Slashdot Mirror
eBay Provides No Privacy For Sellers
Phanatic1a writes "Quoted in an article in The Nation, eBay's chief of security Joseph Sullivan brags up eBay's "flexible" privacy policy to LEOs, telling them "If you are a law-enforcement officer, all you have to do is send us a fax with a request for information, and ask about the person behind the seller's identity number, and we will provide you with his name, address, sales history and other details--all without having to produce a court order." The tens of millions of Paypal customers eBay has access to the financial records of might be curious to see what else Sullivan promises..."
we will provide you with his name, address, sales history and other details
Other details... hmmmm, wonder if this means: Seller is super great/fast AAAA+++++++++ recommend to all A+A+A+A+A+A+
I have often regretted my speech, never my silence.
-Xenocrates
I understand this from eBay's perspective to a point:
There is also the genuine anxiety surrounding the potential consequences of not following up on a perceived terrorist threat.
..but this part:
It also expands the category of information that law-enforcement figures can seek with a simple subpoena (no court review required) to include, among other things, IP addresses and credit card and bank account numbers.
Besides buying copies of "Mein Kampf" and "The Anarchist's Cookbook," what sort of flags could be construed as putting one's transactions over the limit?
Mom says my
So, in essence, sellers on Ebay are as easy to track down as sellers in brick & mortar stores or otuer public places of business, with business licenses, vendor's licenses, or other government checks and controls... I fail to see a problem with that.
Of course, this opens them up for identity theft, just as much as it would normal businesspeople.
Never underestimate the potential of Human stupidity. -Heinlein
Any takers on how long before this is misused and someone sues ebay?
Seems like they are leaving the door wide open for a "law enforcement officer" to get a user's info with a faked fax.
The policy is horrible, but I hope at the very least, they double-check before they start sending any info back.
"I turn away with fright and horror from the lamentable evil of functions which do not have derivatives."
I wonder how many requests they get and what kind of verification they do to make sure that the requests are legit?
Honestly, how hard is it to photoshop up some letterhead and fax it to eBay claiming you're a member of law enforcement? This could be an easy way for crooks to get the credit info of some of eBay's powersellers, who likely have some excess cash.
eBay itself goes further than this, employing six investigators who are charged with tracking down "suspicious people" and "suspicious behavior.
I guess I'd better not post any more "Stable version of Windows" auctions...
*sigh*
Mom says my
I'm sleeping easier now.
I work with a relatively large community site, and we work the same way. I'm a bit of a libertarian, so it galls me a bit, but it really does make sense for the most part.
Now, if law enforcement wanted the personal data froms someone who wrote an anti-Bush post, I'd argue for making them produce a court order.
But when law enforcement wants data about someone who we can see has sent hundreds of threatening emails to another user, who has posted in our message boards about how they're going to kill their ex- , or who we've had to ban from chat or message boards for repeated abuse... sure, we'll hand it over, no court order needed. And our privacy policy says so.
And you know what? Of the maybe 100 times law enforcement has asked us for someone's personal data, every single time that I can recall involved a user where we just *knew* the request was coming. In many cases, we had advised someone to *call* law enforcement after they contacted our support group with believable threatening emails originating from our system.
I believe in the hotly debated "right to privacy," but I don't think that that's incompatible with helping law enforcement in some cases.
In the eBay case, clearly it's in their interest to reduce fraud on their system, so anyone with half a brain would expect them to cooperate with law enforcement. What, do folks have a "right" to defraud folks on eBay? Or is eBay somehow obligated to make investigation of that fraud as difficult as possible?
Cheers
-b
Now of course that is illegal (misrepresenting myself as a law enforcement official), but since fraud is already illegal, what difference does throwing another shrimp on the barbie make?
Manipulate the moderator system! Mod someone as "overrated" today.
If citizens of the United States are allowed privacy, a presumption of innocence, or the protection of due process, then the terrorists have already won.
Wait... that doesn't sound right. Which of us is smoking crack?
If you were blocking sigs, you wouldn't have to read this.
Those comments were made last winter, so those of you (like me) feeling a sense of Deja Vu - there's a reason.
