Cursor Software Tracks You On Web
fabrini writes "That cute little animated Comet Cursor, that some websites try to send you when you visit their site, is actually doing more than impressing the kids. It's also tracking your activity on over 60,000 websites using a unique serial number -- and all without asking."
They never learn (Score:1)
Legal issues (Score:3)
Silly Marketers, We're not that stupid. (Score:2)
Either that, or they really WANT people to hate them.
Re:Legal issues (Score:1)
Who's the watchdog? (Score:2)
Airgap baby. It's the only way we can be sure.
Shooting off feet (Score:4)
So why do they waste bandwidth/storage space collecting it?
Slowly closed source software is shooting itself in the foot with all these "trojans" that they add, but that they "don't use for any purpose". They'll soon not be able to use the security through obscurity catch phrase.
Maybe Open source software should use "Privacy through visibility" as a counterattack.
iain
Accidental infringement (Score:2)
There'll be the inevitable massive calls for boycotting, and (as tends to be the case), this will be an overreaction. I'm happy with Comet's response, and I don't think this is a reason to hang them out to dry.
Time to check the EULA (Score:1)
Then again, there is a practical use for this: I'd love to know the sites that people with Garfield cursors hang out at, just so I can avoid them.
---
Is this a reason to go open-source (Score:1)
Or we have to plug a sniffer in every IP-stack we use, or we have to move to software (and companies) we can trust.
I believe choosing for open-source software gives you (and the providing company) a trust relationship. You trust the software because you can check it, because you get the actual code.
Do you want big brother to watch you? Do you want the tiny little bros. watching your every step? I don't think so...
URL? (Score:1)
Am I the only person who has never heard of this software before?
Comment ended due to lack of information.
why don't they make it against the law? (Score:1)
the person that the program they are installing
will be sending *anything* over the network
that might entail privacy and/or security?
this way, when we DO find out that these morons
are using their fun little programs to track us,
they get a nice stiff fine from the gov't ?
( start conspiracy_theory )
or *maybe* the gov't is using companies like this as a smokescreen to watch all of us
( end conspiracy theory )
Tracking (Score:1)
As for what they are doing: it doesn't seem all that bad. Slashdot appears to have gone into a paranoid they're-watching-us mode at the moment (i.e., loads of articles about tracking, NSA, encryption, privacy.... I'm not saying they're not important, just that some are seemingly redundant and the same arguments get trolled out over n over again. Why don't they just allow users to have a list of articles on eff.org or whoever deals with privacy issues, like you can do with bbc/science etc in the custom boxes).
Just my £0.02
It doesn't matter what your name is! (Score:3)
Fact of the matter is, the only thing this company needs is exactly what they gather: your Web habits.
They're trying to defend themselves by saying they're not actually collecting your name or address, but it's not like this information matters to them.
Working for an e-commerce company, I can tell you what they want: they want a list of clients. They want to know exactly what kind of people use their software. They want to target their publicity more closely.
If you ask me, it's BS when they say they're not actually using the info they collect. This information is invaluable to advertising companies, and knowing where everyone goes from your site on is the Holy Grail of target advertising on the Web. Many companies focus solely on providing companies with 'client lists'.
So it's BS when the PR guys say it's harmless. Fact of the matter is, they're doing it without asking permission.
Here's a little gem from the article:
Wow. I know people tend to pick on Gore for that misquoted bit about inventing the Internet, but that's very fair of him. I thought we were the only ones (we being geeks) throwing a temper tantrum about privacy on the net. Way to go. Too bad I'm Canadian, eh? :)
what i don't understand (Score:2)
"The importance of using technology in the right way has never been more clear." [microsoft.com]
Not in anyone's economic interests? (Score:2)
Not in anyone's economic interests? Let's see: Joe X (referenced distinctly by his serial number) goes to this Britney Spears site, then the Disney site, then Yahoo, then CNN, etc. I'm sure many companies would be interested to know where people are actually visiting for advertising and marketing purposes, let alone for forming "strategic partnerships" with related sites. Although I know Yahoo, CNN, etc. don't use Comet, the potential does exist for the plugin to be used for these purposes.
Not knowing anything about the face behind the serial number isn't anything detrimental, in fact it's important because it's with that anonymity they claim they aren't doing anything wrong. Whether or not you know who I am doesn't make a lick of difference, you're still taking my information (essentially, my web browser history in progress).
Pablo Nevares, "the freshmaker".
Our IP Address is Available To Whoever Wants It (Score:1)
I wouldn't be surprised if Slashdot stores our IP address in our user profile.
This is common practice, but I've never heard of people getting upset about this. Why?
This is far more worrying than id's thing (Score:1)
Action (Score:1)
I feel like I have been reading a lot about this type of thing lately. It seems like everything is trojaned: realplayer and even quake (although in this case it was disclosed) and others that I likely don't remember. I think it is the time for grassroots action.
Does anyone know of some organizations already set-up to address these issues?
Criminally illegal in the UK (Score:5)
What laws are they breaking?
For starters, there's the Data Protection Act (amended 1998). This requires all databases to be registered, along with a list of their structure, so that people upon whom information is held can serve a data disclosure notice on the database owners and find out what is being said about them. I believe there's also a requirement to notify the subjects that information about them is being stored.
(Violation: up to two years in prison and a honking great fine, although it's very rare for infractions to get as far as a prosecution.)
Next: Computer Misuse Act (1994). This act has teeth -- it was introduced as an anti-hacking measure and it would seem that if they're tampering with or using a computer in the UK for any purpose without the consent of the owner they could be liable for five years as a guest in one of Her Majesty's hotels. It is a criminal offense to run software on a computer without the owner's permission, or to cause software to be run (ditto), or indeed to do anything with a computer without permission from its owner. Oh, and you can be guilty even if you're not in the UK (but meddling with a UK-based computer), or if the computer's not in the UK (but you are).
Finally there's the EU declaration of human rights which, implemented in law, has an explicit right of privacy. The EU recently disseminated some directives on data security -- specifically banning the export of personal information from jurisdictions with strict privacy laws to other jurisdictions with weaker protection -- that means this company is violating the law, right across the EU.
Class action lawsuit, anybody?
Re:They never learn (Score:1)
I imagine though, that this could class as "Stalking" or "Harassment" in many countries, simply because you are being "followed"... Any legal-type people able to comment on this?
Oh, if you want to beat them at their own game...
Alladvantage [alladvantage.com] pay you (a small fee) to surf, in return they gather data about your surfing habits. You don't get spammed or anything, and I personally think it's pretty cool! Oh, if you sign up, put "GGZ 549" as your referrer
Mong.
* Paul Madley
Old adages still apply. (Score:1)
Comment removed (Score:4)
dumb cursor (Score:2)
If it's truly harmless.... (Score:1)
It sure seems to be, its slowly convincing me... (Score:4)
But the more of these kinds of cases pile up, they slowly change my mind. I look down at my System Tray right now and wonder just how many of those programs are sending information back to the company about what I do. I wonder what else they're doing. This was never a problem a couple of years ago.
Can we really trust anything that big software companies put out at this point? Time and time again they have proven that self-regulation doesn't work. They've proven they can't be trusted to make software with privacy or security in mind. For that matter, it seems that many of them can't even be trusted to make high quality software at all. (all the bug-laden games out there come to mind... most notably SiN and the 18MB patch required to make it run at all straight out of the box)
If we have any software developers and/or PR people who work for software companies, can you please explain to me how anyone can ever trust anything you put out ever again? Please don't use the "well we don't use the information we collect" lame excuse, I'm not falling for it. Why would you collect it at all if you don't intend to use it? You shouldn't be collecting it at all, you don't have any right to. I want an audio player that *gasp* plays audio! I don't want it monitoring me, if I wanted that I'd install a monitoring program.
What to learn from this (Score:1)
2.) Never underestimate the creativeness of professional data-collectors.
3.) Don't let your kids use your computer unsupervised or at least make sure they are not able to install anything.
Ciao, Peter
Re:It doesn't matter what your name is! (Score:1)
Re:It doesn't matter what your name is! (Score:1)
dp
Slashdot is doing a good job on this. (Score:1)
I use Slashdot as my tech news source, and this sort of issue is very important to me.
Re:Tracking (Score:1)
now I know that the company said they were not doing this but i do not believe it. there is no other reason why they would gather this type of information. it seems their only mistake is not telling people about it, and the blatant confusion and obscurity over the program's true purpose.
i have no problem with the program, but i do have a problem with their obscure distribution tactics.
"The importance of using technology in the right way has never been more clear." [microsoft.com]
Re:why don't they make it against the law? (Score:1)
Isn't this a geek 'zine? Maybe we should write some code to inform users of connectivity being made on their behalf, and allow them to drop it. This could kick those doubleclick banner ads in the *ss too!
Re:Shooting off feet (Score:2)
information to find out what people's names and addresses are. A little
bit disingenuous to say `they don't see that it is in anyone's economic
interest to do so': there is no doubt that efforts like these are
making it easy for people who do want to do such cross-indexing.
I don't see that open source vs. closed source is an issue here: it is
quite easy to provide unintelligible open source to satisfy any formal
`visibility' requirement.
Re:Silly Marketers, We're not that stupid. (Score:1)
Re:Our IP Address is Available To Whoever Wants It (Score:1)
The problem is with taking our information (however minimal) without our consent.
Pablo Nevares, "the freshmaker".
Re:Criminally illegal in the UK (Score:1)
Mostly Harmless (Score:1)
Secondly, the information they're collecting seems to be fairly harmless. I don't know how malicious they could be with it if they want.
Frankly, the thing that worries me is the fact that I have a static IP and hostname. Every site I visit no doubt stores that. I suppose that, in a way, that's less dangerous, because they don't get any sort of picture of what I'm doing, just that I've visited them. But still, it kind of makes my skin crawl.
And now I'll prepare to get flamed. I don't think that comments about the "closed source community" are incredibly appropriate here. Since I haven't seen any sort of open source competition for the comet cursor (which is slightly nifty, in a really dorky way), I don't think that there is any reason to use this as an opportunity to rip on closed source.
Comet's denial has a big loophole. (Score:5)
Consider what you get if you buy the access logs for a bunch of web sites (some with login ids that can be tracked to house addresses, maybe from shipping information) and then add user tracker data like Comet that can identify a user between web sites. You can now track the user's access patterns across all the web sites, even those where he was anonymous.
This isn't anything too new, the banner ad companies do this already.
Nah, this is clearly malevolent (Score:3)
From what I understand, this silly cursor is just a Trojan horse aimed at users' privacy. What would be the point of the company otherwise? Their business is just based on this invasion of privacy. And BTW, their claim that they can't link to a single user is ridiculous: it just takes one filled up form asking for your email address in any of the 60'000 using, et voilà! you are tracked, welcome to big brother!!!
Any web developer can understand that. It's so fucking simple to do, just the fact that they claim it 'impossible' is an insult.
http://www.oneofthesites.com/subscribe.cgi?email=IF DEFINED(id) THEN
INSERT INTO bigbrother (email,sexual_orientation, age, crimescommitted, numberofpornbannerclickthrough, hasreceivednicescientologyleaflet)
VALUES ( -- edited for brevity
ELSE IF sexual_orientation = 'perverthomo' THEN
send_blackmail_asking_for_money()
ENDIF
ENDIF
--
Interesting issue (Score:4)
On a positive note,
I recently went to Axent's [axent.com] site to do some research on their products and found that I couldn't view any product information unless I allowed cookies. I thought this was plain stupid and I emailed the webmaster regarding it. Below is the QUICK response from the webmaster at Axent. He was honest and shared more information than he needed to share (he didn't even have to respond). I wish more companies had this attitude. My response back was that since I couldn't find a privacy statement, I wasn't planning on allowing the cookies because I wasn't sure of their purpose. He was a nice guy nonetheless.
Here's the email:
Subject: RE: Feedback
Date: Mon, 29 Nov 1999 11:03:48 -0500
From: Tony Stephens
To: "'jvincent@qa.butler.com'"
You will not receive any unsolicited information from us. Thanks for the
heads-up on the feedback page. You are right, it shouldn't say "Submit
Registration". As for the cookies, we have moved to a dynamic, data-driven
site powered by Mainspan. I'm not 100% sure what the cookies are for (I'm
real new at this job, still learning the site...no excuse, but a minor
explanation for my lack of a real explanation) but I'm assuming that they
are to allow the server to track (during the session only) your documents
and allow faster access to the ones you access. It's a variable called
"DocsActiveForUser". Again, I believe that this is what it is for. I will
look into this further. I agree with you in the fact that for the public
site, it shouldn't be cookies, but rather session variables. But I'm sure
it's for the purpose of providing you the information you want
faster...allowing you to kind-of 'keep track' of the documents you have
accessed. I assure you it's not for any tracking or informational gathering
uses of ours.
Thanks.
Tony Stephens
Webmaster
AXENT Technologies, Inc.
2400 Research Blvd. #200
p: 301.670.3644
e: tstephens@axent.com
e: webmaster@axent.com
w: www.axent.com
-----Original Message-----
From: jvincent@qa.butler.com [mailto:jvincent@qa.butler.com]
Sent: Monday, November 29, 1999 9:09 AM
To: webmaster@axent.com
Subject: Feedback
Name: John E. Vincent
Phone:
Email: jvincent@qa.butler.com
PageLocation: Products
Feedback: I was browsing your site and noticed that to get information, my
browser has to accept cookies. Please provide me with a good reason that a
security company requires a cookie with an invalid expiration date to allow
me access to the most basic of information about your products. I notice
your submit button says "Submit Registrion". This also serves to say that I
am not registering for anything. I do not want any unsolicited email from
your company other than a response to my question. John E. Vincent Network
Administrator BTSQA
Lightning vs Lightning Bug (Score:2)
Think of IP logging as analogous to Caller ID: If I call your telephone, you have, IMHO, an inherent right to know who I am.
However, if you twiddle my phone so that when I call YOU it tells you about everyone ELSE I have called, that's invading my privacy. The critical distinction here is the collection of data on my interactions with third parties.
Of course, if a million Web site operators all pooled their IP logs, that would achieve the same result as Comet's dirty trick, but then the public at large would perceive a massive, evil conspiracy, it would make the 6 o'clock news, and they'd be stomped on by the law and public ire.
Hmmm, perhaps not such a bad idea here, either...
Re:Hmmm.. (Score:2)
"we value your security and privacy" =P BS
It'd be easy to avoid (Score:2)
Certainly each customer (that is, website with the cursor-changing support) has a serial number as well. Call this number "C", and call the serial number of the user whose cursor is changed "U". Instead of reporting the pair (C,U) to headquarters, simply report the pair (C,f(C,U)), where f is some one-way hash function. (e.g. MD5)
The information they (say they) want to collect is still collected, and yet it is impossible to do the correlation activity that privacy people are concerned about.
I agree, though, that it seems like someone just didn't think it through. Much as programmers need to be re-educated to think intelligently about security, it appears that privacy concerns need to be addressed similarly.
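Added example (not from the thread or from Comet Systems): a Python sketch of the scheme proposed in the comment above, reporting (C, f(C,U)) instead of (C,U), set against the cross-site linking described in the earlier "Comet's denial has a big loophole" comment. It substitutes HMAC-SHA256 for the MD5 the comment mentions; the site IDs, user secrets and function names are constructed for illustration. The last function goes beyond the comment to show that the scheme only holds if U is a secret the collector never issued or saw.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: three customer sites (C) and two user secrets (U).
SITES = ["site-100", "site-200", "site-300"]
USER_A = hashlib.sha256(b"constructed-user-A").digest()[:16]
USER_B = hashlib.sha256(b"constructed-user-B").digest()[:16]
VISITS = [(USER_A, "site-100"), (USER_A, "site-200"), (USER_A, "site-300"),
          (USER_B, "site-100"), (USER_B, "site-200")]


def raw_report(site_id, user_secret):
    """The (C, U) pair: the same identifier is sent from every site."""
    return site_id, user_secret.hex()


def pseudonymous_report(site_id, user_secret):
    """The (C, f(C, U)) pair, with f = HMAC-SHA256 keyed by U (assumption:
    the comment suggests MD5; a keyed modern hash is used here instead)."""
    tag = hmac.new(user_secret, site_id.encode(), hashlib.sha256).hexdigest()
    return site_id, tag


def visitors_per_site(reports):
    """Per-site unique-visitor counts, the statistic a site operator needs."""
    seen = defaultdict(set)
    for site, ident in reports:
        seen[site].add(ident)
    return {site: len(ids) for site, ids in seen.items()}


def link_across_sites(reports):
    """Collector's view: identifiers that show up on more than one site."""
    seen = defaultdict(set)
    for site, ident in reports:
        seen[ident].add(site)
    return {ident: sites for ident, sites in seen.items() if len(sites) > 1}


def relink_with_known_serials(reports, known_serials, site_ids):
    """If the collector issued (or ever saw) U, it can recompute f(C, U) for
    every site and undo the pseudonyms. Returns {U hex: sites} for any U
    found on more than one site."""
    table = {pseudonymous_report(c, u)[1]: u.hex()
             for u in known_serials for c in site_ids}
    per_user = defaultdict(set)
    for site, ident in reports:
        if ident in table:
            per_user[table[ident]].add(site)
    return {u: sites for u, sites in per_user.items() if len(sites) > 1}


def demo():
    raw = [raw_report(c, u) for u, c in VISITS]
    pseudo = [pseudonymous_report(c, u) for u, c in VISITS]
    # A secret the collector's list does not contain (constructed).
    stranger = hashlib.sha256(b"constructed-unrelated").digest()[:16]
    return {
        "raw_linked_users": len(link_across_sites(raw)),
        "pseudo_linked_users": len(link_across_sites(pseudo)),
        "counts_match": visitors_per_site(raw) == visitors_per_site(pseudo),
        "relinked_if_serials_known": len(
            relink_with_known_serials(pseudo, [USER_A, USER_B], SITES)),
        "relinked_if_serials_secret": len(
            relink_with_known_serials(pseudo, [stranger], SITES)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Per-site visitor counts come out identical under both reporting schemes, so the statistic the site operator needs survives while the cross-site join does not, provided U is generated on the client and never leaves it.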
Re:Is this a reason to go open-source (Score:4)
With the current, disturbing trends towards the invasion of privacy by companies, I think I will never ever use anything but Open Source software anymore. This is really getting too far -- OK, fine, so this software "only" transmits a log of your web surfing to Comet, under the guise of displaying a cute cursor. How do you know one day somebody won't come up with something malicious?! How do you know that the next cute-cursor software you got from somewhere doesn't start transmitting files on your hard drive to some company? This may be paranoid, but I see this as a very likely possibility, given the current trend of increasing infringement of privacy by corporate entities. Gives a totally new meaning to "trojan horse".
At least if you only use Open Source software, there is always source code for you to double-check, to make sure that this piece of code you're going to run isn't going to transmit private files from your home directory to some company out there.
But, to go one step further, I'd say that even Open Source in itself may not be sufficient to prevent such kinds of exploits. Take any typical Linux system, for example. How many of us actually read the source code for all the software that we run?? How many sources can we read before exhausting our patience, and just say "forget it, let's just run this thing."? Of course, the redeeming thing is that if the source base is polluted with some bad code, the maintainer of the code would find out about it pretty quickly. But still, when Open Source becomes more and more widely adopted, there's a possibility that such things get overlooked.
Sounds like privacy is over. Would we just sit here and allow this to happen?
Re:This is far more worrying than id's thing (Score:2)
Re:Executing pedestrians - accusing them of murder (Score:4)
In addition they might use some of it to do marketing research (although it is neither mentioned nor implied which means they might or they might not). The same things all those banner ads do. You want to worry about privacy? There's the motherlode of your personal viewing habits being sent across the internet - all corresponding nicely to your machine (IP), your e-mail (if your browser sends it - unlikely but possible), uniquely identifying your machine (via cookies unless you delete/disable them), and much more.
However most of this doesn't bother me. Quake 3 sending my GL_RENDERER string? *shrug* Mr Comet Cursor thingy sending a list of websites I visit that use the cursor (considering I've seen that cursor maybe once - EVER)? *shrug* All of this is benign information. Do I care that Carmack knows that someone out there (at IP # blah - if he even stores that data) is running version 1.09 and has a TNT2 Ultra? Or that Sir Cursor Changer knows someone (again, possible from my IP if they bother to store it) visited some web site?
Now: Send my SSN or CCN or Home Phone across the web without my permission?! That's in the interest of 'My Rights Online.'
Here's what SHOULD be done: Any app or web site that sends data back to its creators should register with a security watchdog organization such as TRUSTe. They should document their procedures and what they store and what could potentially be stored without a change on the client end (i.e. modifying the server to collect IP addresses). People can then get full disclosure on issues. Random and directed (in case of dispute) audits can be performed at the watchdog agency's discretion. If you think that Carmack is privately planning world domination based on the distribution of 3dfx chips in the world, you can complain to the appropriate agency.
Most of the 'Your Rights Online' articles have been, IMO, non-issues, this one included. People say "If we let them do this then they will keep going until they send our entire lives back!" No. If someone starts sending back e-mail addresses without permission or other very private information THEN we start boycotting and raising hell. Until then just relax, vote with your dollar, send polite e-mails if you don't agree with something and just deal with the larger issues.
And just think how much information CmdrTaco has collected from you.
Not practical (Score:2)
Hmmm.. So much for all the sites like
Technical solutions are rarely suitable to these kinds of problems. The only reason that this sort of thing happens is because of the inherent openness and flexibility of the net. That flexibility makes it very hard to pin down a weakness and plug it. There is no design weakness here - merely an unfortunate usage.
Personally I'd far rather have an Internet that provided no technological means for me to stop this sort of thing, than an Internet that was restrictive and full of rules and regulations.
Re:Legal issues (Score:2)
For the paranoid, and the prudent... (Score:2)
http://www.cometsystems.com/ [cometsystems.com]
And here's a link to help get rid of the Comet Cursor program. It's from the Comet Cursor people, but it probably does what it claims to. I think this is just a case of stupidity, not eeevil.
http://www.cometsystems.com/download/cleaner.shtml [cometsystems.com]
Re:Legal issues (Score:2)
...phil
Re:Company URL here (Score:2)
...phil
Why bother hacking them ? (Score:2)
Read old Slashdot on cookies and banner ads.
Cookie "security" relies on cookies not being shared between servers. For a simple site, this works fine. When banner ad companies sell banners to many sites, then a loophole has opened whereby they can see cookies that were placed there by many sites that share the same banner servers. As banner servers are near monopoly industries, then that's a big source of cross-tracking data.
The fix is obvious, but it needs to be done in the browsers (or by a filter near to the browser).
Hacking obscure browser loopholes just isn't worth it for commercially honest (sic) data capture. There's not enough good data to be had that way (If you still use Mosaic on an Amiga with an unpatched ActiveX hole, then I doubt that you'd buy my product anyway). Illegal cracking (stealing credit card info etc.) is maybe worth looking for obscure browser holes, but market research is by its very nature a mass-market task.
Consent, not software, the issue (Score:2)
What is deplorable is that they did not release such information to the people who downloaded the software.
If a company wants to produce software that monitors every keystroke I ever type on my computer, fine. If I want to use it, fine. However, I should be told before installing the software that such information will be collected.
If we are going to condemn their actions, then let us condemn them for their real crime. Collecting this information was not a crime. Collecting this information without the consent of their users is a crime, if not in a legal sense, then certainly in a moral sense.
I would expect the people here to understand this better than most. Software is never the issue, it's what's done with the software and in what manner that is the issue. The government wants to regulate crypto because it can be used for illegal purposes. The music and video industry want software and hardware that can reverse engineer/defeat copy protection to be illegal because it can be used for pirating. Yet, crypto allows private communication, e-commerce, and user identification that is desperately needed in a world that is rapidly becoming dependent on computer communications. And the same software and hardware that can be used to defeat copy protection can be used to help debug programs, burn CD archives of our work, and play DVD's on our linux boxes.
A tool is just that. A tool. However, someone who uses a crowbar to break into people's homes is a far cry from someone who uses a crowbar in the process of construction.
Please. Remember their crime. It's not the software, it's the lack of consent.
Re:Criminally illegal in the UK (Score:2)
Run a database? Register it or go to prison. (That's the principle.) The original DPA draft dates back to before the government knew you could store data on anything smaller than a mainframe (early to mid eighties).
There are exemptions for non-profit clubs, and private address books. That's about it. The DPA actually had to clarify a couple of years ago that usenet spools and private email folders weren't considered databases within the meaning of the law -- but structured data repositories (like this sort of thing) are subject to the act.
Software Filter Needed (Score:2)
What won't stop invasion of privacy is so-called disclosure in license agreements and readme files. First, nobody reads those, and second, they're too vague. I think that the info that ID gathered was perfectly acceptable, while what RealJukebox did was definitely not, and yet one generic disclosure statement would cover both.
I think that what we need is something similar to anti-virus software that sits between applications and the TCP/IP stack, and limits what different applications can do, putting up warnings and confirmation dialogs as necessary. I expect that my web browser will connect to internet sites. I don't expect that of most other software, and I want to be warned whenever that happens.
This should be similar in concept to some virus protection software. I expect FORMAT.EXE to format disks. I don't expect any other program to do so, and if anything else calls the INT13h or whatever it is (apologies for the DOS-isms), I want to know about it.
Of course, clever programmers could code around anything, just as virus writers avoid detection, but if any company employed such tricks, they'd really have a lot of explaining to do.
Active Server Pages (.asp) Require Cookies (Score:2)
I just attempted to load Cometzone [cometzone.com]'s website and it doesn't allow you to unless you allow cookies. God, I love Junkbuster. [...] Why do they need to store a cookie for me to load the page?
I know all you Linux/Apache hippies are going to laugh or something at this...
After CometZone's website struggles with your browser, it ends up at the page cookie.asp. Notice the extension-- asp. That stands for Active Server Page, referring to Active Server Pages, a server-side scripting technology from Microsoft. ASP normally runs on NT Servers running IIS3.0 and above.
When you visit an ASP site, it may send a session-level cookie to your browser, to identify you while you are on the site. Session-level means it lasts only as long as your browser is open. It is never stored on your hard drive in any cookie file. The cookie name usually starts with ASPSESSION followed by a bunch of random letters.
The reason this is sent is because some ASP sites use session variables-- global variables for all the scripts in the site that pertain to the current site visitor. The server stores these variables in its memory and uses the cookie it sent you to tell your session variables from everyone else's.
Now, as an ASP programmer, I can say that using session variables is a bad idea. Firstly, most users don't like cookies, and will disable or refuse them, meaning that the website will not be able to retain session information for the website users. Secondly, they use up server memory! If you have 400 users on your site, that's 400 copies of every session variable! (No jokes about NT Servers' load capacity, please.) Thankfully, it's possible to disable them and stick with only application variables (of which there is only one copy of, regardless of the user load). There are also other ways of maintaining state information, too.
Re:They never learn (Score:2)
They, the people that go "hmmm, let me run that useless software just for the hell of it".
Or they, that allow users to use the software they developed for free, and just happened to forget to mention they wanted something in return?
To me, it would seem fairly obvious that something's amiss about their offering. So little in the world is free. On the internet, almost all the free stuff comes at the cost of personal information. It doesn't excuse them for not attempting to tell users about the tracking functions. But why wasn't anyone asking?
Re:Consent, not software, the issue (Score:2)
Me, I've seen these "comet cursors" on the Dilbert page, and thought they were bad enough there. As a gimmick they don't interest me one way or another, and if they destroy my Dinosaurs cursor theme, even for just a few mouse-over events, then they're blydi annoying.
I think the limit should be the regular web server logging, no more. It's fair enough that an httpd should know where you're coming from and with what agent, as there are folks out here who need to maintain stats on the above; but asking the browser to give up any more information than that is immoral, and writing a browser that allows more to be sent is in league with those who want such info.
Web server logs, no more.
Re:Not practical (Score:3)
It's not an 'Internet' issue -- it's a browser issue.
I can see a technical solution for this problem in my head right now. It wouldn't be detrimental to anyone, and would allow users to control what their browsers are doing for them.
OK, here goes:
Comments?
Re:Criminally illegal in the UK (Score:2)
On the one hand, it would be impossible for Europeans to touch Yahoo directly. On the other, it may be possible to sue the backbone providers with breach of EU export laws, for transmitting personal information to an unprotected country.
(On the other hand, the backbone providers are likely to cry "carriers", which does offer immunity under certain circumstances. However, in the case of "Private Eye", in the UK, carriers who knowingly transmit information lose carrier immunity.)
It also kind-of goes a little deeper. If enough people launched a massive Class Action against one of the backbones, for not blocking Yahoo, the negative publicity may force a settlement and may encourage other backbones to bulk-block Yahoo.
That, in turn, will severely impact Yahoo on the advertising front. Even portal sites can't run on thin air.
Re:This is far more worrying than id's thing (Score:2)
Id secretly monitored people because they hadn't really thought about it at all. It just seemed natural and beneficial and, hey, who expects privacy and we're not matching up names...
It's this lax attitude that leads to another company saying "Hey, why not take this to the next level and completely track the user".
I got spammed recently by Barnes & Noble and they had a hidden img tag in the HTML version of their spam. The hidden image contained a unique number so that B&N knew exactly when I looked at their crap. (See Privacy Digest [vortex.com] for more).
B&N thinks there's nothing wrong with this. Comet thinks there's nothing wrong. Id thinks there's nothing wrong. They all think they haven't crossed the line yet. If we keep allowing them to push this line, you can bet that people will keep pushing this line.
If you weren't mad at id, then where exactly do you draw the line? Comet isn't tracking names (yet). Sure, kids use Comet's Cursors... but kids also play video games. If you accept what id did, then you set yourself up for Comet.
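The hidden, uniquely numbered image this comment describes can be spotted by inspecting the HTML part of a message before it is rendered. The following is an added example, not part of the original comment; the sample markup, host names, the token heuristic and all function names are constructed for illustration.

```python
"""Flag likely tracking images ("web bugs") in an HTML mail body."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: one visible logo, one hidden per-recipient image and
# one hidden image without an identifier. Hosts and the id value are made up.
SAMPLE_HTML = """
<html><body>
<p>Big savings this week!</p>
<img src="http://images.example.com/logo.gif" width="120" height="40" alt="logo">
<img src="http://track.example.com/open.gif?id=8f3a91c2d7e04b66" width="1" height="1">
<img src="http://images.example.com/banner.jpg" style="display:none">
</body></html>
"""

# Heuristic (an assumption): long hex strings or long digit runs look like
# per-recipient identifiers rather than ordinary file names.
TOKEN_RE = re.compile(r"^[0-9A-Fa-f]{12,}$|^\d{6,}$")


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _pixels(value):
    """Leading integer of a width/height attribute, or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the image is 0/1 pixel in a dimension or hidden via CSS."""
    dims = [_pixels(attrs.get("width")), _pixels(attrs.get("height"))]
    tiny = any(d is not None and d <= 1 for d in dims)
    style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def unique_tokens(url):
    """Query values and path segments that look like unique identifiers."""
    parts = urlsplit(url)
    candidates = [v for _, v in parse_qsl(parts.query)]
    candidates += [seg for seg in parts.path.split("/") if seg]
    return [c for c in candidates if TOKEN_RE.match(c)]


def find_web_bugs(html):
    """Return one finding per suspicious image, in document order."""
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        hidden, tokens = is_hidden(attrs), unique_tokens(src)
        if hidden and tokens:
            verdict = "web bug"        # invisible and carries an identifier
        elif hidden:
            verdict = "hidden image"   # invisible, no obvious identifier
        elif tokens:
            verdict = "tagged image"   # visible, but the URL is per-recipient
        else:
            continue
        findings.append({"src": src, "host": urlsplit(src).hostname,
                         "tokens": tokens, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_web_bugs(SAMPLE_HTML):
        print(f["verdict"], f["host"], f["tokens"])
```

Even the "hidden image" case reveals when the message was opened through the image server's own log, so a mail client that does not fetch remote images by default covers both.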
Re:Comet's denial has a big loophole. (Score:2)
I would not be surprised if the next cracker that gets busted has his Comet Cursor file subpoenaed...
Mess 'em up (Score:3)
Any takers?
What's most worrying... (Score:2)
... is if this is installed on a developer/tester's workstation in an e-commerce/web design shop.
What kind of information could be gleaned from them by the record of all their internal urls?
In certain circumstances, this could be espionage.
(note : I know that now all sysadmins everywhere are banning this software, and they shouldn't have run it in the first place, but up until now, it's just been a harmless desktop toy. Who would have cared about it?)
Removing CometCursor once installed (Score:2)
Tools->Internet Options
Temporary Internet Files - Settings
View Objects to see all ActiveX controls that have been downloaded
Right-click the Comet Cursor->Remove
I did this in NT4. Dunno about 9x or 2k.
CometZone's Privacy Agreement (Score:4)
"Registration
Comet Systems gathers information about our Cometeers that allows us to offer compelling services in a manner that provides personal privacy protection as well. When you join CometZone, we ask you to provide us with some required information such as your email address and home page URL, and some optional information such as your name and address."
"Account Activity Logs
As a result of joining CometZone, a Cometeer account is set up for you on our system that contains your user settings and preferences, e.g., which Comet Cursor you've selected for each of your Cometeer web pages. Every time you login to CometZone, or change your CometZone settings or preferences, your Cometeer Activity Log ("Activity Log") is updated to reflect this activity. Comet Systems uses Activity Logs as a means for better understanding our Cometeers and their interests."
"...Any information you provide to Comet Systems when registering for CometZone is maintained and is accessible only by Comet Systems and a few of Comet Systems's content sponsors. We use the information collected during registration to better understand your interests, and to provide you with the best products and services on the web... "
Anyway... I'm a little appalled that they appear to have tried to hide their privacy agreement, and furthermore, that the CEO's explanation seems incompatible with this information.
Sincerely,
Ryan Taylor
---
Just when you think you've invented something idiot proof, someone goes and invents a better idiot.
Hand in the Cookie Jar (Score:2)
To claim that no business will collect data illegally for fear of being caught is like claiming no business will break environmental laws for fear of being caught by environmental watchgroups. It happens all the time. Some are caught - even some well-known names. Many others are not.
Our only defense is to make examples of those who are caught in the hopes that fewer will be willing to risk such business practices. It won't put a utopian end to such behavior, but it might help to prevent abusing privacy from becoming a standard business practice.
Re:Did you read the article? (Score:2)
If you worry more about whether I got a name right or not, and ignore the contents of what I wrote, it's no wonder you're an AC. If you accuse me of posting without reading, you might want to look up a word in the dictionary. Hypocrite.
Re:Legal issues (Score:2)
Re:Active Server Pages (.asp) Require Cookies (Score:2)
Some kindly moderator moderate this highly informative post up. Great information for a lot of people.
Great Post AC.
Re:Interesting issue (Score:2)
Sol
Go them one better? (Score:2)
What we need is for some enterprising network programmer to provide us with an emulator app that will let us generate bogus messages of the right format and directed to the proper destination. Have it create a message with random content, or perhaps read strings from a user customization file that will allow insertion of fake but plausible text.
Better yet, have it read a database of known snoopers, so that a new program doesn't have to be written every time a new snooper is discovered: just have a cron job pick a random known snooper once per hour, and send out a bogus message. Then whenever you see a "Your Rights On-Line" post to
Don't generate enough messages to rate as a DOS attack, mind you: just enough to make sure their "sucker databases" are useless due to pollution with bogus messages.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Re:Hand in the Cookie Jar (Score:2)
It seems like EVERY DAY we hear something about someone discovering a new way company X is recording data and tracking our movements. If one of these companies REALLY overstepped the boundaries of law and knowingly broke such a law in order to do something horribly unethical with this information, WE WOULD DISCOVER IT. It's practically a 100% certainty.
The result would be a horrible PR shitstorm, class action lawsuits, perhaps criminal proceedings. In short: the company would be destroyed and its owners (assuming they aren't in prison) would be penniless.
No company on earth would take such a monumental risk for something as insignificant as this. This company is in business because of their nifty little Cursor software, they're not in business to collect and sell blackmail material.
If someone really wanted to destroy your life, there are LOTS of better ways to do it than this that don't require Yet Another YRO Conspiracy Theory.
Re:so... how do we uninstall it??? (Score:2)
PS: You might also want to search for impression.log, and then examine every file with a similar creation date.
Re:Who's the watchdog? (Score:2)
proxies like junkbuster try to do some of this, but they suffer from being a proxy: they can't be as closely integrated with the browser as one would like, and they make the whole browsing slower and less responsive because of the proxying overhead.
I have a serious suggestion here: write a program that does this kind of job (based on a config file), by intercepting the browser's (e.g netscape navigator 4.x) calls to libc, using LD_PRELOAD to get itself loaded. the library would basically filter all network related syscalls (select, read, write, connect, close, shutdown, setsockopt), monitor HTTP connections, rewrite headers as appropriate, and decide which requests to allow or not. (think of this as a stop-gap measure; as soon as mozilla is ready, the core of this can be directly integrated in it, without shared lib hackery, and more fine grained things like selective access to javascript functions can be added ; a libc wrapper can't do that cleanly).
as far as I know this hasn't been done yet, with the LD_PRELOAD approach (as opposed to proxies, which are abundant), so I'm definitely going to start work on it myself, probably during xmas break. in the meantime, I want to get the ideas ready (casey-b's domains are a good one), so that when i start coding, i know what to type :)
if anyone else is interested enough, let me know by mail [mailto]... help is always appreciated :)
Enough with the fucking conspiracy theories (Score:2)
Stop trying to break apart their statements and look for hidden sinister intentions here. It's clear they know what we're objecting to, and his statement was meant to try and remove those fears from our minds. There is NO reason to assume that they have, are or ever intend to use the information they've collected for any purpose other than what they've stated.
And I'd be very interested to know what sort of login ID you can glean from a URL that allows you to discover private information like a name or address. That sounds like a pretty piss-poor implementation of something and the maintainers need to be e-mailed.
Your identity is totally meaningless to these people. Your name serves no purpose in their efforts to bill their customers for use of their software. It makes no sense at all for them to ever want to record it, and even if they DID, and managed to sell your identity with a long list of rather questionable web sites (and userID's, whatever else you want to add to the conspiracy theory), SOMEONE WILL FIND OUT ABOUT IT. Things like this don't go undiscovered (look at the long line of YRO articles if you don't believe me). They will be caught and the PR shitstorm that results would leave the company penniless, perhaps even with their owners behind bars. Think about it.
Bonded downloads like bonded cleaning people? (Score:2)
If there were laws to support bonding of visiting software (I mean laws with consequences that can (really, really) NOT be absorbed by the unscrupulous as cost of doing business), then users could choose to lower their risks in a way backed with predictable legal recourse.
Big commercial operations could afford to provide this kind of assurance (assuming they aren't dependent on deception), but there ought to be a way for a small contributor to give assurances too. Open source is great, but I am not sure I have time to inspect all the code myself, especially if you include OS and libraries (;-), so it would be nice to have versions signed by trusted reviewers. Anybody have a list of trusted reviewers? Should they be bonded ?? Paid?
Umm, this wouldn't be illegal. (Score:2)
When I visited the page I was presented with a dialog asking if I wanted to install the component. I explicitly indicated my desire to do so.
Even if it didn't ask me, it would still not be considered illegal. Nobody forced you to visit that web site, and the component is part of the content rendered on that site. If you don't want your browser automatically loading and displaying images or applets, DISABLE THEM. You can do that, you know. You are implicitly allowing them to run as part of your browser's normal operation. To say that this even remotely violates any law is absurd and unfounded. Consult a lawyer before you go off saying something is a criminal offense.
It's like saying, "I only authorized this web page to deliver one paragraph of text to be rendered in my browser, but instead, it caused my browser to render THREE paragraphs of text. Those two paragraphs are UNAUTHORIZED uses of my browser and computer's resources! I want to sue!"
You do realize your web browser itself is guilty of delivering far more trackable information than this little applet, yes? Why aren't you jumping up and down asking for web browsers to be banned?
Re:Tracking (Score:2)
as regards this cursor software thing, i'm amazed to see people saying that "logging someone's list of visited sites" is harmless!
Re:Action (Score:2)
If they really were, they'd be breaking laws and they would have been prosecuted and convicted. This hasn't happened, nor will it, because they aren't breaking any laws.
If you really find the idea of sending an objective ID back to an application's source morally offensive, don't do business with that company. Vote with your pocketbook.
I personally don't see what the fuss is about. Things like this are rather benign and are FAR more numerous than you folks seem to think. The only impact these companies are ever going to have on my life is the continued presence of these YRO articles, since there will never be a shortage of topic material for them if every one of these instances is worthy of a daily YRO red alert.
nothing free? (Score:2)
I might be likely to run a little app if it looked interesting, and I certainly wouldn't expect it to actively track my web surfing
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
No more conspiracies, please, we have quite enough (Score:2)
Why does everything have to be a conspiracy theory with you guys? When something doesn't work is it always because the company responsible is being evil and trying to hide something from you?
Did it ever occur to you that they might have been using a form of JavaScript to load the privacy page? It seems that you're either using an obsolete browser or you've disabled JavaScript for some reason (which is pretty typical of YRO posters I bet).
The privacy policy loaded up just fine for me.
Enough with the lame conspiracy theories.
Anyway... I'm a little appalled that they appear to have tried to hide their privacy agreement, and furthermore, that the CEO's explanation seems incompatible with this information.
The information you quoted was relevant to the information they collect as part of their member signup process. When you sign up to use their software on your web page, you have to give them enough information to create an account from which you can do things like specify settings for their application on your web page. It sounds perfectly logical and reasonable to me.
Thus, it has nothing at all to do with the data sent by their software client.
Web site privacy policies deal with the web sites only, not software delivered or advertised on those sites. That's why they call them "Web site privacy policies."
but the internet already alows it (Score:2)
surely, you're not saying that individuals shouldn't have the ability to block out information they don't want to see. I wouldn't want an internet where I didn't have (however theoretically) control over my packets
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
Re:nothing free? (Score:2)
Yeah, there's lots of cool shareware and freeware out there for Windows, Macs and everything else... But with the advent of the internet, there's become a way that people can use freeware as a marketing ploy... and we get all shocked when they do.
For instance, RealJukebox. Sounded like an awesome piece of software. With its on the fly MP3-ripping, CD playing, etc... there's no guarantee that Real would see anything in return for it, except maybe a bunch of good karma and brownie points. Unfortunately, they messed up and didn't tell anyone what they were doing.
Same as with this cursor thing... If only they'd said...
What's really funny though, is how people defend Id for only taking their video hardware without their knowledge, as if that's okay, but these other two privacy violations are not...
Assumption (Score:2)
Large multi-corporate conspiracies to ruin the lives of CUSTOMERS not only sounds silly, but it doesn't sound like it's in the best interests of the companies themselves.
Think about this for a bit. If a company did start handing your personal information over (going against their posted privacy policies and likely breaking laws in the process), this would almost *certainly* be discovered. The resulting PR shitstorm would put both companies out of business, and depending on what they did with this information, the owners/CEO's would likely be in prison.
I'm not saying companies don't break the law occasionally, but you'll find few companies that are willing to risk felony convictions, bankruptcy, a tremendous amount of negative PR, and alienating and destroying the lives of the very customers that are giving them money in the first place. All for a marginal amount of marketing revenue.
It just doesn't make good business sense.
Re:Interesting issue (Score:2)
Re:Accidental infringement (Score:2)
Who said this was based on hardware? I was under the impression this was a simple ID number handed out to requesting clients.
The programmer(s) needed a way to generate auditable information in order to bill their customers. They could have done this by IP address, but that would have masqueraded lots of people behind a single proxy IP while duplicating the roamings of a single user getting multiple dynamic IP addresses, so it was determined that a single ID would be needed to get an accurate usage count. The programmer(s) probably just didn't think it would be a big deal (and I still don't). It sounds perfectly logical and doesn't require an evil conspiracy.
The information they are gathering may seem to be benign, but its just another step towards making us all akin to tagged animals in the wild, tracking and analyzing our every move.
It's this attitude among YRO posters that I despise the most. Do you have any idea how many people and organizations out there are exactly 1 step away from your little conclusion there? I run a number of web servers where, if I so desired, I could pump the access logs through a system, collect access logs from my fellow conspirators, ad infinitum and get enough information to destroy the lives of countless thousands of people. Am I suddenly an evil conspirator with the rest of the evil corporations and governments? We'd have to lock up half of the planet if this is how you're defining 'evil'.
The technology is there, but you should NEVER judge a company based on what they are THEORETICALLY capable of doing. Instead, you should be judging them on what they ARE and ARE NOT doing, and their reasons behind it.
IPs (Score:2)
Except I hardly ever use search engines any more, Just Yahoo, if I'm looking for a particular topic. Maybe altavista in the rare case I need a particular string. With this, though *one* company knows *all* your surfing habits, not just that you looked up x86 assembly coding on Yahoo last june, or you looked for the string 'netbus 17' on altavista.
I suppose it might matter for those that use searches a lot, But I do think that this is a little different. esp since they tried to do it covertly (unlike the q3a thing)
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
Not quite (Score:2)
In other words, CmndrTaco knows everything I do on slashdot, but he doesn't know what I do elsewhere. With this software, the 'comet' people know what you do on over 60k sites. (although, this isn't really that different than what doubleclick is capable of)
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
Re:Enough with the fucking conspiracy theories (Score:2)
A list saying "Cursor UserID 12345 visited sites http://abc.com and http://xyz.org"?
Potentially, yes.
There is NO WAY to correlate this information with any other bit of information without all of the member web sites being in on the conspiracy and coughing up their access logs in real time, and even then, proxy servers and dynamic IP addressing would render this data virtually unusable
Uh... No.
First off, it would only require one site to give out logs and user information in order to determine with reasonable certainty the identity of any users who visit more than once. Multiple sites would let you get anyone who visited more than one, even if they only go once to each. (User 12345 visited site X at times Y and Z. Joe Schmoe is the only person who visited X at both of those times. Now let's see what else Joe/User 12345 has been up to...)
Secondly, the logs wouldn't be needed in real time. After-the-fact analysis would work just as well. (Probably better, since you need to correlate multiple web site visits.)
And, finally, dynamic IP addressing and proxies don't matter because this doesn't use your IP address. It correlates a Comet-assigned serial number with one or more user accounts on a site that exchanges data with Comet.
Personally, I don't think they're doing this. My point is just that they could. And it wouldn't be that difficult.
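The narrowing-down argument in this comment can be measured directly as an anonymity-set size: how many accounts on one site remain consistent with everything a serial number was seen doing there. The following is an added example, not part of the original comment; both logs, the 30-second matching window and all names are constructed assumptions.

```python
"""Measure how identifying a tracker serial number is against one site's log."""
from datetime import datetime, timedelta

# Constructed tracker-side log: (serial, site, time the serial was reported).
TRACKER_LOG = [
    ("12345", "x.example", "1999-11-29 10:00:05"),
    ("12345", "x.example", "1999-11-30 21:14:40"),
    ("67890", "x.example", "1999-11-29 10:00:20"),
]

# Constructed log kept by the single site x.example: (account, request time).
SITE_LOG = [
    ("joe", "1999-11-29 10:00:03"),
    ("ann", "1999-11-29 10:00:18"),
    ("bob", "1999-11-29 10:00:30"),
    ("joe", "1999-11-30 21:14:38"),
    ("ann", "1999-11-30 09:00:00"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def candidate_accounts(tracker_log, site, site_log, window_s=30):
    """Map each serial to the accounts active near every one of its sightings.

    The result for a serial is its anonymity set on that site: the accounts
    that cannot be ruled out. No IP address is involved at any point.
    """
    window = timedelta(seconds=window_s)
    visits = [(acct, _ts(t)) for acct, t in site_log]
    result = {}
    for serial, seen_site, t in tracker_log:
        if seen_site != site:
            continue
        when = _ts(t)
        nearby = {acct for acct, at in visits if abs(at - when) <= window}
        # Each further sighting can only shrink the set of matching accounts.
        result[serial] = result[serial] & nearby if serial in result else nearby
    return {serial: sorted(accts) for serial, accts in result.items()}


def reidentified(candidates):
    """Serials whose anonymity set has collapsed to a single account."""
    return {s: accts[0] for s, accts in candidates.items() if len(accts) == 1}


if __name__ == "__main__":
    sets = candidate_accounts(TRACKER_LOG, "x.example", SITE_LOG)
    for serial, accts in sets.items():
        print(serial, "anonymity set:", accts)
    print("re-identified:", reidentified(sets))
```

The serial seen once still hides among three accounts, while the one seen twice is down to a single account, which is why a persistent serial number is pseudonymous rather than anonymous.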
Re:why dont they make it against the law? (Score:2)
Just a quick question. (Score:2)
There's no Linux version, so only people who are on Win9x or Mac were affected. Under Win9x, I've never seen one of these popups in the browser I use (Opera), although I get them in Linux (using Netscape). But even not having been directly affected by this, it makes you wonder. What exactly was that flash of the modem/NIC tx/rx lights for? Was it some closed-source app that is designed to work with an internet connection (IE 5.0, Real Player, Comet Cursor, etc) that can just go ahead and give away privacy information?
Don't use closed source if possible. If you have to, limit it, and make sure you have a firewall that blocks things going in and things going out.
---
Re:Why isnt this considered a Trojan Horse.... (Score:2)
If you use such a loose definition of 'trojan', the vast majority of software in use today would be classified as such.
Did you know your web browser sends not only its own browser version (complete with a description of your operating system) but the URL of the web page whose link you just followed to get there? Nowhere in the browser's documentation does it say it's going to do this, and I was never asked. Is it a trojan?
No, of course not.
Calling people kiddies is acting like a kiddie yourself. Grow up.
I wasn't calling you a kiddie. I was referring to the class of Slashdot poster that makes knee-jerk posts, responses and tends to bring the average IQ down a few dozen points. Stop taking these things so personally. I wasn't talking about you, unless you fit this profile, but that's out of the scope of this thread.
Its called degree. (Score:2)
there is a huge difference between what Id did, and what these people did, if you can't see that, then there is really something wrong with you. Is there a difference between a guy who grows pot in his back yard for him and a few friends, and a guy who runs a Crystal Meth lab, and poisons hundreds of people? well, yes.
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
Re:No more conspiracies, please, we have quite eno (Score:2)
What line?
The source code for the privacy link is as follows:
<a href="#" onClick='window.open("privacy.asp","","width=600,
If you had JavaScript disabled or were using a browser that didn't support it, the above would be equivalent to <a href="#">, which is simply a no-op link (perhaps reloading the same page).
In any event, this is the same link that's been there all day. I read the privacy statement some 10 minutes before you wrote your comment, and I tried it again when I read your comment, and it functioned the same both times.
If your browser is normal and the link didn't work for you one moment, but did the next, then I don't know what to tell you. Either your browser is buggy or you're right in that they were having problems with their site. I can't imagine any reason they would want to hide their privacy statement from people, though. There was nothing about it that put them in a bad light at all.
I do however despise spam with all my heart and soul. This company appears to make money through "direct marketing", or spamming people.
They make their money by putting a little advertising banner on web sites that use their Cursor code. Spam? Hardly. They do send out e-mails, however. Their privacy policy has this to say about it:
This seems like a fairly standard way for a company to act with respects to your e-mail address. I don't think this qualifies as spam in the least. They make you completely aware of what they're doing and always give you the option to refuse. What is the big deal here?
I'm angry because you've chosen to associate me with the conspiracy theorists.
I was annoyed that you jumped to the conclusion that they were Yet Another Evil Company based on the fact that it *looked* like they were trying to hide their privacy policies from everyone, which simply doesn't make any sense. Just because 'malice' is one possible explanation doesn't mean it's the correct one. In this case, it isn't even the logical explanation.
I'm sorry if my post came out sounding bitter -- I've written a dozen or two messages in this thread trying to combat the conspiracy theories that permeate most every YRO article, and some of these posts just get really moronic and I lose my patience. Sorry if that was the case here.
Re:Assumption (Score:2)
Classic YRO material (FUD?).
I'm not even going to begin to try to respond to this one...
you're calling him a hypocrite? (Score:2)
But really, you're *obviously* uninformed. Not only did you not read the story, you didn't even read the little blurb fully! And yet, when someone calls you on it, you insult them!
That's classic. And by the way, anyone reading your post will think you're an idiot, whether or not the ideas are valid or not. If you don't even know who the story's about, how can we expect you to have any clue as to the implications of what's going on?
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
quake3 (Score:2)
--
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
Re:Executing pedestrians - accusing them of murder (Score:2)
I'm reminded of a quotation by Benjamin Franklin: "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
If we value our rights, then those rights must be vigorously and unyieldingly defended. If we give in a little now, then we have eroded the foundation on which our liberty stands, and it becomes easier to give in again tomorrow, and the day after tomorrow.
History has shown, again and again, that little injustices if tolerated, lead to greater and greater injustices. Take World War II as an extreme example.
What we've seen so far is only the start. Without vigorous resistance now to violations of privacy, our right to privacy may disappear overnight. In this case, the line is very clear: software must not covertly send back data to their companies. Anything else is unacceptable.
Re:This is far more worrying than id's thing (Score:2)
Oh, D'oh!
Re:Its called degree. (Score:2)
It's true that Id did take the time to mention what they were doing in a form of techie jargon that some people might even understand, but they didn't really ask for consent. It's kind of like if your next Visa bill included a notice in finest legal-font that said that, unless you called them immediately, they would be free to come to your house and have a look around.
Unless people start viewing the contents of their computer as their own property, companies like Comet will be sure to come along and take what you want to keep private.