Etsy’s new social features expose buyer names, histories

Online marketplace Etsy has made a name for itself serving as a clearinghouse for unique hand-made, artisan, and vintage items that have trouble selling in more-general sites like eBay. However, the site is now rankling many of its members through the quiet introduction of a new “Circles” feature apparently intended to enable users to easily find other Etsy users with similar interests…but which has exposed many users’ names and purchase histories to the entire Internet.

Etsy billed the new feature as a way to “find your friends,” and mostly touts the new functions as a way to import contact lists from services like Gmail and Yahoo Mail to automatically set up connections with Etsy users people know. However, Etsy’s new offering also includes a feature search, enabling users to search on user names and full names (if one has been entered); those searches not only show a user’s entire purchase history, but are accessible without logging into Etsy first. And that means they’re indexable—and searchable—via search engines like Google and Bing, creating scenarios where searching for someone’s name in Google might pull up a link of embarrassing Etsy purchases. Purchase histories are exposed via feedback left between sellers and users—even if a user has never left feedback of their own, their account would be exposed if a seller left feedback to that user.

Ars Technica‘s Jacqui Cheng has likened Etsy’s new Circles to Facebook’s disastrous Beacon feature, which exposed users’ actions and purchases on other sites as part of their Facebook history without first requiring consent. Facebook was quickly targeted by a class-action lawsuit and FTC complaint over the feature; it shuttered the service in 2009 as part of a settlement, and donated almost $10 million to an organization advocating online privacy.

In a post in a forum frequented mostly by sellers, Etsy founder Rob Kalin has indicated the ability to make purchases private is “on our product roadmap.”

Etsy may well face legal action: although the company did send an email message to users announcing the new Circle’s feature, Etsy enabled the feature for all users without consent, rather than enabling users to opt-in if they were interested. As a result, Etsy’s action may be the legal equivalent of changing their privacy policy without user consent—actions like that have gotten technology companies in trouble going back as far as 2004, when the FTC found computer maker Gateway had disclosed customer information without consent.

Get our Top Stories delivered to your inbox: