Shopper Trust and the Zappos Ordeal

Monday, January 23, 2012

Bill Mathews

D03c28fd5a80c394905c980ee1ecdc88

During my early morning Twitter-lurking I ran across this gem, which basically says that a good chunk of folks surveyed just give up their personal information to their “favorite” merchants.

Now usually I always doubt the veracity of such surveys but for the sake of this post let’s assume this is true. If folks are more than willing to hand over their information to merchants I think on some level they have to trust the merchants, or should at least.

The bigger question is, what have merchants done to earn that trust? The short answer is, not much.

I am actually one of those knuckle headed “consumers” who doesn’t mind sharing my email, address, phone number, etc with merchants whom I buy from regularly, in fact, I might sell my soul to Johnston & Murphy.

The point is, in the back of my head, I’m imparting some sort of trust to these guys with my data. What shoes did I buy? Where did I buy them? How much did I spend? Am I more likely to buy in the Spring or Winter?

These are trivial details to any one person but take on a mass scale they can help a marketer figure out where to bump up advertising and where to scale back. They can tell them how to build a display or what shoes to discontinue.

The data is very valuable to a marketer and also to fraudsters and scammers. This is the rub as they say. You give your information and trust to these vendors and what do they do with it?

For the most part, I’m certain the data lives in some database, usually in the “cloud” but sometimes it lives on the vendor’s own network. There are quite a few so-called data mining tools out there that will allow them to carve out the data in the ways I’ve described and probably in ways I cannot begin to imagine.

Then there are also folks out there who will chop up your data and sell it to other vendors to market to you. For instance, a grocery store might roll up all of your fruit purchases along with their other shoppers from your zip code and send it to a fruit vendor to do other “cooperative” types of marketing.

Often it is that benign and then sometimes they’ll just sell it outright to make some more revenue off the data they’ve collected. Usually this is reserved for more nefarious merchants and sometimes it is done out of ignorance of their own policies. But make no mistake – it DOES happen.

Want to test it? Sign up for an email address you’ll never use anywhere else, register it with one, just one online vendor or some local chain. Watch how much your spam increases for that address you never use. This is a violation of that implied trust.

I was thinking quite a bit about this after reading that article and wondering if maybe I’m just being ultra paranoid. Am I overreacting by removing myself from all these programs?

From an identity theft perspective I’m probably not being paranoid enough but I should definitely not trust these places with my credit card numbers. I like one-click buying as much as the next person but typing in my credit card number is a small inconvenience to trade so that my number isn’t stored in every online store I’ve ever been to.

This was all before 6:00 am so quite a bit to think about before the sun came up. I was just contemplating all the “legitimate” things marketers do with your data then this showed up on Twitter: http://www.zappos.com/passwordchange (okay not this EXACT one but this news).

Nearly 24 million accounts hacked? Lots of media hype, etc. Bottom line – a whole lot of personal information just got leaked. Zappos claims no credit card information was stolen but enough data was probably leaked that the thieves will make some money from identities, etc.

The larger points are that you should not only be careful about who you share information with but what you allow them to store. I don’t personally use Zappos (even though I’m a shoe freak) but I probably would’ve let them have my email, etc. to send me deals.

I would’ve imparted that trust to them. It depends on how they handle this situation as to if they’ll get that sort of implied trust from me (their parent company Amazon certainly has that trust from me)…but this isn’t about me, it’s about you.

When you get a letter like this, how do you respond to the vendor? Do you just change your password, keep on shopping and move on? Or do you hold their feet to the fire and ask more questions? I’d love to hear how you handle it (blog@hurricanelabs.com).

Cross-posted from Hurricane Labs

Possibly Related Articles:
13219
Breaches
Information Security
breaches Identity Theft fraud Privacy Trust Personally Identifiable Information Data Consumers Merchants vendors Zappos.com Bill Mathews
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.