Slashdot Mirror


Ebay's Flexible Privacy Policy

l2718 writes "Ha'aretz has a disquieting report on a presentation made by eBay's senior counsel to law-enforcement officials. Apparently eBay logs all user interaction with them, and will happily hand over all the information to any law-enforcement official without a warrant -- a fax is quite sufficient. He is actually proud of their 'flexible' privacy policy."

22 of 343 comments

  1. How much.. by adamofgreyskull · · Score: 5, Funny

    ..did *his* soul go for on e-bay?

    1. Re:How much.. by Cy Guy · · Score: 5, Funny

      ..did *his* soul go for on e-bay?

      Or *his* SlashDot Account for that matter?

  2. Text of Article by Anonymous Coward · · Score: 5, Informative

    "I don't know another Web site that has a privacy policy as flexible as eBay's," says Joseph Sullivan. A little bit later, Sullivan explains what he means by the term "flexible." Sullivan is director of the "law enforcement and compliance" department at eBay.com, the largest retailer in the world.

    Sullivan was speaking to senior representatives of numerous law-enforcement agencies in the United States on the occasion of "Cyber Crime 2003," a conference that was held last week in Connecticut. His lecture was closed to reporters, and for good reason. Haaretz has obtained a recording of the lecture, in which Sullivan tells the audience that eBay is willing to hand over everything it knows about visitors to its Web site that might be of interest to an investigator. All they have to do is ask. "There's no need for a court order," Sullivan said, and related how the company has half a dozen investigators under contract, who scrutinize "suspicious users" and "suspicious behavior." The spirit of cooperation is a function of the patriotism that has surged in the wake of September 11.

    eBay is the world's largest auction site. Some 62 million registered users buy and sell a variety of merchandise through the site, which charges commissions for every item sold. Sullivan claims that 150,000 Internet users earn their livelihood from the site, some having left their old jobs to become buyers or sellers on eBay.

    The sales method on the site is simple: An individual registers as a user, types in his particulars, and affirms that he accepts the user conditions and the site's privacy policy. Whenever an item is sold, the buyer fills out an evaluation form, telling other users about the treatment he received, whether the merchandise was sent on time, etc. Other eBay users can then avoid buying from sellers who have received poor grades.

    Sullivan says eBay has recorded and documented every iota of data that has come through the Web site since it first went online in 1995. Every time someone makes a bid, sells an item, writes about someone else, even when the company cancels a sale for whatever reason - it documents all of the pertinent information.

    One would think that preserving privacy of the users, whose moves are so meticulously recorded, would be keenly observed at eBay, whose good name in the Internet community is one of its prime assets. But in the U.S. of the post 9/11 and pre-Gulf War II era, helping the "security forces" is considered a supreme act of patriotism.

    Who needs a subpoena?

    "We don't make you show a subpoena, except in exceptional cases," Sullivan told his listeners. "When someone uses our site and clicks on the `I Agree' button, it is as if he agrees to let us submit all of his data to the legal authorities. Which means that if you are a law-enforcement officer, all you have to do is send us a fax with a request for information, and ask about the person behind the seller's identity number, and we will provide you with his name, address, sales history and other details - all without having to produce a court order. We want law enforcement people to spend time on our site," he adds. He says he receives about 200 such requests a month, most of them unofficial requests in the form of an email or fax.

    The meaning is clear. One fax to eBay from a lawman - police investigator, NSA, FBI or CIA employee, National Park ranger - and eBay sends back the user's full name, email address, home address, mailing address, home telephone number, name of company where seller is employed and user nickname. What's more, eBay will send the history of items he has browsed, feedbacks received, bids he has made, prices he has paid, and even messages sent in the site's various discussion groups.

    Attorney Nimrod Kozlovski, author of "The Computer and the Legal Process" (in Hebrew), heard the lecture, and could not believe his ears. "The consent given in the user contract should be seen as `coerced consent,' in the absence of any opportunity to exercise free choice, with no real alternative but to agree. This is most certainly not conscious consent."

    Kozlovski is part of the Information Society Project group at Yale Law School, in which he and his colleagues consider the effects of the new media on the structure of society. American law does not authorize searches of a person's home or body, he says, except in exceptional cases such as when the court authorizes a search, or when the individual gives his consent to a search.

    "In the case before us, the Web site signs the user to a document that says it can do whatever it wants with his information. The eBay contract signed by the user concedes his or her rights to protection from the government; in essence, as soon as the contract is signed, eBay can invite the government to do whatever it wants with the information," he says.

