FOR IMMEDIATE RELEASE
Interhack Corporation's Internet Privacy Project has yielded shocking results that reveal how marketers' tracking of Internet users has moved well beyond "impersonal" data collection. We reveal how the Coremetrics system can build detailed dossiers of unsuspecting Web surfers that include names, physical addresses, telephone numbers, email addresses, and other personally-identifiable information.
Among the sites that use Coremetrics are four that specifically state that they do not share personal information with third parties, namely Toys "R" Us (NYSE:TOY) sites toysrus.com and babiesrus.com, as well as Lucy.com, and Fusion.com.
On today's Internet, aggregation of such data is not only inconvenient, but it can place unsuspecting Web surfers -- including children -- at risk of becoming victims of real-world crimes including stalking and identity theft.
"Perhaps consumers, the US Federal Trade Commission, and our friends in Europe should be more concerned about what Web-based vendors are actually doing online than what they admit to doing," said Matt Curtin, Interhack's founder. He added, "The industry does not want to be regulated; it wants to do whatever it can get away with. Today we tell the industry that when it comes to invading our privacy, it will get away with nothing."
These "leaks" to a third party data collection facility are not accidental or due to bad web site design or implementation. Using JavaScript, web bugs, and cookies in concert, an increasing number of sites are taking information that users report to them during the course of making a purchase and cause the users' browsers to send the information to an Internet-based data collection facility in a standardized format for entry into a database.
The data collection facility is part of a service offered by
Coremetrics to observe and to track the behavior of users as
they use a vendor's Web site. Though Coremetrics' Web site
contains a rather complete and lucid description of what they
are doing and how users can "opt out" of the system, not all
sites inform their users that information expected to be
confidential will be reported to Coremetrics. Some of those
that do bury the information deep within a bunch of legal
gobbledygook. In any case, many users are unknowingly providing
all of the details of their Web-based purchases (except for the
credit card number used for the purchase) to a third party that
saves the information and makes a business of analyzing it.
Furthermore, "opt out" systems fail, as we have previously
described in the technical reports DoubleClick Opt Out
Protocol Failure == Opt In and Opting In, By
Accident, available online at http://www.interhack.net/pubs/dc-proto-fail/
and http://www.interhack.net/pubs/netscape-doubleclick/,
respectively.
Several steps to avoid detection have been taken. The information is sent to Coremetrics by using a web bug -- a tiny invisible image that serves no purpose but to track Web surfers. The JavaScript code used to implant the web bugs and to format the data for submission to Coremetrics is obfuscated -- intentionally made difficult to read by human programmers. Finally, in typical cases where personally-identifiable information is being uploaded, the connection to Coremetrics is encrypted, preventing packet sniffers and privacy-defending systems from being able to read what is being sent.
Perhaps most alarming of all is that at least one site using this technology is an online toy store. How can such a site tell the difference between an adult browsing the site and a child? The technology itself does not distinguish among users. A parent who makes a purchase on such a Web site will make the Coremetrics database aware of his name, address, and phone number. Subsequent visits to the site -- including visits by children from that same computer (and the same browser) -- will be recorded and associated with the parent's profile. Or if an adult chooses to have a gift shipped directly to a child, entering the child's name and address in the "ship to" field of the order, that information will be sent to Coremetrics.
This system works such that instead of knowing everything about users and what they do on a particular site, the database can know everything about all users and what they do on every Coremetrics-enabled site. The more sites that use Coremetrics' tracking software, the greater the privacy invasion would become. Whether this is actually taking place, we cannot say -- there is no way to tell the difference between what is technically possible and what is actually happening without examining Coremetrics' data handling practices and auditing the code regularly.
Tracking is not limited to purchases. Very detailed profiles are built as users browse Coremetrics-enabled pages, including products examined but not purchased. At the point where a user gives his name to the vendor to make a purchase, that name (as well as how much was spent and other information) is associated with the profile.
Sites toysrus.com, babiesrus.com,
lucy.com, and fusion.com claim not to
send information about users to third parties. For example,
babiesrus.com displays this text at the bottom of
the page during the checkout process:
Babiesrus.com keeps your personal information completely confidential. Click here to learn how our site is 100% safe and secure.
Following that link will take the user to a page that says:
About SSL Encryption
The Login, My Account, and Checkout areas of the site are fully secured using a technology called Secure Socket Layer (SSL). SSL Encryption ensures that your credit card number and personal data are always sent over the Internet safely. The information is encoded on your computer before it is sent, and then decoded on the our site's server. Furthermore, all personal data (such as mailing addresses, e-mail and billing information) is stored on a highly secured server within the data center.
What it doesn't tell you is that an encrypted connection is also
being made to data.coremetrics.com that includes
all of that personal data except the credit card number itself.
Failing to advise site visitors that Coremetrics is watching
them results in visitors having no way to know that the
monitoring technology is even being deployed.
At the very least, it is interesting to note that the sites that do not reveal their connection with Coremetrics do so against Coremetrics' advice. Coremetrics describes what it does and the principles that guide it on its privacy page at http://www.coremetrics.com/privacy.html. We encourage everyone to take note of this issue and become fully informed by seeing what all parties have to say. It is our belief that every Web user should know exactly what is being done with information about him and use that knowledge to avoid any unnecessary exposure to unpleasant surprises later.
Coremetrics and some sites that use its service, namely
lucy.com and fusion.com, are
licensees of the TRUSTe symbol, used to build consumer
confidence! You'll be hearing more from us on this topic.
Complete details, including some defense mechanisms, are
available in the Interhack Technical Report
Getting to Know You (Intimately): Surreptitious Privacy
Invasion on the E-Commerce Web, online at
http://www.interhack.net/pubs/intimately/.
Interhack Corporation is a provider of services and tools for
building the Internet with security and privacy in mind. Based
in Columbus, Ohio, Interhack serves clients all across North
America, helping them to determine compliance to security and
privacy policy, in addition to assistance in all aspects of
design, development, and deployment of network-based systems.
Interhack Corporation can be found on the Web at
http://www.interhack.net/.
The Interhack Privacy Project page is at http://www.interhack.net/projects/privacy/.
Media contact: Matt Curtin, +1 614 206 3413, <cmcurtin@interhack.net>.
###