Slashdot Mirror


Ebay's Flexible Privacy Policy

l2718 writes "Ha'aretz has a disquieting report on a presentation made by eBay's senior counsel to law-enforcement officials. Apparently eBay logs all user interaction with them, and will happily hand over all the information to any law-enforcement official without a warrant -- a fax is quite sufficient. He is actually proud of their 'flexible' privacy policy."

18 of 343 comments

  1. Text of Article by Anonymous Coward · · Score: 5, Informative

    "I don't know another Web site that has a privacy policy as flexible as eBay's," says Joseph Sullivan. A little bit later, Sullivan explains what he means by the term "flexible." Sullivan is director of the "law enforcement and compliance" department at eBay.com, the largest retailer in the world.

    Sullivan was speaking to senior representatives of numerous law-enforcement agencies in the United States on the occasion of "Cyber Crime 2003," a conference that was held last week in Connecticut. His lecture was closed to reporters, and for good reason. Haaretz has obtained a recording of the lecture, in which Sullivan tells the audience that eBay is willing to hand over everything it knows about visitors to its Web site that might be of interest to an investigator. All they have to do is ask. "There's no need for a court order," Sullivan said, and related how the company has half a dozen investigators under contract, who scrutinize "suspicious users" and "suspicious behavior." The spirit of cooperation is a function of the patriotism that has surged in the wake of September 11.

    eBay is the world's largest auction site. Some 62 million registered users buy and sell a variety of merchandise through the site, which charges commissions for every item sold. Sullivan claims that 150,000 Internet users earn their livelihood from the site, some having left their old jobs to become buyers or sellers on eBay.

    The sales method on the site is simple: An individual registers as a user, types in his particulars, and affirms that he accepts the user conditions and the site's privacy policy. Whenever an item is sold, the buyer fills out an evaluation form, telling other users about the treatment he received, whether the merchandise was sent on time, etc. Other eBay users can then avoid buying from sellers who have received poor grades.

    Sullivan says eBay has recorded and documented every iota of data that has come through the Web site since it first went online in 1995. Every time someone makes a bid, sells an item, writes about someone else, even when the company cancels a sale for whatever reason - it documents all of the pertinent information.

    One would think that preserving privacy of the users, whose moves are so meticulously recorded, would be keenly observed at eBay, whose good name in the Internet community is one of its prime assets. But in the U.S. of the post 9/11 and pre-Gulf War II era, helping the "security forces" is considered a supreme act of patriotism.

    Who needs a subpoena?

    "We don't make you show a subpoena, except in exceptional cases," Sullivan told his listeners. "When someone uses our site and clicks on the 'I Agree' button, it is as if he agrees to let us submit all of his data to the legal authorities. Which means that if you are a law-enforcement officer, all you have to do is send us a fax with a request for information, and ask about the person behind the seller's identity number, and we will provide you with his name, address, sales history and other details - all without having to produce a court order. We want law enforcement people to spend time on our site," he adds. He says he receives about 200 such requests a month, most of them unofficial requests in the form of an email or fax.

    The meaning is clear. One fax to eBay from a lawman - police investigator, NSA, FBI or CIA employee, National Park ranger - and eBay sends back the user's full name, email address, home address, mailing address, home telephone number, name of company where seller is employed and user nickname. What's more, eBay will send the history of items he has browsed, feedbacks received, bids he has made, prices he has paid, and even messages sent in the site's various discussion groups.

    Attorney Nimrod Kozlovski, author of "The Computer and the Legal Process" (in Hebrew), heard the lecture, and could not believe his ears. "The consent given in the user contract should be seen as 'coerced consent,' in the absence of any opportunity to exercise free choice, with no real alternative but to agree. This is most certainly not conscious consent."

    Kozlovski is part of the Information Society Project group at Yale Law School, in which he and his colleagues consider the effects of the new media on the structure of society. American law does not authorize searches of a person's home or body, he says, except in exceptional cases such as when the court authorizes a search, or when the individual gives his consent to a search.