    A brief visit to the company's Web site reveals that the "user contract" that visitors are supposed to read before agreeing to the conditions is 4,023 words long. One paragraph makes reference to the site's "privacy policy." The user has to click on a link and is diverted to another document that is some 3,750 words long. It then takes another 2,390 words to reach the section about which Sullivan told the legal authorities: The user's privacy is solely up to eBay.

    "The users are asked to read and agree to the site policy before they can make use of it," eBay spokesman Kevin Pursglove told Haaretz. "We provide a link to our privacy policy on every single page of our site, and provide summaries of this policy, all so that users will be familiar with our policy."

    We will work for you

    Nevertheless, eBay does not make do with simply sharing its data with the legal authorities. Sullivan says the company employs six investigators, all of whom have experience in police investigations. Their job is "to track down suspicious people and suspicious behavior." To that end, they scan for patterns that are atypical - different from "normal patterns." For example, if a person sold baseball tickets for two months and suddenly switches to selling a car, the eBay system will "wave a red flag" and signal the seller as someone behaving unusually. Who asks eBay to do it? No one. eBay volunteers.

    eBay goes even further. In his lecture, Sullivan spoke about how he helped investigators locate a user who had been suspected of selling stolen cars through the site. "We tried to buy the car from the thief and in that way incriminate him. But the bad guy was smart. He saw there wasn't a single feedback in the history of the person who was making the purchase. He told us he didn't want to make a deal with us."

    Sullivan explained that the incident taught the company a lesson, and that since then it has used pseudo buyers for which it constructs comprehensive simulated histories, including simulated feedbacks, all for the sake of incriminating those suspected of theft. "eBay is not willing to tolerate acts of fraud carried out on its site," explains Pursglove. "We believe that one of the ways to fight fraud is to cooperate with the legal authorities at the various levels."

    Sullivan is even more forthcoming. Aware of how hard the police work, he decided to help as much as possible. "Tell us what you want to ask the bad guys. We'll send them a form, signed by us, and ask them your questions. We will send their answers directly to your e-mail." Essentially, by engaging in what seems like impersonation, eBay is exploiting its relationship with customers to pass on information to law enforcement authorities. Why? "We take various steps in order to fight fraud and provide a safe buying environment for our numerous users," says Pursglove.

    "In order to prevent misuse of authority, the law ensures that authorized impersonation will only be used with persons suspected of carrying out illegal activity," says Pursglove. But eBay's practice is to impersonate people on a regular basis, for law-enforcement objectives. However, "there need not be a proven connection or well-founded suspicion of a crime having been performed," claims Kozlovski.

    In July 2002, eBay bought PayPal, Inc. for $1.45 billion. PayPal, which offers the most popular means of payment on eBay, provides clearing services for the execution of online transactions. It enables Internet users to open accounts on the company site, transferring money from their credit card or bank account. When carrying out a transaction, the seller receives a certificate with which money can be withdrawn from the buyer's account in cash. The system obviates the need to reveal personal financial data.

    When PayPal was acquired, the company reported 16 million users, as well as 3 million business accounts and 28,000 new visitors to the site each day. About 60 percent of PayPal's income derives from commissions received from users buying goods on eBay. About 70 percent of eBay buyers use PayPal.

    Two years earlier, eBay bought Half.com, a site that specializes in sales of CDs and books. Sullivan explained that these acquisitions help eBay to provide lawmen with a full picture. "Every book or CD comes with a bar code. So we know who bought what. The acquisition of PayPal helps us to locate people more precisely. In the old days, we had to trace IP addresses (unique address given to computers linked to the Internet), to locate the buyer, but now PayPal supplies us with the money trail.

    PayPal has about 20 million customers, which means that we have 20 million files on its users," Sullivan proudly relates. "If you contact me, I will hook you up with the PayPal people. They will help you get the information you're looking for," he tells his listeners. "In order to give you details about credit card transactions, I have to see a court order. I suggest that you get one, if that's what you're looking for." It isn't certain that visitors to the site are aware of the thick hints eBay gives the lawmen.

    "By buying PayPal, eBay is merging the information about the goods trail with the money trail," explains Kozlovski. "Thus, in spite of the protective mechanisms of the law against disclosure of details on transactions, eBay is in a position to analyze the full set of data and `advise' investigators when it might be `worthwhile' for them to ask for a subpoena to disclose the details of a financial transaction. Essentially, this bypasses the rules on non-disclosure of details of financial transactions and the confidentiality of the banker-client relationship."

