TRUSTe Learns a Privacy Lesson the Hard Way
- — 28 August, 2000 15:21
"I appreciate the irony," said Dave Steer, a TRUSTe spokesman, calling the incident an example of the complexity of high-tech privacy issues. "As ironic as this is for us, it happens to other sites. Most privacy incidents are accidents and aren't willfully intended. As soon as we found out about it, it was off of our site in a half an hour."
TRUSTe site administrators had wanted to know which pages received the most visitors, according to Steer. "We're a nonprofit [organisation], and we didn't have the resources to engineer a solution in-house," he said.
TheCounter.com's software gives Web masters a weekly tally of the number of hits a page gets, along with the type of browsers used and the percentage of which are Java-enabled. "We had actually considered using other services and didn't like them," Steer said. "From what we understood, the only thing that was being sent was personally unidentifiable IP [Internet Protocol] addresses."
In order to get that information, a GIF (graphics interchange format) file appears on the page which must be downloaded from TheCounter.com's servers. When a visitor's browser requests the image, it also sends the server the desired information, along with the IP address of the computer requested. Counter images routinely appear at the bottom of pages -- little boxes, sometimes with the current hit count on them.
However, in TRUSTe's case, the organisation chose to use a GIF file as small as possible, one pixel by one pixel, said Internet.com Chief Technology Officer Mark Burnes. In effect, TRUSTe chose to install a "Web bug" version on its Web page -- an invisible image used to track site hits that also holds a malevolent potential for tracking and profiling Web surfers without their permission, without their knowledge and without using a cookie.
Steer denied that GIF file was intentionally made invisible.
A Web bug, or any image uploaded from a server other than the one producing a site's Web page, opens the door for a tracking trick called the "Meantime exploit," said Matt Curtin, president of security group Interhack. A Meantime tracker notes the exact time a Web bug is downloaded, effectively tagging the page it's on. When a visitor returns to a site and refreshes the page, the tracker learns the last time the Web bug was refreshed and thus, the last time that particular browser had been there, according to Curtin.
When combined with cookies, knowledge of IP addresses or personal information gathered elsewhere, Web bugs can secretly track users all over the Internet, and can even be planted in bulk e-mail to let spammers learn who reads their messages. Web bugs can defeat users who simply turn off cookies on their browsers.
Internet.com officials said repeatedly that they don't track surfers. "We don't have a database with clients' data. We don't charge anyone to use the counter. We don't have any business selling data here," said Alan Meckler, chairman and chief executive officer of Internet.com. Data collected by TheCounter.com is held just long enough to compile the tracking report, then sent by e-mail to the participating site, he added.
That's not the issue for Interhack's Curtin, who said after talking to Internet.com officials that he believes no tracking took place, despite finding that TheCounter.com software code could potentially use time-date tracking. "I have no reason not to believe them," he said.
But Internet.com could track surfers if it wanted, Curtin added, and that's his problem with TRUSTe's security. There's no way TRUSTe could know Internet.com isn't tracking surfers short of dissecting TheCounter.com's servers. TheCounter.com is capable of compiling a profile of a user by comparing Web bugs potentially placed on any of the 900,000 Web sites operated by the tracking company's clients, Curtin added.
Security professionals make evaluations based on capabilities and potential, not intent, Curtin explained. "For Web designers, if an application does what it's supposed to do, great, and if it does more, then it's an added victory," he said. "For security guys, if it does no more than what it's supposed to do, that's a victory, and anything more it can do is a loss."
Conceding the possibility that the tracking service "may be engaging in other techniques to track Web site visitors and that the possibility exists that Internet.com may be gathering Web site visitors' personally identifiable information," TRUSTe removed the tracking software from its site, TRUSTe said in a statement posted on its site. TRUSTe chose the service "solely on the belief that Internet.com was not collecting any personally identifiable information on visitors to the TRUSTe Web site," the statement said.
"I want to emphasise that, at this point, there is no verifiable evidence that any personally identifiable information was gathered by Internet.com. But, as we advise other Web sites, the best practice in a case like this is to immediately eliminate the possibility that any information is being improperly transferred," said Bob Lewin, CEO and executive director of TRUSTe, in the statement.
"I wouldn't be surprised if they just installed the software and weren't planning any dastardly activities and didn't know the implications of running this software," said Internet privacy advocate Ray Everett-Church. "I would much rather believe that it was just a dumb mistake," he added.
Pulling the software immediately, and informing visitors of the potential breach are the first two steps a Web site operator should perform if a problem is discovered, said TRUSTe's Steer. Evaluating the privacy problem and determining the next course of action as TRUSTe is doing is the last step, he added.