Marketplace Fairness Act – Big Data Privacy Concerns

The Marketplace Fairness Act (MFA) would allow for a concentration of big data that raises privacy concerns and would be a ripe target for hackers.

As it stands now, states don’t have detailed information about purchases: who made them or what was purchased.  Typically, an online retailer located in one state would submit a monthly or quarterly summary of purchases:

  • Total Sales
  • Taxable Sales
  • Exempt Sales (out of state, for resale, to government agencies, etc.)
  • Sales Tax Collected

So the retailer fills out this form along with payment for that period’s sales tax collected.  The only time the state has access to detailed sales information is in the event of a sales tax audit.  But the data would still be local to the retailer.  Other states would have no access to this data, as a single-state retailer isn’t required to collect sales tax in other states.

How will this change under the Marketplace Fairness Act?

  • Data will be concentrated in a small number of locations – Certified Solutions Providers (CSPs)
  • Currently 6 companies are certified
  • Data will be for all states with sales tax
  • Data will contain items, types and values of items purchased
  • Data will contain shipping address of order
  • Data will contain retailer info
  • Unprecedented aggregation of shopping data per location
  • States (and hopefully not hackers) will have access to this data which they didn’t in the past.

Assuming I was wearing a black hat and had access to this data, there are a LOT of things that could be done with it.  Sorting by store would be easy.  Or by address to see what things or types of things people in a household buy.  Some types of items are more sensitive than others, such as items of a medical or an adult nature.  And it’s trivial to tie shipping addresses to people or families with publicly or commercially available tools online.

This is truly big data, but not in a good way.  The Marketplace Fairness Act will allow a significant concentration of data across numerous states, retailers and consumers that has never existed before.

 

 

Comments

  1. David Campbell says:

    I would agree with your concerns if they were justified, but I don’t think they are. Let’s go through a brief Q&A based upon your post:

    Question 1: Does the CSP know the identity of the customer?
    Answer: No.

    Question 2: Does the CSP know what the anonymous customer purchased?
    Answer: No.

    Question 3: Does the CSP know if the item the anonymous customer purchased is taxable?
    Answer: Yes.

    Question 4: How does the CSP know an item is taxable (or exempt)?
    Answer: The retailer knows categorically what they are selling; if it is clothing, or consumer electronics, or pharmaceuticals for human use by prescription, etc. The CSP doesn’t know exactly what the customer purchased, just the category of goods identified by the retailer at the time of sale.

    Discussion:
    Every CSP is already required (and has been tested and verified) to meet or exceed privacy and security laws in each and every state they service; accordingly, CSPs are not attractive points of attack for bad guys (there are many more vulnerable targets for bad guys). Beyond that general statement, any further articulation of techniques, processes, and procedures (which all exceed industry best practices) would provide tactical intelligence for would-be attackers, and so will not be discussed in open forum.

    The fact is, any retailer NOT using a CSP is a much more vulnerable target with substantially more valuable data than anything a CSP would ever have access to. This statement is true regardless of whether Congress enacts the Marketplace Fairness Act.

    The Marketplace Fairness Act has minimal (if any) data privacy impact, and actually may improve many retailers’ transaction data handling and retention practices (if they elect to use a CSP).

    -David

    • Rick Smith says:

      I don’t think you understood the point of the article. It’s not anti-CSP, nor is it “caring” about the CSP knowing what the customer purchased.

      It’s that right now, states don’t really have any info about people’s purchases from retailers. Individual retailers don’t share that info and only retailers have the info.

      If MFA passes, many retailers will start passing much more detail to a fairly small number of CSPs. This aggregate big-data will have a fairly large database of purchases and the address they shipped to. Addresses are easily reversed to households and possibly people. The aggregation is the issue I raise.
      To your replies:
      1: Didn’t say you had their info.
      2: You DO collect data on what was purchased in your API and manual upload template. So I do question your answer to this, at least for your CSP.
      At a minimum, you obviously have the type of item. But your own API and manual upload templates have more information than your reply admits to. For each item in the cart, a SKU or part number is passed to Taxcloud, along with the cost of the items (obviously, to compute tax). Manual transactions have a spreadsheet template to upload which also So unless this information is discarded somehow, it’s being collected. The spreadsheet: https://taxcloud.net/support/TaxCloud.Transactions.Upload.Template.csv
      3: Not relevant, never brought up.
      4: I didn’t bring this up, but going back to #2, it would appear items being purchased are being collected.

      The requirements for CSPs seemed cursory in the documents I read. Frankly, PCI compliance if answering SAQ-D’s questionnaire has a LOT more details about security requirements. I’m sure industry-standard types of security are implemented, but I didn’t see that much detail and certainly not specific compliance rules like PCI. But motivated attackers have shown quite the ability to breach defenses, especially of interesting targets.

      “The fact is, any retailer NOT using a CSP is a much more vulnerable target with substantially more valuable data than anything a CSP would ever have access to.” Our data requirements don’t vanish if we also use a CSP. The data is merely duplicated elsewhere. Any CSP would be an interesting target on a variety of levels, more so than an individual retailer. Looking for an address’s purchases? One retailer probably doesn’t have any. A CSP probably would have it since they have multiple retailers.

      “The Marketplace Fairness Act has minimal (if any) data privacy impact, and actually may improve many retailers’ transaction data handling and retention practices (if they elect to use a CSP).” Copying retailers’ purchase records across many retailers and states to a central warehouse cannot HELP data security. The only direction it can go is hurting… the question is how much.

      • Rick has not only provided accurate support for his comments, but also correctly notes that the requirements made of those who would be required to comply with the MFA (almost exclusively smaller businesses since the big retailers who dominate over 83% of Internet sales, support the MFA because they already pay sales taxes, and would not be affected) are being targeted, in effect, in my opinion, scapegoated. Many of the Pro MFA campaigns lead smaller local businesses that non-remitted Internet sales taxes are widespread when in fact, it’s far from the case. And that somehow the MFA will help them compete better when in fact the MFA would create a system in which state taxpayers (who would pay the implementation costs) further subsidize the growth of big retail companies.

        Passage of the MFA would produce great profits for both the tax cloud companies and the big retailers but in contrast, contrary to the illusion being created, often through anonymously run sites, meaningless platitudes, and even abject manipulation and deception, would further crush smaller retail businesses of all types, whether it be local, via the Internet, or brick n click.
