Abstract
E-shopping has grown considerably in the last years, providing customers with convenience, merchants with increased sales, and financial entities with an additional source of income. However, it may also be the source of serious threats to privacy. In this paper, we review the e-shopping process, discussing attacks or threats that have been analyzed in the literature for each of its stages. By showing that there exist threats to privacy in each of them, we argue our following position: “It is not enough to protect a single independent stage, as is usually done in privacy respectful proposals in this context. Rather, a complete solution is necessary spanning the overall process, dealing also with the required interconnections between stages.” Our overview also reflects the diverse types of information that e-shopping manages, and the benefits (e.g., such as loyalty programs and fraud prevention) that system providers extract from them. This also endorses the need for solutions that, while privacy preserving, do not limit or remove these benefits, if we want prevent all the participating entities from rejecting it.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
In this work, we restrict ourselves to the context of B2C (business-to-consumer). B2B (business-to-business) may require additional considerations.
- 2.
See “Amazon.com Privacy Policy” at https://www.amazon.com/gp/help/customer/display.html?nodeId=468496. Last access on January 13th, 2015.
- 3.
See eBay’s “User Privacy Notice” at http://pages.ebay.com/help/policies/privacy-policy.html. Last access on January 13th, 2015.
- 4.
http://www.magentocommerce.com. Last access on June 27th 2015.
- 5.
See https://payments.amazon.com/help/5968. Last access on June 29th, 2015.
References
Anderson, R.J.: Risk and privacy implications of consumer payment innovation (2012). http://www.cl.cam.ac.uk/rja14/Papers/anderson-frb-kansas-mar27.pdf
Anderson, R.J., Barton, C., Böhme, R., Clayton, R., van Eeten, M., Levi, M., Moore, T., Savage, S.: Measuring the cost of cybercrime. In: WEIS 2012, Germany, pp. 25–26, June 2012
Androulaki, E., Bellovin, S.: An anonymous credit card system. In: Fischer-Hübner, S., Lambrinoudakis, C., Pernul, G. (eds.) TrustBus 2009. LNCS, vol. 5695, pp. 42–51. Springer, Heidelberg (2009)
Androulaki, E., Bellovin, S.: APOD: anonymous physical object delivery. In: Goldberg, I., Atallah, M.J. (eds.) PETS 2009. LNCS, vol. 5672, pp. 202–215. Springer, Heidelberg (2009)
Antoniou, G., Batten, L.M.: E-commerce: protecting purchaser privacy to enforce trust. Electron. Commer. Res. 11(4), 421–456 (2011)
Blaze, M., Ioannidis, J., Keromytis, A.D.: Offline micropayments without trusted hardware. In: Syverson, P.F. (ed.) FC 2001. LNCS, vol. 2339, p. 21. Springer, Heidelberg (2002)
Chen, L., Escalante B., A.N., Löhr, H., Manulis, M., Sadeghi, A.-R.: A privacy-protecting multi-coupon scheme with stronger protection against splitting. In: Dietrich, S., Dhamija, R. (eds.) FC/USEC 2007. LNCS, vol. 4886, pp. 29–44. Springer, Heidelberg (2007)
de Montjoye, Y.-A., Radaelli, L., Singh, V.K., Pentland, A.: Unique in the shopping mall: on the reidentifiability of credit card metadata. Science 347(6221), 536–539 (2015)
Dingledine, R., Mathewson, N., Syverson, P.F.: Tor: the second-generation onion router. In: USENIX Security Symposium (2004)
The Eurostat. E-commerce by individuals and enterprises (December 2014). http://epp.eurostat.ec.europa.eu
Karame, G.O., Androulaki, E., Roeschlin, M., Gervais, A., Capkun, S.: Misbehavior in bitcoin: a study of double-spending and accountability. ACM Trans. Inf. Syst. Secur. 18(1), 2 (2015)
