Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Internet Your Rights Online

Cursor Software Tracks You On Web 312

fabrini writes "That cute little animated Comet Cursor, that some websites try to send you when you visit their site, is actually doing more than impressing the kids. It's also tracking your activity on over 60,000 websites using a unique serial number -- and all without asking. "
This discussion has been archived. No new comments can be posted.

Cursor Software Tracks You On Web

Comments Filter:
  • When will these people learn? I hope they are expecting a HUGE backlash from the community!
  • by SuperguyA1 ( 90398 ) on Tuesday November 30, 1999 @05:02AM (#1493316) Homepage
    For any lawyers out there, is there a reasonable basis for legal action if these accusations are true? Maybe it's time we did more than just complain and flame about it?
  • I honestly believe that they think everyone is a complete and total moron and just won't find out about crap like this.

    Either that, or they really WANT people to hate them.

  • I agree. If companies don't learn from the community backlash, then maybe a harsher lesson is needed.
  • We really need to get a group together that specialized in detecting this kind of activity. You know that it's going to get harder to detect this kind of activity as the network evolves.

    Airgap baby. It's the only way we can be sure.
  • by Nodatadj ( 28279 ) on Tuesday November 30, 1999 @05:04AM (#1493321) Journal
    They say they don't use it,
    So why do they waste bandwidth/storage space collecting it?

    Slowly closed source software is shooting itself in the foot with all these "trojans" that they add, but that they "don't use for any purpose". They'll soon not be able to use the security through obscurity catch phrase.

    Maybe Open source software should use "Privacy though visibility" as a counterattack.

    iain
  • IMHO, this is yet another of those cases were someone implemented a nifty feature without thinking it through. What we have here is a company that can, with some effort, find out what a person is doing. at the moment, all they know is that someone, somewhere, visited a certain number of sites.
    There's be the inevitable massive calls for boycotting, and (as tends to be the case), this will be an overreaction. I'm happy with Comet's response, and I don't think this is a reason to hang them out to dry.
  • I'd be surprised if a company with this intent didn't include a juicy disclaimer in their EULA, permitting them to do anything they damn well please.

    Then again, there is a practical use for this: I'd love to know the sites that people with Garfield cursors hang out at, just so I can avoid them.

    ---

  • Where will it end? All major players in this business have proven not to be trustworthy regarding their software's big mouth.

    Or we have to plug a sniffer in every IP-stack we use, or we have to move to software (and companies) we can trust.

    I believe choosing for open-source software gives you (and the providing company) a trust relationship. You trust the software because you can check it, because you get the actual code.

    Do you want big brother to watch you? Do you want the tiny little bros. watching your every step? I don't think so...


  • Am I the only person who has never heard of this software before?

    Comment ended due to lack of information.

  • to have programs that install but do not inform
    the person that the program they are installing
    will be sending *anything* over the network
    that might entail privacy and/or security?

    this way, when we DO find out that these morons
    are using their fun little programs to track us,
    they get a nice stiff fine from the gov't ?

    ( start conspiracy_theory )

    or *maybe* the gov't is using companies like this as a smokescreen to watch all of us ;)

    ( end conspiracy theory )
  • by Anonymous Coward
    Can someone explain the difference between what they are doing and what cookies can be used for?

    As for what they are doing: it doesn't seem all that bad. Slashdot appears to have gone into a paranoid they're-watching-us mode at the moment (i.e., loads of articles about tracking, NSA, encryption, privacy.... I'm not saying they're not important, just that some are seemingly redundant and the same arguments get trolled out over n over again. Why don't they just allow users to have a list of articles on eff.org or whoever deals with privacy issues, like you can do with bbc/science etc in the custom boxes).

    Just my £0.02

  • by Enoch Root ( 57473 ) on Tuesday November 30, 1999 @05:14AM (#1493331)
    (Sorry; couldn't resist the title.)

    Fact of the matter is, the only thing this company needs is exactly what they gather: your Web habits.

    They're trying to defend themselves by saying they're not actually collecting your name or address, but that's not like this information matters to them.

    Working for an e-commerce company, I can tell you what they want: they want list of clients. They want to know exactly what kind of people use their software. They want to target their publicity more closely.

    If you ask me, it's BS when they say they're not actually using the info they collect. This information is invaluable to advertising companies, and knowing where everyone goes from your site on is the Holy Grail of target advertising on the Web. Many companies focus solely on providing companies with 'client lists'.

    So it's BS when the PR guys say it's harmless. Fact of the matter is, they're doing it without asking permission.

    Here's a little gem from the article:

    The campaign Web site for Vice President Al Gore removed support for the technology Monday, citing privacy concerns.

    ``To the best of the Gore campaign's knowledge, no personally identifiable information was divulged,'' spokesman Chris Lehane said. ``But even this very benign data collection doesn't meet the Gore campaign privacy standards.''

    Wow. I know people tend to pick on Gore for that misquoted bit about inventing the Internet, but that's very fair of him. I thought we were the only ones (we being geeks) throwing a temper tantrum about privacy on the net. Way to go. Too bad I'm Canadian, eh? :)

  • is why people who use this software are not infuriated by it. now maybe they just dont know, but personaly if i knew that some company was making money by selling my browsing patterns i would want a cut of their profits. After all i never did sign up for this. I am not sure about the laws regarding telemarketing but dont telemarketers have to at least let the people know that they are taking part in a survey or whatever? I believe they do, and i think this company should be held to the same standards. Is it too much to ask for a little pop-up that briefly explains the products purpose?

    "The importance of using technology in the right way has never been more clear." [microsoft.com]
  • "There's not a lot of reason to crunch that data because I don't see that it's in anyone's economic interests. We're stating for the record that we don't do that and we never will.''

    Not in anyone's economic interests? Let's see: Joe X (referenced distinctly by his serial number) goes to this Britney Spears site, then the Disney site, then Yahoo, then CNN, etc. I'm sure many companies would be interested to know where people are actually visiting for advertising and marketing purposes, let alone for forming "strategic partnerships" with related sites. Although I know Yahoo, CNN, etc. don't use Comet, the potential does exist for the plugin to be used for these purposes.

    Not knowing anything about the face behind the serial number isn't anything detrimental, in fact it's important because it's with that anonymity they claim they aren't doing anything wrong. Whether or not you know who I am doesn't make a lick of difference, you're still taking my information (essentially, my web browser history in progress).


    Pablo Nevares, "the freshmaker".
  • Websites routinely store the IP addresses of their visitors for many different reasons. You can use it to generate stats for your site--how many unique visitors there are, what country are they from, how often they revisit, etc. You can use it as a unique ID for your users to prevent other users from impersonating them. You can use it to determine if someone is routinely attempting to cause harm to your site and then ban their IP address from visiting again. You can use it to determine the actual identity of someone who has caused serious harm to your site so that you can report them to legal authorities.

    I wouldn't be surprised if Slashdot stores our IP address in our user profile.

    This is common practice, but I've never heard of people getting upset about this. Why?

  • After the (imo) stupid outcry about id's vid card monitoring, I hope that those who complained will realise that there are far more worrying things out there.
  • by MacJedi ( 173 )

    I feel like I have been reading alot about this type of thing lately. It seems like everything is trojened: realplayer and even quake (although in this case it was disclosed) and others that I likely don't remember. I think it is the time for grassroots action.

    Does anyone know of some organizations already set-up to address these issues?

  • I am not a lawyer, but it looks to me as if grounds exist for a criminal prosecution of this company in the UK.

    What laws are they breaking?

    For starters, there's the Data Protection Act (amended 1998). This requires all databases to be registered, along with a list of their structure, so that people upon whom information is held can serve a data disclosure notice on the database owners and find out what is being said about them. I believe there's also a requirement to notify the subjects that information about them is being stored.

    (Violation: up to two years in prison and a honking great fine, although it's very rare for infractions to get as far as a prosecution.)

    Next: Computer Misuse Act (1994). This act has teeth -- it was introduced as an anti-hacking measure and it would seem that if they're tampering with or using a computer in the UK for any purpose without the consent of the owner they could be liable for five years as a guest in one of Her Majesty's hotels. It is a criminal offense to run software on a computer without the owner's permission, or to cause software to be run (ditto), or indeed to do anything with a computer without permission from its owner. Oh, and you can be guilty even if you're not in the UK (but meddling with a UK-based computer), or if the computer's not in the UK (but you are).

    Finally there's the EU declaration of human rights which, implemented in law, has an explicit right of privacy. The EU recently disseminated some directives on data security -- specifically banning the export of personal information from jurisdictions with strict privacy laws to other jurisdictions with weaker protection -- that means this company is violating the law, right across the EU.

    Class action lawsuit, anybody?

  • But we never WILL do anything, we'll bitch and flame and maybe even start a working group (I hate that term, but it fits), but we'll never actually do anything about it. When it is seen that we don't, then techniques such as this will get more widespread. It sux, but that's the way it goes. I mean, what are they using this for? Do they look at your config (to get your email addy), then spam you with "relevant" stuff, based on the sites you visit?

    I imagine though, that this could class as "Stalking" or "Harrasment" in many countries, simpoly becuase you are being "followed"... Any legal-type people able to comment on this?

    Oh, if you want to beat them at their own game...
    Alladvantage [alladvantage.com] pay you (a small fee) to surf, in return they gather data about your surfing habits. You don't get spammed or anything, and I personally think it's pretty cool! Oh, if you sign up, put "GGZ 549" as your referer :) (blatant plug, I know, I know....)

    Mong.

    * Paul Madley ...Student, Artist, Techie - Geek *
  • You get what you pay for in most cases. [Open Source not included. I don't want to don an abestos suit today.] I'm pretty sure they would have to have had something in their EULA. Simply put, almost no company gives away a product without getting something out of it. All in all, if the only place Comet mentioned their real purpose was in the EULA, that was pretty sneaky. I bet they have piled up a ton of data. Considering about 80% of the people who downloaded these cursors probably don't read tech news, they will probably be able to continue reaping the data.
  • by account_deleted ( 4530225 ) on Tuesday November 30, 1999 @05:21AM (#1493343)
    Comment removed based on user account deletion
  • I year or few ago I saw some report on TV or read somewhere about this Comet Cursor startup company. They made it out as if the idea of having a custom cursor was some sort of amazing and ingenious thing, and that it was cool. I didn't really see the point and thought it was just plain stupid (yeah, I'm Mr. Joe consumer, I am SO impressed that your site made my cursor into some stupid animation...yay, let me buy your product).
  • why don't these companies just ask permission up front? I find it really tiresome to listen to them say that it's justifiable to discretely get any information from me they want because it makes their jobs easier or increases the potential profit they can make.
  • by Tridus ( 79566 ) on Tuesday November 30, 1999 @05:23AM (#1493346) Homepage
    Probably the best thing going for Open Source right now is that the "normal" software companies are shooting themselves in the foot with all this nonsense. I mean really... I *like* certain Microsoft products (flame away), and can't really be considered an advocate of Open Source at all.

    But the more of these kinds of cases pile up, they slowly change my mind. I look down at my System Tray right now and wonder just how many of those programs are sending information back to the company about what I do. I wonder what else they're doing. This was never a problem a couple of years ago.

    Can we really trust anything that big software companies put out at this point? Time and time again they have proven that self-regulation doesn't work. They've proven they can't be trusted to make software with privacy or security in mind. For that matter, it seems that many of them can't even be trusted to make high quality software at all. (all the bug laiden games out there come to mind... most notably SiN and the 18MB patch required to make it run at all straight out of the box)

    If we have any software developers and/or PR people who work for software companies, can you please explain to me how anyone can ever trust anything you put out ever again? Please don't use the "well we don't use the information we collect" lame execuse, I'm not falling for it. Why would you collect it at all if you don't intend to use it? You shouldn't be collecing it at all, you don't have any right to. I want an audio player that *gasp* plays audio! I don't want it monitoring me, if I wanted that I'd install a monitoring program.
  • 1.) There is no such thing as unsupectible and harmless software.
    2.) Never underestimate the creativeness of professional data-collectors.
    3.) Don't let your kids use your computer unsupervised or at last make sure they are not able to install anything.

    Ciao, Peter
  • I agree that "we don't know you're name, so it's okay to spy on you" is a pathetically weak excuse. By that argument, a camera in the changing-room is acceptable. dp
  • I agree that "we don't know you're name, so it's okay to spy on you" is a pathetically weak excuse. By that argument, a camera in the changing-room is acceptable.

    dp

  • by Anonymous Coward
    Actually, I'm _glad_ that Slashdot is bringing these things up.

    I use Slashdot as my tech news source, and this sort of issue is very important to me.

    ...AC. (no, not _THE_ AC. just a random AC)

  • cookies were created so that a particular web site could tell wether you have been to their site before. this is especially important if the web site is customizable for each client. cookies allow for the data regarding a web site to be saved on your computer and used later to reconstruct the appearance of a web site based on your preferences. cookies are also safe because no code ever gets executed from them. now this program differs from cookies in that it looks at cookies and other web pages you visit, records this information and sends it back to their servers. this info is recorded and sold to company XYZ for a large sum of money. company XYZ uses this information and places banner ads on the web sites most visited by their target crowd. they also do statistical analysis of the data to determine consumer trends based on consumer profiles so they can estimate where they can best advertise. after all marketing is what is key to selling any product.

    now I know that the company said they were not doing this but i do not believe it. there is no other reason why they would gather this type of information. it seems their only mistake is not telling people about it, and the blatant confusion and obscurity over the programs true purpose.

    i have no problem with the program, but i do have a problem with their obscure distribution tactics.

    "The importance of using technology in the right way has never been more clear." [microsoft.com]
  • Why doesn't *who* make it against the law? California? The U.S.? The E.U.? Why is it the first reation people have to something perceived as bad is to 'make a law' against it? Do you really think that the government will help the process?

    Isn't this a geek 'zine? Maybe we should write some code to inform users of connectivity being made on their behalf, and allow them to drop it. This could kick those doubleclick banner ads in the *ss too!
  • I understood that they meant they were not cross-indexing this
    information to find out what peoples names and addresse are. A little
    bit disingenuous to say `they don't see that it is in anyones economic
    interest to do so': there is no doubt that efforts like these are
    making it easy for people who do want to do such cross-indexing easy.

    I don't see that open source vs. closed source is an issue here: it is
    quite easy to provide unintelligible open source to satisfy any formal
    `visibility' requirement.

  • They do care, becasue if enough people get angry, then sites using this software will be boycotted and they lose money, the all holy dollar. Anyway, in this case, although I think they are wrong, i also believe THEY honestly thought they were doing nothing wrong. think about it, yes they are invading privacy, but they are doing it, as far as they can see, the same way a cookie would. To them they are gathering no private info, just simple stats. i think they went about it the wrong weay, but they, for a change, were not being evil, just stupid.
  • The server you're visiting stores your IP, obviously because you're giving it to them when you request a page - but for instance, MS doesn't program IE to send your IP to them (right? =)

    The problem is with taking our information (however minimal) without our consent.


    Pablo Nevares, "the freshmaker".
  • This may be (and is the case) here in the UK, but what if it is a non-UK company holding the database outside the juristiction of our laws. We are no loger protected by them. What we need is an international agreement on privacy. Although there is the EU declaration, this only holds in the EU. Our privacy can be and is invaded from outside, and there is little we can do about it.
  • I think this is relatively harmless for a couple of reasons. First, at least in my case, I don't visit very many web sites that use the comet cursor. Unless I missed something, it can only track what you're doing on sites that use the cursor. I may have misread that, though.

    Secondly, the information they're collecting seems to be fairly harmless. I don't know how malicious they could be with it if they want.

    Frankly, the thing that worries me is the fact that I have a static IP and hostname. Every site I visit no doubt stores that. I suppose that, in a way, that's less dangerous, because they don't get any sort of picture of what I'm doing, just that I've visited them. But still, it kind of makes my skin crawl.