    Kozlovski mentions how special investigator Kenneth Starr issued a court order that ordered the bookstore where Monica Lewinsky bought her books to report to him the names of the books she bought. "Then, there was a huge fuss. Now you don't need a special order - eBay does the work for the investigators."

    Kozlovski feels that eBay's practice should be seen as part of a worrisome trend in the West to curtail protection of individual rights. In communist regimes, he says, the state would assign watchers to follow every citizen, who would pass incriminating information on to the authorities. Now the state doesn't have to do a thing. People come to it of their own free will. This is also the case for eBay, which exploits its stature in the market to have users accept contracts that strip them of their privacy. Perhaps the regime is different, but the outcome is most assuredly the same.

    A million new items a day

    eBay has no operations in Israel. But in the U.S., Europe and even the Far East, the name eBay is uttered in the same breath with names like Yahoo, Google and Amazon. The company created an electronic business arena where sellers offer their wares and buyers purchase them. eBay's trick is that both the sellers and the buyers are ordinary citizens. On eBay, you can find people selling used chewing gum (and there are buyers), torn soccer balls, 18th century forks, sunflower seeds and luxury cars (in 2002 alone, some 3,000 cars were sold on the site, at a total of $30 million.)

    eBay is one of the few Internet companies that shows huge profits quarter after quarter. The company completed the fourth quarter of 2002 with revenues of $414 million and net profits of $87 million. The company had overall income in 2002 of $1.2 billion, and net profits of $250 million. It is traded on Nasdaq at a company value of $23.4 billion - three times that of Amazon, twice that of Yahoo and eight times that of the Israeli security behemoth, Checkpoint.

    At any given moment, eBay is conducting some 12 million auctions, divided into about 18,000 different categories. About two million new items are offered for sale every day, and 62 million registered users scour the site to find them. These users have given eBay the monopoly on online auctions in America. Companies such as Yahoo and Amazon tried to get into the auction market, but were forced to give up. An estimated 150,000 people earn their livelihoods solely from buying and selling items by Internet. The company maintains local sites in Britain, Germany, Italy, South Korea, Ireland, Australia, Spain, Singapore and Sweden.

    eBay is a monster that churns out money 24 hours a day, 365 days a year - for itself and for its millions of users.

  3. Let's see by Oculus Habent · · Score: 4, Insightful

    I've got a fax machine...

    Maybe you need letterhead.
    Oh, I've got an Internet connection, and plenty of places have seals and official logos online. The quality isn't great, but hey - it's a fax, right?

    Maybe you need a phone number.
    Oh, I've got a phone I can sit by and pretend to be whoever I want when I answer it.

    What was it Kevin Mitnick said about social engineering?

    --
    That what was all this school was for... to teach us how to solve our own problems. -- janeowit
  4. Pick the right target by Anonymous Coward · · Score: 5, Insightful

    Don't complain about eBay and other companies doing this--complain about the laws that don't protect our privacy. Talk to your representative and make the case for protecting such information if this kind of thing bothers you (and it should).

  5. Is anyone truly surprised? by Anonymous Coward · · Score: 5, Insightful

    In this current age of "let's go get them badguys", is anyone really surprised that a company would so willingly acquiesce to the government? Should they? Good question, but are you surprised that they DO?

  6. That would be illegal in the EU by MightyTribble · · Score: 4, Interesting

    http://www.ebay.co.uk/

    It appears they have a presence in the UK. Therefore the Data Protection Act applies to them. They make no mention of this in their Privacy Policy:

    http://pages.ebay.co.uk/help/community/png-priv.html

    Oh, dear. Looks like someone should shop them to the Data Protection Registrar...

    1. Re:That would be illegal in the EU by TheRaven64 · · Score: 4, Informative

      They don't store the data in the UK, and so are not bound by the Data Protection Act. Dabs use the same system on their auction site to get around UK law.

      --
      I am TheRaven on Soylent News
  7. That's great, as long as e-bayers are aware of it by mekkab · · Score: 4, Interesting

    I don't care how small a point font it was printed in,

    as long as it was printed on the site when I registered, or sent to me in an e-mail update.

    Now, the legality of defining their policy and having you click-thru is still up in the air with EULAs; just because it's printed in legalese doesn't mean it will hold up in court.

    But to give me a warm fuzzy, disclose it to me.

    Why? Because there are a lot of rip-off artists on e-bay. If it makes it easier for law enforcement to find and fine these scummy ebayers, that is a GOOD THING.

    Honestly, I'd rather have E-bay in my corner if I get screwed than to have them go the PayPal route.

