Are E-tailers Using Customers as Guinea Pigs?

By Paul Chin

Originally published in Intranet Journal's Chin Music (19-Nov-2008)


With the holiday season fast approaching, shoppers will be flocking to the Internet to beat the crowds and the long lineups, but are e-tailers doing everything they should to protect consumers' information? Or do online retailers think so little of their customers' digital security and privacy as to make them their system development guinea pigs?

As a fairly regular online shopper, for both personal and professional reasons, I've encountered my fair share of "hiccups". Some were minor inconveniences and inconsistencies; others were unconscionable and unforgivable. My most recent online shopping misadventure with an irresponsible e-tailer fell into the latter category.

There was nothing extraordinary or unique about the site. Its shopping cart and checkout process were intuitive and easy to use, and the transaction was adequately secured with SSL. There was, however, something that differentiated this e-tailer from others I've used or reviewed: It sent back credit card information via email.

Upon completion of the order, I was automatically sent a confirmation email detailing the order. It contained the order number, a list of the items in the order, addresses, and shockingly, credit card information in plain text for the entire world to see. What good is implementing an elaborate data encryption method when that very same data is then sent back to customers in a plain text email? This is like spending thousands of dollars on a home security system and then leaving the keys and alarm codes to the house sitting on your driveway under a rusty tin can. Data encryption is only as good as how that same data is handled before and after encryption.

When I promptly informed the e-tailer's customer service reps of their grave mistake, they replied, "We didn't know that was happening." And therein lies the problem: They're supposed to know. They're the ones who are supposed to test every step of their own online shopping process to ensure that it works, and that their customers' information is securely transmitted over a very insecure environment. Perhaps pleading ignorance is the biggest clue as to why it happened.

This e-tailer made a change to its online shopping solution but didn't bother to verify the impact of that change. Software is finicky. Even small changes can have big consequences. This is why developers have a system testing phase using dummy data. This is why they go to great lengths to verify that their changes won't negatively impact users in a production environment. But it seems some e-tailers can't grasp this fundamental rule, choosing instead to make changes directly in production with live data—customers' data.

The onus of system testing and debugging is on the e-tailer, not the customer. So, why was I the one who pointed out this obvious mistake to them? Why do some e-tailers insist on treating their customers as unpaid, freelance software debuggers? We're doing e-tailers' development work for them, helping them correct their mistakes at an extremely high, and dangerous, cost to ourselves.

As a former software developer, I understand the severity of this e-tailer's mistake and how easy it was to prevent. But you don't need to be a neurologist to know that it's not healthy to take a hockey stick to the head. Anyone working for this e-tailer would have caught the error immediately if they bothered to test their changes.
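A pre-release check of the kind described above, as an added example that is not from the original article or the e-tailer's system: it scans a rendered confirmation email for anything that looks like a full card number, using dummy data. The sample emails, the order number and the function names are constructed for illustration; 4111 1111 1111 1111 is a widely used test card number.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order IDs and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(body: str) -> list[str]:
    """Return masked forms of every Luhn-valid card number found in an email body."""
    hits = []
    for match in CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            # Never echo the full number into test logs: keep the last four only.
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

# Constructed confirmation emails rendered from dummy order data.
LEAKY_EMAIL = """Thank you for your order!
Order number: 2008111900042
Items: Widget (qty one)
Card: 4111 1111 1111 1111, expires 11/10
"""

FIXED_EMAIL = """Thank you for your order!
Order number: 2008111900042
Items: Widget (qty one)
Card: Visa ending in 1111
"""

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_EMAIL), ("fixed", FIXED_EMAIL)):
        found = find_card_numbers(body)
        print(name, "FAIL" if found else "ok", found)
```

Run against every outbound template in a test environment, a check like this fails the build before a customer ever receives the email.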

I cancelled the compromised credit card immediately after I noticed this lapse in security, but I wonder how many other customers had their credit card information compromised before I contacted the e-tailer with details of its mistake. Will these customers be notified of the e-tailer's error and informed as to the severity of that mistake? Probably not... It would tarnish the e-tailer's brand image and even possibly open them up to legal action if a litigious customer was affected.

Apologies and assurances of "this has never happened before" are of little consolation to those who are eventually affected. Rather than apologizing to customers for its mistakes, perhaps it would be far more productive for e-tailers to spend more time ensuring the mistakes never reach customers. Although online shopping and data encryption have matured over the years, sadly, many retailers have not.

Copyright © 2008 Paul Chin. All rights reserved.
Reproduction of this article in whole or part in any form without prior written permission of Paul Chin is prohibited.