Slashdot Mirror


Cursor Software Tracks You On Web

fabrini writes "That cute little animated Comet Cursor, that some websites try to send you when you visit their site, is actually doing more than impressing the kids. It's also tracking your activity on over 60,000 websites using a unique serial number -- and all without asking."

14 of 312 comments

  1. Legal issues by SuperguyA1 · · Score: 3

    For any lawyers out there, is there a reasonable basis for legal action if these accusations are true? Maybe it's time we did more than just complain and flame about it?

    --
    "as plurdled gabbleblotchits on a lurgid bee" - Prostetnic Vogon Jeltz. (One man's humorous is another man's flamebait)
  2. Shooting off feet by Nodatadj · · Score: 4

    They say they don't use it,
    So why do they waste bandwidth/storage space collecting it?

    Slowly closed source software is shooting itself in the foot with all these "trojans" that they add, but that they "don't use for any purpose". They'll soon not be able to use the security through obscurity catch phrase.

    Maybe Open source software should use "Privacy through visibility" as a counterattack.

    iain

  3. It doesn't matter what your name is! by Enoch+Root · · Score: 3
    (Sorry; couldn't resist the title.)

    Fact of the matter is, the only thing this company needs is exactly what they gather: your Web habits.

    They're trying to defend themselves by saying they're not actually collecting your name or address, but that's not like this information matters to them.

    Working for an e-commerce company, I can tell you what they want: they want a list of clients. They want to know exactly what kind of people use their software. They want to target their publicity more closely.

    If you ask me, it's BS when they say they're not actually using the info they collect. This information is invaluable to advertising companies, and knowing where everyone goes from your site on is the Holy Grail of target advertising on the Web. Many companies focus solely on providing companies with 'client lists'.

    So it's BS when the PR guys say it's harmless. Fact of the matter is, they're doing it without asking permission.

    Here's a little gem from the article:

    The campaign Web site for Vice President Al Gore removed support for the technology Monday, citing privacy concerns.

    "To the best of the Gore campaign's knowledge, no personally identifiable information was divulged," spokesman Chris Lehane said. "But even this very benign data collection doesn't meet the Gore campaign privacy standards."

    Wow. I know people tend to pick on Gore for that misquoted bit about inventing the Internet, but that's very fair of him. I thought we were the only ones (we being geeks) throwing a temper tantrum about privacy on the net. Way to go. Too bad I'm Canadian, eh? :)

  4. Criminally illegal in the UK by charlie · · Score: 5
    I am not a lawyer, but it looks to me as if grounds exist for a criminal prosecution of this company in the UK.

    What laws are they breaking?

    For starters, there's the Data Protection Act (amended 1998). This requires all databases to be registered, along with a list of their structure, so that people upon whom information is held can serve a data disclosure notice on the database owners and find out what is being said about them. I believe there's also a requirement to notify the subjects that information about them is being stored.

    (Violation: up to two years in prison and a honking great fine, although it's very rare for infractions to get as far as a prosecution.)

    Next: Computer Misuse Act (1994). This act has teeth -- it was introduced as an anti-hacking measure and it would seem that if they're tampering with or using a computer in the UK for any purpose without the consent of the owner they could be liable for five years as a guest in one of Her Majesty's hotels. It is a criminal offense to run software on a computer without the owner's permission, or to cause software to be run (ditto), or indeed to do anything with a computer without permission from its owner. Oh, and you can be guilty even if you're not in the UK (but meddling with a UK-based computer), or if the computer's not in the UK (but you are).

    Finally there's the EU declaration of human rights which, implemented in law, has an explicit right of privacy. The EU recently disseminated some directives on data security -- specifically banning the export of personal information from jurisdictions with strict privacy laws to other jurisdictions with weaker protection -- that means this company is violating the law, right across the EU.

    Class action lawsuit, anybody?

  5. Comment removed by account_deleted · · Score: 4

    Comment removed based on user account deletion

  6. It sure seems to be, it's slowly convincing me... by Tridus · · Score: 4

    Probably the best thing going for Open Source right now is that the "normal" software companies are shooting themselves in the foot with all this nonsense. I mean really... I *like* certain Microsoft products (flame away), and can't really be considered an advocate of Open Source at all.

    But the more of these kinds of cases pile up, they slowly change my mind. I look down at my System Tray right now and wonder just how many of those programs are sending information back to the company about what I do. I wonder what else they're doing. This was never a problem a couple of years ago.

    Can we really trust anything that big software companies put out at this point? Time and time again they have proven that self-regulation doesn't work. They've proven they can't be trusted to make software with privacy or security in mind. For that matter, it seems that many of them can't even be trusted to make high quality software at all. (all the bug-laden games out there come to mind... most notably SiN and the 18MB patch required to make it run at all straight out of the box)

    If we have any software developers and/or PR people who work for software companies, can you please explain to me how anyone can ever trust anything you put out ever again? Please don't use the "well we don't use the information we collect" lame excuse, I'm not falling for it. Why would you collect it at all if you don't intend to use it? You shouldn't be collecting it at all, you don't have any right to. I want an audio player that *gasp* plays audio! I don't want it monitoring me, if I wanted that I'd install a monitoring program.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  7. Comet's denial has a big loophole. by victim · · Score: 5
    Quoting from the article...
    "We don't know your gender, your age or anything except you're a Web browser visiting sites," Comet spokesman Ben Austin said. "There's not a lot of reason to crunch that data because I don't see that it's in anyone's economic interests. We're stating for the record that we don't do that and we never will."
    Ok, Comet won't do the correlation analysis, but then they don't have enough information to successfully correlate either. I'd feel much better if they promised not to sell their information to others. The large market analysis firms are the ones that will do the correlation.

    Consider what you get if you buy the access logs for a bunch of web sites (some with login ids that can be tracked to house addresses, maybe from shipping information) and then add user tracker data like Comet that can identify a user between web sites. You can now track the user's access patterns across all the web sites, even those where he was anonymous.

    This isn't anything too new, the banner ad companies do this already.

  8. Nah, this is clearly malevolent by Nicolas+MONNET · · Score: 3

    From what I understand, this silly cursor is just a Trojan horse aimed at user's privacy. What would be the point of the company otherwise? Their business is just based on this invasion of privacy. And BTW, their claim that they can't link to a single user is ridiculous: it just takes one filled up form asking for your email address in any of the 60'000 using, et voilà! you are tracked, welcome to big brother!!!

    Any web developer can understand that. It's so fucking simple to do, just the fact that they claim it 'impossible' is an insult.

    http://www.oneofthesites.com/subscribe.cgi?email=cmdrtaco%40slashdot.org
    SELECT id FROM bigbrother where email like 'cmdrtaco@slashdot.org'
    IF DEFINED(id) THEN
    INSERT INTO bigbrother (email,sexual_orientation, age, crimescommitted, numberofpornbannerclickthrough, hasreceivednicescientologyleaflet)
    VALUES ( -- edited for brevity
    ELSE IF sexual_orientation = 'perverthomo' THEN
    send_blackmail_asking_for_money()
    ENDIF
    ENDIF

    --

  9. Interesting issue by tweek · · Score: 4

    I just attempted to load cometzone's web site and it doesn't allow you to unless you allow cookies. God I love junkbuster. The sad thing is I find this to be more and more of an issue. Why do they need to store a cookie for me to load the page? Admittedly they can do whatever they want with the website but I find this just plain stupid.

    On a positive note,
    I recently went to Axent's site to do some research on their products and found that I couldn't view any product information unless I allowed cookies. I thought this was plain stupid and I emailed the webmaster regarding it. Below is the QUICK response from the webmaster at Axent. He was honest and shared more information than he needed to share (he didn't even have to respond). I wish more companies had this attitude. My response back was that since I couldn't find a privacy statement, I wasn't planning on allowing the cookies because I wasn't sure of their purpose. He was a nice guy none the less.
    Here's the email:

    Subject: RE: Feedback
    Date: Mon, 29 Nov 1999 11:03:48 -0500
    From: Tony Stephens
    To: "'jvincent@qa.butler.com'"

    You will not receive any unsolicited information from us. Thanks for the
    heads-up on the feedback page. You are right, it shouldn't say "Submit
    Registration". As for the cookies, we have moved to a dynamic, data-driven
    site powered by Mainspan. I'm not 100% sure what the cookies are for (I'm
    real new at this job, still learning the site...no excuse, but a minor
    explanation for my lack of a real explanation) but I'm assuming that they
    are to allow the server to track (during the session only) your documents
    and allow faster access to the ones you access. It's a variable called
    "DocsActiveForUser". Again, I believe that this is what it is for. I will
    look into this further. I agree with you in the fact that for the public
    site, it shouldn't be cookies, but rather session variables. But I'm sure
    it's for the purpose of providing you the information you want
    faster...allowing you to kind-of 'keep track' of the documents you have
    accessed. I assure you it's not for any tracking or informational gathering
    uses of ours.

    Thanks.
    Tony Stephens
    Webmaster
    AXENT Technologies, Inc.
    2400 Research Blvd. #200
    p: 301.670.3644
    e: tstephens@axent.com
    e: webmaster@axent.com
    w: www.axent.com


    -----Original Message-----
    From: jvincent@qa.butler.com [mailto:jvincent@qa.butler.com]
    Sent: Monday, November 29, 1999 9:09 AM
    To: webmaster@axent.com
    Subject: Feedback


    Name: John E. Vincent
    Phone:
    Email: jvincent@qa.butler.com
    PageLocation: Products
    Feedback: I was browsing your site and noticed that to get information, my
    browser has to accept cookies. Please provide me with a good reason that a
    security company requires a cookie with an invalid expiration date to allow
    me access to the most basic of information about your products. I notice
    your submit button says "Submit Registrion". This also serves to say that I
    am not registering for anything. I do not want any unsolicited email from
    your company other than a response to my question. John E. Vincent Network
    Administrator BTSQA





    --
    "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
  10. Re:Is this a reason to go open-source by Gurlia · · Score: 4

    With the current, disturbing trends towards the invasion of privacy by companies, I think I will never ever use anything but Open Source software anymore. This is really getting too far -- OK, fine, so this software "only" transmits a log of your web surfing to Comet, under the guise of displaying a cute cursor. How do you know one day somebody won't come up with something malicious?! How do you know that the next cute-cursor software you got from somewhere doesn't start transmitting files on your hard drive to some company? This may be paranoid, but I see this as a very likely possibility, given the current trend of increasing infringement of privacy by corporate entities. Gives a totally new meaning to "trojan horse".

    At least if you only use Open Source software, there is always source code for you to double-check, to make sure that this piece of code you're going to run isn't going to transmit private files from your home directory to some company out there.

    But, to go one step further, I'd say that even Open Source in itself may not be sufficient to prevent such kinds of exploits. Take any typical Linux system, for example. How many of us actually read the source code for all the software that we run?? How many sources can we read before exhausting our patience, and just say "forget it, let's just run this thing."? Of course, the redeeming thing is that if the source base is polluted with some bad code, the maintainer of the code would find out about it pretty quickly. But still, when Open Source becomes more and more widely adopted, there's a possibility that such things get overlooked.

    Sounds like privacy is over. Would we just sit here and allow this to happen?

    --
    mikre he sophia he tou Mikrosophou.
  11. Re:Executing pedestrians - accusing them of murder by GhostCoder · · Score: 4

    They do use it. They just don't use it to track people. From what I gather from the article, the Comet people use this serial number to charge its customers (some of the people that use the software on their site). It's one of their methods for efficiently and accurately tracking this particular stream of revenue.

    In addition they might use some of it to do marketing research (although it is neither mentioned nor implied which means they might or they might not). The same things all those banner ads do. You want to worry about privacy? There's the motherlode of your personal viewing habits being sent across the internet - all corresponding nicely to your machine (IP), your e-mail (if your browser sends it - unlikely but possible), uniquely identifying your machine (via cookies unless you delete/disable them), and much more.

    However most of this doesn't bother me. Quake 3 sending my GL_RENDERER string? *shrug* Mr Comet Cursor thingy sending a list of websites I visit that use the cursor (considering I've seen that cursor maybe once - EVER)? *shrug* All of this is benign information. Do I care that Carmack knows that someone out there (at IP # blah - if he even stores that data) is running version 1.09 and has a TNT2 Ultra? Or that Sir Cursor Changer knows someone (again, possible from my IP if they bother to store it) visited some web site?

    Now: Send my SSN or CCN or Home Phone across the web without my permission?! That's in the interest of 'My Rights Online.'

    Here's what SHOULD be done: Any app or web site that sends data back to its creators should register with a security watchdog organization such as TRUSTe. They should document their procedures and what they store and what could potentially be stored without a change on the client end (i.e. modifying the server to collect IP addresses). People can then get full disclosure on issues. Random and directed (in case of dispute) audits can be performed at the watchdog agency's discretion. If you think that Carmack is privately planning world domination based on the distribution of 3dfx chips in the world, you can complain to the appropriate agency.

    Most of the 'Your Rights Online' articles have been, IMO, non-issues, this one included. People say "If we let them do this then they will keep going until they send our entire lives back!" No. If someone starts sending back e-mail addresses without permission or other very private information THEN we start boycotting and raising hell. Until then just relax, vote with your dollar, send polite e-mails if you don't agree with something and just deal with the larger issues.

    And just think how much information CmdrTaco has collected from you. :) No one is safe.

  12. Re:Not practical by CaseyB · · Score: 3
    Personally I'd far rather have an Internet that provided no technological means for me to stop this sort of thing, than an Internet that was restrictive and full of rules and regulations.

    It's not an 'Internet' issue -- it's a browser issue.

    I can see a technical solution for this problem in my head right now. It wouldn't be detrimental to anyone, and would allow users to control what their browsers are doing for them.

    OK, here goes:

    1. First, let the user turn on the 'explicit hosts only' checkbox to 'on' from the default 'off'. There, any issue people have with 'breaking the web as we know it' is irrelevant. It's optional.
    2. Go to your favourite page. (slashdot of course!) The browser runs off to slashdot.org to grab the page.
    3. The browser finds an IMG tag with an SRC of http://209.207.224.245/Slashdot/pc.gif?/comments.pl,3713971. That's not the same host as the page I explicitly asked for!
    4. A prompt pops up. "Do you want to add 209.207.224.245 to slashdot.org's trust realm?" Meaning, any request to slashdot.org will also allow 'incident' requests to 209.207.224.245. I say 'yes' because I like pretty pictures. OR, I say 'no' because where the hell is 209.207.224.245 anyway, and why should my machine go there if I didn't ask it to? Repeat for all such 'incident requests'. The browser remembers my answers, and doesn't bother asking again.
    5. The page renders all the data I OK'd.

    Comments?
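
Added example, not part of the thread and not any browser's actual code: a JavaScript sketch of the "explicit hosts only" procedure outlined in comment 12, with per-site trust realms and remembered answers. The class and function names, the `/images/logo.gif` path and the `tracker.example` host are assumptions made for illustration; the `ask` callback stands in for the prompt.

```javascript
// Added illustration of the "explicit hosts only" idea; all names are hypothetical.
class TrustRealms {
  constructor({ explicitHostsOnly = false } = {}) {
    this.explicitHostsOnly = explicitHostsOnly; // step 1: optional, off by default
    this.decisions = new Map(); // page host -> Map(other host -> true/false)
  }

  // Decide whether one sub-resource of `pageUrl` may be fetched.
  allow(pageUrl, src, ask) {
    const page = new URL(pageUrl);
    let res;
    try {
      res = new URL(src, page); // resolves relative SRC values against the page
    } catch {
      return { allowed: false, reason: "unparseable" };
    }
    // data: and similar schemes cause no request to another host.
    if (res.protocol !== "http:" && res.protocol !== "https:") {
      return { allowed: true, reason: "no-network" };
    }
    const pageHost = page.hostname.toLowerCase();
    const host = res.hostname.toLowerCase();
    if (host === pageHost) return { allowed: true, reason: "same-host" };
    if (!this.explicitHostsOnly) return { allowed: true, reason: "feature-off" };
    let realm = this.decisions.get(pageHost);
    if (!realm) this.decisions.set(pageHost, (realm = new Map()));
    if (!realm.has(host)) {
      realm.set(host, Boolean(ask(pageHost, host))); // step 4: ask once, remember
      return { allowed: realm.get(host), reason: "asked" };
    }
    return { allowed: realm.get(host), reason: "remembered" };
  }

  // Steps 2-5: split a page's sub-resources into fetched and skipped.
  render(pageUrl, srcs, ask) {
    const fetched = [], skipped = [];
    for (const src of srcs) {
      (this.allow(pageUrl, src, ask).allowed ? fetched : skipped).push(src);
    }
    return { fetched, skipped };
  }
}

// Constructed sample page: a same-host image, the IMG SRC quoted in the
// comment, and a second third-party host that is made up.
const PAGE = "http://slashdot.org/comments.pl";
const SRCS = [
  "/images/logo.gif",
  "http://209.207.224.245/Slashdot/pc.gif?/comments.pl,3713971",
  "http://tracker.example/pixel.gif",
];

function demo() {
  const prompts = [];
  const realms = new TrustRealms({ explicitHostsOnly: true });
  const ask = (pageHost, host) => {
    prompts.push(`${pageHost} -> ${host}`);
    return host === "209.207.224.245"; // the user says yes to this host only
  };
  const first = realms.render(PAGE, SRCS, ask);
  const second = realms.render(PAGE, SRCS, ask); // no new prompts on reload
  return { first, second, prompts };
}
```

Decisions are keyed by the page's host, so a "yes" given for slashdot.org does not carry over when a different site embeds the same third-party host.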

  13. Mess 'em up by jms · · Score: 3

    Well, if they aren't using the information, then they should have no problem with someone reverse engineering their protocol and sending millions of bogus "hits" on random sites to their servers.

    Any takers? :-)

  14. CometZone's Privacy Agreement by Ryan+Taylor · · Score: 4

    Rather hard to find... ehehe... I tried the link labeled "Privacy Agreement" on the main page, which links back to the main page. Convenient mishap. I tried the link in the license agreement which is incidentally labeled, "8. Privacy -- See our Privacy Statement"... this links back to the license agreement. So I tried "http://cometzone.cometsystems.com/privacy.asp#"... this worked. Here's what I found:

    "Registration

    Comet Systems gathers information about our Cometeers that allows us to offer compelling services in a manner that provides personal privacy protection as well. When you join CometZone, we ask you to provide us with some required information such as your email address and home page URL, and some optional information such as your name and address."

    "Account Activity Logs

    As a result of joining CometZone, a Cometeer account is set up for you on our system that contains your user settings and preferences, e.g., which Comet Cursor you've selected for each of your Cometeer web pages. Every time you login to CometZone, or change your CometZone settings or preferences, your Cometeer Activity Log ("Activity Log") is updated to reflect this activity. Comet Systems uses Activity Logs as a means for better understanding our Cometeers and their interests."

    "...Any information you provide to Comet Systems when registering for CometZone is maintained and is accessible only by Comet Systems and a few of Comet Systems's content sponsors. We use the information collected during registration to better understand your interests, and to provide you with the best products and services on the web... "

    Anyway... I'm a little appalled that they appear to have tried to hide their privacy agreement, and furthermore, that the CEO's explanation seems incompatible with this information.

    Sincerely,

    Ryan Taylor

    ---
    Just when you think you've invented something idiot proof, someone goes and invents a better idiot.