I believe that the majority of e-commerce websites deliver what they say they will, but you need to know how to avoid the few that won’t. Interestingly, the huckster who runs the site described in the NYTimes article provides the answer:

Selling on the Internet, Mr. Borker says, attracts a new horde of potential customers every day. For the most part, they don’t know anything about DecorMyEyes, and the ones who bother to research the company — well, he doesn’t want their money. If you’re the type of person who reads consumer reviews, Mr. Borker would rather you shop elsewhere.

Mr. Borker doesn’t want cautious, conscientious customers because those customers reduce his hourly wage. Why bother selling to these people when there are plenty of shoppers who will give up trying to get their money back without much fuss? That is why, amazingly, the owner of this scam website isn’t troubled by the bad publicity that makes it easy to protect yourself.

Before clicking “Buy”

Just as changing your password to something marginally more complex than the typical internet user’s password makes you an undesirable target, doing a bit of research on the net makes you vastly less likely to fall victim to an e-commerce scam.

When I say “a bit”, I really mean it. It takes two seconds to type “decormyeyes fraud” into Google’s search engine. Every search result I got when I did that clued me in to the fact that this website is bad news:

A Better Business Bureau search piles on the evidence:

So that’s it. The next time you are thinking of buying from an online retailer, just do a quick Google search like “companyname fraud” or “companyname scam” and then check out the Better Business Bureau rating. Most people spend a good amount of time researching their internet purchases — allocating just a couple of seconds to protecting yourself from fraud should not be too much of a burden.

Trustworthy search engines

Last fall, when the United States Justice Department asked for private search records to aid its case in a court battle, some of the biggest search engines, including AOL, Yahoo, and Microsoft, gave in to the request immediately. Google refused to hand over the data and a subsequent court ruling on the matter took Google’s side. So, when it comes to search, Google is probably the safest.

Who’s paranoid?

At the risk of joining the tinfoil hat crowd, there is something you can do to avoid suffering even if one of the major search engines decides to give up on your privacy. Blackboxsearch.com lets you search Google, Yahoo, and MSN anonymously (and for free).

Here’s how it works: every time someone performs a search on Blackboxsearch, the website sends the request to the appropriate search engine while hiding your IP address. All searches arriving at Google or Yahoo or MSN appear to come from Blackboxsearch’s IP address, which means that if ever an entity like the Justice Department gets its hands on the search terms, all it would get is a mass of words and phrases, all seemingly coming from the same place. There would be nothing there that would help them match up searches to IP addresses and individuals.

Then again, using Google for your searches is probably more convenient, since it doesn’t involve navigating and getting accustomed to a new website. Privacy and security always involve tradeoffs in terms of time and effort, so decide for yourself how severely a data compromise would affect you, and either go directly to Google for your searches or use a proxy like Blackboxsearch.

America Online fired two employees and its chief technology officer because of the release of user search data earlier this month, says the New York Times:

‘This incident took place because some employees did not exercise good judgment or review their proposal with our privacy team,’ Miller said in a second memo. ‘We are taking appropriate action with the employees who were responsible.’

Accountability is a good thing when it comes to enforcing privacy requirements in any organization, and AOL seems to be taking it seriously. The company is taking several steps to ensure that this never happens again, such as keeping tighter controls on employee access to data, educating employees about privacy issues, and reviewing data retention and privacy policies.

I hope other companies that harbour large collections of user data are paying close attention. Then again, AOL didn’t take the hint from privacy fiascos that came before it (for example, it has been just over a year since ChoicePoint, a company that gathers and sells data about consumers, announced that it gave up sensitive information on more than 160,000 people to criminals posing as ChoicePoint customers – the media coverage on the story was extensive).

It may be that more companies won’t take their customers’ privacy seriously until they are the ones that pay for mishandling. If people lose or relinquish control over their private details to be used for commercial purposes, it is reasonable to demand that the information be treated delicately. If a company fails to meet this burden, it should suffer economic consequences.

Once the onus is on the gate-keepers of the data (a title long ago given up by the true owners of personal data, individuals), I have little doubt that business minds will come to adequate solutions. And if they don’t, injured parties should be compensated accordingly.

Anything less than full responsibility would be rather lopsided. After all, companies use collections of personal data to improve marketing, build better products, and grow profits; they should suffer the downside of these activities as well, particularly if it is due to negligence, incompetence, or lack of concern.

In it, questions such as “Why did AOL release the records?” and “AOL says it anonymized the data by replacing the AOL user ID with a randomized number. Is it possible for someone to figure out who I am just from my searches?” are posed and answered in a straightforward way.

