Since the release of our report
"What's Related?"--Everything But Your
Privacy, a number of things have happened. Those
interested in their privacy or in working to protect privacy might
be especially interested in the fallout.
This is my (cmcurtin) accounting of the series of events that
led up to the release of that report, as well as events
afterward. It has been reviewed and verified by gfe and
monwel.
Executive summary
In January 1999, I was contacted by Netscape regarding a report
that I coauthored that was critical of the implementation of their
"Smart Browsing" service. Netscape incorrectly claimed that the
report is "incorrect or misleading" and that it "misrepresents"
the Smart Browsing service. The same claim was made to
Anonymizer Inc, who
mirror the article on their web site. I disagreed strongly with
Netscape's claims.
Later that month, I became aware that Netscape's "Smart
Browsing" service claimed that the report I coauthored was
"related" to The Unabomber Manifesto. I made my displeasure
clear to Netscape, at which point, my email went unanswered.
There are numerous issues at hand here: the dangers of a
technology provider having editorial control over material being
presented and the business of reputation and character
assassination. I do not know to whom else Netscape has claimed
that the report is incorrect, but there is reason to believe
that it includes journalists who might otherwise be inclined to
write about the service's problems.
In any event, the service still has rather severe privacy
invasion problems and a FAQ that does not tell the whole story.
Now anyone reading an article critical of the service can use
the service to be told that this work is somehow related to the
manifesto of an anti-technology murderer. And the media doesn't
seem interested in covering the problems. Something is clearly
amiss.
Detailed summary of events and timeline
Mid-August 1998
Gary Ellison writes
Doug Monroe and
Matt Curtin
about the completely undocumented "what's related" button on
Netscape's new browsers, namely 4.5 beta and 4.06, and about how
such a feature could be implemented and its potential privacy
and/or security risks. Collectively, we look into the matter
and release
"What's Related?"--Everything But Your Privacy
on August 26.
September 1998
Ramanathan Guha of Netscape contacted us to identify
himself as the "implementor" at Netscape and to ask us to
clarify what our privacy issues were. When Doug asked Guha on
September 10 about the source of the data returned by the
Netscape "what's related" service, he wrote "We are using
their [Alexa's] data". Gary spoke to Guha by phone and
suggested that the largest part of the problem could be solved
by moving the domain of the cookie to
*.netscape.net from *.netscape.com,
thereby making it impossible to correlate the "what's related"
data with other Netcenter data, such as secure software
downloads, which require the signing of a legal affidavit
confirming one's name, address, and telephone number.
Gary wrote Doug and Matt, indicating that Guha (and probably
others at the level of engineering and implementation) "get
it" and are sympathetic to our concerns. Gary left the
conversation with Guha with the impression that the cookie's
domain might be changed in a yet-to-be-announced
Communicator 4.51.
October 1998
The report is entered into the Ohio State University CIS
department technical report series and a pointer to the
document is made in Lauren Weinstein's
PRIVACY Forum
Digest.
The report is widely reported in such places as Slashdot,
Yahoo!, and in the German-language community via German,
Swiss, and Austrian news web sites. Only passing interest is
observed by mainstream US media.
January 13, 1999
Ken Hickman of Netscape addresses a letter to Doug, Gary,
and me claiming that the report misrepresents Netscape's
service. It is further claimed that our report is inaccurate:
Links followed from Smart Browsing were made via redirects
through Netscape's web site at the time of publication.
Since that time, that behavior has changed; I have
verified that links are now made directly.
He claims the service does not use cookies, but that the
cookie is present because the Smart Browsing servers are
in the same domain as the Netcenter cookie (i.e.,
*.netscape.com). Whether they're logging
that data today is irrelevant; the potential for a change
in policy and abuse of the data still exists. What we
wrote is still completely accurate.
He claims that our section on "frequency of the fetch" has
confused many users about which behavior is default. I
honestly don't see how we can make this any more clear.
He further wrote that "there are other errors" without
giving any other details. Since he did not enumerate any
real errors in what we had written, I tend to doubt that
there are any such errors. Perhaps there are minor cases
of the service changing since the time of publication, but
the core issues remain the same, and the fact remains that
what we wrote was accurate at its time of release.
January 13
I reply to Ken's note, maintaining that "at best, the
information is dated" and, after a few abrasive counterpoints,
concluding with a translated quote of Pontius Pilate, "what I
have written, I have written". I freely admit that I did not
optimize for tact. Sorry. But don't expect to be able to
make bald statements about my work and not be on the receiving
end of a stern correction.
January 14
Ken replies to my reply, agreeing that the only real problem
is information that is now out of date and complains that he
has had to deal with journalists seeking information from
Netscape about the issues raised by the article.
January 15
Someone from Anonymizer Inc (which mirrors the report on their
web site) wrote me seeking clarification on a number of points
on the article. Ken wrote them on January 15, stating
"Mr. Curtin's article has mutliple [sic] sections that include
information that is wrong or misleading, for example..." The
rest of the email is identical to the one I received on
January 13.
January 29
A reader sends me email informing me that clicking on the
"what's related" button when viewing the report will show the
WIRED magazine reprint of The Unabomber Manifesto is related.
January 31
I make my extreme displeasure about the whole situation known,
in no uncertain terms, to Ken, in response to his January 14
mail. In it, I question the value of linking to Netscape's
Smart Browsing FAQ more prominently, asking whether it will
only serve to provide Netscape an opportunity to baldly
contradict our work or give them another opportunity to
portray us as somehow sympathetic or related to a terrorist.
I receive no reply.
March 7
I contact Lauren Weinstein again, making him aware of
developments since the most recent Smart Browsing article to
appear in the PRIVACY Forum Digest.
March 21
Lauren writes to inform us that he's checked links again, and
Netscape appears to have picked up additional "what's related"
data for our report, all of which matches what I found on
Alexa's site on March 8. Both Netscape and Alexa show the
Unabomber's manifesto to be the first on the list of related
links.
I hope that this is helpful in showing that some potential risks
of giving the providers of a product or service a form of
editorial power are no longer purely theoretical.
We found a problem, studied it, and explained our findings in a
publication that should be understandable by anyone with an
interest in their privacy. Netscape has had the ability to make
minor modifications to the operation of their service in order
to solve these problems, but has not. Instead, we have seen our
work called "inaccurate" and "misleading".
This is a real problem and I'm disgusted with Netscape's
handling of it.
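
The cookie-domain point from the September 1998 and January 13, 1999 entries, as an added example that is not part of the original account or of Netscape's code: it applies the RFC 6265 domain-match rule to show which hosts receive a cookie scoped to *.netscape.com, and why a service hosted under *.netscape.net would not. The host names and the cookie name are hypothetical; only the two domains come from the text.

```javascript
// Added illustration. Host names and the cookie name are hypothetical;
// only netscape.com and netscape.net come from the text.

// RFC 6265 section 5.1.3 domain-match: the request host equals the cookie
// domain, or ends with "." + cookie domain (IP-address hosts never suffix-match).
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Names of the cookies a browser would attach to a request for `host`.
function cookiesSentTo(host, jar) {
  return jar.filter((c) => domainMatch(host, c.domain)).map((c) => c.name);
}

// Hosts that all receive the same cookie, and so can be joined on its value.
function correlatableHosts(cookieName, hosts, jar) {
  return hosts.filter((h) => cookiesSentTo(h, jar).includes(cookieName));
}

// Constructed sample data.
const HOSTS = {
  download: "download.netscape.com",   // hypothetical Netcenter download host
  relatedCom: "related.netscape.com",  // hypothetical: service under netscape.com
  relatedNet: "related.netscape.net",  // hypothetical: service under netscape.net
};
const NETCENTER_JAR = [{ name: "NETCENTER_ID", domain: ".netscape.com" }];

// Compare the two deployments: service in the cookie's domain vs. outside it.
function compareDeployments() {
  return {
    sameDomain: correlatableHosts(
      "NETCENTER_ID", [HOSTS.download, HOSTS.relatedCom], NETCENTER_JAR),
    splitDomain: correlatableHosts(
      "NETCENTER_ID", [HOSTS.download, HOSTS.relatedNet], NETCENTER_JAR),
  };
}

console.log(compareDeployments());
```

Whether the server logs the cookie is a policy choice; the domain match alone determines whether the browser sends it.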