Slashdot Mirror
Failed Dot-Coms Selling Private Info
goingware writes: "This article at CNet describes how troubled Internet companies are selling off customer data in an effort to pay off creditors or keep themselves afloat, in violation of stated privacy policies. Among the sites that are doing this are Boo.com and Toysmart. These companies were Truste approved sites before their failure. Note that when a company is bankrupt, its assets are divided up and sold off according to what the court orders, and may not have much to do with what the company tried to promise. I also noticed when checking out the articles that CNet uses doubleclick so you may want to browse the articles with cookies off."
If a video store folded, could they sell the rental records?
This one, at least there's an answer to: no. Those renting Videos are required by law to keep the rental records confidential and not share them with third parties.
I don't attribute it to direct intention as in "Make rejecting cookies hard, so that the user won't do it." I would say, rather, that the default for any UI is "annoying to use", and that the only deliberate decision went something like:
"Boy, cookies are hard to disable, aren't they? Do you think we should fix it?"
"Well, let's see. The users don't pay us for the software. The cookie-senders have strategic partnerships with us. I don't feel like putting any effort into that feature, do you?"
The current cookie options are easy to code; I'd say that's sufficient explanation.
What's chemical waste ? Asset or liability ?
Imagine an asbestos mill that goes bust. One day their pile of raw asbestos is an asset that's an essential part of their business process, the next it's a liability that requires expensive disposal.
If they can be taken over by another asbestos mill, then the raw material turns back into being an asset, because they're another business entity that can make valuable and legitimate usage of this stuff. The material is still being utilised under the terms of the original conditions that applied to it (don't breathe the dust / don't mis-use the data).
Of course, you could instead sell asbestos fibres instead as a cheap and non-fattening filler for cookie dough -- you might even get a really good price for it, as food is a more profitable business than asbestos these days. Fortunately we have laws against this, that recognise that an asset may have attached conditions to it that prevent its simply sale to whoever offers the best possible price (Sadly some countries don't enforce this, and we do find situations like the Spanish cooking oil poisoning disaster).
Boo are selling their whole customer base (both of them), but it's formatted as a 20 minute long Flash animation that opens five browser windows for each customer.
Having a sysadmin, on his hast day wiping the database would have done the job... but....
Remember, these companies couldn't give a fart about you. They dont care about you from the beginning, and they dont care at the end, they care if your credit card clears though. Any company that says that they "care about you the customer." is lying through their teeth. Do you think that Andover or VA is going to care about you if financial troubles hit and they can get another $300K from the email/profile databases they have here? If you think they wont sell it/ delete it before it can be sold/etc.. you are fooling yourself..
A business in there TO MAKE MONEY. Slashdot is here TO MAKE MONEY. I doubt that Mr Taco would flit the bill for this server farm if it came out of his pocket every month.
(Weee, I get to be marked as a troll!)
If anyone ever thinks for one moment that anyone will protect them or their data, for free, then that person is pretty damn stupid.
Cover your Own Arse... Expecting others to do it for you, is the typical Lazy american way.
Do not look at laser with remaining good eye.
Even better, add the following line to your /etc/hosts :
ads.doubleclick.net 127.0.0.1
Even better. Now you don't need to download them at all.
Syllable : It's an Operating System
The main problem I see with the government is the obvious conflict of interest that arises when corporations make laws through lobbying and "donations," which of course is a symptom of business having too much power in the first place.
I submitted this article three days ago but it was refused for some reason, probably because the story also ran on kuro5hin. So far I have read all the posts in this thread and most of them are focussing on DoubleClick which is incidental to the news story instead of discussing the fact that dotcomms are not only selling dotcomm info but are taking out ads to do so.
From the artricle: Toysmart, meanwhile, advertised the sale of its customer list and database in The Wall Street Journal last month after ceasing operations. The company overseeing the sale of Toysmart's assets, the Recovery Group, said several interested parties have bid on the customer information.
