Online Buyer's Guide

Privacy and Security

How and Why to Protect Your Privacy

Your privacy is valuable and should be guarded! If it is treated carelessly, you could find that unauthorized charges have been made to your credit card, or that your credit has been damaged, or even that your credit profile and financial reputation have been hijacked by another.

Less seriously, you could even find yourself swamped with unsolicited email, an increased amount of junk postal mail, or more telemarketing calls. The benefits of being online far outweigh the risks, but being aware of the risks and knowing about available resources and support is important.

Make sure you know whom you are giving private information to, why they need it, who will have access to it, how it is protected, and what it may be used for. Also find out how you can correct any errors, or remove yourself from a company's database. If you're ordering a gift for a friend, will the recipient mind the disclosure of his or her personal information?

Be especially cautious when asked to provide Personally Identifiable Information (PII), such as:

Remember that any page collecting Personally Identifiable Information (PII) should be linked to a privacy policy. Check it out!

SITES TO SEE:
Electronic Privacy Information Center
http://www.epic.org/
and their online report:
http://www.epic.org/reports/surfer-beware3.html
Privacy Rights Clearinghouse
http://www.privacyrights.org/

Profiling and the Digital You

Profiling, also called "creating a digital profile" or a digital persona, is the practice of compiling information about your habits, preferences, and interests–gathered primarily by tracking your movements online. While your movements and interests at one site may not be significant, the combination of your total movements, interests, and purchases across the Internet paint a more complete (if, at times, false) picture. Using the resulting consumer profiles, advertisers create targeted advertising for any web site you visit. Some consumers enjoy this personalized experience; others consider it an invasion of their privacy.

Some sites work in covert partnership to convey visitor information to each other. Data can then be compiled about you in many ways and places.

If you are concerned about your privacy, you might find it helpful to research some of your interests anonymously, using one of several anonymizing web services as a proxy for your surfing.

SITES TO SEE:
http://www.ftc.gov/bcp/profiling/index.htm
http://www.anonymizer.com/
http://www.epubliceye.com/

Another option is to use a ¹disposableœ email address. A good ¹disposableœ email address is separate from a personal or work email address and prevents strangers from easily gaining information about the sender merely by looking at the address. The email address would not make a good ¹disposableœ address because strangers can easily decipher that the address belongs to someone at NetAction whose last name is ¹Smith.œ But an address like doesnØt reveal anything about the sender.

Good places to obtain ¹disposableœ email addresses are web sites that offer free webmail, such as Yahoo or Hotmail. A list of free email services is at:
http://dir.yahoo.com/Business_and_Economy/Business_to_Business/Communications_and_Networking/Internet_and_World_Wide_Web/Email_Providers/Free_Email/.

Cookies

Cookies, the little bits of text placed on your computer by web sites you visit, help the vendor identify you, including when your last visit was, which pages you visited, and references to past or potential purchases, among many other things. A cookie can stay on your computer for minutes or for years.

Cookies are also placed on your computer by advertising companies as a part of their banner ads. Whenever you click on such an ad, a little bit of data about you gets added to their "digital profile" of who you are and what you're interested in. The Marketing section has more on this.

In your browser's preference settings, you can choose to turn cookies off or receive an alert each time a site wants to set a cookie on your computer. If you turn cookies off, some sites (shopping carts or other features) may be disabled or less functional. However, not all shopping technologies are dependent on cookies, and not all sites tell you if cookies are required. You should feel free to explore your options to find a level of functionality and comfort that suits you.

Low- and no-cost programs are available to edit your cookies file. You may wish to get rid of those cookies from one-time visits or from specific sites or advertisers.

Keeping Track of Your Accounts and Transactions

Remembering all of your data interactions–account identification, password, and other registration details–can be a challenge. In this time of major corporate mergers and acquisitions, the company that collects your data may, along the way, be operating under different policies. Even without changes in administration, information-use policies may be changed, even retroactively, so it is advisable to keep track of your vendor's evolving behavior. Check your accounts and site policies occasionally, and exercise your option to correct information or opt out of your vendor's database.

How to Protect Your Privacy

There are many practical and common sense things you can do to help guard your privacy if you are concerned.

