Interesting People mailing list archives

IP: Web firm receiving personal information [and see end for Coremetrics reply djf]


From: Dave Farber <farber () cis upenn edu>
Date: Tue, 01 Aug 2000 05:00:00 -0400




Web firm receiving personal information

July 31, 2000, 10:20 p.m. PT

http://news.cnet.com/news/0-1005-200-2403836.html?tag=st.ne.1005.saslnk.saseml


WASHINGTON--An Internet marketing company is secretly receiving names and
addresses of customers while visiting some popular e-commerce sites, which
one privacy group called "unforgivable."

A security and privacy firm that does risk assessments for Internet
retailers has found that four retailers are forwarding the personally
identifiable information of customers to another firm, in violation of the
retailers' stated privacy policies.

When an Internet retailer breaks its own privacy policy, it can bring
disaster for the company, including eroded customer confidence and lawsuits
from federal regulators.

Two of the retailers, both sportswear vendors, sport the TRUSTe privacy
seal, which is meant to indicate a commitment to customer privacy. The
privacy group had harsh words for Coremetrics, which receives the
information.

"If, in fact, these Web sites are transmitting personal information to third
parties that they promised would be kept private, we would consider this an
unforgivable breach of privacy," said TRUSTe spokesman Dave Steer. "TRUSTe
will be looking into this matter to see if these companies are breaching
their privacy statements."

Columbus, Ohio-based Interhack founder Matt Curtin said he found four sites
that forwarded personal information on to Coremetrics, despite the
companies' privacy policies: toy retailer Toysrus.com and its baby site
Babiesrus.com, and sportswear sites Lucy.com and Fusion.com.

The sites use a myriad of tools--data-storing "cookies," invisible tracking
images and the Web language JavaScript--to forward personal information to
Coremetrics. Not only does Coremetrics find out a customer's name and
address, it also knows what pages they visit on a site that uses their
software and what goods they buy. It also tracks users between sites that
use Coremetrics software.

Curtin said when a customer makes an order on the vendor's site, portions of
their order are encrypted and sent off to Coremetrics.

This use of encryption makes it very difficult for users to find out what's
going on, fooling systems that some privacy-conscious Web surfers use,
Curtin said.

And while Coremetrics explains on its site what they do and allows consumers
to "opt out" of data collection, the vendor sites make no reference to
Coremetrics. In fact, their privacy policies specifically state that they
don't share personally identifiable information with third parties.

"That's the problem," Curtin said. "Toysrus does not have any indication
that Coremetrics is part of this equation."

Privacy advocate Richard Smith, who has discovered several privacy breaches
in the past, looked over Curtin's data on Toysrus and agreed with Curtin's
conclusions. "They've got a problem," he said.

Gordon Lanpher, a spokesman for Lucy.com, confirmed Curtin's findings as
well. He said his company noticed a week and a half ago that its privacy
policy didn't disclose the company's relationship with Coremetrics. Lucy.com
will relaunch tomorrow morning with a new privacy policy with specific
disclosures and links to Coremetrics' opt-out page, Lanpher said.

The other vendors did not return calls for comment.

<snip>

"I'm concerned, because it seems that there's a lot of lip service being
paid to privacy," Interhack's Curtin said, "but there are not sufficient
mechanisms for consumers to be able to tell what information is being
collected about them."

Official Response to the Interhack Release:
o       Interhack's press release is speculative and misleading.  Their 
statements are based entirely on the assumption that Coremetrics collects 
data across multiple sites with the intention of reselling it to third 
parties.  This is entirely untrue.
o       Coremetrics acts as an agent for its customers, so it neither owns 
nor has rights to the data it collects. Any data Coremetrics tracks and 
reports is owned solely by our customers and we are contractually precluded 
from reselling or using this data.

How is Coremetrics collecting information on Web users?
o       We collect information on behalf of our clients using patent 
pending Cookie and JavaScript-based technology.  We use this technology to 
transmit the data that would normally be captured on our client's servers 
to our outsourced Web site usage reporting service.  We do not capture 
personally identifiable information unless a consumer has already disclosed 
this information through a purchase or through registration.

Which sites does Coremetrics collect data for?
o       Currently, we have signed over 40 customers.  We are currently 
collecting data for the following companies: ToysRUs.com,

What are we doing with the data we collect?
o       We are storing online consumer data on behalf of our clients and 
reporting the data to our customers.  We do not own this data and we do not 
resell it to third parties.

How do we disclose to users that we collect data on them?
o       Under the advisement of David Farber, Online Privacy Expert, we 
have a very clear privacy policy located on our Web site which very clearly 
informs consumers what we track and collect.  We also enable consumers to 
globally opt out of Coremetrics tracking on all our client sites.  In 
addition, we encourage our clients to post very clear privacy policies with 
a link to our opt-out feature.

How do we link personally identifiable information with online profiles?
o       Once the consumer has volunteered personally identifiable 
information to our customer's Web site, this information becomes part of 
their consumer profile. Again, this is information that is voluntarily 
disclosed by the consumer and Coremetrics does not use or resell this 
information.