I am very worried at this trend, because I have a lot of personal data at CDNow and considering that they are in serious trouble will my personal data also be sold? I have begun to fear for all the dotcomms I have ever bought anything from because the last thing I'd want is for my address, credit card info and shopping habits to be sold by some failed e-business like some email spam list. The fact that the companies are taking out ads to sell our info and hiring agents to do this shows completely that industry self regulation has failed. I sincerely hope the FTC jumps on this like a porkchop in a dog kennel.
I properly setup escrow would be protected even in the event of a buyout. Certainly things like pension funds and the like can be setup so they can't be touched even during a takeover. Similar things could be done with data. Also note that expiration terms would make the data less valuable anyway.
sigs are a waste of space
I ended up setting up procmail to return EXITCODE=67 to them and never shopped there again.
We don't have that problem. Other problems, maybe, but not that one.
I'm old enough to remember when discussions on Slashdot were well informed.
I agree with you that a well-hacked Mozilla-like program is one option, but there's another one: proxies. As far as keeping cookies off your drive, JunkBuster seems to do a pretty good job, and offers a much more fine-grained control over what's going on than the current option of "Either block all cookies or allow them all or get nagged every five seconds for each individual cookie." (Yes, there's the "trusted sites" zone in IE, but I don't care to mark any site even temporarily trustable.)
Your more general point of "the only way you'll get a cookie-free web experience is hacking one together yourself" is quite correct, though.
> I have never quite understood those opposing laws and regulations, claiming that "consumer power" and other public pressure will keep companies on the rug.
I do... politicians are far better at exactly the same tricks. Regulation isn't an evil thing in itself but I think the best regulations are in the "full disclosure" area where companys (and government agentcys) must be upfront.
Most consummers don't trust companys to collect data to start with. This is just one example of this. Companys change privacy policys or get bought out.
"We won't share with other companys" "Oh by the way we are now owned by Scam-U-Up" wops your screwed...
It is working... Note the Double Click warnning.. "We are Double Click we won't sell your information..." waiting for Scam-U-Up to do a corprate take-over of Double Click.
But.... that is becouse we KNEW about DC...
We take it on faith alone that CmdrTaco dosn't use his weblogs for anything more than security and admin information.
And then there is me. Where did all this junkmail come from? Not e-spam.. not UCE... postal spam.. Let's see.. I sent in my Commodore 64 and 128 warrenty cards... as well as warrenty cards for half a dosen other products to companys that went away in the early 1990s. My ex-employeer was sued. Oh wait... my employment records.. on cort documents? Ok thats government. Hmm most of this junk for dot coms... like... oh wait... MeowPawjects... oh yeah thats public record.. du...
My personal life is pritty well public knowladge and there isn't much I can say about it.
You really think I'm trusting the agentcy that gave away my work records to protect my surfing habbits? I don't care if you know about my surfing habbits (I do mess with the systems used becouse it's just not right but thats about all I do).
I think self regulation dose work to a degree.
Privacy is an area companys usually DO "go off the rug" so we distrust them in this area at every turn.
But I'm not expecting any agentcy to prevent such records from becomming public when they'll publish it on cort documents.
I don't actually exist.
Slashdot should hire us a lawyer.
You know, that's actually not a bad idea. Andover could conceivably pay an actual attorney to review legal issues as they arise, to avoid too many misunderstandings and misinformation from the vast majority of us who need "IANAL" disclaimers...
Would it be worth the cost? I don't know, but it could certainly be a service to the community...
Deven
"Simple things should be simple, and complex things should be possible." - Alan Kay
I worked for a bank for almost 4 years, and I have news for you: Banks sell your information all the time.
Someone please moderate up the parent post? This is significant, and most people probably don't realize it...
Deven
"Simple things should be simple, and complex things should be possible." - Alan Kay
Me, I keep my NYT cookie from last year, my ADS and simbad cookies (astronomy work), and my slashdot cookie. The rest can assign me a new, unique, "look, another user!" cookie every time I happen by, and I flush them to the bit bucket every time I exit netscape.
