Slashdot Mirror
eBay Provides No Privacy For Sellers
Phanatic1a writes "Quoted in an article in The Nation, eBay's chief of security Joseph Sullivan brags up eBay's "flexible" privacy policy to LEOs, telling them "If you are a law-enforcement officer, all you have to do is send us a fax with a request for information, and ask about the person behind the seller's identity number, and we will provide you with his name, address, sales history and other details--all without having to produce a court order." The tens of millions of Paypal customers eBay has access to the financial records of might be curious to see what else Sullivan promises..."
we will provide you with his name, address, sales history and other details
Other details... hmmmm, wonder if this means: Seller is super great/fast AAAA+++++++++ recommend to all A+A+A+A+A+A+
I have often regretted my speech, never my silence.
-Xenocrates
I understand this from eBay's perspective to a point:
There is also the genuine anxiety surrounding the potential consequences of not following up on a perceived terrorist threat.
..but this part:
It also expands the category of information that law-enforcement figures can seek with a simple subpoena (no court review required) to include, among other things, IP addresses and credit card and bank account numbers.
Besides buying copies of "Mein Kampf" and "The Anarchist's Cookbook," what sort of flags could be construed as putting one's transactions over the limit?
Mom says my
This story is very simmilar to a very old story here. Anyway, I'm not sure what the big deal is this time. The author says "brag" as if this is a crazy notion. He's bragging because this policy keeps buyers safe. I'm a privacy advocate, but in this case, why the hell should seller information be kept private from the police? I've been ripped off several times on eBay. I'm very glad to hear that sellers aren't anonymous!!!! So, you should be allowed to stay annonymous when accepting money on the promise of delivering goods?? WTF?! Could you imagine some of the anonymous trolls on this stie selling you shit? How does this escalate directly to giving out buyers bank info? I don't think he'd be bragging to customers about that deal. It's COMPLETELY different.
"Question with boldness even the existence of a god." - Thomas Jefferson
So, in essence, sellers on Ebay are as easy to track down as sellers in brick & mortar stores or otuer public places of business, with business licenses, vendor's licenses, or other government checks and controls... I fail to see a problem with that.
Of course, this opens them up for identity theft, just as much as it would normal businesspeople.
Never underestimate the potential of Human stupidity. -Heinlein
Any takers on how long before this is misused and someone sues ebay?
Seems like they are leaving the door wide open for a "law enforcement officer" to get a user's info with a faked fax.
The policy is horrible, but I hope at the very least, they double-check before they start sending any info back.
"I turn away with fright and horror from the lamentable evil of functions which do not have derivatives."
I wonder how many requests they get and what kind of verification they do to make sure that the requests are legit?
Honestly, how hard is it to photoshop up some letterhead and fax it to eBay claiming you're a member of law enforcement? This could be an easy way for crooks to get the credit info of some of eBay's powersellers, who likely have some excess cash.
eBay itself goes further than this, employing six investigators who are charged with tracking down "suspicious people" and "suspicious behavior.
I guess I'd better not post any more "Stable version of Windows" auctions...
*sigh*
Mom says my
I'm trying to think of any large business valued at over a few mill that doesn't bend over backwards to lick the collective asses of law enforcement agencies. It's alot less hassle, avoids possible court time and bad requests for info (whilst they undoubtedly happen) are rare. I guess eBay think most customers will just swallow theses Terms and Conditions and business as usual (which will be the case).
"I am not bound to please thee with my answers" [William Shakespeare]
I'm sleeping easier now.
If it's so easy to get this information, how hard would it be for me to create my own police letterhead, a badge number, and have them fax the info to my local Mailboxes, etc.? I mean, say someone rips me off, this would make it soo easy to get them back. Can you say Identity theft?
"Men lie."
"Yeah, about sleeping with other women, but never about bioluminescent plankton."
-Dan Brown
I work with a relatively large community site, and we work the same way. I'm a bit of a libertarian, so it galls me a bit, but it really does make sense for the most part.
Now, if law enforcement wanted the personal data froms someone who wrote an anti-Bush post, I'd argue for making them produce a court order.
But when law enforcement wants data about someone who we can see has sent hundreds of threatening emails to another user, who has posted in our message boards about how they're going to kill their ex- , or who we've had to ban from chat or message boards for repeated abuse... sure, we'll hand it over, no court order needed. And our privacy policy says so.
And you know what? Of the maybe 100 times law enforcement has asked us for someone's personal data, every single time that I can recall involved a user where we just *knew* the request was coming. In many cases, we had advised someone to *call* law enforcement after they contacted our support group with believable threatening emails originating from our system.