    And now I'll prepare to get flamed. I don't think that comments about the "closed source community" are incredibly appropriate here. Since I haven't seen any sort of open source competition for the comet cursor (which is slightly nifty, in a really dorky way), I don't think that there is any reason to use this as an opportunity to rip on closed source.

  • by victim ( 30647 ) on Tuesday November 30, 1999 @05:34AM (#1493363)
    Quoting from the article...
    ``We don't know your gender, your age or anything except you're a Web browser visiting sites,'' Comet spokesman Ben Austin said. ``There's not a lot of reason to crunch that data because I don't see that it's in anyone's economic interests. We're stating for the record that
    we don't do that and we never will.''
    Ok, Comet won't do the correlation analysis, but then they don't have enough information to successfully correlate either. I'd feel much better if they promised not to sell their information to others. The large market analysis firms are the ones that will do the correlation.

    Consider what you get if you buy the access logs for a bunch of web sites (some with login ids that can be tracked to house addresses, maybe from shipping information) and then add user tracker data like Comet that can identify a user between web sites. You can now track the user's access patterns across all the web sites, even those where he was anonymous.

    This isn't anything too new, the banner ad companies do this already.

  • From what I understand, this silly cursor is just a Trojan horse aimed at user's privacy. What would be the point of the company otherwise? Their business is just based on this invasion of privacy. And BTW, their claim that they can't link to a single user is ridiculous: it just takes one filled up form asking for your email address in any of the 60'000 using, et voilà! you are tracked, welcome to big brother!!!

    Any web developer can undertand that. It's so fucking simple to do, just the fact that they claim it 'impossible' is an insult.

    http://www.oneofthesites.com/subscribe.cgi?email=c mdrtaco%40slashdot.org SELECT id FROM bigbrother where email like 'cmdrtaco@slashdot.org'
    IF DEFINED(id) THEN
    INSERT INTO bigbrother (email,sexual_orientation, age, crimescommitted, numberofpornbannerclickthrough, hasreceivednicescientologyleaflet)
    VALUES ( -- edited for brievety
    ELSE IF sexual_orientation = 'perverthomo' THEN
    send_blackmail_asking_for_money()
    ENDIF
    ENDIF

    --

  • by tweek ( 18111 ) on Tuesday November 30, 1999 @05:41AM (#1493367) Homepage Journal
    I just attempted to load cometzone's [cometzone.com] web site and it doesn't allow you to unless you allow cookies. God I love junkbuster. The sad thing is I find this to be more and more of an issue. Why do they need to store a cookie for me to load the page? Admittedly they can do whatever they want with the website but I find this just plain stupid.

    On a positive note,
    I recently went to Axent's [axent.com] site to do some research on their products and foudn that I couldn't view any product information unless I allowed cookies. I thought this was plain stupid and I emailed the webmaster regarding it. Below is the QUICK response from the webmaster at Axent. He was honest and shared more information than he needed to share ( he didn't even have to redspond ). I wish more companies had this attitude. My response back was that since I couldn't find a privacy statement, I wasn't planning on allowing the cookies because I wasn't sure of their purpose. He was a nice guy none the less.
    Here's the email:

    Subject:
    RE: Feedback
    Date:
    Mon, 29 Nov 1999 11:03:48 -0500
    From:
    Tony Stephens
    To:
    "'jvincent@qa.butler.com'"




    You will not receive any unsolicited information from us. Thanks for the
    heads-up on the feedback page. You are right, it shouldn't say "Submit
    Registration". As for the cookies, we have moved to a dynamic, data-driven
    site powered by Mainspan. I'm not 100% sure what the cookies are for (I'm
    real new at this job, still learning the site...no excuse, but a minor
    explanation for my lack of a real explanation) but I'm assuming that they
    are to allow the server to track (during the session only) your documents
    and allow faster access to the ones you access. It's a variable called
    "DocsActiveForUser". Again, I believe that this is what it is for. I will
    look into this further. I agree with you in the fact that for the public
    site, it shouldn't be cookies, but rather session variables. But I'm sure
    it's for the purpose of providing you the information you want
    faster...allowing you to kind-of 'keep track' of the documents you have
    accessed. I assure you its not for any tracking or informational gathering
    uses of ours.

    Thanks.
    Tony Stephens
    Webmaster
    AXENT Technologies, Inc.
    2400 Research Blvd. #200
    p: 301.670.3644
    e: tstephens@axent.com
    e: webmaster@axent.com
    w: www.axent.com


    -----Original Message-----
    From: jvincent@qa.butler.com [mailto:jvincent@qa.butler.com]
    Sent: Monday, November 29, 1999 9:09 AM
    To: webmaster@axent.com
    Subject: Feedback


    Name: John E. Vincent
    Phone:
    Email: jvincent@qa.butler.com
    PageLocation: Products
    Feedback: I was browsing your site and noticed that to get information, my
    browser has to accept cookies. Please provide me with a good reason that a
    security company requires a cookie with an invalid expiration date to allow
    me access to the most basic of information about your products. I notice
    your submit button says "Submit Registrion". This also serves to say that I
    am not registering for anything. I don not want any unsolicited email from
    your company other than a response to my question. John E. Vincent Network
    Administrator BTSQA





  • I am unconcerned by Slashdot (or anyone else, for that matter) recording my IP address because that information does not snoop my browsing habits, nor invade my privacy.

    Think of IP logging as analogous to Caller ID: If I call your telephone, you have, IMHO, an inherent right to know who I am.

    However, if you twiddle my phone so that when I call YOU it tells you about everyone ELSE I have called, that's invading my privacy. The critical distinction here is the collection of data on my interactions with third parties.

    Of course, if a million Web site operators all pooled their IP logs, that would achieve the same result as Comet's dirty trick, but then the public at large would perceive a massive, evil conspiracy, it would make the 6 o'clock news, and they'd be stomped on by the law and public ire.

    Hmmm, perhaps not such a bad idea here, either...
  • Hahahah notice the "Security Info" button as well.

    "we value your security and privacy" =P BS
  • Thing is, it would be easy to achieve their stated goals (count of unique visitors to a site) without raising the same privacy concerns.

    Certainly each customer (that is, website with the cursor-changing support) has a serial number as well. Call this number "C", and call the serial number of the user whose cursor is changed "U". Instead of reporting the pair (C,U) to headquarters, simply report the pair (C,f(C,U)), where f is some one-way hash function. (e.g. MD5)

    The information they (say they) want to collect is still collected, and yet it is impossible to do the correlation activity that privacy people are concerned about.

    I agree, though, that it seems like someone just didn't think it through. Much as programmers need to be re-educated to think intelligently about security, it appears that privacy concerns need to be addressed similarly.
  • by Gurlia ( 110988 ) on Tuesday November 30, 1999 @05:44AM (#1493373)

    With the current, disturbing trends towards the invasion of privacy by companies, I think I will never ever use anything but Open Source software anymore. This is really getting too far -- OK, fine, so this software "only" transmits a log of your web surfing to Comet, under the guise of displaying a cute cursor. How do you know one day somebody won't come up with something malicious?! How do you know that the next cute-cursor software you got from somewhere doesn't start transmitting files on your hard drive to some company? This may be paranoid, but I see this as a very likely possibility, given the current trend of increasing infringement of privacy by corporate entities. Gives a totally new meaning to "trojan horse".

    At least if you only use Open Source software, there is always source code for you to double-check, to make sure that this piece of code you're going to run isn't going to transmit private files from your home directory to some company out there.

    But, to go one step further, I'd say that even Open Source in itself may not be sufficient to prevent such kinds of exploits. Take any typical Linux system, for example. How many of us actually read the source code for all the software that we run?? How many sources can we read before exhausting our patience, and just say "forget it, let's just run this thing."? Of course, the redeeming thing is that if the source base is polluted with some bad code, the maintainer of the code would find out about it pretty quickly. But still, when Open Source becomes more and more widely adopted, there's a possibility that such things get overlooked.

    Sounds like privacy is over. Would we just sit here and allow this to happen?

