Buyer Beware

Buyer Beware

Speaking at a conference this winter on Internet crime,’s director of law enforcement and compliance, Joseph Sullivan, offered law-enforcement officials extensive access to personal cust


Speaking at a conference this winter on Internet crime,’s director of law enforcement and compliance, Joseph Sullivan, offered law-enforcement officials extensive access to personal customer information.

Founded in 1995 as a niche site for collectibles, eBay quickly grew into one of the Internet’s largest websites, currently boasting 69 million daily visitors, who place an average of 7.7 million bids each day. The company, now valued at $29.6 billion, has become synonymous with online shopping, and is rapidly expanding overseas.

The talk, “Working with Law Enforcement,” was delivered at the CyberCrime 2003 conference in Mashantucket, Connecticut. Sullivan, who left the Justice Department to become senior counsel for rules, trust and safety at eBay last year, told the audience of law-enforcement officials and industry executives that he didn’t “know another website that has a privacy policy as flexible as eBay’s,” seemingly meaning that eBay acts particularly quickly to grant law enforcement extensive access to user information without regard to established legal procedures that protect individuals from civil rights abuses by the state.

Brags Sullivan, “If you are a law-enforcement officer, all you have to do is send us a fax with a request for information, and ask about the person behind the seller’s identity number, and we will provide you with his name, address, sales history and other details–all without having to produce a court order.” (eBay itself goes further than this, employing six investigators who are charged with tracking down “suspicious people” and “suspicious behavior.”)

Seventy percent of eBay customers, as well as a significant portion of the rest of the online commercial world, make their purchases using (eBay-owned) Paypal, which provides clearing services for online financial transactions. Through Paypal, eBay has access to the financial records of tens of millions of customers. “If you contact me,” said Sullivan to assembled law-enforcement authorities, “I will hook you up with the Paypal people. They will help you get the information you’re looking for…. In order to give you details about credit-card transactions, I have to see a court order. I suggest that you get one, if that’s what you’re looking for.”

Sullivan even offered to conscript eBay’s employees in virtual sting operations: “Tell us what you want to ask the bad guys. We’ll send them a form, signed by us, and ask them your questions. We will send their answers directly to your e-mail.”

Sullivan’s statements were first reported by Yuval Dror in the Tel Aviv-based daily Ha’aretz; surprisingly, they have received no coverage in the US media. And, while they may seem extreme, Sullivan’s eBay policies seem to fit into a larger pattern of eroding online privacy.

In the fall of 2001 a Stanford-educated Pakistani scientist, a permanent resident of the United States, was visited at his home in the Bay Area by the FBI, who asked about several books he’d recently purchased on eBay. The man’s lawyer said the FBI agent reported having been alerted by eBay. eBay denied having provided the information to the FBI, and the bureau refused to comment.

eBay avoids legal trouble with its customers by giving itself carte blanche to divulge any and all personal information. Its hard-to-find privacy policy says: “Due to the existing regulatory environment, we cannot ensure that all of your private communications and other personal information will never be disclosed in ways not otherwise described in this Privacy Policy.”

Until recently, in the Internet world “cooperation with government was seen as a betrayal of the unwritten contract between the user and service provider,” says Nimrod Kozlovski of the Information Society Project, a Yale-based center that studies democracy and freedom in the digital age. This understanding held that the “provider would protect the consumer from government snooping.” Kozlovski believes that “September 11th changed things dramatically,” much as it did for privacy and civil-liberties issues in other realms. He observes that eBay followed the trend by rebranding itself and changing its privacy and policy statements “to accommodate this new vision of the company as one which was [not only] cooperative with the government [but] actually a private law enforcement entity.” eBay has also felt the sting of tough new laws: On March 28 its unit PayPal was charged by the Justice Department with violating the Patriot Act for providing money transfer services to gambling companies. eBay may be wary of turning down law-enforcement requests, and in this political climate, being pliant to law enforcement may be sound business in the sense that it can lead to better treatment from government and lower administrative costs associated with a company’s security division. There is also the genuine anxiety surrounding the potential consequences of not following up on a perceived terrorist threat.

Company spokesperson Kevin Pursglove calls eBay “a pioneer when it comes to customer privacy” and denies that eBay’s privacy rules are in any way influenced by increased concerns about homeland security or that eBay has been the subject of increased pressure from law enforcement.

The attack on Internet privacy, like all civil liberties, has been growing since September 11 in the form of the Patriot Act and other federal and state-based legislation. Many provisions in the new laws undermine online privacy, and are in keeping with eBay’s information-sharing policies. The Patriot Act allows ISPs to voluntarily hand over all “non-content” information to law enforcement without the need for a court order or subpoena. It also expands the category of information that law-enforcement figures can seek with a simple subpoena (no court review required) to include, among other things, IP addresses and credit card and bank account numbers.

While Sullivan’s statements are the most extreme examples of the blurring between law enforcement and private corporations, eBay is not the only large online companies to have diluted its customer-privacy provisions. Traditionally, it was standard practice not to reveal customer information to third parties; now, however, Internet companies are making exceptions for the government. And massive online vendors from Travelocity to Amazon are using vague language to give themselves virtually complete discretion as to what customer information they will turn over to law-enforcement officials. Whether there will be a consumer backlash against these relaxed privacy policies remains to be seen.

If so, then companies like eBay may have to question their current willingness to become quasi-private law-enforcement agencies themselves. In liberal democracies it is assumed that criminal investigation and law enforcement are the sole domain of government. But the trend in the United States, as evidenced by eBay, among many companies, now sees huge private-sector commercial entities becoming, in effect, agents of law enforcement. It’s an arrangement between government and the private sector, which Kozlovski calls the “invisible handshake”–Internet companies promise to open their files to law enforcement, while law enforcement insures that citizens stay in the dark. This new relationship raises crucial questions regarding civic life in the United States, and our rights as citizens and consumers. According to Sullivan, “when someone uses [eBay’s] site and clicks on the ‘I agree’ button, it is as if he agrees to let us submit all of his data to the legal authorities…” Is this more than we bid for?

Ad Policy