The following question is probably the most pertinent for those who would like to avoid search engine privacy infringements:

Has the government ever requested such records before?

Yes. One attempt was made public last fall when Google fought a subpoena from the Justice Department which asked for similar records from AOL, MSN, Yahoo and Google. The feds wanted the records to help defend an ongoing court challenge to the Child Online Protection Act. Google largely won that battle, but Yahoo, MSN and AOL all turned over records to the government. The government may have also asked for large quantities of search records as part of antiterrorism efforts, but those subpoenas and warrants typically come with gag orders that would prevent the search engines from publicly discussing them.

As far as I know, MSN, Yahoo, and AOL didn’t put up the slightest resistance. Google is not beyond reproach on all things privacy related, but the company is certainly a big step ahead of its competition in this instance.

That’s not to say that you should give up on keeping your information secure – you shouldn’t. But try to be prepared when the worst happens, as it did on August 4, 2006.

Last Friday, AOL posted on one of its websites a compressed text file holding 20 million search terms and phrases for about 650,000 users. The data was collected between March and May of 2006.

AOL has since removed the text file and issued an apology, but the damage is done (especially since the file is still available through other sources – once something is on the internet, it doesn’t disappear easily). This was taken from TechCrunch, which has been following the story closely:

AOL has released very private data about its users without their permission. While the AOL username has been changed to a random ID number, the abilitiy [sic] to analyze all searches by a single user will often lead people to easily determine who the user is, and what they are up to. The data includes personal names, addresses, social security numbers and everything else someone might type into a search box.

The most serious problem is the fact that many people often search on their own name, or those of their friends and family, to see what information is available about them on the net. Combine these ego searches with porn queries and you have a serious embarrassment. Combine them with “buy ecstasy” and you have evidence of a crime. Combine it with an address, social security number, etc., and you have an identity theft waiting to happen. The possibilities are endless.

This New York Times article demonstrates how easy it is to analyze search results in combination with the associated ID number to uncover an individual’s identity:

No. 4417749 conducted hundreds of searches over a three-month period on topics ranging from “numb fingers” to “60 single men” to “dog that urinates on everything.”

And search by search, click by click, the identity of AOL user No. 4417749 became easier to discern. There are queries for “landscapers in Lilburn, Ga,” several people with the last name Arnold and “homes sold in shadow lake subdivision gwinnett county georgia.”

It did not take much investigating to follow that data trail to Thelma Arnold, a 62-year-old widow who lives in Lilburn, Ga., frequently researches her friends’ medical ailments and loves her three dogs. “Those are my searches,” she said, after a reporter read part of the list to her.

Google, by partnering with the StopBadware Organization, has begun to issue warnings when users click on search results that lead to dangerous websites.

StopBadware keeps a list (so far it appears to be quite limited) of user-submitted websites that are known to host spyware, adware, and other malware. After receiving submissions, the organization analyzes the purported malware using a list of seven categories of bad behaviour that help to identify malicious software.

This list includes:

…deceptive installations, unclearly [sic] identification, causing harm to other computers, modifying other software, transmitting user data, interfering with computer use, and being difficult to uninstall completely.

You can see one of the warnings in action by doing a search for “seriall” and clicking on the first result (SeriAll.com is a website that publishes serial numbers for pirated software). After clicking on the link, you should see a screen similar to the one shown at the top of this post.

Will Google and StopBadware prevail?

Most solutions to this problem, such as downloadable antispyware scanners, are reactive rather than preventative. They help minimize the damage from malware that has managed to nestle into a user’s computer, but do little to prevent the installation in the first place.

Preventative initiatives like Google’s have the potential to greatly decrease the harm and reach of malware. Many websites, including those that deal in malware, depend on search engine results for a good number of their visitors; if this source of internet traffic dries up, malware providers will need to look elsewhere for their victims.

Still, let us hope the execution of this strategy is transparent and level-headed. Because a website’s fortunes can change dramatically depending on the traffic it receives from search engine results, collateral damage to websites that are mistakenly or negligently targeted would be unfortunate indeed.

Happily, the idea so far is not to irrevocably block traffic to a searcher’s intended destination, but to provide a warning en-route. If someone wishes to continue to the website, even after reading the warning, it is fully possible. I hope the policy remains that way and abstains from taking up a censorship position.

Another way to avoid spyware

There is another way to use search engine results to help you vet software before you download it, and I will provide a detailed how-to in an upcoming post. I think you will find it quite useful.