
If you've ever bought a book or CD from Amazon.com, try this little experiment: point your Web browser to www.seti.org.

You say you've never heard of this outfit? Well, it appears they've heard of you. In fact, when you arrive at the SETI Web page, you'll probably see a little box that welcomes you by name and asks for a donation. Now try browsing around a couple of other sites you've probably never heard of, such as satirewire.com, or chank.com, or indigenousrocks.com. They all seem to know who you are.

Big Brother at work? No, Big Amazon, flexing its muscle to make a few million extra bucks and let you know how easy it is to track your comings and goings, even when you're surfing far away from the bookseller's Web site.

Amazon's trick is one of several Internet privacy busters that surfaced in the past week or so, proving that every time I think I'm getting paranoid, something comes along to prove that I have good reason to look over my shoulder.

For example, consider the clever folks who send you junk mail that automatically notifies them that you've read it - thereby ensuring that your address will be permanently inscribed in their "Make Big $$$" database. Or another little e-mail security glitch that not only alerts the sender that you've read a message, but also passes on information about everyone to whom it's forwarded, along with any comments they've added along the way.

We'll take these little horrors one at a time.

Amazon's latest contribution is known, ironically, as the "Honor System." It's a scheme that allows its customers to donate money to a worthy Web site by clicking on a graphic inviting the contribution. If you choose to give, Amazon uses its billing system to charge your credit card. The Web site profits, and the bookseller makes money by taking a cut of the donation.

Amazon has used a benign variant of this scheme to sign up hundreds of thousands of "associate" Web sites. They offer visitors a link to Amazon in exchange for a small commission on any sales the link generates. No ethical or privacy problem here.

But the Honor System is different because Amazon knows where you are even if you haven't clicked on the Amazon link.

That's because the graphic in the Honor System box is actually stored on Amazon's site. When your Web browser requests the graphic from Amazon (which happens invisibly in the background), Amazon queries your browser to see if an Amazon customer's "cookie" is stored on your hard drive. This is a tiny file with information about you that Amazon uses when you visit its Web site. If such a cookie exists, Amazon looks you up and displays your name in the graphic. To you, it appears that the Web site you're visiting knows who you are.

Given Amazon's reach and the lure of free money to Web site operators, it won't be long before Amazon can track its customers all over the Web - without their knowledge.

In its official pronouncement, Amazon naturally said it doesn't store this information and has no intention of using it. But Amazon is known for changing its mind. Last year it abandoned a longstanding promise never to sell information about its customers' book-buying habits. Critics point to Amazon's track record.

"Amazon's policy may change significantly, as it has in the past," said Jason Catlett, president of Junkbusters, an Internet privacy monitor (www.junkbusters.com). "Amazon didn't use the word 'never' in this statement, and even if they did, why should we trust them? They've betrayed that trust before."

Let's move on to e-mail. If you use Microsoft Outlook, Outlook Express or Netscape Messenger, you're probably viewing mail in "HTML" format. This is the coding system used to create Web pages. It allows you (and advertisers) to create mail with attractive typefaces, colors and graphics. Unfortunately, HTML can hide programming features that turn an e-mail message into an Internet spy.

Try it yourself. Send a message to a friend who uses Outlook or Netscape, but append ".confirm.to" to the address. If your friend is johndoe@someplace.com, make the address johndoe@someplace.com.confirm.to.

When John sees it, you'll get e-mail telling you when he read it, along with the Internet address of his computer. And here's the kicker - John doesn't even have to open the message. If his mail preview window is open, that's enough to trigger the response.

For this we can thank a Korean company called Postel Services Inc. (www.postel.co.kr), which intercepts any message addressed this way and attaches a piece of HTML code that links to a tiny, invisible graphic stored on a company Web server. Because your computer has requested the graphic from Postel, it knows that you're reading the mail.

These graphics are known in the trade as "Web bugs," and they're nothing more than tiny, invisible spies. They operate under the same principle as Amazon's Honor System graphic. Displaying a message with a Postel Web bug is all that's needed to let Postel know that John has seen it. Postel forwards the information to you.

Postel will let you send 30 bugged messages per month free of charge (no signup required). After that, it charges 2 cents apiece. But the company hopes to make its real money selling the service to commercial e-mail advertisers.

An even more insidious e-mail weakness - publicized recently by the Colorado-based Privacy Foundation (www.privacyfoundation.org) - allows a programmer to embed invisible JavaScript code in an HTML message that secretly forwards the contents of the message back to the sender every time it's read - along with any text that's been added to it.

A business memo thus bugged and circulated for comment could conceivably give a competitor amazing insights into a company's thinking - making e-mail an invisible tool of corporate espionage. Law enforcement agencies could also use the technology to spy on any group of associates without the niceties of a search warrant or wiretap order.
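To see what a bugged message looks like from the receiving side, here is an added example (not part of the original column) that scans an HTML mail for the two mechanisms described above: remotely hosted images, including tiny "Web bug" graphics, and embedded script. The sample message, the host tracker.example and the names RemoteContentFinder and scan_message are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

class RemoteContentFinder(HTMLParser):
    """Flags markup that phones home or runs code when a mail is displayed."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            src = a.get("src", "")
            if urlparse(src).scheme in ("http", "https"):
                tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
                self.findings.append(("web-bug" if tiny else "remote-image", src))
        elif tag == "script":
            self.findings.append(("script", a.get("src", "inline")))
        for name in a:  # onload, onclick, ... also run script
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag} {name}"))

def scan_message(raw):
    """Return findings for every text/html part of an RFC 822 message."""
    finder = RemoteContentFinder()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, errors="replace")
            finder.feed(body)
    finder.close()
    return finder.findings

# Constructed sample message; tracker.example is a placeholder host.
SAMPLE = """\
From: sender@example.com
To: johndoe@someplace.com
Subject: Quarterly memo
Content-Type: text/html; charset="utf-8"

<html><body onload="report()">
<p>Please add your comments and forward.</p>
<img src="http://tracker.example/bug.gif?id=1234" width="1" height="1">
<script>function report() {}</script>
</body></html>
"""
if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A remote image without explicit 1x1 dimensions is reported as "remote-image" rather than "web-bug", since any image fetched from the sender's server reveals that the message was displayed.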

So I'm not paranoid. People are out there watching and snooping, and they're finding new tools every day. You should be worried, too. Next time, we'll discuss steps you can take to protect your privacy.
