Privacy concern - Scan orders being reported to 3rd parties.

[Paranoid2000]

I've noticed a recent (and unwelcome) change in Scan's ordering process. When an order is confirmed, details of that order are sent to 2 other sites, shopzilla.com and nextag.com. In both cases, the information is sent via https which means that external filters will not detect or block this activity (see the Wilders forum thread The dangers of HTTPS for more information about this).

The following HTML in Scan's webpage causes the connection to shopzilla:

<script language="javascript" src="https://www.shopzilla.com/css/roi_tracker.js"></script>

The Javascript at https://www.shopzilla.com/css/roi_tracker.js appears to be a screen-scraper that presumably obtains the details of the order just placed.

The following HTML in Scan's webpage causes the connection to nextag:

<script type="text/javascript">
<!--
var id = '2191258';
var rev = '63.02';
var order = '<customer order number - removed>';
//-->
</script>

<script type="text/javascript" src="https://imgsrv.nextag.com/imagefiles/includes/roitrack.js"></script>

https://imgsrv.nextag.com/imagefiles...es/roitrack.js creates a new URL which appears to include seller ID, order ID and item codes and quantity.

I would like to ask Scan exactly why this data is collected and passed onto third parties, using a method which would not even have the knowledge, let alone consent, of most customers. In particular, cookies could be set by these sites despite any third-party filters (only browser settings and Firefox extensions could block them) though this does not appear to happen here.

However since this data transfer involves companies outside the EU, it is not covered in Scan Computer's Data Protection Registry entry (purpose 3 specifies no transfers outside the European Economic Area) raising a question about compliance with the Data Protection Act 1998.

[machinist]

Wow, your userID is pretty apt

/me awaits Scan's response

[herulach]

that is indeed worrying, especialy seeing as a quick google on the script names gets this site:
http://www.roitracker.co.uk/index.htm
On further reading it looks to monitor sales brought in by advertsiing companies, rather than the other way around, i assume the advertisers (nextag is a comparison site) get a cut of any inbound sales from their site

[TeleFragX]

Hmm Scan... True, I would like to know also.

[wesleyaldred]

Paranoid2000,

Thank you for posting your concerns.

I can assure you that the tracking code implemented on the page https://secure.scan.co.uk/Shop/ShowInvoice.ASP is in place purely to monitor ROI (Return On Investment) and certainly has no hidden agenda. We do not send any of your personal information.

As with most other Internet retailers, we use various methods to promote ourselves. Part of our strategy includes price comparison sites such as NexTag and ShopZilla.

You can find the London office details for NexTag here:
http://www.nextag.co.uk/serv/uk/about/contact_us.jsp

The registered office in London for ShopZilla can be located using the following site:
http://www.companieshouse.gov.uk/
The Company No. is 05220340

If you have any more concerns, or if you need me to elaborate on anything, I would be more than happy to put your mind at ease, via dan@scan.co.uk if you prefer.

Many thanks,

Dan (borrowing Wesley's Hexus account)
IT Manager
Scan Computers

[Paranoid2000]

Dan,

Thanks for taking the time to post a response here - I would however like to address some specific issues.

I can assure you that the tracking code implemented ... certainly has no hidden agenda.We do not send any of your personal information.

While I have no reason to doubt this, the information sent does include order details and the order number which is unique to an individual. Would you not consider this personal? If there is no hidden agenda, why is this data sent encrypted?

As with most other Internet retailers, we use various methods to promote ourselves. Part of our strategy includes price comparison sites such as NexTag and ShopZilla.

Fair enough, but why does this require the transmission of order details? For a price comparison site, surely the data flow should be the other way, with Scan receiving details on competing offers? The only point I can see in sending them this data would be to allow them to combine it with information from other sites for profiling, data mining, etc. Indeed NexTag's Privacy Policy includes the following paragraph:

INFORMATION ACQUIRED AUTOMATICALLY

We collect certain information on the Websites through the user's experience and activities, cookies, log files, clear gifs, and/or third parties to create a profile of our users. A profile is stored information that we keep on individual users that detail their viewing preferences, activities and interactions with NexTag. Consequently, collected information is tied to the user's personally identifiable information to provide offers and improve the content of the site for the user. This profile is used to tailor a user's visit to the Websites, and, subject to the Communications Policy stated below, to direct pertinent marketing promotions and communications to them.

I personally would object strongly to this level of monitoring to the point of blocking any communications with NexTag. However as I mentioned above, Scan using https to send such data will result in it bypassing almost all third party filters - whether intentional or not, this does result in co-opting customers into a data collection scheme without their knowledge.

Of course, Scan has a valid interest in maintaining its own customer profiles and statistics, but this should not require (or justify) submitting such information to a third party without customer consent.

You can find the London office details for NexTag here:
http://www.nextag.co.uk/serv/uk/about/contact_us.jsp

The registered office in London for ShopZilla can be located using the following site:
http://www.companieshouse.gov.uk/

The data itself is still being sent outside the European Union for processing so this leaves the question of Scan's DP registry entry unanswered.

