Step 1 – Read a site’s privacy policy
Just because it says “privacy” doesn’t necessarily mean it’s about protecting yours. Specifically, it’s supposed to tell you how the site’s owner is going to use your information and how it won’t use it. So it’s conceivable that your email could be up for sale. If they don’t have a policy, be leery. But if they do and you don’t feel comfortable with it, you may wish to reconsider entering things like your email.

Step 2 – Don’t hand out your email to just anyone
Just because a site asks for all that information, doesn’t mean you need to give it to them. Let’s say you’re signing up for a newsletter to be emailed to you. The form asks for your name, mailing address, phone number, email address, etc. Are these pieces of information required? In some cases it may be perfectly understandable and therefore all right to give them what they ask for. Just be aware that you’re not obligated to give them what they want unless you choose to obligate yourself.

Step 3 – Setup a free email account
If you don’t already have one, get one. You have so many to choose from: Gmail, Yahoo Mail, MSN, etc. Most of the offerings you’ll find should have the ability to forward email to another account. (Places like Gmail have it for free, but others may consider it a premium offering.) Using another email account to act as a proxy is a great way to keep something between you and the sender. Just pay attention to which address you should be replying from.

Step 4 – Using a proxy email service
This is your best defense. Services like Sneakemail, GishPuppy, and spambox! allow you to create an email address on-the-fly and forwards emails to a specified account — the account, in this case, is the one you want to protect. Two things to remember here:

• For best results, create a new “temporary” address for each site you submit it to (more on this below).
• These services don’t store your emails, they just forward them on to a destination.

The neat thing about these services is that they allow you to control the expiration of the address it creates for you, anywhere from an hour to indefinitely, depending on which service you use. This is another reason why you should create one for each site you submit to because if you start receiving spam from a site you submitted your “temporary” address, you’ll know which one to expire on demand.

I recently read an article that depicted an interesting scenario. I can’t speak for the other tools listed above, but according to this article Google’s desktop search tool indexes all the files on your computer even if those files are no longer available. Nothing out of the ordinary there, but read on.

The consultant in this story explained that his client kept usernames and passwords on a USB drive. When the client hooked up their USB drive to the consultant’s laptop, all that information became part of the index for Google’s desktop search tool that was installed on the laptop.

I need to be clear here: the tool didn’t upload anything to Google, it just included it in its list of things to search on the consultant’s laptop. The tool is designed to include anything it sees on the hard drive (and connected to it) as part of its searchable content. So when the USB drive was removed from the laptop, the information still remained there.

That’s something easily overlooked. I never would have considered such an unintentional breach of security.

So, I’m not suggesting you go uninstall your desktop search tools. Just bear in mind the possibilty of including information you didn’t intend to include in such a tool.

I came across a privacy policy the other day that inspired me to post about this. I’ve placed a modified version of it here. I want to make it clear that I have nothing against this merchant. They are within their legal rights to do what they’re telling you. As a matter of fact, I applaud them for at least putting it all in writing for their users to see. I only use them as an example to help you increase your awareness of what privacy policies can actually do. They’re not just about keeping you information private; they’re also about telling you how it may not be private.

First, let me just say that I have replaced the merchant’s original name with “XYZ Company”. I have also labeled parts of the document with numbers for easier reference.

Section 1 is pretty straight forward. Section 2 is a little more interesting. Take note of the second sentence is line 1: XYZ Company may combine information about you that we have with information we obtain from business partners or other companies. They don’t tell you who those other business partners are. Could they be health care related? How about financial? The thing is you don’t know unless you ask them, assuming of course, that they’ll tell you if you do ask.

Moving to Section 2.3. So they’re openly (which I commend) telling you that they’re going to review what they already know about you with the new information you’re going to willingly provide them. Bear in mind that it’s with products and services you have already purchased or used with them before. Just give it some thought before you deepen the relationship.

Section 2.4: no worries there. Most every company does that and, as far as I’m concerned, presents no danger to you. Section 2.5 is good, but note the use of “anonymous reporting for internal and external clients”. Still, it’s good that they’re telling you, but it’s the external clients that caught my eye. Nothing to be too worried about as it’s supposed to be anonymous, but I imagine that it could be possible to link up your personal information with the data those external clients already have. Such a link-up would have to rely on your authorization, no doubt, but again something to think about. Maybe you don’t want those guys to know what you purchased no matter if it’s a toothbrush or some lingerie.

Section 2.6: careful here. Unless you don’t mind getting spammed, you may not want to enter into a relationship with them. Personally, I’m troubled by the end of that sentence: without offering you the opportunity to opt-out prior to receiving them. Again, I’ve give them credit for telling you up front, but there’s no telling how long it will take you to get off that list of theirs before they send you all sorts of things in the mail and e-mail.

Sections 3 and 4: no worries there.

Section 5.1: Very important. It’s your choice to provide the information or not, but you may not get what they’re offering. It’s the old “give us what we want, and we’ll give you what you want”; a simple trade. How much is your personal information worth?

Section 5.3: Other companies may have access to the information you provide so that they can fulfill the agreement the merchant is making with you. This could be as simple as the postal service (i.e. providing your mailing address for delivery purposes), or keeping you from being added to yet another list. But it’s good that XYZ Company has told you that these other parties may not use your information for anything else, which I find reassuring.

Section 5.4: Uh-oh. What do you have here? XYZ Company may share, rent or sell personal information about you with other people or non-affiliated companies. Again, it’s good they’re upfront about it, but do you really want your information to be sold to other entities, especially ones you don’t know? This kind of contradicts the above section 5.3, where those parties that they give your information to can’t use it for any other purpose, but parties they sell or rent your information to is perfectly fine. So essentially, what they’re telling you is anyone they do business with has your information.

Skipping down to section 5.8, this is important in that while you may feel good about doing business with this company, it’s quite possible that in the future if they’re bought by or merged with someone, your information is now their information, too.

So, have I got you worried? I hope not. Have I given you reason to look at the next privacy policy you come across a little more closely? I hope so. All this is to say that seeing a privacy policy link does not necessarily mean that your private information will remain private. It could, but it could also be entering you into someone else’s database for further use. Just be careful.

Surf safely!