Pandemic online shopping boom has generated bumper crop of vulnerable personal data, e-commerce experts warn
‘Dark patterns’ use deception to get consumers to buy
Prior to the pandemic, Deb Pepler had never made a purchase online.
"My concerns initially were privacy and security, the fact that I really want to see something, touch it, feel it, before I buy it, and the personal interactions that I had as well," said Pepler, 69, a retired social worker who lives in Burlington, Ont., west of Toronto.
"Some of the data breaches that I've heard about, like the Lifelabs data breaches, CRA, Equifax ... it's information like that that makes me very wary."
But it was hard to find masks for a while, and the shortage forced Pepler's hand. Her daughter showed her how to shop for them online, walking Pepler through the process until she became comfortable.
Since then she's made numerous buys online using sites like Amazon, Michaels and Mastermind Toys, where she shops for presents for her grandchildren.
Pepler is certainly not the only newbie online shopper on the virtual block. When the pandemic hit, e-commerce went through the roof, more than doubling in May 2020 compared to the same month the year before. Retail giants like Amazon have obviously benefited; Amazon hired more than 400,000 new employees between January and October of last year.
Shopify, an Ottawa-based platform that allows retailers and service providers to build simple, templated e-commerce websites, doubled its revenue in the first quarter of 2020 after the pandemic hit, then nearly doubled it again in the third.
The company also had a significant data breach in September, after two support staff allegedly stole customer data from as many as 200 merchants.
WATCH | Grocery analysts explain why online grocery shopping may not be here to stay:
That's the sort of breach that concerns Pepler.
"My biggest worry is that some banking information could be accessed," she said. "But it's not just the financial stuff; it's identity theft as well."
According to Anteneh Ayanso, a professor of information systems and founding director of the Centre for Business Analytics at Brock University, Pepler's concerns about her personal information are well-founded. Record growth in online sales has created a bonanza in data collection. All those names, email addresses, credit card numbers, locations and purchasing preferences make it easy to sell to us — or to steal from us.
"Right now, what you see is an urgency, the appetite for crunching and collecting data. You don't see the appetite for paying attention to some of the privacy concerns, some of the ethical considerations that need to be in place," he told Spark host Nora Young.
When we pull up a product page on a website, he said, there's a whole "e-commerce ecosystem" that goes beyond the merchant you're looking to for puppy kibble or sweatpants.
Even before you add anything to your cart, data aggregators, including search engines, are already helping the merchant tailor recommendations to you, said Ayanso, who has a PhD in information systems.
Recommending a hoodie is one thing, but the online dossier can have a more sinister applications.
Building better passwords
Every time a merchant site is successful in netting you as a customer, it increases the chance your data could get in the wrong hands, said Alana Staszczyszyn, a cybersecurity consultant at Security Compass, a Toronto-based firm that specializes in software security.
"Just know that the more information you put out, the higher the risk you have of it getting compromised," said Staszczyszyn.
This is all the more likely during the pandemic when public health measures have prompted "everybody and their sister" to put up a website, usually without resources for their own cybersecurity services, she said.
Among the most common abuses of our data is credit card theft, said Staszczyszyn. "They get sorted into packages and get sold to criminals who want to use them for money laundering or just purchasing stuff."
She recommends memorizing only your most important passwords, such as the one you use for your email account, then using a password manager such as LastPass or KeyPass to generate and store complex passwords for things like shopping sites.
Alternatively, you can use long phrases based on a song lyric or movie quote. These are both hard to crack and easier to remember than a series of letters, numbers and symbols — which you'll be tempted to duplicate for multiple uses, said Staszczyszyn.
WATCH | A phone scam nets Canadian credit card numbers sold on the dark web:
While credit card fraud and identity theft are possibilities, consumers should also be on the lookout for seemingly more innocuous, everyday uses of data that work powerfully to get us to spend more time on websites and part with more cash while we're there.
Looking out for 'dark patterns'
Data fuels online shopping in ways that are convenient for us and good for business. But some of these tip over into so-called "dark patterns" — strategies websites use to trick you into giving up information you didn't mean to, or buying things you didn't want, said Arunesh Mathur, a postdoctoral fellow at Princeton University's Center for Information Technology Policy.
There's the "hidden subscription" dark pattern, where you think you're signing up for a one-time product or service, "but in reality, what happens is people end up … being billed over a period of time," said Mathur, who has a PhD in computer science.
His research team built a bot that acts like an online shopper in order to detect dark patterns, uncovering about 15 different kinds, he told Young. These include the deceptive countdown timer that suggests a deal will only be available until a certain date or time. "But in reality, what happens is the timer simply resets," or it disappears yet the deal continues to live on, he said.
The bot also found that e-commerce sites play into the cognitive bias that makes us respond to scarcity, said Mathur. For example, a website might suggest there are only three of one particular item left in stock, when in reality that number was picked randomly.
Consumers can help protect themselves against the problem of dark patterns simply by being aware of them, he said. "If you know what they look like, you're perhaps less likely to be influenced by them and … more likely to call out the company or the service that's using these patterns."
Yet consumers shouldn't be expected to tackle alone a problem that should be handled by regulators and other agencies, he said.
"When they get online or visit an e-commerce website, their job is to buy things and be satisfied with that, not digging into source code to discover what's going on or how their choices are being influenced.
"Relying on consumers to protect themselves can only get us so far."
Written by Brandie Weikle. Produced by Nora Young and Samraweet Yohannes.