Back OpEd News | |||||||
Original Content at https://www.opednews.com/articles/opedne_geoffrey_080318_what_are_the_ebay_se.htm (Note: You can view every article as one long page if you sign up as an Advocate Member, or higher). |
March 20, 2008
What are the Ebay Seller Tool Websites Really Doing with Buyer Information?
By Geoffrey Anderson
Ebay buyers are being ordered by sellers and Ebay itself into following through with entering private information into the unverified web sites of fourth parties who are seemingly ungoverned by Ebay's security policies. Buyers are unaware until too late that they are agreeing to share information -- some of it private -- on strange websites. Nobody seems to know what is being done with it. Ebay doesnt seem to want to know.
::::::::
(Alternative title suggestion:)Are Some Ebay Sellers Using Fourth-Party "Seller-Tool" Websites to Do End-runs Around Ebay's Policies Against Spam and Information Harvesting, and Profiting as a Result?
March 17, 2008
The crux of the matter is that Ebay buyers are being ordered by sellers and Ebay itself into following through with entering private information into the unverified web sites of fourth parties who are seemingly ungoverned by Ebay's security policies. Buyers are unaware until too late that they are agreeing to share information -- some of it private -- on strange websites. Nobody seems to know what is being done with the customer information as some of these unregulated web sites publish no information security policy. Ebay seemingly does not vouch for anything that happens on these unregulated web sites, just their own website. Yet, Ebay is ordering buyers to follow through with sellers' demands to enter information into these fourth-party unregulated web sites. If the buyer is too afraid to enter his information into the unknown website, Ebay's choice is to suspend the buyer's Ebay account, apparently. Could spam and other information abuse be coming from ungoverned, unpolicied websites being employed by Ebay sellers? I do not know, for nobody has audited them it seems, not the sellers, not the buyers, not even Ebay. One can only guess what the ungoverned are apt to do with their information assets when there is zero transparency and zero policy to constrain their behavior.
If you are an Ebay user, were you ever dealt an unpleasant suprise when you were asked (or required) by a seller to provide your private phone number and other personal information, some of which are above and beyond what is required by Ebay or Paypal, in order to complete a purchase you had made on Ebay? Were you left wondering uncomfortably for what possible purpose your extra personal information would be used for by that web site or seller? Is entering your private information into a little-known third-party web site -- actually more accurately described as a fourth-party web site, as it is a web site which intercedes in the Ebay transaction between the buyer, the seller, and the Ebay website (in which I will include PayPay since it is a property of Ebay) -- something which makes you a little worried?
Was the fourth-party web site's information privacy policy statement provided to you only after you had committed to the purchase, or maybe you were provided with no information privacy policy statement at all?
While there are undoubtedly other profitability benefits for sellers, is it possible that fourth-party "ebay seller systems" are being used for the additional purpose of harvesting excessive and apparently valuable private information about the buyers, beyond what is permitted on Ebay's website?
Is it possible that the prices of the items being sold by such Ebay sellers, are being subsidized by the value of the private information they collect from the buyers, private information which may in turn be potentially traded with unknown parties?
Are you comfortable trading your private information, in addition to your money, when it was not revealed that your private data was also maybe going to be the coin of your trade, until well after you had placed a bid?
Are you comfortable typing in your private information to a fourth-party web site, of which you have little or no knowledge?
These questions started to run through my mind one day a week ago, after I had purchased a movie DVD on Ebay. I 'won' the 'benefit' of being allowed to buy the DVD from the seller. I clicked the Pay Now button on Ebay, at which point I was redirected to another web site which I am not familiar with. What I saw on the seller's fourth-party website, was that the site required me to type in a lot of private information. The web form at this fourth party site wanted data which I have not given out to other sellers on ebay before, such as my home phone number and other private data which had proven unnecessary for other previous purchases and sales at Ebay. I am both a seller on ebay, as well as a buyer, and as a seller I have never needed any of a buyer's private information beyond what Ebay and Paypal themselves have already provided to the seller. Furthermore this site's information privacy policy link existed, but strangely enough, there was no page there: Clicking the link merely redirected my browser to the home page of the site. That did it for me -- I began to think twice about typing in all my private information into that fishy -- or shall I call it phishy – fourth-party website.
I wonder how valuable the additional private information of a buyer really is. Could the private information be valuable enough for such fourth-party websites, to resell? I do not know about these fourth-party "seller tool" systems. What I do know is, some of the "seller tool" systems appear to be absent any sort of clear, uniform and before-the-purchase customer information privacy policy. For all I know my private information as a buyer would soon be resold to internet spammers, sourcing from the buyer databases of these fourth-party web systems.
Then I used Google and it turned up something interesting. I gleaned some idea about the spirit of Ebay's anti-spam, anti-private-information-selling policy from a document hosted by the New Zealand government:
"As an overview, eBay does not rent or sell any personal information about its users to any
third party, nor does it authorize users to make use of eBay features to send spam. See Privacy
Policy, Use of Email Tools, at . These
policies help to ensure that users' personal information is not subject to data mining for the
purposes of spam. In addition, eBay aggressively pursues parties, whether or not eBay users,
that violate our users' expectations of privacy and our policies by surreptitiously harvesting email
addresses from our site. We are constantly improving our anti-harvesting policies, and the
technological measures employed to implement them and to detect and pursue violations."