I believe in the hotly debated "right to privacy," but I don't think that that's incompatible with helping law enforcement in some cases.
In the eBay case, clearly it's in their interest to reduce fraud on their system, so anyone with half a brain would expect them to cooperate with law enforcement. What, do folks have a "right" to defraud folks on eBay? Or is eBay somehow obligated to make investigation of that fraud as difficult as possible?
Cheers
-b
This is why I normally only use cash. True my bank knows I took out money, but they don't know where it went.
.they don't need to know anything about me. Its bad enough I'm on camera, they can even track what car you get into, then trace your plate number.
And I refuse to give any personal info when purchasing.. its cash.
What ever happened to the concept of privacy? And if you tell me its 'for my safety', you deserve to be kicked in the teeth.
---- Booth was a patriot ----
Now of course that is illegal (misrepresenting myself as a law enforcement official), but since fraud is already illegal, what difference does throwing another shrimp on the barbie make?
Manipulate the moderator system! Mod someone as "overrated" today.
I have worked with various 'law enforcment' agencies on various IT projects (Databases) and trust me these guys dont give a damn about privacy policies or information sharing laws.
Most of the time it goes like this: hey do you have any information about such and such? Ok, give it to me.
The only reason there are no 'global law enforcement' databases about all of us is the sheer incompetence and beaurocracy of the public/government institutions...
I knew I read this months ago. And "The Nation" specifically says that they got the story from Ha'aretz, noting that the US news media hadn't picked up on the story. Other then some additional commentary, this is a repeat.
If citizens of the United States are allowed privacy, a presumption of innocence, or the protection of due process, then the terrorists have already won.
Wait... that doesn't sound right. Which of us is smoking crack?
If you were blocking sigs, you wouldn't have to read this.
Those comments were made last winter, so those of you (like me) feeling a sense of Deja Vu - there's a reason.
According to PayPal's privacy policy, your banking info and everything else is safe unless the request is backed by a warrant or court order. It is interesting to note that they do reserve the right to give some of your info to your victims if they find that you've committed a fraud.
Here's the (IMO) relevent passages from the section outlining exceptions to the rule that they don't share your info:
"We disclose information that we in good faith believe is appropriate to cooperate in investigations of fraud or other illegal activity, or to conduct investigations of violations of our User Agreement. Specifically, this means that if we conduct a fraud investigation and conclude that one side has engaged in deceptive practices, we can give that person or entity's contact information (but not bank account or credit card information) to victims who request it.
We disclose information in response to a subpoena, warrant, court order, levy, attachment, order of a court-appointed receiver or other comparable legal process, including subpoenas from private parties in a civil action. "
666-607: 6th floor apartment of the beast
I guess this kills the auction for all those terrorists buying and selling nuclear, chemical, biological weapons online...
Oh, and how much you trust the LEOs.
Here's what some have done with their access to the License Plate Database:
Personally, I trust the gov and the cops...but only as far as citizen oversight allows.
because I have been enjoined by this Holy Office to abandon the false opinion which maintains that the Sun is the centre
No, in this age of state budgets exceeding revenue, it means is that State tax collectors are going ask DoNotCall.gov for a list of email addresses from their area code. From there, the taxman will ask eBay for a list of all sales from each email address along with description of items and amount.
Next, that information is used to demand back taxes + penalty fees, and potential criminal prosecutions for those who have not reported their eBay sales as "income."
Remember, it's only called a conspiracy *theory* until it happens.
Again, here we see a case of an individual unwilling to even make an attempt at a thorough and thoughtful analysis of the issues surrounding what is most definitely a very complex subject. While I fully see the need for a certain level of cooperation with the authorities, I see far more problems with allowing them carte blanche acces to my entire life. When any agency has that much power, there is no point at pretending a democracy exists anymore. Ebay, and Sullivan in particular are taking a cheap and easiy way out simply to avoid dealing with an unpleasant issue.
However, Sullivan may be missing the point that privacy is always a two way street. Customers, like it or not, expect a certain amount - take it away and you drive them off. Advertise that you don't respect your customer's privacy, and you see a flurry of discussion and anger similar to that on display on this page. Sullivan seems to think that bending over for "the man" will make his dealing with law enforcement more pleasant, but he's missing the point that it doesn't grant blanket immunity from personal, or corporate liability, should "the man" make a mistake. God have mercy on the soul of any corporate bigwig who accidentally gets a customer persecuted/prosecuted under false pretenses.
I'm not tense. I'm just terribly, terribly, alert.