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
  8. Know what else? by stratjakt · · Score: 5, Informative

    I can web-scrape all that same info off the site.

    Bid histories for each auction, items you've bid on, auctions you've won... Yep.. It's all there.

    I've been spammed to death because of eBay (luckily I use a hotmail address with them). I bought a couple of old SNES games, next thing you know 100 yahoos are offering me CD's full of ROM images for 20 bucks or so.

    Tracing your email address to the actual person is a small hoop to jump through.

    Any real privacy on eBay is a figment of your imagination. It's like expecting your trip to the mall to be 'private'.

    --
    I don't need no instructions to know how to rock!!!!
  9. If you have ever been ripped off on ebay... by Mr. White · · Score: 5, Interesting


    If you have ever been ripped off or defrauded on ebay, you would look at this from a different perspective.

    The last thing I want to do when someone defrauds me using ebay is jump through the many legal hoops to obtain a warrant.

    As stated, this information can only be requested by law enforcement, and trust me, law enforcement officials don't get off on violating your privacy and requesting it just for kicks. This is a welcome move that will help people that got screwed recover their money a little easier and a little faster. I, and many other ebayers, welcome the policy.

    Witold
    www.witold.org

  10. This is a cost cutting measure, pure and simple by WIAKywbfatw · · Score: 4, Insightful

    Not that I condone it for even a second - how can eBay (yes, /. editors, that's how it's spelt, how can you not get that much right?) be sure that the person requesting the information is a legitimate law enforcement official?

    Even if they were, any information garnered in this way would immediately be thrown out of court in most countries (including the US) as inadmissible, because the source would be deemed an illegal search if the proper warrants hadn't been obtained.

    Without even examining the link it's obvious why eBay would do this - verifying the legality and scope of every warrant that it is presented with takes time, and time costs money. Rather than spend this time and money unproductively (cooperating with police officers doesn't produce revenues), they choose the path of least resistance.

    Unfortunately, eBay is sufficiently large enough (or at least it thinks it is) that it doesn't see this as a reason for people to defect to less popular rival online auction sites.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  11. PayPal by WPIDalamar · · Score: 4, Insightful

    Even scarier ... who owns PayPal these days?

    I hear some people use it like a bank. Would you want your financial info tossed around like that?

    One more reason to stay away from PayPal.

  12. It's not just eBay... by xxxJonBoyxxx · · Score: 5, Interesting

    I work for a banking service provider (one of the guys who run the banking software for the little 1-50 branch banks). A few years ago we used to get excited because the Secret Service or FBI wanted us to pull some records. These days we almost need a full time person to track this stuff down. This week we got a call from a homicide detective in Columbus, OH. (Is that really a city?) The detail we can provide these guys is pretty complete - even if it's just a lame web banking hack attempt, we can often link that attempt back to a specific ISP user (because the ISP often attaches additional information to web requests - ahem, AOL) as well as tell every single transaction that account, that IP, that user has done since XXX. And what does it take for people to get the information? At first we only trusted agents with ID at the door, but it really is getting to the point of a phone call and a fax; in fact, the best way to social engineer these days might just be to pretend you're a cop - the person on the other end of the phone (at least at my place) will generally roll over and cough up whatever you want by the second phone call. Fortunately, some management types have started to pay attention to the hack opportunity provided and are beginning to educate the first-line responders to these kind of calls that just because they say they are cops, doesn't mean they really are....

  13. How do I delete my ebay account? by lazn · · Score: 4, Interesting

    Yesterday I tried to delete my account, but I can not, it will not let me.

    I do not ever intend to use ebay, but it seems my account will forever be there.

    Annoying that.

  14. Amen. by dpbsmith · · Score: 4, Insightful

    This should be the final proof, if proof were required, that privacy policies and TRUSTe seals audits and seals are ineffective at protecting consumers.

  15. Kind of scary... by 95_gst_al · · Score: 4, Informative

    As an Ebay user, 200 requests a month for personal information seems high to me.

    I could have a buddy that works at the police department. If I visit him frequently, nobody would see a problem with me saying he is expecting me and I will just wait in his office. While he is at lunch, I could use his fax machine and request the information of anybody I want.

