lynx-dev lynx: something about cookies we should know about (long)

[David Combs]

I signed up for this mailing-list by Phil Agre.  Pretty darned
good.  The guy seems very bright; his stuff always interesting
and worth reading.  Don't know how he has the time to do all this 
stuff (unlike with this one that he got from elsewhere, 
he himself writes most of them).

Anyway, this one is certainly apropos Lynx-dev, re cookies, java-script,
some kind of 'one-pixel web-"bug"' being a security hole or
something -- surely you'll understand it better than I do.

Anyway, here it is.  Sorry for the length, but it ALL
seems relevant to our group -- maybe VERY relevant.

David

PS: the java-script stuff comes at the very end.


> From address@hidden Sat May 27 13:03:28 2000
> From: Phil Agre <address@hidden>
> To: "Red Rock Eater News Service" <address@hidden>
> Subject: [RRE]it just gets worse and worse
> Sender: <address@hidden>
> List-Software: LetterRip Pro 3.0.7 by Fog City Software, Inc.
> List-Subscribe: <mailto:address@hidden>
> List-Unsubscribe: <mailto:address@hidden>
> Lines: 211

[Both messages have been heavily reformatted.]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE).
You are welcome to send the message along to others but please do not use
the "redirect" option.  For information about RRE, including instructions
for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: Fri, 26 May 2000 13:23:25 -0700 (PDT)
From: PRIVACY Forum <address@hidden>

PRIVACY Forum Digest      Friday, 26 May 2000      Volume 09 : Issue 16

                (http://www.vortex.com/privacy/priv.09.16)

            Moderated by Lauren Weinstein (address@hidden)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

----------------------------------------------------------------------

Date:    Fri, 26 May 2000 12:15 PDT
From:    address@hidden (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Cogit.com: Making DoubleClick Look Good?

Greetings.  No matter how far you dig into a cesspool, it's not always
easy to tell when you've reached bottom.  In the case of Internet
technologies that many persons consider invasive, we may be dealing
with a bottomless pit of slime, a veritable cornucopia of crassness
that is breathtaking to behold.

When DoubleClick, Inc. announced plans to link user Web activities
with outside commercial data sources, there was an immediate outcry,
and DoubleClick backed down--for now.  But as many had feared would be
the case, other firms have been plowing ahead into the vast, largely
unregulated frontier of Big Brother, Inc.

One of the newer players is Cogit.com (http://www.cogit.com), a recent
spinoff from Cogit Corporation.  They offer (and have implemented
for various customers) an array of Web user tracking and outside
data personalization "linkage" services.  Their two main products
are called "RealProfile" and "RealTarget" (please note that neither
of these have any relationship to RealNetworks, Inc.  These names
are starting to get Real confusing...)

According to the product and technology description proudly displayed
at Cogit's Web site (http://www.cogit.com/services.htm):

    "RealTarget uses offline behavior indicators such as high-tech
     preferences, automotive history, publications subscribed, and
     mail-order purchases, and relates them to consumer behavior on
     your site to make accurate predictions.  Proven by Fortune 100
     companies for direct marketing success, RealTarget's Master
     Models deliver highly improved results on the web."

and:

    "RealProfile is a web-based consumer analysis service that helps
     emarketers understand who visits their web site and who drives
     site revenues. Enabled by an exclusive, long-term agreement with
     The Polk Company, RealProfile draws from offline demographic and
     lifestyle characteristics on 110 million US households to create
     in-depth anonymous profiles of your online visitors."

They describe the underlying technology, which involves the usual cast
of nefarious characters, including cookies, invisible one-pixel Web
"bugs"--and other goodies, at http://www.cogit.com/technology.htm and
related pages.  Their Web site really does make for some fascinating
reading, in the Orwellian sense, that is.  They also identify some of
their current Web site customers.

Cogit *of course* explains that all of this is not intrusive, since
they say that they remove the personally-identifiable information
from the consumer profiles, and then link the data anonymously.  More
on what this really seems to mean in a moment.  Deja vu all over again
-- the usual, "We consider it anonymous, so you shouldn't care if we
track your every move" sort of argument.  One starts to suspect that
most of the folks coming up with these various ideas must all be
attending the same "Invasive E-Marketing For Fun and Profit" seminars.
(A thought experiment--who would you choose to keynote such an event?)

