Privacy Times, January 5, 2000
SMIFFED: AMAZON-ALEXA DATA COLLECTION
COULD BUBBLE OVER
Amazon.com and its subsidiary
Alexa seemed determined to plow ahead with a Web software
launch, despite a complaint to the Federal Trade Commission
that the program collects personal data in contravention of
the companies' privacy policies.
Although the two companies
insist they never used any of the personal data that their
systems quietly collected, concern is rising that the data
could be vulnerable to "hijacking." Moreover, it's possible
that Alexa's software is capable of capturing data that is
supposed to be protected by Secure Sockets Layer (SSL), a
common encryption program for credit card data.
The two firms joined Microsoft,
Real Networks and a growing list of Internet firms that have
been "Smiffed," that is, caught in a privacy faux pas by Massachusetts-based
computer expert Richard Smith. Whenever he sniffs around,
Smith seems to find that major Internet companies are secretly
capturing personal data on Internet users.
In his latest endeavor, Smith
discovered that Alexa's trial software, which is designed
to track aggregate data on Internet shopping, in fact collects
personal data on Internet users. This is possible because
the software captures the web addresses, or "URLs," previously
visited by a user. If, while at previous Web sites, the user
filled out forms or made queries, then his personal data becomes
attached to the URLs collected by Alexa's software.
Smith's finding is significant
because Amazon.com, the Web's most popular shopping site,
plans on using Alexa's software for its "zBubbles" service,
which aims to let Internet shoppers compare notes and make
web site usage data and traffic pattern data with respect
to your activity both within and across web sites - all of
which remains anonymous." Alexa's policy for its Web navigational
service says, "When using the service, we collect information
on Web usage which remains anonymous." Amazon.com's acquisition
of Alexa was seen as integral to its "customization" strategy,
i.e. getting to know its customers better.
In a letter to Amazon Chairman
Jeff Bezos, that also went to the FTC, Smith said the transfer
of personal data on Internet users "is a breach of zBubbles
License and Usage Agreement. In addition," he added, "the
software may also violate a number of federal laws including
the Computer Fraud and Abuse Act and the Electronic Communications
Alexa Founder Brewster Kahle
acknowledged that personal information is collected, but only
because it was attached to URLs. The information is not stored
permanently and is not used to connect Web activity to an
individual by name," Kahle told The New York Times.
The Alexa technology tries
to offer online shoppers improved guidance on how to retrieve
information about goods and services. It does this by studying
the paths followed by many Web surfers so that individual
consumers can benefit from an aggregation of shopping experiences.
Upon installing the Alexa
"plug-in," Smith used a "packet sniffer" to monitor all data
going from his computer to the Internet. He quickly noticed
that the entire URL, including the so-called query string,
was sent to Alexa's servers. A query string, for example,
would show what a visitor searched for at a Web site.
"On certain Web pages, query
strings can contain personal data such as names, addresses,
phone numbers, and e-mail addresses," Smith said in a letter
to Bezos. "In addition, query strings can also include information
about what people are searching for, what products they are
buying, and travel reservations. Pretty clearly, no software
package should ever be transmitting this kind of personal
information to another party without the knowledge and consent
of a user."
Smith said an additional
risk in the Alexa-zBubbles format is that the data could be
"hijacked" -- stolen after its collection, but before its
destruction. Moreover, it's possible that Alexa's technology
could capture surfers' data protected by Secure Sockets Layer
(SSL), the encryption program that commonly protects credit
Kahle and Alexa Media Spokeswoman
Cynthia Lohr did not return Privacy Times' calls. In an e-mail,
Kahle said he was traveling. He added, "We live under the
rule of thumb said to me by Marc Rotenberg of EPIC before
we launched the service 3 years ago: "If you dont know who
is who, then you don't have a privacy issue".