eBay and Privacy
For background and recent developments on our engagement with eBay,
please see our
News page.
Letter April 22, 2003 to FTC
April 22, 2003
Mr Howard Beales
Director, Bureau of Consumer Protection
Federal Trade Commission
Dear Sir
This letter asks your bureau
to investigate whether eBay's
recently changed dual presentations of its privacy practices
constitute unfair or deceptive trade practices
in the sense of Section 5 of the Federal Trade Commission Act.
By letter of February 27, 2002
I asked your office to
investigate eBay over their previous changes to their privacy representations.
Because of the Commission's policy generally
not to disclose to the public the existence of
any investigation unless it has come to a significant conclusion,
I cannot know what action your office took, if any.
However, some three weeks after my letter was made public the
company backed down on the change that was the primary focus of my letter.
The secondary
focus of my letter was the gap between
the initial "summary page" stating eBay's "privacy principles"
and its full privacy policy.
They made no amendment on that duplicitous discrepancy.
In the most recently changed materials, this discrepancy has
been widened, and is blatantly deceptive.
As in my earlier complaint, the average prospective bidder
seeking comfort without too much effort might
readily gain from the initial page the impression that if
she uses eBay her privacy will be assured.
She would get a very different picture if she waded into the thousands
of words in the harder-to-read full policy.
(The short version is reproduced below and is available at
http://pages.ebay.com/help/index_popup.html?new=privacy_summary.html
and the long version at
http://pages.ebay.com/help/index_popup.html?policies=privacy-appendix.html
on the Web.)
The short version, which eBay titles
"Privacy Policy Summary"
and calls a statement of core principles,
oversimplifies and makes material omissions,
giving the visitor a sense of privacy that is beyond what
eBay says in the long version that it provides.
This amounts to deception.
For example, on security, the short version simply says:
``We use safe, secure technology and other privacy protection programs to
keep your information secure on eBay.''
The bad news is reserved for the long version, which I
here quote from two different places:
``third parties may unlawfully intercept or access transmissions or
private communications, or users may abuse or misuse your personal
information that they collect from the Site.''
``However, "perfect security" does not exist on the Internet.''
The major and persistent risk of having an email address
``harvested'' by spammers is not there disclosed, despite the fact it
is a common syndrome for eBay users.
The short statements on disclosure go beyond material omissions,
they are logically inconsistent with the long version
in ways that again amount
to deception. For example, the short version,
after deleting some explanatory embellishments, comes down to:
``Your information will be shared with third parties...
...only when absolutely necessary...
Third parties are
not permitted to ... disclose it
... without your consent.''
The phrase "absolutely necessary"
sounds reassuring and prudently strict, but in the long
version it is weakened to
"as we in our sole discretion believe necessary or appropriate..."
Language in the 2002 version about
"maintaining a level of trust"
which I derided as excessively vague in my letter that year
has been deleted,
but if anything this gives eBay even greater latitude.
The long policy also reveals that eBay will disclose to
"law enforcement" (which appears to include litigating copyright attorneys)
a good deal of personal data without any warrant or court order.
The criterion would more honestly
be summarised
as "if we want to" rather than "only when absolutely necessary."
The restriction on onward transfer by third parties seems nonsensical
in the context of litigation and government investigation;
it is difficult to imagine how such third parties would be restrained from
disclosing it further, as the short version warrants.
eBay also requires users from outside the US to agree to processing
of their personal data below the minimum statutory standards of
many countries. For example,
the short version on access and modification says:
``We let you change your information so that you can keep it up to date.''
It fails to explain that they refuse to allow the data subject
to see all the data that they keep (and might reveal).
The short version does not mention deletion of information;
the long version clearly explains that they refuse to delete
information even if you ask them, and that they will keep it
indefinitely. This is bad privacy by the 1980
standards of the OECD; they should destroy it
after an appropriate period of time on request,
as required by law in many countries.
eBay operates sites with domain names indicating countries other than
the US, and consumers from those countries
may therefore assume that they are dealing with
a locally established entity
that will abide by their country's laws in the handling of personal
information. I hope that your office might be able to persuade or compel eBay
to disclose the fact that the level of privacy it provides is inadequate
by the statutory standards of many countries.
I urge your bureau to investigate eBay's
new materials and to compel them to modify the materials so as to cease
deceiving consumers. This is an important case not only
because of the large number of consumers who use eBay (and may be
bound to continue doing so by eBay's near-monopoly status)
but also because this style of "layered privacy policy" is becoming
popular with large companies. The style need not be inherently bad
if the short version is representative of the long version,
but if the format degenerates into an unfunny "good news, bad news" joke,
as it does in eBay's case, it is deceptive and should not be tolerated.
