
Article - 2000 - a chronology of Internet privacy debacles (March 2001)



The risk of adverse media publicity has now become a major reason for online businesses to review and change their privacy practices, after an unprecedented year of privacy debacles in 2000. Several high-profile businesses have had their reputations tarnished by lax, inadequate and in some cases illegal information practices. Despite the fact that for several years surveys have highlighted the importance of privacy to consumers, it is only more recently with far greater media coverage of privacy issues that privacy has been recognised as an issue which can significantly harm the public reputation of businesses, especially those engaged in major e-commerce initiatives.

In some respects, it is not surprising that increasing public attention on privacy issues is likely to expose some organisations for bad information practices. Survey research has indicated that many organisations do not have clearly developed or well implemented privacy policies; and while online privacy practices are improving, they fall well short of any well-accepted privacy benchmark. Even in sectors where a substantial amount of personal information is collected such as online recruitment services, many websites still do not have privacy policies. Among those that have a policy, many do not have adequate privacy standards.

As the spotlight on internet practices has intensified in recent years, a growing list of companies has come under attack for careless, unethical or even deceptive information practices. The public reputations of businesses can be damaged by:

  • bad information collection practices, such as collecting unnecessary information;
  • failing to explain how personal information will be used (and broadly, failing to develop a privacy policy);
  • passing on personal information to other companies without the consent of the person;
  • failing to implement the privacy policy;
  • security breaches, including unauthorised access to personal information, unintended disclosure, and problems with credit card numbers;
  • making mistakes, such as sending the wrong personal information to individuals or recording mistaken information; and
  • denying people anonymity, such as in their usage of a website.

These risks are illustrated by some of the privacy stories which hit the news during 2000.

1. Real Networks: Failing to disclose information practices

The year began with online software distributor Real Networks still smarting from a blitz of negative publicity after the New York Times revealed that it was collecting information about the musical tastes of 13.5m Real product users without their knowledge. Real Jukebox, software downloaded through the Real Networks site, was scanning users’ hard drives and transmitting information about their musical interests and music player back to Real Networks. This information was then added to pre-existing customer profile information. Although Real Networks is a member of TRUSTe and displayed its logo on its website, TRUSTe refused to launch an investigation into Real Networks because its licence only covers information collected from consumers over a website, and since the information was actually collected by software downloaded from a website, Real Networks had not violated its TRUSTe licence. TRUSTe did announce, however, that it would review its licence agreements.

2. DoubleClick: Customer profiling without consent

In perhaps the best-known incident of the year, online advertising agency DoubleClick came under siege from public outrage for unlawfully obtaining and selling customers’ personal information. DoubleClick is the leading online advertiser, with revenues which had grown from $9m in 1995 to $258m in 1999. By the end of 1999 DoubleClick was serving 30 billion targeted ads per month, and serving ads to around 12,000 web sites. In late 1999, DoubleClick began combining and cross-referencing personal information from the web browsing habits of users with the database of a direct marketing firm, Abacus, which it had recently acquired. DoubleClick planned to match home address, name and purchasing habits to individuals’ web usage patterns. Following extensive publicity, a consumer backlash, legal action by the Michigan State Attorney-General, an FTC investigation and a drop of one third in its share price, DoubleClick suspended its matching practices in March 2000. Estimates of the cost to DoubleClick of the incident - which occurred at the time of its second capital raising - range as high as $2.2 billion.

3. PSINet: Pink contracts for spammers

Controversy erupted for internet service provider PSINet when CNET News.com claimed that PSINet was covertly profiting from spamming while publicly opposing it. CNET News.com obtained a ‘pink contract’ which indicated that a marketing firm in Louisiana was paying PSINet an extra $27,000 in a one-off payment for ‘increased risks associated with this agreement’. Cajunnet, the marketing firm, sent out 5-20 million spam messages at one time, helping to explain the additional payment given the likelihood of a large number of complaints and the risk of damage to PSINet’s reputation if the arrangement came to light. At the same time, PSINet’s stated policy on spam had indicated that customers would be cut off if caught sending spam. PSINet subsequently terminated the relationship and embarked on new compliance and training efforts internally to avoid the repetition of any such incidents.

4. Toysmart: Selling a bankrupt business’s database

American toy e-tailer Toysmart drew criticism when it announced that it intended to sell off its customer database after the company filed for bankruptcy on May 19. The decision to sell off the 250,000 customer records contradicted an express promise on Toysmart’s web site never to sell customer information. This reversal in policy prompted the intervention of the Federal Trade Commission (FTC), which sued Toysmart for engaging in deceptive conduct. 42 states also sought a court injunction from the Federal Court to prevent the sale taking place, on the basis of violations of their individual consumer protection schemes. The FTC eventually came to an agreement with the company that precluded the sale of the database as a separate asset, such that Toysmart could only sell the customer database as part of the sale of the whole web site. No company came forward to buy Toysmart, and in early January 2001 Toysmart’s majority owner, Disney, paid $50,000 to destroy the database.

5. Amazon: Revising a privacy policy

Amazon.com created a storm of protest when it informed customers that it was revising its privacy policy in light of the confusion about the capacity of businesses to sell their databases after the Toysmart.com debacle. The revisions to Amazon’s policy stated that the 23 million strong customer database is an asset of the business which may be sold to a third party in the future, without obtaining any further consent from customers. Amazon’s changes provoked widespread criticism, and several complaints were filed against Amazon’s European subsidiaries for breaching local European privacy standards.

6. Toysrus.com: Failing to inform consumers of third party use

The toy store e-tail industry was rocked by a further privacy debacle in August 2000 when it was revealed that Toysrus.com, the e-commerce web site of the Toys R Us chain, was outsourcing data analysis of its consumer database to a third party company, Coremetrics, which was then retaining and using the data for its own data analysis purposes. The company’s privacy policy made no mention of the outsourcing relationship, which involved the provision of customers’ personal details, including names, postal and email addresses, and phone numbers, to Coremetrics. Toys R Us had reserved the right to gather and analyse customer information in its privacy policy; however, its failure to disclose the fact that this analysis would be done by another company (which retained the data after analysis) prompted numerous complaints. Two separate class actions were launched against Toys R Us and Coremetrics, forcing the companies to terminate their business relationship in the wake of overwhelming negative publicity.

7. Security breaches

Website security breaches which placed customer information at risk became a familiar story during 2000.

  • The year began with online music seller CD Universe losing more than 300,000 credit card numbers to a Russian hacker. Credit card clearing house Creditcards.com lost another 55,000 records, and in December it was reported that hackers had broken into the Egghead website, potentially gaining access to 3.7 million customer profiles. The company later reported that investigations indicated that the hackers had not gained access to the customer records.
  • At the year’s end, a hacker broke into the customer database of GlobalCentral.com, a Wyoming internet service provider, and sent out information on customers including their credit card numbers, bank account numbers, addresses, telephone numbers and the terms of their contracts with GlobalCentral. The hacker was reportedly motivated by opposition to GlobalCentral’s support of a conservative family values organisation.
  • Furniture retailer Ikea attracted attention when it was revealed that its customer database, containing names, phone numbers and postal and email addresses, was publicly accessible on the web for over two days in early September 2000. The company claimed that the security breach was caused by a hacker, a claim disputed by experts who cited the lack of adequate authentication or firewall software as a contributing factor. The incident was Ikea’s second privacy slip-up that year, with the company drawing criticism in March for adopting a spam-based advertising strategy. The company had offered a $75 discount coupon to any customer who emailed a promotional e-card to ten of their friends. The scheme generated 37,000 emails within one week before Ikea stopped the promotion in response to severe public criticism.
  • On 7 July 2000, a customer of British power utility Powergen, while attempting to pay a bill on-line, accidentally uncovered the unencrypted, publicly accessible credit card numbers and payment and personal details of 7,000 Powergen customers. In an attempt to deflect criticism, Powergen at first denied the leak, then later accused the would-be customer of ‘hacking’ their site. The story was picked up by on-line magazine Silicon.com, which obtained proof of the leak from the customer. Despite originally threatening legal action against both the customer and the magazine, Powergen later admitted that the blunder had not been caused by the customer but by the company, assuring customers that its system was now safe.
  • In April, web search engines revealed pages containing the personal registration details of some 35,000 members of the adiamondisforever.com website, a site which gives information about diamonds and which is sponsored by De Beers.
  • Similarly, a computing error on the Amazon.com website resulted in the email addresses of Amazon members being disclosed on an affiliate partner’s website in September.

8. Australian Taxation Office: Failing to identify a major privacy issue

Over 3 million applications for Australian Business Numbers (ABNs) were received during the scheme’s first months of operation, although Australian Bureau of Statistics figures indicate that there are only 1.1m businesses in Australia - suggesting most ABNs were for individuals. But the ATO had not taken into account the extent to which individuals would obtain ABNs, and the fact that ABN records would contain a substantial amount of personal information. Legislation relating to the ABN established a publicly available online Australian Business Register, including information on the holders of ABNs drawn from the ABN registration forms, and in addition the Tax Office was making available (at a charge of $20) records of registration-related information. Although the ABN registration booklet mentioned that some ABN information would be publicly available, the details of this availability were not clear and applicants were not informed of this on the pages where they entered information. After a substantial public reaction, and intervention by the Privacy Commissioner, the Treasurer agreed to legislative amendments and the Tax Office agreed to limit the amount of information available publicly, and to give individuals the option of limiting disclosure of their information if this disclosure could present a danger to them.

Privacy concerns with the Tax Office were highlighted further when a hacker accessed the business and bank account details of up to 27,000 businesses in Australia that were accredited suppliers of GST information and assistance packages to businesses through the GST Start-up Assistance Office. The ‘hacker’ reportedly obtained the information without actually hacking the site, as the information was provided on an ordinary page accessible through a URL on the site (the web address of which had not been disclosed). He then emailed 17,000 of the businesses to inform them of the security breach.

9. Other legal action

In other incidents, auction site ReverseAuction agreed to a settlement with the FTC in January 2000, agreeing to cease engaging in unlawful practices including collecting personal information of eBay users and deceptive spamming. Other legal action on privacy grounds was also launched against Amazon.com (through its subsidiary Alexa Internet, accused of sending personal information to Amazon.com without consent), and a class action suit was filed in Texas against Yahoo! on the basis of a Texan anti-stalking law, arguing that cookies are the cyberspace equivalent of stalking.

The court of public opinion

The sequence of privacy incidents involving recognised businesses, often discovered only through a coincidence or random event, suggests that many organisations are vulnerable because of their failure to address information privacy issues. Indeed, 2000 was the year when even the TRUSTe organisation, an industry self-regulation organisation which polices privacy standards, was found to have been using a third party software program which tracked individual web users’ traffic on the TRUSTe website, in breach of its own privacy policy.

Media publicity will never be a substitute for a consistent, industry-wide set of information practices. Media coverage is, after all, highly selective, open to bias and it often trivialises complex issues. Nevertheless, the media plays a critical role as a check on the conduct of large organisations - both government and business. Regardless of legal developments, that role is likely to remain highly significant - after all, privacy debacles are likely to cost online businesses more in the court of public opinion than in courts of law.

Tim Dixon
Consultant, Baker and McKenzie
Associate, Galexia
Thanks to Rob Yezerski for research assistance.