So here's what appears to be happening.  Cogit apparently purchases
masses of information about your purchasing habits, magazine
subscriptions, and all sorts of other nifty data regarding your
behavior.  This is data that many firms consider to be their
treasure-trove to exploit as they see fit.  Once Cogit has managed
to pick up your identity from a customer site (e.g., presumably from
an online registration or online purchase), they then can link your
activities on those sites to the external data sources.  Once this
linkage is made, the name/address/etc. information is apparently
deleted.

Then, using cookies and Web bugs (the latter of which are almost
impossible to disable in any normal sense for most Web users) your
movements can be tracked through the related sites, controlling the
content displayed based on the perceived view of what you're all
about.  To quote from Cogit's privacy policy
(http://www.cogit.com/policy.htm):

    "Cogit.com's service matches personally identifiable consumer
     information (i.e., name, address, telephone number, etc.)
     supplied by its clients to a file of individual household
     information that Cogit.com licenses from the Polk Company.
     Immediately upon completion of this matching process and internal
     quality assurance, all personally identifiable information is
     irreversibly discarded to create anonymous user profiles devoid
     of any personally identifiable information."

Cogit doesn't ask you ahead of time whether you wish to participate in
their data matching extravaganza.  They do offer you a way to opt-out
however, as described at http://www.cogit.com/opt_info.htm.  They're
using the same technique as DoubleClick--you must accept a cookie to
stay out of the maws of the Cogit system.  This presents the usual
problems.  First, you must have your cookies enabled to avail yourself
of this opt-out--a privacy gotcha of the first order.  Secondly, most
people using various Cogit client Web sites are unlikely to ever even
learn about this procedure.

So, we end up back at square one once again.  Perhaps you feel
that the tracking, matching, analysis, and manipulation of your Web
browsing, based on the myriad everyday details of your life (reading
choices, purchasing habits, and much more) is a great idea!  If so,
you'll just love the Cogit.com system.  Browse away!

However, if you consider such activities to be an invasion of your
life and privacy, regardless of the extent to which Cogit's data is
"anonymized" in the process, then your options are far more limited.
You might want to express your opinion to Cogit client sites (to the
extent that you can identify them) and of course we can always hope
for a saner regulatory environment concerning the use and abuse of
your personal information.

Don't hold your breath.

--Lauren--
Lauren Weinstein
address@hidden or address@hidden
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy

------------------------------

End of PRIVACY Forum Digest 09.16
************************


Date: Sat, 27 May 2000 11:39:06 -0700 (PDT)
From: PRIVACY Forum <address@hidden>


                        PRIVACY Forum Bulletin
                        ----------------------
                                5/27/00

        
       Important warning regarding COGIT.COM "opt-out" procedures!

                    -----------------------------

Greetings.  I apologize for this message outside of the normal flow
of PRIVACY Forum Digests, but I felt that this was important enough
to warrant it.

In yesterday's Digest (http://www.vortex.com/privacy/priv.09.16) I
reported on "Cogit.com" and their system for taking information about
your routine purchasing habits, lifestyle, and other similar data,
then combining it to control and modify your Web browsing activities
at their client sites.

In that report, I referenced Cogit's page that (supposedly)
allowed you to "opt-out" by accepting a special opt-out Web cookie
(http://www.cogit.com/opt_info.htm).  It has now been discovered that
the operations on that page will only work if you have both cookies
*and* javascript enabled.  If you have disabled javascript due to
any number of reasonable security concerns, the pages will tell you
that an opt-out cookie has been set and that you will not be profiled.
Again, this is *not* the case unless you had javascript *and* cookies
enabled.  Then you would have to leave cookies enabled for the opt-out
to have any chance of being effective.  As I've pointed out in the
past, it is my recommendation that cookies be left disabled at all
times except when you're browsing specific sites that need them--and
they should be re-disabled immediately afterwards.

It is unfortunate that many persons, apparently assuming that Cogit's
display of TRUSTe certification on those pages actually meant that
the opt-out would always function, may be greatly surprised by the
reality.

It's bad enough that you need to opt-out of such marketing schemes
in the first place, instead of being able to choose opting-in if you
were interested.  It's dismal that both cookies and javascript are
required to exercise the opt-out.  It's abysmal that there are common
conditions under which you'll be told that you've opted-out when you
really haven't.  But frankly, this is all pretty much along the lines
of what we've come to expect in so many of these dismal situations.

I'll be adding a note to yesterday's archived Digest reflecting this
new information.  Again, sorry for the interruption.

--Lauren--
Lauren Weinstein
address@hidden or address@hidden
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy




; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden