Friday, September 29, 2006
AOL's Privacy Policy on Trial
AOL's privacy policy and how it is interpreted by the courts and federal government will be in the spotlight as two separate actions against the company move forward. In the latest reaction to AOL's erroneous posting of some of its members' search term data this past August, two unnamed California residents and Kasadore Ramkissoon of Richmond County, N.Y., have filed suit against the Internet service provider in the U.S. District Court in Oakland, Calif., alleging violations of the Electronic Communications Privacy Act, as well as California state law. Their suit, which is seeking class action status, follows separate requests made last month by two privacy advocacy groups -- the Electronic Frontier Foundation and the World Privacy Forum -- that the Federal Trade Commission investigate AOL's actions. The search term data disclosure, according to the World Privacy Forum's filing, violated FTC laws that hold companies accountable for statements made in their privacy policies.
AOL's release of the data understandably struck a nerve among Internet users. While it is doubtful that many people would object to the disclosure that they once shopped at the now defunct eToys (the scene of another battle over privacy on the Internet a few years ago when the firm tried to sell its customer list as part of bankruptcy proceedings), many of the AOL revelations were not so innocuous. Many Internet users have at one time or another typed in very personal or unusual requests for information that they would prefer not to be connected with publicly. For the record, AOL maintains that it did not deliberately release users' data, and in actuality, the data was not directly linked to users' names. Due to employee error, the company accidentally posted to an AOL public Web site search term queries made by 650,000 of its users over a three-month period that were meant for the use of academic researchers. Unfortunately, the data was organized so that it was relatively easy to identify some of the members who had made the queries.
While the incident was no doubt personally mortifying to some, there are only a few narrow avenues litigants can explore that might lead to AOL being held liable by the courts or the government. The outcome depends entirely on how the company's privacy policy is interpreted.
"State and federal law, and AOL's own privacy policy, will shape this case," Claudia Callaway, a partner with Manatt Phelps & Phllips said. In previous statements, AOL has acknowledged that the release was a violation of internal policies. However, the company claims that it did not violate the privacy policy provided to its members. In general, privacy policies -- usually vetted by legions of attorneys -- are written to give companies as much wiggle room as possible to play with their customers' data. Vague language can be a doubled-edged sword, however, that can sometimes work to customers' advantage as well. For instance, a privacy policy that states the company will collect data to conduct research about a customer's use of the Internet does not necessarily give the company the right to share that data. Additionally, sharing does not necessarily imply the right to public release. Another subject of dispute is whether AOL actually identified its members or not. Predictably, AOL claims it did not, placing the blame for their exposure on members who conducted so-called "vanity searches," or searches for their addresses or work places. A case can be made, however, that AOL all but connected the dots to identify which users searched for which terms.
Not every argument made by the plaintiffs or by AOL is likely to succeed, attorneys contacted for this article agree. For instance, AOL might argue in court that the employees responsible for the release of member data did not follow internal policies. It will be an uphill climb, though, to sell that argument. "Under most federal and state laws, the burden is on the company to demonstrate that it had adequate controls to prevent an inadvertent release of protected information," Callaway said.
Conversely, if the plaintiffs cannot prove that AOL violated its privacy policy, they may have an equally difficult time in court, suggested Chip Babcock, a partner with Jackson Walker in Houston and Dallas. "There have been a number of different arguments made that could apply -- but have been rejected by various courts," he said. "Claims such as 'I didn't read it,' 'I couldn't be expected to read it,' or 'It is an unconscionable policy,' have all been unsuccessful" in the past, he said.
Brought to you by the Guardian eCommerce Privacy Seal Program.
AOL's release of the data understandably struck a nerve among Internet users. While it is doubtful that many people would object to the disclosure that they once shopped at the now defunct eToys (the scene of another battle over privacy on the Internet a few years ago when the firm tried to sell its customer list as part of bankruptcy proceedings), many of the AOL revelations were not so innocuous. Many Internet users have at one time or another typed in very personal or unusual requests for information that they would prefer not to be connected with publicly. For the record, AOL maintains that it did not deliberately release users' data, and in actuality, the data was not directly linked to users' names. Due to employee error, the company accidentally posted to an AOL public Web site search term queries made by 650,000 of its users over a three-month period that were meant for the use of academic researchers. Unfortunately, the data was organized so that it was relatively easy to identify some of the members who had made the queries.
While the incident was no doubt personally mortifying to some, there are only a few narrow avenues litigants can explore that might lead to AOL being held liable by the courts or the government. The outcome depends entirely on how the company's privacy policy is interpreted.
