Heritage Auction's privacy - or lack of it (rant warning)

So I'm in the process of writing a letter to the head of HA due to severe privacy concerns. And I question Ebay's part in this as well since both were in "cahoots" to make this information exchange happen.

This started with an ebay purchase - directly from my wife's unrelated ebay account.

My wife won an ebay auction from hnai (heritage's ebay arm I guess?).

A couple days later, I receive an e-mail on my own unrelated personal e-mail from HA saying that I'd won one of their auctions (which I hadn't bid on) and my package was being shipped. Knowing that I hadn't bid on HA and certainly hadn't paid for anything, I verified that the e-mail was legit (no exploits or malware links) and verified the phone number before calling what was listed in the e-mail.

I reached HA and they told me that "their sales software" had found the same last name for the ebay purchase. They then correlated the purchase of my wife (and address, and complete information disclosed in an e-mail over public internet) to my "view" account with HA. I only ever used the account to view coins and auctions. I've never purchased from them. All they had was my first/last names - not my wife's.

They immediately linked these two accounts (ebay - my wife's and my disparate e-mail account from HA) and built the correlation between the two.

They then AUTOMATICALLY added me to their "My Collection" software which creates an inventory of my coins, and links all my preferences.

All of this happened within HA's sales software from partial information - and without authorization or consent for my permission - or my wife's from her ebay information.

Exact text from HA e-mail (which has no correlation to my wife's ebay account):

"Congratulations on your recent purchase. We have added your purchases to our free MyCollection software. With it, you can manage all aspects of your collection, with features such as the current market value for your coins, easy item entry (bar code, wizard bulk loader, and manual entry), prices realized auction history, data exporting and custom categorization of your collections."

For those that think this is "neat and convenient" you should consider how your information is being shared, and the fact that HA can use this (and probably already is) to build a bid/sell pattern from your ebay account without your permission.

Needless to say, my next two actions are to write a letter to HA regarding their "lack of" privacy and exploitive information controls. And to close my account and request they remove all of my information permanently.

 

Log in or Sign up to hide this ad.

I don't see what eBay has to do with this.

You purchased something from Heritage via their eBay store front (HNAI is Heritage Auctions). They then proceeded to link that information with their already existing database of registered Heritage customers.

This "complaint" would be much more convincing if you would actually read the fine print and point out where this supposed breach of your privacy occurred -- outside of the normal business operations of Heritage. By signing up for Heritage, you agreed to all kinds of fine print. And, having completed a transaction through eBay's front end for Heritage, I don't see the grievance here.

Can you point out exactly where Heritage broke the rules here? As it's currently written, your complaint comes across as a paranoid, tin-foil hat wearing, diatribe.

 

I think he means that all heritage has is his name as its a research-only account with No address or credit card to cross reference his wife's ebay account with his heritage account so how did they link the 2 by last name only? Am I correct brett?

 

100% correct. Wife won an ebay auction on ebay's site. Regardless of seller, that was a disparate transaction. They "magically" linked to my personal account on HA without authorization or confirmation.

Was it correct data correlation? Yes. Had this been another site practicing in this? Different results.

If my wife was buying something and didn't want me to know - now I know. (Birthday present, secret stash, whatever it was). Her privacy was violated without explicit consent to link the accounts.

If this had been another business in another line of work - correlating a purchase would violate privacy of ebay's information.

Linking accounts involved in financial transactions without express written consent is ethically wrong. There was zero relation between HA and Ebay accounts - and there was little - if any - validity to link the two other than a common last name.

For anyone named Smith, Jones, Martinez, etc.... This should be a giant red flag.

 

I'm still waiting for a direct reference to which privacy statements were breached in the respective fine print from Heritage and HNAI (also Heritage). Ethics, morals, and other subjective opinions of wrongdoing are irrelevant unless something broke a contractual privacy statement.

 

I seriously doubt you'd find Bett's description of the scenario in a privacy statement. There are tons of things they wouldn't list in such a privacy statement, and "we won't connect your account to someone else's and tell them about your purchases" is not anything a normal person would expect them to do, let alone tell you in advance that they won't do it. Similar to asking them why "we do not cheat on our taxes" is not listed in their TOS.

 

My overarching point is that there has to be part of the story missing here. Heritage had to have had his address or some other piece of information to make the linkage. The eBay account is not the important point here, but rather the payment method used to pay for the purchase. Maybe the account used to pay had his name on it, despite it being his "wife's account"...? Or maybe Heritage had his address information for his "browsing only" account, and he forgot he entered it there? Concocting some nefarious back story to how Heritage must have had ill intent to do such a thing seems a stretch to me.

It's not as if Heritage sold his contact information to a 3rd party. People get all bent out of shape about things like this all the time, and I'm quite certain that in the details of what really happened there is a logical explanation. I wonder, does the OP also not use credit cards? Never shop at nationwide (or international) retailers? All of these types of transactions are open to being linked and data dredged by marketing analysts. I don't understand the immediate leap to how Heritage linking two accounts is somehow illegal or immoral.

 

I understand and would generally agree with you. There are far too many "the sky is falling" reports about such things. But he tells us:

which unless we aren't to believe him, or to believe that the HA person he talked to just made that up, is a scenario that seems very odd and inappropriate to me. Perhaps as you're thinking, there is more to the story that hasn't been told. Hopefully Brett will hear back from his letter and let us know the conclusion.