"I will take the Ring," he said, "though I do not know the way."
Those agreements usually reference the site's privacy policy. They expect that those agreements are binding on you, and for that to be the case, wouldn't the same agreement be binding on them to?
Further, I've seen sites that display their privacy policy or other promiss to never give away and/or sell the data on the order page, too. Are they not by making the promiss when I order --- and send them money --- forming a contract with me not to sell the data?
Do the consumers of these sites have any recourse? If they don't, then how should a privacy policy be constructed such that it is legally enforceable?
It's hard for me to immagine that the silly little links at the bottom of a page saying that "by using this site you agree to..." could possibly be valid if their privacy policies aren't.
--
if your doctor's clinic folded, he could sell your patient info?
if a telco folded, could they sell your phone records?
if a bank collapsed, could they sell your financial transaction history?
if your ISP folded, could they sell your surfing habits?
http://www.doubleclick.net/optout/def ault.asp
Follow the link above so that DoubleClick will issue you a cookie with the string id=OPT_OUT. This will prevent DoubleClick from doing its "DoubleClickish" tracking and serving, and rather just serve you banner ads straight out.
And, yes, I'm aware of the irony of me making a post like this when my site is full of DoubleClick code
--------
Oscarfish.com: tropical fish with attitude. Way t
Another blow to the "industry self regulation" supporters. Maybe sometimes they'll understand that capitalism without limits is just crap. Some things need to be moderated : when it comes to the economic rules, only an elected organisation should set the rules, not the players of the game themselves (aka corporation).
If, say, medical insurance companies were required to set rates only based on their age, how long they have been insured, and (perhaps) state, and no other information, it wouldn't matter what kind of access they had to your medical records.
That's, in fact, how private medical insurance works in many countries. Insurance companies can still compete in all those areas where companies compete well in the free market: lowering costs, improving service, etc., they simply don't have the information to cherry-pick low-risk customers and leave the high risk customers to the public system.
If personal information was kept in some kind of escrow system with guarunteed expiries and the like.
;-)
Ultimately you're always vulnerable to bancrupcies, but presumably a places like Verisign are more likely to exist than Boo.com...
sigs are a waste of space
Could you not argue that you are exchanging your information in return for access to the services the company provides?
tangent - art and creation are a higher purpose
postmoderncore - art and creation are a higher purpose
"Either block all cookies or allow them all or get nagged every five seconds for each individual cookie."
Getting nagged every time is an intentional tactic to make you accept all cookies. What appears to be badly programmed and incompetently designed is actually intentionally annoying--they're spoofing privacy and inconvenience and trackability as ease of use. That's actually interesting.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Interesting approach, this would really be nice to have in the form of a net nanny like application that block privacy intruding sites rather then porn. I once turned cookie notification (turning off is not an option for me becaus then I loose customization on a lot of sites), but after an hour or so I got fed up clicking OK/Cancel for each site so I turned them on again.
Another thing that would be nice is if you could choose which sites are allowed to store cookies and which not (and make the browser remember what you choose). E.g. I want slashdot to remember my settings but CNN.com has no business setting cookies in my browser (I hate their customized site so i don't use it anyway).
Those two things combined would solve some of the privacy intrusions. Of course, as soon as you fill in forms on e-commerce sites, you have no control so be carefull what information you provide. I generally use the need to know principle: only provide the information that you really have to provide. If you need to fill in three pages of information just to buy a book, buy it somewhere else. Also i use a special email address that I provide when untrusted sites require an email address (sometimes I just provide bla@bla.org if I'm annoyed). This helps preventing spam (works quite well for me).
In any case I think the solution for the problem mentioned in the article is that Truste sues the companies trading information (which I assume is not in line with what Truste allows). This would re-establish them as a good brand and may increase the trustworthyness of their other customers.
Jilles
The answer is yes. You're looking at this the wrong way. Let's say another bank buys your bank. Are they going to close all the accounts, send your $37.98 back to you, and say, "Hello. Your bank doesn't exist anymore, and we don't own the records to your account. Would you like to open an account with us?" If that were the case, there would be no reason to buy a bank in the first place!
