Slashdot Mirror
Toysmart Database To Be Destroyed
deebaine writes: "CNN has this article describing the settlement of the case of Toysmart.com's customer database, which Toysmart proposed to sell to the highest bidder in order to pay off their creditors. Apparently, the settlement stipulates that a Disney subsidiary will pay Toysmart $50,000, and they will destroy their own records. The FTC is hailing it as a victory."
Theres only one way to assure that a privacy agreement is followed by a corporation. Make it a part of the contract. If its part of the contract you sign (or usually click) when you sign up, they can't legally break it. If they do, not only can the comnpany be sued, but sometimes the employees who knowingly broke the contract.
Of course some sites put in those agreements that they have the right to change it at any time. Simply avoid those sites. I do anyway- any site who isnt willing to agree to one policy probably isn't trustworthy anyway. Find a competitor or a brick and mortar version of the service.
I still have more fans than freaks. WTF is wrong with you people?
Too bad we find out when they are out of business.
The truth shall set you free!
The sad thing is that this probably happens all the time, just this was a high enough profile case to be caught.
The way I read that article, a company may be 100% willing to uphold their promises to maintain the privacy of their customers, but bankrupcy laws force them to sell off all assets, including their list of customers.
Ok.. fine. They can sell off their list of customers. However, what if their list of customers only includes those customers that have purchased something in the last 30 days.
If I'm a brick&morter operation, sure.. MAYBE I want to send my customers advertisements every once in a while. After all, happy customers will come back for more. For this very reason, there is no need to keep their information on file. THEY WILL RETURN BY THEMSELVES.
If they don't return, well, they probably aren't all that interested anyways, and there's no reason to keep their records on file. All you need is the record of the transaction.
If the computer system automatically deletes the records of any customer who has not purchased something in the last 30 days, then the only customers who will have an open account are the ones that purchase something regularly. When the company plans to go out of business, simply disable the order screen but keep the system online for an extra month. Those customers will automatically be deleted by default, but at no time has the company intentionally destroyed any assets, as the customer list was never considered an asset to begin with.
On the other hand, most likely the companies in question actually WANT to sell it off because thats less money they'll have to come up with later to cover the debts after bankrupcy if any.
-Restil
Play with my webcams and lights here
If Toysmart itself was bought by Disney and they were going to continue to run the toystore site, that's one thing. I would not approve of my registration information with (for example) ComputerStuff.com being sold to russianbrides.com when they go out of business. After all, I was providing my information to have an account and services of a computer service -- not a russian bride thing. Same goes in this case. If people wanted to have their information owned by disney, they would have registered with disney. But they didn't. They registered with Toysmart.
I say, when a company/entity goes out of business, the personal data needs to be trashed. If a parent company continued to run a purchased company, that would be acceptible. But to just shell out what you want from a dead company and use that personal data -- OUR -- personal data for your own completely seperate purpose, is wrong.
---
seumas.com
Winning in the private sector is kind of like winning a video game. While it might help to slow the geometric growth of junk mail arriving at you from all quarters, it won't stop you from getting your ass hauled off to a concentration camp.
Some would suggest that there are bigger fish to fry. (True, some would also be called crazy, but there's some interesting food for thought out there nonetheless.)
To those interested in looking at what some of those bigger fish might be, check out this amazing site I just found: (Real or not, who cares? Clean and intelligent writing, it makes for the BEST sci-fi I've read in years! The Swiss watch of conspiracy theories. And frankly, any geek who isn't familiar with this cutting edge, web-based story telling technique can just turn in his membership card and kick his lame ass out the door. This is actually something new.) (Once you get past the cheesy opening page, it gets good fast.)
-Fantastic Lad. -Ten Steps Ahead and Lost With Confidence!
Is this some sort of censorship of the records? Seems to me any destruction of databases has to have a reason...
Seeka
Hmmm - if I clicked on a the word "Asses", that was hyperlinked in an offtopic comment, I think that I for one would have an idea what I was going to see!
The Master Of Muppets,
CAPTAIN: TAKE OFF EVERY "SIG"!!