    "In the case before us, the Web site signs the user to a document that says it can do whatever it wants with his information. The eBay contract signed by the user concedes his or her rights to protection from the government; in essence, as soon as the contract is signed, eBay can invite the government to do whatever it wants with the information," he says.

    A brief visit to the company's Web site reveals that the "user contract" that visitors are supposed to read before agreeing to the conditions is 4,023 words long. One paragraph makes reference to the site's "privacy policy." The user has to click on a link and is diverted to another document that is some 3,750 words long. It then takes another 2,390 words to reach the section about which Sullivan told the legal authorities: The user's privacy is solely up to eBay.

    "The users are asked to read and agree to the site policy before they can make use of it," eBay spokesman Kevin Pursglove told Haaretz. "We provide a link to our privacy policy on every single page of our site, and provide summaries of this policy, all so that users will be familiar with our policy."

    We will work for you

    Nevertheless, eBay does not make do with simply sharing its data with the legal authorities. Sullivan says the company employs six investigators, all of whom have experience in police investigations. Their job is "to track down suspicious people and suspicious behavior." To that end, they scan for patterns that are atypical - different from "normal patterns." For example, if a person sold baseball tickets for two months and suddenly switches to selling a car, the eBay system will "wave a red flag" and signal the seller as someone behaving unusually. Who asks eBay to do it? No one. eBay volunteers.

    eBay goes even further. In his lecture, Sullivan spoke about how he helped investigators locate a user who had been suspected of selling stolen cars through the site. "We tried to buy the car from the thief and in that way incriminate him. But the bad guy was smart. He saw there wasn't a single feedback in the history of the person who was making the purchase. He told us he didn't want to make a deal with us."

    Sullivan explained that the incident taught the company a lesson, and that since then it has used pseudo buyers for which it constructs comprehensive simulated histories, including simulated feedbacks, all for the sake of incriminating those suspected of theft. "eBay is not willing to tolerate acts of fraud carried out on its site," explains Pursglove. "We believe that one of the ways to fight fraud is to cooperate with the legal authorities at the various levels."

    Sullivan is even more forthcoming. Aware of how hard the police work, he decided to help as much as possible. "Tell us what you want to ask the bad guys. We'll send them a form, signed by us, and ask them your questions. We will send their answers directly to your e-mail." Essentially, by engaging in what seems like impersonation, eBay is exploiting its relationship with customers to pass on information to law enforcement authorities. Why? "We take various steps in order to fight fraud and provide a safe buying environment for our numerous users," says Pursglove.

    "In order to prevent misuse of authority, the law ensures that authorized impersonation will only be used with persons suspected of carrying out illegal activity," says Pursglove. But eBay's practice is to impersonate people on a regular basis, for law-enforcement objectives. However, "there need not be a proven connection or well-founded suspicion of a crime having been performed," claims Kozlovski.

    In July 2002, eBay bought PayPal, Inc. for $1.45 billion. PayPal, which offers the most popular means of payment on eBay, provides clearing services for the execution of online transactions. It enables Internet users to open accounts on the company site, transferring money from their credit card or bank account. When carrying out a transaction, the seller receives a certificate with which money can be withdrawn from the buyer's account in cash. The system obviates the need to reveal personal financial data.

    When PayPal was acquired, the company reported 16 million users, as well as 3 million business accounts and 28,000 new visitors to the site each day. About 60 percent of PayPal's income derives from commissions received from users buying goods on eBay. About 70 percent of eBay buyers use PayPal.

    Two years earlier, eBay bought Half.com, a site that specializes in sales of CDs and books. Sullivan explained that these acquisitions help eBay to provide lawmen with a full picture. "Every book or CD comes with a bar code. So we know who bought what. The acquisition of PayPal helps us to locate people more precisely. In the old days, we had to trace IP addresses (unique address given to computers linked to the Internet), to locate the buyer, but now PayPal supplies us with the money trail.

    "PayPal has about 20 million customers, which means that we have 20 million files on its users," Sullivan proudly relates. "If you contact me, I will hook you up with the PayPal people. They will help you get the information you're looking for," he tells his listeners. "In order to give you details about credit card transactions, I have to see a court order. I suggest that you get one, if that's what you're looking for." It isn't certain that visitors to the site are aware of the thick hints eBay gives the lawmen.

