Freeware Vendor's Web Tracking Draws Curses


Event Summary

Comet Systems Inc., a privately held company that gives away software that can convert your cursor into an animated shape of your choosing when you surf the Web, has been collecting information about where the estimated six to fourteen million users of the Comet Cursor point their browsers. The discovery was made by a private security consultant, Richard Smith, a founder of Phar Lap Software, who was also responsible for revealing security problems in Windows and for independently tracking down the Melissa virus.

Comet uses a unique serial number for each user so that they can accurately report to their websites the number of cursor-using visitors. Comet is paid for bringing users to some of these sites, and it must be able to recognize that a single user is viewing more than one page on the site. This is quite similar to the kind of data collected by websites and advertising software. (See TEC Technology Research Note: "Counting Website Traffic - The Skinny On Hits, Impressions, Visitors and Clickthroughs" December 1st, 1999). Smith discovered that the serial numbers were created with a Microsoft Windows random number generator that sometimes uses information that identifies the individual machine. Comet spokesperson Ben Austin stated that Comet immediately began implementing a different way of creating serial numbers as soon as Mr. Smith notified it of the problem.
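An added example, not from the original article or from Comet's software: the article does not name the serial number format, so this sketch assumes the serials are RFC 4122 UUIDs (Windows GUIDs), where version 1 values embed a network-card address and creation time and version 4 values are purely random. The function name and the sample serials are constructed for illustration.

```python
import uuid
from datetime import datetime, timedelta

GREGORIAN_EPOCH = datetime(1582, 10, 15)  # zero point of the version 1 timestamp
MULTICAST_BIT = 0x01_00_00_00_00_00       # set when the node field is random, not a NIC address

def audit_serial(serial: str) -> dict:
    """Report whether a UUID-style serial number embeds machine-identifying data."""
    u = uuid.UUID(serial)
    finding = {"version": u.version, "leaks_machine_id": False,
               "node": None, "created": None}
    if u.variant != uuid.RFC_4122 or u.version != 1:
        # e.g. version 4: 122 random bits, nothing that ties back to a machine
        return finding
    # Version 1 layout: 60-bit timestamp in 100 ns ticks plus a 48-bit node field.
    finding["created"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    if u.node & MULTICAST_BIT:
        # The generator had no NIC address available and filled the node randomly.
        return finding
    finding["node"] = ":".join(f"{b:02x}" for b in u.node.to_bytes(6, "big"))
    finding["leaks_machine_id"] = True
    return finding

# Constructed sample serials (assumed format, not real Comet data).
SAMPLES = {
    "v1, NIC address in node": "c1d5a4e0-9d3b-11d3-8f2a-00a0c9123456",
    "v1, random node":         "c1d5a4e0-9d3b-11d3-8f2a-01a0c9123456",
    "v4, fully random":        "3f2b8c1e-7d4a-4e9b-a1c6-5b0e9d2f4a77",
}

if __name__ == "__main__":
    for label, serial in SAMPLES.items():
        print(f"{label}: {audit_serial(serial)}")
```

Running the same audit over any identifier a product stores or transmits shows whether switching generators, as Comet said it did, actually removed the machine-specific fields.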

Comet Systems has arrangements with more than 60,000 websites, each of which can serve Comet's cursors to their visitors. While many of these are personal sites, Comet has been making deals with such sites as, Paramount's official Star Trek web site, multimedia specialist RealNetworks, ISP MindSpring, and, the kids' section of, a space exploration site whose President is astronaut Dr. Sally Ride. Comet recently announced a partnership with advertising network 24/7 Media. Users of Comet's plug-in software who pass their cursor will see their cursors change to an icon related to the product being advertised. Preliminary results indicated that Comet's technology increases clickthroughs from 50 to 300 percent.

Changing the method of calculating the serial number removes any way of tying the data collected by Comet to an individual's machine. However, privacy advocates have expressed concern about keeping these data for three additional reasons. First, that there was no notification to Comet users that these data would be collected; second, that many of the websites that support the Comet cursor are targeted to children; and third, that the data could potentially be tied with data that identifies individuals, such as on the "My" pages offered by most portals.

Comet Systems has responded that because they did not use the data for any purpose other than counting website visits, they did not see that there was a privacy issue. They have now posted a privacy statement on their website. This statement says, in part,

Any information you provide to Comet Systems when registering for CometZone is maintained and is accessible only by Comet Systems and a few of Comet Systems's content sponsors. We use the information collected during registration to better understand your interests, and to provide you with the best products and services on the web.

We analyze Activity Logs in the hope of presenting our Cometeers with the most relevant and valuable content and advertising. We develop summary -- not individual -- reports for our sponsors. The sponsors who make it possible for you to use CometZone for free need information to determine the effectiveness of their advertising investments. We never tell our sponsors who it was that saw or clicked on their advertisements unless you have specifically told us this is acceptable.

Mr. Austin also stated that the data collected about surfing behavior is only kept long enough to generate a report - about 30 days - and is then deleted. He reiterated that no use is made of the data other than for the purpose of counting the number of "cometeers" visiting the client sites.

User Recommendations

The issue for the average company is the privacy of the data collected on web surfers in the normal course of business. It is difficult to blame Comet for using faulty software not part of the operating system, but once the issue became newsworthy, Comet became vulnerable to criticism about the lack of a privacy policy and to questions about why the data were being collected. Comet has probably lost users because of this, because people seem to be especially sensitive about data being collected or used surreptitiously. While few users would have read Comet's privacy policy prior to this incident, an earlier posting of it would have blunted much of the criticism. Posting a privacy policy, and adhering to it, is a good business practice - and a good way to keep out of trouble.
