Download - Privacy and E-Commerce
![Page 1: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/1.jpg)
1
Privacy and e-Commerce
Aleksandr Yampolskiy, Ph.D.Director of Security and Compliance
Gilt Groupe
![Page 2: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/2.jpg)
2
Agenda
Overview• Privacy is Dead. Get Over It.• So What Exactly Is Privacy?• Privacy and e-Commerce• Solutions to Your Problems
![Page 3: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/3.jpg)
3
Who Am I?
• Currently, head of security and compliance at Gilt Groupe, Gilt JP, Gilt City, Jetsetter companies.
• Prior to that lead technologist in Goldman Sachs, Oracle, Microsoft in various security roles.
• Ph.D. in Cryptography. • My interests : new types of malware, privacy,
elliptic cryptography, distributed systems, cloud computing, security governance, forensics.
• Follow on Twitter: @ayampolskiy • Email: [email protected]• Site: http://www.alexyampolskiy.com
![Page 4: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/4.jpg)
4
Gilt Groupe
![Page 5: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/5.jpg)
5
Gilt Groupe
• Gilt Groupe is an innovative e-commerce company offering highly coveted products and experiences at insider prices. Each day, Gilt offers its members a new, curated selection of merchandise, including apparel, accessories and lifestyle products for women, men and children, home entertaining and decor, along with luxury travel packages from JETSETTER and fantastic offers on local services and experiences from Gilt CITY. Most sales start at noon ET and last only 36 hours, making Gilt.com an addictive destination for aspirational shoppers from coast to coast.
• Millions of registered users, who trust us to keep their personal data secure and private.
• Leakage of info about even one customer could be catastrophic: “Christina bought jeans size 24 last month and now she is 25.”
![Page 6: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/6.jpg)
6
Agenda
• Overview. Privacy is Dead. Get Over It.• So What Exactly Is Privacy?• Privacy and e-Commerce• Solutions to Your Problems
![Page 7: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/7.jpg)
7
Privacy on the Internet
“Privacy is Dead, Get Over It!” Scott McNealy, Sun Microsystems
![Page 8: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/8.jpg)
8
Inconvenient Truth
• Within 1 minute, I can find out your address, your marriage status, SSN, gender, driver’s license, record of prior convictions.
• In 5 minutes, I can check any prior divorces, employment records, lawsuits, and personal photos.
• In half an hour, I’ll know your race, sexual orientation, political preference. I’ll know the books you read, things you like, and the friends you have.
• All that without leaving my desk.
![Page 9: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/9.jpg)
9
Inconvenient Truth (cont.)
• All this information is available for download, cross-referenced, and conveniently packaged with a bow on top.
• You just need to know where to look.
• Most of the time we have disclosed this information ourselves.
![Page 10: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/10.jpg)
10
“It’s always a good idea not to give out too much personal information.”
![Page 11: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/11.jpg)
11
Agenda
• Overview.• Privacy is Dead. Get Over it. So What Exactly Is Privacy?• Privacy and e-Commerce• Solutions to Your Problems
![Page 12: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/12.jpg)
12
What Privacy is Not
Security Privacy
![Page 13: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/13.jpg)
13
Security
• Confidentiality• Integrity• Authentication• Non-repudiation
continual cat-and-mouse game
![Page 14: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/14.jpg)
14
Privacy
• Data Protection• Fair Information Practice
Principles
largely understood, social construction
![Page 15: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/15.jpg)
15
What is Privacy?
• Where is my data?• How is it being used?• Who actually sees it?
pri·va·cy noun \ˈprī-və-sē, especially British ˈpri-\freedom from unauthorized intrusion <one's right to privacy>
![Page 16: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/16.jpg)
16
Why do we disclosepersonal information?
• Because we want to
- Security (ID cards)- Convenience (Shop high-end fashion on Gilt in your pajamas)- Other benefits (Talk to friends on Facebook)
• Because we have to
- Legal requirements (Driver’s license)- Commercial requirements (Mortage)
• Because we don't care!
![Page 17: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/17.jpg)
17
Agenda
• Overview.• Privacy is Dead. Get Over it.• So What Exactly Is Privacy? Privacy and e-Commerce• Solutions to Your Problems
![Page 18: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/18.jpg)
18
• Public opinion poll in June 2004 surveyed 2,136 adults online and found that 65% had declined to register at an e-commerce site due to privacy concerns
Privacy in E-commerce Today
![Page 19: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/19.jpg)
19
Privacy in E-commerce Today
• More and more data is available online.
• E-commerce companies deal with a multitude of 3rd parties (marketing, logistics, etc.)
• Perimeter of the network no longer clearly defined.
• Companies can be acquired and privacy policies may change.
• Global companies need to deal with different regulations (eg Germany law re dedicated privacy person)
![Page 20: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/20.jpg)
20
Data Provenance
1. Order placed by user
2. CC is charged
3. Transactional email is sent to customer
4. Warehouse fulfillment
5. Shipping carrier picks up package
6. Order sent to customer
3rd
party
company
![Page 21: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/21.jpg)
21
Agenda
• Overview.• Privacy is Dead. Get Over it.• So What Exactly Is Privacy?• Privacy and e-Commerce Solutions to Your Problems
![Page 22: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/22.jpg)
22
Privacy Policy
• Have a clear policy about what data is collected and how it’s used.• Privacy policy is linked off registration page.
![Page 23: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/23.jpg)
23
Simplify Your Registration
• Only ask for data if it’s needed.
![Page 24: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/24.jpg)
24
New Registration Page
• Easier registration process. Less data needed.
![Page 25: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/25.jpg)
25
Legal Agreements
• Put a process in place so that if PII is shared with a 3rd party, Security team reviews its security and privacy standards.
• Security needs to give a final sign-off !
• Contractually obligate all companies acting on your behalf to keep all info confidential and to use the customer info only to provide the services we ask them.
• Incorporate security addendum into legal contracts re data protection, provenance, etc.
• Data needs to be erased after contract’s expiry.
![Page 26: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/26.jpg)
26
Access Controls
• Implement production access controls to ensure only authorized people can view info (e.g. Customer Support).
• Least privilege principle and auditing of access for all systems housing PII.
• Use a persistent ID (guid) to refer to customers instead of email, SSN, etc.
![Page 27: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/27.jpg)
27
Security Strategy
• Make “maintaining privacy” one of your company’s strategic goals.
1. Secure critical data and ensure its privacy (credit cards, customer addresses, etc.)
2. Raise company-wide security awareness.
3. Institute secure coding practices for Engineering.
4. Secure our infrastructure.5. Meet the compliance
requirements (PCI, SOX).
![Page 28: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/28.jpg)
28
Conclusion
• Have a clear privacy policy linked off your registration page.• Know all the places your data travels to.• Add security addendums to your legal agreements.• Implement access control and auditing for all systems housing customer data. • Make protecting privacy part of your strategy.
![Page 29: Privacy and E-Commerce](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6b7874a7959e55e8b4584/html5/thumbnails/29.jpg)
29
Questions, Comments, Suggestions?