Posts belonging to Category Privacy



Gator Suckage

Gator is a piece of software that a lot of freeware applications bundle with their product to offset the cost of development and distribution.  It runs on the user’s PC and gathers information about the user’s surfing habits, reporting this data back to Gator’s central servers.  Gator then uses this information to target ads to the user.  Many users are unaware that this software is being installed when they install things like Kazaa or similar peer-to-peer programs.  Because of its reporting capabilities, it has deservedly earned the distinction of being known as “spyware.”  However, because of the (again, deserved) negative connotations associated with that term, Gator doesn’t like being referred to by it.  They prefer to be called “adware”.

The distinction between such “adware,” which can report back to its creator with information about the computer user’s surfing habits, so as to allow for supposedly more effective ad serving, and “spyware,” which similarly monitors surfing habits and serves up ads, is sometimes a hazy one, and lies at the heart of Gator’s libel suit.

Gator maintains that its software differs from spyware in that people are clearly notified before they download it, and in that they do so in exchange for a service, like the peer-to-peer software. 

Spyware, the company maintains, is surreptitiously installed and gives the unwitting computer user no benefit.

But critics of adware companies question how clearly such downloads are marked—PC users may suddenly be deluged with pop-ups and have no idea where they’re coming from—and protest that companies like Gator are collecting information without sufficiently accounting for what they do with it.

They now intend to go after anyone who refers to their product as spyware.  Their protestation that it isn’t spyware because it isn’t installed “surreptitiously” doesn’t work with me.  Frankly, they’re full of crap and I’m going to continue to refer to them as spyware because I consider any software that reports on anything you do as spyware.  These semantic games won’t convince me that their product isn’t spyware.

Further, most installations of Gator are hidden behind a wall of legalese or snuck in through a pop-up on a website (sometimes even with the logic reversed so that when the user hits “Cancel” Gator is installed).  If the use of Gator is fully spelled out such that even the most naive user understands it (i.e. it’s up front, in large print, and in plain English) and if Gator would tell people exactly what data they collect and what they’re doing with it, perhaps I wouldn’t have a problem with them.  As it is, I am very careful to avoid any chance that Gator will get installed on my systems and I avoid any software that bundles it.

And in case Gator’s legal eagles are trolling the internet to find stuff like this, don’t forget about that pesky little thing called the First Amendment.  I honestly believe that your product is SPYWARE, and by the common sense definition of the term, it most definitely is (i.e. what the average person perceives it to be).  As such, I feel that I have an absolute right to say so and will continue to do so.  You may be able to shut down some websites through your legal intimidation tactics, but that doesn’t change the reality of the situation.  Anything that reports on usage habits will be considered SPYWARE by the common user, even if they derive a benefit from it.  If the user thinks the benefit is great enough, then they’ll consent to use it.  I don’t have a problem with people making such free-market decisions, provided they’re fully informed.  I do have a problem with people who use the legal system as a club to try to do stupid things like change the common sense definitions of words.

Of course, if the Gator lawyers keep doing stupid things like this, people will just come up with more “interesting” terms for it.  Some of the commenters on the Slashdot thread were using terms like “suckware,” “crapware,” and “malware.”  I somehow doubt that this is what Gator intended…

Link via Slashdot.

Spam And Telemarketers

Last night when I got home and checked my email I’d gotten a spam from some company calling itself “As Seen On Television”, which was sent via servers at Catfish Software using a mailing list.  As usual when confronted with spam I investigate the headers to see what address of mine they’re sending it to.  The address looked like one that I would have created when doing business online, but I could not find any evidence that I’d ever done business with that company.  So, I began to suspect that perhaps the spammers were on to my trick of making up names and were trying to take advantage of that.

Even though the email included an “opt-out” link to a web form, I reported them to SpamCop, since I never respond to spam (it only encourages the bastards).  When I checked email again this morning I’d gotten an email from Jerry Hilburn, the founder of Catfish Software.

You purchased a product from us long ago. I would be happy to remove you from the list if you would supply me with the footer code which you cut off in your report. You can go to our unsubscribe which really does remove you permanently from the list. Or you can send me that number and I will send you a copy of your order with the proof that we did do business with you. Or you can keep sending me these notices without the full message body and we can keep going through this process.

Please advise…

Jerry Hilburn – Founder
Catfish Software, Inc.
[phone removed]

I found his tone to be annoying at best.  First, there was the assumption that simply because I’d done business with them (if I had actually done so, as I am not convinced that I would have), that I would be receptive to SPAM from them.  Then there was the snide comment about not sending the full message body.  I know that I entered the ENTIRE message body into SpamCop’s reporting form.  If he didn’t get the whole thing, then perhaps SpamCop is cutting them and only sending the headers.

In any event, I wrote back to him to inform him that I didn’t care if I’d done business with them because I would never have given permission to receive this kind of junk.  Further, that I’d included the full text of the message in the report, but that I would include the footer of the message since it seemed important to him.  I also asked him to tell me exactly what I purchased and when I did so.  We’ll see if he can make good on his promise.  Finally, I told him that all email sent to the address used in the spam would now be sent directly to their list manager address (owning your own domain and having control over the disposition of email aliases is a handy thing when dealing with spammers; they don’t like it when spam gets sent back to their contact address).

But all this got me to thinking about the cavalier way a lot of online businesses treat the email addresses of their customers.  Most of them seem to think that a single business transaction with them justifies putting me on their email list.  A good example of this is Plantronics (who makes telephone headsets).  I had ordered an accessory kit for my headset from their website.  It turns out that Plantronics farms out fulfillment to a number of other companies.  The one that fulfilled my order was based in Kansas.  When I got a spam at the Plantronics address from this company in Kansas, it took me a little while to put it together.  But once I did I was furious because they had ignored my explicit instructions not to be sent emails unrelated to my order (I never, ever, ever allow this kind of email and I always check the “opt-out” box if available).  I reported them via SpamCop and set the email address to bounce (although I should have redirected it to their marketing address).

Let me make this clear.  My expectation is that if I engage in a transaction with a company that my email address will be used solely for the purposes of fulfilling that transaction (i.e. questions about the order and sending me updates on the status of the order).  I will not, do not, and will never give permission to receive marketing emails.  This means that as far as I am concerned, absence of the “opt-out” checkbox on a checkout form does not imply consent to receive email.  And frankly, I don’t give a flying damn if the company thinks otherwise.  I’m going to report them to SpamCop, redirect the email back to them, and raise a stink about it.  Why?  Because to me it’s the electronic equivalent of having a salesman running out of the store after you trying to get you to buy unrelated crap after you just completed a sale.  I won’t put up with that in real life and I won’t put up with it online just because it’s easy for them to do it.  Maybe once a company has earned my trust I might consider what else they can do for me, but not before that and that won’t happen based on a single sale.

Telemarketing ties into spam in my mind because they both represent an intrusion into your private space in an attempt to sell you something.  I was glad to hear that a higher court has reversed the order against the do-not-call list.  While the use of government to enforce such a thing offends my libertarian sensibilities, I don’t see it as violating the free speech rights of the telemarketers (although one could probably make a valid argument that Congress has no explicit Constitutional authority to pass such regulation).

We all have the right to speak our minds and say whatever we want.  However there is no corresponding right to be heard.  Since such a thing would impose a duty on the listener, it cannot be a right.  But that appears to me to be exactly what the telemarketers and the spammers want.  All I want is to be able to establish the telephonic and email equivalent of a “No Solicitors” sign on my door.  As a property owner I have the right to exclude any person I choose from my property, and the “No Soliciting” sign is simply a manifestation of that right.  I regard my email account and my phone in a similar manner.  They are my property and I control who may enter said property. 

With regards to telemarketing, the phone companies missed an opportunity to avoid regulation in this area.  They could have used technological means to establish a do-not-call flag on my phone, and required telemarketing companies to check and obey that flag.  Further, they could have charged a small monthly fee and turned it into a profit center (like they do with everything else) (and I would be willing to pay a few dollars a month to put up a telephonic “No Solicitors” sign). 

The overwhelming popularity of the do-not-call registry and the near-universal loathing that people have for spam should serve as a wake-up call to the “intrusion industry”.  They have lost the battle for public perception and it’s time to admit it and move on.  Email is not going to be a viable medium unless it’s done through verifiable (and overt) opt-in (i.e. no assumptions and it has to be obvious to the user when and how his address will be used).  Opt-out email will just associate the company with spammers in the user’s mind, forever tarnishing their reputation (and damaging their bottom line, since I will never do business with a spammer).  Opt-out links and “reply to this email to be removed” methods will be ignored, even for truly honest companies because they’re operating in an environment filled with unscrupulous bastards who have polluted it for everyone.  Likewise, telemarketing has been forever tarnished by carefully-scripted high-pressure marketing scams.  Even if the product isn’t a scam, I make it a point never to do business with a telemarketer.

In the end I think people are sick and tired of being marketed to every single minute of the day.  All they want is to be able to reclaim their private spaces, both in their homes and in their electronic inboxes.  All I want is to be able to put up my electronic “No Solicitors” sign and to be left alone at home. 

But then I’m a curmudgeon who prefers to be left the hell alone anyway.

Update:  Well, it turns out that I did purchase something from them.  Specifically it was a video that was advertised on TV (one of those stupid funniest home video things—yes, I know…).  But I bought it on 12/10/2000!  No wonder I couldn’t remember them.  In his response to me he tried to justify sending the email, claiming it was legal under California code (i.e. because of past business relationship).  The only problem with that is that the current site that they’re spamvertising bears no directly discernable relationship to the one I originally purchased from.  He also said that the order form has an “opt-out” checkbox.  If it did back then, I would have checked it.  I’m very careful about that sort of thing.  I think this was yet another case where they were lax about checking the privacy choices of the customers on their email list.  In the end he apologized, so I suppose I should just let the matter drop.  He claims that I won’t be getting any more email from them.  Let’s hope so.  Of course, if I did, I wouldn’t know it, since that address is now redirected to his list operator address…
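
The per-vendor alias check described in this post (reading the headers to see which of my addresses a message was really delivered to), sketched in Python as an added example that is not part of the original post.  The domain example.org, the alias ledger and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "example.org"  # assumption: the domain whose aliases you control

# Assumed alias ledger: alias local part -> (vendor it was given to, vendor's domains)
ALIASES = {
    "videoshop": ("Video Shop (constructed)", {"videoshop.example"}),
    "headsets": ("Headset Maker (constructed)", {"headsets.example"}),
}

# "for <addr>" clause that receiving mail servers record in Received headers
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.I)


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def delivered_aliases(msg):
    """Addresses at MY_DOMAIN this message was delivered to, most reliable first."""
    found = []
    # Envelope-recipient headers are written by the receiving server, not the sender.
    for name in ("Delivered-To", "X-Original-To", "Envelope-To"):
        found += [parseaddr(v)[1] for v in msg.get_all(name, [])]
    for received in msg.get_all("Received", []):
        match = FOR_CLAUSE.search(received)
        if match:
            found.append(match.group(1))
    # To/Cc are sender-controlled and often omit the real recipient (list mail, Bcc).
    found += [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    seen, result = set(), []
    for addr in (a.lower() for a in found):
        if domain_of(addr) == MY_DOMAIN and addr not in seen:
            seen.add(addr)
            result.append(addr)
    return result


def sender_domains(msg):
    """Domains the message claims to come from (header From, Sender, Return-Path)."""
    domains = set()
    for name in ("From", "Sender", "Return-Path"):
        for value in msg.get_all(name, []):
            addr = parseaddr(value)[1]
            if "@" in addr:
                domains.add(domain_of(addr))
    return domains


def attribute(raw):
    """Return (alias, vendor, verdict) for each of our aliases the message hit."""
    msg = message_from_string(raw)
    senders = sender_domains(msg)
    report = []
    for addr in delivered_aliases(msg):
        entry = ALIASES.get(addr.split("@", 1)[0])
        if entry is None:
            # Alias was never handed out: a guessed or made-up local part.
            report.append((addr, None, "unknown-alias"))
            continue
        vendor, vendor_domains = entry
        same = any(s == v or s.endswith("." + v) for s in senders for v in vendor_domains)
        # A known alias used by an unrelated sender means the vendor shared or lost it.
        report.append((addr, vendor, "original-vendor" if same else "shared-or-leaked"))
    return report


# Constructed sample: the To header hides the alias, the envelope headers reveal it.
SAMPLE = """\
Return-Path: <bounce@lists.bulkmailer.example>
Delivered-To: videoshop@example.org
Received: from mx.bulkmailer.example (mx.bulkmailer.example [192.0.2.10])
\tby mail.example.org with ESMTP id ABC123
\tfor <videoshop@example.org>; Tue, 07 Oct 2003 21:14:03 -0500
From: "Great Offers" <offers@tvdeals.example>
To: "Valued Customer" <customers@tvdeals.example>
Subject: Special offer

Body text.
"""

if __name__ == "__main__":
    for row in attribute(SAMPLE):
        print(row)
```
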

For Me But Not For Thee

Via Slashdot we learn that some people in the telemarketing industry are on the national do-not-call list.

The home telephone numbers of 11 top executives of the Direct Marketing Association – which has waged a bitter court battle to kill a federal no-call list – are on the new registry, which would make them off-limits to those annoying sales calls.

The Courant found the DMA employees, and top executives from two large telemarketing companies, among the 50 million numbers on the Federal Trade Commission’s anti-telemarketing do-not-call list.

The DMA executives, some of whom admit they signed up to protect their own privacy, did so even as their organization waged a legal campaign to prevent federal regulators from blocking telemarketers’ calls to millions of other Americans.

Hypocritical bastards…

Bloody Hell…

The Federal District Court in Oklahoma City has issued an order blocking implementation of the National Do Not Call list.

The U.S. District Court in Oklahoma City said the Federal Trade Commission overstepped its authority when it set up the popular anti-telemarketing measure, according to a court decision filed late on Tuesday.

The FTC has signed up some 50 million phone numbers for the list, which was due to take effect on Oct. 1.

I wonder what the effect of the owners of those 50 million numbers calling the court would be?

Privacy Breach, Part III

It’s always a little amusing and a little annoying to be accused of “whining” whenever I make a post about privacy rights.  Someone calling themselves “Johanna” (the Yahoo profile identifies this person as male, though) posted a comment to this post I made on June 5th (I really need to start turning off comments on old posts).  I find “her” tone odd and it really makes me wonder if this is some sort of astroturf campaign on the part of Sunglass Hut.  I’m not outright making that accusation, but it does come to mind.  The only way this person could have found that page was to have done a web search for Sunglass Hut, since the page hasn’t been on the front of my site for over two months.  I’m starting to notice a bit of this kind of activity.  People stumble across one of my archived posts and then post a comment several months later.  In at least one other case it appears that there was some corporate interest.  In this case, I have determined that the user came in via AOL (user agent “MSIE 5.5; AOL 8.0; Windows 98” from “cache-rg05.proxy.aol.com”) after doing a Google search for “sunglass hut customer service”.

Anyway, it bugged me a little and I responded a couple of times via email.  I posted those emails to the article as comments.

Hang Onto Your Bits, Here Comes The FBI Again

The FBI has quietly requested that the FCC rule that Voice over IP (VoIP) services fall under CALEA (the federal statute that requires communications providers to provide the ability for the FBI to tap all calls).  This would require broadband and VoIP providers to reengineer their networks to allow this kind of surveillance.

Representatives of the FBI’s Electronic Surveillance Technology Section in Chantilly, Va., have met at least twice in the past three weeks with senior officials of the Federal Communications Commission to lobby for proposed new Internet eavesdropping rules. The FBI-drafted plan seeks to force broadband providers to provide more efficient, standardized surveillance facilities and could substantially change the way that cable modem and DSL (digital subscriber line) companies operate.

The new rules are necessary, because terrorists could otherwise frustrate legitimate wiretaps by placing phone calls over the Internet, warns a summary of a July 10 meeting with the FCC that the FBI prepared. “Broadband networks may ultimately replace narrowband networks,” the summary says. “This trend offers increasing opportunities for terrorists, spies and criminals to evade lawful electronic surveillance.”

In the last year, Internet telephony (also called voice over Internet Protocol, or VOIP) has grown increasingly popular among consumers and businesses with high-speed connections. Flat-rate plans cost between $20 and $40 a month for unlimited local and long-distance calls. One of the smaller VOIP providers, Vonage, recently said it has about 34,000 customers and expects to have 1 million by late 2004.

According to the proposal that the FCC is considering, any company offering cable modem or DSL service to residences or businesses would be required to comply with a thicket of federal regulations that would establish a central hub for police surveillance of their customers. The proposal has alarmed civil libertarians who fear that it might jeopardize privacy and warn that the existence of such hubs could facilitate broad surveillance of other Internet communications such as e-mail, Web browsing and instant messaging.

The FBI also contends that if the providers can’t provide access to individual users’ data streams that they must be given access to the whole pipe.

The FBI appears to have first presented its proposal to the FCC last year. But in the July 10 and July 22 meetings, the bureau extended it to say that if broadband providers cannot isolate specific VOIP calls to and from individual users, they must give police access to the “full pipe”—which, by including the complete simultaneous communications of hundreds or thousands of customers, could raise substantial privacy concerns.

A summary of the meeting prepared by the FBI said the FCC could “require carriers to make the full pipe available and leave law enforcement to perform the required minimization. This approach is already used when ISPs provide non-CALEA technical assistance for lawfully ordered electronic surveillance.”

I tend to have an instinctive reaction against giving such broad capability to any law enforcement agency, and I also have an instinctive distrust of the FBI given the serious problems that they have yet to address.  My anarchist tendencies tell me that this would open up a market for an anonymous peer-to-peer VoIP program that included strong encryption.  Let the FBI tap all they want, but (so far) there’s nothing that says what we’re sending back and forth has to be readable.

Smile, You’re On RFID Camera

I’ve previously written about RFID tags and their privacy implications.  Today, Slashdot had this article that includes details of a scheme being introduced in England that would snap your picture when you remove a tagged item from the shelf and then use that to identify you at checkout (supposedly to match you to the item to prevent shoplifting).

Alan Robinson, manager at the Tesco store on Newmarket Street, Cambridge, seems excited about this store’s current trials of RFID tags in Gillette Mach3 razorblades. Speaking to Smart Labels Analyst magazine in April this year, he said: “We are cooperating with this trial in every way we can – we would like to be a test bed for many more trials of this kind.” He adds: “We haven’t had a single customer ask what the tag is doing in their packet of razors!” Notoriously subject to theft (small, expensive and easily resold), these blades were tagged by Gillette, which earlier this year ordered 500m radio-frequency ID tags from the aptly named Alien Technology Corp. At the Tesco Cambridge store, reports the magazine, a camera trained on the Gillette blade shelf, and triggered by the tags, captures a photo of each customer who removes a Mach3 pack. Another photo is taken at the checkout and security staff compare the two images to ensure they always have a pair.

A spokesman for Tesco confirmed that this set-up is in operation. He says: “Generally in retailing, razorblades are stolen more than other products, but that is not why we are doing the trial. We have plenty of security measures in place to stop things being stolen. [This trial] is not to do with security or theft, it is a supply chain trial.” According to the spokesman, “there are certainly not any privacy concerns” in relation to these tags. He adds that there is plenty of in-store signage indicating the supermarket’s use of CCTV cameras.

Still, customers might not infer from this information that these cameras are being used to take a digital photo of them each time they lift a Gillette razorblade from the store’s shelf – it only takes one to prompt the camera – and again when they present the pack at the checkout. Tesco says that the photos are “temporarily stored”, but does not specify for how long. However, Smart Labels Analyst magazine explains that this system enables the store to “blacklist certain shoppers and keep an eye on them”. In his interview with the magazine, Alan Robinson recounts an occasion when his Cambridge store was able to show the police a photograph of a shoplifter in the act of removing two packets of razors from the shelf: “The police were completely flabbergasted, having never seen anything like it in their lives.”

The two passages I’ve added emphasis to are quite telling.  No privacy concerns my ass.  These guys are the perfect examples of retailers who are eager to track your every move and link it all together to either market more crap to you or blacklist you from their stores.  And don’t think that the blacklisting will be confined to just shoplifters for long.  Complained about the service the other day and caused an employee to take too much time (but you don’t usually buy a lot of stuff in the store)?  You will be flagged as a costly complainer.  When you show up at the store next time they may try to drive you away, since you’re not worth enough for them to waste their time with you.  I know one person that Fry’s would probably love to keep out of their computer section (since he is known to them for questioning them about every sale item; which is quite aggravating to them, since their sales are often deceptive).

I just hope this never makes it here, but I’m not confident that the people in England will make enough fuss about it to make the trial unsuccessful.  They’ve gotten so used to meekly submitting to surveillance schemes that I fear for them as a people.

The rest of the article has more information about loyalty cards, which also makes for interesting reading.

Spam Spam Spam Spam

Here’s an interesting article about spam and the Direct Marketing Association’s attempt to water down any anti-spam legislation.  Particularly interesting is their self-serving definition of spam.

Robert Wientzen, president of the Direct Marketing Association, has an unusual view of what types of junk e-mail qualify as spam.

Wientzen said during an appearance on CBS News last week that spam is only “e-mail that misrepresents an offer or misrepresents the originator—or in some way attempts to confuse or defraud people.”

Let’s parse that sentence closely. The DMA claims that unwanted e-mail is spam if, and only if, it happens to be fraudulent or confusing. Because the DMA’s members are legitimate, established businesses, Wientzen tells us, their unsolicited e-mail entreaties to us shouldn’t be considered spam.

Somebody needs to tell this wanker that it’s spam if I say it’s spam.  And I have a simple rule to determine whether I say it’s spam:  If I didn’t ask for it and it’s likely to part me with my money if I take up the offer, then it’s spam.

You’d think these idiots at the DMA would have learned from the national do-not-call registry that if you piss off enough people that sooner or later your deep pocket lobbying efforts will become ineffective.  And it definitely doesn’t sound like they understand just how much people loathe spam.

If I had my way spammers would be hung from their toes and bled slowly.  I guess Wientzen is lucky I’m not in charge.  :)  In the meantime, I guess I’ll just redirect all my spam to him.  He shouldn’t object, as long as it’s not misleading.  Right?

Pay Online With Cash

An inventor has patented a way for people to send cash anonymously online.  The device is kind of like an ATM in that it both accepts and dispenses cash (as well as coins in this case).  The article is a bit sparse on the details, but I’m assuming that one would deposit cash and get a receipt with a code.  The code would then be sent to the payee who could go to another machine to obtain the cash.

I actually like the idea, since it would allow me to bypass PayPal and to avoid leaving a money trail (if I so desired).  I cancelled my PayPal account because I just didn’t trust them anymore (I also cancelled my eBay account for the same reason—I lost confidence in PayPal when eBay bought them and of course the way they changed their AUP didn’t help).  This looks like it would also be a convenient way to get money to people quickly, if needed.

As I see it, the major stumbling blocks for this concept are that this machine would need to be widely adopted (so it would be convenient to use) and I would expect that banks might not want to be involved with it (since they seem quite content to spy on you for the government; they wouldn’t want to upset their masters by contributing to anonymous payments).  There is also the fact that cash becomes inconvenient to handle in large amounts (and tends to set off alarms with the aforementioned bankers when withdrawn).

Anyway, I wish him success with the endeavour.  Anything that we can do to win back a little financial privacy is a good thing.

Privacy Breach Part II

I have previously written about my privacy concerns with Sunglass Hut, and I sent them an email concerning my problems.  It’s been well over a month and I’ve never gotten a response.  However, their customer profiling activities have continued and they’ve ratcheted up their marketing to a new level.  They sent me a birthday discount coupon, which looked like a birthday card.  This did not thrill me, since I never gave them my birth date.  The only way they could have gotten this would have been through nefarious backdoor methods (i.e. pulling data from the credit card at the point of sale).

If they think this is going to encourage me to do business with them, they’re sadly mistaken.  Given their lack of response and their continued unauthorized use of my personal data I have now decided that I will never do business with them again in any form.  I will find other places to buy sunglasses (I see that Bass Pro carries Oakleys now, so I may check with them).

Update:  I called their “customer support” number.  After waiting for 5 minutes on hold for a representative, their system disconnected me.  I called back and managed to get someone after a couple of minutes (right about the time I was getting sick of the instrumental version of Bruce Hornsby’s “The Way It Is”).  I asked how they would have gotten my personal information, including my birthdate.  The representative told me that the only way they could get it would have been through the warranty registration.  I found this dubious, since I generally don’t fill out warranty registrations unless the object in question is of high value.  But it’s been more than a year, and I can barely remember what I did yesterday, so I didn’t argue about it.  I just told her that I wanted to be off the mailing list.

In any event, if I did give them my information, and the request for it was presented to me as a warranty registration, then they’d still be using it against my wishes, since I would not have given permission to use it for marketing purposes.