33 Privacy Questions

Tom Nardone Answers 33 Questions About Privacy

33 Personal Privacy Questions and Answers

Questions and answers by Tom Nardone, President of PriveCo - Specialists in Online Privacy.

Since 1998 Mr. Nardone and PriveCo have held customer privacy in the highest regard. His company's privacy policies are the most complete in the industry. PriveCo has served over 350,000 customers. Mr. Nardone and his small team hold their personal data as securely as possible.

We have prepared these questions and answers as a tool for people to use when making decisions about their personal information. We hope it will help you solve issues related to increased unsolicited e-mail or bulk mail. We hope you find it informative.

1. Who are the worst privacy offenders?
Spammers (people who send unsolicited e-mail) and now marketers are driven by the same reasons. Greed is highest. It is unlikely they will stop as many organizations have been built around doing business in this manner. It is unlikely that executives at a company that is using e-mail marketing will suddenly decide to stop, lay off a percentage of their employees, and take the pay cut necessary to stay in business without these inexpensively acquired customers.

Some major offenders are:

Credit card companies
Banks
Schools
Publishing companies
Mail order companies
Direct Marketing companies
Phone companies
Many online retailers

2. Who are the best companies at maintaining personal information?
The best businesses are businesses that do not collect the information in the first place. Small businesses are good at not collecting information. A good second choice is a business that is designed specifically to keep your information private. Our business falls into this second category. Some businesses' privacy practices are regulated by the government. Hospitals and doctors are currently monitored so they do a great job.

Cash businesses
Hospitals
Doctors
Many very small businesses
Our Business and others like us.

3. Which businesses are most surprising in their lack of privacy?
It seems to me that businesses that hold the most important information about us should also hold it the most privately. This is often not the case. The banks that we deal with report our financial information to each other and to interested parties in the form of our credit report. Other businesses that are shocking are publishers. Magazine subscription lists are very popular with direct marketers. Some publishers make a substantial amount of money on selling our personal information to mail order companies. This explains why a yearly subscription to a magazine can be so inexpensive. We are essentially selling our personal information when we sign up.

4. Who has the most effect on our personal privacy?
There is no doubt that your personal information can best be defended by yourself. Caution when distributing your information is the best way to prevent future trouble. It is true that you can try to keep companies from sharing your information after they have it, but it is far easier to not give the information away in the first place.

5. What is the worst thing that can happen?
While identity theft is a possibility, it is usually conducted by individuals in your area, not by companies you do business with. Violations of your personal information are more likely to include excessive e-mail, excessive physical mail, and wasted time organizing and deleting this junk on a daily basis. In our case, the e-mail addresses for customer service on our websites get over 1,000 unsolicited and wasteful e-mails each day. Finding the 20-30 legitimate e-mails every day is a major chore.

While we may be unusual in our problem, we are probably just an indicator of what will happen to others in the not-distant future. If everyone in the US had to filter through 1,000 e-mails each day, e-mail would no longer be a useful form of communication. The loss in productivity would be significant.

6. Who collects all of this personal information?
It used to be that companies kept a list or file of their customers for their own use. In fact, while the catalog business began in the 1870's, the business of brokering mailing lists didn't begin until the 1960's. Acxiom, the largest publicly traded list broker, began in 1969 and took in $700M last year. The CEO of Acxiom earned $4,587,000 last year in salary and stock options. These days, the typical cost for a customer list is 3.6 cents per name. Two things are striking about this. The first is that companies will sell us out for much less than 3.6 pennies, the second is that Acxiom had to sell over 120,000,000 mailing addresses just to pay their CEO. That represents half of the households in the United States.

7. Who is immune to these violations of trust?
Unless you live in a cabin that you built yourself, pay all of your bills with money orders, make all of your purchases with cash, and read your magazines at the city library your information is being bought and sold. So really, no one is immune. We all just suffer in varying degrees. Minimizing the effects should be your goal.

8. Who is doing this to us?
Sometimes marketers convince themselves that they provide a great service by telling us about products that we may like. But rarely do customers ever think this is true. My belief is that a small amount of greed combined with a mob mentality drives this. Some folks know that using your personal information will make them money and others follow suit because everyone else is doing it. My company and our customers know that it is wrong.

9. What can be done to prevent this?
Regulation seems unlikely to solve some of the problems (especially spam) but it could make a significant impact. Regulation recently made a large difference in homes that have become listed on the do not call registry here in the US. Regulation would likely reduce the amount of e-mail we get from US companies, but would that even be 10% of the unsolicited e-mail we currently receive?

Careful sharing is important. It keeps your information in the hands of people that won't share or use it. Sometimes this is not possible. One example is my company's e-mail addresses. We have to share our information so that our customers can reach us. Unfortunately, by posting our e-mail address on our websites we receive buckets of unsolicited e-mail.

Spam filters can be effective, but rarely do they catch everything and often they remove valuable e-mails from your inbox. Either way, it is difficult and time consuming to administer these methods.

10. What changes could be made?
Since profitability drives much of the direct marketing, I would like to suggest that we increase the cost of direct marketing. Here are my suggestions.

