Web Co. Getting Personal Info
WASHINGTON (AP) _ An Internet marketing company is secretly receiving names and addresses of customers while visiting some popular e-commerce sites, which one privacy group called ``unforgivable.″
A security and privacy firm that does risk assessments for Internet retailers has found that four retailers are forwarding the personally identifiable information of customers to another firm, in violation of the retailers’ stated privacy policies.
Two of the retailers, both sportswear vendors, sport the TRUSTe privacy seal, which is meant to indicate a commitment to customer privacy. The privacy group had harsh words for Coremetrics, which receives the information.
``If, in fact, these Web site are transmitting personal information to third parties that they promised would be kept private, we would consider this an unforgivable breach of privacy,″ said TRUSTe spokesman Dave Steer. ``TRUSTe will be looking into this matter to see if these companies are breaching their privacy statements.″
Columbus, Ohio-based Interhack Corp. founder Matt Curtin said he found four sites that forwarded personal information on to Coremetrics, despite the companies’ privacy policies: toy retailer ToysRUs and its baby site BabiesRUs, and sportswear sites Lucy.com and Fusion.com.
Curtin said when a customer makes an order on the vendor’s site, portions of their order are encrypted and sent off to Coremetrics.
This use of encryption makes it very difficult for users to find out what’s going on, said Curtin, fooling systems that some privacy-conscious Web surfers use.
And while Coremetrics explains on its site what they do, and allow consumers to ``opt out″ of data collection, the vendor sites make no reference to Coremetrics. In fact, their privacy policies specifically state that they don’t share personally identifiable information with third parties.
``That’s the problem,″ said Curtin. ``ToysRUs does not have any indication that Coremetrics is part of this equation.″
Privacy advocate Richard Smith, who has discovered several privacy breaches in the past, looked over Curtin’s data on ToyRUs and agreed with Curtin’s conclusions. ``They’ve got a problem,″ he said.
The other vendors did not return calls for comment.
Coremetrics uses the data to build demographic information for the vendor Web sites, showing the company which Web pages and promotions were popular. David Farber, a privacy expert, is listed on Coremetrics’ board of advisers. Farber is a computer science professor at the University of Pennsylvania, and advises the Federal Communications Commission on scientific issues. He is also on the board of the San Francisco-based Electronic Frontier Foundation, known for its free-speech and privacy work.
Coremetrics’ activity appears to rival even DoubleClick, the largest Internet advertising network. DoubleClick has so far refrained from using any personally identifiable data to target ads. A Coremetrics spokesman did not return calls for comment.
``I’m concerned, because it seems that there’s a lot of lip service being paid to privacy,″ Interhack’s Curtin said, ``but there are not sufficient mechanisms for consumers to be able to tell what information is being collected about them.″