Slashdot Mirror


Failed Dot-Coms Selling Private Info

goingware writes: "This article at CNet describes how troubled Internet companies are selling off customer data in an effort to pay off creditors or keep themselves afloat, in violation of stated privacy policies. Among the sites that are doing this are Boo.com and Toysmart. These companies were Truste approved sites before their failure. Note that when a company is bankrupt, its assets are divided up and sold off according to what the court orders, and may not have much to do with what the company tried to promise. I also noticed when checking out the articles that CNet uses doubleclick so you may want to browse the articles with cookies off."


  1. Re:Browsing with Cookies Disabled is Useless by Alik · · Score: 3

    I don't attribute it to direct intention as in "Make rejecting cookies hard, so that the user won't do it." I would say, rather, that the default for any UI is "annoying to use", and that the only deliberate decision went something like:

    "Boy, cookies are hard to disable, aren't they? Do you think we should fix it?"

    "Well, let's see. The users don't pay us for the software. The cookie-senders have strategic partnerships with us. I don't feel like putting any effort into that feature, do you?"

    The current cookie options are easy to code; I'd say that's sufficient explanation.

  2. Re:Boo.com - no problem by dingbat_hp · · Score: 3

    Boo are selling their whole customer base (both of them), but it's formatted as a 20 minute long Flash animation that opens five browser windows for each customer.

  3. If you are really that worried about doubleclick by Ex+Machina · · Score: 3
    Under Linux as root this will stop your browser from connecting to doubleclick. You really want to read up on ipchains if you can't get this to work.
    # ipchains -A output -d 199.95.207.0/24 -j REJECT
    # ipchains -A output -d 199.95.208.0/24 -j REJECT
  4. Forget Double Click, Discuss the Article by Carnage4Life · · Score: 3

    I submitted this article three days ago but it was refused for some reason, probably because the story also ran on kuro5hin. So far I have read all the posts in this thread and most of them are focussing on DoubleClick, which is incidental to the news story, instead of discussing the fact that dot-coms are not only selling dot-com info but are taking out ads to do so.

    From the article: Toysmart, meanwhile, advertised the sale of its customer list and database in The Wall Street Journal last month after ceasing operations. The company overseeing the sale of Toysmart's assets, the Recovery Group, said several interested parties have bid on the customer information.

    I am very worried at this trend, because I have a lot of personal data at CDNow and, considering that they are in serious trouble, will my personal data also be sold? I have begun to fear for all the dot-coms I have ever bought anything from because the last thing I'd want is for my address, credit card info and shopping habits to be sold by some failed e-business like some email spam list. The fact that the companies are taking out ads to sell our info and hiring agents to do this shows completely that industry self regulation has failed. I sincerely hope the FTC jumps on this like a porkchop in a dog kennel.

  5. Re:Privacy and buyouts/mergers by weave · · Score: 3
    I used to buy stuff from musicboulevard.com. I carefully checked the "do not spam me" option was selected as appropriate. They never spammed me. Then they got purchased by cdnow.com, who copied their customer database, but somehow could not copy the spam preference bit (how convenient). I started to get spammed by cdnow.com.

    I ended up setting up procmail to return EXITCODE=67 to them and never shopped there again.

  6. Re:Browsing with Cookies Disabled is Useless by Alik · · Score: 3

    I agree with you that a well-hacked Mozilla-like program is one option, but there's another one: proxies. As far as keeping cookies off your drive, JunkBuster seems to do a pretty good job, and offers a much more fine-grained control over what's going on than the current option of "Either block all cookies or allow them all or get nagged every five seconds for each individual cookie." (Yes, there's the "trusted sites" zone in IE, but I don't care to mark any site even temporarily trustable.)

    Your more general point of "the only way you'll get a cookie-free web experience is hacking one together yourself" is quite correct, though.

  7. Re: "Slashdot should hire us a lawyer." by Deven · · Score: 4

    Slashdot should hire us a lawyer.

    You know, that's actually not a bad idea. Andover could conceivably pay an actual attorney to review legal issues as they arise, to avoid too many misunderstandings and misinformation from the vast majority of us who need "IANAL" disclaimers...

    Would it be worth the cost? I don't know, but it could certainly be a service to the community...

    --

    Deven

    "Simple things should be simple, and complex things should be possible." - Alan Kay

  8. chmod 400 ~/.netscape/cookies by pq · · Score: 3
    and then delete cookies that you don't want.

    Me, I keep my NYT cookie from last year, my ADS and simbad cookies (astronomy work), and my slashdot cookie. The rest can assign me a new, unique, "look, another user!" cookie every time I happen by, and I flush them to the bit bucket every time I exit netscape.

    --
    "I will take the Ring," he said, "though I do not know the way."
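The keep-a-few-cookies-and-lock-the-file routine from the comment above, as an added example that is not part of the original post: it prunes a Netscape-format cookie file (seven tab-separated fields per row) down to an allowlist of domains and then makes the file read-only. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: prune a Netscape-format cookie file to an allowlist, then lock it.
# Row format: domain, subdomain flag, path, secure flag, expiry, name, value (tab-separated).

# prune_cookies FILE DOMAIN...  keeps only rows whose host is DOMAIN or a subdomain of it.
prune_cookies() {
    file=$1; shift
    keep="$*"
    # Work on a temp file in the same directory so the final rename is atomic
    # and still succeeds when FILE is already mode 400.
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    awk -F '\t' -v keep="$keep" '
        BEGIN { n = split(keep, allow, " ") }
        /^#/ || NF == 0 { print; next }   # keep header comments and blank lines
        NF != 7 { next }                  # drop malformed rows
        {
            host = $1
            sub(/^\./, "", host)          # ".example.org" and "example.org" match alike
            for (i = 1; i <= n; i++) {
                d = allow[i]
                # Exact match, or a suffix match on a label boundary, so that
                # "notslashdot.org" does not pass as "slashdot.org".
                if (host == d || (length(host) > length(d) &&
                    substr(host, length(host) - length(d)) == "." d)) {
                    print
                    next
                }
            }
        }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$file" && chmod 400 "$file"
}

# count_cookies FILE  prints the number of cookie rows (comments excluded).
count_cookies() {
    awk -F '\t' 'NF == 7 && !/^#/ { n++ } END { print n + 0 }' "$1"
}

# make_sample_cookies FILE  writes a constructed cookie file for trying this out.
make_sample_cookies() {
    {
        printf '# Netscape HTTP Cookie File\n\n'
        printf '.slashdot.org\tTRUE\t/\tFALSE\t1009843200\ta\tconstructed\n'
        printf '.doubleclick.net\tTRUE\t/\tFALSE\t1920499140\tid\tconstructed\n'
        printf 'www.nytimes.com\tFALSE\t/\tFALSE\t1009843200\tb\tconstructed\n'
        printf 'notslashdot.org\tFALSE\t/\tFALSE\t1009843200\tc\tconstructed\n'
    } > "$1"
}

# Usage (with the browser closed): prune_cookies ~/.netscape/cookies slashdot.org nytimes.com
```
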
  9. Are those privacy policies legally binding? by derobert · · Score: 4
    I have never visited those sites --- and both seem to be down now (for obvious reasons) --- so I don't know how those sites are, but a lot of the other sites I visit make you click an `I agree' button.

    Those agreements usually reference the site's privacy policy. They expect that those agreements are binding on you, and for that to be the case, wouldn't the same agreement be binding on them too?

    Further, I've seen sites that display their privacy policy or other promise to never give away and/or sell the data on the order page, too. Are they not by making the promise when I order --- and send them money --- forming a contract with me not to sell the data?

    Do the consumers of these sites have any recourse? If they don't, then how should a privacy policy be constructed such that it is legally enforceable?

    It's hard for me to imagine that the silly little links at the bottom of a page saying that "by using this site you agree to..." could possibly be valid if their privacy policies aren't.


  10. If you extend the situation ... by dustpuppy · · Score: 5
    does this mean that:

    if your doctor's clinic folded, he could sell your patient info?

    if a telco folded, could they sell your phone records?

    if a bank collapsed, could they sell your financial transaction history?

    if your ISP folded, could they sell your surfing habits?

    1. Re:If you extend the situation ... by thogard · · Score: 3

      Medical records are fair game in the data mining business. The only restrictions are that records only be given to others in the medical profession which basically involves your doctor, the nurse, the insurance company, the insurance company's debt collector, the drug companies, the government and their dog. From what I can tell it only limits the data to about 1 in 6 people.

      The laws cover giving the data out. They don't cover how the data came in. Insurance companies will pay top dollar for info on pre-existing conditions and drug histories and anything they can use to drop people into a higher risk group.

      Check out what the form says the next time you see the doctor. It's been scary stuff for almost two decades. My solution is to cross it out, pay cash and if I have to deal with the insurance company, I'll do that directly.

      By the way, insurance companies can share info freely between themselves. This is also allowed for drug research.

    2. Re:If you extend the situation ... by Anonymous Coward · · Score: 5

      I worked for a bank for almost 4 years, and I have news for you: Banks sell your information all the time.

      Your name, address, and any spending habits that they can accumulate are sold to other companies every day. You have to go to your bank and specify in writing that you do not wish for them to sell your information to make them stop. Banks don't need to go out of business to sell your information, because to them it's just another revenue stream.

    3. Re:If you extend the situation ... by Shirotae · · Score: 3

      does this mean that:

      • if your doctor's clinic folded, he could sell your patient info?

      There seems to be some protection of patient records in the USA - I found this ABI Testimony before Senate Judiciary Committee which seems to say that you can't just transfer the records to anyone.

      I vaguely remember this situation arising a while (at least a year, probably two or more) ago, but I don't remember in which jurisdiction, or what happened. All I can remember is that there was a fuss about patient records being sold to some company that was not another doctor's practice.

  11. Ready the opt-out link, captain! by Oscarfish · · Score: 4



    http://www.doubleclick.net/optout/default.asp

    Follow the link above so that DoubleClick will issue you a cookie with the string id=OPT_OUT. This will prevent DoubleClick from doing its "DoubleClickish" tracking and serving, and rather just serve you banner ads straight out.

    And, yes, I'm aware of the irony of me making a post like this when my site is full of DoubleClick code :)

    --

    --------

    Oscarfish.com: tropical fish with attitude. Way t

    1. Re:Ready the opt-out link, captain! by ncc74656 · · Score: 3
      I actually used to [redirect ad sites to localhost in /etc/hosts], but a number of sites stopped working completely for me - instead of loading a broken image or whatever for the banner, I got a full page error message, and no web page.

      I've been using squid for a few months to filter out ads and keep cookies from being set; it's worked really well. It hasn't broken any sites that I can recall, and it's cut out most of the clutter and third-party cookies. You still need to check periodically for third-party cookies as new ad servers are put online, but I've gotten most of the current sites loaded into it. It even strips out the annoying host-navigation frames put up with sites hosted by the likes of Xoom and AOHell.

      Here's some info on configuring squid as an ad-blocker. My list of blocked sites is here. (I've tweaked the redirector script to support a NULLHTML tag that causes a file containing "<html></html>" to be returned...it's a simple hack, and I don't know squat about Perl.)

      _/_
      / v \
      (IIGS( Scott Alfter (remove Voyager's hull # to send mail)
      \_^_/

      --
      20 January 2017: the End of an Error.
  12. Industry self regulation by Betcour · · Score: 3

    Another blow to the "industry self regulation" supporters. Maybe sometimes they'll understand that capitalism without limits is just crap. Some things need to be moderated: when it comes to the economic rules, only an elected organisation should set the rules, not the players of the game themselves (aka corporation).

  13. privacy ineffective, need other legal protections by jetson123 · · Score: 3
    While I think this kind of data should be protected (in fact, companies should not be permitted to keep it), I also suspect that protecting privacy is ultimately not going to work. The major worry, I think, is discrimination in insurance and employment.

    If, say, medical insurance companies were required to set rates only based on their age, how long they have been insured, and (perhaps) state, and no other information, it wouldn't matter what kind of access they had to your medical records.

    That's, in fact, how private medical insurance works in many countries. Insurance companies can still compete in all those areas where companies compete well in the free market: lowering costs, improving service, etc., they simply don't have the information to cherry-pick low-risk customers and leave the high risk customers to the public system.

  14. This could be fixed by X · · Score: 3

    If personal information was kept in some kind of escrow system with guaranteed expiries and the like.

    Ultimately you're always vulnerable to bankruptcies, but presumably places like Verisign are more likely to exist than Boo.com... ;-)

    --
    sigs are a waste of space
  15. Re:Browsing with Cookies Disabled is Useless by Effugas · · Score: 3

    "Either block all cookies or allow them all or get nagged every five seconds for each individual cookie."

    Getting nagged every time is an intentional tactic to make you accept all cookies. What appears to be badly programmed and incompetently designed is actually intentionally annoying--they're spoofing privacy and inconvenience and trackability as ease of use. That's actually interesting.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  16. What does TRUSTe matter? by seebs · · Score: 3

    Are you trying to imply that TRUSTe certified sites don't break their policies, change them without notice, and/or have sucky policies anyway?

    eBay broke their policy, changed it without notice to allow for what they did, then broke the new policy anyway. They still have a seal. I don't think you can consider TRUSTe to mean anything.

    As I understand it, there has been some talk of forming a seal program with a funding source other than the companies reviewed. It might mean something.

    Honestly, what would surprise me would be if a company that *didn't* have a TRUSTe seal suddenly turned around and broke its policy. For some reason, I've never had privacy problems with a company that doesn't have one of those seals...

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  17. Re:Data is an asset by skion_filrod · · Score: 3

    Hmmm., please tell me more:
    I am by no means a legal expert, but if I understand you correctly a company can promise their customers almost anything concerning the handling of their customers' information and data, but as soon as they go bankrupt they don't need to follow any agreements made with their customers?

    Do you have any references to actual law or practices in this case? Who decides that the "protected" data is an asset that may be sold - is it the company or a legal institution? Is this specific to US law?

    Basically, I am not surprised that these things happen - if a company can use a loophole in the laws and make money out of it they will. The only way to make them not do it is to make laws that regulate what companies can do and can not do.

    I have never quite understood those opposing laws and regulations, claiming that "consumer power" and other public pressure will keep companies on the rug.

  18. Lawyer: who owns what by hawk · · Score: 5

    I am a lawyer, but this is not legal advice. If you need legal advice, contact an attorney licensed in your jurisdiction.

    There are a number of factors at play here. The bottom line will be that, for the most part this data cannot be sold.

    Forming a contract is *very* easy. Put up a message that says, "give me this information, and I promise not to reveal it," and you have an offer. Anyone providing the information accepts the contract, and the recipient is contractually bound not to reveal it. Selling it would be a breach.

    Given a breach, the consumers would be entitled to "specific performance," a court order enforcing the terms of the contract.

    But then comes bankruptcy, which can do all kinds of strange things to contracts, setting aside large parts of the contract, which *might* allow a sale--but this introduces a new catch, namely that every single person who provided a name becomes a creditor with rights in the bankruptcy.

    There's a couple of ways that this could play out. It certainly isn't crystal clear that privacy wins, but my money is on privacy. Given that the expectation of continued privacy covered the gathering of the information, the potential sale of that information could not have been looked upon as an asset by the other creditors. There's a couple of ways to reach this, the simplest being the contract.

    Sale of the *entire* company might be a different matter. If thugs.com branches out from lockpicks to handguns, would they have been allowed to use the information they gathered to promote their new product line? If so, the entire company can probably be sold, and the new parent company can likely use the information in a similar manner. If not, the new parent company would be similarly barred from the information.

    hawk, esq.

  19. Privacy and buyouts/mergers by khym · · Score: 3

    From the article:

    "CraftShop promised that it wouldn't release the names without approval," Mackey said. "So we just can't take the names and sell them to anyone interested. We couldn't deal them independently. (The company name and customer list) had to go together."

    While such a transfer may be perfectly legal, some privacy advocates find that to be little solace.

    Such a sale is taking advantage of a loophole, according to Andrew Shen, policy analyst with the Electronic Privacy and Information Center (EPIC), a privacy watchdog group based in Washington, D.C.

    "This is why the (Federal Trade Commission) act is not a sufficient manner in which to protect privacy," Shen said. "We need stronger laws to prevent the exchange of customer information when companies merge or are sold."

    An area like this can get complicated. If, say, little.com says it won't share its customer info with anyone, and big.com buys little.com, I don't see any reason why they should just have to throw out little.com's customer info at that point; little.com has just become a part of big.com, so big.com should be able to inherit little.com's customer info (with all the original privacy agreements on it still legally binding on big.com).

    But if, say, marketing.com buys the little.com "name" along with its customer info, they shouldn't be able to set up a subsidiary "little-marketing.com" which markets to the customers of little.com as little.com; that's violating the spirit of the agreement, if perhaps not the letter of it.

    Looks like places like TrustE will have to get some more comprehensive (and, unfortunately, more complicated) privacy policies for dot-coms to follow.


    Suppose you were an idiot. And suppose that you were a member of Congress. But I repeat myself.
    --
    Give a man a fire, and he'll be warm for a day, but set him on fire, and he'll be warm for the rest of his life.
  20. how could this be considered as dividing "assets"? by jesterzog · · Score: 4

    Note that when a company is bankrupt, its assets are divided up and sold off according to what the court orders, and may not have much to do with what the company tried to promise.

    I'm not a lawyer, but if the company was not legally able to sell someone's private details before it went bankrupt as per a privacy agreement, I can't see how it could be considered an asset. If anything, it's a liability because the information would have to be destroyed or withheld from people who wanted it illegally.

    If this is true, how could any court treat it as such to be broken up and sold to pay creditors? Isn't this whole thing more about what's in an original privacy agreement than what a court orders?

  21. Re:Industry self regulation dies with help by Captain+Constitution · · Score: 3

    Did you eat paint chips when you were a kid? Some businesses do need to be regulated in order to protect the interests of the people at large. Granted, we can't control all aspects of the economy, but I hardly think blaming the courts for business' mistakes is in order. Comparing a major corporation to a little kid is a little off, too. The kid can't bribe his parents to get them to shut up - most kids I know aren't financially independent.

    Take a look at these Supreme Court Cases:

    Helvering v. Watts 296 U.S. 387

    Procter & Gamble v. U.S. 225 U.S. 387

    U.S. v. Amer. Bldg. Maint. Industries 422 U.S. 271

    The last case quotes Section 7 of the Clayton Act, 15 U.S.C. 18: "No corporation engaged in commerce shall acquire, directly or indirectly, the whole or any part of the stock or other share capital and no corporation subject to the jurisdiction of the Federal Trade Commission shall acquire the whole or any part of the assets of another corporation engaged also in commerce, where in any line of commerce in any section of the country, the effect of such acquisition may be substantially to lessen competition, or to tend to create a monopoly."

    The Clayton Act was created for a reason - to protect the American people from the rapacious greed of monolithic corporations. Perhaps your mental image would be better supplanted with an incubus whose parents don't allow him to do anything, and he ends up devouring their souls.

  22. Browsing with Cookies Disabled is Useless by Effugas · · Score: 4

    Unless you wipe out your cookie folder (yes, the one that says OH MY GOD DEAR GOD NO YOU'RE DELETING A COOKIE NO NO NO YOU REALLY DONT WANT TO DO THIS NOOOO care of Microsoft), cookies still function whether or not they've been "disabled" by the browser.

    This behavior occurs in both Netscape and Internet Explorer, and of course completely contradicts expected behavior.

    Browsers recently joined Crypto code in my eyes as things that companies have serious trouble being able to do securely once they get too big. Mozilla's hiring (they sent me a letter, not that I'm looking for new work). The thought of a functional browser that I can easily patch to not violate my privacy is more than tempting...we may really need Mozilla more for its security considerations than even for its standards compliance.

    The bottom line may just be that browser makers are just too vulnerable to the demands of unethical marketers. The spasms that Windows goes into when you try to delete a cookie; that cookies are still served even if they're disabled in the browser...these just aren't accidental bugs, and shouldn't be treated as such.

    Thoughts?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com