Back in September, over on DataBreaches.net, I posted about a breach involving Etsy.com, an online marketplace that boasts over 7.2 million members, over 400,000 sellers, and 971 million page views per month.
At the time, the exposure of sellers’ names was accidental. But what was an accidental breach in September seems to have become policy by October – and a retroactive one at that, applying to both sellers and buyers.
This week, PogoWasRight.org was contacted by “DeeplyOffended” about Etsy.com:
Etsy.com has recently made all users’ real names and purchase history available on the web. They can be searched from Google. They are also refusing to contact buyers to alert them to this change.
They do allow names to be changed, but only with a two-day waiting period. There is a thread on their forum about it here: http://www.etsy.com/teams/7718/site-help/discuss/6811996/page/1 where they have refused to respond to serious concerns for customer privacy.
Etsy.com’s privacy policy appears to have been last updated on January 27. It reads, in part:
Your username, Etsy ID or alias is displayed throughout Etsy (and so available to the public) and is connected to all of your Etsy activity. Other people can see your purchases, items for sale, store, feedback, ratings and associated comments. You have the option to publicly display your full name.
So the policy does seem to alert users as to what happens with their information within Etsy. But what about outside of Etsy?
“Deeply Offended” writes:
… anyone who’s ever purchased on their site has their name and what they bought posted online, not just sellers this time.
Deeply Offended explains (emphasis added by PogoWasRight.org):
Starting around October 2010 Etsy’s registration changed. It used to ask to create a user name, and for an email address that would be kept private. Users had to go to their profile after registering and manually enter their name. From the old privacy policy “Your username, Etsy ID or alias is displayed throughout Etsy (and so available to the public) and is connected to all of your Etsy activity. Other people can see your purchases, items for sale, store, feedback, ratings and associated comments. You have the option to publicly display your full name.”
Now, they ask for first and last name at sign up, with the message “Your full name will appear on your public profile. This is optional.”
Nowhere is it disclosed that first and last names are now automatically inserted into the user’s profile at creation, unlike before, and any previously created accounts where you signed up under your real name but did not add it to your profile now have that name retroactively added.
Also searchable (but only to Etsy members, not through Google) are email addresses. New users signing up are prompted to allow access to their email’s contact list, and those are then cross-referenced with registered Etsy accounts.
Users with seller accounts were notified of this update; buyer-only accounts (the default when you sign up) still have not been. If you go to this topic http://www.etsy.com/teams/7718/site-help/discuss/6762009/page/1 they discuss it – it’s very, very long, but by the last page buyers have come to ask why they’re getting found by these people after opting out. The first page is a collection of administrator posts from throughout the conversation, out of order. It becomes chronological after that.
So how bad can this be in terms of privacy? Deeply Offended sent me some sample urls from a Google search. I’m just posting one of them, after redaction:
A search for “[redacted]” on the Etsy domain turns up her profile as [username], of Gainesville, Florida, US. From here, looking at her feedback, I can see that she purchased the 6″ Cupid’s Arrow dildo in pink on 11/12/2010. She’s also a fan (Etsy has ‘Favorites’ like website-based bookmarks, linkable from the profile) of the slightly larger 6.5″ Cupid’s Magic Wand in cobalt blue, but hasn’t bought it yet. I can also see that she joined [date], her gender is listed, and that her birthday is [redacted month and date]. It doesn’t appear she’s logged on since December 2010, so she may have no idea that anyone Googling her name can see all this.
I just googled her name on its own, and her Etsy profile is the 5th link, after 4 links to her online resumes on LinkedIn and Quora. Her Etsy page even beats out her Facebook page.
It should probably be noted that Etsy carries lots of items most buyers would rather not advertise, such as bongs, fetish gear, menstrual art, handmade soap sculpted to look like genitals, gay porn, LGBT pride items, feminine lingerie sized for men, and other things people would rather not have parents, neighbors, or potential employers see.
Has Etsy.com done anything wrong? Maybe not if they revised their policy to correspond with their actions, but to retroactively publish people’s names and have them indexed by Google, even if you’ve warned people that your privacy policy may change over time? Not a policy or practice that this site would ever endorse.
Yes, I know there are those who will remind us all that you have no expectation of privacy on the Internet.
But seriously folks, even if you are just concerned about the ecommerce aspects, will customers buy as much if they have to be concerned about their purchases showing up in the first page of results for a Google search of their name?
I emailed Etsy to get a statement or response to the concern, but as was the case in September, they did not respond at all to the inquiry.