I only have one problem with this policy: that it isn't extended to anyone one. Why should law enforcement have this right, but I - an eBay buyer - not have this right?
/. world believe that absolute privacy is a right. Well, it isn't. When you enter into certain situations, you set aside your rights, in order to embrace other rights. One of these situations is the area of commerce. If you have business and I am about to enter into a trans action with you, I have the right to perform a background check on you. To determine if you are a con person or rip-off artist.
I don't see that someone who is selling things should have a right to hide their identity, background on transactions, etc., from others. Transparency, and the accountability that it fosters, is key to commerece and trust.
Too many people out in the
What reasons might the police have to request ebay info? Think about it - probably 98% is fraud related. Being hornswaggled is the most worrisome thing about using ebay. It makes me feel safer to know that the sellers info is easily available to law enforcement. I want dishonest sellers to know they may be being monitored by the police. If you are an honest seller, you are more likely to make a sale if the buyers know that the police can get your info. It makes them feel safer. This is a good thing from the honest seller's perspective.
The other 2% may be odds and ends like possible terrorist sales and child porn and the like. I don't want that crap on any site I go on either. I just wanna buy my used VCR so I can illegally copy rented DVDS ;-).
I would feel differently if ebay was so willing to disclose buyer information. Buying is something everyone must do, and there should be some privacy protections. What you buy is a window into your personal life. Too much can be deduced, and wrongly assumed from that data for it to be a good idea for law enforcement to have it. What you sell is another matter. The only info it reveals is how you made your money. There is not much chance that law enforcement will start persecuting hot dog vendors just because they are hot dog vendors.
Eat at Joe's.
There are a lot of comments about this being any easy hole for the bad guys to exploit by simply forging some letterhead to get a seller's info for identity theft and the like.
First of all, I don't remember ever having given eBay my Social Security number, the Holy Grail of identity theft. Second, eBay is only going to respond to "verified requests" when they have a "good faith belief" that there is criminal activity or the threat of "imminent physical harm."
So, I would say at a minimum they're going to verify that the request comes from a real-life LEA - it only takes about 2 minutes to look up any LEA's address and phone number, and if it doesn't match, to call it any verify. They're not going to risk getting sued for millions for giving out your personal info to a stalker. Come in off the ledge folks.
From eBay's privacy policy:
Legal Requests. eBay cooperates with law enforcement inquiries, as well as other third parties to enforce laws, such as: intellectual property rights, fraud and other rights, to help protect you and the eBay community from bad actors. Therefore, in response to a verified request by law enforcement or other government officials relating to a criminal investigation or alleged illegal activity, we can (and you authorize us to) disclose your name, city, state, telephone number, email address, UserID history, fraud complaints, and bidding and listing history without a subpoena. Without limiting the above, in an effort to respect your privacy and our ability to keep the community free from bad actors, we will not otherwise disclose your personal information to law enforcement or other government officials without a subpoena, court order or substantially similar legal procedure, except when we believe in good faith that the disclosure of information is necessary to: prevent imminent physical harm or financial loss; or report suspected illegal activity. Further, we can (and you authorize us to) disclose your name, street address, city, state, zip code, country, phone number, email, and company name to eBay VeRO Program participants under confidentiality agreement, as we in our sole discretion believe necessary or appropriate in connection with an investigation of fraud, intellectual property infringement, piracy, or other unlawful activity."
666-607: 6th floor apartment of the beast
On many occasions people report scam artist's auctions, often on hijacked IDs, and eBay does nothing for days. Shill bidding [bidding on your own items] is strictly forbidden, but if you present eBay with the evidence, they often don't suspend all of the accounts involved.
m l user agreement
c y. html privacy policy
h read=36 270&start=0&msRange=189
Remember a few months ago when the chat boards were comprimised because Live World who runs the boards left an admin tool open to users on the Internet? Dozens of people's account information, and snitch information was made available to hackers that just needed to modify an address in Internet Explorer.
http://pages.ebay.ca/help/community/png-user.ht
http://pages.ebay.ca/help/policies/privacy-poli
The "six investigators" bit is a joke. eBay would be even more ripe with fraud if hundreds of users didn't make reports to the "support" staff.
Read what a joke the support is like:
http://forums.ebay.ca/thread.jsp?forum=7&t
Saskboy's blog is good. 9 out of 10 dentists agree.
It's been pointed out that identity theives could simply use a forged letterhead to get private information, but I'm concerned about other possible misuses:
- Abusive spouses - Someone running from a batterer would likely change bank accounts, etc. but I doubt they'd wipe an eBay account. Likely just change the old one to match those new accounts. Viloa - the S.O.B has an address.
