Interesting People mailing list archives
IP: Web firm receiving personal information [and see end for Coremetrics reply djf]
From: Dave Farber <farber () cis upenn edu>
Date: Tue, 01 Aug 2000 05:00:00 -0400
Web firm receiving personal information

July 31, 2000, 10:20 p.m. PT
http://news.cnet.com/news/0-1005-200-2403836.html?tag=st.ne.1005.saslnk.saseml

WASHINGTON--An Internet marketing company is secretly receiving names and addresses of customers while visiting some popular e-commerce sites, which one privacy group called "unforgivable."

A security and privacy firm that does risk assessments for Internet retailers has found that four retailers are forwarding the personally identifiable information of customers to another firm, in violation of the retailers' stated privacy policies.

When an Internet retailer breaks its own privacy policy, it can bring disaster for the company, including eroded customer confidence and lawsuits from federal regulators.

Two of the retailers, both sportswear vendors, sport the TRUSTe privacy seal, which is meant to indicate a commitment to customer privacy. The privacy group had harsh words for Coremetrics, which receives the information.

"If, in fact, these Web sites are transmitting personal information to third parties that they promised would be kept private, we would consider this an unforgivable breach of privacy," said TRUSTe spokesman Dave Steer. "TRUSTe will be looking into this matter to see if these companies are breaching their privacy statements."

Columbus, Ohio-based Interhack founder Matt Curtin said he found four sites that forwarded personal information on to Coremetrics, despite the companies' privacy policies: toy retailer Toysrus.com and its baby site Babiesrus.com, and sportswear sites Lucy.com and Fusion.com.

The sites use a myriad tools--data-storing "cookies," invisible tracking images and the Web language JavaScript--to forward personal information to Coremetrics.

Not only does Coremetrics find out a customer's name and address, it also knows what pages they visit on a site that uses their software and what goods they buy. It also tracks users between sites that use Coremetrics software.

Curtin said when a customer makes an order on the vendor's site, portions of their order are encrypted and sent off to Coremetrics. This use of encryption makes it very difficult for users to find out what's going on, fooling systems that some privacy-conscious Web surfers use, Curtin said.

And while Coremetrics explains on its site what they do and allows consumers to "opt out" of data collection, the vendor sites make no reference to Coremetrics. In fact, their privacy policies specifically state that they don't share personally identifiable information with third parties.

"That's the problem," Curtin said. "Toysrus does not have any indication that Coremetrics is part of this equation."

Privacy advocate Richard Smith, who has discovered several privacy breaches in the past, looked over Curtin's data on Toysrus and agreed with Curtin's conclusions.

"They've got a problem," he said.

Gordon Lanpher, a spokesman for Lucy.com, confirmed Curtin's findings as well. He said his company noticed a week and a half ago that its privacy policy didn't disclose the company's relationship with Coremetrics.

Lucy.com will relaunch tomorrow morning with a new privacy policy with specific disclosures and links to Coremetrics' opt-out page, Lanpher said. The other vendors did not return calls for comment.

<snip>

"I'm concerned, because it seems that there's a lot of lip service being paid to privacy," Interhack's Curtin said, "but there are not sufficient mechanisms for consumers to be able to tell what information is being collected about them."

Official Response to the Interhack Release:

o Interhack's press release is speculative and misleading. Their statements are based entirely on the assumption that Coremetrics collects data across multiple sites with the intention of reselling it to third parties. This is entirely untrue.

o Coremetrics acts as an agent for its customers, so it neither owns nor has rights to the data it collects. Any data Coremetrics tracks and reports is owned solely by our customers and we are contractually precluded from reselling or using this data.

How is Coremetrics collecting information on Web users?

o We collect information on behalf of our clients using patent pending Cookie and Java-script based technology. We use this technology to transmit the data that would normally be captured on our client's servers to our outsourced Web site usage reporting service. We do not capture personally identifiable information unless a consumer has already disclosed this information through a purchase or through registration.

Which sites does Coremetrics collect data for?

o Currently, we have signed over 40 customers. We are currently collecting data for the following companies: ToysRUs.com,

What are we doing with the data we collect?

o We are storing online consumer data on behalf of our clients and reporting the data to our customers. We do not own this data and we do not resell it to third parties.

How do we disclose to users that we collect data on them?

o Under the advisement of David Farber, Online Privacy Expert, we have a very clear privacy policy located on our Web site which very clearly informs consumers what we track and collect. We also enable consumers to globally opt out of Coremetrics tracking on all our client sites. In addition, we encourage our clients to post very clear privacy policies with a link to our opt-out feature.

How do we link personally identifiable information with online profiles?

o Once the consumer has volunteered personally identifiable information to our customer's Web site, this information becomes part of their consumer profile. Again, this is information that is voluntarily disclosed by the consumer and Coremetrics does not use or resell this information.