Personal Information in the Web 2.0 Era. How Do You Trust?

By Judi Sohn Jan. 25, 2007, 8:04am PT 17 Comments

I do all my banking online. I watch my transactions carefully and I’m confident that if any of my accounts were compromised, I’d know soon enough to stop any damage. False sense of security? Maybe. My Aunt refuses to make a single online purchase, much less do her banking online. Is she being overly paranoid?

Aside from banking sites and places we enter credit card information, we put a great deal of trust into the sites we visit, giving them a lot of personal information. We are learning how to protect our children online, but how reckless are we being ourselves?

All too often, web applications ask for a lot of trust from visitors but don’t give it in return. Recently I visited a new site that promised to “budget, plan, forecast, organize and analyze your personal finances to achieve your goals.” It sounded like the perfect site to profile for a post here at WWD. After sign-up, you were expected to enter all of your personal financial information, short of the account numbers or PINs. No “About Us” or “FAQ” page. No forum or blog to reveal the thinking behind the site. The payment for the “enhanced” service was handled through PayPal, and even the domain was registered through Domains by Proxy (to hide the real contact information of the owner). I don’t think so.

Many sites use the “About” or “FAQ” page to talk about their hopes and dreams. That’s nice. But now tell us why we should trust you. If you’re not Google or Yahoo or another publicly traded company (or even if you are), give us a glimpse of the people behind the technology, and give us an idea of the steps you are taking to safeguard the data we are sharing with you. Nowadays, a http:// link isn’t enough to put anyone’s mind at ease. Going on instinct, I look for things like Truste or BBBOnline verification. I search for independent information about the company or site. Nothing is 100%, of course. The more a site asks from me, the more steps I expect the site to take to not only protect my data, but to be transparent about the methods they are using to do so.

Even if all the right pieces are in place, would you use a service like StolenID Search, a web application that searches stolen social security numbers to see if your number is compromised? The catch is that you have to enter that number into the site. For many people, myself included, social security numbers are very closely protected and we will not enter those digitis into a website easily. With good reason.

When it comes to trust, what do you look for in a web application before you hit that “sign up” button? Is there information that you won’t put online no matter what?

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

Your Blog, Your To-Do List Manager

Easy 3G Sharing on Mac with FONspot

Comments
17

View all comments »

Andrew Thursday, January 25 2007

I think that the piece above raises a good point – simply having “https://” is simply not enough to put my mind at ease about disclosing my personal information to a website. In terms of what I look for in a web application before I sign up for it, a very important factor for me is if there is a brick-and-mortar component to the company. For instance, I feel confident going to my bank’s website to check the balance of my checking account. If there is a problem, I can call the bank to confirm the problem. Another important attribute for an online service to have is press coverage. Not to beat a dead horse in regards to banks, but if an online banking company has had press coverage, then to me, that means that there has been some investigation of that site, and that any difficulties or suspicious aspects or activities would have been reported. It is after that, that I can do my own investigation of the site.

Share
Facebook

Tweet
azman Friday, January 26 2007

can we really trust online banking?
i think we should..but its difficult really…

http://www.diyanazman.com

Share
Facebook

Tweet
Amie Gillingham Friday, January 26 2007

I wouldn’t be so quick to distrust a site that uses PayPal as its online payment component. For many smaller (or newer) online businesses, it’s an excellent way to handle the security issue and actually ensure the safety of one’s financial information. Our business currently uses PayPal exclusively for our subscription service to our website because they’re set up to handle recurrent payments and we don’t have access to any of our members’ financial information. In many ways, it’s like OpenID in that you set up once and can use that information in the places that are set up to accept it.

Share
Facebook

Tweet
Judi Sohn Friday, January 26 2007

Amie, I wasn’t discounting the site on the fact that payment was through PayPal alone. Like you said, there are a lot of advantages to it. I was looking at their payment method in combination with all the other factors…private domain registration, no information about the company, etc. to form an overall opinion about the level of trust. If they provided a contact address or talked about the technology they used and they happened to use PayPal, I wouldn’t have any complaint.