"State and federal law, and AOL's own privacy policy, will shape this case," Claudia Callaway, a partner with Manatt Phelps & Phllips said. In previous statements, AOL has acknowledged that the release was a violation of internal policies. However, the company claims that it did not violate the privacy policy provided to its members. In general, privacy policies -- usually vetted by legions of attorneys -- are written to give companies as much wiggle room as possible to play with their customers' data. Vague language can be a doubled-edged sword, however, that can sometimes work to customers' advantage as well. For instance, a privacy policy that states the company will collect data to conduct research about a customer's use of the Internet does not necessarily give the company the right to share that data. Additionally, sharing does not necessarily imply the right to public release. Another subject of dispute is whether AOL actually identified its members or not. Predictably, AOL claims it did not, placing the blame for their exposure on members who conducted so-called "vanity searches," or searches for their addresses or work places. A case can be made, however, that AOL all but connected the dots to identify which users searched for which terms.
Not every argument made by the plaintiffs or by AOL is likely to succeed, attorneys contacted for this article agree. For instance, AOL might argue in court that the employees responsible for the release of member data did not follow internal policies. It will be an uphill climb, though, to sell that argument. "Under most federal and state laws, the burden is on the company to demonstrate that it had adequate controls to prevent an inadvertent release of protected information," Callaway said.
Conversely, if the plaintiffs cannot prove that AOL violated its privacy policy, they may have an equally difficult time in court, suggested Chip Babcock, a partner with Jackson Walker in Houston and Dallas. "There have been a number of different arguments made that could apply -- but have been rejected by various courts," he said. "Claims such as 'I didn't read it,' 'I couldn't be expected to read it,' or 'It is an unconscionable policy,' have all been unsuccessful" in the past, he said.
Brought to you by the Guardian eCommerce Privacy Seal Program.
Friday, September 15, 2006
How to Choose the Right Web Host for Your Business
It may seem simple, yet it is often overlooked. When it comes to choosing the right Internet hosting provider for their Web sites, the majority of business owners or companies know very little about making the best Internet/Web hosting decisions. What makes a good Internet/Web hoster for a business Web site? What makes a bad one? How can the wrong Internet/Web hoster help/harm your business? What are the different types of Internet/Web hosting services? Which ones are best for which industries? Here are some tips to help you make the right decisions:
1. Understand the distinctions between shared, collocated, unmanaged dedicated and managed dedicated hosting so you choose the one that is right for your business. It is crucial to understand the difference between the types of hosting offered. As the hosting industry has matured, hosting offers have split into a couple of distinct categories, each with its own strengths and weaknesses.
Shared hosting (sometimes called virtual hosting), means that you are sharing one server with a number of other clients of that company. The host manages the server almost completely (though you maintain your site and your account). They can afford to charge you little since many clients are paying for use of the server. However, companies other than yours are using the resources of that server. That means heavy traffic to one of the other sites on the server can really hammer the performance of your site. Also, you are typically not able to install special software programs on these types of machines, because the host will need to keep a stable environment for all of the clients using the server.
Collocated hosting means that you purchase a server from a hardware vendor, like Dell or Hewlett-Packard, for example, and you supply this server to the host. The host will then plug your server into its network and its redundant power systems. The host is responsible for making sure its network is available, and you are responsible for all support and maintenance of your server. Good hosters will offer management contracts to their collocation clients so that you can outsource much of the support to them, and come to an arrangement similar to managed dedicated hosting. Most collocation hosts do not offer this service, however.
Unmanaged dedicated hosting is very similar to collocation, except that you lease a server from a host and do not actually own it yourself. Some very limited support (typically Web-based only) is included, but the level of support varies widely from unmanaged dedicated host to unmanaged dedicated host. This type of server can be had for around US$99/month. Support levels are typically only provided in general terms. Ask the host to go into specifics about what support they will provide -- will they apply security patches to your server? -- before signing up. This service is typically good for gaming servers (like Doom or Counterstrike servers) or hobbyist servers, but not for serious businesses that need responsive, expert-level service.
Managed dedicated hosting means leasing a server from a host and having that company provide a robust level of support and maintenance on the server that is backed by quality guarantees. This maintenance typically includes services such as server uptime monitoring, a hardware warranty, security patch updates and more. Make sure your managed dedicated host is specific about its managed services included so that you can be sure they are not disguising an unmanaged dedicated offering as a managed dedicated server. This has been known to happen, unfortunately, which is why it is important to do your homework and ask the right questions.
