Security, privacy issues make Net users uneasy

The new year brings with it a glut of online privacy and security issues, reviving questions about what companies are doing with confidential information about their users.

Greg Sandoval Former Staff writer
Greg Sandoval covers media and digital entertainment for CNET News. Based in New York, Sandoval is a former reporter for The Washington Post and the Los Angeles Times. E-mail Greg, or follow him on Twitter at @sandoCNET.
Greg Sandoval
4 min read
The new year has brought with it a glut of online privacy and security issues, reviving questions about what companies are doing with confidential information about their users.

In the latest example of such issues, a consumer sued Amazon.com subsidiary Alexa Internet for allegedly sending his personal information to the e-commerce giant without his consent. Northwest Airlines users also discovered a security breach in the company's Web site that potentially exposed customers' credit card numbers and other personal information.

In addition, the Federal Trade Commission announced yesterday a settlement with ReverseAuction.com, following accusations from online auction giant eBay that the auction service sent its users misleading, unsolicited email.

The scrutiny by the FTC and by previous media reports of privacy breaches has prompted many consumers to take extra care with their confidential information online, said Forrester Research analyst Christopher Kelley.

"I think that retailers are starting to understand that consumers are taking this seriously," he said.

The recent privacy problems come at a time when advocates and consumers are urging the federal government to regulate what online companies can do with users' personal data. Fifty percent of online consumers want the government to regulate online privacy, according to a recent Forrester study.

Because of consumers' privacy concerns, Forrester estimated that e-commerce companies lost some $2.8 billion last year. Consumers who were wary of how companies would use their personal data either didn't shop online or spent less than other consumers, according to the research firm.

One such company that could have a lot to lose is Amazon, which bought Alexa in April. Used in conjunction with a Web browser, Alexa's software lets users have constant access to relevant links as they browse the Web, while it displays traffic and rating information for the current Web page.

In the lawsuit filed today, Joel D. Newby, who claims he has used Alexa's software since 1998, alleged that the company didn't tell him that it would be collecting his personal information while he used the software. The suit, which Newby filed as a class action suit, follows a complaint filed with the Federal Trade Commission last month by security expert Richard M. Smith, which alleged that Alexa's software violated privacy laws.

Amazon representatives directed callers to an Alexa representative, who was not available for comment.

Andrew Shen, a policy analyst at the Washington, D.C.-based Electronic Privacy Information Center, compared the Alexa case to recent questions raised about how RealNetworks and Microsoft were collecting users' information--apparently without the users' knowledge. The FTC should investigate and crack down on such abuses, he said.

"If a site claims to tell one thing and then does another, that qualifies as an unfair and deceptive practice," Shen said. "It's necessary for the government agencies responsible for guarding privacy to enforce the laws."

Northwest Airlines confirmed today that a programming error recently compromised its Web site security. The breach, which is now closed, involved an area on the site where customers redeem their frequent flier miles, company spokesman Jon Austin said. Austin declined to disclose when the security breach occurred or how long it was open.

Austin blamed the problem on a programmer who forgot to turn the encryption software back on after doing some maintenance on the frequent flier page.

Northwest has contacted customers who used the site while the breach was open, but it has no evidence that any personal information was compromised, Austin said. Northwest values its customers' private information and tries to keep it secure, he added.

"This has never happened to us before," Austin said. "We use outside consultants and our own folks to test the integrity of the site. We want people to feel confident in using our Web site."

Unlike the simple mistake at Northwest, the FTC's settlement with ReverseAuction stemmed from a mass mailing ReverseAuction sent to several hundred thousand eBay users in November. According to eBay and the FTC, the "spam" mailing implied that the users' eBay IDs would soon expire and urged them to sign up with ReverseAuction.

As part of the settlement, ReverseAuction agreed to destroy any personal information it gathered from eBay customers without their consent and refrain from "making misrepresentations in the future." The company did not pay any monetary damages.

Before the settlement, eBay filed suit against ReverseAuction alleging the company had engaged in misleading business practices and had gained unauthorized access to its Web site.

Jack Horton, ReverseAuction' senior vice president of marketing, denied that ReverseAuction violated anyone's privacy. eBay makes public all of its user IDs, and any user can access any other user's email address. In effect, eBay is like a telephone book of auction users, Horton said.

"If users look at their eBay user agreement, it will tell them that this will happen," Horton said. "It says you can expect to get email from third parties. We don't believe that eBay's users have any expectation for privacy for their user ID and email address."

Attitudes like Horton's get privacy advocates such as Shen up in arms.

The FTC's action against ReverseAuction was a "slap on the wrist" because it didn't involve any serious penalties, Shen said.

Shen questioned whether the FTC was taking privacy seriously and called for an independent agency to monitor privacy and security.

"There should be standards, and the agency should be granted the power to level penalties and punishments as it deems necessary," Shen said. "Basically we need something other than companies policing themselves."

But monitoring online privacy is already one of the top priorities of the FTC, said commission spokeswoman Victoria Streitfeld. The commission has an Internet lab devoted to monitoring online privacy concerns, she said. Over the last five years, the commission has worked on protecting children's privacy online and has monitored how companies track clicks made on their advertisements, among other areas.

"We have developed innovative ways to rid out fraud and deception and help protect consumers on the Internet," Streitfeld said.