Ebay and their encryption double standard

9 May

I do not often use Ebay, but every so often it happens to be one of the only options for a specific kind of purchase. I recently bought a product to expand my MPC’s internal memory and tried to communicate with the seller using my email account (as an Ebay “guest” user).

I have been automatically signing my emails with PGP for a while now and haven’t had any major problems (except for a Brisbane council issue where my emails were somehow filtered because of the unrecognised attachment, an issue that was fixed a while ago, at least in the particular section I have been volunteering at).

Interestingly enough, Ebay rejected my signed (unencrypted) email, with the following explanation:

To better protect our members from identity theft and unwanted emails, we don’t allow encrypted emails. Because your recent email message to [xxx] was encrypted, we didn’t send it.

Please remove the encryption and resend your message.

The notification email links to a messaging help page [snapshot] that states the following:

Emails that are encrypted before they are sent (or are automatically encrypted when sent) will not be delivered through eBay Messages. Encryption is a way of scrambling or coding information before it’s sent, and then decoding the same information when it’s received. If you’re using encryption software, you may need to turn it off before sending messages.

At first, I thought I sort of understood why they would filter out encrypted emails: so they can apply a keyword-based spam filter. However, I still haven’t heard of spammers making use of encryption. It seems to me that encryption is an obvious, massive obstacle to the main objective of spamming: sending large amounts of email that is not specifically targeted. Encrypting would require the spammer to collect each recipient’s public key and scramble each message separately… It does not sound likely to become a common spamming practice, which leads me to think that there might be other incentives for Ebay to only have plain-text messages transiting through their servers (data collection and analysis, anyone?).

Add to that the fact that Ebay obviously does a terrible job of telling apart signed plain-text emails from encrypted emails…
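The distinction Ebay’s filter missed is mechanical. PGP/MIME (RFC 3156) marks a signed message as `multipart/signed` with `protocol="application/pgp-signature"` and an encrypted one as `multipart/encrypted` with `protocol="application/pgp-encrypted"`; inline PGP clearsigns with a `-----BEGIN PGP SIGNED MESSAGE-----` header while an armored `-----BEGIN PGP MESSAGE-----` block is opaque. The following classifier is an added example written for this post, not Ebay’s code or anything from the original article; the sample messages, addresses and the `classify_pgp`/`should_deliver` names are constructed for illustration, and the signature and ciphertext blocks are placeholders rather than real PGP packets.

```python
"""Tell a PGP-signed email apart from a PGP-encrypted one (added example).

Handles PGP/MIME (RFC 3156) containers and inline (clearsigned or armored)
PGP bodies, then applies the stated policy: refuse only encrypted mail.
"""
import email
from email import policy

SIGNED = "signed"
ENCRYPTED = "encrypted"
PLAIN = "plain"


def classify_pgp(raw: bytes) -> str:
    """Return 'signed', 'encrypted' or 'plain' for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    proto = msg.get_param("protocol")

    # PGP/MIME: the outer container type states exactly what was done.
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return ENCRYPTED
    if ctype == "multipart/signed" and proto == "application/pgp-signature":
        return SIGNED

    # Inline PGP: look at every text/plain body for an armor header.
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_content().lstrip()
        if body.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            return SIGNED  # clearsigned: the text is readable as-is
        if body.startswith("-----BEGIN PGP MESSAGE-----"):
            # Armored payload. Usually ciphertext; a non-clearsigned
            # signed-only message uses the same header and can only be
            # told apart by decoding the packets, so treat it as opaque.
            return ENCRYPTED
    return PLAIN


def should_deliver(raw: bytes) -> bool:
    """The policy quoted in the post, applied correctly: signatures pass."""
    return classify_pgp(raw) != ENCRYPTED


# Constructed sample messages (placeholder signature/ciphertext blocks).
SAMPLE_MIME_SIGNED = b"""\
From: buyer@example.com
To: seller@example.com
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256; boundary="b1"

--b1
Content-Type: text/plain

Hello, does the memory module fit a 2000XL?
--b1
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
PLACEHOLDERSIGNATUREDATA=
-----END PGP SIGNATURE-----
--b1--
"""

SAMPLE_MIME_ENCRYPTED = b"""\
From: buyer@example.com
To: seller@example.com
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b2"

--b2
Content-Type: application/pgp-encrypted

Version: 1
--b2
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
PLACEHOLDERCIPHERTEXTDATA=
-----END PGP MESSAGE-----
--b2--
"""

SAMPLE_INLINE_SIGNED = b"""\
From: buyer@example.com
To: seller@example.com
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello, does the memory module fit a 2000XL?
-----BEGIN PGP SIGNATURE-----
PLACEHOLDERSIGNATUREDATA=
-----END PGP SIGNATURE-----
"""

SAMPLE_PLAIN = b"""\
From: buyer@example.com
To: seller@example.com
Content-Type: text/plain; charset=us-ascii

Hello, does the memory module fit a 2000XL?
"""

if __name__ == "__main__":
    for name, raw in [("mime signed", SAMPLE_MIME_SIGNED),
                      ("mime encrypted", SAMPLE_MIME_ENCRYPTED),
                      ("inline signed", SAMPLE_INLINE_SIGNED),
                      ("plain", SAMPLE_PLAIN)]:
        print(f"{name:15} -> {classify_pgp(raw):9} deliver={should_deliver(raw)}")
```

A signed message, in either form, leaves the text fully readable, so any keyword-based filter can still run over it; only the `multipart/encrypted` and armored-`PGP MESSAGE` cases hide content, which is the one situation the quoted policy actually describes.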

In their help page titled “Keeping you safe on Ebay” [snapshot], they state the following:

We use procedural and technical safeguards, including firewalls, encryption and Secure Socket Layers (SSL) to help protect your personal information against loss, theft and unauthorised access and disclosure by users inside and outside the company.

In “Protecting your privacy” [snapshot], it is said that Ebay provide:

Secure communication for all external parties—including customers, vendors, and any business partners outside of eBay—by monitoring every email message, except in countries that have laws prohibiting monitoring of email. If an email contains private information, it will be encrypted through our eBay Secured Email system.

However, users who use encryption themselves (or even just PGP signatures) are considered a threat and denied privacy. What about people who want to keep a particular transaction private from a member of their family, a threatening community, a potential online criminal organisation, or an oppressive government, for whatever reason?

Funnily enough, at the time of writing, the link to “eBay Secured Email” is a dead link, so good luck if you want to find out more about this particular “system”…

This issue draws me further away from Ebay – as if I needed more reasons.