  • Sure, but do you stop persecuting thieves because there are murderers?
  • by GhostCoder ( 108387 ) on Tuesday November 30, 1999 @05:47AM (#1493376)
    They do use it. They just don't use it to track people. From what I gather from the article, the Comet people use this serial number to charge it's customers (some of the people that use the software on their site). It's one of their methods for efficiently and accurately tracking this particular stream of revenue.

    In addition they imght use some of it to do marketing research (although it is neither mentioned nor implied which means they might or they might not). The same things all those banner ads do. You want to worry about privacy? There's the motherlode of your personal viewing habits being sent across the internet - all corresponding nicely to your machine (IP), your e-mail (if your browser sends it - unlikely but possible), uniquely identifying your machine (via cookies unless you delete/disable them), and much more.

    However most of this doesn't bother me. Quake 3 sending my GL_RENDERER string? *shrug* Mr Comet Cursor thingy senging a list of websites I visit that use the cursor (considering I've seen that cursor maybe once - EVER)? *shrug* All of this is benign information. Do I care that Carmack knows that someone out there (at IP # blah - if he even stores that data) is running version 1.09 and has a TNT2 Ultra? Or that Sir Cursor Changer knows someone (again, possible from my IP if they
    bother to store it) visited some web site?

    Now: Send my SSN or CCN or Home Phone across the web without my permission?! Thats in the interest of 'My Rights Online.'

    Here's what SHOULD be done: Any app or web site that sends data back to its creators should register with a security watchdog organization such as TRUSTe. They should document their procedures and what they store and what could potentially be stored with out a change on the client end (i.e. modifying the server to collect IP addresses). People can then get full disclosure on issues. Random and directed (in case of dispute) audits can be performed at the watchdog ageny's discretion. If you think that Carmack is privately planning world domination based on the distribution of 3dfx chips in the world, you can complain to the appropriate agency.

    Most of the 'Your Rights Online' articles have been, IMO, non-issues, this one included. People say "If we let them do this then they will keep going until they send our entire lives back!" No. If someone starts sending back e-mail addresses without permission or other very private information THEN we start boycotting and raising hell. Until then just relax, vote with your dollar, send polite e-mails if you don't agree with something and just deal with the larger issues.

    And just think how much information CmdrTaco has collected from you. :) No one is safe.
  • "No remote images"

    Hmmm.. So much for all the sites like /. that use another server for images.

    Technical solutions are rarely suitable to these kinds of problems. The only reason that this sort of thing happens is because of the inherent openness and flexibility of the net. That flexibility makes it very hard to pin down a weakness and plug it. There is no design weakness here - merely an unfortunate usage.

    Personally I'd far rather have an Internet that provided no technological means for me to stop this sort of thing, than an Internet that was restrictive and full of rules and regulations.
  • What are you going to sue for? How have you been damaged by this?
  • For those of you asking what their Web address is...

    http://www.cometsystems.com/ [cometsystems.com]

    And here's a link to help get rid of the Comet Cursor program. It's from the Comet Cursor people, but it probably does what it claims to. I think this is just a case of stupidity, not eeevil.

    http://www.cometsystems.com/down load/cleaner.shtml [cometsystems.com]

  • They keep doing it because there hasn't been a real backlash yet. A few hundred people bitching on one web site (Slashdot) doesn't mean much. In order to get companies to sit up and take notice will involve lots and lots of media exposure, in front of millions of people.


    ...phil
  • Thanks. Another site to add to the 'absolutely forbidden' list in my firewall.


    ...phil
  • Read old Slashdot on cookies and banner ads.

    Cookie "security" relies on cookies not being shared between servers. For a simple site, this works fine. When banner ad companies sell banners to many sites, then a loophole has opened whereby they can see cookies that were placed there by many sites that share the same banner servers. As banner servers are near monopoly industries, then that's a big source of cross-tracking data.

    The fix is obvious, but it needs to be done in the browsers (or by a filter near to the browser).

    Hacking obscure browser loopholes just isn't worth it for commercially honest (sic) data capture. There's not enough good data to be had that way(If you still use Mosaic on an Amiga with an unpatched ActiveX hole, then I doubt that you'd buy my product anyway). Illegal cracking (stealing credit card info etc.) is maybe worth looking for obscure browser holes, but market research is by its very nature a mass-market task.

  • Personally, I don't think that the "feature" they put in their software is a great sin. It collects information which they need to get paid for their efforts (even if /I/ don't think it's worth a penny, obviously they have customers who do). Yes, it can potentially be cross-referenced with legal identities. Of course, there are a lot of ways to do that now (cookies, web logs, etc).

    What is deplorable is that they did not release such information to the people who downloaded the software.

    If a company wants to produce software that monitors every keystroke I ever type on my computer, fine. If I want to use it, fine. However, I should be told before installing the software that such information will be collected.

    If we are going to condem their actions, then let us condem them for their real crime. Collecting this information was not a crime. Collecting this information without the consent of their users is a crime, if not in a legal since, then certainly in a moral since.

    I would expect the people here to understand this better than most. Software is never the issue, it's what's done with the software and in what manner that is the issue. The government wants to regulate crypto because it can be used for illegal purposes. The music and vidio industry want software and hardware that can reverse engineer/defeat copy protection to be illegal because it can be used for pirating. Yet, crypto allows private communication, e-commerce, and user identification that is desperately needed in a world that is rapidly becoming dependant on computer communications. And the same software and hardware that can be used to defeat copy protection can be used to help debug programs, burn CD archives of our work, and play DVD's on our linux boxes.

    A tool is just that. A tool. However, someone who uses a crowbar to break into people's homes is a far cry from someone who uses a crowbar in the process of construction.

    Please. Remember their crime. It's not the software, it's the lack of consent.
  • IIRC, the DPA covers all databases, whether or not they're about people.

    Run a database? Register it or go to prison. (That's the principle.) The original DPA draft dates back to before the government knew you could store data on anything smaller than a mainframe (early to mid eighties).

    There are exemptions for non-profit clubs, and private address books. That's about it. The DPA actually had to clarify a couple of years ago that usenet spools and private email folders weren't considered databases within the meaning of the law -- but structured data repositories (like this sort of thing) are subject to the act.

  • Now that it's uncommon for a computer not to have an internet connection, and with full-time connections becoming more common, this is only the tip of the iceberg.

    What won't stop invasion of privacy is so-called disclosure in license agreements and readme files. First, nobody reads those, and second, they're too vague. I think that the info that ID gathered was perfectly acceptable, while what RealJukebox did was definitely not, and yet one generic disclosure statement would cover both.

    I think that what we need is something similar to anti-virus software that sits between applications and the TCP/IP stack, and limits what different applications can do, putting up warnings and confirmation dialogs as necessary. I expect that my web browser will connect to internet sites. I don't expect that of most other software, and I want to be warned whenever that happens.

    This should be similar in concept to some virus protection software. I expect FORMAT.EXE to format disks. I don't expect any other program to do so, and if anything else calls the INT13h or whatever it is (apologies for the DOS-isms), I want to know about it.

    Of course, clever programmers could code around anything, just as virus writers avoid detection, but if any company employed such tricks, they'd really have a lot of explaining to do.

  • by Anonymous Coward

    I just attempted to load Cometzone [cometzone.com]'s website and it doesn't allow you to unless you allow cookies. God, I love Junkbuster. [...] Why do they need to store a cookie for me to load the page?

    I know all you Linux/Apache hippies are going laugh or something at this...

    After CometZone's website struggles with your browser, it ends up at the page cookie.asp. Notice the extension-- asp. That stands for Active Server Page, referring to Active Server Pages, a server-side scripting technology from Microsoft. ASP normally runs on NT Servers running IIS3.0 and above.

    When you visit an ASP site, it may send a session-level cookie to your browser, to identify you while you are on the site. Session-level means it lasts only as long as your browser is open. It is never stored on your hard drive in any cookie file. The cookie name usually starts with ASPSESSION followed by a bunch of randon letters.

    The reason this is sent is because some ASP sites use session variables-- global variables for all the scripts in the site that pertain to the current site visitor. The server stores these variables in its memory and uses the cookie it sent you to tell your session variables from everyone else's.

