What Do Customers and Businesses Really Want?
Download
Report
Transcript What Do Customers and Businesses Really Want?
The Privacy Debate:
What Do Customers and
Businesses Really Want?
David Strom
[email protected], (516) 944-3407
eBiz June 2001
(c) 2001 David Strom Inc.
1
Summary
•
•
•
•
•
Examine your own behavior
Customer privacy issues
Best practices
Notable eBusiness privacy failures
Creating your own corporate privacy policy
(c) 2001 David Strom Inc.
2
My privacy parameters
• PrivacyX.com advisor
• “Middle initial” tracking of magazine
subscriptions
• Not too upset by spam, usually
• Turned off my office fax number
• But have unlisted home phone
(c) 2001 David Strom Inc.
3
Examine your own surfing
behavior
• What kinds of information do you routinely
provide to web sites: email address,
birthdates, zip codes, age/gender ID, etc.
• What kinds of corporate information do you
routinely provide: business phone/address,
company information, etc.
• Does information show up in your URLs?
• How can you minimize this data flow?
(c) 2001 David Strom Inc.
4
But there are a lot of things you
might not be aware of
• Monitoring your web surfing via how URLs
are constructed
• Monitoring your emails via “wiretaps”
• Tracking you via third-party cookies
(c) 2001 David Strom Inc.
5
Web URL monitoring
• http://dps1.travelocity.com/airgetaisl.ctl?aln
_code=US&dep_date=19921230&dep_arp_
code=PHL&carrarp_code=BOS&flt_numb
er=2386 ….
• Should your URL show all this
information?
(c) 2001 David Strom Inc.
6
Email wiretapping
• Exploits HTML email to embed small
Javascript programs that can monitor who
opens email and where the email goes
• Can be prevented, with the appropriate
security settings, but most people don’t take
these precautions
(c) 2001 David Strom Inc.
7
Third party cookie tracking
• Ad servers like Engage, DoubleClick, and
others put coding inside their ads to identify
users
• But what if this information is tied to your
email or IP address?
• And what if a third-party site obtains
additional information about you this way?
(c) 2001 David Strom Inc.
8
Rate these privacy invasions
• Sending out a single piece of email with
everyone's email address clearly visible in
the header
• A web site that tries to make it easier for its
customers to login and track their accounts
• A piece of software that records the IP
address of the machine it is running on and
reports back to headquarters
(c) 2001 David Strom Inc.
9
Privacy best practices
• What are your expectations?
• What info is collected?
• How are you informed of the collection
process?
• How can you change your address and other
ID information?
• What happens when the company is sold?
(c) 2001 David Strom Inc.
10
What kinds of information is
considered private?
• Your IP address
• Your Ethernet MAC address/Windows
GUID
• Your purchase history with a web storefront
(or physical store)
• Your address and phone
• Your email address
• Your credit card, banking account numbers
(c) 2001 David Strom Inc.
11
How do products inform you of their
information collection practices?
• Before you download them in clear
language on the web site
• At the time you download them
• With obscure privacy policies on their web
site
• In a press release from the vendor after
something bad happens
(c) 2001 David Strom Inc.
12
How can you change your ID?
• With the post office, credit history, and
others, relatively simple
• With software, not so simple
• Many products don’t have any automated
tools for making changes
(c) 2001 David Strom Inc.
13
Who shares this information?
• Do sites offer secure logins or are they in
the clear?
• What about third-party cookies, who makes
use of them?
(c) 2001 David Strom Inc.
14
What happens to this information
when your company gets sold?
• Does a company have a legal right to hold
on to its data?
• Does a customer have a legal right to expect
a company to not sell its data?
• Do we need new consumer protection laws
for these situations?
• Are individuals’ privacy data considered a
corporate asset or a liability?
(c) 2001 David Strom Inc.
15
Case in point: eBay
• Changed its privacy practices 4/01 to
specifically mention what happens if sold
• But hides this deep within their privacy
policies
(c) 2001 David Strom Inc.
16
How do you protect your
customer’s privacy data?
• Secure servers, careful data structures and
policies
• Authorized employees with limited access
• Firewalls
• Do all of these things really work?
(c) 2001 David Strom Inc.
17
Privacy problems
• Email
• Web surfing
• eCommerce
(c) 2001 David Strom Inc.
18
Back to email issues
• Hidden HTML code inside many email messages
these days, called “web bugs”
• Convey information on whether you open the
email message or not, whether you click on this
specific link, and if you want to unsubscribe
• Works even if you use just the preview pane in
MS OE/Outlook
• Supposedly this information is just used in the
aggregate, but can you be sure?