Low, S.H., Maxemchuk, N.F., Paul, S.: Anonymous credit cards and their collusion analysis. IEEE/ACM Trans. Netw. 4(6), 809–816 (1996)
Minkus, T., Ross, K.W.: I know what you’re buying: privacy breaches on eBay. In: De Cristofaro, E., Murdoch, S.J. (eds.) PETS 2014. LNCS, vol. 8555, pp. 164–183. Springer, Heidelberg (2014)
Molloy, I., Li, J., Li, N.: Dynamic virtual credit card numbers. In: Dietrich, S., Dhamija, R. (eds.) FC/USEC 2007. LNCS, vol. 4886, pp. 208–223. Springer, Heidelberg (2007)
Moreno-Sanchez, P., Kate, A., Maffei, M., Pecina, K.: Privacy preserving payments in credit networks: enabling trust with privacy in online marketplaces. In: NDSS 2015, San Diego (2015)
Murdoch, S.J., Anderson, R.: Verified by visa and mastercard securecode: or, how not to design authentication. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 336–342. Springer, Heidelberg (2010)
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2009)
Narayanan, A., Shmatikov, V.: Robust de-anonymization of large sparse datasets. In: IEEE Symposium on Security and Privacy (S&P 2008), 18–21 May 2008. Oakland (2008)
U.S. Department of Commerce. The 2nd quarter retail e-commerce sales report (2013)
Parra-Arnau, J., Rebollo-Monedero, D., Forné, J.: Optimal forgery and suppression of ratings for privacy enhancement in recommendation systems. Entropy 16(3), 1586–1631 (2014)
Partridge, K., Pathak, M.A., Uzun, E., Wang, C.: PiCoDa: privacy-preserving smart coupon delivery architecture (2012)
Preibusch, S., Peetz, T., Acar, G., Berendt, B.: Purchase details leaked to PayPal (short paper). In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 217–226. Springer, Heidelberg (2015)
Ramakrishnan, N., Keller, B.J., Mirza, B.J., Grama, A., Karypis, G.: Privacy risks in recommender systems. IEEE Internet Comput. 5(6), 54–62 (2001)
Rial, A.: Privacy-preserving e-commerce protocols. Ph.D. thesis, Arenberg Doctoral School, KU Leuven (2013)
Sadeh, N.M.: M-Commerce: Technologies, Services, and Business Models. John Wiley & Sons Inc., New York (2002)
Stolfo, S., Yemini, Y., Shaykin, L.: Electronic purchase of goods over a communications network including physical delivery while securing private and personal information of the purchasing party. US Patent App. 11/476,304, 2 November 2006
Tsai, J.Y., Egelman, S., Cranor, L.F., Acquisti, A.: The effect of online privacy information on purchasing behavior: an experimental study. Inf. Syst. Res. 22(2), 254–268 (2011)
Visa. Verified by Visa - acquirer and merchant implementation guide (2011)
Acknowledgements
This work was supported by project S2013/ICE-3095-CM (CIBERDINE) of the Comunidad de Madrid and MINECO TIN2010-19607, TIN2012-30883, TIN2014-54580-R. The work of Seung Geol Choi was supported in part by the Office of Naval Research under Grant Number N0001415WX01232. The work of Moti Yung was done in part while visiting the Simons Institute for Theory of Computing, UC Berkeley. The work of Jesus Diaz was done in part while visiting the Network Security Lab at Columbia University.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Diaz, J., Choi, S.G., Arroyo, D., Keromytis, A.D., Rodriguez, F.B., Yung, M. (2016). Privacy Threats in E-Shopping (Position Paper). In: Garcia-Alfaro, J., Navarro-Arribas, G., Aldini, A., Martinelli, F., Suri, N. (eds) Data Privacy Management, and Security Assurance. DPM QASA 2015 2015. Lecture Notes in Computer Science(), vol 9481. Springer, Cham. https://doi.org/10.1007/978-3-319-29883-2_14
Download citation
DOI: https://doi.org/10.1007/978-3-319-29883-2_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-29882-5
Online ISBN: 978-3-319-29883-2
eBook Packages: Computer ScienceComputer Science (R0)