The FTC
may want to consider the feasibility and effectiveness
of some kind of compulsory labelling for short privacy policies,
along the lines of cigarette package warnings.
In eBay's current case for example, the short version might be required
to include statements such as:
Warning: If you use this service,
- your email address may be harvested by spammers;
- the company will retain your personal information indefinitely, even if you ask them to delete it;
- the company will collect and maintain information about you which it will not permit you to access;
- the company may give your personal information to parties investigating you or litigating against you without a court order and without telling you.
My view is that substandard practices should be prohibited rather than
merely made transparent.
But such warnings would make for a more balanced version
of the short statement.
Thank you for considering this complaint.
I do not know whether your office investigated eBay in 2002 or
whether such an investigation might have caused their partial backdown,
but if it did, I thank you for that also.
Sincerely
Jason Catlett
President
Junkbusters Corp.
Copy of eBay's short summary of its privacy policy
(This page was copied from
http://pages.ebay.com/help/index_popup.html?new=privacy_summary.html
on April 21, 2003. We added numbers to the bullet points for ease of reference.)
Privacy policy summary
The following points are the core principles of
eBay's privacy policy.
1. We will not sell or rent your information to third parties for marketing purposes and will only disclose your information in accordance with our Privacy Policy and/or with your permission.
2. We do share your information with third parties to help provide our services, to allow members to contact you, to enforce our terms and conditions, and to help keep our community safe.
3. Your information will be shared with third parties for services or features on eBay that you have chosen (such as insurance, escrow, dispute resolution) only when absolutely necessary and under confidential restrictions.
4. Third parties are not permitted to sell the information we provide to them or to disclose it in any other way without your consent.
5. We give you choices about how you wish to be contacted by eBay.
6. We use safe, secure technology and other privacy protection programs to keep your information secure on eBay.
7. We will provide you with notice if our privacy policy changes and an opportunity to reject such changes.
8. We let you change your information so that you can keep it up to date.
9. Other eBay companies that have access to your information in accordance with the policy are required to protect your information at least as strictly as we do.
[The remainder of the page consisted of four links to "Related Help Topics."]
eBay's Privacy Policy changes in 2002
eBay's change and partial backdown in February 2002
eBay's
FAQ on its change of privacy policy
included a summary of the main change Junkbusters objected to.
Conflict of Terms. We added this section because we are beginning to
offer a variety of helpful privacy pages, summaries, and technologies
that will help you evaluate our privacy practices. However, we to
be absolutely clear that the Privacy Policy is what you should rely
upon and is the default document in the event of a dispute.
What we believe eBay is really saying in that last sentence is:
However, you cannot rely on any of these helpful materials;
you cannot assert any legal right based on them or anything we
tell you different than the Privacy Policy because we have imposed
on you an agreement that allows us to repudiate them.
And if you don't like it, get off our site.
The last sentence is based on the statement at the bottom of eBay's pages that
"Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy
Policy."
The replacement for Section 11 that eBay made
on March 19 is the following:
It is our goal to make our privacy practices easy to understand. We have
created easy-to-read summaries, privacy principles, a privacy chart and, are
working on privacy enhancing technology to help summarize our full privacy
policy. If you have questions about any part of this summary or if you
would like more detailed information, we encourage you to review our full
privacy policy.
That version
of the privacy policy became effective immediately for new users.
Letter February 2002 to FTC
February 27, 2002
Mr Howard Beales
Director, Bureau of Consumer Protection
Federal Trade Commission
Dear Sir
This letter asks your bureau
to investigate whether certain parts of
eBay's most recent privacy policy
constitute unfair or deceptive trade practices
in the sense of Section 5 of the Federal Trade Commission Act.
In my view the most outrageous change is the addition of a new section
next to the last, some 3,600 words into the policy.
It appears at
http://pages.ebay.com/help/community/png-priv2.html
in all-capitals but is quoted below in lower case
for readability, in full.
11. Conflict of Terms. Please note that this privacy policy alone
governs our privacy practices. If there is a conflict between the terms
and conditions in this privacy policy and other privacy representations
that may appear on our site (e.g. privacy tools, easy to read summaries,
charts and P3P statements), you agree that the terms and conditions of
this privacy policy shall control.
I believe such an attempt to repudiate explicit representations is
as a principle and on its face deceptive, but I will briefly give some
concrete instances
from eBay's site to illustrate how grossly unfair it actually is in this case.