    Now, as an ASP programmer, I can say that using session variables is a bad idea. Firstly, most users don't like cookies, and will disable or refuse them, meaning that the website will not be able to retain session information for the website users. Secondly, they use up server memory! If you have 400 users on your site, that's 400 copies of every session variable! (No jokes about NT Servers' load capacity, please.) Thankfully, it's possible to disable them and stick with only application variables (of which there is only one copy of, regardless of the user load). There are also other ways of maintaining state information, too.

  • They.... You mean the people who expect something for nothing by putting links to their software on their website?

    They, the people that go "hmmm, let me run that useless software just for the hell of it".

    Or they, that allow users to use the software they developed for free, and just happened to forget to mention thewy wanted something in return?

    Too me, it would seem fairly obvious that somethings amiss about their offering. So little in the world is free. On the internet, almost all the free stuff comes at the cost of personal information. It doesn't excuse them for not attempting to tell users about the tracking functions. But why wasn't anyone asking?
  • Absolutely. As far as I'm concerned, it is a crime against one's privacy that this information, however "insignificant" it might be of itself, has been stolen (ie without consent).

    Me, I've seen these "comet cursors" on the Dilbert page, and thought they were bad enough there. As a gimmic they don't interest me one way or another, and if they destroy my Dinosaurs cursor theme, even for just a few mouse-over events, then they're blydi annoying.

    I think the limit should be the regular web server logging, no more. It's fair enough that an httpd should know where you're coming from and with what agent, as there are folks out here who need to maintain stats on the above; but asking the browser to give up any more information than that is immoral, and writing a browser that allows more to be sent is in league with those who want such info.
    Web server logs, no more.
  • by CaseyB ( 1105 ) on Tuesday November 30, 1999 @06:36AM (#1493438)
    Personally I'd far rather have an Internet that provided no technological means for me to stop this sort of thing, than an Internet that was restrictive and full of rules and regulations.

    It's not an 'Internet' issue -- it's a browser issue.

    I can see a technical solution for this problem in my head right now. It wouldn't be detrimental to anyone, and would allow users to control what their browsers are doing for them.

    OK, here goes:

    1. First, let the user turn on the 'explicit hosts only' checkbox to 'on' from the default 'off'. There, any issue people have with 'breaking the web as we know it' is irrelevant. It's optional.
    2. Go to your favourite page. (slashdot of course!) The browser runs off to slashdot.org to grab the page.
    3. The browser finds an IMG tag with an SRC of http://209.207.224.245/Slashdot/pc.gif?/comments.p l,3713971. That's not the same host as the page I explicitly asked for!
    4. A prompt pops up. "Do you want to add 209.207.224.245 to slashdot.org's trust realm?" Meaning, any request to slashdot.org will also allow 'incident' requests to 209.207.224.245. I say 'yes' because I like pretty pictures. OR, I say 'no' because where the hell is 209.207.224.245 anyway, and why should my machine go there if I didn't ask it to? Repeat for all such 'incident requests'. The browser remembers my answers, and doesn't bother asking again.
    5. The page renders all the data I OK'd.

    Comments?

  • The UK laws cover the UK, true, but the European acts provide that personal information may not be lawfully exported to nations with weaker privacy laws.

    On the one hand, it would be impossible for Europeans to touch Yahoo directly. On the other, it may be possible to sue the backbone providers with breach of EU export laws, for transmitting personal information to an unprotected country.

    (On the other hand, the backbone providers are likely to cry "carriers", which does offer immunity under certain circumstances. However, in the case of "Private Eye", in the UK, carriers who knowingly transmit information lose carrier immunity.)

    It also kind-of goes a little deeper. If enough people launched a massive Class Action against one of the backbones, for not blocking Yahoo, the negative publicity may force a settlement and may encourage other backbones to bulk-block Yahoo.

    That, in turn, will severely impact Yahoo on the advertising front. Even portal sites can't run on thin air.

  • I was wondering how the people who *weren't* mad at id can still say id did nothing wrong.

    Id secretly monitored people because they hadn't really thought about it at all. It just seemed natural and beneficial and, hey, who expects privacy and we're not matching up names...

    It's this lax attitude that leads to another company saying "Hey, why not take this to the next level and completely track the user".

    I got spammed recently by Barbes & Noble and they had a hidden img tag in the HTML version of their spam. The hidden image contained a unique number so that B&N new exactly when I looked at their crap. (See Privacy Digest [vortex.com] for more).

    B&N thinks there's nothing wrong with this. Comet thinks there's nothing wrong. Id thinks there's nothing wrong. They all think they haven't crossed the line yet. If we keep allowing them to push this line, you can bet that people will keep pushing this line.

    If you weren't mad at id, then where exactly do you draw the line? Comet isn't tracking names (yet). Sure, kids use Comet's Cursors... but kids also play video games. If you accept what id did, then you set yourself up for Comet.

  • You not only have to worry about them selling the data, but someone buying their company.

    I would not be surprised if the next cracker that gets busted has his Comet Cursor file subpoenaed...
  • by jms ( 11418 ) on Tuesday November 30, 1999 @06:55AM (#1493457)
    Well, if they aren't using the information, then they should have no problem with someone reverse engineering their protocol and sending millions of bogus "hits" on random sites to their servers.

    Any takers? :-)

  • ... is if this is installed on a developer/tester's workstation in an e-commerce/web design shop.

    What kind of information could be gleamed from them by the record of all thier internal urls?

    In certain circumstances, this could be espionage.

    (note : I know that now all sysadmins everywhere are banning this software, and they shouldn't have run it in the first place, but up until now, it's just been a harmless desktop toy. Who would have cared about it?)
  • For any IE user who doesn't trust the cleaner provided by the company:

    Tools->Internet Options
    Temporary Internet Files - Settings
    View Objects to see all ActiveX controls that have been downloaded
    Right-click the Comet Cursor->Remove

    I did this in NT4. Dunno about 9x or 2k.
  • by Ryan Taylor ( 32647 ) on Tuesday November 30, 1999 @07:08AM (#1493467)
    Rather hard to find... ehehe... I tried the link labeled "Privacy Agreement" on the main page, which links back to the main page. Convienent misshap. I tried the link in the liscence agreement which is incidently labeled, "8. Privacy -- See our Privacy Statement"... this links back to the liscence agreement. So I tried "http://cometzone.cometsystems.com/privacy.asp#".. . this worked. Here's what I found:

    "Registration

    Comet Systems gathers information about our Cometeers that allows us to offer compelling services in a manner that provides personal privacy protection as well. When you join CometZone, we ask you to provide us with some required information such as your email address and home page URL, and some optional information such as your name and address."

    "Account Activity Logs

    As a result of joining CometZone, a Cometeer account is set up for you on our system that contains your user settings and preferences, e.g., which Comet Cursor you've selected for each of your Cometeer web pages. Every time you login to CometZone, or change your CometZone settings or preferences, your Cometeer Activity Log ("Activity Log") is updated to reflect this activity. Comet Systems uses Activity Logs as a means for better understanding our Cometeers and their interests."

    "...Any information you provide to Comet Systems when registering for CometZone is maintained and is accessible only by Comet Systems and a few of Comet Systems's content sponsors. We use the information collected during registration to better understand your interests, and to provide you with the best products and services on the web... "

    Anyway... I'm a little appalled that they appear to have tried to hide their privacy agreement, and furthermore, that the CEO's explaination seems incompatible with this information.

    Sincerely,

    Ryan Taylor

    ---
    Just when you think you've invented something idiot proof, someone goes and invents a better idiot.












  • No company is going to break the law on purpose to get private information on you. The government will, but the private sector WON'T because the private sector is not above the law. If they get caught (and they will get caught, what with the watchful eye of the leet opensourcer always on alert) it's not pretty. And THAT'S the thing that most people don't get.
    I have to strongly disagree with you here. In any arena of business, there will be companies who will intentionally break the law if they see financial reward for doing so. Getting caught is just one of the many risks of doing business.

    To claim that no business will collect data illeagaly for fear of being caught is like claiming no business will break environmental laws for fear of being caught by environmental watchgroups. It happens all the time. Some are caught - even some well-known names. Many others are not.

