Q&A: Episode 200 Livestream!

This is a 2-part question about privacy in online shopping for physical goods (as contrasted with software or digital entertainment). 1. How do you pursue personal data privacy when shopping on sites other than the biggest retailers (e.g. Amazon, Walmart, Target) and what do you think the privacy tradeoffs are? Sure, the largest retailers have the most sophisticated tools to harvest and crunch personal data, but they would also be most interested in retaining the data and conclusions for themselves -- after all, they're well positioned to use them to try to sell you more stuff themselves as opposed to selling the data to others. At the same time, they also have more money for cybersecurity to protect your data against breaches compared to smaller retailers (although of course, larger retailers are probably also a more tempting target for cybercrime) and in the case of Amazon with its AWS line, probably a stronger company-wide stance on cybersecurity overall. In contrast, smaller online retailers may not understand the importance of cybersecurity or data privacy or not have the money to get it right. They may also believe that their principal business advantage consists in providing their specific merchandise at high quality and affordable price with good service, and view privacy/security as a distraction from making their business succeed. They may also be more prone to sell than to hoard your data, and to transfer your data to other corporate entities through mergers/acquisitions. What are your thoughts on the above factors and how do you balance them when shopping for physical goods online? 2. What methods do you know of, and what methods do you use to shop semi-anonymously (not from the state, but from corporate surveillance) for physical goods online? In other words, it is fairly easy to put in any alias when shopping for digital goods and services with an aliased payment, so that your name is not tied to your every purchase, but it seems much harder to have something shipped to you without providing your real name. In particular, it seems that putting a different plausibly human name next on your address on every shipment coming to you is a good way to have them lost/misdelivered or to have USPS start an investigation on you as a potential mule for carders. It may be more practical to use made-up unincorporated organisational names (e.g. "Lubbock vegan metalcore enthusiasts' club"), which people who do contract work for various small clients out of their home might actually do. What approaches have you found or have heard others in the privacy community employ that work reliably without a lot of extra effort and do not cause problems?

David Johnson