The first words of the previous version of the privacy policy
http://pages.ebay.com/help/community/png-priv.html
referred
to one such "easy to read summary":
To view a more user friendly description of our Privacy Policy and
to answer questions regarding this policy, please go to our
Privacy Central web pages at
http://pages.ebay.com/help/privacycentral1.html.
where the only immediate substantive matter the reader finds are these
reassuring principles.
- We do not sell or rent your information to third parties.
- We do not give your personally identifiable information to advertisers.
- We let you select how you may be contacted by us when you join our community.
- We use safe, secure encryption technology to protect your personally identifiable information.
- We have no tolerance for spam (unsolicited, commercial email).
An average prospective bidder
seeking comfort without too much effort might
readily gain from this page the impression that her privacy on eBay is assured.
She would get a very different picture if she discovered within the thousands
of words in the harder-to-read but controlling policy the link
http://pages.ebay.com/help/community/privacy-appendix.html
to a separate appendix containing a matrix of
dozens of disclosures of various kinds of information
to multiple categories of recipients.
I ask your bureau to examine this and to comment in public on
whether such a tactic of providing a misleadingly rosy picture of
a company's practices in one place, particularly
the more prominent, while explicitly repudiating
those representations elsewhere is on its face unfair, deceptive, and illegal.
An easier-to-read and more accurate summary of
eBay's practices would be
a page headed "Non-Privacy Policy" containing the single sentence
"Abandon all hope of privacy, ye who bid here."
For example,
with new language in its non-privacy policy under the heading "Legal Requests,"
(a place where a user might expect to find a statement that her information could
be subpoenaed, for example) eBay now gives itself the right
to make any disclosure about users it in its sole discretion considers
appropriate "to maintain a level of trust,"
an excessively vague and non-determinative criterion.
Additionally, eBay reserves the right (and you authorize eBay) to
communicate any information about you... to other users,
law enforcement and VeRO members as we in our sole discretion determine
necessary or appropriate to maintain a level of trust and safety in
our community and to enforce our User Agreement, Privacy Policy and any
posted policies or rules applicable to services you use through our site.
The new Section 11 specifically repudiates P3P statements.
This move potentially allows eBay to receive benefits such as
cookies based on a misrepresentation, which would be illegal.
However, I am not recommending the bureau make P3P a focus of any enforcement
action.
Even prior to this repudiation I had no expectation that P3P would
improve consumer privacy in any way -- a view I expressed in an
open letter in 1999 --
but I draw your attention to it because it exposes
P3P for the cynical dilatory lobbying tactic that it has always been.
Since 1997, large Internet companies and trade associations have been parading
P3P before the FTC and other government agencies as the pot of Internet privacy
gold at the end of the technological rainbow.
For example, the DMA's comments of July 6, 1998 before the Department
of Commerce claimed that the soon-to-arrive P3P would bring on a future where
"it will be the individual user, rather than industry or government,
who will determine the uses of information."
eBay's repudiation of P3P in Section 11
seems aimed at ensuring that it is eBay who chooses how its customers' personal
information is used,
despite any technological system supposedly intended to protect the consumer.
A related tactic that I urge your bureau to address
is what I call
the "moving target" phenomenon in privacy policies.
Companies routinely change their policies
and attempt to impose worse terms retrospectively on users who
may not notice that even their continued use of the web site is supposed
to constitute acceptance of the new terms.
(See for example, a
letter at
http://www.junkbusters.com/amazon.html#FTC
about Amazon.com to your predecessor
from EPIC and Junkbusters, December 4, 2000)
eBay's previous privacy policy stated:
We provide you with thirty (30) days notice to allow you the
opportunity to notify eBay
if you do not agree to such changes as described in Section 8.
eBay deleted that sentence in its newest policy, apparently weakening the
user's privacy.
Like many so-called privacy policies, eBay's is a repulsive
confection of excessively broad disclaimers of liability
coated in marketing sugar that deceitfully
attempts to disguise the awfulness of its position.
Under present law the Commission may not be able to compel eBay to
improve its actual information practices, but it can and should stop them
from deceiving people
and from imposing unconscionable new terms
on its millions of users.
I urge your bureau to act swiftly to protect eBay users from this unlawful
exploitation and to deter other companies from similarly
using their so-called privacy policies
to lower consumers' privacy below their already debased standards.
Sincerely
Jason Catlett
President
Junkbusters Corp.
Copyright © 1996-2003 Junkbusters ® Corporation.
Copying and distribution permitted under
the GNU General Public License.
2003/04/22
http://www.junkbusters.com/ebay.html