Share
Facebook

Tweet
boredandblogging Friday, January 26 2007

Just playing devil’s advocate here, but whats wrong with just using a fake name? If the site isn’t trying to validate any of the information (which it shouldn’t be), just call yourself “Judi Smith.”

Share
Facebook

Tweet
Amie Gillingham Friday, January 26 2007

@Judi

Yes, I agree, that in combination would make me a little leary as well.

Share
Facebook

Tweet
jason knight Friday, January 26 2007

Hi,

I’m Jason Knight the CEO of Wesabe, and we seem to be in the same space as the company that Judi writes about. At the risk of plugging our service here is how we handle trust and personal information: You can call me 800.511.8544 (12-4pm PST seven days a week) if you have any queastions about our privacy or security policies (or anything else you want to talk about). You can also email me jason@wesabe.com. All of our support email is handled by the developer who writes the code, and our goal is to be as close as possible to our users.

We must earn trust every day, but we are succeeding…we know it because our users tell us so.

Share
Facebook

Tweet
Island in the Net Saturday, January 27 2007

The issue has nothing to do with web security but in the way personal financial information is handled. Your Aunt does not use online banking or shop online because she is worried about data privacy but she most likely gladly hands over her credit or debit card to a waiter or gas attendant who walks away to authorize a purchase.

As long as your financial data is available on a database in some networked environment it is potentially as risk.

An exercpt from this article here:

6.1.5 Financial security

Consumers also have legitimate concerns about using their credit/debit cards to make on-line payments – especially internationally.

There have been some spectacular cases of ‘hacking’ of credit card numbers from on-line banks and other companies (most of which are kept out of the public eye). Mike Webb (one of the authors of this report) himself experienced fraudulent use of his credit card as a result of making legitimate on-line transactions in 1999.

Although standards have improved, security experts such as Bruce Schneir[4] have identified the fundamental insecurity of computer-based systems, ensuring that hackers and others will continue to exploit security weaknesses on computer systems used by both businesses and consumers.

Schneir identifies a number of generic problems in trying to achieve 100% security using computer-based systems:

· Increasingly complex operating systems will inevitably include exploitable weaknesses unforeseen by software designers[5]

· It only takes one person to discover a security hole or weakness, and the information can be published globally (via secret hacking sites) to thousands of other hackers in a matter of minutes

· Security should be considered a process, not a product. It is only as secure as the weakest link, which is almost always people.[6] For example, as has often been reported, most users choose insecure passwords. ‘Cracking’ software can recover 20 per cent of all passwords in a few minutes, and 90 per cent of all passwords in less than a day.[7]

In addition, it should be noted that even in the West, where companies have several years’ experience operating networked systems, many companies have lax security policies. According to figures from the UK Department of Trade and Industry (DTI), about 33 per cent of UK businesses still do not have a firewall between their websites and their internal computer systems, leaving them vulnerable to hackers. And 66 per cent do not have intrusion detection systems, which could detect hackers if they penetrated other defences.[8]

However security experts also acknowledge that on-line financial transactions, such as the use of credit/debit cards, while never 100% secure, are likely in general to be more secure than off-line transactions.

Share
Facebook

Tweet
sc Saturday, January 27 2007

In our society, people trust a website, an individual or an organization because they know that other people trust that website, individual or organization. Pagerank seems to be a good indicator of trustworthiness and I use that a lot. A longer green bar on my google toolbar means (to me) means that a lot of other important websites vouch that the particular website I’m visiting is trustworthy.

Share
Facebook

Tweet
alan p Saturday, January 27 2007

I think trust will be a bigger issue in 2007 than previously, because so many of the social media services are being “gamed” by less salubrious people far more

Share
Facebook

Tweet

View all comments »

Join the conversation