A company "folding" in each of these cases just means they sell to someone else at a discount to their actual value. As I see it, the problem isn't with them selling the accounts/histories/data. It's whether or not the new company is willing to abide by the same ground rules. This could very easily be negotiated into the agreement between the old {.com|doctor|ISP|telco|bank} and the new one.
This has actually happened to me with a doctor's office. The old doc retired and sold out to a new doctor, and included all my records. A good thing, because when I went to the new doctor, there was no break in service. The new doctor was bound by the same legal restrictions on sharing information as the old one, however!
I can see a bigger problem when a business goes under, liquidates, and as part of the liquidation sells customer information to inappropriate parties, with no strings attached. But let's make sure that's what we rail against, not just selling the information to the party who buys the business.
The KDE browser (and some other browsers) allow you to "reject forever" or "accept forever" cookies. So you can select on a case by case basis.
:)
So unless your logging into a website.. "reject forever" and you'll be happy
I don't actually exist.
Of course, it's a Windoze-only solution; works with the following browsers according to their web site:
Costs a couple bucks after a trial period. To paraphrase JWZ, other solutions are free only only if your time is worthless ...
One simple rule for its versus it's
Yeah thats kinda scary...
For a silly (yet sereous) note...
After all the weak DotComs sell off colected information....
COM collection copration... we sell databases full of all the information colected by the dot coms...
It is pritty scary....
So who's gona buy your Amazon records?
Who will buy you CD Now data?
Hay... All you people who have my.mp3.com accounts... wouldn't you just LOVE to let some record company buy out a record of YOUR cd collection?
"hay he has lots of punk rock.. and dosn't have any 'Smelly Boot' CDs... let's go sell him some Smelly Boot..."
"But I don't like Smelly Boot..."
or worse... people buying 1970s Disco [Ohh yuck.. ok bad tast to start with] get ads for 1960s Disco [It gose by a diffrent name I just don't know it becouse I was born in 1969].. I heard some of it... Trust me.. even if you LOVE 1970s Disco... you won't like the 1960s counterpart..
(Yes they call it Disco... they didn't back then but they do now.. I guess the lable was stapped by someone who hates both...)
I wonder if the FTC will care...
This is an OLD busness practace...
When my ex-employer was sold they did nothing more than sell the database, the name and the main office. Everything else got sold to other companys. Not a big issue as the information stayed with the name. But for any real sense of being the company no longer exists.
I'm sure you'll find when any given company folds the costumer records are right there for anyone who has the money.
I don't actually exist.
Are you trying to imply that TRUSTe certified sites don't break their policies, change them without notice, and/or have sucky policies anyway?
eBay broke their policy, changed it without notice to allow for what they did, then broke the new policy anyway. They still have a seal. I don't think you can consider TRUSTe to mean anything.
As I understand it, there has been some talk of forming a seal program with a funding source other than the companies reviewed. It might mean something.
Honestly, what would surprise me would be if a company that *didn't* have a TRUSTe seal suddenly turned around and broke its policy. For some reason, I've never had privacy problems with a company that doesn't have one of those seals...
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Mozilla does this just fine.
In fact, I have mine configured to
1) automatically reject off-site cookies
2) Ask me before accepting any cookie
3) Remember which sites are allowed to set cookies.
I only use cookies when they offer some benefit to me, the consumer. 99.99% of all cookies only offer benefits to the server. And that should not be mandatory. Mozilla seems to develop more for the benefits of the consumer.
Don't read my postings in these threads until you send me $1 :)
hawk, esq.
Hmmm., please tell me more:
I am by now way a legal expert, but if I understand you correctly a company can promise their customers almost anything concerning the handling of their customers information and data, but as soon as they go bankrupt they don't need to follow any agreements made with their customers?
Do you have any references to actual law or practicies in this case? Who decides that the "protected" data is an asset that may be sold - is the company or a legal institution? Is this specific for US law?