Bulk Mail - The postal service prices bulk mail based upon their cost to deliver it. Why not include the cost of disposing of the mail and possibly even the cost of each person's time to look at it. At this true cost, bulk mail would be less profitable and less of it would be sent.

E-mail - Spam has become so prevalent because it is free to send. If each e-mail sent required a micropayment then spam would quickly stop. Regular folks don't send enough e-mail to spend much, but spammers send millions of e-mail a day. A micropayment of 1/10 of a cent would be enough to put most spammers out of business.

Unsolicited Phone Calls - The national do not call registry has all but ceased calls to my home phone. If you haven't signed up yet do so here: http://www.donotcall.gov

Unsolicited Faxes - The worst of the bunch, in my opinion, unsolicited faxes require us to pay to receive them. Many local areas have outlawed unsolicited faxes but they still used to arrive regularly in our office. We signed our fax line up to the do not call registry and it has been unsolicited-fax free since.

11. What can we do?
If you want to, you could call your congressman and tell them to do something about spam and that you think a micropayment method would be a good idea. If you don't want to do that, don't worry. But if you hear anyone say that the government wants to tax e-mail, explain that you think it is a good idea. Although opponents and some business interest groups will try to make the proposal sound unattractive by calling it a tax on e-mail, the amount of the tax will be incredibly small and will harm the people sending you unsolicited e-mail far more than it will harm you. Being a supporter is easy, you don't have to be a fanatic about it, but an e-mail micropayment method might be a great idea.

12. What should we not do?
You should not expect that the current system of checks and balances on marketers and corporate communications is adequate. Sure, there are some businesses like mine that are strict with your personal information, but there are very few of us. Most businesses are joining the mob that is sending you messages constantly. The noise is only increasing and nothing in place today is going to stop it from doing so.

13. What happens when you order from PriveCo?
When we receive your order we use your address to ship the package. We also use your e-mail to send you a shipping confirmation if you requested one. After that we are done using your information so we just protect it. We keep it on hand to allow us to process returns and repeat orders only. It is pretty simple really.

14. Where is the information stored?
The information is stored securely on our web-based credit card processing server for 30 days. After 30 days it is deleted. While it is stored on this server, it is accessible only by three different individuals. After 30 days it is stored locally at our company where the same three individuals have access to it. Each individual has unique access to the information with two levels of password protection. The local system is firewall protected and powered-up only during business hours. The web-based system is protected by 128-bit encryption, two levels of password protection, and can only be accessed by certain Internet locations. The system is very well protected.

15. Is the encryption on Internet sites effective?
Internet encryption is an interesting topic. The technology has been sophisticated enough that it is uncrackable but people are still unsure about trusting Internet companies with their information. To describe how powerful the technology is, I will quote an article in the Washington Post which does a great job of describing what 128 bit encryption is:

Modern encryption is achieved with algorithms that use a "key" to encrypt and decrypt messages by turning text or other data into digital gibberish and then by restoring it to its original form.

The longer the "key," the more computing required to crack the code. To decipher an encrypted message by brute force, one would need to try every possible key.
Computer keys are made of "bits" of information, binary units of information that can have the value of zero or one. So an eight-bit key has 256 (2 to the eighth power) possible values. A 56-bit key creates 72 quadrillion possible combinations. If the key is 128 bits long, or the equivalent of a 16-character message on a personal computer, a brute-force attack would be 4.7 sextillion (4,700,000,000,000,000,000,000) times more difficult than cracking a 56-bit key. Given the current power of computers, a 56-bit key is considered crackable; a 128-bit key isn't. I suppose that when computers are 4.7 sextillion times as fast as they are today, the technology will be crackable. That should take a long, long time.

16. Where do we work? From where do we ship orders?
We process and ship all of the orders from our office/warehouse. Your personal information is not sent to another company or location. Your order is packed and shipped by our company at our location in Hazel Park, Michigan. No person outside of our small team will see the contents of your package.

17. Where do our customers live?
We have shipped items to customers in all 50 states and 74 different countries. People all over the world value their privacy.

18. How do spammers get our e-mail address?
A study done by Consumer Reports showed that spammers get e-mail addresses through a number of methods.

1. Through finding your e-mail address listed on the Internet. Posting to newsgroups, posting the e-mail address on a website, or by creating your own homepage.

2. Spammers get your e-mail address when you respond to other spam. Even when you respond to the "remove" link in some spam! It is important to remember that spammers aren't honest, so don't expect to be removed.

3. Spammers get your e-mail address if you or a friend is infected with an e-mail bug.

4. Spammers create your name on their own. Since they pay nothing to send e-mail they can afford to generate random e-mail addresses and to try sending mail to them. If your e-mail address is John@hotmail.com you should probably expect to get a lot of spam.

19. Where do junk mailers get my address?
Junk mail is usually simpler and more targeted. Since sending bulk mail costs money they are more careful in their approach. They approach each mailing as scientifically as possible. An example might be a company that sells golf equipment. It would make sense for them to send a catalog to people who subscribe to golf magazines. If their golf equipment is expensive, they may only send the catalog to people who both subscribe to golf magazines and live in an expensive area.