Seals, Privacy Programs, and Other "Guardians"

You may see privacy seals on some web sites. These seals are part of voluntarily programs used to validate a vendor's web site's policies and practices. These seals are intended to help ensure "consumer confidence." However, buyers are not always well protected by such policies due to a vendor's changing behavior or patterns. (Amazon.com is one example. They originally posted a privacy policy referring to their intent to keep customer information private. More recently, Amazon informed its customers that the policy had changed and they were no longer assuring customers that their information would remain private.)

These voluntary seal programs vary widely in their use and effectiveness. Some programs are new, while others may sound familiar. There are no significant punishments for violators. None of these programs is legally enforceable, and not all businesses displaying these seals are valid program participants.

Here are some guidelines for reviewing privacy policies, as suggested by the Online Privacy Alliance (OPA). The privacy policy should be clearly stated, be available on the page where the information is collected, and include the company's statements regarding disclosure, choice, and data security. Look for the following details:

Three of the more widely-recognized programs are briefly discussed below.

BBBOnline Privacy Seal Program and the Children's Privacy Seal Program

The Better Business Bureau offers a program and web site seal (BBBOnline) that indicates vendors have established a privacy policy to protect consumer information in a way that meets the BBB's standards. This means that "businesses must include notification to consumers of how information is collected, used, and shared; provide adequate data security; provide opt-outs for third-party information transfers; provide reasonable access to information; and use encryption for the receipt and transfer of sensitive information."

Web sites and online services displaying a BBBOnline Privacy Seal have also committed to the BBBOnline dispute resolution process, and are subject to random independent audits of their information practices. Penalties for violators are minimal.

P3P

The Platform for Privacy Preferences Project (P3P) enables privacy practices to be retrieved automatically, interpreted easily, and responded to automatically, in a standard format, as part of your interactions with a web site. The focus is to automate decision-making and transfer of basic visitor information when appropriate. This approach is not yet widely adopted and lacks enforcement mechanisms.

TRUSTe

TRUSTe is a partnership and seal program that requires a web site to have a posted policy explaining its privacy practices. That policy "will openly share, at a minimum, what personal information is being gathered; how it will be used; with whom it will be shared; who is gathering the information; what options the user has; what security procedures are in place to prevent misuse or loss and how users can correct information to control its dissemination." TRUSTe came out of efforts lead by the Electronic Frontier Foundation; it remains controversial. One reason: several TRUSTe members were found to violate their own privacy policies.

Finding and Using Secure Sites

Most of the information moving around the Internet is designed to be as widely read as possible. In order to protect private or sensitive information from wide dissemination, some form of encryption, or coding–like that used in a secure server–should be used.

Online ordering systems generally use a secure server, allowing your personal informaton to be encrypted as it moves across the Internet. However, the costs of setting up and maintaining a secure server are not trivial, and smaller vendors may offer other options. Some include using a third party's secure server (whose privacy policies may be different from your chosen vendor's); online ordering without the benefit of a secure server and encryption; or possibly offering an order form to be returned by fax or email. Remember that if you send credit card or personal information in a regular email message, it is not going to be secure. The level of security offered by any vendor is a matter for your consideration and trust. Don't order from any sites using methods that you don't trust. For more information on payment options, see the section on Paying Online.

Most web browsers have a little key or a lock in the lower left corner to indicate your browser's connection to a regular or secure server. See how your browser looks.

Not-Secure
Connection
SECURE
Connection
no lock locked padlockInternet Explorer
no lock seen

broken key
locked lock seen
solid key
Netscape Navigator

It's generally considered risky to type in any Personally Identifiable Information (PII), such as your credit card number or Social Security number, if the key or padlock is broken. If you aren't sure, call the merchant on the phone or make your purchase from another online store. Pay attention to all requests for personal information. Never share your password.

Here's a little more information about secure sites.

Secure Socket Layer

The Secure Socket Layer (SSL) creates a protected, encrypted connection between your home or work computer and your store's server. The URL (web address) of a secure site always begins with https:// (you will need to type it in). The more common, but insecure, http:// is assumed when you type a regular URL.

Public Key Encryption

SSL uses technology called public key encryption, one of the strongest safeguards available today. Encryption is a process by which plain text (what you type into the order form) is "scrambled" into a code that can't be read without a special key that unscrambles the code. Your vendor, if he offers a secure site for taking your orders, has this special private key.

Next: Prevention from Fraud | Contents