    "By buying PayPal, eBay is merging the information about the goods trail with the money trail," explains Kozlovski. "Thus, in spite of the protective mechanisms of the law against disclosure of details on transactions, eBay is in a position to analyze the full set of data and 'advise' investigators when it might be 'worthwhile' for them to ask for a subpoena to disclose the details of a financial transaction. Essentially, this bypasses the rules on non-disclosure of details of financial transactions and the confidentiality of the banker-client relationship."

    Kozlovski mentions how special investigator Kenneth Starr issued a court order that ordered the bookstore where Monica Lewinsky bought her books to report to him the names of the books she bought. "Then, there was a huge fuss. Now you don't need a special order - eBay does the work for the investigators."

    Kozlovski feels that eBay's practice should be seen as part of a worrisome trend in the West to curtail protection of individual rights. In communist regimes, he says, the state would assign watchers to follow every citizen, who would pass incriminating information on to the authorities. Now the state doesn't have to do a thing. People come to it of their own free will. This is also the case for eBay, which exploits its stature in the market to have users accept contracts that strip them of their privacy. Perhaps the regime is different, but the outcome is most assuredly the same.

    A million new items a day

    eBay has no operations in Israel. But in the U.S., Europe and even the Far East, the name eBay is uttered in the same breath with names like Yahoo, Google and Amazon. The company created an electronic business arena where sellers offer their wares and buyers purchase them. eBay's trick is that both the sellers and the buyers are ordinary citizens. On eBay, you can find people selling used chewing gum (and there are buyers), torn soccer balls, 18th century forks, sunflower seeds and luxury cars (in 2002 alone, some 3,000 cars were sold on the site, at a total of $30 million.)

    eBay is one of the few Internet companies that shows huge profits quarter after quarter. The company completed the fourth quarter of 2002 with revenues of $414 million and net profits of $87 million. The company had overall income in 2002 of $1.2 billion, and net profits of $250 million. It is traded on Nasdaq at a company value of $23.4 billion - three times that of Amazon, twice that of Yahoo and eight times that of the Israeli security behemoth, Checkpoint.

    At any given moment, eBay is conducting some 12 million auctions, divided into about 18,000 different categories. About two million new items are offered for sale every day, and 62 million registered users scour the site to find them. These users have given eBay the monopoly on online auctions in America. Companies such as Yahoo and Amazon tried to get into the auction market, but were forced to give up. An estimated 150,000 people earn their livelihoods solely from buying and selling items by Internet. The company maintains local sites in Britain, Germany, Italy, South Korea, Ireland, Australia, Spain, Singapore and Sweden.

    eBay is a monster that churns out money 24 hours a day, 365 days a year - for itself and for its millions of users.

  2. Re:That would be illegal in the EU by TheRaven64 · · Score: 4, Informative

    They don't store the data in the UK, and so are not bound by the Data Protection act. Dabs use the same system on their auction site to get around UK law.

    --
    I am TheRaven on Soylent News
  3. Know what else? by stratjakt · · Score: 5, Informative

    I can web-scrape all that same info off the site.

    Bid histories for each auction, items you've bid on, auctions you've won... Yep.. It's all there.

    I've been spammed to death because of eBay (luckily I use a hotmail address with them). I bought a couple of old SNES games, next thing you know 100 yahoos are offering me CDs full of ROM images for 20 bucks or so.

    Tracing your email address to the actual person is a small hoop to jump through.

    Any real privacy on eBay is a figment of your imagination. It's like expecting your trip to the mall to be 'private'.

    --
    I don't need no instructions to know how to rock!!!!
  4. Point of Clarification: PayPal by mekkab · · Score: 3, Informative

    yes, Ebay now owns paypal-

    However what I'm referring to is problems where people paid through paypal, never got an item in return, and paypal said "sucks to be you. What do you want me to do about it?!"

    Here is a link to Paypal's class action suits... read the front page story.