    Our only defense is to make examples of those who are caught in the hopes that fewer will be willing to risk such business practices. It won't put a utopian end to such behavior, but it might help to prevent abusing privacy from becoming a standard business practice.

  • Same difference. Off-shore companies can't be touched, directly, but they CAN be affected by a kick in the pockets.

    If you worry more about whether I got a name right or not, and ignore the contents of what I wrote, it's no wonder you're an AC. If you accuse me of posting without reading, you might want to look up a word in the dictionary. Hypocrite.

  • Yes, but isn't that a crimial law, not a basis for a civil suit?
  • I know all about the session-level cookies. I knew that it wouldn't be stored but I still found it entirely useless for viewing a single page. It is the comapnie's perogrative. The sad part is, the type of people who get concerned about cookies aren't the type of people they are interested in. heheh

    Some kindly moderator moderate this highly informative post up. Great information for alot of people.

    Great Post AC.
  • Errr....Did Mr. Stephens give you permission to post his work address, phone #, and e-mail addresses? It'd be rather ironic if he hadn't considering this whole article is about privacy....

    Sol
  • > here is what it contains:

    What we need is for some enterprising network programmer to provide us with an emulator app that will let us generate bogus messages of the right format and directed to the proper destination. Have it create a message with random content, or perhaps read strings from a user customization file that will allow insertion of fake but plausible text.

    Better yet, have it read a database of known snoopers, so that a new program doesn't have to be written every time a new snooper is discovered: just have a cron job pick a random known snooper once per hour, and send out a bogus message. Then whenever you see a "Your Rights On-Line" post to /., you'll know it's time to download an updated database.

    Don't generate enough messages to rate as a DOS attack, mind you: just enough to make sure their "sucker databases" are useless due to pollution with bogus messages.

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?
  • Getting caught is just one of the many risks of doing business

    It seems like EVERY DAY we hear something about someone discovering a new way company X is recording data and tracking our movements. If one of these companies REALLY overstepped the boundaries of law and knowingly broke such a law in order to do something horribly unethical with this information, WE WOULD DISCOVER IT. It's practically a 100% certainty.

    The result would be a horrible PR shitstorm, class action lawsuits, perhaps criminal proceedings. In short: the company would be destroyed and its owners (assuming they aren't in prison) would be penniless.

    No company on earth would take such a monumental risk for something as insigificant as this. This company is in business because of their nifty little Cursor software, they're not in business to collect and sell blackmail material.

    If someone really wanted to destroy your life, there are LOTS of better ways to do it than this that don't require Yet Another YRO Conspiracy Theory.
  • Hopefully, it would show up on your installed applications list ("Add/remove applications" on the Control Panel). It didn't show up on mine, so I had to use regedit to find and erase every key associated with it. I just did a search on "comet", and when I was done I erased comet.dll from my system32 directory. The next time I went to Comedy Central, it asked if I wanted to install it and told me that Comet was quite safe and benign. This time I knew better.

    PS: You might also want to search for impression.log, and then examine every file with a similar creation date.

  • your comments really hit home here; I've been thinking very closely along these lines: on the www, the client software controls everything (pulling content from the net) on behalf of the user. no site can possibly shove anything on my screen if I don't want it, it's just that the current generation of browsers make it hard for me to make fine-grained choices like: when loading slashdot.org, feel free to fetch content from anywhere, but when loading salon.com, ignore embedded content from 208.178.101.41, and when loading random pages, ignore all embedded content from other domains, unless the URL contains an added command not to; also, on geocities and xoom, disable new window creation from javascript.

    proxies like junkbuster try to do some of this, but they suffer from being a proxy: they can't be as closely integrated with the browser as one would like, and they make the whole browsing slower and less responsive because of the proxying overhead.

    I have a serious suggestion here: write a program that does this kind of job (based on a config file), by intercepting the browser's (e.g netscape navigator 4.x) calls to libc, using LD_PRELOAD to get itself loaded. the library would basically filter all network related syscalls (select, read, write, connect, close, shutdown, setsockopt), monitor HTTP connections, rewrite headers as appropriate, and decide which requests to allow or not. (think of this as a stop-gap measure; as soon as mozilla is ready, the core of this can be directly integrated in it, without shared lib hackery, and more fine grained things like selective access to javascript functions can be added ; a libc wrapper can't do that cleanly).

    as far as I know this hasn't been done yet, with the LD_PRELOAD approach (as opposed to proxies, which are abundant), so I'm definitely going to start work on it myself, probably during xmas break. in the meantime, I want to get the ideas ready (casey-b's domains are a good one), so that when i start coding, i know what to type :)

    if anyone else is interested enough, let me know by mail [mailto]... help is always appreciated :)

  • What the hell would these guys actually SELL here? A list saying "Cursor UserID 12345 visited sites http://abc.com and http://xyz.org"? How REMOTELY USEFUL is that information going to be to any potential marketer? At MOST, they'll be able to determine web site "genres" ("People visiting abc.com also seem to frequently visit xyz.org"). There is NO WAY to correlate this information with any other bit of information without all of the member web sites being in on the conspiracy and coughing up their access logs in real time, and even then, proxy servers and dynamic IP addressing would render this data virtually unusable (and nearly impossible to effectively mine, given the volume of data, and the low percentage of useful information).

    Stop trying to break apart their statements and look for hidden sinister intentions here. It's clear they know what we're objecting to, and his statement was meant to try and remove those fears from our minds. There is NO reason to assume that they have, are or ever intend to use the information they've collected for any purpose other than what they've stated.

    And I'd be very interested to know what sort of login ID you can gleam from a URL that allows you to discover private information like a name or address. That sounds like a pretty piss-poor implementation of something and the maintainers need to be e-mailed.

    Your identity is totally meaningless to these people. Your name serves no purpose in their efforts to bill their customers for use of their software. It makes no sense at all for them to ever want to record it, and even if they DID, and managed to sell your identity with a long list of rather questionable web sites (and userID's, whatever else you want to add to the conspiracy theory), SOMEONE WILL FIND OUT ABOUT IT. Things like this don't go undiscovered (look at the long line of YRO articles if you don't believe me). They will be caught and the PR shitstorm that results would leave the company penniless, perhaps even with their owners behind bars. Think about it.
  • Maybe a new business opportunity. IRL there is a risk to letting people into your home. Some services advertise that their people are "bonded and insured," meaning (more or less, IANAL) there's money deposited somewhere which can be tapped in case of trouble.

    If there were laws to support bonding of visiting software (I mean laws with consequences that can (really, really) NOT be absorbed by the unscrupulous as cost of doing business), then users could choose to lower their risks in a way backed with predictable legal recourse.

    Big commercial operations could afford to provide this kind of assurance (assuming they aren't dependent on deception), but there ought to be a way for a small contributor to give assurances too. Open source is great, but I am not sure I have time to inspect all the code myself, especially if you include OS and libraries (;-), so it would be nice to have versions signed by trusted reviewers. Anybody have a list of trusted reviewers? Should they be bonded ?? Paid?

  • Huh?

    When I visited the page I was presented with a dialog asking if I wanted to install the component. I explicitely indicated my desire to do so.

    Even if it didn't ask me, it would still not be considered illegal. Nobody forced you to visit that web site, and the component is part of the content rendered on that site. If you don't want your browser automatically loading and displaying images or applets, DISABLE THEM. You can do that, you know. You are implicitely allowing them to run as part of your browser's normal operation. To say that this even remotely violates any law is absurd and unfounded. Consult a lawyer before you go off saying something is a criminal offense.

    It's like saying, "I only authorized this web page to deliver one paragraph of text to be rendered in my browser, but instead, it caused my browser to render THREE paragraphs of text. Those two paragraphs are UNAUTHORIZED uses of my browser and computer's resources! I want to sue!"

