INTERHACK  


FOR IMMEDIATE RELEASE

Taking a Bold Step Forward in Privacy Invasion

Interhack Corporation's Internet Privacy Project has yielded shocking results that reveal how marketers' tracking of Internet users has moved well beyond "impersonal" data collection. We reveal how the Coremetrics system can build detailed dossiers of unsuspecting Web surfers that include names, physical addresses, telephone numbers, email addresses, and other personally-identifiable information.

Among the sites that use Coremetrics are four that specifically state that they do not share personal information with third parties, namely Toys "R" Us (NYSE:TOY) sites toysrus.com and babiesrus.com, as well as Lucy.com, and Fusion.com.

On today's Internet, aggregation of such data is not only inconvenient, but it can place unsuspecting Web surfers -- including children -- at risk of becoming victims of real-world crimes including stalking and identity theft.

Mene Mene Tekel Parsin

"Perhaps consumers, the US Federal Trade Commission, and our friends in Europe should be more concerned about what Web-based vendors are actually doing online than what they admit to doing," said Matt Curtin, Interhack's founder. He added, "The industry does not want to be regulated; it wants to do whatever it can get away with. Today we tell the industry that when it comes to invading our privacy, it will get away with nothing."

Leaks Not Accidental; Formatted for Database Entry

These "leaks" to a third party data collection facility are not accidental or due to bad web site design or implementation. Using JavaScript, web bugs, and cookies in concert, an increasing number of sites are taking information that users report to them during the course of making a purchase and cause the users' browsers to send the information to an Internet-based data collection facility in a standardized format for entry into a database.

The data collection facility is part of a service offered by Coremetrics to observe and to track the behavior of users as they use a vendor's Web site. Though Coremetrics' Web site contains a rather complete and lucid description of what they are doing and how users can "opt out" of the system, not all sites inform their users that information expected to be confidential will be reported to Coremetrics. Some of those that do bury the information deep within a bunch of legal gobbledygook. In any case, many users are unknowingly providing all of the details of their Web-based purchases (except for the credit card number used for the purchase) to a third party that saves the information and makes a business of analyzing it. Furthermore, "opt out" systems fail, as we have previously described in the technical reports DoubleClick Opt Out Protocol Failure == Opt In and Opting In, By Accident, available online at http://www.interhack.net/pubs/dc-proto-fail/ and http://www.interhack.net/pubs/netscape-doubleclick/, respectively.

System Designed To Resist Discovery

Several steps to avoid detection have been taken. The information is sent to Coremetrics by using a web bug -- a tiny invisible image that serves no purpose but to track Web surfers. The JavaScript code used to implant the web bugs and to format the data for submission to Coremetrics is obfuscated -- intentionally made difficult to read by human programmers. Finally, in typical cases where personally-identifiable information is being uploaded, the connection to Coremetrics is encrypted, preventing packet sniffers and privacy-defending systems from being able to read what is being sent.

System Likely Tracks Children Online

Perhaps most alarming of all is that at least one site using this technology is an online toy store. How can such a site tell the difference between an adult browsing the site and a child? The technology itself does not distinguish among users. A parent who makes a purchase on such a Web site will make the Coremetrics database aware of his name, address, and phone number. Subsequent visits to the site -- including visits by children from that same computer (and the same browser) -- will be recorded and associated with the parent's profile. Or if an adult chooses to have a gift shipped directly to a child, entering the child's name and address in the "ship to" field of the order, that information will be sent to Coremetrics.

System Tracks Users as They Move from Site to Site

This system works such that instead of knowing everything about users and what they do on a particular site, the database can know everything about all users and what they do on every Coremetrics-enabled site. The more sites that use Coremetrics' tracking software, the greater the privacy invasion would become. Whether this is actually taking place, we cannot say -- there is no way to tell the difference between what is technically possible and what is actually happening without examining Coremetrics' data handling practices and auditing the code regularly.

Tracking is not limited to purchases. Very detailed profiles are built as users browse Coremetrics-enabled pages, including products examined but not purchased. At the point where a user gives his name to the vendor to make a purchase, that name (as well as how much was spent and other information) is associated with the profile.

Sites Using System Violate Their Own Privacy Policies

Sites toysrus.com, babiesrus.com, lucy.com, and fusion.com claim not to send information about users to third parties. For example, babiesrus.com displays this text at the bottom of the page during the checkout process:

Babiesrus.com keeps your personal information completely confidential. Click here to learn how our site is 100% safe and secure.

Following that link will take the user to a page that says:

About SSL Encryption
The Login, My Account, and Checkout areas of the site are fully secured using a technology called Secure Socket Layer (SSL). SSL Encryption ensures that your credit card number and personal data are always sent over the Internet safely. The information is encoded on your computer before it is sent, and then decoded on the our site's server. Furthermore, all personal data (such as mailing addresses, e-mail and billing information) is stored on a highly secured server within the data center.

What it doesn't tell you is that an encrypted connection is also being made to data.coremetrics.com that includes all of that personal data except the credit card number itself. Failing to advise site visitors that Coremetrics is watching them results in visitors having no way to know that the monitoring technology is even being deployed.

At the very least, it is interesting to note that the sites that do not reveal their connection with Coremetrics do so against Coremetrics' advice. Coremetrics describes what it does and the principles that guide it on its privacy page at http://www.coremetrics.com/privacy.html. We encourage everyone to take note of this issue and become fully informed by seeing what all parties have to say. It is our belief that every Web user should know exactly what is being done with information about him and use that knowledge to avoid any unnecessary exposure to unpleasant surprises later.

Coremetrics and some sites that use its service, namely lucy.com and fusion.com, are licensees of the TRUSTe symbol, used to build consumer confidence! You'll be hearing more from us on this topic.

Complete details, including some defense mechanisms, are available in the Interhack Technical Report Getting to Know You (Intimately): Surreptitious Privacy Invasion on the E-Commerce Web, online at http://www.interhack.net/pubs/intimately/.

About Interhack Corporation

Interhack Corporation is a provider of services and tools for building the Internet with security and privacy in mind. Based in Columbus, Ohio, Interhack serves clients all across North America, helping them to determine compliance to security and privacy policy, in addition to assistance in all aspects of design, development, and deployment of network-based systems. Interhack Corporation can be found on the Web at http://www.interhack.net/. The Interhack Privacy Project page is at http://www.interhack.net/projects/privacy/.

Media contact: Matt Curtin, +1 614 206 3413, <cmcurtin@interhack.net>.

###


corporate | research | news | people | projects | publications | services | feedback | legal

Matt Curtin
Last modified: Tue Jul 24 15:46:24 EDT 2001