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
  5. Re:That's great, as long as e-bayers are aware of by wtarle · · Score: 3, Informative
    From the ebay privacy policy:
    Legal requests

    eBay cooperates with law enforcement inquiries, as well as other third parties to enforce laws, such as: intellectual property rights, fraud and other rights. We can (and you authorize us to) disclose any information about you to law enforcement or other government officials as we, in our sole discretion, believe necessary or appropriate, in connection with an investigation of fraud, intellectual property infringements, or other activity that is illegal or may expose us or you to legal liability.

    Further, we can (and you authorize us to) disclose your User ID, name, street address, city, state, zip code, country, phone number, email, and company name to eBay Verified Rights Owner (VeRO) program participants as we in our sole discretion believe necessary or appropriate in connection with an investigation of fraud, intellectual property infringement, piracy, or other unlawful activity.

    Additionally, eBay reserves the right (and you authorize eBay) to communicate any information about you (including, but not limited to your policy violations, ended items, and item status) to other users, law enforcement and VeRO members as we in our sole discretion determine necessary or appropriate to maintain a level of trust and safety in our community and to enforce our User Agreement, Privacy Policy and any posted policies or rules applicable to services you use through our site.

  6. Still illegal under EU privacy law by Anonymous Coward · · Score: 3, Informative

    AFAIK if the data goes out of Europe, you need to opt-in...

  7. Kind of scary... by 95_gst_al · · Score: 4, Informative

    As an Ebay user, 200 requests a month for personal information seems high to me.

    I could have a buddy that works at the police department. If I visit him frequently, nobody would see a problem with me saying he is expecting me and I will just wait in his office. While he is at lunch, I could use his fax machine and request the information of anybody I want.

    --
    When all else fails, piss on it. At least you will feel better in some kind of way.
  8. Re:rip off artists by NDPTAL85 · · Score: 2, Informative

    The space shuttle still belongs to NASA. They need it to analyze what went wrong so less people die in the future.

    --
    Mac OS X and Windows XP working side by side to fight back the night.
  9. You Agreed to this.. by RumpRoast · · Score: 3, Informative

    If you are selling on ebay. Read the agreement.

    Thanks for your attention.

    --

    My Ass hurts.
  10. This simply saves time by labrat1123 · · Score: 3, Informative
    This is eBay cooperating with law enforcement because it saves paperwork and time. Handing the information over to law enforcement is inevitable, because most WILL go through the process of having a subpoena or warrant issued, especially if the information is critical to the case.

    Prior to that, a phone call is all that is necessary to a service provider to legally obligate them to preserve whatever records they already have for the given subject. This power comes from 18 USC 2703 (f) and is known as an "Order to Preserve." It does not require the service provider to start collecting new information, or collect more than they previously were, just to preserve what they already have. That gives law enforcement time to draft the court order and get it signed.

    Legal counsel at service providers know these issues very well. eBay is apparently choosing to make life easier on the legal end of things by offering a certain level of cooperation. Notice it did say they would require a warrant in certain situations, so it's not 100%.

  11. Law enforcement violations by joelparker · · Score: 2, Informative
    law enforcement officials don't get off of violating your privacy

    How about the Top 10 List of Police Database Abuses?

    Cheers, Joel

  12. Columbus, OH exists. (on topic in context) by The Darkness · · Score: 2, Informative
    Columbus, OH. (Is that really a city?)

    Columbus is Ohio's Capital City.

    Capitals Map

    --
    There are two kinds of people: 1) those that need closure
  13. Re:Let's see by Havokmon · · Score: 2, Informative
    What was it Kevin Mitnick said about social engineering?
    I don't like butterscotch, but I do like vanilla. You don't see friggin holy wars over pudding, though, do you?

    Hmm, no, I don't remember him saying that.

    What? You mean you haven't heard of the famous "Saralee" speech?

    Oh man. You missed a good one. Some other choice quotes:

    • "The next time you feel like complaining, remember that your garbage disposal probably eats better than 30 percent of the people in the world. "
    • Never serve oysters in a month that has no paycheck in it.
    • Don't take a butcher's advice on how to cook meat. If he knew, he'd be a chef.
    • "So I told him, 'Have a coke and a smile and shut the f**k up'"
    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  14. IAAL - it contravenes UK law. by geeklawyer · · Score: 2, Informative

    IAAL.

