Information Security News mailing list archives

Despite privacy policies, some online retailers giving customer information to marketing firm


From: InfoSec News <isn () C4I ORG>
Date: Wed, 2 Aug 2000 03:16:37 -0500

http://www.techserver.com/noframes/story/0,2294,500234509-500341963-501963112-0,00.html

By D. IAN HOPPER, Associated Press

WASHINGTON (August 1, 2000 8:08 a.m. EDT http://www.nandotimes.com) -
Without knowing it, some Internet shoppers are forking over more than
cash for their purchases. Several online retailers have been giving a
marketing company their customers' personal information.

Privacy groups called the practice an "unforgivable breach" of
confidentiality.

A security and privacy firm that does risk assessments for Internet
retailers says four such sites have forwarded personally identifiable
information to the marketing company, Coremetrics, in violation of the
retailers' privacy policies.

When an Internet retailer breaks its own privacy policy, it can bring
disaster for the company, including eroded customer confidence and
lawsuits from federal regulators.

Two of the retailers, both sportswear vendors, carry the TRUSTe
privacy seal, which is meant to indicate a commitment to customer
privacy.

"If, in fact, these Web sites are transmitting personal information to
third parties that they promised would be kept private, we would
consider this an unforgivable breach of privacy," TRUSTe spokesman
Dave Steer said Monday. "TRUSTe will be looking into this matter to
see if these companies are breaching their privacy statements."

Columbus, Ohio-based Interhack Corp. founder Matt Curtin said he found
four sites that forwarded personal information that Coremetrics said
it was "contractually bound" to keep private: toy retailer ToysRUs and
its baby site BabiesRUs, and sportswear sites Lucy.com and Fusion.com.

The sites use a myriad of tools - data-storing "cookies," invisible
tracking images and the Web language JavaScript - to forward personal
information to Coremetrics.

Coremetrics uses the data to build demographic information for the
vendor Web sites, showing the company which Web pages and promotions
were popular.
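The tools named above (third-party scripts, invisible tracking images and the cookies they set) leave visible traces in a page's HTML, which is how an audit like Curtin's begins. The following is an added example, not code from the article or from Interhack or Coremetrics: a small Python script that parses a constructed order-confirmation page and flags resources loaded from any host other than the retailer's own, plus any image sized 1x1 pixel. The hostnames, paths and query parameters in the sample are made up for illustration; only the Python standard library is used.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hypothetical hosts; nothing here is from the article).
# It mimics a retailer's confirmation page that embeds a 1x1 beacon image and a
# script from a third-party analytics host, alongside ordinary first-party assets.
SAMPLE_HTML = """
<html><body>
<h1>Thanks for your order</h1>
<img src="/images/logo.gif" width="120" height="40" alt="logo">
<img src="https://tracker.example-analytics.invalid/beacon.gif?cid=42&o=ABC123" width="1" height="1">
<script src="https://tracker.example-analytics.invalid/collect.js"></script>
<script src="/js/cart.js"></script>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect every img, script and iframe reference on the page with its attributes."""

    TAGS = {"img": "src", "script": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.TAGS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        url = attrs.get(attr_name)
        if url:
            self.resources.append((tag, url, attrs))


def audit_page(html, first_party_host):
    """Return findings for resources that either load from a host other than
    first_party_host or are 1x1 images (the classic invisible tracking image).
    Each finding records whether the URL carries a query string, since that is
    where a beacon typically encodes the data it reports."""
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url, attrs in parser.resources:
        parsed = urlparse(url)
        host = parsed.netloc.lower()
        third_party = bool(host) and host != first_party_host.lower()
        tiny = tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1"
        if third_party or tiny:
            findings.append({
                "tag": tag,
                "host": host or first_party_host,
                "url": url,
                "third_party": third_party,
                "tiny_image": tiny,
                "has_query": bool(parsed.query),
            })
    return findings


def third_party_hosts(findings):
    """Distinct external hosts the page talks to; each one should be named in the privacy policy."""
    return sorted({f["host"] for f in findings if f["third_party"]})


if __name__ == "__main__":
    # "shop.example.invalid" is the hypothetical retailer's own host.
    for finding in audit_page(SAMPLE_HTML, "shop.example.invalid"):
        print(finding)
    print("third-party hosts:", third_party_hosts(SAMPLE_HTML and audit_page(SAMPLE_HTML, "shop.example.invalid")))
```

A static scan like this only shows which hosts a page references; it cannot tell what a script sends once it runs, and, as the article notes further down, the payload may be encoded so that matching on a customer's name in the request would find nothing. Comparing the list of external hosts against the names actually disclosed in the privacy policy is the check that matters.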

Not only does Coremetrics find out a customer's name and address, it
also knows what pages they visit on a site that uses its software
and what goods they browse. It also tracks users between sites that
use Coremetrics software - currently more than 40 clients since its
March launch, including Wal-Mart's Web site.

Curtin said when a customer makes an order on the vendor's site,
portions of their order are encrypted and sent off to Coremetrics.

This use of encryption makes it very difficult for users to find out
what's going on, said Curtin, fooling systems that some
privacy-conscious Web surfers use.

And while Coremetrics explains on its site what it does, and allows
consumers to "opt out" of data collection, the vendor sites make no
reference to Coremetrics. In fact, their privacy policies specifically
state that they don't share personally identifiable information with
third parties.

"BabiesRUs.com keeps your personal information completely
confidential," reads that company's privacy policy.

"That's the problem," said Curtin. "ToysRUs does not have any
indication that Coremetrics is part of this equation."

Privacy advocate Richard Smith, who has discovered several privacy
breaches in the past, looked over Curtin's data on ToysRUs and agreed
with Curtin's conclusions. "They've got a problem," he said.

Gordon Lanpher, a spokesman for Lucy.com, confirmed Curtin's findings
as well. He said his company noticed a week and a half ago that its
privacy policy didn't disclose the company's relationship with
Coremetrics. Lucy.com will relaunch Tuesday morning with a new privacy
policy with specific disclosures and links to Coremetrics' opt-out
page, Lanpher said.

The other vendors did not return calls for comment.

David Farber, a privacy expert, is listed on Coremetrics' board of
advisers. Farber is a computer science professor at the University of
Pennsylvania and advises the Federal Communications Commission on
scientific issues. He is also on the board of the San Francisco-based
Electronic Frontier Foundation, known for its free-speech and privacy
work.

A Coremetrics spokesman said the company is legally bound not to
disclose the data to anyone else, but did admit that Coremetrics
personnel could access it.

Brett Hurt, Coremetrics' CEO and co-founder, said they "strongly
encourage" all of their clients to disclose their relationship with
Coremetrics and provide a link to Coremetrics' opt-out page. But, "we
can't control what our clients do," he said.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".