According to PayPal's privacy policy, your banking info and everything else is safe unless the request is backed by a warrant or court order. It is interesting to note that they do reserve the right to give some of your info to your victims if they find that you've committed a fraud.
Here's the (IMO) relevent passages from the section outlining exceptions to the rule that they don't share your info:
"We disclose information that we in good faith believe is appropriate to cooperate in investigations of fraud or other illegal activity, or to conduct investigations of violations of our User Agreement. Specifically, this means that if we conduct a fraud investigation and conclude that one side has engaged in deceptive practices, we can give that person or entity's contact information (but not bank account or credit card information) to victims who request it.
We disclose information in response to a subpoena, warrant, court order, levy, attachment, order of a court-appointed receiver or other comparable legal process, including subpoenas from private parties in a civil action. "
666-607: 6th floor apartment of the beast
I guess this kills the auction for all those terrorists buying and selling nuclear, chemical, biological weapons online...
No, in this age of state budgets exceeding revenue, it means is that State tax collectors are going ask DoNotCall.gov for a list of email addresses from their area code. From there, the taxman will ask eBay for a list of all sales from each email address along with description of items and amount.
Next, that information is used to demand back taxes + penalty fees, and potential criminal prosecutions for those who have not reported their eBay sales as "income."
Remember, it's only called a conspiracy *theory* until it happens.
There are a lot of comments about this being any easy hole for the bad guys to exploit by simply forging some letterhead to get a seller's info for identity theft and the like.
First of all, I don't remember ever having given eBay my Social Security number, the Holy Grail of identity theft. Second, eBay is only going to respond to "verified requests" when they have a "good faith belief" that there is criminal activity or the threat of "imminent physical harm."
So, I would say at a minimum they're going to verify that the request comes from a real-life LEA - it only takes about 2 minutes to look up any LEA's address and phone number, and if it doesn't match, to call it any verify. They're not going to risk getting sued for millions for giving out your personal info to a stalker. Come in off the ledge folks.
From eBay's privacy policy:
Legal Requests. eBay cooperates with law enforcement inquiries, as well as other third parties to enforce laws, such as: intellectual property rights, fraud and other rights, to help protect you and the eBay community from bad actors. Therefore, in response to a verified request by law enforcement or other government officials relating to a criminal investigation or alleged illegal activity, we can (and you authorize us to) disclose your name, city, state, telephone number, email address, UserID history, fraud complaints, and bidding and listing history without a subpoena. Without limiting the above, in an effort to respect your privacy and our ability to keep the community free from bad actors, we will not otherwise disclose your personal information to law enforcement or other government officials without a subpoena, court order or substantially similar legal procedure, except when we believe in good faith that the disclosure of information is necessary to: prevent imminent physical harm or financial loss; or report suspected illegal activity. Further, we can (and you authorize us to) disclose your name, street address, city, state, zip code, country, phone number, email, and company name to eBay VeRO Program participants under confidentiality agreement, as we in our sole discretion believe necessary or appropriate in connection with an investigation of fraud, intellectual property infringement, piracy, or other unlawful activity."
666-607: 6th floor apartment of the beast
The anarchists Cookbook was published by a covert government organization and was intended to cause physical harm to any who tried to execute the plans included in it.
Regardelss of whether it was a deliberate hoax or simple incompetence, the recipies in it are indeed dangerous, and likely to blow up in your face (literally) if followed.
For instance: The nitroglycerine recipe completely ignores the temperature control (i.e. ice bath) necessary to keep the heat of the reaction from setting off the product - demolishing the lab AND splashing the remains with the nitric and sulphuric acid not yet consumed by the reaction.
Don't try thiose recipes at home, kiddies.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Because auctions are part of the stolen property loop of old.
In the days before UV pens etc. it was nigh on impossible for anyone to know if an item they were being offered was stolen or not. This was a problem if your business was buying and selling used goods. And if you were a police force with a lot of recovered property for whom you have no identified owner. And if you wanted to buy something, it's a bit risky if your goods could turn out to be stolen because the goods are returned to the owner and you become out of pocket.
What was devised was the public auction with public viewing. It was your responsibility to visit auctions and see if any your stolen property was there and then discuss it with the auction house and from there a resolution could be reached.
Once purchased from an auction stolen property is deemed clean. It was the previous owners fault for not turning up at the publicly announced public auction.
Under this situation the privacy of the seller is not an issue, indeed, disclosure of the identity of the seller is of prime importance, only the privacy of the buyer is assured.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
This is the absolute least of the problems with eBay!
Unless eBay can sort out the massive amount of fraud [msnbc.com] that's going on right now then I'm never using it again.
There seems to be an absolutely massive problem at the moment with people hijacking eBay accounts and their associated e-mail addresses and eBay don't seem to want to anything about it.
Anyone who uses eBay and has a weak password on their e-mail account (or an obvious answer to their secret question) is vulnerable to having their eBay account taken over (complete with e-mail account and credit card details) and used by a Western Union scammer.
What's a Western Union scammer? Someone who asks to be paid though Western Union (who offer zero buyer protection or tracking of funds) and then simply never ships the item. Western Union seem happy to dish out funds to anyone so the fact that the account is in the wrong name doesn't seem to cause any problems.
eBay should make it so it's impossible to take over an account by changing the password/and/or e-mail address unless you know lots of personal information (D.O.B., mothers maiden name, etc etc).
I'm finding it very difficult to get eBay to reply or for any news agencies to give this any publicity.
Over the weekend I saw about 30 Sony plasma screens advertised (usually "pre-approved bidders only") - almost none of which were legitiate. When you contact the seller - you get a similar message every time - "The item will be shipped from and I would like you to pay though Western Union". They remove them eventually if you complain, but the point is, the fact that more are appearing means that they're still finding it very easy to hijack your account.
Nick...
Since when is that an indicator of criminal behavior? Millions of each book were sold, probably only a handful of nasty people in the US were found with those books, with the exception of skinheads.
I own both books, I bought the Anarchist Cookbook when I was 12 just because it was a regulated and semi-banned book. I didn't do anything illegal besides a few backyard experiments.
I read Mein Kamph for two history classes, WW II history and a class on the history of the Holocaust. Should I be investigated for this?
In other words, sellers, as they enrich ebay, agree to give up any reasonable expectation of privacy. What ebay is saying is a lot worse than you realize. If a seller rips you off, why shouldn't the same rules apply to ebay as they do in other criminal situations? As it stands, ebay doesn't require even a subpoena to release information such as your name, address, and telephone number. No involvement with the justice system is required, nobody has to talk to a judge and justify invading your privacy.
You are aware aren't you, that there is NO legal way to set up a storefront retail operation without some form of contact info being a matter of public record? Why should a seller on eBay be any different? What person in their right mind thinks it's a good idea to have a market in which vendors are anonymous??? Do you really think it's fair as a seller to offer your buyers no reliable, verifiable way to contact you? Would you really buy anything off eBay if you thought for a minute that sellers were immune to being located except via extraordinary means?
Think in terms of "meatworld" for a second. How would you feel if you went to a store, bought a product which turned out to be defective, went back and found the store had just disappeared? What if you then tried to track down the store's owner, and found only a fake address? Worse, what if you went to your local government to find out the info about the store's ownership, and were told that the info was "private" and that you'd need to hire a lawyer, go to court, and get an order to see it?
Now, again, why should eBay sellers have some cloak of anonymity???
However, elsewhere I use only cash, and I ran into some serious problems already. Examples:
- Buying a TV and VCR at BestBuy, total value slightly over $1000. The store does not accept so much cash; I had to buy the two on two separate trips.
- Buying a laptop at CompUSA for $1400. Same problem; since it was a single item I could not buy it at all with cash.
- Buying some furniture of total value of slightly over $2000 (I also came with my own truck to drive it home). The clerk wanted my name, address and copy of my driver's license. The manager confirmed those requirements I left and bought it elsewhere.
I'm wondering when cash transactions over a certain value would be outlawed altogether.