    Where you store the data is irrelevant. The Data Protection Act 1998 regulates the acquisition, transmission and processing of data. It prevents you from transferring such data out of the jurisdiction without safeguards.

    If Dabs or eBay serve web pages in the UK/EU (even if they do it from servers in the US) and gather personal data from that web page that activity is governed by the DPA since user interaction takes place with the UK/EU. Some other actions on the data (e.g. automated decision making & processing) may be lawful if they occur outside the EU but the gathering and transmission of the data to the US falls within UK law. Also eBay has a .co.uk domain indicating an intention to focus on UK users which would persuade a court to take jurisdiction.
    see privacy

    --
    -he who laughs last, is a bit slow.
    journal
  15. Inalienable rights Re:You were warned... by hacksoncode · · Score: 2, Informative
    The people's right to be free from unwarranted searches is as inalienable as their right not to be slaves.

    No matter how hard you try, you cannot legally sell yourself into slavery, because freedom is inalienable. Any such contract is illegal and void.

    I would claim that this kind of privacy is equally inalienable.

    Otherwise, we end up with a police state by proxy.

    I can only hope that this proves to be true in court. There's nothing that can stop eBay from reporting what they think is a crime to police (in fact, I think that's fine). However, that's very different from having the police request that they release your private information.

    Maybe that seems like a narrow legalistic distinction to some, but it's a very important one.

  16. Re:I clearly violate people's rights, too by 3Bees · · Score: 3, Informative
    geekoid commented:
    not me. get a court order, then no problem.

    Three cheers! One of the *first* things to remember when the police come knocking is you do not have to answer any of their questions. Don't do it! You never know when a seemingly minor bit of information will damage you or a friend.

    Knowing your rights, and following the letter of the law in regards to them, is crucial to maintaining a free society. It keeps everyone honest, keeps you free.

    A few links for the google impaired:
    • Your rights and police powers: Here
    • FindLaw, Police Questioning issues: Here
    • Some good legal advice on questioning: Here

    Remember, the police have plenty of ways to legally get information from you if they need it for an investigation. If they need your help, they get it through the proper channels.

    --
    "I think we should tax people who stand in water! " - Mr. Gumby
  17. Re:Law enforcement can really apply pressure by taustin · · Score: 2, Informative

    That was an illegal threat on their part. They can't do that. They can make copies of hard drives, but they can't shut you down.

    Ask Steve Jackson or the Secret Service about it. It isn't everybody who can claim to have gotten $300,000 in punitive damages, and had the lead agent called incompetent by the judge, on the record, against a federal police agency.

  18. Who to Contact If You've Been Ripped Off by Nova Express · · Score: 3, Informative

    I posted much the same message on the OC Systems thread yesterday, but it also applies here. There seem to be a lot of "Yeah, I got ripped off, but eBay wouldn't do anything about it so now I'm hosed" responses. If you've been ripped off, COMPLAIN. Complain to the company first, but if they don't give you any satisfaction, have the charge blocked on your credit card. If that isn't enough, or that isn't an option, then you need to bring out the big guns and rat them out to the feds! And here are just the websites to do it on:

    http://www.usps.com/postalinspectors/fraud/MailFraudComplaint.htm : The US Postal Inspector's Mail Fraud Report Form. I've used this for a few small value (less than $50) items I've returned to ebay merchants who then didn't send the refund despite repeated e-mails and phone calls. After complaining to the USPS, the rip-off artist got a letter from them and paid up darn quick. And you CAN follow up if no action is taken. I have a lot of criticisms of the U.S. Snail, but this is one area where government action actually seems to work.

    https://www.ifccfbi.gov/cf1.asp : The FBI's Fraud Complaint Form. The FBI seems a lot less active in prosecuting small cases than USPS, but I get the impression that if they get a LOT of complaints from people on the same company, they start to look in on it. Worth a try.

    Remember: Every time you let someone rip you off without calling them on it, it makes it that much easier for them to rip off other people down the line.

    --
    Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)

    http://www.lawrenceperson.com/