(c) 2001 David Strom Inc.
19
Bad boys of web site privacy
•
•
•
•
Doubleclick
Real Networks
GoHip.com
TiVO
(c) 2001 David Strom Inc.
20
DoubleClick
• Made the mistake of combining two
businesses: banner ad serving and email
marketing
• Is it a violation of privacy when you
aggregate individual information?
• Third-party cookie issues
(c) 2001 David Strom Inc.
21
Real Networks
• Is it a violation of privacy when you
automatically subscribe users to your
service, and bury any opt-out information?
• Should Real record my music listening
habits without my explicit permission?
• And store this data even when I am not
connected to the Net?
(c) 2001 David Strom Inc.
22
GoHip.com
• Download an ActiveX control that makes
numerous changes to your browser and
email configuration, as well as Startup
folders – but advertised as a “video player
browser enhancement.”
• First the company didn’t explain these
changes, but now they do – in very, very
fine print.
(c) 2001 David Strom Inc.
23
TiVO
• Aggregates personal TV viewing habits of
its users
• But doesn’t really make that clear
• And employees of the company could have
access to your privacy data
(c) 2001 David Strom Inc.
24
eCommerce privacy mishaps
• ToySmart trying to sell its customer list
• Long list of break-ins to obtain customer
credit cards and accounts from numerous
web sites, including Ikea, Western Union
(c) 2001 David Strom Inc.
25
Microsoft’s many problems
•
•
•
•
Hotmail break-ins galore
Global ID transmitted inside Word docs
Network collapse from poor DNS config
Software updates that scan your disk
(c) 2001 David Strom Inc.
26
Browser enhancement tools study
• Privacy Foundation examined 12 different
software utilities that work with web
browsers, and found numerous privacy
problems
• ALL products sent more data back “home”
to vendors’ HQ than required or disclosed to
end-users
(c) 2001 David Strom Inc.
27
Results: poor notification of
privacy violations
• Poor placement of disclosure statements
• Users have to return to privacy policy page on
web site to check for changes
• Sites reserve the right to release information when
they want to
• Privacy policies are clouded in technobabble and
jargon
• Policies are vague or wrongly stated
• Sites use seals of approval from TrustE and BBB
to certify their sites, but not any actual software
(c) 2001 David Strom Inc.
28
Creating a solid corporate
privacy policy
•
•
•
•
First, understand your own actions
Examine standards efforts
Policy creation software tools
Learning from eBay’s example
(c) 2001 David Strom Inc.
29
If you develop software
• Tell the truth about who has access to
customer data
• Have lawyers work with your engineers to
review software’s actual privacy practices
• Design with privacy in mind from the start
• Use opt-in rather than opt-out
• Don’t monitor URLs
(c) 2001 David Strom Inc.
30
P3P
• W3C standards-based effort
• Major multi-vendor contributions
• Blesses various software tools that can
generate privacy policies that are more
machine-readable than by humans
(c) 2001 David Strom Inc.
31
TrustE’s model privacy statement
• Available at
www.truste.com/webpublishers/pub_modelp
rivacystatement.html
• Can easily copy and modify accordingly
• More like a legal document than helpful to
users
• A good place to start
(c) 2001 David Strom Inc.
32
PrivacyBot
•
•
•
•
$30
Browser-based
Brief, clear, to the point
You can examine my own policy here:
strom.com/privacypolicy.html
(c) 2001 David Strom Inc.
33
IBM’s Privacy Tool
• Free
• Java-based
• Again, machine-readable policies that can
be verified by P3P standard checking
software
(c) 2001 David Strom Inc.
34
eBay’s example
• Several different versions, charts, and pages
• Many different levels of detail, including
information about spam, cookies, etc.
• Link from bottom of home page
• Note how they notify users when it changes
(c) 2001 David Strom Inc.
35
The fine print
“It is possible that eBay, its subsidiaries, its joint
ventures, or any combination of such, could
merge with or be acquired by another business
entity. Should such a combination occur, you
should expect that eBay would share some or all
of your information in order to continue to
provide the service. You will receive notice of
such event…”
(c) 2001 David Strom Inc.
36
Questions?
• Copies of this presentation:
strom.com/pubwork/privacy.ppt
• More information can be found:
www.privacyfoundation.org/pdf/bea.pdf
(c) 2001 David Strom Inc.
37