 

Hopefully now you have a better understanding of why anyone with knowledge of online data collection procedure - including the Electronic Frontier Foundation - is screaming at the top of their lungs and filing lawsuits over the issue. Everybody who can is doing this kind of data acquisition and sharing. Windows 10 does it for Microsoft by default, for crying out loud.

This is the Internet. They will take, collate and share any information you provide.

 

Disparate accounts, names, no linked banks, no linked credit cards, no linked PayPal information.

I'm veteran of this stuff and work with information security for a living. The link between the two was leveraging disparate account information to make the correlation.

There is ZERO connectivity or correlation between what my wife does on Ebay (with her business account) and my personal login to HA. They made the correlation on name only and without permission.

I do not mix accounts. I know better, and have procedures and protocols that I follow to make sure accounts remain disparate.

I spoke to the HA rep already. They told me how it happened, and even they were shocked at how they assumed and correlated the two disparate entities to link the account.

They have software doing this and it's breaking ethical boundaries that should be in place for privacy.

I'm not here to argue the point, and won't any further.

I could dig into the NIST best practices and quote a bunch of techno mumbo jumbo that most won't get, but it would all fall on deaf ears.

I will leave with this - if they had correlated incorrectly and linked my wife's account to the wrong person and sent them the information of what was purchased - and when to expect the shipment, I'd have justifiable cause for a lawsuit for breach of privacy.

 

But they didn't, and you don't. Just saying.

Whatever "magical" behind the scenes information they had was correct. I'd still put my money on a street address or some unknown (to you) linkage of electronic accounts like a credit card, etc. If you and your wife have any joint accounts, then you could be linked via your credit reports.

 

Added qualification above.

Arguing that "this is okay because they guessed right" doesn't carry any water in the world of actual business policy. Specifically, if you're dealing with businesses that operate with this amount of slack, you'd better be sure you aren't going to, oh, I don't know, move. Or divorce or remarry.

I don't know if there are laws that HA is breaking here. (I do know that if they'd done something similar with health information, under HIPAA regulations they would be in a world of well-defined legal hurt.)

The bigger question, though, is why would they do this in the first place? If someone buys something from them through an eBay auction, they can feel free to set up a new account for that eBay customer, and maybe even ask whether they'd like to use an existing HA account instead. But doing this automatically, and leaking potentially sensitive financial information to boot, is a Really Big Screw-Up. Having the same last name, or address, or even last name AND address as someone else DOES NOT automatically imply permission to share arbitrary purchase information.

 

An auction house with no financial transaction history ought not to be doing this.

I know full well that it can be done, and what correlation of information is available. There is an ethical boundary that is crossed when you do it.

It's like using the credit reporting system for sales leads. It can be done, but it's unethical and there's potential for illegal activity.

 

It's reasonable to expect that Heritage will create their own customer account for you when you make a purchase with them through eBay. The linking was likely done in an attempt to prevent duplicate accounts from being created.

Honestly how many times do you think a numismatic auction house that most people haven't heard of will get two accounts created from the same household with the same last name where it really isn't pretty much okay for them to be linked? Granted it's theoretically possible for this to happen, say if you move and sell your house to another numismatist that shares your last name and then you also forget to update your address with Heritage while they create a new account with their updated address. Is this really happening though?

Your example of a gift purchase makes what you experienced possibly annoying, sure, but saying it's unethical is a big stretch. This isn't protected healthcare information we're talking about.

 

Holy Cow, man, I had no idea it was that bad. And you're obviously far more sophisticated than I (just a half-educated layman) with this stuff; you have to be livid. Wonder how many people are now wondering what the heck Heritage Auctions is spamming them for?

 

What Heritage Auctions did is unneeded and totally unnecessary. I have to wonder exactly how much legitimate business is garnered through all this data dredging. I do know it fuels spam email and junk snail mail. That's obvious.

What we don't know is how many incidents there are of our information landing in the hands of people who we don't want to have our information. That, to me, is the privacy issue.

 

UPDATE - and a great one!

I received a call from HA's privacy and compliance folks this afternoon. I'm not sure it it was prompted by my escalation with their customer service - or if they lurk here and just put 2+2 together.

They understand and agree that there was a boundary that was crossed -and they also understand that this could be a serious issue going forward.

AND - they are going to take active steps to correct the issue. They agree that PII (Personally Identifiable Information) should be treated with the utmost respect and that they need to validate and get some sort of approval before something like this takes place in the future. For lack of a better term - build an ethical firewall.

Whatever the source - the result is - I could not be happier with HA's response to the issue and their commitment to review their customer's data privacy handling procedures.

It was very clear from the call that they "get it" and will do what it takes to protect their customers.

To officially end the rant - I applaud their response and actions. It's absolutely wonderful to hear that a company is truly concerned and takes action in the right direction.

I'm a "white hat" in the cyber security world. I know what is possible, but I also understand the controls that should be in place. I bring this stuff to light in hopes of making good in the world. And surely pointing out what is bad. In this case, good came of the raised flag.

They will have me as a future customer.

 

I am glad to hear that they responded that way and do sincerely hope they are serious about stopping that from happening. The true danger with actions like that is that you have absolutely no way of knowing that the action occurred unless the software guessed right and you ended up with the email. Last names are shared among many people that don't have the slightest clue who each other are

 

Maybe go get a co

They were most likely getting ahead of a potential lawsuit

 

Let's hope that isn't the reason. Let's hope it is because they value their customers, and it's the right thing to do.