    --
    When all else fails, piss on it. At least you will feel better in some kind of way.
  16. You were warned... by Slightly Askew · · Score: 4, Insightful
    From the site:
    "The users are asked to read and agree to the site policy before they can make use of it," eBay spokesman Kevin Pursglove told Haaretz. "We provide a link to our privacy policy on every single page of our site, and provide summaries of this policy, all so that users will be familiar with our policy."
    Be pissed, boycott 'em, tell everyone else how shitty they are, but don't say you weren't warned. Clicking through the EULA without reading it is never a good practice. If you have never been bitten in the ass before (i.e. Gator), just take my word for it. If you are going to give someone your personal information, you better know what they plan to do with it.
    --
    Public use of any portable music system is a virtually guaranteed indicator of sociopathic tendencies. -- Zoso
  17. A *handwritten signature*? by siskbc · · Score: 4, Insightful
    Social Engineering doesn't work here.

    I work in Student Records at a technical college in MN. I will NOT allow anyone to request information over the phone. They must either MAIL or FAX me a request with a hand written signature in order for me to release this information to them...

    State and Federal law states that people can request information over the phone if it is going directly to them and *I* feel that it is really that person. Problem here is that I cannot verify if it is really them and the social engineering thing comes into play. So basically I won't accept any phone requests. I feel that I cannot safely determine who the person is if I don't see a handwritten request.

    Oh, for chrissakes - handwritten requests are completely and utterly useless. Let me guess, it has to be on letterhead? See parent post regarding availability thereof...

    So I fax you a request. It has Police Department letterhead...or something similar. I mean, you don't know what the Jackass Police Department's letterhead looks like. And I sign it as the chief of Jackass Police Department. You don't know what his signature looks like either. And I put my phone number on it - but it has the same area code and extension as the main number, so it could be a non-main phone line. Or maybe I made up a police department that doesn't even exist.

    How many E-bay knobs are going to fully check this? Are they going to get a directory assistance to find the PD and check the number? Are they going to talk to the chief, from the phone number they looked up, to make sure he ordered the data? What if they can't find the department's listing (could be a small department, could be I made it up)? Probably none of the above.

    When you get down to it, faxed requests are pretty much worthless. Which is why I would want a warrant served by law enforcement personnel who I could easily check up on. As for DNR, I don't believe that helps with ebay.

    --

    -Looking for a job as a materials chemist or multivariat

  18. IANAL, but... by gillbates · · Score: 4, Insightful

    From the article:

    Attorney Nimrod Kozlovski, author of "The Computer and the Legal Process" (in Hebrew), heard the lecture, and could not believe his ears. "The consent given in the user contract should be seen as `coerced consent,' in the absence of any opportunity to exercise free choice, with no real alternative but to agree. This is most certainly not conscious consent."

    I think this says it all. We are rapidly becoming a society in which corporations can strip individuals of their liberties not by virtue of law, but by using onerous contracts.

    Imagine if the utility companies forced a person to hand over keys to their residence when they signed up for service, so that the company could "inspect the premises in the interests of public safety". It wouldn't be long before the utility company would realize that they can make additional income by "renting" your key to law enforcement agencies on demand. But you, the resident would effectively have no say in this - you either agree to their terms, or you do without gas/electric/phone service.

    You see, the danger of this is that by "renting" the key, law enforcement no longer needs a warrant to search your house; you implicitly gave consent for entry to the utility company, who then resold that consent to law enforcement. It is these kinds of agreements which allow law enforcement to circumvent the checks and balances guaranteed by the constitution, and this is what makes them so dangerous.

    How long will it be before our lives and liberties are entirely beholden to corporate interests?

    --
    The society for a thought-free internet welcomes you.
  19. Re:There is no Constitutional right to privacy by zobo · · Score: 4, Interesting

    There is actually no Constitutional right to privacy.

    There is in California...
    CALIFORNIA CONSTITUTION
    ARTICLE 1 DECLARATION OF RIGHTS

    SECTION 1. All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.
    --
    83chrise.nuf
  20. What this is REALLY about by JonTurner · · Score: 4, Interesting

    It's not a freedom/safety issue. It's not about violent criminal behavior. It's about money.

    Specifically, states are busy passing laws allowing collection of taxes on internet sales, but most of these sales go unreported. (Think about it, did you list last year's eBay sales on your 1040? Well, neither did anyone else.) So this is their method for reporting. And thanks to eBay's "flexible" reporting system, a simple fax request is all that's needed. No need for a time-consuming, cumbersome warrant with all those messy rules about Judge's signatures and prior evidence... just a bored cop's desire to go trolling for evil tax evaders.

    "Dear eBay,
    Please send us a list of all the transactions in the past 7 years from customers in the 90210 area code.
    Thank you,
    Sgt. Jackass, Podunk California Police Department."

    It's simple. If they want to collect taxes on unreported sales, they start with records from the largest online retailer, the one who hands out information no questions asked. Thanks for nothing, eBay!