
Thread: Privacy concern - Scan orders being reported to 3rd parties.

  1. #17
    Member
    Join Date
    Apr 2006
    Location
    North West, United Kingdom
    Posts
    131
    Thanks
    0
    Thanked
    3 times in 3 posts
    Apologies for the delay in replying - I wanted to review the details in greater depth before commenting. Since this issue only occurs once an order is confirmed at Scan though, it does make detailed investigation a little more difficult.

    I have taken a closer look at the Shopzilla javascript (https://www.shopzilla.com/css/roi_tracker.js) and can give some good news for those concerned. It does a page scan only with Yahoo websites (this was my major concern, since Scan's order confirmation page does include personal details which could be picked up in this way). With other sites (like Scan) it instead creates a URL for Bizrate.com, including customer type (E for Scan - would this mean eggheads by any chance? ), order ID, value and number - Bizrate then returns a web bug (see this link for an example). The downside however is that Bizrate sets a cookie (with a Tuesday, May 31st 2016 expiry date) which would allow it to correlate this order with any future ones (plus any placed with other sites using this tracker). Since the connection to Bizrate is via https: this cookie would bypass any third-party cookie filters, including firewalls with privacy features enabled.

    Now to separate the chaff from the wheat...
    Quote Originally Posted by ExceededGoku
    I'm not worried, Scan can do whatever they like with my data (don't hold me to this )
    This is not about whether people should trust Scan or not (if you didn't trust them, you presumably wouldn't order from them!) but whether that trust should be extended to third parties like ShopZilla and NexTag. I personally had not even heard of these sites beforehand so cannot reasonably be expected to have any confidence in them. Unfortunately, the method used to send them data bypasses any third party filters installed meaning that it is very difficult for most users to even see it take place, let alone stop it.
    Quote Originally Posted by ExceededGoku
    ye take that paranoid! Scan I still love you <3
    If that is your viewpoint, then I would ask you to kindly refrain from further comments in this thread unless you have something more relevant to post.
    Quote Originally Posted by Steve A
    This is an email that the MD wanted me to post to reassure the hexus people of our intentions ::
    Thanks for including this response - no name is attached so may we presume this is Elan Raja? Hope you'll excuse me for referring to you as "Scan MD" in the rest of this post.
    Quote Originally Posted by Scan MD
    In short, we can’t please everyone and we have made the occasional booboo…but one thing for sure is that each and every employee in Scan has a commitment to Hexus members.
    First of all, thanks for taking the time to address the concerns posted in this thread. There is no intention to criticise Scan itself or its employees, but instead to draw attention to a particular function on Scan's website and its consequences for customer privacy.
    Quote Originally Posted by Scan MD
    In order to calculate if the feed is profitable or not, we need to look at the value of the order placed by a customer and then compare it to our cost of running a campaign.

    This calculation is called “ROI, Return on Investment”. In short, it tells us whether we are “getting shafted” by the price portals.

    In order to calculate an ROI, we need to disclose relevant orders to the price portals so they can verify if the sale originated from them…they do this by matching up the cookies from the referral to the sale.
    If only "relevant orders" need this calculation, then why are details of every order submitted in this way? Regardless of how a customer reaches Scan (via a pricing engine or, as in my case, via typing Scan's URL in directly without using a pricing engine at all), this submission of data to Shopzilla/Nextag still takes place. Also there are far more search engines out there than Shopzilla/Nextag - why aren't similar steps taken with these?
    Quote Originally Posted by Scan MD
    As we do not read 3rd parties cookies we need to disclose the orders so they can pick up their relevant orders to calculate an ROI.
    If someone visits Scan via a search engine link, Scan could verify this by checking the referer (where present) or by noting the entry URL (which is almost always customised by the search engine to include extra parameters like affiliate ID) with far less risk to users' privacy. Why isn't this approach taken?
    Quote Originally Posted by Scan MD
    Almost each and every Etailer in Europe does this.
    Supplying data to search engines yes. Supply data on completed orders, no - while I won't claim to have used every other European etailer, the only other European example of this I have encountered (and noted in the Wilders' thread) is PCWorld.co.uk who sends details on every page visited to Doubleclick.
    Quote Originally Posted by Scan MD
    THE ORDER ID DOES NOT RESOLVE TO ANY OTHER PERSONAL INFORMATION THAT THE PRICE PORTALS CAN READ AND POSSIBLY USE FOR DIRECT MARKETING.

    THE ONLY INFORMATION THAT THE PRICE PORTALS CAN HAVE IS WHAT PRODUCTS SCAN SELLS AND THE VALUE OF THEIR SALES.
    This is true, until you consider the consequences of data aggregation by the portals. Shopzilla does not set a cookie, but Bizrate certainly does. That means that until Bizrate's cookie expires (Tuesday, May 31st 2016 in my case), it has the ability to correlate all orders placed with Scan, plus any other stores providing data in a similar fashion. All it then requires is one "partner" website to include personal data (name/address) for them to be able to attach this to their order history.

    From a security perspective also, Shopzilla can extract any data they want from Scan's order confirmation page just by amending their Javascript code. Allowing third party sites to include their own Javascript on Scan's website poses more dangers than just having a web bug (as with NexTag) since such scripts could alter page contents - and the more widespread Shopzilla's ROITracker becomes, the more attractive a target it becomes to crackers or malware pushers looking for a new way of compromising end-users' systems.
    Quote Originally Posted by Scan MD
    The thread is incorrect as WE DO NOT PASS OVER ANY PERSONAL INFORMATION THAT RELATES AN ORDER TO AN INDIVIDUAL.
    So far, your statements about data sent appear to confirm the information included in this thread. While such data on its own cannot be related to an individual, the real danger for consumers (and the real benefit correspondingly for marketeers) is aggregation of this data allowing subsequent identification. Scan obviously has no means of controlling this, but it is fuelling it with its own order data.

    In addition users should be aware that whenever they visit a site, details like their IP address, operating system (Windows version in most cases) and browser can be logged (see BrowserSpy for a comprehensive list of the information a website can obtain). In the case of data aggregators like Bizrate, this could be useful in determining if an IP address was dynamic/shared or static/single - static/single addresses could then have a real-world address assigned to them with a higher degree of confidence.
    Quote Originally Posted by Scan MD
    I will ask my development team for a fuller reply to the more technical aspects in “Paranoid 2000’s” thread.
    Thanks for this, and I look forward to seeing their response. Scan isn't the only site to use this method of transferring data to third parties - but it could be the first to properly address consumer concerns about it.
    Quote Originally Posted by Scan MD
    Finally, my opinion on the thread is that it is a reflection of the user name…”paranoid 2000 “…
    I'd rather keep opinion out of this - let's stick to hard facts shall we?

  2. #18
    Senior Member ExceededGoku's Avatar
    Join Date
    Sep 2005
    Location
    Lincolnshire, UK
    Posts
    1,578
    Thanks
    8
    Thanked
    1 time in 1 post
    I'm sorry, but lol at paranoid 2000...
    Core 2 Duo E6600 @ 3.2Ghz (400Mhzx8) 1.52V (set in bios, 1.47v real) | 4GB GeIL PC6400 4-4-4-12 | Gigabyte DQ6 @ 1600Mhz | HD2900XT 1GB | Enermax Infiniti 720W | Silverstone TJ07-B with custom watercooling | BenQ FP241WZ
    3dmark05 - 13140 | 3dmark06 - 6698 | SuperPi 1M - 15s

  3. #19
    Senior Member MantisCSS's Avatar
    Join Date
    Apr 2006
    Location
    Basingstoke
    Posts
    898
    Thanks
    0
    Thanked
    0 times in 0 posts
    I haven't been conned, I'm happy, big up SCAN yeeeehaa!
    PowerColor HD 4850 512MB
    Gigabyte GA-EP35-DS3L iP35 Socket 775 8 channel audio ATX Motherboard
    Intel Core 2 Duo E7200 2.53GHz
    Coolermaster Centurion 5 All Black
    Corsair 450W VX 450W PSU
    Samsung SpinPoint F1 500GB

  4. #20
    HEXUS.social member Agent's Avatar
    Join Date
    Jul 2003
    Location
    Internet
    Posts
    19,185
    Thanks
    738
    Thanked
    1,609 times in 1,048 posts
    Quote Originally Posted by Paranoid2000
    I have taken a closer look at the Shopzilla javascript (https://www.shopzilla.com/css/roi_tracker.js) and can give some good news for those concerned. It does a page scan only with Yahoo websites (this was my major concern, since Scan's order confirmation page does include personal details which could be picked up in this way). With other sites (like Scan) it instead creates a URL for Bizrate.com, including customer type (E for Scan - would this mean eggheads by any chance? ), order ID, value and number - Bizrate then returns a web bug (see this link for an example). The downside however is that Bizrate sets a cookie (with a Tuesday, May 31st 2016 expiry date) which would allow it to correlate this order with any future ones (plus any placed with other sites using this tracker). Since the connection to Bizrate is via https: this cookie would bypass any third-party cookie filters, including firewalls with privacy features enabled.
    Bottom line is folks, what Scan sells is forwarded to a 3rd party company so they can track it.
    The effort needed to identify a person (physically in the real world) from the information provided is huge. In fact, with just the information of customer type, order id, value / number and IP address, to purely get your name and spending habits would not be resourceful.

    but whether that trust should be extended to third parties like ShopZilla and NexTag. I personally had not even heard of these sites beforehand so cannot reasonably be expected to have any confidence in them. Unfortunately, the method used to send them data bypasses any third party filters installed meaning that it is very difficult for most users to even see it take place, let alone stop it.
    I personally don’t see where there is a trust issue. What do you have to “trust” these sites with exactly?
    No personal details are passed from Scan to these companies, only information on Scan’s sales.


    If only "relevant orders" need this calculation, then why are details of every order submitted in this way? Regardless of how a customer reaches Scan (via a pricing engine or, as in my case, via typing Scan's URL in directly without using a pricing engine at all), this submission of data to Shopzilla/Nextag still takes place.
    It’s fairly reasonable to assume that the data is passed, then the 3rd party has a list of what is relevant at that time. It’s a lot better to have a dump of all data then sift through what you need as opposed to saving what you “think” you need at the time, only to find out you don’t have everything.
    This also helps should the “relevant” data criteria change. With complete past data, it’s possible to search this to meet the new criteria.

    Also there are far more search engines out there than Shopzilla/Nextag - why aren't similar steps taken with these?
    Why would they need to submit it to more services to see things like ROI (probably amongst other things) which the above sites already offer for Scan?

    If someone visits Scan via a search engine link, Scan could verify this by checking the referer (where present) or by noting the entry URL (which is almost always customised by the search engine to include extra parameters like affiliate ID) with far less risk to users' privacy.
    I’m not sure what you’re getting at here?
    How does the point of entry for the site have anything to do with Scan passing on non-personal details to 3rd parties?


    Why isn't this approach taken? Supplying data to search engines yes. Supply data on completed orders, no - while I won't claim to have used every other European etailer, the only other European example of this I have encountered (and noted in the Wilders' thread) is PCWorld.co.uk who sends details on every page visited to Doubleclick.
    Actually you’ll find that what Scan said is pretty close to the truth. The difference being that details from orders are usually logged by the company you order from then passed on to 3rd parties “behind your back” and totally invisible to you.
    While other companies will still be operating in the same manner as Scan (passing non-personal details on), at least with Scan’s method you have the option to see what is being passed (going from your post – I have not checked the data myself)

    This is true, until you consider the consequences of data aggregation by the portals. Shopzilla does not set a cookie, but Bizrate certainly does. That means that until Bizrate's cookie expires (Tuesday, May 31st 2016 in my case), it has the ability to correlate all orders placed with Scan, plus any other stores providing data in a similar fashion. All it then requires is one "partner" website to include personal data (name/address) for them to be able to attach this to their order history.
    Under the data protection act, when passing your details over to a company; if this data is going to be shared with other 3rd parties (as in your situation above), you must be given notification of this, and in the majority of cases, the option to opt out. The option to opt out is not normally presented for situations where the data must be passed for part of the service (for example – Scan passing your name + address to City link so they can deliver an order to you). However, even in this situation, you have to be notified (it will be in the T&C).

    Furthermore, while your scenario above is possible, it would certainly take a lot of effort (and more importantly resources) to pull off such an act. So much so, that it probably wouldn’t be cost effective considering all “they” would have is who you are and your ordering history. Even if the data was ‘breached’ to this ‘extreme’ level, as per your situation above, what’s the worst that “they” can do with it? – send you marketing leaflets through the post?



    From a security perspective also, Shopzilla can extract any data they want from Scan's order confirmation page just by amending their Javascript code. Allowing third party sites to include their own Javascript on Scan's website poses more dangers than just having a web bug (as with NexTag) since such scripts could alter page contents - and the more widespread Shopzilla's ROITracker becomes, the more attractive a target it becomes to crackers or malware pushers looking for a new way of compromising end-users' systems.
    You can look at anything from a “security perspective” though and assume a worst case scenario.
    Here is a better target for malware publishers: Windows update. Millions of PCs are set to auto update – it wouldn’t even need user intervention!
    However, this is going from a simple “what data gets passed to 3rd parties” discussion to a “what could happen if a big corporate website was hacked”.


    So far, your statements about data sent appear to confirm the information included in this thread. While such data on its own cannot be related to an individual, the real danger for consumers (and the real benefit correspondingly for marketeers) is aggregation of this data allowing subsequent identification. Scan obviously has no means of controlling this, but it is fuelling it with its own order data.
    Again, you’re talking extreme, worst case, unlikely, resource hungry situations, but I have covered this above.


    In addition users should be aware that whenever they visit a site, details like their IP address, operating system (Windows version in most cases) and browser can be logged (see BrowserSpy for a comprehensive list of the information a website can obtain).
    You should go for a job at Bonzi Buddy
    What can be logged from visiting a webpage is basic HTML and webpage skills. This is rapidly turning into a “the perils of going online” thread


    In the case of data aggregators like Bizrate, this could be useful in determining if an IP address was dynamic/shared or static/single - static/single addresses could then have a real-world address assigned to them with a higher degree of confidence.
    There is a heck of a lot easier way of doing this – just get the IP, cross check it against the ISP to see if they assign dynamic or static IPs, and voilà!
    You’re not factoring in the thousands of people that change ISP every week, nor people that use proxies (intentionally or not), or the fact that dynamic IPs would make it extremely difficult in the first place and almost impossible to keep up to date.


    Thanks for this, and I look forward to seeing their response. Scan isn't the only site to use this method of transferring data to third parties - but it could be the first to properly address consumer concerns about it
    I think it’s more of “but it could be the first site to properly address my concerns”
    The situations you are talking about are, in large, unfeasible.
    I’m curious what other companies haven’t responded to you on issues raised such as these?
    Quote Originally Posted by Saracen View Post
    And by trying to force me to like small pants, they've alienated me.

  5. #21
    Senior Member FatalSaviour's Avatar
    Join Date
    Jun 2004
    Location
    London/Oxford/York
    Posts
    1,876
    Thanks
    42
    Thanked
    12 times in 11 posts
    Quote Originally Posted by vicar
    I think we all owe paranoid 2000 many thanks for bringing this issue to the surface, confidentiality and privacy should be anybody's concern, in this age of ID cloning and misuse of info.

    Scan's MD should be applauded for his clarification of the points raised by paranoid 2000.

    I am glad people like paranoid2000 are vigilant, and the boss takes an interest in his company, staff and customers.

    Many Thanks
    Hear Hear,
    Well said, and I'd like to reiterate vicar's praise

  6. #22
    Member
    Join Date
    Apr 2006
    Location
    North West, United Kingdom
    Posts
    131
    Thanks
    0
    Thanked
    3 times in 3 posts
    Quote Originally Posted by Agent
    The effort needed to identify a person (physically in the real world) from the information provided is huge. In fact, with just the information of customer type, order id, value / number and IP address, to purely get your name and spending habits would not be resourceful.
    If that third party obtains name/address information from another source, the effort to correlate it would be trivial.
    Quote Originally Posted by Agent
    I personally don’t see where there is a trust issue. What do you have to “trust” these sites with exactly?
    No personal details are passed from Scan to these companies, only information on Scan’s sales.
    And why should they have this information in the first place? Don't we, as customers, have an expectation of privacy with the companies that we deal with? A comparison could be drawn with the "real world" example of a gossipy doctor who keeps telling stories about his patients. Although he may not mention names, at some point he will provide enough details about patient X (either by discussing their case with someone already familiar with X or by supplying enough information to allow others to narrow down the possibilities to one person) to allow others to determine X's real identity.
    Quote Originally Posted by Agent
    It’s fairly reasonable to assume that the data is passed, then the 3rd party has a list of what is relevant at that time. It’s a lot better to have a dump of all data then sift through what you need as opposed to saving what you “think” you need at the time, only to find out you don’t have everything.
    This also helps should the “relevant” data criteria change. With complete past data, it’s possible to search this to meet the new criteria.
    Yes, it may be more convenient for the search engine to have data on orders, regardless of whether it came via them or not - however this is contrary to the justification given by Scan for supplying the data in the first place.
    Quote Originally Posted by Agent
    Why would they need to submit it to more services to see things like ROI (probably amongst other things) which the above sites already offer for Scan?
    Well, how about because NexTag and Shopzilla are only providing data for their own search engines, and not covering others like PriceGuideUK, Pricerunner, etc?
    Quote Originally Posted by Agent
    I’m not sure what you’re getting at here?
    How does the point of entry for the site have anything to do with Scan passing on non-personal details to 3rd parties?
    The reason given by Scan for supplying this data is to check which orders resulted from a search engine placement. If Scan checks referers or the first page accessed by a user (to check for a search engine affiliate code), then they have that information without any need to send order details to third parties.
    Quote Originally Posted by Agent
    While other companies will still be operating in the same manner as Scan (passing non-personal details on), at least with Scan’s method you have the option to see what is being passed (going from your post – I have not checked the data myself)
    Please take the time to read this thread from the beginning and check the links I supply in my first post. Purchasers are not being given the option to see what is passed on (if you've ever purchased from Scan yourself, you'd know this). It is not even possible to detect this transfer happening unless you have a very tightly secured setup (as mentioned in the Wilders Dangers of HTTPS thread).
    Quote Originally Posted by Agent
    The option to opt out is not normally presented for situations where the data must be passed for part of the service (for example – Scan passing your name + address to City link so they can deliver an order to you). However, even in this situation, you have to be notified (it will be in the T&C).
    As I have mentioned above, no consent is sought and Scan's Data Protection Register specifically limits data transfers to within the European Economic Area (which doesn't apply in this case - the transfer is to a server based in the United States).
    Quote Originally Posted by Agent
    Furthermore, while your scenario above is possible, it would certainly take a lot of effort (and more importantly resources) to pull off such an act. So much so, that it probably wouldn’t be cost effective considering all “they” would have is who you are and your ordering history. Even if the data was ‘breached’ to this ‘extreme’ level, as per your situation above, what’s the worst that “they” can do with it? – send you marketing leaflets through the post?
    Again, little effort would be needed since all that needs to be done is to aggregate data. Of course, doing this for one person only would not be economic which is why data aggregators aim to build hundreds of thousands of profiles. As for the "worst" - well that comes down to who subsequently they sell this data on to. The key point though, is that when such data is collected, you have no control over who gains access to it - much like when a spammer gains your email address, you lose control over who gets it in future.
    Quote Originally Posted by Agent
    Here is a better target for malware publishers: Windows update. Millions of PCs are set to auto update – it wouldn’t even need user intervention!
    Which is why Microsoft include digital signatures with their code - assuming that a malware publisher could set up their own network of servers on the scale of Akamai's distribution network to cope with the volume of requests...
    Quote Originally Posted by Agent
    However, this is going from a simple “what data gets passed to 3rd parties” discussion to a “what could happen if a big corporate website was hacked”.
    Agreed, but it is also pointing out that the business risk to Scan is greater than if their webpage just used a web bug for Shopzilla as it does with NexTag.
    Quote Originally Posted by Agent
    Again, you’re talking extreme, worst case, unlikely, resource hungry situations, but I have covered this above.
    If you review NexTag's privacy policy, your "unlikely...situation" happens to be their business objective. Bizrate's privacy policy (which covers Shopzilla) includes this paragraph:

    "Agents
    From time to time, we employ other companies and individuals to perform various functions on our behalf. Examples include sending postal mail and e-mail, analyzing shopper data, and providing other data and services. In such instances, they may have access to personal information needed to perform their functions, but will be prohibited from using it for other purposes."


    In "privacy-policy" speak, this means they collect personal information, even if they may less frequently (i.e. for a higher price perhaps?) disclose it.
    Quote Originally Posted by Agent
    What can be logged from visiting a webpage is basic HTML and webpage skills. This is rapidly turning into a “the perils of going online” thread
    Going online to the wrong sites can certainly be dangerous. The point I was trying to make here is that this "basic" information can be used to help build not-so-basic conclusions.
    Quote Originally Posted by Agent
    There is a heck of a lot easier way of doing this – just get the IP, cross check it against the ISP to see if they assign dynamic or static IPs, and voilà!
    Virtually all ISPs will have both static and dynamic IPs with little or no indication of which is which (no, reverse DNS lookup is not a reliable method).
    Quote Originally Posted by Agent
    You’re not factoring in the thousands of people that change ISP every week, nor people that use proxies (intentionally or not), or the fact that dynamic IPs would make it extremely difficult in the first place and almost impossible to keep up to date.
    Most people don't change ISPs on a weekly basis or use proxies (aside from ISP-required ones). As for dynamic IPs, yes they do make tracking location more difficult which is why being able to identify if a person is on a dynamic IP or not is useful. This however is getting off-topic.
    Quote Originally Posted by Agent
    I think it’s more of “but it could be the first site to properly address my concerns”
    The situations you are talking about are, in large, unfeasible.
    I’m curious what other companies haven’t responded to you on issues raised such as these?
    Read the threads I've linked to, the answers (or lack of them) are there.

    Vicar/FatalSaviour,

    Thanks for your feedback - apologies if I appear to be spending less effort replying to you as I am with the sceptics.
    Last edited by Paranoid2000; 04-06-2006 at 09:20 AM.
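
The referer and entry-URL check proposed in the post above, as an added example that is not part of the original thread and not Scan's or any portal's code: it attributes each order to a price portal using only first-party data and computes the ROI figure locally, so direct-entry orders are never disclosed. The `aff` parameter and its codes, the `shop.example` domain, the campaign costs and the sample sessions are constructed assumptions.

```javascript
// Added example: first-party order attribution with no third-party script
// or beacon. The "aff" entry-URL parameter, its codes, shop.example, the
// campaign costs and every session below are constructed for illustration.
const PORTALS = {
  shopzilla: { hosts: ["shopzilla.com", "bizrate.com"], affCode: "sz" },
  nextag: { hosts: ["nextag.com"], affCode: "nt" },
};

// Parse a URL, treating empty, missing or malformed values as "no data".
function safeUrl(value) {
  if (!value) return null;
  try {
    return new URL(value);
  } catch (err) {
    return null;
  }
}

// Exact host or a true subdomain only, so a lookalike such as
// "shopzilla.com.tracker.example" does not match "shopzilla.com".
function hostMatches(hostname, domain) {
  return hostname === domain || hostname.endsWith("." + domain);
}

// Decide which portal (if any) a session came from. The entry URL's
// affiliate code is checked first because the referer is often absent.
function attributeSession(entryUrl, referrer) {
  const entry = safeUrl(entryUrl);
  const aff = entry ? entry.searchParams.get("aff") : null;
  if (aff) {
    for (const [name, portal] of Object.entries(PORTALS)) {
      if (portal.affCode === aff) return { portal: name, evidence: "entry-url" };
    }
  }
  const ref = safeUrl(referrer);
  if (ref) {
    for (const [name, portal] of Object.entries(PORTALS)) {
      if (portal.hosts.some((d) => hostMatches(ref.hostname, d))) {
        return { portal: name, evidence: "referer" };
      }
    }
  }
  return null; // direct visit or unknown source: nothing to report
}

// Aggregate attributed orders per portal and compute ROI against the
// campaign cost. Values are integer pence to avoid rounding drift.
function roiReport(sessions, campaignCostPence) {
  const report = { unattributed: 0, portals: {} };
  for (const s of sessions) {
    const hit = attributeSession(s.entryUrl, s.referrer);
    if (!hit) {
      report.unattributed += 1;
      continue;
    }
    if (!report.portals[hit.portal]) {
      report.portals[hit.portal] = { orders: 0, revenuePence: 0, roi: null };
    }
    report.portals[hit.portal].orders += 1;
    report.portals[hit.portal].revenuePence += s.orderValuePence;
  }
  for (const [name, row] of Object.entries(report.portals)) {
    const cost = campaignCostPence[name];
    row.roi = cost > 0 ? (row.revenuePence - cost) / cost : null;
  }
  return report;
}

// Constructed sample data.
const SAMPLE_COSTS = { shopzilla: 20000, nextag: 15000 };
const SAMPLE_SESSIONS = [
  { entryUrl: "https://shop.example/product/123?aff=sz",
    referrer: "https://www.shopzilla.com/search?q=gpu", orderValuePence: 25000 },
  { entryUrl: "https://shop.example/", referrer: "", orderValuePence: 9999 },
  { entryUrl: "https://shop.example/product/9",
    referrer: "https://www.nextag.com/listing", orderValuePence: 12000 },
  { entryUrl: "https://shop.example/product/5",
    referrer: "https://shopzilla.com.tracker.example/", orderValuePence: 5000 },
  { entryUrl: "https://shop.example/product/7?aff=sz",
    referrer: null, orderValuePence: 15000 },
];

console.log(JSON.stringify(roiReport(SAMPLE_SESSIONS, SAMPLE_COSTS), null, 2));
```

Only the per-portal totals in the report would need to be shared with a portal to settle a campaign; no order ID, cookie or page content is involved.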

  7. #23
    Senior Member
    Join Date
    Apr 2006
    Posts
    1,244
    Thanks
    3
    Thanked
    43 times in 41 posts
    No problem, keep on being vigilant
    Deo Adjuvante non Timendum

  8. #24
    Senior Member
    Join Date
    Jul 2003
    Location
    N E Scotland
    Posts
    1,177
    Thanks
    0
    Thanked
    6 times in 4 posts
    OK my 10 cents..

    Whilst Paranoid's initial post did raise some worrying points - the MD's (Shelley) reply was perfectly adequate. The info sent from Scan may contain an order number but without access to Scan's system it's not likely to identify anyone or anything.

    Also Paranoid's replies contain deliberate twisting of information ie
    "Most people don't change ISPs on a weekly basis "

    I know as do you paranoid that the original poster was NOT referring to individuals but to the vast number of people who do migrate between ISPs weekly, changing ISPs for the majority is a several week thing def not weekly!

    Ok maybe the NSA want all your info but get a perspective or dump the net is my advice, but as I agree that you are indeed paranoid I doubt you will!

    And I may even have been accused of being paranoid myself in the old days (was once called the computer vendors worst nightmare)

  9. #25
    Senior Member
    Join Date
    Dec 2004
    Location
    Gateshead/Blueyonderland-Sky-Vergin on mad
    Posts
    258
    Thanks
    0
    Thanked
    0 times in 0 posts
    Quote Originally Posted by Steve A
    Hi All,

    This is an email that the MD wanted me to post to reassure the hexus people of our intentions ::




    Hope that will clear things up for you

    From his yacht in the Caribbean no doubt
    I love you Scan
    regards,
    Mr Jealous.

  10. #26
    Scan Computers Steve A's Avatar
    Join Date
    Jul 2004
    Location
    MUFC
    Posts
    2,957
    Thanks
    220
    Thanked
    141 times in 105 posts
    No, I'm posting from the Yacht

    I've borrowed it for the weekend ..


  11. #27
    Retail Sales Manager Chris P's Avatar
    Join Date
    Apr 2006
    Posts
    5,699
    Thanks
    767
    Thanked
    515 times in 411 posts
    I'm next


  12. #28
    Senior Member
    Join Date
    Dec 2004
    Location
    Gateshead/Blueyonderland-Sky-Vergin on mad
    Posts
    258
    Thanks
    0
    Thanked
    0 times in 0 posts
    Can I come when I get released from the clinic?
    I could do with some quality R & R if only to recover from the morphine.
    Mind you I could always sell some to finance a trip if somebody could trace me from this post. Don`t bother burglars, I won`t be keeping much at home when I get out, it`s delivered daily...and not worth the effort cos it`s in a special delivery system and easily traceable.
    Seriously tho` cos that`s something I wouldn`t do, it`s OK to be paranoid in this world of the nanny state and human whatchamacallits but there is a limit as to how much worry anybody can keep up and it`s likely life shortening. I know, my other half, `er indoors, can worry for the rest of the world (penalty of having rich and pushy "VERY CORRECT" parents and being half Scot, half German) except where it comes down to credit card balances.
    Anyway, kudos to Paranoid for bringing it up but it`s getting a bit nit picking now.

  13. #29
    Banhammer in peace PeterB kalniel's Avatar
    Join Date
    Aug 2005
    Posts
    31,039
    Thanks
    1,880
    Thanked
    3,379 times in 2,716 posts
    Just wanted to add my thanks to both paranoid and the scan dudes for engaging in dialogue about this kind of thing.

    For the rest of us, this isn't an A vs B to take sides on or claim ownage or lol at - this is a valid concern and it's being discussed reasonably. If people want to discuss the small details or nit pick then let them, but it's just that, discussion of a technical nature. Not a 'Diouf is a genius/idiot' argument

  14. #30
    Scan Computers Steve A's Avatar
    Join Date
    Jul 2004
    Location
    MUFC
    Posts
    2,957
    Thanks
    220
    Thanked
    141 times in 105 posts


    Although "Diouf" IS an idiot tbh, but yes I agree with the above statement


  15. #31
    Registered+ danmac's Avatar
    Join Date
    Oct 2005
    Location
    Server Room
    Posts
    40
    Thanks
    2
    Thanked
    3 times in 3 posts
    Dan here again ... Trying not to get bogged down in what has turned into a largely hypothetical debate with a healthy dose of FUD, but there are some points which require clarification, particularly from a technical perspective. Also I will refrain from humour since my particular brand of dark poetry doesn't always go down well, as I'm sure my fellow Scanners can testify

    Quote Originally Posted by Paranoid2000
    Since the connection to Bizrate is via https: this cookie would bypass any third-party cookie filters, including firewalls with privacy features enabled.
    This is incorrect, or at least misleading depending on how you look at it. Internet Explorer 6 can block these cookies very easily, as I'm sure most other browsers can. This has been a standard part of IE for quite some time now.

    If you mean you want to block these cookies by inspecting the packets *after* they leave your browser, as I've just illustrated that is not necessary. Even if you wanted to, it is quite easy using a multitude of varying techniques. (IP / DNS blacklist, SSL proxy, etc)

    So this traffic would probably bypass some third-party software, but Windows itself has plenty of capabilities at your disposal which would work, and can be leveraged by third parties. (ie. SpywareBlaster, SpyBot S&D's immunization)
    Quote Originally Posted by Paranoid2000
    From a security perspective also, Shopzilla can extract any data they want from Scan's order confirmation page just by amending their Javascript code. Allowing third party sites to include their own Javascript on Scan's website poses more dangers than just having a web bug (as with NexTag) since such scripts could alter page contents - and the more widespread Shopzilla's ROITracker becomes, the more attractive a target it becomes to crackers or malware pushers looking for a new way of compromising end-users' systems.
    All I can say to this is ...
    Quote Originally Posted by Paranoid2000
    let's stick to hard facts shall we?
    Quote Originally Posted by Paranoid2000
    In addition users should be aware that whenever they visit a site ...
    Most users can't even nail keeping their systems patched, having up-to-date antivirus, not clicking install on every ActiveX popup, etc. I realise in a forum like this, everyone is now starting a sentence with "but I" ... The point I'm making is that the overwhelming majority of people really don't care because they use their computers to accomplish tasks - they're not interested in how it all works. You click "buy", stuff comes to your door. You certainly don't get spammed etc, and we certainly don't do anything underhand like selling your details to third parties which is not uncommon these days. In addition Scan doesn't get ripped off on marketing, so we can offer lower prices, so everyone's a winner.

    Quote Originally Posted by Paranoid2000
    In the case of data aggregators like Bizrate, this could be useful in determining if an IP address was dynamic/shared or static/single - static/single addresses could then have a real-world address assigned to them with a higher degree of confidence.
    This is assuming a retailer sends your address details. We don't. We don't even suggest which country you are in, although this can be sometimes ascertained by your IP using the GeoIP database. If someone allows Bizrate or whoever to get hold of your personal details, that's something you need to take up with Bizrate and the retailer which sent the information in the first place.

    Anyway to summarise:

    1. There is no hidden agenda here. Scan have your interests (and by extension, the long term interests of the business) at heart. To do otherwise would be commercial suicide.
    2. We implemented this code on advice from our marketing partners for the sole purpose of monitoring ROI.
    3. We do not send any personal information.
    4. The fact we do not send personal information means the Data Protection Act is irrelevant to this discussion.
    5. If you want to block this traffic, there are many ways at your disposal.
    6.
    Quote Originally Posted by Agent
    You can look at anything from a “security perspective” though and assume a worst case scenario.
    I am sure this thread will continue, but I am confident Scan have already gone above and beyond the call of duty explaining this situation in a public forum. In addition to this, we are currently reviewing the situation with regards to sales reporting on a management level, but obviously not from a user privacy perspective, as we have illustrated, we've already got that covered. (and will ensure it remains that way)
    Dan
    IT Manager
    Scan Computers
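
The hostname blacklist mentioned in post #31 acts on the name being requested rather than on the traffic itself, so it applies to https requests as well. The sketch below is an added example, not code from the thread, Scan or Shopzilla: it audits the requests made from an order confirmation page, marks the third-party ones and applies a hostname blocklist. The shop hostname, all paths, the `tracker` subdomain and the query parameter names are constructed sample data, and the one-entry suffix set stands in for the Public Suffix List.

```javascript
// Added example: audit requests made from an order confirmation page.
// All hostnames other than shopzilla.com/bizrate.com, all paths except the
// roi_tracker.js URL quoted in the thread, and all parameter names are constructed.
const TWO_LEVEL_SUFFIXES = new Set(["co.uk"]); // stand-in for the Public Suffix List

// Reduce a hostname to its registrable domain ("www.shop-example.co.uk" -> "shop-example.co.uk").
function siteOf(host) {
  const labels = host.toLowerCase().split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = TWO_LEVEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// A hostname blocklist matches the listed domain and any subdomain of it,
// but not an unrelated name that merely ends with the same characters.
function isBlocked(host, blocklist) {
  const h = host.toLowerCase();
  return blocklist.some((d) => h === d || h.endsWith("." + d));
}

// Classify each request relative to the page that triggered it.
function auditRequests(pageUrl, requestUrls, blocklist) {
  const firstParty = siteOf(new URL(pageUrl).hostname);
  return requestUrls.map((raw) => {
    const u = new URL(raw);
    return {
      host: u.hostname,
      thirdParty: siteOf(u.hostname) !== firstParty,
      https: u.protocol === "https:",
      blocked: isBlocked(u.hostname, blocklist),
      params: [...u.searchParams.keys()], // names of the fields sent along
    };
  });
}

const SAMPLE_PAGE = "https://www.shop-example.co.uk/constructed/order-confirmation";
const SAMPLE_REQUESTS = [
  "https://static.shop-example.co.uk/constructed/site.css",
  "https://www.shopzilla.com/css/roi_tracker.js",
  "https://tracker.bizrate.com/constructed?cust_type=E&order_id=1001&order_value=99.99&units=1",
  "https://notbizrate.com/constructed.gif",
];
const SAMPLE_BLOCKLIST = ["shopzilla.com", "bizrate.com"];

for (const r of auditRequests(SAMPLE_PAGE, SAMPLE_REQUESTS, SAMPLE_BLOCKLIST)) {
  console.log(r.host, r.thirdParty ? "third-party" : "first-party",
    r.blocked ? "BLOCKED" : "allowed", r.params.join(","));
}
```
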

  16. #32
    Banned
    Join Date
    Jul 2004
    Location
    Blackpool
    Posts
    983
    Thanks
    15
    Thanked
    38 times in 20 posts
    Out of interest, Paranoid2000, what preventative measures do you take to ensure that you are not followed home from your local Spar shop (Where other shoppers not only see what you bought, but also see your face and hear your voice!), at which point they might see an opportunity to 'brute force' their way into your front door, steal all your ID, your belongings, and then drive off in your car?

    After all, they know what bread you like; What's to say they don't want to dedicate weeks of their time to spying on you so that they can get a look at your living room?