    You do realize your web browser itself is guilty of delivering far more trackable information than this little applet, yes? Why aren't you jumping up and down asking for web browsers to be banned?
  • cookies, like too many things on the web, are only harmless (for your privacy) if you're tech oriented enough to handle them. in my case, "handling cookies" means allowing them during a browsing session, then clearing the cookie file at the end (possibly leaving one or two that i trust, like /.). so everything works, including those annoying sites that depend on ASPSESSIONID or something like that, but doubleclick can't do anything bad. let them store hundreds of short lived sessions if it amuses them... (well, not exactly doubleclick now that i've /etc/hosts'ed them to 127.0.0.2, but any similar sites).

    as regards this cursor software thing, i'm amazed to see people saying that "logging someone's list of visited sites" is harmless!

  • They aren't being trojaned.

    If they really were, they'd be breaking laws and they would have been prosecuted and convicted. This hasn't happened, nor will it, because they aren't breaking any laws.

    If you really find the idea of sending an objective ID back to an application's source morally offensive, don't do business with that company. Vote with your pocketbook.

    I personally don't see what the fuss is about. Things like this are rather benign and are FAR more numerous than you folks seem to think. The only impact these companies are ever going to have on my life is the continued presence of these YRO articles, since there will never be a shortage of topic material for them if every one of these instances is worthy of a daily YRO red alert.
  • Are you actualy saying, on slashdot, that there is nothing free? what about linux or perl? Even in the windows world, there's lots of free, closed source software (such as the origional winamp and mIRC, they went shareware when it became aperant that millions of people were using it and even if only 1% registerd...)

    I might be likely to run a little app if it looked intresting, and I certanly wouldn't exspect it to actively track my web surfing
    --
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
  • I tried the link labeled "Privacy Agreement" on the main page, which links back to the main page. Convienent misshap.

    Why does everything have to be a conspiracy theory with you guys? When something doesn't work is it always because the company responsible is being evil and trying to hide something from you?

    Did it ever occur to you that they might have been using a form of JavaScript to load the privacy page? It seems that you're either using an obsolete browser or you've disabled JavaScript for some reason (which is pretty typical of YRO posters I bet).

    The privacy policy loaded up just fine for me.

    Enough with the lame conspiracy theories.

    Anyway... I'm a little appalled that they appear to have tried to hide their privacy agreement, and furthermore, that the CEO's explaination seems incompatible with this information.

    The information you quoted was relevant to the information they collect as part of their member signup process. When you sign up to use their software on your web page, you have to give them enough information to create an account from which you can do things like specify settings for their application on your web page. It sounds perfectly logical and reasonable to me.

    Thus, it has nothing at all to do with the data sent by their software client.

    Web site privacy policies deal with the web sites only, not software delivered or advertised on those sites. That's why they call them "Web site privacy policies."
  • but, the internet already alows you to do this, just block the host that this commet thing is sending to. you could simply kill acess to adfu.blockstakers.com, or whatever slashdot is using now to get rid of the ads.

    surely, you're not saying that individuals shouldn't have the ability to block out information they don't want to see. I wouldn't want an internet where I didn't have (however theoreticaly) control over my packets
    --
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
  • I don't know about PERL's license, but Linux is certainly not free. Yeah, it's free as in beer, but as in speech, because you can't restrict it in anyway, it's not exactly free... Free would be if you could do whatever you wanted to do with it and decide for yourself if you wanted your changes redistributed with the whole or not. But aside from that....

    Yeah, there's lots of cool shareware and freeware out there for Windows, Macs and everything else... But with the advent of the internet, there's become a way that people can use freeware as a marketing ploy... and we get all shocked when they do.

    For instance, RealJukebox. Sounded like an awesome piece of software. With it's on the fly MP3-ripping, CD playing, etc... there's no guarentee that Real would see anything in return for it, except maybe a bunch of good karma and brownie points. Unfortunately, they messed up and didn't tell anyone what they were doing.

    Same as with this cursor thing... If only they'ed said...

    What's really funny though, is how people defend Id for only taking their video hardware without their knowledge, as if that's okay, but these other two privacy violations are not...
  • You're making the classic YRO assumption here, that all of the companies this Cursor group does business with are in on the conspiracy together. The only way they would be able to make the link you're suggesting is if they had the cooperation of all of their customers.

    Large multi-corporate conspiracies to ruin the lives of CUSTOMERS not only sounds silly, but it doesn't sound like it's in the best interests of the companies themselves.

    Think about this for a bit. If a company did started handing your personal information over (going against their posted privacy policies and likely breaking laws in the process), this would almost *certainly* be discovered. The resulting PR shitstorm would put both companies out of business, and depending on what they did with this information, the owners/CEO's would likely be in prison.

    I'm not saying companies don't break the law occasionally, but you'll find few companies that are willing to risk felony convictions, bankruptcy, a tremendous amount of negative PR, and alienating and destroying the lives of the very customers that are giving them money in the first place. All for a marginal amount of marketing revenue.

    It just doesn't make good business sense.
  • Actually that may have been a mistake on my part but this information is readilly available on the company website. I'm not approaching him in a negative light by any means. There would be no need for retribution.
  • Maybe when it was first implemented, the designer didn't think out the ethical implications first, and just thought it would be a cool idea to track people using a unique ID based on hardware.

    Who said this was based on hardware? I was under the impression this was a simple ID number handed out to requesting clients.

    The programmer(s) needed a way to generate auditable information in order to bill their customers. They could have done this by IP address, but that would have masqueraded lots of people behind a single proxy IP while duplicating the roamings of a single user getting multiple dynamic IP addresses, so it was determined that a single ID would be needed to get an accurate usage count. The programmer(s) probably just didn't think it would be a big deal (and I still don't). It sounds perfectly logical and doesn't require an evil conspiracy.

    The information they are gathering may seem to be benign, but its just another step towards making us all akin to tagged animals in the wild, tracking and analyzing our every move.

    It's this attitude among YRO posters that I despise the most. Do you have any idea how many people and organizations out there are exactly 1 step away from your little conclusion there? I run a number of web servers where, if I so desired, I could pump the access logs through a system, collect access logs from my fellow conspirators, ad infinitum and get enough information to destroy the lives of countless thousands of people. Am I suddenly an evil conspirator with the rest of the evil corporations and governments? We'd have to lock up half of the planet if this is how you're defining 'evil'.

    The technology is there, but you should NEVER judge a company based on what they are THEORETICALLY capable of doing. Instead, you should be judging them on what they ARE and ARE NOT doing, and their reasons behind it.
  • by delmoi ( 26744 )
    storms-168-12.res.iastate.edu. That's always me (exsept when I'm running linux, atwitch the 12 changes to a 92 or somthing), and I can't imagen that it would be hard for a search site to corolate my IP with other information

    Exsept I hardly ever use search engens any more, Just Yahoo, if I'm looking for a particular topic. Maybe altavista in the rare case I need a particular string. With this, though *one* company knows *all* your surfing habits, not just that you looked up x86 assembly coding on Yahoo last june, or you looked for the string 'netbus 17' on altavista.

    I suppose it might matter for those that use searches a lot, But I do think that this is a little diffrent. esp since they tried to do it covertly (unlike the q3a thing)
    --
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
  • While, yes an individual website will know more about what you did at *there site*, this little bugger tracks you over the entire web, or at least would like to (right now, it has only 60,000).

    In other words, CmndrTaco knows everything I do on slashdot, but he dosn't know what I do elsewhere. With this software, the 'commet' people know what you do on over 60k sites. (although, this isn't really that diffrent that what doubleclick is capable of)
    --
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
  • Time to indulge in a little paranoia...

    A list saying "Cursor UserID 12345 visited sites http://abc.com and http://xyz.org"?

    Potentially, yes.

    There is NO WAY to correlate this information with any other bit of information without all of the member web sites being in on the conspiracy and coughing up their access logs in real time, and even then, proxy servers and dynamic IP addressing would render this data virtually unusable

    Uh... No.

    First off, it would only require one site to give out logs and user information in order to determine with reasonable certainty the identity of any users who visit more than once. Multiple sites would let you get anyone who visited more than one, even if they only go once to each. (User 12345 visited site X at times Y and Z. Joe Schmoe is the only person who visited X at both of those times. Now let's see what else Joe/User 12345 has been up to...)

    Secondly, the logs wouldn't be needed in real time. After-the-fact analysis would work just as well. (Probably better, since you need to correlate multiple web site visits.)

