
[RT] Net privacy, Alexa, more




Last week there was mention of Alexa and them getting caught with their hands
in the cookie jar, so to speak.  Doing some research, I came across the detail
which is pasted below.  There is much more that is of interest at this site
http://www.tiac.net/users/smiths/.  For example, check out the article on web
bugs...

---
JW

Privacy problems with the Alexa and zBubbles browser plugins

--------------------------------------------------------------------------------
http://www.tiac.net/users/smiths/privacy/alexa.htm



Richard M. Smith (smiths@xxxxxxxx)
December 28, 1999
Dear Jeff Bezos,

My name is Richard M. Smith and I am an Internet consultant from Brookline,
Massachusetts. This morning I downloaded the new zBubbles browser plugin from
Amazon.com. Using a packet sniffer which can monitor all network traffic between
my computer and the Internet, I discovered that the zBubbles plugin under
certain circumstances is sending off personal data to Web servers at Alexa
Internet. Alexa runs the zBubbles service for Amazon and is also a wholly owned
subsidiary of Amazon.

I believe that the transmission of this personal data is a breach of the
zBubbles License and Usage Agreement. In addition, the software may also violate
a number of Federal laws including the Computer Fraud and Abuse Act and the
Electronic Communications Privacy Act. The privacy leak in the zBubbles software
is extremely serious and I believe that this matter requires the immediate
attention of Amazon.com and Alexa Internet.

The privacy problems in the zBubbles plugin are present because it transmits the
full URL of the Web page someone is visiting including the query string. On
certain Web pages, query strings can contain personal data such as names,
addresses, phone numbers, and Email addresses. In addition, query strings can
also include information about what people are searching for, what products they
are buying, and travel reservations. Pretty clearly, no software package should
ever be transmitting this kind of personal information to another party without
the knowledge and consent of a user.

Here is one example of the problem. Over at AltaVista, there is a Web page
for looking up phone numbers in the Yellow Pages. One can restrict the lookup to
only locate businesses near one's home. AltaVista asks a user for their home
address to determine near-by businesses. This information is then stored in the
query string of an AltaVista URL. If the zBubbles plugin is active on this
AltaVista page, then Alexa and Amazon are sent a person's home address.

Here is what my packet sniffer saw being sent back to an Alexa server when I
visited the AltaVista page:


   GET /data?cli=10&dat=snbamz&url=live.av.com/scripts/search.dll
   %3Fep%3D7%26gca%3Daddress%26orderby%3Ddistance%26sstreet%3D
   172+mason+terr%26scity%3Dbrookline%26sstate%3DMA%26
   szip%3D02446%26scountry%3DUSA%26query%3Dfurniture%26qname
   %3D%26sic%3D%26ck%3D%26userid%3D161421220%26userpw%3D.
   %26uh%3D161421220%2C0%2C%26ccity%3Dbrookline%26cstate%3DMA
   HTTP/1.0
   Accept: */*
   Accept-Encoding: gzip, deflate
   User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
   Host: data.alexa.com
   Proxy-Connection: Keep-Alive crunch!
   Cookie: aid=FKbUlpTAUbKfM2

As you can see, my full home address (172 Mason Terr, Brookline, MA, 02446)
appears encoded in the URL.

I believe that the transmission of personal data by the zBubbles plugin is in
breach of the zBubbles Privacy Policy (http://zbubbles.amazon.com/privacy.html)
which is part of the zBubbles License and Usage Agreement
(http://zbubbles.amazon.com/terms.html).

In particular, this clause is where the breach
occurs:

    "In connection with your use of the Service,
    we collect web site usage data and traffic
    pattern data with respect to your activity
    both within and across web sites - all of
    which remains anonymous."

Pretty clearly people's home addresses are not anonymous.

Solving the problem in the zBubbles plugin software is straightforward. It
should remove all query strings from URLs before they are sent to Alexa servers.
This change is required in order for the zBubbles software to meet the standards
set by the privacy policy.

Given the seriousness of this privacy breach, I recommend that the zBubbles
software be pulled immediately from the Amazon.com Web site until the problem is
fixed. I also recommend that the data.alexa.com Web server be temporarily turned
off so there is no possibility of receiving personal data from current zBubbles
users.

As you are probably aware, the zBubbles technology is based on the Alexa
navigator plugin. This plugin has the same privacy problems as zBubbles. I've
attached a list of many different privacy leaks that my packet sniffer saw with
the Alexa plugin. As you can see, personal data such as my two Email addresses,
my home address, a plane reservation, and my sister's name and phone number
were sent off by the plugin to an Alexa Web server without my permission.

Yesterday, I was in touch with senior management at Alexa and they confirmed the
Alexa plugin will indeed send off personal data to Alexa Web servers if the data
is present in URLs. I am still in discussions with them to find out exactly what
happens to this data at the Alexa Web servers.

I think that the privacy problems in the Alexa plugin need to be fixed in the
same way as the zBubbles plugin. That is, the plugin should remove all query
strings from URLs before they are sent off to Alexa servers.

I hope to see Amazon.com and Alexa address the privacy problems in the zBubbles
and Alexa plugins as soon as possible. Over the past year, I have been looking
at privacy problems in other software packages including RealJukeBox, the
Windows 98 registration wizard, and Microsoft Word documents. The privacy
problems with the zBubbles and Alexa plugins are the worst by far of all of the
software packages that I have investigated.

If you or anyone else at Amazon would like to discuss this issue further, I can
be reached at (XXX) XXX-XXXX.

Sincerely,
Richard M. Smith


--------------------------------------------------------------------------------

Alexa is sent my full home address when I did
a Yellow Pages look-up at AltaVista:

GET /urlplus/=?live.av.com/scripts/search.dll?ep=7&gca=address&
orderby=distance&sstreet=172+mason+terr&scity=brookline&sstate=MA&
szip=02446&scountry=USA&query=furniture&qname=&sic=&ck=&
ccity=brookline&cstate=MA HTTP/1.0

--------------------------------------------------------------------------------

Alexa gets the name of my Hotmail Email account:

GET /urlplus/=?lw3fd.law3.hotmail.msn.com/cgi-bin/compose?WCID=hmletterIN&
disk=209.185.240.65_d573&login=avhunt&f=33792&curmbox=ACTIVE&_lang=&
msg=MSG945396515.110&src=k.law3.hotmail.com:/home/d1/surveys/
hmletterIN.991214:5965&type=f HTTP/1.0

--------------------------------------------------------------------------------

Alexa gets my real Email address here:

GET /urlplus/=?hotwired.lycos.com/email/signup/wirednews-ascii.html?
listname0=wn_ascii&output=success&email=smiths@xxxxxxxx HTTP/1.0

--------------------------------------------------------------------------------

Hey, what can I say.  We all know that nobody reads the articles! :-)

GET /urlplus/=?www.playboy.com/digital/pictorial/index.html HTTP/1.0

--------------------------------------------------------------------------------

Hmm, here is an interesting message on DejaNews about Alexa:

GET /urlplus/=?www.deja.com/%5BST_rn=ps%5D/qs.xp?ST=PS&svcclass=dnyr&
QRY=alexa+%26+privacy&defaultOp=AND&DBS=1&OP=dnquery.xp&LNG=ALL&
subjects=&groups=&authors=&fromdate=&todate=&showsort=score&maxhits=25
HTTP/1.0

GET /urlplus/=?www.deja.com/%5BST_rn=ps%5D/profile.xp?
author=dejaserd@xxxxxxxxxxx HTTP/1.0

--------------------------------------------------------------------------------

Alexa watches me purchase a plane ticket from Boston to Vegas:

GET
/urlplus/=?dps1.travelocity.com/airgrules.ctl?dep_arp_code=BOS&arr_arp_code=LAS&
dep_dt=20000106&fare_bss_cd=WSE0HOLN&aln_code=HP&eqp_name=&
flt_num=68&SEQ=946248145055738&last_pgd_page=airgprice.pgd HTTP/1.0
GET /urlplus/=?dps1.travelocity.com/retrcobrand.ctl?Service=YHOE&
smls=Y&y=hci_f70hb0f/o&data=c2h%2bY0pOTjcxNTM1NTU1MzFOMSFzaHdjSkYwN1Y3Q25G&S
EQ=25 HTTP/1.0
GET /urlplus/=?dps1.travelocity.com/glblreview.ctl?res_loc=RANJWD&
previous_page=retrrqst&SEQ=946248207742456&last_pgd_page=retrrqst.pgd
HTTP/1.0

--------------------------------------------------------------------------------

Alexa watches me confirm my 14-year-old daughter's flight home:

GET /urlplus/=?dps1.travelocity.com/airgdetails.ctl?aln_code=US&
dep_dt=19991230&dep_arp_code=PHL&arr_arp_code=BOS&flt_num=2386&
aln_name=US%20Airways&rqs_dow=Thursday&SEQ=946248230535298&
last_pgd_page=glblretrieve.pgd HTTP/1.0

--------------------------------------------------------------------------------

Interesting article at Salon about sleazy marketing tactics
employed by the Internet porn business:

GET /urlplus/=?www.salon.com/21st/feature/1997/12/cov_01feature.html
HTTP/1.0

--------------------------------------------------------------------------------

Alexa monitors a phone call to my sister Aileen who lives
in Florida:

GET /urlplus/=?call.click2talk.net2phone.com/cgi-bin/c2tdial.cgi?
name=Aileen XXXXXXXX&number=(941)XXX-XXXX&key=KD8757FG&orig=yahoops&
img=yahoo&ext=x.n2p HTTP/1.0

--------------------------------------------------------------------------------

Alexa is sent off information about what DVDs I'm interested in
purchasing from www.buy.com:

GET /urlplus/=?www.buy.com/videos/product.asp?sku=40112371&qutype=0 HTTP/1.0

--------------------------------------------------------------------------------

Alexa gets my AltaVista search strings:

GET /urlplus/=?www.altavista.com/cgi-bin/query?pg=q&sc=on&
q=%22electronic+communication+privacy+act%22&kl=XX&stype=stext&
search.x=25&search.y=10 HTTP/1.0
GET /urlplus/=?www.perkinscoie.com/resource/ecomm/priv.htm HTTP/1.0
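As an added example (not part of the original letter or of the post), the following Python audits what a full-URL beacon like the zBubbles request quoted above hands to a third party, and applies the fix the letter proposes, dropping the query string before anything is reported. The request line is the one captured in the letter with its wrapped lines rejoined; the function names are my own.

```python
"""Audit a plugin's URL beacon and apply the letter's proposed fix (strip query strings)."""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# The request line from the sniffed zBubbles beacon quoted in the letter, with the
# wrapped lines rejoined (constructed from the page's own capture).
CAPTURED_REQUEST_LINE = (
    "GET /data?cli=10&dat=snbamz&url=live.av.com/scripts/search.dll"
    "%3Fep%3D7%26gca%3Daddress%26orderby%3Ddistance%26sstreet%3D"
    "172+mason+terr%26scity%3Dbrookline%26sstate%3DMA%26"
    "szip%3D02446%26scountry%3DUSA%26query%3Dfurniture%26qname"
    "%3D%26sic%3D%26ck%3D%26userid%3D161421220%26userpw%3D."
    "%26uh%3D161421220%2C0%2C%26ccity%3Dbrookline%26cstate%3DMA"
    " HTTP/1.0"
)


def _with_scheme(url: str) -> str:
    # The plugin reports scheme-less URLs; urlsplit needs a scheme to find the host.
    return url if "://" in url else "http://" + url


def reported_url(request_line: str) -> str:
    """Return the visited page URL the beacon carries in its (percent-encoded) url= parameter."""
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("expected a GET beacon, got " + method)
    outer = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return outer["url"][0]  # parse_qs already undoes the %3F/%26 encoding


def leaked_fields(page_url: str) -> dict:
    """Query-string fields (name -> value) that a full-URL beacon discloses to the third party.

    This is the audit step: everything returned here left the browser, so reviewing
    these names (sstreet, szip, userid, ...) shows exactly what personal data leaked.
    """
    query = urlsplit(_with_scheme(page_url)).query
    return {name: values[0] for name, values in parse_qs(query, keep_blank_values=True).items()}


def strip_query(page_url: str) -> str:
    """The fix the letter proposes: keep scheme, host and path; drop query string and fragment."""
    had_scheme = "://" in page_url
    parts = urlsplit(_with_scheme(page_url))
    cleaned = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return cleaned if had_scheme else cleaned[len("http://"):]


if __name__ == "__main__":
    visited = reported_url(CAPTURED_REQUEST_LINE)
    print("fields disclosed:", sorted(leaked_fields(visited)))
    print("safe to report:", strip_query(visited))
```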