PDA

View Full Version : Amazon.de mystery concerning my privacy


EinsteinsHund
02-03-2011, 04:48 AM
I'm a long time customer on amazon.de (German), and considering their well matching recommendations, fully aware about them storing and tracking my personal data. I'm okay with that, as long as it's restricted to my personal account.

But then this happened:

A friend of mine wanted to order from amazon.de and asked me if there was something I'd like to have he could add to his order (to save shipping fee). So I checked my wish list on amazon and emailed my friend three direct links to items (one book, two CDs) from the list he should order for me. He did so, the items were sent, and everything went the usual way.

A few days after the order had been processed, I checked my amazon wish list, and to my big surprise, two of the articles now are marked as purchased items, although the whole transaction was done outside of my account.

How the heck do they know I got the articles via a friend? The only possibility I can imagine is that they tracked my email with the links to the items, but that would have bee an extreme invasion of my privacy.

Does anybody know what was going on here, or maybe had a similar experience?

Mops
02-03-2011, 04:59 AM
WAG: you followed the links from your wish list, and the resulting URL (that you mailed to your friend) still contained a parameter connecting it to your wish list.

EinsteinsHund
02-03-2011, 05:24 AM
Mops, that's a possibility I hadn't considered. Indeed, I followed the links from my wish list, copied the URLs and pasted them into the email to my friend. So if he followed them directly from the email and then put the articles in his shopping cart, there could have been a continuous passing on of any information that was part of these URLs.

Okay, that's a good explanation, and better than spying my emails, but still, I would find it borderline invasion of privacy.

Telemark
02-03-2011, 07:30 AM
Okay, that's a good explanation, and better than spying my emails, but still, I would find it borderline invasion of privacy.
It's inevitable when information is put on the URL. It's pretty standard usage, not something I would consider an invasion of privacy at all. If anything, it works against Amazon and they would like to avoid it.

EinsteinsHund
02-03-2011, 07:42 AM
It's inevitable when information is put on the URL. It's pretty standard usage, not something I would consider an invasion of privacy at all. If anything, it works against Amazon and they would like to avoid it.

My point is that this way, my personal handle is encoded to these URLs and later decoded in a transaction that doesn't involve my own account, just to be used afterwards by amazon to assume changes to the personal data in my account, e. g. my private wish list. It's not that big a deal, but I'm still uncomfortable with this kind of process. If they want to avoid it, why do they use the information to manipulate my data?

Ferret Herder
02-03-2011, 08:21 AM
The wish list feature is designed to let other people buy you presents off of it, without the risk of you getting multiples of the same item. Many people just point friends and family to their wish list if they're asked about gifts.

EinsteinsHund
02-03-2011, 08:44 AM
The wish list feature is designed to let other people buy you presents off of it, without the risk of you getting multiples of the same item. Many people just point friends and family to their wish list if they're asked about gifts.

Yeah, I know, but the default setting for the wish list is private, so you have to actively set it to public to make it available to others. My use (and I'm sure that of many others) for the wish list is to keep track of items I'm interested in, but don't want to buy immediately.

Nava
02-03-2011, 08:55 AM
EinsteinsHund, did the shipment go directly to your address?

If your friend used the same address that amazon has on record for you (not only that, but with your name on it) that seems like something the dumbest of code monkeys should be able to identify as being for you.

Omar Little
02-03-2011, 09:00 AM
There was nothing nefarious here. Your wish list is not private. Your friend purchased items from your wishlist.

EinsteinsHund
02-03-2011, 09:19 AM
EinsteinsHund, did the shipment go directly to your address?

No, the whole shipment went to my friend's address, the only connection between my wish list and my friend's order were the links to the items in the mentioned email to him.

And Omar Little, please see post #7. I didn't set my wish list to public, and my friend didn't add the articles directly from my wish list. I assumed that by mailing him the links, it would be the same as if I had told him my wishes over the phone or in a direct conversation.

But anyway, I didn't want to make a big deal about it, I was mostly curious how this all worked. I just assumed that by setting the wish list to private, there wouldn't be a mechanism to register changes that happened outside of my own account.

Telemark
02-03-2011, 09:50 AM
I assumed that by mailing him the links, it would be the same as if I had told him my wishes over the phone or in a direct conversation.
Clearly, that is not the case. It's hard to know exactly what information is being stored in the URL unless you take a close look at it, so emailing links generated by a site is a possible way for your information to get out. Is there a "Mail this item to a friend" link on the site? That may (or may not) strip identifiable information out of the URL based on your privacy settings.

EinsteinsHund
02-03-2011, 02:05 PM
Is there a "Mail this item to a friend" link on the site? That may (or may not) strip identifiable information out of the URL based on your privacy settings.

No, that doesn't seem to be the case, but I will be more cautious in the future when mailing or posting links from sites I'm currently logged in to.

I think I now fully understand what happened. There seems to have been a flag encoded in the URL from when I was logged in that tells the site's software:

IF (this.article is_purchased_ following this.URL) THEN
EinsteinsHund.wishlist.article.purchased = TRUE

Am I thinking right? In this case, there really was nothing dubious going on. It was just my carelessness.

Thanks to all for clearing my confusion.