
Personal Information in the Web 2.0 Era. How Do You Trust?

January 25th, 2007 (8:04am) Judi Sohn 17 Comments

I do all my banking online. I watch my transactions carefully and I’m confident that if any of my accounts were compromised, I’d know soon enough to stop any damage. False sense of security? Maybe. My Aunt refuses to make a single online purchase, much less do her banking online. Is she being overly paranoid?

Aside from banking sites and places we enter credit card information, we put a great deal of trust into the sites we visit, giving them a lot of personal information. We are learning how to protect our children online, but how reckless are we being ourselves?

All too often, web applications ask for a lot of trust from visitors but don’t give it in return. Recently I visited a new site that promised to “budget, plan, forecast, organize and analyze your personal finances to achieve your goals.” It sounded like the perfect site to profile for a post here at WWD. After sign-up, you were expected to enter all of your personal financial information, short of the account numbers or PINs. No “About Us” or “FAQ” page. No forum or blog to reveal the thinking behind the site. The payment for the “enhanced” service was handled through PayPal, and even the domain was registered through Domains by Proxy (to hide the real contact information of the owner). I don’t think so.

Many sites use the “About” or “FAQ” page to talk about their hopes and dreams. That’s nice. But now tell us why we should trust you. If you’re not Google or Yahoo or another publicly traded company (or even if you are), give us a glimpse of the people behind the technology, and give us an idea of the steps you are taking to safeguard the data we are sharing with you. Nowadays, an https:// link isn’t enough to put anyone’s mind at ease. Going on instinct, I look for things like Truste or BBBOnline verification. I search for independent information about the company or site. Nothing is 100%, of course. The more a site asks from me, the more steps I expect the site to take to not only protect my data, but to be transparent about the methods they are using to do so.

Even if all the right pieces are in place, would you use a service like StolenID Search, a web application that searches stolen social security numbers to see if your number is compromised? The catch is that you have to enter that number into the site. For many people, myself included, social security numbers are very closely protected and we will not enter those digits into a website easily. With good reason.

When it comes to trust, what do you look for in a web application before you hit that “sign up” button? Is there information that you won’t put online no matter what?

17 Comments

Andrew says: January 25th, 2007 11:19am

I think that the piece above raises a good point – simply having “https://” is simply not enough to put my mind at ease about disclosing my personal information to a website. In terms of what I look for in a web application before I sign up for it, a very important factor for me is if there is a brick-and-mortar component to the company. For instance, I feel confident going to my bank’s website to check the balance of my checking account. If there is a problem, I can call the bank to confirm the problem. Another important attribute for an online service to have is press coverage. Not to beat a dead horse in regards to banks, but if an online banking company has had press coverage, then to me, that means that there has been some investigation of that site, and that any difficulties or suspicious aspects or activities would have been reported. It is after that, that I can do my own investigation of the site.

azman says: January 26th, 2007 2:59am

Can we really trust online banking?
I think we should..but it’s difficult really…

http://www.diyanazman.com

Amie Gillingham says: January 26th, 2007 9:25am

I wouldn’t be so quick to distrust a site that uses PayPal as its online payment component. For many smaller (or newer) online businesses, it’s an excellent way to handle the security issue and actually ensure the safety of one’s financial information. Our business currently uses PayPal exclusively for our subscription service to our website because they’re set up to handle recurrent payments and we don’t have access to any of our members’ financial information. In many ways, it’s like OpenID in that you set up once and can use that information in the places that are set up to accept it.

GigaOM » Web 2.0 and privacy, who do you trust? says: January 26th, 2007 12:33pm

[...] should take care on their own to protect themselves from the perils of sharing too much information. Continue reading. No comments Share/Send Sphere Topic: Asides, Software 2.0 Tags: Web 2.0, [...]

Judi Sohn says: January 26th, 2007 1:42pm

Amie, I wasn’t discounting the site on the fact that payment was through PayPal alone. Like you said, there are a lot of advantages to it. I was looking at their payment method in combination with all the other factors…private domain registration, no information about the company, etc. to form an overall opinion about the level of trust. If they provided a contact address or talked about the technology they used and they happened to use PayPal, I wouldn’t have any complaint.

boredandblogging says: January 26th, 2007 3:19pm

Just playing devil’s advocate here, but what’s wrong with just using a fake name? If the site isn’t trying to validate any of the information (which it shouldn’t be), just call yourself “Judi Smith.”

Amie Gillingham says: January 26th, 2007 5:32pm

@Judi

Yes, I agree, that in combination would make me a little leery as well.

jason knight says: January 26th, 2007 9:11pm

Hi,

I’m Jason Knight the CEO of Wesabe, and we seem to be in the same space as the company that Judi writes about. At the risk of plugging our service here is how we handle trust and personal information: You can call me 800.511.8544 (12-4pm PST seven days a week) if you have any questions about our privacy or security policies (or anything else you want to talk about). You can also email me jason@wesabe.com. All of our support email is handled by the developer who writes the code, and our goal is to be as close as possible to our users.

