From...

April 26, 1999
Web posted at: 12:15 p.m. EDT (1615 GMT)

by Jack McCarthy and Elinor Mills

(IDG) -- Recent breaches of customer privacy by online stores show that early concerns for Internet security were justified, industry experts said, adding that smaller businesses rushing to get online are often the culprits.

Last week, an employee at an Internet service provider in Bellevue, Washington, posted a warning on the Internet to systems administrators and Web developers about the potential for Web sites exposing information as a result of misconfigured e-commerce software.

Joe Harris, systems administrator for Blarg Online Services, which hosts e-commerce sites for companies, said he discovered last week that more than 100 online stores hosted by Blarg were inadvertently revealing customer names, addresses, credit card numbers and other purchasing information. One of the ways random Internet users could access the information was by using certain keywords while doing searches on the sites, he said.

Since he posted the warning, many of the affected Web sites have corrected the problem, Harris said, but at least two stores were still exposing customer information on their sites last week.

MORE COMPUTING INTELLIGENCE
	IDG.net home page
Industry Standard home page
Industry Standard email newsletters
Industry Standard daily Media Grok
Industry Standard financial news
Reviews & in-depth info at IDG.net
IDG.net's personal news page
Questions about computers? Let IDG.net's editors help you
Subscribe to IDG.net's free daily newsletter for computer industry cognoscenti
Search IDG.net in 12 languages
News Radio
	Fusion audio primers
	Computerworld Minute

Such privacy breaches are expected to increase as more retailers go online.

"With the growth of the Internet and the use of e-commerce, you're going to get more and more of these situations," said Bob Lewin, executive director of TRUSTe, a Cupertino, Calif.-based group that monitors online privacy practices and offers seals of approval to Web sites that agree to follow basic privacy guidelines.

Experts say the privacy breaches seem to be happening primarily with smaller companies that might not have the expertise and sophistication to properly install electronic commerce software or the money to hire experienced firms to do it for them.

"It's definitely an issue that impacts smaller online merchants that are either using multiple site hosting services or are building their own using these simpler [turnkey] commerce packages," said David Kerley at Jupiter Communications market research firm in New York. "It's an area that larger online merchants are more sensitive to and more knowledgeable about."

Along with the dramatic growth of e-commerce, smaller companies are racing to sell online and creating greater demand than can be met for people who know how to create secure Web sites, according to Kerley, "so people who aren't as experienced are getting into the business."

Amateur Web designers can fail to follow instructions in using shopping-cart software that takes orders from customers, Harris said. When the software is improperly installed, the information can be exposed, for instance by being stored on a file that is accessible to web surfers, he said.

Many small retailers use friends or untested companies to develop their Web sites, Harris said. "They hear that their sister-in-law's cousin can do it, so they hire him," he said.

Basically, companies should be careful in selecting firms to set up and host their e-commerce sites by getting references, using established firms and asking about privacy and security upfront, the experts said. If they don't they'll not only lose customers but growth of e-commerce in general will be impeded, Lewin of TRUSTe said. "If you are going to put your store on the Web, you are responsible for the information that's there," Harris said. "Your client is trusting you to make sure you do everything in your power to make sure that data is safe."

While smaller companies may be primarily at fault for privacy breaches lately, data exposures at Web sites run by larger companies also can happen and when they do they can pose an even greater risk, according to Ari Schwartz, policy analyst at the Center for Democracy and Technology in Washington, D.C.

"Smaller companies do cut corners, but the larger companies usually have large databases and there's a lot more at stake, he said. "So both [types of companies] need to pay adequate attention, especially those people implementing software solutions for large numbers of small companies."

At the same time, companies are becoming more aware of the necessity for security. Nearly 700 Web sites are members of Truste and more are joining all the time, Lewin said. "The majority of our licensees are smaller organizations," he said. They "don't have time to do the necessary investigations to find out what they should be doing in the first place."

On their end, consumers should try to find out how secure the sites they buy things from are. "It's no different than other markets. Buyer beware," said Kerley of Jupiter.

There also need to be technical solutions that make it easier for people to read privacy notices online so they can determine whether the Web site is as secure as they want it to be, said Schwartz of the CDT.

"Seems as though it takes a violation of peoples' privacy to make people pay attention," Schwartz added.

The federal government may eventually give online merchants a push in the direction of guaranteeing security. Although the Clinton administration favors allowing the industry to regulate itself, agencies such as the Department of Commerce and the Federal Trade Commission have been discussing how to encourage privacy protection and lawmakers have talked about enacting laws that would make Web sites liable for privacy breaches on their sites.

Despite the privacy lapses that are occurring in the retailer rush to sell online, the risk is still minimal to most consumers, according to Kerley at Jupiter.

"There's not a huge risk for the consumer except to maybe have to cancel a credit card," he said. "There are far more shady businesses that are not on the Internet that have access and do access personal information of a more sensitive nature. All it takes is a few dollars to get a credit rating and credit report," for example, Kerley said.

Jack McCarthy and Elinor Mills write for the IDG News Service.