TUCoPS :: Privacy :: fallout.htm

"What's Related?" Fallout
"What's Related?" Fallout

"What's Related?" Fallout

Since the release of our report "What's Related?"--Everything But Your Privacy, a number of things have happened. Those interested in their privacy or in working to protect privacy might be especially interested in the fallout.

This is my (cmcurtin) accounting of the series of events that led up to the release of that report, as well as events afterward. It has been reviewed and verified by gfe and monwel.

Executive summary

In January 1999, I was contacted by Netscape regarding a report that I coauthored that was critical of the implementation of their "Smart Browsing" service. Netscape incorrectly claimed that the report is "incorrect or misleading" and that it "misrepresents" the Smart Browsing service. The same claim was made to Anonymizer Inc, who mirror the article on their web site. I disagreed strongly with Netscape's claims.

Later that month, I became aware that Netscape's "Smart Browsing" service claimed that the report I coauthored was "related" to The Unabomber Manifesto. I made my displeasure clear to Netscape, at which point, my email went unanswered.

There are numerous issues at hand here: the dangers of having a technology provider having editorial control over material being presented and the business of reputation and character assassination. I do not know to whom else Netscape has claimed that the report is incorrect, but there is reason to believe that it includes journalists who might otherwise be inclined to write about the service's problems.

In any event, the service still has rather severe privacy invasion problems and a FAQ that does not tell the whole story. Now anyone reading an article critical of the service can use the service to be told that this work is somehow related to the manifesto of an anti-technology murderer. And the media doesn't seem interested in covering the problems. Something is clearly amiss.

Detailed summary of events and timeline

Mid-August 1998
Gary Ellison writes Doug Monroe and Matt Curtin about the completely undocumented "what's related" button on Netscape's new browsers, namely 4.5 beta and 4.06 about how such a feature could be implemented and potential privacy and/or security risks. Collectively, we look into the matter and release "What's Related?"--Everything But Your Privacy on August 26.
September 1998
Ramanathan Guha of Netscape contacted us to identify himself as the "implementor" at Netscape and to ask us to clarify what our privacy issues were. When Doug asked Guha on September 10 about the source of the data returned by the Netscape "what's related" service, he wrote "We are using their [Alexa's] data". Gary spoke to Guha by phone and suggested that the largest part of the problem could be solved by moving the domain of the cookie to *.netscape.net from *.netscape.com, thereby making it impossible to correlate the "what's related" data with other Netcenter data, such as secure software downloads, which require the signing of a legal affidavit confirming one's name, address, and telephone number.

Gary wrote Doug and Matt, indicating that Guha (and probably others at the level of engineering and implementation) "get it" and are sympathetic to our concerns. Gary left the conversation with Guha with the impression that the cookie's domain might be changed in a yet-to-be-announced Communicator 4.51.

October 1998
The report is entered into the Ohio State University CIS department technical report series and a pointer to the document is made in Lauren Weinstein's PRIVACY Forum Digest.

The report is widely reported in such places as Slashdot, Yahoo!, and in the German-language community via German, Swiss, and Austrian news web sites. Only passing interest is observed by mainstream US media.

January 13, 1999
Ken Hickman of Netscape addresses a letter to Doug, Gary, and me claiming that the report misrepresents Netscape's service. It is further claimed that our report is inaccurate:
  • Links followed from Smart Browsing were made via redirects through Netscape's web site at the time of publication. Since that time, that behavior has changed; I have verified that links are now made directly.
  • He claims the service does not use cookies, but that the cookie is present because the Smart Browsing servers are in the same domain as the Netcenter cookie (i.e., *.netscape.com). Whether they're logging that data today is irrelevant; the potential for a change in policy and abuse of the data still exists. What we wrote is still completely accurate.
  • He claims that our section on "frequency of the fetch" has confused many users about which behavior is default. I honestly don't see how we can make this any more clear.
  • He further wrote that "there are other errors" without giving any other details. Since he did not enumerate any real errors in what we had written, I tend to doubt that there are any such errors. Perhaps there are minor cases of the service changing since the time of publication, but the core issues remain the same, and the fact remains that what we wrote was accurate at its time of release.
January 13
I reply to Ken's note, maintaining that "at best, the information is dated" and, after a few abrasive counterpoints, concluding with a translated quote of Pontius Pilate, "what I have written, I have written". I freely admit that I did not optimize for tact. Sorry. But don't expect to be able to make bald statements about my work and not be on the receiving end of a stern correction.
January 14
Ken replies to my reply, agreeing that the only real problem is information that is now out of date and complains that he has had to deal with journalists seeking information from Netscape about the issues raised by the article.
January 15
Someone from Anonymizer Inc (which mirrors the report on their web site) wrote me seeking clarification on a number of points on the article. Ken wrote them on January 15, stating "Mr. Curtin's article has mutliple [sic] sections that include information that is wrong or misleading, for example..." The rest of the email is identical to the one I received on January 13.
January 29
A reader sends me email informing me that clicking on the "what's related" button when viewing the report will show the WIRED magazine reprint of The Unabomber Manifesto is related.
January 31
I make my extreme displeasure about the whole situation known, in no uncertain terms, to Ken, in response to his January 14 mail. In it, I question the value of linking to Netscape's Smart Browsing FAQ more prominently, asking whether it will only serve to provide Netscape an opportunity to baldly contradict our work or give them another opportunity to portray us as somehow sympathetic or related to a terrorist. I receive no reply.
March 7
I contact Lauren Weinstein again, making him aware of developments since the most recent Smart Browsing article to appear in the PRIVACY Forum Digest.
March 21
Lauren writes to inform us that he's checked links again, and Netscape appears to have picked up additional "what's related" data for our report, all of which matches what I found on Alexa's site on March 8. Both Netscape and Alexa show the Unabomber's manifesto to be the first on the list of related links.
I hope that this is helpful in showing that some potential risks of giving the providers of a product or service a form of editorial power are no longer purely theoretical.

We found a problem, studied it, and explained our findings in a publication that should be understandable by anyone with an interest in their privacy. Netscape has had the ability to make minor modifications to the operation of their service in order to solve these problems, but has not. Instead, we have seen our work called "inaccurate" and "misleading".

This is a real problem and I'm disgusted with Netscape's handling of it.

Netscape used to be cool.

interhack | news | about | people | projects | publications | feedback | rent | legal

Matt Curtin
Last modified: Sat Apr 17 17:49:48 EDT 1999

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH