September 24, 2003

eBay Privacy: The Latest Oxymoron

Think the RIAA is being aggressive in serving DMCA-sanctioned subpoenas upon ISPs without prior court approval (not to mention the individual lawuits)? According to this disturbing article, eBay could have them beat by comparison. In essence, eBay officials freely distribute their member's private information to any law enforcement agency who requests it -- without requiring any subpoena in many cases.

If this account is accurate, then Joseph Sullivan, eBay's director of "law enforcement and compliance", told numerous law enforcment officials in a closed session that "There's no need for a court order," and further stated:

"We don't make you show a subpoena, except in exceptional cases," Sullivan told his listeners. "When someone uses our site and clicks on the `I Agree' button, it is as if he agrees to let us submit all of his data to the legal authorities. Which means that if you are a law-enforcement officer, all you have to do is send us a fax with a request for information, and ask about the person behind the seller's identity number, and we will provide you with his name, address, sales history and other details - all without having to produce a court order. We want law enforcement people to spend time on our site."

The article goes on to state:

The meaning is clear. One fax to eBay from a lawman - police investigator, NSA, FBI or CIA employee, National Park ranger - and eBay sends back the user's full name, email address, home address, mailing address, home telephone number, name of company where seller is employed and user nickname. What's more, eBay will send the history of items he has browsed, feedbacks received, bids he has made, prices he has paid, and even messages sent in the site's various discussion groups.

Have we really agreed to this? On this point, the article states:

A brief visit to the company's Web site reveals that the "user contract" that visitors are supposed to read before agreeing to the conditions is 4,023 words long. One paragraph makes reference to the site's "privacy policy." The user has to click on a link and is diverted to another document that is some 3,750 words long. It then takes another 2,390 words to reach the section about which Sullivan told the legal authorities: The user's privacy is solely up to eBay.

It gets even better when you factor in PayPal's information, as eBay acquired them in July 2002:

PayPal has about 20 million customers, which means that we have 20 millions files on its users," Sullivan proudly relates. "If you contact me, I will hook you up with the Paypal people. They will help you get the information you're looking for," he tells his listeners. "In order to give you details about credit card transactions, I have to see a court order. I suggest that you get one, if that's what you're looking for." It isn't certain that visitors to the site are aware of the thick hints eBay gives the lawmen.

"By buying PayPal, eBay is merging the information about the goods trail with the money trail," explains Kozlovski. "Thus, in spite of the protective mechanisms of the law against disclosure of details on transactions, eBay is in a position to analyze the full set of data and `advise' investigators when it might be `worthwhile' for them to ask for a subpoena to disclose the details of a financial transaction. Essentially, this bypasses the rules on non-disclosure of details of financial transactions and the confidentiality of the banker-client relationship."

It's a small comfort knowing they have to get a court order somewhere along the way -- my, what an inconvenience that must be. When I set up a PayPal account earlier this year, on several occasions their service strongly encouraged me to "verify" my account by providing my financial institution's account information. In fact, they place certain limits on your PayPal account until you do so. Somehow, I just didn't think it a bright idea to hook up my checking or savings account in this manner, so I declined. In hindsight, I'm pleased with that decision.

However, they're free to require this to continue using PayPal (arguably the number #1 payment option on eBay-hosted auctions) and my only two choices will be to a) provide it begrudgingly and hope blindly that my funds stay secure (not a prudent thing to do), or b) lose my PayPal account "privileges", which will necessarily foreclose me from participating in any eBay auction or transaction where the seller only accepts PayPal as the method of payment. Then I can't use it to collect payment as a seller either. And I'm a normal, law-abiding guy who just wants to find a good deal or buy something that's hard to find elsewhere (again, legally).

This is not the first time these issues have been raised with eBay. They've been criticized by PCWorld and most notably JunkBusters in its April 2003 letter to the FTC describing why they believe eBay's privacy policies and summaries (and the gap between them) constitute unfair or deceptive trade practices.

So that I'm not misunderstood here: eBay has its share of scammers, con artists and gray/black market sellers, and they need to be stopped for the protection of its legitimate buyers and sellers. This, by itself, is a worthy goal. On one hand, it's comforting to know that eBay is being "policed", because eBayers benefit from that (as does eBay, the credit card companies, etc.)

However, the wealth of information tracked, collated, analyzed, and distributed under eBay's control is more than a bit concerning. Remember all the hullabaloo years ago when many fought against having their personal video rentals disclosed? And somewhat more recently, all the hype surrounding DoubleClick's data collection practices? For frequent eBay participants, that could be chump change by comparison.

Yes, eBayers have a choice in using the service, but I don't think that is a fair thing on which to hang one's hat. In my humble opinion, I truly believe there needs to be a better balance between fighting crime and opening our private lives to the State just because we're trying to find a good deal online. It's one thing for my local supermarket to track my local purchases via my "saver card". It's another when they start sharing it with others. (By the way, what do they do with all that information anyway?) I'm reminded of the old standby: "If you haven't done anything wrong, you have nothing to worry about." Why doesn't that console me in this electronic age?

I'll stress that this is my personal opinion: I don't think it's even close to "fair" to expect the average lay person to read several thousand words of legal gobbledygook when all they're trying to do is get a good deal on a used CD, PDA, or what-have-you. And I'm seeing a pattern here where organizations' "summaries" of their policies can be quite misleading. A recent case in point is the ongoing discussion about the Creative Commons warranty provisions, which do not appear in their policy "summaries" (you have to read the fine print to find them).

Granted, the latter has to do with copyright licensing and not privacy. But again, this is a real problem for the average person to understand in a meaningful way. We need some "Truth in Labeling" standards. Hey, wasn't that what TRUSTe and similar organizations were supposed to address? Hmmm... Yes, the criminals need to be caught and brought to justice, and we benefit from those efforts. It sounds like the PATRIOT Act debate all over again. However, in this context, it just seems a bit too "over the top" for my taste -- especially eBay's Sullivan's imputed enthusiasm to give away our information.

As the recent onslaught of RIAA lawsuits illustrates, it's just too easy to catch the dolphins along with the tuna in their nets. In this electronic age, Orwell's head would have been mimicking my new hard drive -- spinning around at 7,200 rpm.

Topic(s):   Privacy & Security
Posted by Jeff Beard
Comments