Basically, I am not surprised that these things happen - if a company can use a loophole in the laws and make money out of it they will. The only way to make them not do it is to make laws that regulate what companies can do and can not do.
I have never quite understood those opposing laws and regulations, claiming that "consumer power" and other public pressure will keep companies on the rug.
I am a lawyer, but this is not legal advice. If you need legal advice, contact an attorney licensed in your jurisdiction.
There are a number of factors at play here. The bottom line will be that, for the most part this data cannot be sold.
Forming a contract is *very* easy. Put up a message that says, "give me this information, and I promise not to reveal it," and you have an offer. Anyone providing the information accepts the contract, and the recipient is contractually bound not to reveal it. Selling it would be a breach.
Given a breach, the consumers would be entitled to "specific performance," a court order enforcing the terms of the contract.
But then comes bankruptcy, which can do all kinds of strange things to contracts, setting aside large parts of the contract, which *might* allow a sale--but this introduces a new catch, namely that every single person who provided a name becomes a creditor with rights in the bankruptcy.
There's a couple of ways that this could play out. It certainly isn't crystal clear that privacy wins, but my money is on privacy. Given that the expectation of continued privacy covered the gathering of the information, the potential sale of that information could not have been looked upon as an asset by the other creditors. THere's a couple of ways to reach this, the simplest being the contract.
Sale of the *entire* company might be a different matter. If thugs.com branches out from lockpicks to handgus, would they have been allowed to use the information they gathered to promote their new product line? If so, the entire company can probably be sold, and the new parent company can likely use the information in a similar manner. If not, the new parent company would be similarly barred from the information.
hawk, esq.
Can I buy some Visa/Master Card numbers and expiration dates?
Oh, it's already on eBay. I see...
From the article:
"CraftShop promised that it wouldn't release the names without approval," Mackey said. "So we just can't take the names and sell them to anyone interested. We couldn't deal them independently. (The company name and customer list) had to go together."
While such a transfer may be perfectly legal, some privacy advocates find that to be little solace.
Such a sale is taking advantage of a loophole, according to Andrew Shen, policy analyst with the Electronic Privacy and Information Center (EPIC), a privacy watchdog group based in Washington, D.C.
"This is why the (Federal Trade Commission) act is not a sufficient manner in which to protect privacy," Shen said. "We need stronger laws to prevent the exchange of customer information when companies merge or are sold."
An area like this can get complicated. If, say, little.com says it won't share it's customer info with anyone, and big.com buys little.com, I don't see any reason why they should just have to throw out little.com's customer info at that point; little.com has just become a part of big.com, so big.com should be able to inhert little.com's customer info (with all the original privacy argreemts on it still legal binding on big.com).
But if, say, marketing.com buys the little.com "name" along with it's customer info, they shouldn't be able to set up a subsidiary "little-marketing.com" which markets to the customers of little.com as little.com; that's violating the spirit of the agreement, if perhaps not the letter of it.
Looks like places like TrustE will have to get some more comprehensive (and, unfortunatly, more complicated) privacy policies for dot-coms to follow.
Suppose you were an idiot. And suppose that you were a member of Congress. But I repeat myself.
Give a man a fire, and he'll be warm for a day, but set him on fire, and he'll be warm for the rest of his life.
Note that when a company is bankrupt, its assets are divided up and sold off according to what the court orders, and may not have much to do with what the company tried to promise.
I'm not a lawyer, but if the company was not legally able to sell someone's private details before it went bankrupt as per a privacy agreement, I can't see how it could be considered an asset. If anything, it's a liability because the information would have to be destroyed or withheld from people who wanted it illegally.
If this is true, how could any court treat it as such to be broken up and sold to pay creditors Isn't this whole thing more about what's in an original privacy agreement than what a court orders?
The amazing thing is these stores and their signs have been there for years and a handfull of owners take turns selling the store to each other thus making it legal to have a propetual going out of buisness sale for the times square tourists who think they're getting a deal.