2. Ask if your potential host's network has blackholed IPs. Many hosts care little about who is actually hosting on their networks, so long as the clients pay their bill. That means many hosters will allow porn sites, spammers and servers that create security issues on their network for the sake of the dollar. Even if you are to place ethical issues aside, this does have a negative impact on customers in general, such as when a network gets blackholed for spamming, for example.
Getting blackholed means that other networks will refuse e-mail originated from IPs that are blacklisted. Some hosts have a number of entire class C (up to 256 IPs) networks blackholed, and redistribute these tainted IPs to new clients. That means if your business relies on legitimate closed loop opt-in e-mail marketing to drive sales, being on such a network can severely cut response to your campaign because your e-mail may never get to its destination. Check with any hosts you are considering to see if their networks are blackholed. Also, here is a link to a third party source that tracks blackholed networks and lists them: www.spamhaus.org/sbl/isp.lasso
The following URL is a good resource to help you understand what is labeled spam and what isn't: www.spamhaus.org/mailinglists.html
3. Don't confuse size with stability. Just because a Web hosting company is big does not mean it is stable and secure. In fact, many of the biggest filed for bankruptcy protection or were saved by being sold to some other company -- in some cases causing uncomfortable transitions in service for their clients. How do you protect yourself? Ask some key questions: How long has the host been in business? Is current ownership the same as always? Are they profitable and cash flow positive from operation-generated revenue?
4. Don't make price your only priority. The old saying "you get what you pay for" applies to most things in life, and hosting is certainly one of those things. When you over-prioritize price, you run the risk of ending up with a host that will provide you with a connection to the Internet and little else in terms of support (and even that connection may be running at maximum capacity or have uptime issues).
5. Make sure your host has fully redundant data centers. When dealing with smaller vendors, make sure that they have their own data centers, and that those data centers are fully redundant in terms of power and connectivity. Here are a few questions to ask: How many lines do they have coming into the facility? What is the average utilization of their connections? (No matter how large the connection, if it is running at maximum capacity it will be slow.) Do they have redundant power to the servers? Do they have a generator on-site? How often do they test their generator? What sort of security measures do they have in place for the network? What physical security do they have?
What type of fire suppression systems do they have in place?
6. Find out if they have actual experienced systems administrators on their support staff. When you call in for technical support, it can be a frustrating experience to be stuck talking with a non-technical "customer service" representative when you really need to talk to a systems administrator who can resolve your issues. Find out the structure of their support department, how quickly you can get to an actual systems administrator when you need to, and which systems administrators can help you when you need help.
7. Make sure the host is flexible. It is important that the hoster understands how important quality servers are to their clients' businesses. Even most managed dedicated hosts will not go near supporting applications that are not part of their initial server setup. Find a hoster that has a vast amount of experience to support a wide variety of applications, and one that can bring that expertise to you through their services.
8. Find out what their former/current clients say about them. Can your prospective host provide you with success stories for clients with similar configurations to yours? Are they able to provide references from clients who can tell you about their experience using that company?
9. Make sure the host's support doesn't include extra charges. Make sure any host you consider provides you with a comprehensive list outlining the support they offer so that you can have an understanding of what is supported for free, what is supported at a fee, and what is not supported at all. Many hosts will try to hide a sub-standard level of free support behind non-specific statements of high quality support, so make them get specific to win your business.
Brought to you buy the Guardian eCommerce Privacy Seal Program.
1. Understand the distinctions between shared, collocated, unmanaged dedicated and managed dedicated hosting so you choose the one that is right for your business. It is crucial to understand the difference between the types of hosting offered. As the hosting industry has matured, hosting offers have split into a couple of distinct categories, each with its own strengths and weaknesses.
Shared hosting (sometimes called virtual hosting), means that you are sharing one server with a number of other clients of that company. The host manages the server almost completely (though you maintain your site and your account). They can afford to charge you little since many clients are paying for use of the server. However, companies other than yours are using the resources of that server. That means heavy traffic to one of the other sites on the server can really hammer the performance of your site. Also, you are typically not able to install special software programs on these types of machines, because the host will need to keep a stable environment for all of the clients using the server.
Collocated hosting means that you purchase a server from a hardware vendor, like Dell or Hewlett-Packard, for example, and you supply this server to the host. The host will then plug your server into its network and its redundant power systems. The host is responsible for making sure its network is available, and you are responsible for all support and maintenance of your server. Good hosters will offer management contracts to their collocation clients so that you can outsource much of the support to them, and come to an arrangement similar to managed dedicated hosting. Most collocation hosts do not offer this service, however.
