Academic Researchers Uncover Privacy Flaw on eBay

In the old days of eBay, when you made a purchase or sold an item, complete transparency was assumed thanks to the feedback system. Buyers and sellers left feedback for each other that everyone could see, including information about the item purchased.

Over the years, eBay has become less and less transparent. So while many longtime eBay sellers call for greater transparency to help them identify bad buyers, it’s possible that buyers may not realize the extent to which some of their purchase data is publicly available.

Academic researchers at NYU published a report showing they could access information about eBay shoppers’ purchases by taking some extra steps, and they called it a “privacy flaw” and a “security breach.” In fact, they conducted a survey that showed only 9% of respondents were aware that anyone could view their purchase history even when not signed in to the site.

A press release about the research on NYU’s website was headlined:

Buyer Beware: NYU Researchers Uncover Security Breach that Reveals EBay Purchases – Privacy Flaw Makes it Possible to Track Buyers of Gun Accessories, Medical Tests, and More

So what’s the new discovery that leads the researchers to be so dramatic?

“The privacy flaw operates as follows: Every eBay user’s profile includes a “Feedback as a Buyer” page, where those who have sold items to that person can post comments. An estimated 70 percent of sellers leave feedback for buyers, and this section is entirely public – a user need not even sign into eBay to access this information. Along with their comments, the seller also leaves a record of his or her own username and the time of sale but does not disclose the actual item purchased. By visiting the seller’s feedback page, however, it is relatively easy to match the time stamp of the sale and thus identify the item that was purchased.”

They outlined various scenarios describing cases where this could be harmful to eBay buyers.

Cracking the Buyer-Pseudonym Code
Many sellers dislike the fact that eBay masks buyers’ identities on feedback pages, and some have wondered if there was a way to break the code. Here’s what the researchers found:

“In the event that more than one sale matches the time stamp, which may happen with automated sales, the researchers still found it fairly straightforward to identify purchase histories. eBay assigns a pseudonym to each username listed in sales records, and that pseudonym follows a formula that makes deriving the username possible in nearly every case: In a test database of 5,580 feedback records, the researchers matched 96 percent of buyers’ feedback records to a single seller feedback record, complete with purchase details.”
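The timestamp matching described above can be measured from the platform's side. The following is an added example, not code from the article or the NYU report: it computes what fraction of buyer-side feedback records match exactly one seller-side record on seller and displayed timestamp, and how that fraction changes when the displayed timestamp is coarsened. All records and names are constructed, coarsening is an assumed mitigation for illustration, and the pseudonym formula is not modeled because the page does not give it.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (not real eBay data).
# Seller-side feedback shows (seller, timestamp, item);
# buyer-side feedback shows (seller, timestamp) with no item.
SELLER_FEEDBACK = [
    ("seller_a", "2014-10-01 09:15:42", "item 1"),
    ("seller_a", "2014-10-01 09:15:42", "item 2"),  # automated, same second
    ("seller_a", "2014-10-01 17:03:10", "item 3"),
    ("seller_a", "2014-10-02 11:20:05", "item 4"),
    ("seller_b", "2014-10-01 09:15:42", "item 5"),
    ("seller_b", "2014-10-03 08:00:00", "item 6"),
]
BUYER_FEEDBACK = [
    ("seller_a", "2014-10-01 09:15:42"),
    ("seller_a", "2014-10-01 17:03:10"),
    ("seller_a", "2014-10-02 11:20:05"),
    ("seller_b", "2014-10-03 08:00:00"),
]

# Display precisions to compare (assumed options, for illustration).
PRECISIONS = {
    "second": "%Y-%m-%d %H:%M:%S",
    "hour": "%Y-%m-%d %H",
    "day": "%Y-%m-%d",
    "month": "%Y-%m",
}

def bucket(ts, precision):
    """Truncate a timestamp string to the given display precision."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime(PRECISIONS[precision])

def linkability(buyer_records, seller_records, precision):
    """Fraction of buyer-side records whose (seller, displayed time) key
    matches exactly one seller-side record, i.e. points at a single item."""
    counts = Counter((s, bucket(ts, precision)) for s, ts, _ in seller_records)
    unique = sum(
        1 for s, ts in buyer_records if counts[(s, bucket(ts, precision))] == 1
    )
    return unique / len(buyer_records)

def report():
    """Linkable fraction at each display precision."""
    return {p: linkability(BUYER_FEEDBACK, SELLER_FEEDBACK, p) for p in PRECISIONS}

if __name__ == "__main__":
    for precision, fraction in report().items():
        print(f"{precision:>6}: {fraction:.0%} of buyer records map to one item")
```

Records that share a key with another sale are the ambiguous cases the researchers mention; the measure counts only unambiguous matches.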

Linking eBay and Facebook Accounts
According to the press release, “In some cases, the researchers were able to take this attack one step further: Among a database of nearly 131,000 eBay usernames, they were able to link 17 percent to Facebook profiles, thus revealing the users’ real names.”

First, they didn’t say what percent of those users were also sellers, who deliberately attempt to publicize their brands.

Secondly, the actual report shows the figure of 17% is overly optimistic:

“It is important to note that this method does not conclusively match accounts. For example, the accounts using a common name such as “bob123” on Facebook and eBay may very well belong to two different people. As such, the match rate of 17.2% should be considered an upper bound which includes some false positives.”

(We quickly tried this using the methodology described in the report to test three eBay User IDs of people we know: Two came up with false positives – in other words, the eBay User ID did not belong to the Facebook account suggested. The other – one of our accounts – came up with no result at all on Facebook.)

Researchers recommended that eBay users maintain two separate accounts, a private profile for buying and a public account for selling. While the casual seller may not do this, many serious sellers already do.

Why Sellers Say They Need Buyers’ Purchase History
Here’s what one eBay seller had to say about the importance of the 30-day buyer purchase history:

“Sellers use the Buying History to defend ourselves in a Claim. All claims are an instant DEFECT unless we cannot defend the claim. This 30-day Buying History activity is all we have left to find out if a buyer is lying… to find out things like if they bought another item like ours for less money… if they bought a bigger size from other sellers etc etc. I am a No-Returns seller and I use this Buyer’s 30-day Buying History on every claim. It will be extremely difficult to gather evidence to fight a claim without this 30 days history information.”

Fallout from the Report
eBay has already been taking away the ability for sellers to view information about buyers, and this may hasten the process. In fact, one reader contacted me to say she believed that as a result of the research published by a news outlet, eBay had taken away the ability for sellers to view buyers’ 30-day purchase history, which can help them identify bad buyer behavior. (We’ve got an email and phone inquiry into eBay about this but have yet to hear back by press time.)

Second, eBay has been in the news due to the hacking incident earlier this year and now over fraud on StubHub. More articles screaming about a privacy flaw and a security breach will make shoppers even more wary of the site.

Ina Steiner

Ina Steiner is co-founder and Editor of EcommerceBytes and has been reporting on ecommerce since 1999. Send news tips to ina@ecommercebytes.com.