As users of the internet, we're like a bunch of tourists. We pull into town with our browsers, drop off a little peronal data, and zip off to the next site before we remember the name of the site.
This is why:
1) By law companies should have attain my informed consent before collecting information from me.
2) The copyright and distrobution rights to my digital biography should remain mine untill I relinquish that right to a 3rd party.
When it comes to colecting information, think of your digital biography like loading a progresively interlavced GIF or PNG file. With a little information, a vague outline the picture becomes clear. On the next pass, as more data is filled in, some smaller details become understandable. With all the data in place, a complete picture of the persona life comes on-line. It's a picture of your life. You should have at least a little distrobution control.
___
By the power vested in me by the United States Constitution, I declare you a raging idiot.
The Captain
Of course it does. It means the site involved has impure motives and wishes to put up a fake appearance of trustworthiness that doesn't actually mean anything :)
I use it here, works like a dream.
http://www.mp3.com/tib - be lamer than lame
lynx has the best behaviour of all: it gives you four choices to each
incoming cookie: accept, reject, accept all from this site, reject all
from this site, plus it is very easy to change your mind about these
choices using the `cookie jar'. I wish there was a graphical browser
out there that duplicated lynx's functionality in this respect.
Did you eat paint chips when you were a kid? Some businesses do need to be regulated in order to protect the interests of the people at large. Granted, we can't control all aspects of the economy, but I hardly think blaming the courts for business' mistakes is in order. Comparing a major corporation to a little kid is a little off, too. The kid can't bribe his parents to get them to shut up - most kids I know aren't financially independent.
Take a look at these Supreme Court Cases:
Helvering v. Watts 296 U.S. 387
Procter & Gamble v. U.S. 225 U.S. 387
U.S. v. Amer. Bldg. Maint. Industries 422 U.S. 271
The last case quotes Section 7 of the Clayton Act, 15 U.S.C. 18: "No corporation engaged in commerce shall acquire, directly or indirectly, the whole or any part of the stock or other share capital and no corporation subject to the jurisdiction of the Federal Trade Commission shall acquire the whole or any part of the assets of another corporation engaged also in commerce, where in any line of commerce in any section of the country, the effect of such acquisition may be substantially to lessen competition, or to tend to create a monopoly."
The Clayton Act was created for a reason - to protect the American people from the rapacious greed of monolithic corporations. Perhaps your mental image would be better supplanted with an incubus whose parents don't allow him to do anything, and he ends up devouring their souls.
On the note of personal information, just think how much info yahoo and slashdot have on you if you have an account on either. Slashdot know what sites you like as well as what authors you don't like, and what your opinions are. Hmm makes you think a bit. If you have yahoo mail, they have all your sent mail if they want to keep it as well as all your recieved mail if they want to keep that too. If you have any of their other services, like calendar or my.yahoo, they know more about you. The www is not an information trading formum. YOu want a service you must give up information on your self. If they hav laws about protecting childrenm why do we not start to implemnet laws to protect the adults as well?
send flames > /dev/null
Only 'flamers' flame!
Unless you wipe out your cookie folder(yes, the one that says OH MY GOD DEAR GOD NO YOU'RE DELETING A COOKIE NO NO NO YOU REALLY DONT WANT TO DO THIS NOOOO care of Microsoft), cookies still function whether or not they've been "disabled" by the browser.
This behavior occurs in both Netscape and Internet Explorer, and of course completely contradicts expected behavior.
Browsers recently joined Crypto code in my eyes as things that companies have serious trouble being able to do securely once they get too big. Mozilla's hiring(they sent me a letter, not that I'm looking for new work). The thought of a functional browser that I can easily patch to not violate my privacy is more than tempting...we may really need Mozilla more for its security considerations than even for its standards compliance.
The bottom line may just be that browser makers are just be too vulnerable to the demands of unethical marketers. The spasms that Windows goes into when you try to delete a cookie; that cookies are still served even if they're disabled in the browser...these just aren't accidental bugs, and shouldn't be treated as such.
Thoughts?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com