We must earn trust every day, but we are succeeding…we know it because our users tell us so.

Island in the Net says: January 27th, 2007 8:20am

The issue has nothing to do with web security but in the way personal financial information is handled. Your Aunt does not use online banking or shop online because she is worried about data privacy but she most likely gladly hands over her credit or debit card to a waiter or gas attendant who walks away to authorize a purchase.

As long as your financial data is available on a database in some networked environment it is potentially at risk.

An excerpt from this article here:

6.1.5 Financial security

Consumers also have legitimate concerns about using their credit/debit cards to make on-line payments – especially internationally.

There have been some spectacular cases of ‘hacking’ of credit card numbers from on-line banks and other companies (most of which are kept out of the public eye). Mike Webb (one of the authors of this report) himself experienced fraudulent use of his credit card as a result of making legitimate on-line transactions in 1999.

Although standards have improved, security experts such as Bruce Schneier[4] have identified the fundamental insecurity of computer-based systems, ensuring that hackers and others will continue to exploit security weaknesses on computer systems used by both businesses and consumers.

Schneier identifies a number of generic problems in trying to achieve 100% security using computer-based systems:

· Increasingly complex operating systems will inevitably include exploitable weaknesses unforeseen by software designers[5]

· It only takes one person to discover a security hole or weakness, and the information can be published globally (via secret hacking sites) to thousands of other hackers in a matter of minutes

· Security should be considered a process, not a product. It is only as secure as the weakest link, which is almost always people.[6] For example, as has often been reported, most users choose insecure passwords. ‘Cracking’ software can recover 20 per cent of all passwords in a few minutes, and 90 per cent of all passwords in less than a day.[7]

In addition, it should be noted that even in the West, where companies have several years’ experience operating networked systems, many companies have lax security policies. According to figures from the UK Department of Trade and Industry (DTI), about 33 per cent of UK businesses still do not have a firewall between their websites and their internal computer systems, leaving them vulnerable to hackers. And 66 per cent do not have intrusion detection systems, which could detect hackers if they penetrated other defences.[8]

However security experts also acknowledge that on-line financial transactions, such as the use of credit/debit cards, while never 100% secure, are likely in general to be more secure than off-line transactions.

sc says: January 27th, 2007 9:39am

In our society, people trust a website, an individual or an organization because they know that other people trust that website, individual or organization. Pagerank seems to be a good indicator of trustworthiness and I use that a lot. A longer green bar on my Google toolbar means (to me) that a lot of other important websites vouch that the particular website I’m visiting is trustworthy.

alan p says: January 27th, 2007 2:55pm

I think trust will be a bigger issue in 2007 than previously, because so many of the social media services are being “gamed” by less salubrious people far more

Mark Evans says: January 27th, 2007 6:29pm

Excellent post, and relevant to me given my Paypal account was hacked into and I had a bunch of money extracted. Fortunately, the fine folks at Paypal are going to get my account back to normal.

Paul Freet says: January 28th, 2007 7:06am

Can someone explain to me the inherent security risk posed by doing business with a site that uses PayPal for processing their credit card transactions? How is that different than using any other merchant processor? At least they were upfront about it.

We use Paypal’s Virtual Terminal, so that might be a bit different, but I still don’t get what the issue is here. But, I’d really like to know because we will change processors if I learn something I don’t like.

Judi Sohn says: January 28th, 2007 12:00pm

Paul, there’s nothing wrong with PayPal. Let me explain my thinking here, as I said it’s an “instinctual” thing with me. PayPal is easy. Anyone at any time can set up a PayPal account and start taking money with an email address. In combination with no information about the company and hidden domain registration it screams “fly-by-night” to me.

So if a company, let’s use BigContacts as an example, has an “About” page that includes information about the developers (right down to a phone number!) and a “Systems & Security” page that explains how the data is protected, I won’t notice or care that you take PayPal for payment. When I’m looking at whether or not I trust a website and I see no other reason to trust, I’ll look to see how they take their money…do they at least have enough of a business to get a merchant account?

I hope that helps, and I apologize if I made anyone nervous about their own sites.

Mark Evans - I was Hacked! says: January 29th, 2007 12:08pm

[...] an interesting post from the person who wrote the first computer virus 25 years ago, while Web Worker Daily has a post looking at people should be careful about giving personal information to Web 2.0 [...]

magazine italy » Personal Information in the Web 2.0 Era. How Do You Trust? says: March 6th, 2007 3:07pm

[...] Original post by Judi Sohn [...]
