <one's right to privacy>
    16. Why do we disclose personal information?
       • Because we want to
         - Security (ID cards)
         - Convenience (Shop high-end fashion on Gilt in your pajamas)
         - Other benefits (Talk to friends on Facebook)
       • Because we have to
         - Legal requirements (Driver’s license)
         - Commercial requirements (Mortgage)
       • Because we don't care!
    17. Agenda
       • Overview
       • Privacy is Dead. Get Over It.
       • So What Exactly Is Privacy?
       • Privacy and e-Commerce
       • Solutions to Your Problems
    18. Privacy in E-commerce Today
       • Public opinion poll in June 2004 surveyed 2,136 adults online and found that 65% had declined to register at an e-commerce site due to privacy concerns.
    19. Privacy in E-commerce Today
       • More and more data is available online.
       • E-commerce companies deal with a multitude of 3rd parties (marketing, logistics, etc.)
       • Perimeter of the network no longer clearly defined.
       • Companies can be acquired and privacy policies may change.
       • Global companies need to deal with different regulations (e.g. German law regarding a dedicated privacy person)
    20. Data Provenance
       1. Order placed by user
       2. CC is charged
       3. Transactional email is sent to customer
       4. Warehouse fulfillment
       5. Shipping carrier picks up package
       6. Order sent to customer
       Diagram label: 3rd party company
    21. Agenda
       • Overview
       • Privacy is Dead. Get Over It.
       • So What Exactly Is Privacy?
       • Privacy and e-Commerce
       • Solutions to Your Problems
    22. Privacy Policy
       • Have a clear policy about what data is collected and how it’s used.
       • Privacy policy is linked off registration page.
    23. Simplify Your Registration
       • Only ask for data if it’s needed.
    24. New Registration Page
       • Easier registration process. Less data needed.
    25. Legal Agreements
       • Put a process in place so that if PII is shared with a 3rd party, Security team reviews its security and privacy standards.
       • Security needs to give a final sign-off!
       • Contractually obligate all companies acting on your behalf to keep all info confidential and to use the customer info only to provide the services we ask of them.
       • Incorporate security addendum into legal contracts re data protection, provenance, etc.
       • Data needs to be erased after contract’s expiry.
    26. Access Controls
       • Implement production access controls to ensure only authorized people can view info (e.g. Customer Support).
       • Least privilege principle and auditing of access for all systems housing PII.
       • Use a persistent ID (guid) to refer to customers instead of email, SSN, etc.
    27. Security Strategy
       • Make “maintaining privacy” one of your company’s strategic goals.
       • Secure critical data and ensure its privacy (credit cards, customer addresses, etc.)
       • Raise company-wide security awareness.
       • Institute secure coding practices for Engineering.
       • Secure our infrastructure.
       • Meet the compliance requirements (PCI, SOX).
    28. Conclusion
       • Have a clear privacy policy linked off your registration page.
       • Know all the places your data travels to.
       • Add security addendums to your legal agreements.
       • Implement access control and auditing for all systems housing customer data.
       • Make protecting privacy part of your strategy.
    29. Questions, Comments, Suggestions?
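
The three recommendations on the Access Controls slide (authorized-only viewing, audited access, a persistent GUID instead of email or SSN) can be combined as in the sketch below. It is an added example, not code from the deck or from Gilt; the class name, role names and sample customer are assumptions constructed for illustration.

```python
import uuid
from datetime import datetime, timezone

# Roles allowed to resolve a customer ID back to PII (assumed role names).
PII_ROLES = {"customer_support"}

class CustomerVault:
    """Holds PII keyed by an opaque GUID; every PII read is checked and audited."""

    def __init__(self):
        self._pii = {}        # guid -> {"email": ..., "address": ...}
        self._by_email = {}   # normalized email -> guid (never leaves the vault)
        self.audit_log = []   # append-only record of every PII access attempt

    def register(self, email, address):
        key = email.strip().lower()
        if key in self._by_email:       # same customer keeps the same persistent ID
            return self._by_email[key]
        guid = str(uuid.uuid4())        # random, so the ID itself carries no PII
        self._pii[guid] = {"email": email.strip(), "address": address}
        self._by_email[key] = guid
        return guid

    def read_pii(self, actor, role, guid, reason):
        allowed = role in PII_ROLES
        # Log before deciding, so denied attempts are visible to auditors too.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "customer": guid,
            "reason": reason, "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not read PII")
        return dict(self._pii[guid])    # copy, so callers cannot mutate the vault

def demo():
    vault = CustomerVault()
    cid = vault.register("pat@example.com", "1 Constructed St")  # constructed sample
    # Orders, logs and partner feeds reference the GUID only.
    order = {"order_id": 1001, "customer": cid, "sku": "JEANS-24"}
    denied = False
    try:
        vault.read_pii("etl-job", "analytics", cid, "nightly report")
    except PermissionError:
        denied = True
    record = vault.read_pii("agent7", "customer_support", cid, "support ticket")
    return order, denied, record, vault.audit_log
```

Systems that only need to join records (order history, analytics, third-party feeds) work with the GUID and never see the email or address; the audit log captures both permitted and refused lookups.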