FOR IMMEDIATE RELEASE
Interhack Corporation's Internet Privacy Project has yielded shocking results that reveal how marketers' tracking of Internet users has moved well beyond "impersonal" data collection. We reveal how the Coremetrics system can build detailed dossiers of unsuspecting Web surfers that include names, physical addresses, telephone numbers, email addresses, and other personally-identifiable information.
Among the sites that use Coremetrics are four that specifically state that they do not share personal information with third parties, namely Toys "R" Us (NYSE:TOY) sites toysrus.com and babiesrus.com, as well as Lucy.com, and Fusion.com.
On today's Internet, aggregation of such data is not only inconvenient, but it can place unsuspecting Web surfers -- including children -- at risk of becoming victims of real-world crimes including stalking and identity theft.
"Perhaps consumers, the US Federal Trade Commission, and our friends in Europe should be more concerned about what Web-based vendors are actually doing online than what they admit to doing," said Matt Curtin, Interhack's founder. He added, "The industry does not want to be regulated; it wants to do whatever it can get away with. Today we tell the industry that when it comes to invading our privacy, it will get away with nothing."
The data collection facility is part of a service offered by Coremetrics to observe and to track the behavior of users as they use a vendor's Web site. Though Coremetrics' Web site contains a rather complete and lucid description of what they are doing and how users can "opt out" of the system, not all sites inform their users that information expected to be confidential will be reported to Coremetrics. Some of those that do bury the information deep within a bunch of legal gobbledygook. In any case, many users are unknowingly providing all of the details of their Web-based purchases (except for the credit card number used for the purchase) to a third party that saves the information and makes a business of analyzing it. Furthermore, "opt out" systems fail, as we have previously described in the technical reports "DoubleClick Opt Out Protocol Failure == Opt In" and "Opting In, By Accident", available online at
Perhaps most alarming of all is that at least one site using this technology is an online toy store. How can such a site tell the difference between an adult browsing the site and a child? The technology itself does not distinguish among users. A parent who makes a purchase on such a Web site will make the Coremetrics database aware of his name, address, and phone number. Subsequent visits to the site -- including visits by children from that same computer (and the same browser) -- will be recorded and associated with the parent's profile. Or if an adult chooses to have a gift shipped directly to a child, entering the child's name and address in the "ship to" field of the order, that information will be sent to Coremetrics.
This system works such that instead of knowing everything about users and what they do on a particular site, the database can know everything about all users and what they do on every Coremetrics-enabled site. The more sites that use Coremetrics' tracking software, the greater the privacy invasion would become. Whether this is actually taking place, we cannot say -- there is no way to tell the difference between what is technically possible and what is actually happening without examining Coremetrics' data handling practices and auditing the code regularly.
Tracking is not limited to purchases. Very detailed profiles are built as users browse Coremetrics-enabled pages, including products examined but not purchased. At the point where a user gives his name to the vendor to make a purchase, that name (as well as how much was spent and other information) is associated with the profile.
fusion.com claim not to send information about users to third parties. For example, babiesrus.com displays this text at the bottom of the page during the checkout process:
Babiesrus.com keeps your personal information completely confidential. Click here to learn how our site is 100% safe and secure.
Following that link will take the user to a page that says:
About SSL Encryption
The Login, My Account, and Checkout areas of the site are fully secured using a technology called Secure Socket Layer (SSL). SSL Encryption ensures that your credit card number and personal data are always sent over the Internet safely. The information is encoded on your computer before it is sent, and then decoded on our site's server. Furthermore, all personal data (such as mailing addresses, e-mail and billing information) is stored on a highly secured server within the data center.
What it doesn't tell you is that an encrypted connection is also being made to data.coremetrics.com that includes all of that personal data except the credit card number itself. Failing to advise site visitors that Coremetrics is watching them results in visitors having no way to know that the monitoring technology is even being deployed.
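As an added illustration of how a site operator or privacy auditor can check for the kind of leak described above (example code written for this page, not Interhack's or Coremetrics' own): given a constructed list of a browser's outbound requests during a checkout, it flags any third-party host that receives the same values the user typed into the first-party form. The data.coremetrics.com host name comes from the press release; the field names, values and cm_ parameter names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of outbound requests a browser made during a checkout,
# as a privacy proxy or HAR export might record them. Only the host name
# data.coremetrics.com comes from the press release; the paths, field names
# and values are made up for this example.
SAMPLE_REQUESTS = [
    ("POST", "https://www.babiesrus.com/checkout/submit",
     "name=Pat+Example&addr=1+Main+St&phone=6145550100&card=4111111111111111"),
    ("GET", "https://images.example-cdn.net/logo.gif?v=3", ""),
    ("GET", "https://data.coremetrics.com/collect?cm_name=Pat+Example"
            "&cm_addr=1+Main+St&cm_phone=6145550100&cm_total=49.95", ""),
]

def form_fields(url, body):
    """Merge query-string and form-body parameters into one dict of single values."""
    fields = {}
    for raw in (urlsplit(url).query, body):
        for key, values in parse_qs(raw).items():
            fields[key] = values[0]
    return fields

def pii_leaks(requests, first_party_host, pii_keys=("name", "addr", "phone", "card")):
    """Return {third_party_host: {first_party_field: third_party_field}} for every
    value submitted to the first party that reappears in a request to another host."""
    submitted = {}
    for method, url, body in requests:
        if urlsplit(url).hostname == first_party_host and method == "POST":
            submitted.update({k: v for k, v in form_fields(url, body).items()
                              if k in pii_keys})
    leaks = {}
    for method, url, body in requests:
        host = urlsplit(url).hostname
        if host == first_party_host:
            continue
        for tp_key, tp_val in form_fields(url, body).items():
            for fp_key, fp_val in submitted.items():
                # Ignore very short values, which match by coincidence too easily.
                if len(fp_val) >= 4 and tp_val == fp_val:
                    leaks.setdefault(host, {})[fp_key] = tp_key
    return leaks

if __name__ == "__main__":
    for host, fields in pii_leaks(SAMPLE_REQUESTS, "www.babiesrus.com").items():
        print(host, "received:", ", ".join(f"{fp} as {tp}" for fp, tp in fields.items()))
```

On the constructed sample this reports name, address and phone reaching data.coremetrics.com while the card number stays with the first party, matching the behaviour the release describes.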
At the very least, it is interesting to note that the sites that do not reveal their connection with Coremetrics do so against Coremetrics' advice. Coremetrics describes what it does and the principles that guide it on its privacy page at http://www.coremetrics.com/privacy.html. We encourage everyone to take note of this issue and become fully informed by seeing what all parties have to say. It is our belief that every Web user should know exactly what is being done with information about him and use that knowledge to avoid any unnecessary exposure to unpleasant surprises later.
Coremetrics and some sites that use its service, namely licensees of the TRUSTe symbol, used to build consumer confidence! You'll be hearing more from us on this topic.
Complete details, including some defense mechanisms, are available in the Interhack Technical Report "Getting to Know You (Intimately): Surreptitious Privacy Invasion on the E-Commerce Web", online at
Interhack Corporation is a provider of services and tools for building the Internet with security and privacy in mind. Based in Columbus, Ohio, Interhack serves clients all across North America, helping them to determine compliance with security and design, development, and deployment of network-based systems.
Interhack Corporation can be found on the Web at
The Interhack Privacy Project page is at
Media contact: Matt Curtin, +1 614 206 3413, <firstname.lastname@example.org>.