PRIVACY Forum Archive Document

PRIVACY Forum Digest      Saturday, 15 April 2000      Volume 09 : Issue 12


            Moderated by Lauren Weinstein (         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                       ===== PRIVACY FORUM =====              

                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.

        Web Security, Privacy, and the Big Lie
           (Lauren Weinstein; PRIVACY Forum Moderator)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"".  Mailing list problems should be reported to

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "";
full keyword searching of all PRIVACY Forum files is available via
WWW access.


     Quote for the day:

        "There's never a cop around when you need one!"

                Robert Neville (Charlton Heston)
                "The Omega Man" (Warner Bros.; 1971)

Date:    Sat, 15 Apr 2000 10:04:01 -0700 (PDT)
From: (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Web Security, Privacy, and the Big Lie

Greetings.  Even as the grand shakeout begins in the "dot com" universe,
with venture capital drying up, profits usually non-existent, and even
some of the most visible e-commerce firms threatened with insolvency,
the public relations campaigns continue unabated.

Consumers are urged to be comfortable with online transactions, to trust
them.  The litany is soothing: "You're safe--you're protected--you have
friends in the machines."  But recent events are telling a different story,
illustrating how the lack of security in many Web-based systems threatens the
release of data that can cause financial and privacy problems to the victims
for years to come.

This situation was easy to predict for anyone who has ever looked "behind
the curtain" at the innards of many e-commerce systems.  Web sites that are
replete with flashy graphics and even reassuring privacy policies are
frequently held together with the software equivalents of bubble gum,
masking tape, and bent paper clips.  Add to this such goodies as the newly
revealed Microsoft FrontPage 98 Web-authoring "back door" pass-phrase
("Netscape engineers are weenies"), which not only raise new security
fears, but should also trigger a reevaluation of both quality control
worries and concerns about the emotional maturity of the authors of such
important software systems.

It's easy for sites to claim that they're protecting your personal
information when you engage in e-commerce.  It's much harder (that is,
nearly impossible) for consumers to determine if such information is really
secure.  You should certainly expect the use of "SSL" (Secure Sockets Layer)
encryption to protect your personal data--and you can check that it's really
enabled within your Web browser (usually via a little "lock" icon symbol).
It is very important to check--some Web pages claim to be encrypted with
SSL but actually aren't due to purposeful omission or accidental errors.
But most of the more dramatic cases involving release of personal data from
Web sites, including credit card information, financial data, and all manner
of other important information, haven't related to SSL problems at all, but
rather to other Web site failings and data kept inappropriately on publicly
accessible machines.

Poor software and systems design, inept configurations, and the lack of
maintenance or qualified operations personnel at Web sites often result in
hollow vessels that are great at collecting your credit card data,
but in reality provide a level of privacy and security straight out of a
"Twilight Zone" episode...

Submitted for your approval, the case of "The Memory Broker"
(  This popular online memory seller and buyer
allows customers to access their order invoice information on their "secure"
Web site via SSL-protected pages.  Just one problem--any user can access
any invoice on the system, simply by incrementing or decrementing an
"order id" field in the URL.  Oops!

The records available include all of the order data except the actual credit
card numbers.  Names, physical addresses, e-mail addresses, phone numbers,
credit card types, expiration dates, products ordered, etc., are all
included.  While it could be worse (if the credit card numbers were also
present), most of the rest of this information would well be considered
private by most customers.  If nothing else, customers might not wish their
information to be mined for mailing lists and spam by outside observers of
the data, nor have their physical addresses or phone numbers publicly
available.  The data records go back a number of years and forward to
(apparently) the present time.

The PRIVACY Forum reader who discovered this problem informed the firm by
e-mail (no working phone number was immediately apparent from the site's Web
pages), but reported that no response was received and that the order
information continued to be available.  

I also tried contacting the firm, to no avail.  The apparently valid phone
number I found associated with their domain registration led to an order
line that was never answered live, and the voicemail messages I left were
not returned.  Their announced 800 "tech support" line was never 
answered at all.  

I did manage to contact the firm's ISP (Isat Network in Las Vegas), but was
unable to reach anyone in authority to discuss this situation.  I also
contacted "The Netcheck Commerce Bureau" which my searches revealed had
listed "The Memory Broker" for a number of years with a good rating.
Netcheck's Web site ( says that they "promote
ethical business practices worldwide"--a laudable goal.  But I also learned
that they haven't considered privacy issues to be part of their evaluations,
and they apparently don't attempt to keep track of firms once they've signed
up, relying totally on consumer complaints. 

Since Netcheck doesn't require member firms to mention their connection with
Netcheck on the member firms' own Web pages, it isn't clear how the average
consumer would even think to file a complaint with Netcheck if they did
have a problem!  And in fact, "The Memory Broker" does not appear to mention
Netcheck in any immediately apparent location.  Netcheck said that they'd
try to contact the firm and let me know what they could find out--so far I
haven't heard back.  I might also add that the 800 number listed on Netcheck
for "The Memory Broker" leads to a seemingly unrelated individual's
voicemail message.

So we see the results of building our e-commerce empire upon a foundation of
sand.  Untrustworthy and even "rigged" software systems abound.  Companies
that give lip service to security and privacy, but it seems really couldn't
care less when it comes to responding to concerns and complaints, spoil the
environment for everyone, particularly for the good and honest firms who are
genuinely trying to operate high-quality, ethical e-commerce systems.  Add
into the mix an antiquated regulatory environment that largely treats
e-commerce like the rough-and-tumble days of the Old West, rampant political
opportunism, and a hype level to make P.T. Barnum proud.  It's easy to see
why e-commerce consumers feel confused, abused, and increasingly not at all

Happy shopping, viewers.

Lauren Weinstein or
Co-Founder, PFIR: People for Internet Responsibility -
Moderator, PRIVACY Forum -
Member, ACM Committee on Computers and Public Policy
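
The "order id" flaw described in the message above, shown beside a per-request ownership check, as an added example that is not part of the original post and is not the site's code. The record layout, function names, and the assumption that the server knows which customer a session belongs to are all hypothetical.

```python
# Constructed sample data: order records keyed by sequential order id.
INVOICES = {
    1001: {"customer": "alice", "name": "Alice Example", "phone": "555-0100"},
    1002: {"customer": "bob", "name": "Bob Example", "phone": "555-0101"},
    1003: {"customer": "carol", "name": "Carol Example", "phone": "555-0102"},
}


def invoice_unchecked(order_id):
    """Flaw described in the post: the order id in the URL is the only key,
    so SSL protects the transport but any visitor can read any record."""
    return INVOICES.get(order_id)


def invoice_checked(session_customer, order_id, denied_log):
    """Return the invoice only if it belongs to the authenticated customer.

    A missing invoice and someone else's invoice look the same to the caller
    (both None, i.e. the same "not found" page), and each denial is recorded
    so that operators can review it.
    """
    invoice = INVOICES.get(order_id)
    if invoice is None or invoice["customer"] != session_customer:
        denied_log.append((session_customer, order_id))
        return None
    return invoice


def enumeration_suspects(denied_log, threshold=2):
    """Flag sessions denied on at least `threshold` distinct order ids,
    the pattern left behind by stepping through neighbouring ids."""
    seen = {}
    for customer, order_id in denied_log:
        seen.setdefault(customer, set()).add(order_id)
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)
```
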


End of PRIVACY Forum Digest 09.12

Copyright © 2005 Vortex Technology. All Rights Reserved.