If you have any more concerns, or if you need me to elaborate on anything, I would be more than happy to put your mind at ease, via dan@scan.co.uk if you prefer.

If you wish to continue this discussion privately, I would be prepared to oblige. However given that this does potentially concern all Scan customers, I do hope that you see fit to continue to address this publicly.

[TeleFragX]

Ok as long as I dont get a phone call form someone named bob from a company trig to sell me volcano insurence all is cool

[BigBry]

I'm interested to know if there's any update on this discussion?

[nvening]

lol, volcano insurance, you never know when your local may erupt!

[FatalSaviour]

My volcano insurance doesn't run out till 2012, so I've no need to worry
Update anyone?

[ExceededGoku]

I'm not worried, Scan can do whatever they like with my data (don't hold me to this )

[Steve A]

Hi All,

This is an email that the MD wanted me to post to re-asure the hexus people of our intentions ::

All valued Hexus customers…

Its been a while since I have posted on here, I do keep an eye on how we are servicing our customers each day and our trust rating speaks for itself.

In short, we can’t please everyone and we have made the occasional booboo…but one thing for sure is that each and every employee in Scan has a commitment to Hexus members.

We are still offering the free carriage and we try very hard to give the best possible service and resolve any issues in the quickest time possible. I really do believe that we bend over backwards.

There are not many companies that give such a valued approach to a given user base.


I am personally aware of any problems with Hexus users as I value our relationship. The latest thread on “privacy concerns” that has been posted deserves my explanation as to why we do this.


There are a number of facts here which I must explain…


We submit our product information and prices (know as feeds)to various price portals such as Dealtime, Kellkoo, Froogle etc.


These feeds our outbound and in most instances cost us money for the submission, on the hope that anyone who browses the feeds may buy from Scan.


As you all are probably aware, when a user clicks on a feed to www.scan.co.uk from a price portal we get billed a “cost per click”.


Almost each and every Etailer in Eurpoe does this.


It is important to distinguish between outbound price feeds and what information we disclose to the price engines about our sales orders.


The feeds are outbound links detailing what we would like displayed on the price portals. These are done PRIOR TO ANY SALE BEING MADE.


If and when a customers purchases a product of a price portal, then we automatically get billed for that transaction.


In order to calculate if the feed is profitable or not, we need to look at the value of the order placed by a customer and then compare it our cost of running a campaign.


This calculation is called “ROI, Return on Investment”. In short, it tells us whether we are “getting shafted” by the price portals.


In order to calculate an ROI, we need to disclose relevant orders to the price portals so they can verify if the sale originated from them…they do this by matching up the cookies from the referral to the sale.

As we do not read 3rd parties cookies we need to disclose the orders so they can pick up their relevant orders to calculate an ROI.


ONE THING FOR SURE IS THAT WE DO NOT DISCLOSE ANY PERSOAL INFORMATION RELATING TO OUR CUSTOMERS.


BY THIS I MEAN

NAME AND ADDRESS

CARD DETAILS

EMAIL ADRESSES OR TELEPHONE

NUMBER OF ORDERS PLACED.



ALL WE DISCLOSE IS THE ORDER ID, THE PRODUCTS AND THE VALUE. AS THESE AR NEEDED TO CALCULATE OUR ROI.


THE ORDER ID DOES NOT RESOLVE TO ANY OTHER PERSONAL INFORMATION THAT THE PRICE PORTALS CAN READ AND POSSIBLY USE FOR DIRECT MARKETING.


THE ONLY INFORMATION THAT THE PRICE PORTALS CAN HAVE IS WHAT PRODUCTS SCAN SELLS AND THE VALUE OF THEIR SALES.


IF ANYONE SHOULD BE WORRED, IT SHOULD BE SCAN!!!


The thread is incorrect as WE DO NOT PASS OVER ANY PERSONAL INFORMATION THAT RELATES AN ORDER TO AN INDIVIDUAL.


I will ask my development team for a fuller reply to the more technical aspects in “Paranoid 2000’s” thread.


My final message to all members is, that I value all the business that comes from Hexus, and that we do bend over backwards to ensure that we give the best service possible. I will make sure that all members of Scan keep our service offering ongoing to ensure we keep members of Hexus happy J


Be assured that we don’t disclose any personal info to any 3rd parties.


Finally, my opinion on the thread is that it is a reflection of the user name…”paranoid 2000 “…





WE COME IN PEACE….

Hope that will clear things up for you

[ExceededGoku]

ye take that paranoid! Scan I still love you <3

[dave87]

Nice to see management still have a sense of humour

[blueball]

Not many companies where the MD would bother to take the time to provide a reasoned reply.

Nice one Scan

[vicar]

I think we all owe paranoid 2000 many thanks for bringing this issue to the surface, confidiently and privacy shuld be any body;s concern, in this age of ID cloning and misuse of info.

Scan's md should be applauded for his clarification of the points raised by paranoid 2000.

I am glad people like paranoid2000 are vigilant, and the boss takes an intrest in his company, staff and customers.

Many Thanks