Source: Smith & Metalitz LLP, Comments of Ebay, Inc, on New Zealand's Discussion Paper, "Legislating Against Spam"
Sellers are users of Ebay, and so are bound by Ebay's policies. By contrast, apparently the "seller tool websites" are not users of Ebay – and therefore are apparently not bound by any Ebay policy. Yet, they participate in Ebay transactions some how. The Ebay policies seem to only address the Ebay web site, and the buyers, and sellers: three parties in total. The fourth-party systems are ungoverned by the Ebay policy it seems. Moreover, the sellers are apparently free to make profitable arrangements with the "ungoverned" elements. The seller's inclusion of an aloof fourth party might give the seller the potential for cover, for plausible deniability for any questionable actions of the ungoverned assignee. These "ungoverned" elements do manage though, by the invitation of sellers, to wedge themselves into Ebay transactions all the same.
Specifically, it seems from this policy that Ebay itself does not sell personal information about users, and Ebay itself does not authorize Ebay users to send spam to each other. But what about the other parties, the "fourth party seller tools" who participate in some Ebay transactions, but whom are not "Ebay users" apparently? Are users to be comforted that Ebay pursues parties who harvest email addresses "from our site" (Ebay.com) while allowing anything under the sun to be done with your email address at those other fourth-party web sites? Ebay users are not the only parties to the transactions now. There seems to be a loophole here, which needs clarification. In Ebay's opinion, is it OK for "seller-tools" be permitted to sell personal information about users? In Ebay's opinion, is it OK for "seller-tools" be permitted to send spam? As a buyer, I can tell you my opinion that it is totally not OK if 1 of the 4 parties in my Ebay transaction display behaviors which appear consistent with behaviors of spammers or private information resellers. I shall prefer to do business with no spammers, nor private information resellers, nor those who appear to be.
Has Ebay shown any signs of paying attention to the whole buyer experience? Has Ebay ever audited any of these fourth-party "seller tools" which buyers are subjected to at Ebay, to see what they are doing with the private information of the buyers? I don't know what these private companies are doing with the private data of the buyers. The appearance of what they are doing is what I do know, and the appearance is not good. The goodness of the Ebay brand and franchise might be strained by these fourth-party "seller-tool" web sites in my opinion. By contrast there are some alternative web sites with very big brand names who do not seem to expose buyers to fourth-party "seller-tool" risks. At the end of the day Ebay will do what it wants with its reputation; but as for me, I will no longer risk giving my private information to unknown web sites.
If you ask me, Ebay needs to clean up some sellers whose behaviors, or their assigns, appear to be consistent with violating Ebay's information privacy policy in spirit and intent, if not the letter. It's time for Ebay to do its part and demonstrate it is serious about preventing spam with regard to these fourth-party web sites doing business at Ebay, "user" or not. The whole buying experience needs to be a safe place for a buyer. While some buyers may be OK with paying for items by handing their private information to fourth parties, just as many buyers are not OK with that. In all cases, the informed choice needs to be given to the buyer, not just the seller, whether additional buyer information is part of the cost of the purchase.
Buyers should not be so easily surprised and then frog-marched by Ebay into completing transactions in which buyers are required to type in their private information into unknown web sites. Typing private information into unknown web sites is a classic losing move of the highest order. Setting the web browser to trust one of these unknown web sites to allow the site to run its scripts and ActiveX code on the buyer's computer is also unsafe computing of the highest order.
As a buyer, I may trust Ebay and Paypal with my information, but I do not trust other web sites whose business dealings and reputations are unknown to me, and maybe even unknowable. Ebay and Paypal have information privacy policies which they share with customers, and they are public corporations whose activities as such, are monitored to a degree by the government as well as stockholders and Wall Street. Extra parties getting involved in my business transaction tend to throw a cautionary flag in my mind especially when they are "free" for me, and doubly so when they are unconstrained by the Ebay policy and "free" to do whatever they want. "Free" business typically means free in one way, but cost you something in another way. Common sense says there is no business on Earth that can trade something away, but get nothing in return, and still be in business tomorrow. Who is monitoring all these fourth-party "seller-tool" web sites? Who is vouching for them? Nobody is, apparently not even Ebay. So then I must ask, why has Ebay itself not vouched for them?
Not all web sites are dangerous, but some certainly are. I would say the ones without privacy policies are the more dangerous sort. I would say the ones that demand or even just ask for information above and beyond what Ebay allows on its own site are the more dangerous sort. I would say the ones that are not publicly traded companies in my own country are the more dangerous sort. This is how I choose web sites to share personal information with, and who do financial transactions with. Your mileage may vary, as they say.
The reputation of Ebay only stands to improve, if sellers and private sellers-system-vendors, who trade in the coin of buyers' personal information, not just their money, are scrutinized by Ebay, cleaned up, and their operations made transparent to buyers. Maybe certain sellers should be "assisted" by Ebay to take their business elsewhere, or perhaps be shunted to a parallel "wild-side Ebay for haxx0rs" where anything goes, if that's what some sellers really demand, and they can continue using their sketchy fourth-party "selling tools" there. As for me, I would prefer to stick to the "nice Ebay" and never leave the premises.
Buyers at Ebay today are no longer sure of what certain sellers – especially those who use fourth-party tool-systems -- are really "selling," and whom they are selling it to. Buyers would do well to reconsider entering their personal information into untrusted web sites that have surrounded Ebay and its buyers. This reminds me of the time that I walked out of the Atlantic City casinos in the Boardwalk area, and decided to try to cross town by foot to get to the other cluster of casinos in the Marina area with my buddy. It turned out we were naive. Let me just say, after hearing what some sellers hanging out of windows and standing on corners offered to passers by, you couldn't even force me to walk that way again. I would just say no.