Unmanaged dedicated hosting is very similar to collocation, except that you lease a server from a host and do not actually own it yourself. Some very limited support (typically Web-based only) is included, but the level of support varies widely from unmanaged dedicated host to unmanaged dedicated host. This type of server can be had for around US$99/month. Support levels are typically only provided in general terms. Ask the host to go into specifics about what support they will provide -- will they apply security patches to your server? -- before signing up. This service is typically good for gaming servers (like Doom or Counterstrike servers) or hobbyist servers, but not for serious businesses that need responsive, expert-level service.
Managed dedicated hosting means leasing a server from a host and having that company provide a robust level of support and maintenance on the server that is backed by quality guarantees. This maintenance typically includes services such as server uptime monitoring, a hardware warranty, security patch updates and more. Make sure your managed dedicated host is specific about its managed services included so that you can be sure they are not disguising an unmanaged dedicated offering as a managed dedicated server. This has been known to happen, unfortunately, which is why it is important to do your homework and ask the right questions.
2. Ask if your potential host's network has blackholed IPs. Many hosts care little about who is actually hosting on their networks, so long as the clients pay their bill. That means many hosters will allow porn sites, spammers and servers that create security issues on their network for the sake of the dollar. Even if you are to place ethical issues aside, this does have a negative impact on customers in general, such as when a network gets blackholed for spamming, for example.
Getting blackholed means that other networks will refuse e-mail originated from IPs that are blacklisted. Some hosts have a number of entire class C (up to 256 IPs) networks blackholed, and redistribute these tainted IPs to new clients. That means if your business relies on legitimate closed loop opt-in e-mail marketing to drive sales, being on such a network can severely cut response to your campaign because your e-mail may never get to its destination. Check with any hosts you are considering to see if their networks are blackholed. Also, here is a link to a third party source that tracks blackholed networks and lists them: www.spamhaus.org/sbl/isp.lasso
The following URL is a good resource to help you understand what is labeled spam and what isn't: www.spamhaus.org/mailinglists.html
3. Don't confuse size with stability. Just because a Web hosting company is big does not mean it is stable and secure. In fact, many of the biggest filed for bankruptcy protection or were saved by being sold to some other company -- in some cases causing uncomfortable transitions in service for their clients. How do you protect yourself? Ask some key questions: How long has the host been in business? Is current ownership the same as always? Are they profitable and cash flow positive from operation-generated revenue?
4. Don't make price your only priority. The old saying "you get what you pay for" applies to most things in life, and hosting is certainly one of those things. When you over-prioritize price, you run the risk of ending up with a host that will provide you with a connection to the Internet and little else in terms of support (and even that connection may be running at maximum capacity or have uptime issues).
5. Make sure your host has fully redundant data centers. When dealing with smaller vendors, make sure that they have their own data centers, and that those data centers are fully redundant in terms of power and connectivity. Here are a few questions to ask: How many lines do they have coming into the facility? What is the average utilization of their connections? (No matter how large the connection, if it is running at maximum capacity it will be slow.) Do they have redundant power to the servers? Do they have a generator on-site? How often do they test their generator? What sort of security measures do they have in place for the network? What physical security do they have?
What type of fire suppression systems do they have in place?
6. Find out if they have actual experienced systems administrators on their support staff. When you call in for technical support, it can be a frustrating experience to be stuck talking with a non-technical "customer service" representative when you really need to talk to a systems administrator who can resolve your issues. Find out the structure of their support department, how quickly you can get to an actual systems administrator when you need to, and which systems administrators can help you when you need help.
7. Make sure the host is flexible. It is important that the hoster understands how important quality servers are to their clients' businesses. Even most managed dedicated hosts will not go near supporting applications that are not part of their initial server setup. Find a hoster that has a vast amount of experience to support a wide variety of applications, and one that can bring that expertise to you through their services.
8. Find out what their former/current clients say about them. Can your prospective host provide you with success stories for clients with similar configurations to yours? Are they able to provide references from clients who can tell you about their experience using that company?
9. Make sure the host's support doesn't include extra charges. Make sure any host you consider provides you with a comprehensive list outlining the support they offer so that you can have an understanding of what is supported for free, what is supported at a fee, and what is not supported at all. Many hosts will try to hide a sub-standard level of free support behind non-specific statements of high quality support, so make them get specific to win your business.
Brought to you buy the Guardian eCommerce Privacy Seal Program.
Saturday, September 02, 2006
Get The Privacy Seal
Deny customer assurance, lose your customer. The Guardian eCommerce Privacy Seal Program is an extremely affordable Internet business solution essential to help increase online sales. Online customers will buy often from your Internet business, if they can trust it. Site credibility pays! Visit Guardian eCommerce to learn more about the Privacy Seal Program.
