Abuse of your Web Shop?

What to do if your online shop is attacked by criminals: an IT lawyer’s view.

In times of digitalization it is extremely attractive to offer your products online – this has several advantages. No sales room is needed, the offers are available around the clock and there are no annoying sales talks. Sounds good at first? Of course, it is! As long as there are no problems with the web shop…

A real life example of how an online shop can be hacked

Here’s what happened to one of our clients, who runs an online shop in Germany. The client was faced with complaints from angry customers who wanted to know where the goods were that they had ordered through an online shop weeks and months earlier. Completely surprised by this, our client had no record of any such orders.

What had happened?

Fraudsters had picked our client’s online shop and rebuilt it in every detail. In other words: they cloned his online shop. The product descriptions, the product pictures and the extremely appealing layout were all copied. Even the imprint (legal notice) was taken over, to give the impression that our client’s company operated the website.

After the order process had been completed, the website (which of course had a completely different domain) displayed a summary of the order and immediately asked the customers to pay. Since the order process looked fully legitimate, many customers promptly paid. Customers were not even suspicious that payment was requested by bank transfer and that the IBAN did not start with DE (for Germany). In reality, of course, the money went to a bank account somewhere in the Baltic States which had nothing to do with our client.

The customers who had fallen for this online fraud, which had nothing to do with our client, were nonetheless angry at our client. Obviously, our client could not ignore this web shop identity theft.

But what is to be done in concrete terms in the event of such abuse?

First of all, a so-called Whois query should be carried out to find out who is behind the page in question. However, it is important to know that the registrant details returned by a Whois query can be manipulated very easily. What is not so easily manipulated is the registrar’s entry. Based on this information we were able to find out that the website was hosted in the USA.

Okay, but then how does this information help me?

With the information, i.e. who the registrar is, it is very easy to contact the website provider. Here we could quickly submit a so-called DMCA takedown request, so that the website is taken off the net.

Is such a DMCA takedown request enough to take a website off the net?

Usually, yes. In this case, however, the registrar was (to put it mildly) particularly lazy. This required the involvement of the U.S. registrar regulatory agency (ICANN).

What does ICANN do? 

It is ICANN’s job to address these issues. After we filed the complaint (the registrar had still not moved), we received a commitment within 96 hours that the problem would be addressed. With this trick, it is quite easy to get even the laziest registrar to deal with the problem.

Within four days after we contacted ICANN, the website was already offline.

Do I have to pay attention to anything in such a procedure? 

Yes, there are many things to consider. For example, it should be clear how to write a DMCA takedown request. It is also necessary to know what happens if the registrar is located in a country other than the USA (this is already much more complicated in Russia), and much more.

In such cases, it is strongly recommended to consult a lawyer experienced in IT law if you need or want to remove the website from the Internet quickly.

Especially in the case of problems with a foreign registrar, it is hardly possible to get the situation under control quickly without a lawyer with the appropriate experience.

German IT & Online Lawyer Stephan Hendel

If you have any questions about IT law, data protection, online commerce or other internet related legal issues, do not hesitate to contact German lawyer and IT law expert Stephan Hendel.

Having a Canadian family background, Stephan is fluent in English and is well aware of the different business mentalities of Anglo-American as well as German entrepreneurs. Our German and international clients appreciate Stephan’s pragmatic hands on approach.

Within the Cross-Channel-Lawyer network, Stephan is the expert for all legal matters surrounding IT, cyber law, data protection issues and compliance with German law.

For more on German business and corporate law see these posts:

Google Analytics vs. GDPR – is that even possible?

We are currently receiving many inquiries from uncertain clients regarding the new General Data Protection Regulation (GDPR). During an initial analysis of the homepage, it immediately becomes apparent that most clients use an analysis tool – mostly Google Analytics or Matomo (formerly Piwik). Such tools are useful and indispensable for good online marketing.

But now the question arises: to what extent can these tools still be used to be compliant with the GDPR?

Admittedly, we believe that the GDPR, and in particular its German implementation, has overshot the mark. This creates enormous uncertainty in most companies, and regular business operations are hardly possible without fear of violating some GDPR standard. But back to the actual topic: is the tracking of user data on a website still permissible from the point of view of the GDPR?

Basically no! At least not without a few special adjustments. This is also confirmed by the position of the Conference of Independent Data Protection Authorities of the Federal Government. The statement of the German authorities can be found here:

https://www.ldi.nrw.de/mainmenu_Datenschutz/submenu_Technik/Inhalt/TechnikundOrganisation/Inhalt/Zur-Anwendbarkeit-des-TMG-fuer-nicht-oeffentliche-Stellen-ab-dem-25_-Mai-2018/Positionsbestimmung-TMG.pdf

But now to the real thing: how do I implement Google Analytics in compliance with the law? This requires a look at the provisions of Art. 6 para. 1 lit. f GDPR. You should therefore follow these steps:

  1. sign a Data Processing Agreement (DPA) with Google. You can find this contract here: 

     http://static.googleusercontent.com/media/www.google.de/de/de/analytics/terms/de.pdf

  2. accept the addendum for data processing with Google. You may have wondered what the “Data Processing Supplement” option in your Google Analytics account settings is for. This is appropriate here for GDPR. Once you enable this feature, your site visitors’ interests will be protected. It is also important that you enter the following information manually:
    1. The person responsible (i.e. the legal person responsible for data processing),
    2. A contact (i.e. a person/contact to whom the communications relating to the data processing conditions can be sent),
    3. a data protection officer (if to be appointed),
    4. an EEA Representative (but this is only important for companies that are not in the European Union).

  3. install an easy way for your website users to opt out.

You can use the following two JavaScript snippets:

First, implement the opt-out link with a JavaScript alert:

<a onclick="alert('Google Analytics has been disabled');" href="javascript:gaOptout()">deactivate Google Analytics</a>

For the above link to work, the following script must be installed globally on the website:

<script type="text/javascript">
// Set to the same value as the web property used on the site
var gaProperty = 'UA-XXXX-Y';

// Disable tracking if the opt-out cookie exists.
var disableStr = 'ga-disable-' + gaProperty;
if (document.cookie.indexOf(disableStr + '=true') > -1) {
  window[disableStr] = true;
}

// Opt-out function
function gaOptout() {
  document.cookie = disableStr + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/';
  window[disableStr] = true;
}
</script>

  4. implement IP anonymization – this will nullify the last two blocks of the IP (e.g. 108.138.0.0) so that it is no longer possible to identify the respective website visitor;
  5. integrate a data protection declaration in accordance with the law within the meaning of Art. 12, 13 GDPR;
  6. don’t activate the user ID.
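The opt-out script above checks the cookie with a plain substring search. As an added example (not code from the original post or from Google), here is the same "ga-disable-<property>" convention written as pure functions with an exact cookie parse, plus IP masking as the post describes it (zeroing the last two blocks of an IPv4 address); GA_PROPERTY and the function names are assumptions for illustration.

```javascript
// Added example (not from the original post): the same "ga-disable-<property>"
// opt-out convention as the snippet above, written as pure functions so the
// logic can be checked without a browser, plus the IP masking the post
// describes (zeroing the last two blocks of an IPv4 address).
const GA_PROPERTY = 'UA-XXXX-Y'; // placeholder, replace with the site's property id

// Name of the opt-out cookie and of the window flag Google Analytics honours.
function disableKey(gaProperty) {
  return 'ga-disable-' + gaProperty;
}

// Exact cookie parse: split document.cookie into name/value pairs instead of
// a substring search, so only a cookie with exactly that name and the value
// "true" counts as an opt-out.
function isOptedOut(cookieString, gaProperty) {
  const key = disableKey(gaProperty);
  return cookieString.split(';').some(part => {
    const eq = part.indexOf('=');
    if (eq < 0) return false;
    return part.slice(0, eq).trim() === key && part.slice(eq + 1).trim() === 'true';
  });
}

// The cookie the opt-out link should set (long expiry, site-wide path).
function optOutCookie(gaProperty) {
  return disableKey(gaProperty) + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/';
}

// IP anonymisation as the post describes it: keep the first two blocks of an
// IPv4 address and zero the rest. Returns null for anything that is not a
// dotted-quad IPv4 address so malformed input is never passed through unchanged.
function anonymizeIPv4(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map(p => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  if (octets.some(o => Number.isNaN(o) || o > 255)) return null;
  return octets[0] + '.' + octets[1] + '.0.0';
}

// Browser wiring, equivalent in effect to the post's gaOptout(); guarded so
// the functions above also load outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (isOptedOut(document.cookie, GA_PROPERTY)) window[disableKey(GA_PROPERTY)] = true;
  window.gaOptout = function () {
    document.cookie = optOutCookie(GA_PROPERTY);
    window[disableKey(GA_PROPERTY)] = true;
  };
}
```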

We hope that with this short explanation we could take away the horror of the GDPR in relation to Google Analytics (as well as further analysis tools).

If you have any questions about GDPR, do not hesitate to contact German lawyer Stephan Hendel who specialises in data protection and IT law. Having a Canadian family background, Stephan is fluent in English and is well aware of the different business mentalities of Anglo-American as well as German entrepreneurs. Our German and international clients appreciate Stephan’s pragmatic hands on approach.


Data Protection and German Businesses: New GDPR 2018 will cause a Flood of Lawsuits

Company managers and British parent companies of German subsidiaries had better take this issue very seriously, because the German version of the GDPR is much stricter than the GDPR rules as applied in the UK.

So if you are running a business in Germany, you should ensure that your German company is in full compliance, for instance in accounting and human resources, because the German business mentality is to torture competitors with costly cease and desist letters (more here).

Germans are Data Protection Extremists

When it comes to data protection in a company, it is often overlooked that sensitive personal data is also processed in areas that do not immediately spring to mind, like accounting for instance. While other legal regulations in accounting prescribe processing or long-term storage, this is usually not the case in controlling.

In view of the requirements of the EU General Data Protection Regulation (GDPR), all data processing in accounting and controlling in particular should be checked and, if necessary, adjusted. An adjustment could be achieved, for example, by pseudonymization (removal of all directly identifying features) or anonymization (removal of all personal data).

These are presented as examples in this article:

(1) Data protection for personal data

The data protection regulations apply when personal data is processed. This means (according to Art. 4 para. 1 GDPR) all information relating to an identified or identifiable natural person (…). In accounting, such data is regularly found in Accounts Payable and Accounts Receivable. If the accounting department also takes over the data management of the employees and carries out payroll accounting, “special categories of personal data” are even processed.

(2) Sensitive data due to processing or quantity

However, even if no data of employees is processed in accounting or controlling, personal data may still be available there, which can have an impact on those affected if they are viewed by unauthorized persons. This is obvious, for example, for notes on (negative) payment behavior (creditworthiness index).

Sometimes the context (the accompanying circumstances) of the processing is sufficient on its own, even if no financial or health data is stored. Illustrative examples are the debtor evaluation of a medical specialist for cosmetic surgery or the customer file of an erotic mail-order business.

(3) Risks in practice

In accounting it is often the case that personal data is exported, e.g. for various evaluations from the hopefully well secured accounting programs. Often these “Excel files” are then sent by e-mail without further protection. Even if this alone often violates data protection regulations, it also increases the risk that third parties can view the data. In the case of e-mails, for example, an inadvertently wrong recipient is sufficient.

(4) Pseudonymization: identification via detours possible

Apart from a secure form of transmission, pseudonymisation offers a further possibility of reducing the risk of data misuse for those affected. For this purpose, all data that would allow a person to be clearly identified are removed, with the exception of one value. The remaining data may not directly identify the person concerned; only by consulting another file or another document may the person become identifiable.

(5) Conclusion

Pseudonymisation and anonymisation offer two suitable ways of reducing data protection risks. Particularly with regard to evaluations, it is worth considering pseudonymizing short-term evaluations, for which detailed checks may still be necessary, and then summarizing and further processing this data in anonymized form after a specified time interval.