Would make sense in order to keep clients' information safe and this is first time I've heard a corporation turning down more money. I remember NSI's and ICANN's bickering over the whois database and some might have said the issue revolved around the same means however it was not.
Personally I dont think this will set any standard and in the article it mentioned complaints by privacy groups which is the foundation for the decision to take legal action, only one would hope ethical questions would've outweighed a watchful eye, but hey money talks.
I wonder what will happen when some of the bigger fish go out like Doubleclick, Netcreations.com, etc, are there standards in place already set to avoid this from happening or is information just going to end up on the eBay selling block? What about with mergers and takeovers, will the same rules apply if the newer parent company doesn't have the rules the other company did?
SourceForge Spoof
360 degrees of Karma
This case was already delayed by a judge, a while ago in August. The reason why was that she couldn't do anything until a buyer showed up.4 0651,00.html
resource:
http://boston.internet.com/news/article/0,,2001_4
IAMAL, but it would seem that Company Z wouldn't then have the right to use the information for whatever purposes they want. The same would seem to go for a contract/agreement where the customer provides information to Company X. Company Z may have bought it, but there should be nothing that they can do with it, because it is outside the terms of the agreement.
At least, that seems like natural law. It would appear to hold some water, though.
Could be viewed along with the arguements associated with PKI, just because a company is selling certificates why should one trust that company, are their servers secure from intrusion, just exactly who gave them that authority to sell certs, (government, god, allah, etc.) its all in open view; privacy buffs were opposed to it and I'm sure companies saw the problems down the road with allowing the database to be sold { else $PRIVACY_BUFFS_COMPLAIN >= $FUTURE_LOSES } ...
I'm sure if watchful eyes weren't kept it'd been sold.
AOL to implement security
360 degrees of Karma
The actions of the lawyers are to be expected: "What can we sell, what can we sell??"
The truly disgusting issue is that the courts would allow a company to do this. Toysmart clearly announced that this information would not be divulged, and blatantly turned around and tried to sell it.
This was not a victory, it was a close call that was saved by the fact that Disney was more worried about its rep than the money this would generate.
Won't be surprised when the next company in this situation has no rep to lose and sells its promises.
---"What did I say that sounded like 'Tell me about your day?'"---
"You're sworn to sell whatever assets you have and give it to the creditors. You're caught between a rock and a hard place," Leahy said.
But that information is not an asset, because the company doesn't have complete control over it. If I put my name in that pot, it would have been under an agreement between Toysmart and myselft that stipulates that my name would not be sold. That contract does not change under bankruptcy proceedings does it? They don't own my information, they've only been given leave to hold it for a while. If a bank goes under, can it take all the deposits and hand it out to creditors? If one of those companies that provide small storage spaces goes out of business, are they suddenly allowed to open all the shed and start auctioning off what they find?
You can't call something you don't own an asset, and I think the bankruptcy court erred when it assumed that Toysmarts marketing list was under the companies control.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
It doesn't take much to misappropriate a backup tape. It doesn't take much to copy a backup tape. It isn't a big thing to sell and read a backup tape.
I doubt very much that this database is going to magically disappear, even for 50 grand.
Remember, there's probably a backup tape with at least part of this database on it for EVERY DAY this company has been doing business. That's a lot of tapes. Will every one be inventoried?
I doubt it.
...and while the sun and moon endure, luck's a chance, but trouble's sure.... -A.E. Housman
"The FTC is hailing it as a victory." Yeah, like the Federal Toy Commision can say who can and can't sell there customer database.:)
From the article:
Toysmart is majority owned by Disney
Dunno if they were owned by Disney before they had problems, in which case you had already sort of registered with Disney anyway, or not, but the transaction (selling the database to another subsidiary of Disney) is a dummy transaction which keeps the federal bankrupty court happy in assigning a value to the database, whilst avoiding the need for a long expensive legal argument. This way both the bankrupty court is happy 'cos Toysmart obtained value for an asset, and Toysmart get to keep their no disclosure promise.....
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
If the company goes under, there's no other side to sue.
Back to the good ole days of slavery where we are bought and sold like common cattle. Except that "we"==information in a database.
Lousy facepalm.
This case represents another issue where social/legal policy has not kept pace with technology. So many of the laws and mores that define how we interact in the public forum were crafted in such a different atmosphere that they cannot hope to answer the problems of today. I think that we will see more and more cases where the courts - of and of public opinion - are challenged to decide whether action X is permissable in situation Y (which they never encountered) using an analogy to make it seem like situation Z with which they are comfortable. OF course, the trick is find the right analogy, and there-in lay the problem. Blah blah blah - http://www.hyperorg.com makes a lot more sense about the analogy issue than I do.
There is no guarantee that the content has been read or understood.
Sure, this is pure speculation, but that's the advantage of being a pessimist; you're either proven right or pleasantly surprised.
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
check out this amazing site I just found: (Real or not, who cares? [...] it makes for the BEST sci-fi I've read in years!
I did. What's good about it ? It's just another bunch of self-deluding New Age Loons doing bad science that Elron would be ashamed to have penned.
"Swiss watch of conspiracy theories" ? I get weirder things in my cornflakes.
There is alot of "well, what if they use/sell the database anyhow, even though they said they wouldn't?"
Like, duh. Of course they could. The point is, that it would be illegal of them to do so, where, before, it was questionably legal. This case sets a precedent that doing such a thing, is, in vact, a violation of consumer privacy.
If something has never been said/seen/heard before, best stop to think about why that is.
"Old man yells at systemd"
Who's going to buy it? Other .com's can't afford it and real businesses already have our info. Besides, there's only 250,000 people in that database, once an existing company does a scrub against its own internal database that number will drastically decrease. I know the company I work for (5,000 employee company) loses about 30% of leads when they buy a database like that.
-p4
(c) All Rights Released.
On a related note, does anyone know how the Motorola thing turned out?
I used to work for Gazelle.com, a 9 month flameout. When the company turfed, the founders did sell off the mailing list, in violation of the terms that people signed up under. But far worse things happened as well.
The company was set up at a co-lo, where they didn't own the servers. But at the San Francisco office, there was a data mining server that collected all the clickstream data, all the credit card info, etc, into a honking SQL database.
When the company folded, the boxes were simply shut down. No cleanup was done at all. When the company sold all the systems that had been used for building the site, they advertised thm as including softare (non transferable, and never paid for anyhow), so they continued to not be erased.
The company that bought the data mining server apparently decided that rather than flattening, and rebuilding, it would be more fun to crack the box. So they hired someone to break open the security on the systems. Thus getting them a COMPLETE copy of every session ever opened to the production site. Including all the aforementioned credit card info.
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
One effect that this will have is an increased number of privacy policies that specifically leave the door open for a sale of the customer lists in the event that they are acquired or go out of business. The startup that I'm working for recently formulated its privacy policy, and they're aware of the need to keep their options open. The result is a privacy policy that I don't like.
In this case, we can say that Toysmart ("the Company") owns the list of names. However, in submitting your name to the list, you ("the User") entered into a contract with the Company that personal information about the User would not be shared with any entity which was not the Company, for any purpose.
If Toysmart were bought by another firm, that firm would become the Company in a legally binding way, and therefore would have rights to the list. They would also be under the same contract that Toysmart began under.
However, the Company has dissolved, and by taking its assets, creditors in no way take on the role of the Company. As the contract stated that information about the User would not be shared with non-Company groups under ANY circumstances, the list must be destroyed upon dissolution of the Company. Simple.
"This is a landmark case because it tells other companies that the privacy promises you make while you're in business must be kept when you go out of business," said Dave Steer, spokesman for privacy seal-of-approval group TRUSTe.
/.'ers can really get behind. Here's to hoping for a future story: New Bill to Protect Customer Privacy. Write your senators and congressmen!
Unfortunately, it doesn't mean that at all. It just means that's what happened in this case. Next time, it might not go the right way, and what we really need is a fix in the legislation. Encouragingly enough, the article also has this bit of information: Sen. Patrick Leahy, D-Vt., said in an interview that he would like to reform those laws this year to protect consumer privacy.
Keep an eye out for those bills. His statement implied there's something in the bankruptcy laws that allows this sort of thing to happen. So rather than just rail against all the bad legislation (which we should still do), it'd be nice to have some legislation that most