Event Summary
Coremetrics provides visitor tracking for websites on an ASP basis. That
is, they collect your clickstream data and can provide information about
both the aggregate and the individual behavior of your visitors. (See
TEC's April article Who's
That Knocking On Your Web?) This is the same kind of analysis that
websites can perform on their own using a variety of eCRM packages. Whereas
a website would probably get the data from its web logs, Coremetrics obtains
it by having the site embed a JavaScript tag (called a "beacon" or "web
bug") on every page. This tag sends page and cookie data to Coremetrics'
servers. Like any ASP, Coremetrics provides websites with the ability
to incorporate an important function without the need to make a large
up-front investment in licensed software and installation services.
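As an added illustration (not Coremetrics' tag or server, whose internals the
article does not describe), the JavaScript below sketches what a page-embedded
beacon can gather and what the collecting vendor sees at its end. The collector
endpoint, hostnames, cookie names and values are all constructed for the demo;
it runs under Node rather than in a browser, so a plain object stands in for
`document` and `location`.

```javascript
// Added example, not Coremetrics' own tag or server. A minimal page beacon and
// the collector that receives it: what the tag can transmit, and how a cookie
// set by the collector's own domain joins hits from unrelated sites.
// Every hostname, cookie name and value below is constructed for the demo.

const COLLECTOR = "https://collector.example.invalid/beacon.gif"; // hypothetical endpoint

// Client side. In a browser the tag reads location.href, document.referrer,
// document.title and document.cookie and fires an image request; `page` stands
// in for those objects so the code runs offline under Node.
function buildBeaconUrl(page) {
  const q = new URLSearchParams({
    url: page.href,
    ref: page.referrer || "",
    title: page.title || "",
    ck: page.cookie || "", // the site's own cookies, readable by any script on the page
  });
  return `${COLLECTOR}?${q.toString()}`;
}

// Parse "a=1; b=2" into { a: "1", b: "2" }.
function parseCookies(str) {
  const out = {};
  for (const part of str.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Server side. Besides the beacon URL, the image request carries whatever cookie
// the collector previously set on its own domain (a third-party cookie, passed
// here as the Cookie header). That cookie, not anything the page sends, is what
// links one surfer's hits across sites.
function recordHit(store, beaconUrl, cookieHeader) {
  const u = new URL(beaconUrl);
  const pageUrl = new URL(u.searchParams.get("url"));
  const vendorId = parseCookies(cookieHeader || "").vid;
  // No vendor cookie (blocked, or first ever visit): the hit cannot be joined to earlier ones.
  const key = vendorId || `anon-${store.size + 1}`;
  const hit = {
    site: pageUrl.hostname,
    path: pageUrl.pathname,
    referrer: u.searchParams.get("ref"),
    firstPartyCookies: parseCookies(u.searchParams.get("ck")),
  };
  if (!store.has(key)) store.set(key, []);
  store.get(key).push(hit);
  return { key, hit };
}

// What the collector can reconstruct for one vendor cookie value.
function dossier(store, vendorId) {
  const hits = store.get(vendorId) || [];
  return {
    sites: [...new Set(hits.map((h) => h.site))],
    pages: hits.map((h) => `${h.site}${h.path}`),
    referrers: hits.map((h) => h.referrer),
    leakedCookieNames: [...new Set(hits.flatMap((h) => Object.keys(h.firstPartyCookies)))],
  };
}

// Constructed walk-through: one surfer visits two unrelated sites that embed the
// same tag, then a third site with third-party cookies blocked.
function demo() {
  const store = new Map();
  const vendorCookie = "vid=4fe2c9a1"; // set earlier by the collector on its own domain
  recordHit(store, buildBeaconUrl({
    href: "https://shop.example/cart?item=123",
    referrer: "https://www.example-search.invalid/",
    title: "Your cart",
    cookie: "session=abc; customer=jdoe%40example.org",
  }), vendorCookie);
  recordHit(store, buildBeaconUrl({
    href: "https://news.example/politics/story-9",
    referrer: "https://shop.example/cart?item=123",
    cookie: "nid=77",
  }), vendorCookie);
  const { key } = recordHit(store, buildBeaconUrl({ href: "https://bank.example/login" }), "");
  return { joined: dossier(store, "4fe2c9a1"), unjoinedKey: key };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node`. The `dossier` output shows two unrelated sites joined under
one vendor cookie value, complete with the first-party cookie names each site
exposed to the script, while the third hit, sent without that cookie, lands
under a throwaway key and cannot be tied to the earlier two. Note that the
referrer field alone still tells the collector which site the surfer came from,
cookies or no cookies.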
Interhack Corporation is a provider of technology products and services
generally focused on security, privacy, and network computing. On July 31
they issued a statement titled "Taking a Bold Step Forward in Privacy
Invasion" in which they reveal "shocking results" about how Coremetrics'
system "can build detailed dossiers of unsuspecting Web surfers." The report
suggests that Coremetrics is aggregating the data it collects from different
websites. It says, "Perhaps users, the US Federal Trade Commission, and our
friends in Europe should be more concerned about what Web-based vendors are
actually doing online than [about] what they admit they are doing." They
note that the JavaScript code is "intentionally made difficult to read by
human programmers." They say in bold letters "System tracks Users as They
Move from Site to Site."
Another bold headline is "MENE MENE TEKEL PARSIN," a variant rendering of
the phrase "Mene Mene Tekel Upharsin," which is written by the disembodied
fingers of a human hand in the Biblical Book of Daniel. This phrase is
generally used in modern English to mean "the handwriting is on the wall,"
and under the headline Interhack founder Mathew C. Curtin is quoted as
warning "Today we tell the industry that when it comes to invading our
privacy, it will get away with nothing." (We can't keep ourselves from
noting that Mr. Curtin's biography on the company website reads, "Consummate
hacker. Java, Perl, C, Lisp, Unix, anything internet. Have XEmacs, will
code. Also geeks out on history, physics, languages, and the Bible. Yes,
the Bible.")
Not only would anyone familiar with what Coremetrics actually does recognize
that this is mostly fallacious or misleading, the report itself also
recognizes this. Buried beneath the headlines is a clear recognition that
Interhack knows the difference between what a company does do and what the
technology it employs might be used to do. After Coremetrics issued a careful
refutation of the innuendos in the Interhack report, Interhack posted a reply
that said, in part:
Coremetrics, in our opinion, needs to spend less time talking about what
their policy is and more time getting their technical people to talk about
what is technically possible. Interhack has a business of being able to
identify the differences between stated policy and what is technically
possible: we perform security assessments. Furthermore, I - Matt Curtin -
have authored numerous articles and reports that discuss these issues. No
one knows better than we how differences between policy and possibility
become real vulnerabilities.
In other words, the gist of Interhack's report is that Coremetrics is using
a technology that someone else might misuse. They might also have noted that
the more worrying misuses would require cooperation from the individual
websites from which the data were collected, but didn't. One technical
caveat belongs here: simply correlating one visitor's hits across sites does
not need the sites' cooperation, because a cookie set by the collector's own
domain is returned by the browser with every beacon request, whichever site
embedded the tag. What the sites' cooperation would add is the ability to tie
that cross-site record to a name, account or order data that only the sites
hold.
Market Impact
Luckily Coremetrics is not a publicly traded company. The brouhaha with
DoubleClick some months ago showed that investors have even less understanding
of these issues than does the average surfer.
What's the story? Yes, it is possible for websites to collect information
with bad intent. Not even Interhack claims any reason to assume that
Coremetrics is one of them. The best that Interhack could claim is that it
caught four of Coremetrics' customers in a technical foul because they did
not reveal that data they collected was being sent to Coremetrics. We agree
that they might as well update their Privacy Statements to reveal this, but
don't ourselves consider it a foul. To the extent that we'd be worried about
nefarious data gathering, we'd look to ASP providers of billing and ERP
services, where the possibility of putting together much more detailed
information about people is rivaled only by the Government's - but that's
another conspiracy theory.
Tara Calishain, publisher of the e-zine Research Buzz, recently observed
that Yahoo uses a similar technology in HTML e-mails to determine whether
they were opened: the message carries a reference to a tiny image on Yahoo's
servers, and the request that fetches it when the message is rendered
reports the open. She also noted that Yahoo's recent purchase of eGroups - a
web-based e-mail and community service - creates the possibility of
interesting misuses of the technology. If something good comes out of
Interhack's attack on Coremetrics, it would be that Yahoo reveals its use of
these web bugs before it is assaulted by Interhack.
Interhack of course has a valid point that some technologies can be misused.
Indeed, we can be sure that they will be misused. Sadly, we think that, like
the little boy who cried wolf, Interhack has made it less rather than more
likely that a real privacy violation, whether suspected or discovered, will
be addressed.
User Recommendations
The message from any of these privacy flaps is the same. Have a clear
statement of your policies and procedures; say what kind of data you
collect, what you do with it, and which third parties (such as a tracking
ASP) receive it; make it easy for the unsophisticated user to opt out; and
only partner with companies that have equally scrupulous policies and
behaviors.