Should Retailers Fight For Their Customers' Privacy? Only If You Like Having Customers

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

When Ford Motor Company, wanted to investigate the sale of counterfeit parts on eBay (and payments for those parts on its affiliate, PayPal), it subpoenaed seller records from these companies. What it did next, although perfectly legal and even reasonable, may have troubling implications for commerce and privacy. Because the Dearborn, Mich., automaker did not want the sellers to know they were under investigation, Ford got a court order not only requiring eBay and PayPal to pony up the records but also removing the requirement that eBay and PayPal tell the sellers that Ford wanted their names, addresses, records of sales and bank account information.

Remember those pesky privacy policies that say, "We will never give out your information without your knowledge or consent?" Well, not so much. Especially if someone appointed for life by the President of the United States says we can't tell you. The court's secrecy ruling essentially tips the privacy policies of eBay and PayPal on their end and says that anyone can get your records without you knowing about it if that someone has enough well-paid lawyers.

Ford appeared to be concerned that a dozen or so eBay sellers were selling counterfeit Ford parts and filed a John Doe lawsuit in federal court in Detroit against the unnamed sellers. The next step for the carmaker was to find out who these "John Does" really were. So Ford requested that the court permit it to have discovery—before the lawsuit was even served on the unknown defendants—of information about the identities and the activities of the John Does.

Ford requested not only identity information, including names, addresses and contact information, but also transaction information such as bank account information, records of sales and listings. The court essentially said, "OK, fine. But where you have the E-mail addresses of the alleged perpetrators, either eBay or PayPal must notify their customers and let them know both that they are being sued by Ford, that their records are being requested and that they have a right to defend themselves against the lawsuit."

Ford objected, saying that notifying someone that they are being sued "would serve to 'tip-off' or warn the Doe defendants of Ford's investigation. Under the procedure as written, the Does would have notice that Ford was seeking their identities and thus ample time to destroy evidence, the counterfeit and infringing goods, and flee to avoid service all before Ford would be entitled to receive their true identities." So the court removed the requirement that eBay and PayPal notify (actually subpoena) their customers.

The case is troubling for several reasons. First, let's start with the basic idea that if a consumer is being sued, they have a right to know that they are being sued and to defend themselves. Although the allegations of copyright infringement made by Ford are serious, let's not forget that they are just that—allegations. Not a whiff of evidence has been presented to show that they are true—at least not yet.Not only don't these sellers know they are being sued, but they don't know—and have no way to know—that their personal information will soon be in some corporate office in Dearborn being poured over by a bunch of high-priced trademark attorneys. Probably not what they thought would happen when they signed up for PayPal or eBay. But, OK. eBay's privacy policy does say (and it would be true even if it didn't say) that generally, "We will not otherwise disclose your personal information to law enforcement, other government officials or other third parties without a subpoena, court order or substantially similar legal procedure."

So there is a subpoena. And that subpoena trumps the privacy policy. So what's the problem here?

Online merchants, service providers and, indeed, all merchants need to understand who their customers are. Most privacy policies—including those of eBay, PayPal, Google, Amazon, etc., essentially say, "We will protect your privacy but will also comply with subpoenas." Fine, as far as it goes. But who will fight these subpoenas? In a civil context, it is almost trivial to get a subpoena. All you have to do is file a lawsuit (typically a John Doe lawsuit will do), and then with a few simple steps, you—meaning anyone—has the ability to ask a court for information about your customers.

The problem for retailers is that there is no money to be made in fighting a subpoena. It's much easier to just pull together the requested documents, and then shoot them over to the lawyers. This is particularly true when the records relate to old transactions or a former customer or where the customer (buyer or seller) is not the one with whom you have a financial relationship.

So for companies like Google or Facebook, where the customer doesn't pay for the service, is it worth it to them to spend hundreds or thousands of dollars to fight a subpoena for a customer who never pays the company a dime? Probably not. As a compromise, most entities that receive a subpoena do one of two things. Either they simply comply with the subpoena (hey, we are legally protected), or they notify their customer about the subpoena, wait a bit and, if they don't hear from the customer, then comply.

Neither of these options really respects the privacy of the customer, although the notice provisions help.

I think merchants have a duty to at least try to protect the rights of their customers. The information requested by Ford—or, indeed, by anyone—is not just eBay's or PayPal's. It is the customers' information, and the merchant is acting as a custodian for it. When a merchant sells an item or provides a service, it is also saying that it will protect the information about that transaction consistent with its privacy and security policies. A mere piece of paper (which is all a subpoena is) is not sufficient to overcome the privacy rights of the customer. The customer expects the merchant to fight on his or her behalf—at least a little.But what about Ford's concerns? Notice that Ford never provided any evidence that these particular John Does were likely to destroy evidence or avoid service of process. Any time you tell someone they are being sued you "tip off" the defendant, and yet tens of thousands of lawsuits proceed this way every day. In fact, many jurisdictions require, or at least suggest, that entities attempt to negotiate a settlement or resolve a dispute before filing a lawsuit.

Ford certainly had the contact information for the sellers—it arranged purchases from them and had already communicated with them. Most of the records that Ford wanted—the eBay and PayPal transaction records—were not capable of being effectively deleted or destroyed by the John Does, because they were stored by eBay and PayPal. An allegation that someone could avoid service of process or destroy records is not the same as proof that they will. The presumption should be that when you subpoena records about a customer from a third party, the customer is notified and given an opportunity to object and only where there is proof that secrecy is essential can this step be dispensed with. Otherwise, these privacy policies mean nothing.

It's just good business for merchants and service providers to protect the rights of their customers.

One thing overlooked in the Ford v. Doe case is the fact that the court did not order PayPal and eBay not to tell their customers. There was no protective order. The court simply said that PayPal and eBay were no longer required to tell their customers. They were free to do so, if they wanted. And if I were eBay and PayPal, without some evidence of imminent destruction of records or fleeing the jurisdiction, I would certainly tell my customers. And I bet if someone subpoenaed Ford for records about its customers, the automaker would do the same.

According to Motoramic, eBay's policies don't clearly say whether it notifies users in civil cases; it does promise law enforcement agencies investigating crimes to keep their probes secret. Other large Internet firms typically disclose any civil subpoenas or pass them on to users.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.