Wednesday, July 11, 2007

E-commerce and Privacy

Privacy should be a main concern for everyone, not because you have something to hide, but because you deserve it; it's your right. On the other hand, the thin line between a sales department preserving your purchasing history to contact you later on and preserving it to serve you better is where the dilemma starts. Should you always have an opt-out capability, thus ruining someone's marketing data aggregation model, or should you be willing to share your data in order to receive a better customer experience?

In a recently conducted study, researchers at Carnegie Mellon University came to the conclusion that people are in fact willing to pay more when their privacy is ensured, but mind you, ensured in a merchant's privacy policy only. Is this a feasible protective measure, or just the compliance-centered, automatically generated text you come across on every merchant's web site? And how harsh is reality in this case?

"The study, led by Lorrie Cranor, director of the Carnegie Mellon Usable Privacy and Security (CUPS) Lab, found that people were more likely to buy from online merchants with good privacy policies, as identified by Privacy Finder and were also willing to pay about 60 cents extra on a $15 purchase when buying from a site with a privacy policy they liked."

One of the most famous breaches of a personal data aggregator, one that really made the news all over the world, was that of Choicepoint, a U.S.-based personal data aggregator. It is famous mainly because of the huge number of affected individuals, which doesn't mean a bigger breach hasn't already happened somewhere else in the world. The thing is, across the world it is still not very popular to report a security breach, let alone to have reporting regulated by law. And perhaps even if you were regulated, you wouldn't be able to report something you're not aware of in the first place, would you? Looking at a merchant's or data aggregator's privacy policy, and given you have enough experience to tell an authentic policy from an automatically generated one, you often see something like this passage from Choicepoint's privacy policy:

"Once we receive personally-identifiable information, we take steps to protect its security on our systems. In the event we request or transmit sensitive information, such as credit card information or Social Security Numbers, we use industry standard, secure socket layer ("SSL") encryption. We limit access to personally-identifiable information to those employees who need access in order to carry out their job responsibilities."

The same is the case with Amazon, eBay and the rest of the E-commerce icons. In 2007, even phishers use SSL certificates to make their spoofs look more legitimate, and again in 2007 the majority of reported data breaches are due to laptop losses rather than network or even insider-related vulnerabilities. Therefore, even though a merchant complies with the law regarding the need for a privacy policy, having one doesn't mean that purchasing history and personal data won't get exposed.

Common privacy assurance criteria on major merchants' sites remain:

- TRUSTe certificate
- Hackersafe check
- Compliance with industry standard security best practices

Best practices are a necessary evil: evil because what they're missing is exactly what attackers are exploiting, namely the pragmatic vulnerabilities that yield the data in question, as opposed to entering the target through the main door. Back in the days of the dotcom boom, when Web 2.0's mature business models were a VC's dream come true, the overall perspective on Internet crime had to do with the concept of directly transferring funds from a bank hacked through network vulnerabilities, while in reality, from an attacker's point of view, it's far more effective to target its customers directly. This is exactly the same case with E-commerce and privacy: either the merchant will store your business relationship with them and expose it, or you will somehow leak it out.

Whatever the case, a privacy policy is words, and common sense obviously remains a special mode of thinking for the majority of web shoppers.
