Ina Steiner EcommerceBytes Blog
News and insight focusing on ecommerce.
by Ina Steiner, Editor of EcommerceBytes.com
Wed July 23 2014 20:53:42

Researchers Say eBay Feedback Leads to Privacy Breach

By: Ina Steiner

Academic researchers say they've uncovered a "security breach" and a "privacy flaw" on eBay due to the way the feedback system works.

"The eBay Feedback System as currently implemented has serious privacy flaws. When sellers leave feedback, buyers' purchase histories are exposed through no action of their own. In this paper, we describe and execute a series of attacks, leveraging the feedback system to reveal users' potentially sensitive purchases."



EcommerceBytes explains what the researchers found and why they think it's important in Thursday's newsletter. For example, buyers may not want it known that they are purchasing gun holsters or pregnancy tests. Here are the recommendations the researchers made in their report - let us know what you think!

Recommendations to eBay: We recommend that the Private Listing option should become the default listing method. This removes any visible link between the buyers and sellers. Alternatively, we propose that eBay use a non-persistent pseudonym for buyers on the sellers' feedback pages; this would make it harder to link feedback. Additionally, the timestamp of the feedback left could be generalized (for example, by displaying only the date) in order to make linkage attacks more difficult.

Recommendations to buyers: Buyers on eBay can make their feedback profile private by changing a setting in their Feedback Forums page. However, accounts with private feedback profiles cannot be used for selling. We therefore recommend that eBay users maintain two separate accounts, a private profile for buying and a public account for selling. (However, this does not obviate the need for an eBay policy change, since it prevents a user's selling account from reaping the benefits of the positive feedback he has earned as a buyer on eBay.) We also recommend that users avoid reusing usernames across different websites in order to retain stronger pseudonymity.

Recommendations to sellers: eBay offers a selling option called a Private Listing which operates exactly like a regular listing while keeping all buyer information anonymous. This is a way for sellers to offer their buyers all buying benefits while retaining privacy. Other users cannot see the list of bids on the item, and all feedback on the item is anonymous for feedback profile views. The listing is included in searches as usual, and it has no extra fees associated with it.
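
As an added illustration (not code from the researchers' report or from eBay), the sketch below renders constructed feedback rows the current way and with two of the recommended mitigations, then counts how many rows stay distinguishable. The per-transaction HMAC pseudonym, the key, and the sample rows are assumptions made for the example.

```python
import hashlib
import hmac
from collections import Counter
from datetime import datetime

# Assumption: a secret held only by the marketplace (constructed demo value).
SERVER_KEY = b"constructed-demo-key"

# Constructed sample rows for one seller's feedback page:
# (buyer_id, item_id, time the feedback was left)
ROWS = [
    ("buyer_a", "item-101", "2014-07-21T09:14:03"),
    ("buyer_b", "item-102", "2014-07-21T09:14:59"),
    ("buyer_a", "item-103", "2014-07-21T17:40:12"),
    ("buyer_c", "item-104", "2014-07-21T17:41:30"),
    ("buyer_b", "item-105", "2014-07-22T08:02:45"),
]

def pseudonym(buyer_id, item_id):
    """Hypothetical non-persistent pseudonym: keyed to one transaction,
    so the same buyer is shown under a different name on every row."""
    msg = f"{buyer_id}|{item_id}".encode()
    return "buyer-" + hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:8]

def render_current(row):
    """Persistent buyer name and exact timestamp."""
    buyer_id, _item_id, ts = row
    return buyer_id, ts

def render_mitigated(row):
    """Per-transaction pseudonym and date-only timestamp."""
    buyer_id, item_id, ts = row
    return pseudonym(buyer_id, item_id), datetime.fromisoformat(ts).date().isoformat()

def repeated_names(displayed):
    """Names shown on more than one row, i.e. rows that can be tied together."""
    counts = Counter(name for name, _ in displayed)
    return sum(1 for n in counts.values() if n > 1)

def unique_timestamps(displayed):
    """Rows whose displayed time is shared with no other row on the page."""
    counts = Counter(ts for _, ts in displayed)
    return sum(1 for n in counts.values() if n == 1)

def report(render):
    """Return (repeated names, uniquely timestamped rows) for a rendering."""
    displayed = [render(r) for r in ROWS]
    return repeated_names(displayed), unique_timestamps(displayed)

if __name__ == "__main__":
    print("current:  ", report(render_current))
    print("mitigated:", report(render_mitigated))
```

The one row that stays unique after date-only display shows that generalizing timestamps helps only when several feedbacks fall on the same day.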





Readers Comments

by: iheartjacksparrow

Wed Jul 23 22:29:54 2014

As is pointed out, the only issue is Sellers knowing the actual IDs of their buyers since the IDs are switched back to front for everyone else to see. (My ID should be n***o but shows as o***n.) When I was selling on eBay, I never had the inclination to research what other items people were buying. I was just happy to be selling something! It's hard to believe these "researchers" think this is a major problem. It's not like buyers' legal names are being shown.

And why would anyone buy a pregnancy test from an eBay seller when can get them in any drug store or WalMart, Target, etc.?

by: TomH

Wed Jul 23 22:43:25 2014

My first reaction regarding the researchers? ''They are idiots with absolutely no understanding of eBay''.

My second reaction? I'll post it if it (something different) comes to mind.

Th  

by: comet

Wed Jul 23 23:09:40 2014

YES---I have no idea WHAT ebay these "researchers" are seeing.  Unless they were using OLD data that DID show what buyers are-- ya know--buying.  With their actual screen names.

Since this has been changed for --what--a year or so now--it can't be publicly accessed.  So if they ARE looking at "real" screen names--then EBAY has granted them ACCESS.

And I will "confess" that I did often look and see what my buyers were buying---esp for the motorcycle parts I buy---as often I would see something the buyer had uncovered--or even offered for sale!---that I wanted and then bought.  Since I often am looking for interesting and one-off items or uncommon items I don't even know EXIST I now have to sit and wade thru THOUSANDS of DUPLICATE LISTINGS for light bulbs and brake pads and batteries and---you get the point.  In fact I did one of these marathon searches just before I came here and DID discover a few things and bought them--BUT I probably would have found them SOONER and more OF them if I had the access I used to have ---and I assume that MY buyers and sellers were looking at MY purchases for the SAME reason.  And IT WORKED.

Now---I don't have TIME to look often thru thousands of listings. So ebay--once again---screwed themselves.  They are not getting MY purchases. And surely these sellers are losing money or leaving.   Because I often can't SEE what is being sold.  That USED to be one of the great things about ebay---the sense of being able to find amazing things you didn't know existed and BUY them.

That also served as a "heads up" as to who was PAYING for what and how long it took them TO pay---and that WAS valuable info.

So of COURSE this was sabotaged by ebay.  No reason to let sellers KNOW that the buyer who just hit BUY IT NOW or placed a bid was really NOT planning to actually---pay.  

Once again--ebay took something that WORKED and HELPED both seller AND buyer and made it vanish.

Sad little ebay.

 

by: LasVagueness

Wed Jul 23 23:19:23 2014

I like the default transparency of listing items in feedback profiles for two reasons: 1) since I sell luxury goods, buyers often want to see a sale history in feedback. This gives them confidence in the seller. For example, I won't purchase a $1,000 handbag from a seller who sells flea market items (with corresponding price points) because it is probably a replica. 2) I will on occasion research the purchase history of a buyer. Sometimes, I need to get a feel of who I am dealing with. On the buying end, I sometimes research purchase history as well. I have found items purchased on eBay (neg or neutral FB left) and then they try to re-sell the same item on eBay!    

by: cayenna

Wed Jul 23 23:23:08 2014

They say sellers cannot sell if their feedback is private; this is not true. I had a problem with another seller re her feedback and she got away with her misusing the feedback system by changing it to private and eBay was fine with it instead of stopping her bad practices. She was advertising her web address in her feedback she left for others. She's still selling.

by: AgendaSwallowsAll

Wed Jul 23 23:31:04 2014

This would explain why search by bidder no longer functions as many thought was the case some months ago.

There is no doubt in my mind JD and/or his cronies are the ''Academic Researchers'' or are behind the ''Academic Research''. Not in a million years do I envision Donahoe allowing an outside entity of any type access to what would be needed in order to draw such a conclusion.

by: Marie

Thu Jul 24 02:11:57 2014

For the past 2 or 3 days, I have not been able to view a buyer's recent purchase/bid history.  The "page not responding" error message appears.  So we may already be toast on this function, which was very handy in helping to identify problem buyers.

by: sasikat9

Thu Jul 24 05:46:19 2014

Are these researchers funded by taxpayers or schools etc....They obviously have too much spare time on their hands and maybe should be put into the unemployment lines...

by: ignatz

Thu Jul 24 06:13:49 2014

This research was probably funded by ebay, to provide the pretext for turning off the ability to see what a buyer has been purchasing.  They recently buried that functionality, indicating they were interested in de-emphasizing it.  Eliminating it would get them one step closer to their goal of being Just Like Amazon.

by: Basset

Thu Jul 24 07:37:15 2014

It is a good resource to have available when contacted with questions that put you on alert. A quick look at the buying FB left can turn up someone that has an itchy trigger finger for negatives.

by: maxmad

Thu Jul 24 07:46:58 2014

I am sure ebay is doing many illegal things, but

As a buyer, You can make your feedback private....

by: unknown

Thu Jul 24 08:19:05 2014

The only 'privacy' issue in that report is the number of facebook users who include their ebay IDs on their profiles.

If the user puts it there, it's not ebay's privacy problem.

We really need to get that purchase by bidder report back. Many hijacked accounts have been discovered using it.

by: FREDDY

Thu Jul 24 08:30:54 2014

What would happen if no seller or buyer used the feedback system???

by: sickandtired

Thu Jul 24 09:02:54 2014

Privacy in this day and age is really an illusion.  The laws are 10 to 15 years behind the times because the wheels of government grind slow.  By the time updates or new laws are proposed, the technology has already outstripped whatever the law proposes.

If you want privacy for what you buy then the only real solution is to shop in person and pay cash.

When ebay started scrambling ids, it took very little time for serious collectors to amass a list of the new *ooo* names matched up to the actual users. Those pools of buyers and sellers of those specific goods still knew who was who.  I know because at one time I sold a huge amount of a certain collectable that had a rather tight knit community of buyers and sellers.

All the anonymizing did was hide info from those who didn't want to bother to track it down or from casual buyers. Big waste of time

Now that I sell a much broader range of merch it is a pita....most of my buyers are single sale customers so it isn't worth the time to track them down.

Users of all venues on the net need to take responsibility for their own privacy (whatever is left of it). The stub hub hack was really done at the simplest level- no massive invasion or crunching of data. This was not high level cyber spying.

The info was gathered by phishing or malware, then the accounts that were hacked that belonged to users who had the same user name and password on more than one site were used to get into their stub hub account.

Since ebay does not offer any real seller protection and we are going to be downgraded pretty well no matter what, I don't know if it will make any difference if every transaction becomes totally blind.

Once the item is bought and paid for, it is too late to do anything but pack and ship then cross fingers until arrives and no case is opened.

by: a_c_green

Thu Jul 24 13:28:41 2014

Frankly, eBay's amazingly sloppy programming skills were the only reason why we could still do an Advanced Search by Bidder up to as recently as last week.

That search-by-bidder option was originally available as a link from several other pages, appearing as one of several links in the left-hand margin adjacent to the Advanced Search form and similar pages.

Some time ago (maybe a year or two, even), they made an attempt to remove that search-by-bidder functionality by removing the links to the form, leaving only search-by-seller as an option. However, they forgot one location where that link survived: the Advanced Search by Seller page itself. If you navigate there, you can then make the jump over to the old Advanced Search by Bidder form, still there and still functional.

Unfortunately, in the past few days, possibly as a result of that study, eBay finally noticed the oversight, and appears to have now disabled the code behind that form. I rather doubt we're going to see that useful tool ever returning.

Ina, I would love to be proven wrong, but I very much doubt that you will ever learn the name of whoever made that incredibly stupid decision, nor do I think it's likely that you're going to be able to have any meaningful dialogue with them over whether their disabling a number of useful seller tools could remotely be considered a good idea.

by: Puck

Thu Jul 24 16:04:20 2014

''And why would anyone buy a pregnancy test from an eBay seller when can get them in any drug store or WalMart, Target, etc.?''

The niche single female market who prefer cheap, Chinese made pregnancy tests that always result in a Not Pregnant reading.

Like The Hopeful 1 Pregnancy Test made in Beijing. - 99¢ with Free Shipping

by: Philip Cohen

Thu Jul 24 16:19:09 2014

eBay's concept of "privacy" has absolutely nothing to do with protecting (honest) buyers or sellers, it’s only for protecting eBay’s unscrupulous shill bidding sellers; in other words, its only purpose is to protect eBay’s bottom line …

eBay Inc, where the incompetent mingle with the malevolent and the outright criminal, and the just plain stupid ... http://bit.ly/11F2eas

by: Opalie

Thu Jul 24 18:35:03 2014

I hope buyers aren't too upset when the way they've asked a question raises enough seller neckhairs to slap them on the BBL when their history can't be seen.

As a seller I say better safe than sorry.

by: fashionista

Thu Jul 24 20:53:36 2014

A few months ago I sold a white cashmere sweater to Canada, buyer said I sent her a blue sweater, I thought it was impossible, I asked her to send a pic, she did, she insisted that was the sweater I sent, well I went back through her purchase history and found the sweater she sent me the picture of, it was from another seller. Scam? If her history wasn't available, I wouldn't have been able to win the case.

by: sickandtired

Thu Jul 24 21:22:05 2014

I have had the same experiences as fashionista....sold 3 cup & saucer sets (all same pattern) to a buyer in the US.

Got a really nasty email from him accusing me of scamming him -  and informing me he would neg me, get his money back and had no intention of returning the package.

Did some checking and found he was buying this pattern in quantity from several different sellers.  Found his transaction for the 4 sets so I knew what had happened. He confused the shipments.

This in spite of the fact that I include item info in the box as well as write the buyers name & address on the inside of a box flap along with a thank you and my user id.  Just shows how few people actually read info provided.

I averted a nasty situation only because I could do some digging.  I can't imagine that if that info were not available that I would be able to get an ebay c/s agent to look back through a buyer's history to see if something twigged.
