Tag Archives: privacy

Ebay and their encryption double standard

9 May

I don’t use Ebay often, but every so often it happens to be one of the only options for a specific kind of purchase. I recently bought a product to expand my MPC’s internal memory, and tried to communicate with the seller by using my email account (as an Ebay “guest” user).

I have been automatically signing my emails with PGP for a while now, and haven’t had any major problem (except for a Brisbane council issue that somehow filtered my emails because of the unrecognised attachment, an issue that was fixed a while ago, at least in the particular section I have been volunteering at).

Interestingly enough, Ebay rejected my signed (unencrypted) email, with the following explanation:

To better protect our members from identity theft and unwanted emails, we don’t allow encrypted emails. Because your recent email message to [xxx] was encrypted, we didn’t send it.

Please remove the encryption and resend your message.

The notification email links to a messaging help page [snapshot] that states the following:

Emails that are encrypted before they are sent (or are automatically encrypted when sent) will not be delivered through eBay Messages. Encryption is a way of scrambling or coding information before it’s sent, and then decoding the same information when it’s received. If you’re using encryption software, you may need to turn it off before sending messages.

At first, I thought I sort of understood why they would filter out encrypted emails: so they can apply a keyword-based spam filter. However, I still haven’t heard about spammers making use of encryption. It seems to me that encrypting is an obvious massive obstacle to the main objective of spamming: sending large amounts of emails that are not specifically targeted. Encrypting would require the spammer to collect each recipient’s public key and scramble each separate message accordingly… It does not sound likely to become a common spamming practice, which leads me to think that there might be other incentives for Ebay to only have plain-text messages transiting through their servers (data collection and analysis, anyone?).

Add to that the fact that Ebay obviously does a terrible job at telling apart signed plain-text emails from encrypted emails…
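
An added example (not Ebay's filter, and not code from this post): the difference between a signed plain-text message and an encrypted one is visible in the message structure itself. The sketch below classifies a raw email using the PGP/MIME content types from RFC 3156 and the inline ASCII-armor header lines; it covers PGP only, and the sample messages are constructed, with placeholders instead of real PGP data.

```python
from email import message_from_string

ARMOR_ENCRYPTED = b"-----BEGIN PGP MESSAGE-----"
ARMOR_SIGNED = b"-----BEGIN PGP SIGNED MESSAGE-----"

def classify_pgp(raw: str) -> str:
    """Classify a raw email as 'encrypted', 'signed' or 'plain'."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    protocol = str(msg.get_param("protocol") or "").lower()
    # PGP/MIME (RFC 3156): the top-level Content-Type tells the two apart.
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "encrypted"
    if ctype == "multipart/signed" and protocol == "application/pgp-signature":
        return "signed"
    # Inline PGP: the first ASCII-armor header line in a text part decides.
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            for line in (part.get_payload(decode=True) or b"").splitlines():
                if line.strip() == ARMOR_ENCRYPTED:
                    return "encrypted"
                if line.strip() == ARMOR_SIGNED:
                    return "signed"
    return "plain"

# Constructed sample messages (placeholders instead of real PGP data).
HEAD = "From: buyer@example.org\nSubject: Question about item\nMIME-Version: 1.0\n"
MIME_SIGNED = HEAD + (
    'Content-Type: multipart/signed; micalg=pgp-sha256; boundary="b1";\n'
    ' protocol="application/pgp-signature"\n\n'
    "--b1\nContent-Type: text/plain\n\nIs the card compatible with my unit?\n"
    "--b1\nContent-Type: application/pgp-signature\n\n"
    "-----BEGIN PGP SIGNATURE-----\n\n(placeholder)\n-----END PGP SIGNATURE-----\n"
    "--b1--\n")
MIME_ENCRYPTED = HEAD + (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b2"\n\n'
    "--b2\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b2\nContent-Type: application/octet-stream\n\n"
    "-----BEGIN PGP MESSAGE-----\n\n(placeholder)\n-----END PGP MESSAGE-----\n"
    "--b2--\n")
INLINE_SIGNED = HEAD + (
    "Content-Type: text/plain\n\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    "Is the card compatible with my unit?\n"
    "-----BEGIN PGP SIGNATURE-----\n\n(placeholder)\n-----END PGP SIGNATURE-----\n")
PLAIN = HEAD + "Content-Type: text/plain\n\nIs the card compatible with my unit?\n"

if __name__ == "__main__":
    for sample in (MIME_SIGNED, MIME_ENCRYPTED, INLINE_SIGNED, PLAIN):
        print(classify_pgp(sample))
```

In both signed forms the body stays readable to any intermediary, so a content filter can still inspect it; only the encrypted form hides the text.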

In their help page titled “Keeping you safe on Ebay” [snapshot], they state the following:

We use procedural and technical safeguards, including firewalls, encryption and Secure Socket Layers (SSL) to help protect your personal information against loss, theft and unauthorised access and disclosure by users inside and outside the company.

In “Protecting your privacy” [snapshot], it is said that Ebay provides:

Secure communication for all external parties—including customers, vendors, and any business partners outside of eBay—by monitoring every email message, except in countries that have laws prohibiting monitoring of email. If an email contains private information, it will be encrypted through our eBay Secured Email system.

However, the users using encryption themselves (or even just PGP signatures) are considered a threat and denied privacy. What about people who want to make sure they are keeping a particular transaction private from a member of their family, a threatening community, a potential online criminal organisation, or from an oppressive government, for whatever reason?

Funnily enough, at the time of writing, the link to “eBay Secured Email” is a dead link, so good luck if you want to find out more about this particular “system”…

This issue draws me further away from Ebay – as if I needed more reasons.


Reset the Net

5 Jun

Reset the Net is happening today, the 5th of June 2014. It is a global day of action to make government surveillance on the Internet more difficult. It was instigated by the American organisation Fight for the Future, “a nonprofit advocacy group in the area of digital rights founded in 2011” (see the Wikipedia article). This effort is scheduled a year after Edward Snowden started revealing the NSA’s, and more generally the Five Eyes members’, global surveillance activities. The day of action echoes others like The Day We Fight Back, organised by Aaron Swartz’ Demand Progress in February this year.

Reset the Net is a great event, and I really hope it has a lasting effect on the Internet. However, this kind of change is one that needs to be durable, and this probably means that it won’t be done in a day. I will try and write posts related to government surveillance and general online privacy in the next few days to show examples of how we can switch to safer options, and report on the efforts I made myself. This will be my little contribution towards giving people ideas and making this issue more visible.

For the moment, have a look at the Reset the Net “privacy pack” to get you started on this. There is quite an array of actions you can take, from a simple switch from one app to another, to more elaborate geeky things: everyone can find something that looks doable to them.

Reset the Net on the 5th of June

11 Apr


On the 5th of June 2014, Internet users and organisations around the world will unite to promote openness, privacy and digital rights – in other words, “Reset the Net”.

This is a project started by Fight for the Future, an organisation that describes itself as “a nonprofit working to expand the Internet’s power for good”. The American organisation was founded in 2011 and is known for its engagement in the fight against SOPA and PIPA.

Watch the video below to learn more and head to this website to see how you can help.