FTC: Consumer Privacy Comments Concerning NSClean Privacy Software--P954807
Consumer Privacy - Comment, Project No. P954807
NSClean Privacy Software
On behalf of NSClean Privacy Software, I thank the Commission for the opportunity to comment on consumer privacy issues and the Global Information Infrastructure. Our privately held company manufactures software which gives consumers a significant and easy-to-use means of controlling the information that browsers place on their machines, information which can put their privacy at risk.
While I will touch on many of these concerns from the standpoint of the consumer and attempt to correct some misimpressions as to the severity of certain items, my discussion here deals primarily with the technical issues behind these concerns and, to a lesser degree, with the mechanisms by which our products provide a technological means to address them.
"Cookies," a small single database or group of files created by most browsers, have come under a great deal of scrutiny in the trade and technical media as well as the public media, and have generated concern far beyond that which is warranted in most cases. Cookies are largely innocuous in general usage and are actually beneficial to the end user so long as they are not associated with external information. It is only when cookies are matched up with other data that they become a genuine privacy concern, as most cookies, owing to their remarkably unsophisticated design, can only identify a particular machine and not an individual.
Cookies are used by commercial shopping sites to store items selected for purchase, relieving the user of the need to re-enter the order information manually as they navigate through a number of pages. This function is commonly referred to in internet commerce as a "shopping basket." Other beneficial uses of cookies are customizing the appearance of a particular site and storing user preferences or passwords for limited-access sites such as the New York Times newspaper, for the convenience of the end user. The popular Yahoo site, for example, allows its users to preset a selection of particular stock market symbols they wish to follow or to customize the information delivered to them when they visit.
Software exists that blocks these cookies, but such designs often interfere with the legitimate uses of cookies as well as with the proper operation of many legitimate sites. Some sites will not function at all unless cookies are allowed, as they use them to permit users to move among the various pages on the site. The vast majority of "cookie" software simply blocks all cookies, including the beneficial ones. Software that permits editing or deletion after the fact is a better solution, as the real danger is when cookies become persistent, remaining on the hard disk as a tracking tool for years after they have been placed.
Many of the later versions of browsers permit the user to enable a warning when a cookie has been received from a site. Some of these warnings also permit the user to selectively reject each received cookie; however, some sites dispatch so many cookies that users become frustrated and will often turn these warnings off after a time.
Many individual sites may pass one or two cookies to the user for whatever purpose, but one particular program, the Apache HTTP server, can when misconfigured send dozens of cookies with each delivered page. These Apache "cookies" are not persistent cookies (ones that remain behind on a client machine after a session with a particular site), since persistent cookies carry an expiration date and the Apache cookies which so frustrate the public do not.
An examination of the cookies database on a user's hard disk will therefore not turn up any of these apparent cookies, as they do not follow the format of a stored cookie. The sheer number of these ersatz cookies is what causes users to turn off cookie notification in their browsers, as the Apache HTTP server is quite widely used. Apache has fixed this problem in later versions of its server product, but it is still possible for a system administrator to accidentally misconfigure a server, resulting in this "barrage."
As stated above, there are many legitimate and useful purposes for cookies. There are also genuine concerns about cookies involving "rogue" sites as well as certain providers of banner advertising on web pages. Most of our evidence here is anecdotal, based upon comments from our customers in personal email to us. There is a widespread perception that companies such as Doubleclick, focalink and myriad others are watching people as they move from one web site to another among those which carry their advertising banners. People are concerned they are being profiled for their patterns of usage.
In ads placed on the home pages of the above mentioned sites in the past, they proclaimed to prospective advertising clients that they did indeed "profile" their clickthroughs by recording the user's IP (internet protocol) address and other collected data in order to deliver "highly specific targeted advertising" based upon the user's preferences, likes and desires. Since a small number of internet providers also pass along the user's real name and/or email address with the link to these sites, it is technically possible for them to correlate the cookies with the log entries on their server containing the user's identity, and thus it would appear that this concern could be valid.
These claims are no longer made on their sites and have since been replaced with explanations to the public that they don't really do such things. Those among us who have been following this for a long time remember the original claims. In fact we provided a link directly to those pages for a very long time to educate our customers on the claims made by the banner advertisers.
Only these providers can satisfactorily answer what information they gather, whether or not they reference the serial numbers they provide in their cookies, and whether or not these cookies are used as keys to index detailed databases on consumers compiled from other information exchanged for commercial purposes. I note the absence of comment by any of the above banner advertisers.
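The correlation described above can be shown with an added example (my illustration, not code from any of the companies named) that runs over a constructed ad-server access log: Common Log Format with the Referer and Cookie request headers appended, a layout Apache can produce with %{Referer}i and %{Cookie}i in a CustomLog line. Every host, address and cookie id in it is invented. Keyed on a single tracker cookie, hits that one browser made from unrelated sites fall into one profile of the pages the person visited, which is the join a provider would need before matching any identity recorded in the log to that profile.

```python
"""Cross-site profiling from an ad server's access log, keyed on a cookie id (added example)."""
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: Common Log Format with the Referer and Cookie request
# headers appended (Apache's CustomLog can emit these with %{Referer}i and
# %{Cookie}i). Every host, address and id below is invented for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/1997:13:01:02 -0400] "GET /banner.gif HTTP/1.0" 200 1230 "http://shop.example/tents" "uid=7f3a"
10.0.0.5 - - [10/Jun/1997:13:05:44 -0400] "GET /banner.gif HTTP/1.0" 200 1230 "http://news.example/health/allergy" "uid=7f3a; lang=en"
10.0.0.9 - - [10/Jun/1997:13:06:10 -0400] "GET /banner.gif HTTP/1.0" 200 1230 "http://news.example/sports" "uid=c001"
10.0.0.5 - - [10/Jun/1997:13:09:31 -0400] "GET /banner.gif HTTP/1.0" 200 1230 "http://jobs.example/search?q=resume" "uid=7f3a"
10.0.0.9 - - [10/Jun/1997:13:10:00 -0400] "GET /banner.gif HTTP/1.0" 200 1230 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_log(text: str) -> list:
    """Parse the sample layout; lines that do not match are skipped rather than guessed at."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Pull one cookie out of a Cookie request header of the form 'a=1; b=2'."""
    for part in cookie_header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name and value:
            return value
    return None


def build_profiles(entries: list, id_cookie: str = "uid") -> dict:
    """Group the referring pages (the sites the person actually visited) under
    the id carried by the third-party cookie. Hits with no id or no referer
    cannot be attributed to anyone and are dropped."""
    profiles = defaultdict(list)
    for e in entries:
        uid = cookie_value(e["cookie"], id_cookie)
        if uid is None or e["referer"] in ("", "-"):
            continue
        profiles[uid].append(e["referer"])
    return dict(profiles)


def sites_visited(profile: list) -> list:
    """Distinct first-party hosts in a profile, in first-seen order."""
    seen = []
    for url in profile:
        host = urlsplit(url).hostname or ""
        if host and host not in seen:
            seen.append(host)
    return seen


if __name__ == "__main__":
    for uid, pages in build_profiles(parse_log(SAMPLE_LOG)).items():
        print(uid, sites_visited(pages), pages)
```

Note that nothing in the log names the person; the browser's own address and the pages it came from are enough to tie a shopping site, a health page and a job search together under one id, and the profile only needs one identifying log entry to be attached to a name.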
The newest version of Netscape's Communicator browser provided for the first time the ability to reject "third party" cookies. These are cookies sent not by the site the user has linked to, but by another, unidentified site that serves up banners and cookies for its own purposes. Since the cookie giver's address is different, it was possible to reject those cookies in Communicator without adversely impacting the desired site. As soon as Communicator provided that capability, the cookie givers began serving up their cookies under an address combining the first-party site's address with their own domain, and thus defeated this wonderful idea Netscape had. Clearly there is a strong desire on some banner advertisers' part to get those cookies through no matter what, and this too has raised great suspicion among the public.
NSClean Privacy Software provides products which permit the end user to turn off the cookie warnings, accept cookies while online, and subsequently use our software to remove them from the hard disk. Owing to the need to keep legitimate cookies for the convenience of users of legitimate sites, our product line, beginning with NSClean32 version 4.10 (soon to be extended to all of our products), now permits users complete control over cookies. Version 4.10 and future versions permit the user to select which cookies they find useful and wish to keep, and to remove all other cookies at their option. Prior to these new versions, our NSClean and IEClean software removed all cookies after the user had completed their travels.
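To make the selective approach concrete, here is an added example (my illustration, not NSClean's own code) that cleans a cookies file in the Netscape cookies.txt layout: seven tab-separated fields of domain, include-subdomains flag, path, secure flag, expiry in Unix seconds, name and value. The sample file, the hostnames in it and the keep-list policy are constructed for the example. It also includes the domain-only first-party test of the kind a browser applies, and the sample contains a tracker cookie set under the first-party site's own domain (one reading of the trick described above) to show that such a cookie passes both the browser's test and a domain keep list, so the user has to judge it by its name and path rather than by its domain.

```python
"""Selective clean-up of a Netscape-format cookies.txt (added example)."""
from dataclasses import dataclass

# Constructed sample in the cookies.txt layout. Not a real browser's file;
# the hostnames are invented. Fields: domain, include-subdomains flag, path,
# secure flag, expiry (Unix seconds, 0 = session cookie), name, value.
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    ".shop.example\tTRUE\t/\tFALSE\t2000000000\tbasket\titem42\n"   # shopping basket, wanted
    ".adnet.example\tTRUE\t/\tFALSE\t2000000000\tuid\t7f3a\n"       # persistent ad-network id
    ".adnet.example\tTRUE\t/\tFALSE\t900000000\tuid_old\t11\n"      # already expired
    ".shop.example\tTRUE\t/ads\tFALSE\t2000000000\ttrack\tq9\n"     # tracker under 1st-party domain
)


@dataclass
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int
    name: str
    value: str


def parse_cookies_txt(text: str) -> list:
    """Parse cookies.txt; comment, blank and malformed lines are skipped, not guessed at."""
    cookies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, subs, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain.lower(), subs.upper() == "TRUE", path,
                              secure.upper() == "TRUE", int(expires), name, value))
    return cookies


def to_cookies_txt(cookies: list) -> str:
    """Serialise back to the same layout so the cleaned file can replace the original."""
    lines = ["# Netscape HTTP Cookie File"]
    for c in cookies:
        lines.append("\t".join([c.domain, "TRUE" if c.include_subdomains else "FALSE", c.path,
                                "TRUE" if c.secure else "FALSE", str(c.expires), c.name, c.value]))
    return "\n".join(lines) + "\n"


def _under(host: str, domain: str) -> bool:
    d = domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)


def looks_first_party(cookie_domain: str, visited_host: str) -> bool:
    """Domain-only rule of the kind an early browser used: the cookie counts as
    first party when its domain covers the host the user deliberately visited."""
    return _under(visited_host.lower(), cookie_domain)


def clean(cookies: list, keep_domains: list, now: int) -> list:
    """Keep cookies whose domain is on the user's keep list and still valid; drop all others
    (the policy is this example's assumption, not NSClean's documented rule)."""
    kept = []
    for c in cookies:
        if c.expires and c.expires <= now:
            continue  # already expired: nothing worth keeping
        if any(_under(c.domain.lstrip("."), k) for k in keep_domains):
            kept.append(c)
    return kept


if __name__ == "__main__":
    survivors = clean(parse_cookies_txt(SAMPLE_COOKIES_TXT), ["shop.example"], now=1_500_000_000)
    print(to_cookies_txt(survivors))
```

The ad network's own persistent id and the expired cookie are removed, while the "track" cookie survives because it carries the shop's domain. That is exactly why a domain rule, whether the browser's third-party test or a keep list, cannot be the user's only control.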
Voluntary surrender of privacy
Users often compromise their privacy in ways they may not realize. In order to send or receive email, or to post to or read usenet newsgroups, a user must enter their real name, email address and their choice of additional information into their browser simply in order to connect to and use these services. By doing so, they make their real name, email address and other information available to web sites and ftp sites simply by requesting data.
When a user chooses to submit a form to a remote web site, the form is usually posted as an email message, or it is provided as a CGI (Common Gateway Interface) submission to a database front end at the web site along with the request for data. These requests commonly consist of searches of a database or other submissions a site requires before the user can continue. The email address of the user is usually sent along with the request. The browser puts up some warning that they are about to submit data, but the desire to receive the data compels them to click "OK" regardless of the warning. The user's email address is sent and, at the other end, is at least stored in the system's logs if not entered into a database, without any warning at all.
If a user decides to download a file from a site, it is sent to them by ftp (file transfer protocol). As a normal part of accessing files by ftp, it is customary to log in to the ftp site with the username "anonymous", and a password is also required. On anonymous logins it is customary to send the user's email address as the password. Browsers do this automatically, again without warning. This too is an opportunity for an unsuspecting user to provide a disreputable site with information that could later be used to send them unsolicited commercial email or even to steal their identity for nefarious purposes.
When posting to usenet newsgroups, the user's email address is placed in the headers of the messages. Generators of Unsolicited Commercial Email ("spammers") run harvesting software that collects these addresses from newsgroups en masse and sells them to unscrupulous parties; this is far and away the largest source of junk email. Again, the user has voluntarily surrendered their identity while merely attempting to exercise their right to free speech in a public forum. If users find themselves on a junk email list, they are often enticed into responding by requesting that their name be removed. In reality, very few senders will remove a name upon request. Instead, the "remove" request acts as verification that this is a "good" address, which increases its value on a mailing list as "verified."
In addition, sites like Dejanews archive all postings from usenet. By entering the email address of an active usenet user into the Dejanews server, anyone can rapidly obtain a listing of all newsgroups that person has participated in and, from that listing, gather an unofficial "psychological profile" of their interests and passions. While Dejanews exists to allow people to search for interesting topics and read the comments placed there, this ability to profile strangers is ripe for concern, since the postings usually carry the genuine name and email address of usenet users, readily available from the web without even having access to usenet newsgroups.
Another privacy risk is the new "push" technology sites, which provide a closed environment for the tracking of personal interests. Among the oldest and most noteworthy is a service called PointCast, which delivers a stream of news and advertising to desktops. PointCast monitors the items you wish to see, gathers up your selections of topics you are interested in, and delivers advertising customized to those interests. Just like web browsers, it also stores a huge amount of data on your hard disk and watches you while you watch it. Fortunately PointCast is a reputable company which is unlikely to represent a serious hazard, but it is gathering data and relaying it forward just as so many web sites do. PointCast users I know personally have told PointCast they did not want junk email from its advertisers yet received it anyway. A product to clean up PointCast installations is in development.
In each of the above situations, a person is only able to protect their privacy by providing a false identification or by modifying their name in some way to render it useless to those who gather these names for various purposes. NSClean Privacy Software products permit a user to optionally switch between their real name and an alias of their choosing, allowing them to post anonymously to usenet newsgroups, thus foiling "spammers", and to present the alias when submitting forms to a site in order to continue or when downloading a file. They can use their real identity when they wish to receive responses or when sending email, if they so choose, which places the decision to disclose personal data squarely in their own hands.
Snooping on a person's machine - sensitive files
Web browsers compile a number of files which are saved to the user's hard disk in the course of normal operation. These files include, but are not limited to, a history database which maintains a list of all sites visited, what pages were viewed, which pictures were seen, and other data on the contents of every site visited. There is also a cache directory which contains copies of the actual files seen on web sites, the actual pictures seen, and another database index of those sites. By rummaging through the cache files, the sites a user has seen can be completely reconstructed at a later time.
The cookies collected are also maintained by browsers, as are details of newsgroup activity, including the message numbers read, the names of each newsgroup visited and, in later versions of the browsers, the actual messages read. Even the user's most personal and private email messages are stored in these databases on their machine. While much of this data is useful while navigating the web, much of it is useless once the user has ended their online visits. The vast majority of cached data cannot be used even while online, since moving backward and forward breaks the links that would allow this data to be used as intended, which is to cut down on the reload time of pages already seen. Most of it is therefore unusable.
The information persists, however, and any person with a modicum of knowledge of how to look through the contents of a machine can browse these files and determine precisely what a person did on the net. Multiple sessions are kept there, and thus a pattern of a user's interests and activities can be gathered by examining these files on the user's machine. Employers, family members, children and others who have physical access to the machine can discover highly personal information that the user may never have intended to be discovered and most likely was never aware of. There have been repeated reports of people who were terminated by their employer or faced divorce or prosecution for their activities on the net as a result of this data stored on their own hard disk.
Since the history and cache databases also store listings of files accessed on private corporate intranets, if these files are pulled by an outside site they can reveal the structure and locations of sensitive internal files, and thus this becomes a potential security issue that can help crackers locate data they would otherwise never know existed on a corporate or governmental LAN. Another issue is public access internet machines provided by libraries and schools.
Assume that an adult has just left a machine after exercising their right as an adult to visit "naughty" sites. If a child were the next user of the machine, all of the locations the previous user visited would be readily available for that child to click on and travel to without having to know the site addresses to type in manually. The descriptive names of the sites alone could evoke the exploratory curiosity that tends to help youngsters find "trouble."
Now we are all aware that this data can actually be snatched right out of a user's machine by a rogue site. Netscape has made great efforts to fix security issues quickly, while Microsoft has most of the time merely band-aided the problems with warning signage rather than curing the core faults in its code. Since Microsoft gives away its product for free instead of at a fair market price, it is anticipated that its product will eventually be the primary browser for most people.
When you type an internet address into the window of your browser, each manually typed entry is stored in a "URL window" database which allows you to review sites you've visited. Anyone with access to your machine can also view this listing and see what you've been doing. The inspiration for us to write our software in the first place came from personal friends whose employers had popped down the window and questioned them about the sites they visited at work. The remainder of the issues we handle came later.
Our NSClean and IEClean software allows the end user to optionally remove any or all of this potentially sensitive data with a simple click of a button. The software lets them remove their newsgroup activities, newsgroup databases, cache files, history databases, cookies, email messages, URL window data, bookmarks and all other sensitive data kept by their browser, and gives them the ability to use an "alias" while online as they desire. Ours is the only comprehensive package we are aware of that provides such extensive privacy controls for users. It was designed to be easy to use for those who need it the most: those who are not experienced enough to manually edit their hard disk contents and the delicate Windows registry database where a great deal of the sensitive information is maintained. One slip-up in the registry can render the computer completely broken, and thus even experts avoid touching the registry unless absolutely necessary.
Risks of broadband technologies and Microsoft 32-bit Windows
Recently the relatively secure internet access by dialup modem has given way to high speed broadband technologies such as cable modems, local area networks and xDSL. While these new high speed technologies offer great promise, they are fraught with risks to privacy as well for users of Microsoft Windows95 and WindowsNT. These high speed technologies exceed the capabilities of the relatively secure serial ports previously used in telecommunications.
Thus, in order to access these new services, providers must install ethernet cards in customer machines to deliver the promised high speed internet access. Ethernet cards are a mature technology primarily used in local area networks where all machines on the LAN are under common ownership and control. The IEEE 802.3 and derivative protocols used with ethernet cards are promiscuous in nature, that is, all connections are "trusted." Under normal circumstances, the ability of one computer to see the contents of another computer on the local network was a desirable thing.
Microsoft made use of ethernet cards to allow users of Windows95 and WindowsNT to set up private networks of two or more machines to enable the convenience of "file and printer sharing" using the NETBEUI/LANMAN protocols. This capability dates back to Windows for Workgroups version 3.11 and has been most helpful in enabling the sharing of resources among multiple computers to reduce the cost of ownership.
The problem from a privacy standpoint with this arrangement is that when a consumer connects a Windows95 or WindowsNT computer on which "file and printer sharing" is enabled through an ethernet card to an external service provider such as their cable or telephone company, their computer becomes available to everyone else on the service. By simply knowing the name of the machine as presented to the ethernet (the default name for all computers is "My Computer" unless changed from the default), strangers can access or change any or all of the files on the victim's computer without the victim's knowledge. This issue was reported recently on the ZDNet news service, without much coverage in the conventional media.
We have addressed this issue as well with a product called "ShareClean", which permits a user to turn the file sharing portions of Windows95 on or off as required to assure that outsiders cannot access their machine. WindowsNT users will find it somewhat easier to enable or disable these features, and we anticipate an NT version of ShareClean in the next few weeks. NSClean Privacy Software strongly supports these emerging high speed technologies and is providing this product at a reduced cost, with special bundling arrangements for those in need of this protection. The problem is not limited to cable modems as described in the article; it applies to any situation where an ethernet card is used to connect to the internet with "file and print sharing" enabled in 32-bit Windows products, including corporate networks. A rogue user on a company network could very well determine what the upper echelon of the company is doing on their machines by exploiting this security hole inherent in Microsoft products.
While there is probably a political desire to regulate the internet based on so many horror stories and likely many more to come, the real issue is privacy violations which are already sanctioned under existing law. It is my own personal opinion that existing telemarketing and consumer fraud regulations can readily be extended to include the internet without raising the ire of internet users who justifiably fear government intrusion into the modern equivalent of the printing press. Privacy is clearly the greatest single concern to internet users and those who willfully violate that privacy should be held accountable under existing regulations already in place for other telecommunications entities. Fraud is fraud no matter where it is perpetrated.
Users need to have the right to actually have their name removed from all lists and a central clearing house similar to the Direct Mail Marketing Association in the paper based junk mail world needs to be strongly encouraged. Severe sanctions should be made available to users in the event that this removal request is not honored under the same guidelines as telemarketing calls and junk faxes. This should be easy to satisfy by amendment to existing law without the need to create new law specific to the internet.
People should have the right to be "unlisted" as far as UCE is concerned and the burden of paying for this should be placed squarely on those who generate UCE. Junk emailers already have the advantage of a significant cost benefit in sending bulk junk mail on the internet and such costs would serve to level the playing field and perhaps if it were high enough would help the USPS keep postage rates under control. Providers should also be granted the right to collect from spammers for use of their facilities for junk email as the burden is unfairly placed on the providers and recipients for the technical facilities to handle this ever expanding deluge of unwanted email now.
So long as these issues remain unresolved, laws which prohibit or restrict the use of alias names on the internet should not be permitted to stand. In particular the Georgia statute which made it a crime to use an anonymous name on the internet stands as a manifest example of failure to address the greater issue. So long as real identities are placed in jeopardy by "spam harvesters," the public should retain the right not to provide these people with the means to deliver an onslaught of junk email. We would all like to observe proper internet etiquette by not hiding behind an alias, but it is not a good idea when using your real identity only results in not being able to receive desired email because your mailbox is stuffed with junk.
A means of backcharging spammers for unsolicited email is being discussed among experts as a possible self-regulating approach where the user is at least entitled to some compensation for having to pay to receive junk email. After all, mass mailers using the postal system have to pay for each piece of junk mail they send and such would be reasonable on the internet. Proper exemptions should be provided for junk email which is sent to those who requested placement on lists to receive such messages so that desired email is not affected by the bad actors.
The dangers of browser/operating system integration
Both Netscape and Microsoft insist that they will only allow such deep penetration of a person's system to those who provide a "signed" document which will identify the perpetrator after the damage is done. This is woefully inadequate, as such documents can be readily forged. The user is merely handed a familiar box warning them that they are accepting an applet that could be dangerous. Many users disregard all such warnings, as they are delivered all too frequently, and most people do not read them before hitting the "OK" button to proceed.
It is my own personal opinion and NOT that of NSClean Privacy Software that Microsoft in particular should not be in both the operating system and application software business as the potential risks of such tight integration between the operating system and their browser represents a substantial threat to the public's privacy. There should be a solid wall between applications and the operating system and tight integration makes it highly probable that unauthorized activity can readily occur without effective warning as to the scope of the security breach to the end user.
In the computer security trade, firewalls are what protect large scale computer facilities. Similar firewalls to protect users against outsiders rummaging through their systems need to be provided for all users of the internet. Integration of browsers and operating systems clearly defeats this public interest. Even the most secure facilities of government agencies are now at risk as the integrated browser and operating system now allows the best firewalls to be completely compromised and bypassed by any external site at whim.
In order to prevent this integrated browser environment from causing a severe security threat to all corporate and governmental entities, the system administrator would be forced to block all http daemon access and with that, all internet access would have to be eliminated in order to secure their systems. This has risen to the status of a National Security risk and should be carefully considered and evaluated strenuously in my opinion as the implications are significant and disturbing.
Thank you once again for this opportunity to express my concerns. Once again, the opinions which I have expressed do not reflect those of NSClean Privacy Software.
- Kevin McAleavey, author of NSClean and IEClean privacy software -