Interhack Defends Its Release

Coremetrics has issued a statement that seems to misrepresent our July 31 release. So let's cut the crap and take a look at what's happening here.

Our Intentions

Some might rightly question our motives. Why did we issue a press release in the first place? The answer is simple: Coremetrics has designed and implemented a system that surreptitiously tracks what people do online. This system is used so that instead of a vendor having to monitor its own web logs, it can rely on Coremetrics' eLuminate[tm] service to do this. Coremetrics doesn't seem to show this system that they've unleashed enough respect and they don't seem to understand its full potential.

Coremetrics Misses the Point

In its release, Coremetrics has made several statements that simply are not correct. Coremetrics, in our opinion, needs to spend less time talking about what their policy is and more time getting their technical people to talk about what is technically possible. Interhack has a business of being able to identify the differences between stated policy and what is technically possible: we perform security assessments. Furthermore, I -- Matt Curtin -- have authored numerous articles and reports that discuss these issues. No one knows better than we how differences between policy and possibility become real vulnerabilities.

Decide For Yourself

Coremetrics states "There is no reporting of user browsing behavior across unrelated merchant sites."

That's a carefully worded way of saying "we do not do multisite profiling, but there's nothing to prevent us from doing it but policy and the fact that we're good guys."

Here are the questions to ask Coremetrics:

  1. Does Coremetrics use a persistent cookie attached to the blank image (which we call the "web bug" in our report) that the eLuminate service returns to the browser?
  2. Is that cookie attached to, instead of the site that the user is browsing, such as ToysRUs?
  3. If a user is browsing ToysRUs and has that cookie in his browser, will the browser send the cookie to Coremetrics along with the request for the web bug that includes the upload of the Coremetrics data tags?
  4. If the same user browses, will the browser send the same cookie to that it sent when it was uploading Coremetrics data from ToysRUs?

If the answers to these questions is "yes", then the design and implementation of the Coremetrics eLuminate service makes it possible for Coremetrics to track a user who goes from site to site and to build a detailed dossier that includes the sum of all information leaked to third parties.

We have no evidence to suggest that they're actively doing this today. However, our concern is that we -- as consumers (many of us not even knowing who Coremetrics is) -- have no means of verifying that Coremetrics is doing the right thing with the data.

They're saying `just trust us -- there's no need for our system to be designed to manage these kinds of theoretical risks'. Nobody designs a system to be compromised. The fact of the matter is that security problems happen as a result of failure of policy. So if their policy fails in any way, we have no protection against abuse of this information.

We can establish that it's a risk. Ask Coremetrics if it's a risk; they can't possibly say that it's not without being inaccurate. Will this risk turn into an exploitable vulnerability? Only time will tell. What we are saying is that it's a risk that users have not agreed to take and it is they who are being burdened with the risk. It is ultimately information about them and about their lives that is the target.

"But We Let People Opt Out"

Computer systems fail. The question to ask is "what happens when [not if] it fails?" In the case of Coremetrics, someone who has opted out will be opted back in. We have already written reports detailing how these failures have actually happened in the case of DoubleClick and of Netscape.

Opt-out is not a workable solution because systems fail. So this defense is no defense at all.

In Conclusion

I'm not comfortable with the way that Coremetrics manages this risk. Furthermore, attempting to classify our work as "reckless" or "irresponsible" gives me a great deal of reason to wonder about Coremetrics' objectives. Ignoring it will not make it go away.

And there you have it. What is and isn't done with information about you is your decision and your decision alone. I can't tell you if what they're doing is good or bad and neither can they. So we have presented our findings and will await judgment from those who are at risk -- the consumers whose information is being sent to Coremetrics.

corporate | research | news | people | projects | publications | services | feedback | legal

Matt Curtin
Last modified: Wed Aug 2 10:18:05 EDT 2000