Information Security News mailing list archives
Despite privacy policies, some online retailers giving customer information to marketing firm
From: InfoSec News <isn () C4I ORG>
Date: Wed, 2 Aug 2000 03:16:37 -0500
http://www.techserver.com/noframes/story/0,2294,500234509-500341963-501963112-0,00.html

By D. IAN HOPPER, Associated Press

WASHINGTON (August 1, 2000 8:08 a.m. EDT http://www.nandotimes.com) - Without knowing it, some Internet shoppers are forking over more than cash for their purchases. Several online retailers have been giving a market company their customers' personal information. Privacy groups called the practice an "unforgivable breach" of confidentiality.

A security and privacy firm that does risk assessments for Internet retailers says four such sites have forwarded personally identifiable information to the marketing company, Coremetrics, in violation of the retailers' privacy policies.

When an Internet retailer breaks its own privacy policy, it can bring disaster for the company, including eroded customer confidence and lawsuits from federal regulators.

Two of the retailers, both sportswear vendors, carry the TRUSTe privacy seal, which is meant to indicate a commitment to customer privacy.

"If, in fact, these Web sites are transmitting personal information to third parties that they promised would be kept private, we would consider this an unforgivable breach of privacy," TRUSTe spokesman Dave Steer said Monday. "TRUSTe will be looking into this matter to see if these companies are breaching their privacy statements."

Columbus, Ohio-based Interhack Corp. founder Matt Curtin said he found four sites that forwarded personal information that Coremetrics said it was "contractually bound" to keep private: toy retailer ToysRUs and its baby site BabiesRUs, and sportswear sites Lucy.com and Fusion.com.

The sites use a myriad of tools - data-storing "cookies," invisible tracking images and the Web language JavaScript - to forward personal information to Coremetrics. Coremetrics uses the data to build demographic information for the vendor Web sites, showing the company which Web pages and promotions were popular.

Not only does Coremetrics find out a customer's name and address, it also knows what pages they visit on a site that uses their software and what goods they browse. It also tracks users between sites that use Coremetrics software - currently more than 40 clients since their March launch, including Wal-Mart's Web site.

Curtin said when a customer makes an order on the vendor's site, portions of their order are encrypted and sent off to Coremetrics. This use of encryption makes it very difficult for users to find out what's going on, said Curtin, fooling systems that some privacy-conscious Web surfers use.

And while Coremetrics explains on its site what it does, and allows consumers to "opt out" of data collection, the vendor sites make no reference to Coremetrics. In fact, their privacy policies specifically state that they don't share personally identifiable information with third parties.

"BabiesRUs.com keeps your personal information completely confidential," reads that company's privacy policy.

"That's the problem," said Curtin. "ToysRUs does not have any indication that Coremetrics is part of this equation."

Privacy advocate Richard Smith, who has discovered several privacy breaches in the past, looked over Curtin's data on ToysRUs and agreed with Curtin's conclusions.

"They've got a problem," he said.

Gordon Lanpher, a spokesman for Lucy.com, confirmed Curtin's findings as well. He said his company noticed a week and a half ago that its privacy policy didn't disclose the company's relationship with Coremetrics.

Lucy.com will relaunch Tuesday morning with a new privacy policy with specific disclosures and links to Coremetrics' opt-out page, Lanpher said. The other vendors did not return calls for comment.

David Farber, a privacy expert, is listed on Coremetrics' board of advisers. Farber is a computer science professor at the University of Pennsylvania and advises the Federal Communications Commission on scientific issues. He is also on the board of the San Francisco-based Electronic Frontier Foundation, known for its free-speech and privacy work.

A Coremetrics spokesman said the company is legally bound not to disclose the data to anyone else, but did admit that Coremetrics personnel could access it.

Brett Hurt, Coremetrics' CEO and co-founder, said they "strongly encourage" all of their clients to disclose their relationship with Coremetrics and provide a link to Coremetrics' opt-out page.

But, "we can't control what our clients do," he said.

ISN is hosted by SecurityFocus.com