- Scammers might use personal info and a little human engineering ("No, I just forgot my password. Here's my some info as proof of ID...") to hijack an account, then run their scams through it.
- A seller who feels he's being undercut by another might somehow trash their rival (although, I admit, you'd have to be disturbingly obsessed about eBay to even think to pull this one off).
- Stalkers, stalkers, stalkers!
The list goes on and on. I think I'll stick with garage sales, thanks."Prepare for the worst - hope for the best."
...is that they are beginning to be perceived as a hotbed of seller fraud. I'm not surprised that they are bending over backwards to cultivate good relationships with law enforcement.
The anarchists Cookbook was published by a covert government organization and was intended to cause physical harm to any who tried to execute the plans included in it.
Regardelss of whether it was a deliberate hoax or simple incompetence, the recipies in it are indeed dangerous, and likely to blow up in your face (literally) if followed.
For instance: The nitroglycerine recipe completely ignores the temperature control (i.e. ice bath) necessary to keep the heat of the reaction from setting off the product - demolishing the lab AND splashing the remains with the nitric and sulphuric acid not yet consumed by the reaction.
Don't try thiose recipes at home, kiddies.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
How many people and companies out there have had their domain hijacked via Network Solutions with just a fax? Now eBay is going to have available NAME, ADDRESS, CREDIT CARDS and BANK ACCOUNTS to anyone who can forge a fax from a law-enforcment agency. Just need to find someone selling some used 72" plasma TV or some other expensive trinket - there's a good mark.
Anyone know if this is this international, or just US?
Because auctions are part of the stolen property loop of old.
In the days before UV pens etc. it was nigh on impossible for anyone to know if an item they were being offered was stolen or not. This was a problem if your business was buying and selling used goods. And if you were a police force with a lot of recovered property for whom you have no identified owner. And if you wanted to buy something, it's a bit risky if your goods could turn out to be stolen because the goods are returned to the owner and you become out of pocket.
What was devised was the public auction with public viewing. It was your responsibility to visit auctions and see if any your stolen property was there and then discuss it with the auction house and from there a resolution could be reached.
Once purchased from an auction stolen property is deemed clean. It was the previous owners fault for not turning up at the publicly announced public auction.
Under this situation the privacy of the seller is not an issue, indeed, disclosure of the identity of the seller is of prime importance, only the privacy of the buyer is assured.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
What is more worrisome is what this implies for *buyers*! If eBay can and will, at the drop of a fax, give a seller's sales transaction history for any reason, what prevents them supplying a buyer's purchase history?
All merchants give up a lot of privacy in order to business in any arena. None of this is surprising or scary.
However, what scares the hell out of me is the thought law enforcement officials could see I was the winning bidder on some blacklisted book, movie, object and request my bidding history from eBay.
The potential loss of privacy for buyers is what *everyone* should be screaming about.
This is the absolute least of the problems with eBay!
Unless eBay can sort out the massive amount of fraud [msnbc.com] that's going on right now then I'm never using it again.
There seems to be an absolutely massive problem at the moment with people hijacking eBay accounts and their associated e-mail addresses and eBay don't seem to want to anything about it.
Anyone who uses eBay and has a weak password on their e-mail account (or an obvious answer to their secret question) is vulnerable to having their eBay account taken over (complete with e-mail account and credit card details) and used by a Western Union scammer.
What's a Western Union scammer? Someone who asks to be paid though Western Union (who offer zero buyer protection or tracking of funds) and then simply never ships the item. Western Union seem happy to dish out funds to anyone so the fact that the account is in the wrong name doesn't seem to cause any problems.
eBay should make it so it's impossible to take over an account by changing the password/and/or e-mail address unless you know lots of personal information (D.O.B., mothers maiden name, etc etc).
I'm finding it very difficult to get eBay to reply or for any news agencies to give this any publicity.
Over the weekend I saw about 30 Sony plasma screens advertised (usually "pre-approved bidders only") - almost none of which were legitiate. When you contact the seller - you get a similar message every time - "The item will be shipped from and I would like you to pay though Western Union". They remove them eventually if you complain, but the point is, the fact that more are appearing means that they're still finding it very easy to hijack your account.
Nick...
When I choose who I'm going to do business with I make a number of choices and at every stage it is a trade off.
I choose my ISP, connectivity providers, on-line shops and many more on the basis of how I feel about the company ethical and morally. This leads me directly to not having anything to do with ebay or paypal what so ever
It is not as if they are lying (something I have serious problems with) it is laid out in black and white in the EULA.
