Yet Another Crumby Cookie Story

  • Written By: D. Geller
  • Published: August 8, 2000


Event Summary

Coremetrics provides visitor tracking for websites on an ASP basis. That is, they collect your clickstream data and can provide information about both the aggregate and the individual behavior of your visitors. (See TEC's April article Who's That Knocking On Your Web?) This is the same kind of analysis that websites can perform on their own using a variety of eCRM packages. Whereas a website would probably get the data from its web logs, Coremetrics obtains it by having the site embed a JavaScript tag (called a "beacon" or "web bug") on every page. This tag sends page and cookie data to Coremetrics' servers. Like any ASP, Coremetrics provides websites with the ability to incorporate an important function without the need to make a large up-front investment in licensed software and installation services.
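To make the mechanism concrete, the following is an added illustration written for this article, not Coremetrics' actual tag and not code from Interhack's report. It builds the kind of request a page beacon makes (page URL, referrer and a visitor cookie carried in an image URL's query string) and then applies the check a site owner would want when auditing its own pages: which of the embedded tags send that data to a host outside the site, and is each such recipient named in the privacy statement. All host names are constructed placeholders, and the "last two labels" notion of a site's base domain is a simplification for the example.

```javascript
// Added example, not Coremetrics' tag. Host names are constructed placeholders.

// Parse a document.cookie-style string ("a=1; b=2") into a Map.
function parseCookies(cookieString) {
  const map = new Map();
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) map.set(name, value);
  }
  return map;
}

// Build the request a beacon tag would make. Such tags typically fetch a 1x1
// image whose query string carries the page URL, the referrer and a cookie
// value; only a visitor id cookie (assumed name: visitor_id) is forwarded
// here rather than the whole cookie jar.
function buildBeaconUrl(beaconEndpoint, pageUrl, referrer, cookieString) {
  const url = new URL(beaconEndpoint);
  url.searchParams.set('page', pageUrl);
  url.searchParams.set('ref', referrer || '');
  const cookies = parseCookies(cookieString);
  if (cookies.has('visitor_id')) {
    url.searchParams.set('vid', cookies.get('visitor_id'));
  }
  return url.toString();
}

// Approximate a site's registrable domain by its last two labels. This is a
// simplification for the example; a real audit would use the Public Suffix List.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// The privacy-relevant question: does this tag hand page and cookie data to a
// host outside the site the visitor is actually on?
function isThirdPartyBeacon(pageUrl, beaconUrl) {
  return baseDomain(new URL(pageUrl).hostname) !== baseDomain(new URL(beaconUrl).hostname);
}

// Audit the tag URLs embedded in a page: report each third-party recipient and
// whether its base domain appears in the list the privacy statement discloses.
function auditBeacons(pageUrl, beaconUrls, disclosedDomains) {
  const findings = [];
  for (const beacon of beaconUrls) {
    if (!isThirdPartyBeacon(pageUrl, beacon)) continue;
    const host = new URL(beacon).hostname;
    findings.push({ host, disclosed: disclosedDomains.includes(baseDomain(host)) });
  }
  return findings;
}

// Constructed sample run: one disclosed analytics beacon, one first-party
// pixel, one undisclosed third-party pixel.
const samplePage = 'https://shop.example.test/cart';
const sampleBeacon = buildBeaconUrl(
  'https://collector.example-analytics.test/b.gif',
  samplePage,
  'https://www.example.test/',
  'session=abc; visitor_id=v123'
);
const sampleFindings = auditBeacons(
  samplePage,
  [sampleBeacon, 'https://static.example.test/pixel.gif', 'https://ads.other.test/p.gif'],
  ['example-analytics.test']
);
console.log(sampleBeacon);
console.log(sampleFindings);
```

Run with Node; the second printed line lists the two third-party hosts, one marked as disclosed and one not. That undisclosed entry is exactly the "technical foul" discussed below: data leaving the site for a recipient the privacy statement never names.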

Interhack Corporation is a provider of technology products and services generally focused on security, privacy, and network computing. On July 31 they issued a statement titled "Taking a Bold Step Forward in Privacy Invasion" in which they reveal "shocking results" about how Coremetrics' system "can build detailed dossiers of unsuspecting Web surfers." This report suggests that Coremetrics is aggregating the data it collects from different websites. It says, "Perhaps users, the US Federal Trade Commission, and our friends in Europe should be more concerned about what Web-based vendors are actually doing online than [about] what they admit they are doing." They note that the JavaScript code is "intentionally made difficult to read by human programmers." They say in bold letters "System tracks Users as They Move from Site to Site."

Another bold headline is "MENE MENE TEKEL PARSIN," a slightly garbled reference to the phrase "Mene Mene Tekel Upharsin," which is written by the disembodied fingers of a human hand in the Biblical Book of Daniel. This phrase is generally used in modern English to mean "the handwriting is on the wall," and under the headline Interhack founder Mathew C. Curtin is quoted as warning "Today we tell the industry that when it comes to invading our privacy, it will get away with nothing." (We can't keep ourselves from noting that Mr. Curtin's biography on the company website reads, "Consummate hacker. Java, Perl, C, Lisp, Unix, anything internet. Have XEmacs, will code. Also geeks out on history, physics, languages, and the Bible. Yes, the Bible.")

Anyone familiar with what Coremetrics actually does would recognize that this is mostly fallacious or misleading, and the report itself recognizes this as well. Buried beneath the headlines is a clear acknowledgment that Interhack knows the difference between what a company does do and what the technology it employs might be used to do. After Coremetrics issued a careful refutation of the innuendos in the Interhack report, Interhack posted a reply that said, in part:

Coremetrics, in our opinion, needs to spend less time talking about what their policy is and more time getting their technical people to talk about what is technically possible. Interhack has a business of being able to identify the differences between stated policy and what is technically possible: we perform security assessments. Furthermore, I - Matt Curtin - have authored numerous articles and reports that discuss these issues. No one knows better than we how differences between policy and possibility become real vulnerabilities.

In other words, the gist of Interhack's report is that Coremetrics is using a technology that someone else might misuse. They might have also noted that such misuse would probably require collusion on the part of the individual websites from which the data were being collected, but didn't.

Market Impact

Luckily Coremetrics is not a publicly traded company. The brouhaha with DoubleClick some months ago showed that investors have even less understanding of these issues than does the average surfer.

What's the story? Yes, it is possible for websites to collect information with bad intent. Not even Interhack claims any reason to assume that Coremetrics is one such. The best that Interhack could claim is that it caught four of Coremetrics' customers in a technical foul because they did not reveal that the data they collected were being sent to Coremetrics. We agree that they might as well update their Privacy Statements to reveal this, but don't ourselves consider it a foul. To the extent that we'd be worried about nefarious data gathering, we'd look to ASP providers of billing and ERP services, where the possibility of putting together much more detailed information about people is rivaled only by the Government's - but that's another conspiracy theory.

Tara Calishain, publisher of the e-zine Research Buzz, recently observed that Yahoo uses a similar technology on HTML e-mails to determine whether they were opened. She also noted that Yahoo's recent purchase of eGroups - a web-based e-mail and community service - creates the possibility of interesting misuses of the technology. If something good comes out of Interhack's attack on Coremetrics it would be that Yahoo reveals its use of these web bugs before it is assaulted by Interhack.

Interhack of course has a valid point that some technologies can be misused. Indeed, we can be sure that they will be misused. Sadly, we think that, like the little boy who cried wolf, Interhack has made it less rather than more likely that a real privacy violation, whether suspected or discovered, will be addressed.

User Recommendations

The message about any of these privacy flaps is the same. Have a clear statement about your policies and procedures; tell what kind of data you collect and what you do with it; make it easy for the unsophisticated user to opt out; and, only partner with companies that have equally scrupulous policies and behaviors.
