Event Summary
Comet Systems Inc., a privately held company that gives away software that can
convert your cursor into an animated shape of your choosing when you surf the
Web, has been collecting information about where the estimated six to fourteen
million users of the Comet Cursor point their browsers. The discovery was made
by a private security consultant, Richard Smith, a founder of Phar Lap Software,
who was also responsible for revealing security problems in Windows and for
independently tracking down the Melissa virus.

Comet uses a unique serial number for each user so that they can accurately report
to their websites the number of cursor-using visitors. Comet is paid for bringing
users to some of these sites, and it must be able to recognize that a single
user is viewing more than one page on the site. This is quite similar to the
kind of data collected by websites and advertising software. (See TEC Technology
Research Note: "Counting
Website Traffic - The Skinny On Hits, Impressions, Visitors and Clickthroughs"
December 1st, 1999). Smith discovered that the serial numbers were created with
a Microsoft Windows random number generator that sometimes uses information
that identifies the individual machine. Comet spokesperson Ben Austin stated
that Comet immediately began implementing a different way of creating serial
numbers as soon as Mr. Smith notified it of the problem.
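
An added example, not from the article or from Comet: assuming the generator emits RFC 4122 version-1 (time-based) identifiers, which the article does not state, this Python check flags serials whose node field is derived from the machine and shows a fully random replacement. The sample serials are constructed and use documentation-range node values.

```python
import uuid

def audit_serial(serial: str) -> dict:
    """Report whether a UUID-formatted serial carries a machine-derived field."""
    u = uuid.UUID(serial)
    finding = {"version": u.version, "machine_derived": False, "node": None}
    # Only RFC 4122 version-1 (time-based) values carry a 48-bit node field.
    if u.variant == uuid.RFC_4122 and u.version == 1:
        node = u.node
        # RFC 4122 sets the multicast bit (lowest bit of the first octet)
        # when a random node is substituted for a hardware address.
        random_node = bool((node >> 40) & 0x01)
        finding["node"] = ":".join(
            f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -8, -8)
        )
        finding["machine_derived"] = not random_node
    return finding

def new_serial() -> str:
    """Replacement scheme: a version-4 value with nothing derived from the host."""
    return str(uuid.uuid4())

def linkable_groups(serials):
    """Group serials that share a machine-derived node value."""
    groups = {}
    for s in serials:
        f = audit_serial(s)
        if f["machine_derived"]:
            groups.setdefault(f["node"], []).append(s)
    return groups

# Constructed sample serials (assumption: not real user data).
SAMPLES = [
    "3f2a1c00-9d4e-11d3-8a5b-00005e005301",  # version 1, unicast node
    "3f2a1c01-9d4e-11d3-8a5b-00005e005301",  # same node, later timestamp
    "3f2a1c02-9d4e-11d3-8a5b-01005e901001",  # version 1, multicast bit set
    new_serial(),                            # version 4, random
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, audit_serial(s))
    print("linkable by node:", linkable_groups(SAMPLES))
```

The first two samples land in the same group because they share a node value, which is what lets separate serials be tied back to one machine.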

Comet Systems has arrangements with more than 60,000 websites, each of which can serve
Comet's cursors to their visitors. While many of these are personal sites, Comet
has been making deals with such sites as StarTrek.com, Paramount's official
Star Trek web site, multimedia specialist RealNetworks, ISP MindSpring,
and spaceKids.com, the kids' section of space.com, a space exploration site
whose President is astronaut Dr. Sally Ride. Comet recently announced a partnership
with advertising network 24/7 Media. Users of Comet's plug-in software who pass
their cursor over an advertisement will see their cursors change to an icon related to the product
being advertised. Preliminary results indicated that Comet's technology increases
clickthroughs from 50 to 300 percent.

Changing the method of calculating the serial number removes any way of tying the data
collected by Comet to an individual's machine. However, privacy advocates have
expressed concern about keeping these data for three additional reasons. First,
that there was no notification to Comet users that these data would be collected;
second, that many of the websites that support the Comet cursor are targeted
to children; and third, that the data could potentially be tied with data that
identifies individuals, such as on the "My" pages offered by most portals.

Comet Systems has responded that because they did not use the data for any purpose
other than counting website visits, they did not see that there was a privacy
issue. They have now posted a privacy statement on their website. This statement
says, in part,
Any information you provide to Comet Systems when registering
for CometZone is maintained and is accessible only by Comet Systems and a
few of Comet Systems's content sponsors. We use the information collected
during registration to better understand your interests, and to provide you
with the best products and services on the web.

We analyze Activity Logs in the hope of presenting our Cometeers with the most
relevant and valuable content and advertising. We develop summary -- not individual
-- reports for our sponsors. The sponsors who make it possible for you to
use CometZone for free need information to determine the effectiveness of
their advertising investments. We never tell our sponsors who it was that
saw or clicked on their advertisements unless you have specifically told us
this is acceptable.

Mr. Austin also stated that the data collected about surfing behavior is only kept
long enough to generate a report - about 30 days - and is then deleted. He reiterated
that no use is made of the data other than for the purpose of counting the number
of "cometeers" visiting the client sites.

User Recommendations
The issue for the average company is the privacy of the data collected on web
surfers in the normal course of business. It is difficult to blame Comet for
using faulty software not part of the operating system, but once the issue became
newsworthy, Comet became vulnerable to criticism about the lack of a privacy
policy and to questions about why the data were being collected. Comet has probably
lost users because of this, because people seem to be especially sensitive about
data being collected or used surreptitiously. While few users would have read
Comet's privacy policy prior to this incident, an earlier posting of it would
have blunted much of the criticism. Posting a privacy policy, and adhering to
it, is a good business practice - and a good way to keep out of trouble.