Companies in your neighborhood that sell pizza or groceries may deliver a mailing to everyone in the area. These companies usually call us by the endearing name "resident".

The next time you sign up to buy something use a slightly strange spelling for your name and then see how much mail Johxn Smith starts to receive. It may surprise you how quickly and how much mail Johxn starts to receive.

20. Where do we sign up to be removed from lists?
E-mail - There is currently no such place to sign up.
Mail - There is currently no such place.
Phone - In the US the do not call registry is working well. http://www.donotcall.gov

21. Where can I report obscene e-mails?
There is no place that will do anything about this. Most obscene e-mail comes from overseas where it is not governed by US Law. Replying to it is a bad idea because the reply-to address is rarely the person who sent it.

22. Where can I report an obscene website?
For websites that are owned and operated in the US, you can try to report them to the attorney general. It is unlikely to work, but you can try. To look up who owns and operates the site go here: http://www.networksolutions.com/en_US/whois/index.jhtml . Your best bet would be to look up the office of the federal government in their state and try to file a report.

23. When will this be fixed?
Until the entire earth has one government, it is unlikely this will be fixed. Otherwise, there will always be some strange country that won't mind hosting the servers for unsolicited e-mail.

24. When will the Internet be cleaned up?
Based upon the fact that the pornography industry is responsible for much of the development on the Internet and is still fairly popular, it is unlikely that the Internet will ever be cleaned up.

25. When will my information be safe?
It is very likely that much of your information is already safe. Although some spammers know your e-mail address and possibly even your name, it is unlikely that they know much else. Legitimate businesses may know your name, address, and phone number. There is little financial risk with legitimate businesses though. Even if they are a little loose with this information they have too much to risk to actually steal from you. So, in general your theft risk is low but your risk of being bothered constantly is high. Of course, if you only shopped with my company, your risk on both issues is lower than with other companies.

26. When will we violate our privacy policy?
We will never violate our privacy policy. Our company was founded and grew using a very strict privacy policy. When we began Money Magazine doubted that we would be able to succeed because we would be unable to make money from repeat sales. Money Magazine was wrong of course. Our business has grown steadily over the last 5 1/2 years and customers order from us time and time again. We don't have to remind people to shop in private because they have a great experience the first time.

27. When has 128 bit encryption ever been hacked?
As of this writing there are no reports of 128 bit encryption ever being hacked.

28. Have we ever had complaints about violating our privacy policy?
In five and 1 1/2 years and after 150,000 orders we have received 3 complaints. I can't say for sure that these people were incorrect in assuming that we sent them unsolicited e-mail or were responsible for the increase in e-mail they were receiving but we think that the percentage of people who have complained may indicate that they have been mistaken in their accusation.

29. When will other businesses change their privacy policies and stop e-mailing their existing customer base?
In early 1999 drugstore.com launched with a strict privacy policy. It was almost as comprehensive as our own. Later, they changed the policy and began e-mailing their customers with "reminders" of when their items may need to be replaced. Their sales have grown and now a large percentage of their business comes as a result of these e-mail "reminders". It is unlikely that they will be willing to stop now.
Many businesses seem to be caught up in this situation. They started e-mail marketing and now they can't stop. Their profitability, their personal performance, their stock options, their employment, and their paychecks all depend upon e-mail marketing. They can't possibly stop.
Our business has never used e-mail marketing. We don't need it. We aren't addicted to it and we never will be.

30. How does a large business get away with sending all that unsolicited e-mail?
One day someone at Drugstore.com decided that they should change their privacy policy and they did. They didn't make a big stink about it. They just changed it. Since that time the company has been able to send e-mail to any new customers. Customers that ordered before the change are protected, but if they ordered again they are not.
Other companies work the same way. Their privacy policy states that they can share your information with "partners" or that they will use your name and address to alert you about special offers. This is marketing speak for "bothering you".

31. It doesn't seem fair. Will the government ever stop big companies from e-mail marketing?
Even the do not call registry allows companies that you have previously conducted business with to phone you. E-mailing you incessantly is not against the law and some companies are happy to do it.

32. How can I prevent this?
Read the privacy policy. If the privacy policy isn't up to standard, don't shop. Always uncheck the box that says "alert me about special offers". Our sites don't even have one, but most do. Failing to uncheck the box is an invitation to a weekly e-mail that you will begin to loathe.

33. What does the future hold in terms of my privacy and ?
The future doesn't look good. Unless you are prepared to change your e-mail frequently, you should expect to get more and more unsolicited e-mail. The problem will only get worse.
Regulation in the near future doesn't look likely. But it could be effective against spam. Hopefully special interest groups won't make it ineffective.
Internet credit card transactions will continue to be safe but the ability of people to steal credit card numbers from other people when they handle their card in person will continue. Within 2-3 years we may have a digital signature that will prevent even that. At present, the beneficiaries of decreased credit card fraud are the merchants. It is a little known fact that merchants are the primary sufferers of credit card fraud. Individuals are only responsible for $50 in credit card fraud at present, and the credit card processing companies are not responsible for any amount; they only have to facilitate the refund process.