Spark

Pandemic online shopping boom has generated bumper crop of vulnerable personal data, e-commerce experts warn

The pandemic has driven consumers online for everything from groceries to outdoor heaters. But e-commerce experts caution that online sellers are netting not just revenue, but a treasure trove of personal data, too.

‘Dark patterns’ use deception to get consumers to buy

Online shopping in Canada has more than doubled since pandemic restrictions hit, and that has important implications for consumers and the privacy of their data, e-commerce experts say. (Giordano Ciampini/The Canadian Press)

Prior to the pandemic, Deb Pepler had never made a purchase online.

"My concerns initially were privacy and security, the fact that I really want to see something, touch it, feel it, before I buy it, and the personal interactions that I had as well," said Pepler, 69, a retired social worker who lives in Burlington, Ont., west of Toronto. 

"Some of the data breaches that I've heard about, like the Lifelabs data breaches, CRA, Equifax ... it's information like that that makes me very wary."

But it was hard to find masks for a while, and the shortage forced Pepler's hand. Her daughter showed her how to shop for them online, walking Pepler through the process until she became comfortable.

Since then she's made numerous buys online using sites like Amazon, Michaels and Mastermind Toys, where she shops for presents for her grandchildren.

Pepler is certainly not the only newbie online shopper on the virtual block. When the pandemic hit, e-commerce went through the roof, more than doubling in May 2020 compared to the same month the year before. Retail giants like Amazon have obviously benefited; Amazon hired more than 400,000 new employees between January and October of last year.

Shopify, an Ottawa-based platform that allows retailers and service providers to build simple, templated e-commerce websites, doubled its revenue in the first quarter of 2020 after the pandemic hit, then nearly doubled it again in the third

The company also had a significant data breach in September, after two support staff allegedly stole customer data from as many as 200 merchants.

WATCH | Grocery analysts explain why online grocery shopping may not be here to stay:

Boom in online grocery shopping may not continue post pandemic, experts say

The National

2 months ago
2:00
Canada’s three major grocery retailers made big investments in their online offerings when demand boomed during the pandemic, but some analysts don’t expect demand to continue at that level once the pandemic ends. 2:00

That's the sort of breach that concerns Pepler.

"My biggest worry is that some banking information could be accessed," she said. "But it's not just the financial stuff; it's identity theft as well."

Anteneh Ayanso, professor of information systems Brock University, said that before you add anything to your cart, data aggregators are already helping the merchant tailor recommendations to you. (Submitted by Anteneh Ayanso)

According to Anteneh Ayanso, a professor of information systems and founding director of the Centre for Business Analytics at Brock University, Pepler's concerns about her personal information are well-founded. Record growth in online sales has created a bonanza in data collection. All those names, email addresses, credit card numbers, locations and purchasing preferences make it easy to sell to us — or to steal from us.

"Right now, what you see is an urgency, the appetite for crunching and collecting data. You don't see the appetite for paying attention to some of the privacy concerns, some of the ethical considerations that need to be in place," he told Spark host Nora Young.

When we pull up a product page on a website, he said, there's a whole "e-commerce ecosystem" that goes beyond the merchant you're looking to for puppy kibble or sweatpants. 

Even before you add anything to your cart, data aggregators, including search engines, are already helping the merchant tailor recommendations to you, said Ayanso, who has a PhD in information systems.

Recommending a hoodie is one thing, but the online dossier can have a more sinister applications.

Building better passwords

Every time a merchant site is successful in netting you as a customer, it increases the chance your data could get in the wrong hands, said Alana Staszczyszyn, a cybersecurity consultant at Security Compass, a Toronto-based firm that specializes in software security. 

"Just know that the more information you put out, the higher the risk you have of it getting compromised," said Staszczyszyn.

This is all the more likely during the pandemic when public health measures have prompted "everybody and their sister" to put up a website, usually without resources for their own cybersecurity services, she said.

Cybersecurity consultant Alana Staszczyszyn said there are steps people can take to improve the safety of their passwords. (Laura MacNaughton/CBC)

Among the most common abuses of our data is credit card theft, said Staszczyszyn. "They get sorted into packages and get sold to criminals who want to use them for money laundering or just purchasing stuff."

She recommends memorizing only your most important passwords, such as the one you use for your email account, then using a password manager such as LastPass or KeyPass to generate and store complex passwords for things like shopping sites.

Alternatively, you can use long phrases based on a song lyric or movie quote. These are both hard to crack and easier to remember than a series of letters, numbers and symbols — which you'll be tempted to duplicate for multiple uses, said Staszczyszyn.

WATCH | A phone scam nets Canadian credit card numbers sold on the dark web:

Credit Card Scam: Is Your Stolen Identity for Sale on the Dark Web

Marketplace

2 years ago
22:31
Marketplace has obtained a secret list revealing the names and identities of almost 3000 Canadians targeted by a phone scam promising to lower your credit card interest rate. 22:31

While credit card fraud and identity theft are possibilities, consumers should also be on the lookout for seemingly more innocuous, everyday uses of data that work powerfully to get us to spend more time on websites and part with more cash while we're there.

Looking out for 'dark patterns'

Data fuels online shopping in ways that are convenient for us and good for business. But some of these tip over into so-called "dark patterns" — strategies websites use to trick you into giving up information you didn't mean to, or buying things you didn't want, said Arunesh Mathur, a postdoctoral fellow at Princeton University's Center for Information Technology Policy.

There's the "hidden subscription" dark pattern, where you think you're signing up for a one-time product or service, "but in reality, what happens is people end up … being billed over a period of time," said Mathur, who has a PhD in computer science.

His research team built a bot that acts like an online shopper in order to detect dark patterns, uncovering about 15 different kinds, he told Young. These include the deceptive countdown timer that suggests a deal will only be available until a certain date or time. "But in reality, what happens is the timer simply resets," or it disappears yet the deal continues to live on, he said.

Arunesh Mathur, a postdoctoral fellow at Princeton University's Center for Information Technology Policy, said regulators need to get more involved in protecting consumer data. (David J. Phillip/The Associated Press)

The bot also found that e-commerce sites play into the cognitive bias that makes us respond to scarcity, said Mathur. For example, a website might suggest there are only three of one particular item left in stock, when in reality that number was picked randomly. 

Consumers can help protect themselves against the problem of dark patterns simply by being aware of them, he said. "If you know what they look like, you're perhaps less likely to be influenced by them and … more likely to call out the company or the service that's using these patterns."

Yet consumers shouldn't be expected to tackle alone a problem that should be handled by regulators and other agencies, he said. 

"When they get online or visit an e-commerce website, their job is to buy things and be satisfied with that, not digging into source code to discover what's going on or how their choices are being influenced.

"Relying on consumers to protect themselves can only get us so far."


Written by Brandie Weikle. Produced by Nora Young and Samraweet Yohannes.

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

now