If you happen to use eBay and never read the click through bits you can get to them here Ebay's EULA.
One request don't wine about it afterwards, it is after all your responsibility to know what contracts you entered into even if as I suspect the click thru EULA will be shown to be indefenceable in the courts.
Since when is that an indicator of criminal behavior? Millions of each book were sold, probably only a handful of nasty people in the US were found with those books, with the exception of skinheads.
I own both books, I bought the Anarchist Cookbook when I was 12 just because it was a regulated and semi-banned book. I didn't do anything illegal besides a few backyard experiments.
I read Mein Kamph for two history classes, WW II history and a class on the history of the Holocaust. Should I be investigated for this?
....ebay can't even guarantee that your ID and information is completely deleted from their system if you terminate your account with them....either willingly or forcibly. so in theory even though you think you have no relationship with them anymore. They could have all of your personal info somewhere either on a backup or in some active database....scary!
Per the above, it appears that eBay is also offering to help law enforcement agencies avoid giving Miranda warnings. However, this could backfire.
Only Women Bleed (Sex, Sharia remix)
This is a good thing. I refuse to buy stuff on Ebay cause I've gotten screwed twice. If I get screwed at WalMart(c), I can goto the store manager. If I get Screwed at "Mom and Pop's Local 5&Dime and Cow Manure Emporium", I can contact the Better Business Bureau or my local law enforcement officials. But when I get screwed on Ebay, I'm screwed.
Ebay ignores everything except the most extreme of cases, at worst cancelling the seller's account and leaving the fleeced buyer up a creek without a paddle. This allows for some culpability on the sellers part. When I go into a store, I can see the business license on the wall (ask, they are required to post it for all potential customers to see, even if that is often in the management offices) and know who is ultimately responsible.
Now, I admit, I would PREFER to see Ebay require by default, Sellers to list verified contact info, but that's a pipe dream cause it would cost too much. I would also PREFER that a warrant or subpeona be required to release information such as credit card numbers, bank accounts, and transactions, even to law enforcement officials.
Anonymity and privacy are great things, but they only extend as far as you are willing to stay private. When you enter a public domain, your expectaion of privacy is highly deminished. Ebay is very much a public area where people freely go (no different than a department store). At a department store, the store is never private, but the customers can choose to be by purchasing in cash, or they can wave that privacy and use traceable credit/debit cards or checks.
-Ab
Nothing fails quite like prayer.
They say in this written policy that they will verify the request as coming from law enforcement. This is a contract. If they do not honor it, they are (presumably) subject to legal action, especially if somebody experiences a material loss as a result (maybe unlikely, but still).
I'm not talking about what they do in the real world, or what anybody says in any particular interview. But what they say in writing does have some weight (even if they may choose to disregard it).
IANAL, yadda.
Currently, credit card companies and phone companies happily send info with calling and billing records to law enforcement without a warrant. This eBay policy is a naturally parallel to that and to my mind, no big deal.
Like most privacy questions, you trade convenience and/or discount for privacy. If you don't want there to be a record of your transaction, use cash in a place that charges more but which employs particularly forgetful help and doesn't have videocams. If you want the cheapest price or things delivered to you in your pajamas, expect there to be some record of your purchase.
It's psychosomatic. You need a lobotomy. I'll get a saw.
Is this legal? On the $20 note in my billfold it states, "This note is legal tender for all debts, public and private." Given this, how can a store refuse cash? Perhaps some exceptions can be made if you can't give change or are ordering through the mail/online so cash can't be processed, but other than that I can't see a reason for a store being able to refuse cash for a purchase. I mean, if I wanted to buy a $1400 laptop at CompUSA and gave them 70 $20 bills, 14 Benjamins, or 1.4 x 10^5 pennies, that's legal according to the US Treasury, right? (They being the ones issuing the legal tender I'm using.)
Anyone have an answer?
My company recently had a Linux server with an open port that was used to spoof email from an eBay seller. We know because we were contacted by the FBI. Needless to say, the server is no longer open.
Here's what the Serbian hackers were/are up to.
They place an ad on eBay for an item at a very attractive price. When they make a sale, they choose a valid credit card number from their list whose owner lives within 100 miles of the buyer. They place an order for the item using the purloined credit card number and have it drop-shipped to the buyer. The purchase meets with the buyer's approval, and he makes payment by PayPal.
A few weeks later the cops arrest the buyer for using a stolen credit card. It takes a while for them to figure out what is going on before the buyer is cleared.
That's what eBay is trying to stop.
We must be alert to the danger that public policy could become captive to a scientific-technological elite. - Eisenhower