    And, finally, dynamic IP addressing and proxys don't matter because this doesn't use your IP address. It correlates a Comet-assigned serial number with one or more user accounts on a site that exchanges data with Comet.

    Personally, I don't think they're doing this. My point is just that they could. And it wouldn't be that difficult.

  • I am sick of people expecting government to solve our problems. Aparently, we can't protect ourselves from the mean, nasty corporations.
    Government creates the mean nasty corporations. I'd like it to reign in its pets. Or have its creations become its masters?
    I agree that comet was wrong for not disclosing the full truth. But a far more insidious evil is a government that decides to regulate everything and everyone.
    We don't need more laws and regulations to deal with fsckheads like these guys. What's they've perpetrated is fraud, pure and simple, and that's well covered by exisiting law. Same as if Sony sold me you VCR that (they "forgot to disclose) happens to send to Sony HQ a list of your viewing habits, as well as sending back photographs of you slouched on the couch watching whatever gives you naughty thoughts.
  • When you went to some newbie webpage with the tacky "Always under construction" animated gif, scrolling status area javascript, and various HTML errors, and you had the "this site uses something called Comet Cursor as silly eye candy -- click to download" popup come up... how many of you actually got the damned thing?

    There's not Linux version, so only people who are on Win9x or Mac were affected. Under Win9x, I've never seen one of these popups in the browser I use (Opera), although I get them in Linux (using Netscape). But even not having been directly affected by this, it makes you wonder. What exactly was that flash of the modem/NIC tx/rx lights for? Was it some closed-source app that is designed to work with an internet connection (IE 5.0, Real Player, Comet Cursor, etc) that can just go ahead and give away privacy information?

    Don't use closed source if possible. If you have to, limit it, and make sure you have a firewall that blocks things going in and things going out.

    ---
  • Seems like a trojan to me

    If you use such a loose definition of 'trojan', the vast majority of software in use today would be classified as such.

    Did you know your web browser sends not only its own browser version (complete with a description of your operating system) but the URL of the web page whose link you just followed to get there? Nowhere in the browser's documentation does it say it's going to do this, and I was never asked. Is it a trojan?

    No, of course not.

    Calling people kiddies is acting like a kiddie yourself. Grow up.

    I wasn't calling you a kiddie. I was referring to the class of Slashdot poster that makes knee-jerk posts, responses and tends to bring the average IQ down a few dozen points. Stop taking these things so personally. I wasn't talking about you, unless you fit this profile, but that's out of the scope of this thread.
  • first of all, what id did was not secret, it was clearly described in most of the readmes, and they *didn't* have any identifying information (such as mac address, or somthing)

    there is a huge diffrence between what Id did, and what these people did, if you cant see that, then there is really somthing wrong with you. Is there a diffrence between a guy who grows pot in his back yard for him and a few frends, and a guy who runs a Crystal Meth lab, and poisons hundreds of people? well, yes.
    --
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
  • Earlier today, that line either didn't exist

    What line?

    The source code for the privacy link is as follows:

    <a href="#" onClick='window.open("privacy.asp","","width=600,h eight=500,scrollbars=yes,resizable=yes,l ocation=no,toolbar=no");'>Privacy Statement</a>

    If you had JavaScript disabled or were using a browser that didn't support it, the above would be equivalent to <a href="#">, which is simply a no-op link (perhaps reloading the same page).

    In any event, this is the same link that's been there all day. I read the privacy statement some 10 minutes before you wrote your comment, and I tried it again when I read your comment, and it functioned the same both times.

    If your browser is normal and the link didn't work for you one moment, but did the next, then I don't know what to tell you. Either your browser is buggy or you're right in that they were having problems with their site. I can't imagine any reason they would want to hide their privacy statement from people, though. There was nothing about it that put them in a bad light at all.

    I do however despise spam with all my heart and soul. This company appears to make money through "direct marketing", or spamming people.

    They make their money by putting a little advertising banner on web sites that use their Cursor code. Spam? Hardly. They do send out e-mails, however. Their privacy policy has this to say about it:

    Occasionally, we will send you communications via email providing you useful information about product enhancements or new products and services. It is our policy only to send email to customers who give us permission to do so. Instructions for unsubscribing are included in these emails. For further instructions, please see the "Opt-Out Policy" below.


    Opt-Out Features

    Comet Systems believes its Cometeers should control the communications directed to them. Every time we collect name and address information about you:

    You can tell us if you don't want to receive communication from CometZone such as email newsletters announcing contests or new features.

    You can tell us if you don't want to receive communication from third-party companies who offer a product or service that we think would be of value to you.
    This seems like a fairly standard way for a company to act with respects to your e-mail address. I don't think this qualifies as spam in the least. They make you completely aware of what they're doing and always give you the option to refuse. What is the big deal here?

    I'm angry because you've chosen to associate me with the conspiracy theorists.

    I was annoyed that you jumped to the conclusion that they were Yet Another Evil Company based on the fact that it *looked* like they were trying to hide their privacy policies from everyone, which simply doesn't make any sense. Just because 'malice' is one possible explanation doesn't mean it's the correct one. In this case, it isn't even the logical explanation.

    I'm sorry if my post came out sounding bitter -- I've written a dozen or two messages in this thread trying to combat the conspiracy theories that permeate most every YRO article, and some of these posts just get really moronic and I lose my patience. Sorry if that was the case here.
  • They are in the business of selling marketing information. Disguising it as animated cursor was their way of doing this.

    Classic YRO material (FUD?).

    I'm not even going to begin to try to respond to this one...
  • Well, the part where you said "even a portal can't run on thin air" didn't make much sense, when you changed the words.

    But really, you're *obviously* uninformed. Not only did you not read the story, you didn't even read the little blurb fully! And yet, when someone calls you on it, you instult them!

    That's classic. And by the way, anyone reading your post will think your an idiot, wether or not the ideas are valid or not. If you don't even know who the story's about, how can we exspect you to have any clue as to the impleplications of whats going on?
    --
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
  • ug, id WAS NOT sending the data without any warning. all of the readme files up to the 1.09 demotest contained the info, and how to disable it. aperantly the readme for 1.09 was cut down qute a bit, and thats one of the things that was removed
    --
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
  • Most of the 'Your Rights Online' articles have been, IMO, non-issues, this one included. People say "If we let them do this then they will keep going until they send our entire lives back!" No. If someone starts sending back e-mail addresses without permission or other very private information THEN we start boycotting and raising hell. Until then just relax, vote with your dollar, send polite e-mails if you don't agree with something and just deal with the larger issues.

    I'm reminded of a quotation by Benjamin Franklin: "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

    If we value our rights, then those rights must be vigorously and unyieldingly defended. If we give in a little now, then we have eroded the foundation on which our liberty stands, and it becomes easier to give in again tommorow, and the day after tommorow.

    History has shown, again and again, that little injustices if tolerated, lead to greater and greater injustices. Take World War II as an extreme example.

    What we've seen so far is only the start. Without vigorous resistance now to violations of privacy, our right to privacy may disappear overnight. In this case, the line is very clear: software must not covertly send back data to their companies. Anything else is unacceptable.
  • D'oh! My bad... Hmm, let's hope nobody here is also reading my flame on ntsecurity's spelling....
    Oh, D'oh! :-)
  • Id took data from my computer without asking first. Here's a better analogy: Id sneaked into my house and took a picture of my living room (and I wasn't even in the picture). Comet came into my house and took a picture of me in the shower. While Comet was a lot more malicious and reckless, I have a problem with ANYONE coming into my house uninvited.

    It's true that Id did take the time to mention that what they were doing in a form of techie jargon that some people might even understand, but they didn't really ask for consent. It's kind of like if your next Visa bill included a notice in finest legal-font that said that, unless you called them immediately, they would be free to come to your house and have a look around.

    Unless people start viewing the contents of their computer as their own property, companies like Comet will be sure to come along and take what you want to keep private.

Real programmers don't bring brown-bag lunches. If the vending machine doesn't sell it, they don't eat it. Vending machines don't sell quiche.

Working...