The :CueCat Bar Code Reader
Privacy Foundation
September 22, 2000

Overview

The Privacy Foundation recently completed a technical evaluation of the :CueCat bar code reader. This handheld device, which is similar in appearance to a computer mouse, is a product of Digital:Convergence Corp. of Dallas, Texas. Hundreds of thousands of these devices are currently being distributed free of charge to consumers through partner companies including Radio Shack, Wired magazine, and Forbes magazine. The company has announced plans to distribute 10 million devices by year-end 2000 and 50 million devices by year-end 2001.

The :CueCat is promoted as an easy way for consumers to visit Web sites on their PCs by scanning bar codes that have been included in catalogs, magazine articles, and printed advertisements. By using this device consumers no longer have to enter URLs in their browser to go to a Web site to learn more about a product, a service, or a particular subject.

The Privacy Foundation has serious privacy concerns about the product because the :CRQ software, which accompanies the :CueCat device, appears to transmit all of the information that Digital:Convergence would need in order to record every bar code that every user scans. This tracking feature of the :CRQ software could be used by the company to profile an individual user. Profiling is typically used by Internet marketing companies to provide personalized ads targeted to an individual.

The :CueCat tracking ability does not appear to be disclosed in the documentation or privacy policy that accompanies the product. In addition, there is no disclosure of what is currently being done with the bar code scan information once it arrives at the company. Digital:Convergence states that individual users are not being tracked or profiled.
But even if the information is being used only in aggregate form, or not at all, there is still the possibility in the future that bar code scanning information can be tied to individual users. This tying would require no changes to the :CRQ client-side software.

The tracking feature is made possible because a unique ID number is assigned to each user when they register their :CueCat with Digital:Convergence. This unique ID number is sent to Digital:Convergence servers along with a bar code number each time a bar code is scanned. This ID number was observed both by investigators with the Privacy Foundation and by other outside researchers. This ID number could be associated with personal information and demographic information that the user supplies during product registration.

We recommend that Digital:Convergence provide a patch that disables the ID number for current users. The company and its partners – including Radio Shack, Wired, and Forbes – should notify users of the existence of the tracking potential, and the availability of the patch to remove it. In addition, we recommend that future shipments of the product have the user ID number feature disabled.

In addition, the Privacy Foundation recommends that Digital:Convergence disclose more details to users about what information is being collected through the :CueCat system and how it will be used.

Vendor Contact and Response

Digital:Convergence was contacted on Sept. 18, 2000, and again on Sept. 21. The Privacy Foundation expressed concern that the data transmitted by the :CRQ software could be used to record every scan of the :CueCat along with the personal information of its current user. Digital:Convergence acknowledged that a user ID is associated with each scan, but said that their current database breaks the link between a user's activation code and personal information (such as an email address), so that such tracking is not being done, nor is it contemplated.
We suggested modifications to the :CRQ software that would remove the possibility of user-specific tracking. Digital:Convergence indicated that they would consider modifying their data collection procedures and provide more disclosure. As soon as a new disclosure statement becomes available, we will link to it from this web site.

Detailed Problem Description

Installation of the :CRQ software includes a computer video promotion followed by a registration process that requires some personally identifiable information:

    full name
    email address
    zip code
    gender
    age range

Registration is followed by a lengthy survey that includes questions about personal interests, computer and electronics equipment owned, Internet usage, and shopping habits. This survey can be skipped by a user. Once registration is completed, an activation code is sent to the user's email address. The :CueCat and software cannot be used without registering the product and receiving an activation code.

The Privacy Foundation examined the :CueCat device and the :CRQ software to determine the sorts of information transmitted from a user's PC to Digital:Convergence. With a packet sniffer in place to monitor network connections made by a PC, we installed the :CRQ software and submitted both the registration and survey. Submission of the survey showed a network connection to crq.com with the following data being transmitted:

[Please note that portions of network traffic included in this report have been modified for illustrative purposes.]

    12:01:35.535139 pc.example.com.1570 > beta1.crq.com.80: P 232:1050(818) ack 1 win 8280 (DF)
    .lastname=Doe&firstname=John&email=johndoe%40example.com&zip=80208
    &gender=A&age=D&minorlastname=&minorfirstname=&minoremail=
    &travel=B&airline=B&tripcount=A&hotel=A&rentalcar=E&movietype=B
    &moviefreq=F&moviefood=F&tv=A&tvcount=B&vcr=A&dvd=C&dvdwhen=
    &hometheater=B&cable=A&satellite=B&gamecenter=B&videofreq=F
    &moviesbuy=D&musictype=B&musicformat=B&cdwhere=C&radio=B&mp3=A
    &booktype=CG&bookbuy=AF&bookcount=D&mags=ABK&clubs=A&cdrom=B
    &monitorsize=AB&scanner=A&printer=A&processor=C&dcamera=A
    &dcamerawhen=&stereospeakers=A&onlinefreq=A&internetfor=ACD
    &onlinebuy=A&onlinebuywhat=AE&home=B&dineoutfreq=C&pizza=B
    &pizzakind=&wine=B&winewhere=A&coupons=A&trading=B&banking=A
    &bills=B&profession=A&vitamins=B&vitaminswhere=&vitaminskids=
    &toyswho=A&toyswhere=B&toyskind=C&makeuptype=&makeupbrand=
    &makeupwhere=&hobby=G&sports=BCD&education=E

The transmission above shows the user's personal information (John Doe, johndoe@example.com) being transmitted to the :CRQ server along with the results of about 60 consumer profile questions.

When the registration was completed another connection was made:

    12:15:23.912215 pc.example.com.1140 > beta1.crq.com.80
    POST /confirm.cfm HTTP/1.1
    firstname=John&lastname=Doe&email=johndoe@example.com&zip=80208
    &gender=A&age=D&OptIn=1&addButton=Register

The above transmission appears to confirm the registration and request that an activation code be sent to johndoe@example.com via email. We received an activation code via email from digitalconvergence.com and plugged it into the prompt box that was presented when we first started the :CRQ software.

After activation of the software, we noted changes to the Windows Registry that included our email address, activation code, and default browser:

    [HKEY_LOCAL_MACHINE\Software\DigitalConvergence.Com\CRQ\Users\John Doe]
    "UserEmail"="johndoe@example.com"
    "RegCode"="Qh98AlkowF6cRTHtDJEjWe"
    "DefBrowserName"="Internet Explorer"

These transactions alone provide enough information to create a profile of personal information that can be linked to a globally unique ID (GUID) assigned by Digital:Convergence. This GUID, as we also found, is transmitted to Digital:Convergence with each and every bar code scanned using the :CueCat device.

The :CueCat bar code scanner connects to a PC by way of a cable that connects between the keyboard plug and the keyboard socket on the PC. The :CueCat scanner effectively "types" a product code received by the :CRQ software each time a bar code is scanned. The :CRQ software then includes the "typed" product code within an HTTP GET request to a Digital:Convergence server that, in turn, responds with a specialized Web address related to the product code.

We made a scan of one of the proprietary ":Cues" in Forbes magazine which was associated with an article about the National Gallery of Art. The :CRQ software subsequently made a network connection to a Digital:Convergence server.

    21:01:35.888710 pc.example.com.1320 > o.dcnv.com.80: P 1718746:1718855(109) ack 342313744 win 7444 (DF)
    GET /CRQ/1..Qh98AlkowF6cRTHtDJEjWe.04.c3Nzc3Nzc3NzdnN3d3d6cXNx.AABi.Y2NgY2Bk.0 HTTP/1.1
    Host: o.dcnv.com

The server [see Note at end of advisory] responded with some data that pointed our Web browser to the address of the National Gallery of Art (http://www.nga.gov).

    21:01:36.144731 o.dcnv.com.80 > pc.example.com.1328: P 1:266(265) ack 109 win 8192
    HTTP/1.1 200 OK
    Date: Tue 12 Sep 2000 03:02:52
    Expires: Tue 12 Sep 2000 03:03:01
    Content-Length: 132
    Content-Type: text/plain

    cat=39
    url=http://www.nga.gov
    desc=BOW - Collecting Art Museums
    char=0
    img=
    but=
    ban=
    tab=12,26,34
    tas=39
    fixed=1,2,50,20

We took a look at the encoded string that was sent in the request to Digital:Convergence. The entire string can be broken up into segments delineated by the periods. Four of these segments appeared to be particularly interesting.

The first segment of the string (Qh98AlkowF6cRTHtDJEjWe) matched the GUID activation code used in setting up the :CRQ software.

The third, fourth, and fifth segments were run through a :CueCat decoder written by Kevin Fowlks and published at FreshMeat.Net. The third segment (c3Nzc3Nzc3NzdnN3d3d6cXNx) decoded to "000000000504449202", which is a serial number for the reader device itself. The fourth segment (AABi) decoded to "CC!", which identifies the type of bar code that has been scanned. In this case, it refers to a :CueCat bar code. The fifth segment (Y2NgY2Bk) is an encoded version of the bar code itself.

Scanning an ISBN bar code from a book (ISBN:045622900857) produced a similar transmission to Digital:Convergence with the following data in the request:

    Qh98AlkowF6cRTHtDJEjWe.04.c3Nzc3Nzc3NzdnN3d3d6cXNx.FhMC.c3d2dXFxenNze3Z0.0

Again, the third segment of the data string remained unchanged. The fourth segment decoded to "UPA", a type of product code. The fifth segment decoded to the actual ISBN number of the book we scanned, "045622900857".

We conclude from this investigation that by distributing the :CueCat device and software, Digital:Convergence could collect not only the personal information provided via the registration and installation survey, but also a history of product bar codes that have been scanned by specific users.
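
The segment decoding walked through above, as an added example (not code from the advisory, and not Kevin Fowlks's decoder). The scheme it uses, standard Base64 followed by XOR of each byte with 0x43, is an assumption inferred from the advisory's sample values, and the field names are labels chosen here.

```python
import base64

XOR_KEY = 0x43  # assumption: inferred from the advisory's sample segments

# Field order after the "/CRQ/1.." prefix, as described in the advisory.
# The second and sixth fields are not explained there, so they stay raw.
FIELDS = ("activation_code", "unknown_2", "reader_serial",
          "code_type", "barcode", "unknown_6")
ENCODED = {"reader_serial", "code_type", "barcode"}


def decode_segment(segment: str) -> str:
    """Base64-decode a segment, then XOR every byte with XOR_KEY."""
    padded = segment + "=" * (-len(segment) % 4)
    raw = base64.b64decode(padded, validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("ascii")


def parse_scan(data: str) -> dict:
    """Parse a request path, or the bare dotted string, into named fields."""
    if ".." in data:                      # drop the "/CRQ/1.." prefix
        data = data.split("..", 1)[1]
    parts = data.split(".")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} segments, got {len(parts)}")
    return {name: decode_segment(value) if name in ENCODED else value
            for name, value in zip(FIELDS, parts)}


def constant_fields(scans: list) -> dict:
    """Fields whose value is identical in every scan: the linkable ones."""
    first = scans[0]
    return {k: v for k, v in first.items()
            if all(s[k] == v for s in scans)}


# The two requests quoted in the advisory (line wraps removed).
CUE_SCAN = ("/CRQ/1..Qh98AlkowF6cRTHtDJEjWe.04."
            "c3Nzc3Nzc3NzdnN3d3d6cXNx.AABi.Y2NgY2Bk.0")
ISBN_SCAN = ("Qh98AlkowF6cRTHtDJEjWe.04."
             "c3Nzc3Nzc3NzdnN3d3d6cXNx.FhMC.c3d2dXFxenNze3Z0.0")

if __name__ == "__main__":
    scans = [parse_scan(CUE_SCAN), parse_scan(ISBN_SCAN)]
    for scan in scans:
        print(scan["code_type"], scan["barcode"])
    print("sent unchanged with every scan:", constant_fields(scans))
```

Run over the two requests, the only long values that stay the same while the bar code changes are the activation code and the reader serial number, which is what makes a per-user scan history possible.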
Furthermore, all of this personal information and bar code history data could be linked through the GUID activation code provided through Digital:Convergence.

Beyond this, we observed no further monitoring of a user’s Internet activities. In particular, we witnessed no clickstream monitoring and no use of cookies by the :CRQ software. Note, however, that the :CRQ software’s use of GUIDs would obviate the need for tracking cookies.

TV/Computer Interface

A specialized cable is also provided with the :CueCat that can be used to connect the audio jacks from a user's TV to the sound card of the PC. Once this connection is made, the :CRQ software listens for special signals embedded within the audio of television programs and advertisements. These signals, in a manner similar to scanned bar codes, prompt the Web browser to load a specific address related to the program or advertisement viewed.

Due to the limited availability of :CueCat audio signals via television broadcasts, the Privacy Foundation was unable to comprehensively research this aspect of the :CRQ software. However, our technical review determined that the :CRQ software does indeed listen to the audio input ports attached to the computer's sound card. With the appropriate audio port connected to a TV or other audio source, the :CRQ software listens for special beeps that encode information comparable to a barcode.

Upon receiving such an "audio cue", the :CRQ software behaves much as if the user had manually scanned a barcode using the :CueCat. It transmits a request to the :CRQ server that includes the user's GUID activation code and a representation of the information in the audio cue. In response, the :CRQ server delivers information about an appropriate Web page.

In the configuration suggested by Digital:Convergence, the user connects a TV broadcast signal to the computer so that Web pages relevant to the viewed programming and advertisements are conveniently presented on the user's Web browser.
This computer, connected to the Internet and the television, will quietly report to the :CRQ server whenever it hears an audio cue. Since no user intervention is required, such a computer could effectively become an in-house television tracking device for Digital:Convergence.

Privacy Policy

Digital:Convergence includes their privacy policy with the :CueCat product as well as on their Web site. The policy states, in more than one place, that Digital:Convergence "will never release your personal data to any third party to solicit you unless you have expressly elected to permit it."

However, the current privacy policy does not disclose why the software appears to track bar code scans by individual users. In addition, users are not told what happens to this data after it is sent to the Digital:Convergence servers.

At the Web site of a subsidiary, DigitalDemographics, the company promotes its ability to gather user data. This site provides information about the :CueCat product for advertisers and marketing partners. Here’s what the site has to say about the use of data collected from consumers:

http://www.digitaldemographics.com/services/index.html

"DigitalDemographics' parallel mission is to gather demographic and psychographic information from our :CRQ users, subscribers, and :CueCat device users. Our goal is two-fold.

Enhance the Membership Experience

Members develop a personal web history that can be culled to provide relevant content and define new special offers. Member histories can also help promote long-term usage of our technologies. On :CRQ enables direct communication with our Members and allows us to poll their interests, direct relevant content, and offer e-commerce savings from major online retailers.

Provide Aggregate Information to Sponsors

A cumulative databank is a compelling information tool.
Ours is powered by multiple sources:

    Demographic Profiles
    Historical Cue Data
    Responsiveness to Relevant Information on the Tabs
    Responsiveness to Relevant Information on the On:CRQ Web site
    Polling Data
    Panelist Data (from volunteers who participate in special interest panels)
    Specific Program Cue and Scratch Data
    Survey Data from Opt-In Respondents and volunteer panelists
    Direct Responsiveness to Offers
    Cross-Media Response Profiles
    Multiple Response Profiles from Same Segment/Media
    Industry Specific Demographic profiling"

Furthermore, in a section of an SEC filing titled "Risk Factors" and subtitled, "Our Right to Keep Information Collected in Our Databases May be Challenged in the Future," Digital:Convergence acknowledges that privacy concerns by consumers may affect acceptance and use of the service.

"Under our privacy policy, individual user information will not be made available to outside parties and will be used internally by us only if a user gives express permission for such use. Some summary demographic data, however, may be made available to outside parties. Privacy concerns may cause users to resist providing the personal data necessary to support this profiling capability. More importantly, even the perception of security and privacy concerns, whether or not valid, may inhibit Internet user acceptance of our technology and products. Furthermore, users may bring lawsuits against us seeking to prohibit us from collecting this data. Even if without merit, lawsuits could impair Internet user acceptance of our technology and products."

Recommended Corrective Actions

The Privacy Foundation recommends the removal of GUID activation codes from the network transactions that result from use of the :CueCat. If the company promises to "never release your personal data to any third party," then there does not appear to be a reason that a GUID needs to be transmitted or stored in conjunction with personal information.

We also recommend that Digital:Convergence provide a patch that disables the ID number for current users. The company and its partners – including Radio Shack, Wired, and Forbes – should notify users of the existence of the tracking potential, and the availability of the patch to remove it. In addition, we recommend that future shipments of the product have the user ID number feature disabled.

In October 1999, Richard M. Smith uncovered similar tracking techniques involving GUIDs in RealNetworks' RealJukeBox product. When the privacy-related issues of GUIDs were brought to the company's attention, RealNetworks determined that linking usage data with personal data was an unnecessary and unacceptable practice. The company promptly provided a patch to remove GUIDs from existing RealJukeBox software.

In addition, the Privacy Foundation recommends that Digital:Convergence disclose more details to users about what information is being collected through the :CueCat system and how it will be used.

Note

A Whois lookup of dcnv.com produced the following record from whois.networksolutions.com:

    Registrant:
    DigitalConvergence.Com, Inc. (DCNV-DOM)
    5968 W. Northwest Highway
    Suite 1813
    Dallas, TX 75225
    US

    Domain Name: DCNV.COM