Privacy at risk in e-commerce rush

At least 100 small sites have exposed this information, CNET News.com has learned. One of them is Florida-based Knox Nursery, which launched Home Gardener Direct in February and was unaware it was revealing customer order data on insecure Web pages when contacted by CNET News.com last week. "You've caught us with our pants down," said Rick Grossman, sales manager at GrowerNet, which designed Home Gardener Direct. "We've never had a security problem before."

Home Gardener Direct's security breach was discovered by Joe Harris, a systems administrator at Blarg Online Services, a Bellevue, Washington-based Internet service provider. Harris was investigating a problem on a client's site last week and searched the Internet for other similarly configured sites, using search terms such as "index" "parent" "order" and "log." What he found were more than 100 sites, using various types of shopping cart technology, exposing the same types of information.

The breaches are just the latest in a series of recent privacy and security problems on the Web. But unlike earlier problems, which affected large companies such as Yahoo, Nissan, Excite and AT&T, the latest ones are both more widespread and affect much smaller companies.

The problem, analysts say, is that few small businesses understand the complexities of setting up a Web storefront. Although merchants say they are concerned about customers' security, they often don't have the technical expertise to guarantee it. Lacking that expertise, small businesses are turning to Web designers and service providers who may be just as ill-prepared to set up secure e-commerce sites.

Security "is probably a small concern in the back of their minds," said David Kerley, Web technology analyst at Jupiter Communications.

According to International Data Corporation, the number of small business Web pages doubled last year from 600,000 at the end of 1997 to 1.2 million at the end of 1998. That represents some 17 percent of all small businesses.

Without technical knowledge, Kerley said, small businesses find it difficult to oversee the security of their sites, and many companies don't even know which questions to ask.

"I think it's a huge challenge for the small- to medium-size company who can't afford the expertise in-house," Kerley said.

But entrepreneurs, lured by the promise of reaching new customers online, feel they can't afford not to have a Web presence. Mark Stone, the owner of Stoie's StoGies, has been selling cigars on the Internet for two years as a way to get repeat business from tourists who visit his brick-and-mortar shop in San Francisco's Fisherman's Wharf.

"The Web store is a nice complement to customers who don't live in the Bay Area," Stone said.

Stone, whose site was also recently discovered to be revealing order information, found his hosting service, US1Internet, in the Yellow Pages. He said the ISP had done a "good job" of hosting his store, keeping him updated on the site and making needed changes. Security concerns are "not something that has come up," Stone said.

Small Web merchants aren't only ones who lack the expertise to ensure security. Many site designers have little experience designing retail sites and may not know how to protect private information. Home Gardener Direct, for instance, was the first e-commerce site that GrowerNet designed, according to Grossman.

Ray Boggs, an analyst with IDC, compared small business' hurry to begin selling on the Web to California's Gold Rush. During the Gold Rush, Boggs said, those who got rich provided tools to the miners, and many Internet companies see a similar opportunity in providing e-commerce tools to small businesses.

"It's the ideal entrepreneurial environment," Boggs said. "It really does point to the hyper-evolving nature of the market and the Wild West nature of the market."

Although none of the small-business sites directly linked to the information and no stolen credit card numbers have been reported, the breach is still a significant one, according to Deirdre Mulligan, staff counsel at the Center for Democracy and Technology.

"All it takes is one person to wreak havoc," Mulligan said.

Extropia, a Web developer that created the WebStore shopping cart software used by many of the affected sites, blamed site administrators and store owners for configuring the software incorrectly and exposing customer information.

"They're really excited and they don't want to take the time to make the store right," said Extropia president Eric Tachibana. "To a certain degree, I empathize with them. These people don't want to computer program, they want to sell stuff."