Junkbusters

The Comet Cursor

Background

For background and news on this story, see our news page.

Related links


  1. Comet's web site offers an uninstall program. Let's hope it doesn't secretly do anything else.
  2. An Industry Standard article January 29 noted "The cursor has some tracking capabilities, as well, because each download includes a unique user ID." but left the question of what was tracked there; no mention was made of URL reporting.
  3. A New York Times story November 22 titled Internet Company Offers Customized Cursors.
  4. A Red Herring article January 29 titled Comet Systems' cursor points to more Web advertising.
  5. The Police Department of Manchester, NH used Comet Cursor.
  6. Until Monday the http://www.algore2000.com/kids/ page included a large Comet Cursor ad.

Open Letter 1999/11/29 to Eliot Spitzer, NY Attorney General

Dear Sir

This open letter asks your office to investigate the unfair information practices of Comet Systems Inc. of 143 Varick St., New York City (Comet).

According to information from Richard M. Smith, a widely respected computer security consultant, Comet's software product exceeds its apparent function of changing the web browser's cursor on web sites that use its service. Rather, Comet's software also reports to its Web server the pages on the web sites its software users visit at which the feature is installed by the Web publisher, along with a unique identification number specific to the user. This reporting function appears to have been kept secret by Comet until Smith discovered it by technical means. Comet's own promotional material claims that the Comet Cursor is installed on more than 20% of the computers on the Web. It also claims more than 60,000 Websites use its product, with more than fifteen million downloads so far and close to a million downloads per week. This extensive surreptitious collection of data about the online behavior of millions of people who use their software is unfair, and I hope that your office will act swiftly to ensure that the parties responsible will be held accountable for this wholesale violation of its users' privacy.

After calls from the Associated Press over the Thanksgiving weekend, Comet posted a Privacy Policy at http://www.cometsystems.com/contact/privacy.shtml disclosing some details of the surreptitious data collection and making certain assertions about uses that have and have not been made of the gathered information. I also spoke today with officers of the company who told me that the data has not been provided to any other party. However, I consider that the circumstances warrant independent investigation. Furthermore, the degree of notice provided by this new policy and by companies using the product is inadequate, particularly in the light of the manner in which it is installed during a user's visit to a participating web site.

Incidents of this kind have become disturbingly frequent, raising the question of whether existing law can deter unfair information practices such as those undertaken by Comet. It may be that the Computer Fraud and Abuse Act of 1986 is applicable here, as well as other Federal and/or state laws. The question of the adequacy of current law is both a practical question for you in your role of law enforcement, and is also a policy question in the context of the failure of Washington's present policy of self-regulation to protect Internet users' privacy. I address this letter to you because of your leadership in both the enforcement and legislative fronts, and because of your authority over the main company concerned.

I believe that a thorough investigation is needed to determine the answers to the following questions.

  1. What data has Comet collected, and what has it done with this data?
  2. Has Comet or any other company linked any Global User IDs or cookie or any other electronic identifier with individual offline identity?
  3. What profiles, if any, has Comet created using the data?
  4. Has the data (or any profiles built using it) been disclosed to any other parties? If so, to whom and under what terms?
  5. Who within and outside Comet was aware of the surreptitious data collection? Key parties here include the officers of Comet, investors, the sales staff who promoted it to other companies, and the technical and marketing staff at those companies that installed or promoted the feature. According to Comet there are more than 60,000 Websites in this category, including Yahoo!, Lycos, AltaVista, Mattel, Warner Bros., United Media, Gore 2000, and BellSouth.
  6. To what extent were ad networks such as Flycast, DoubleClick and Ad Knowledge, who were reported as early users of the technology, aware of the data collection or involved in the use of the data?
  7. To what extent were the companies that enabled the collection of clickstream data from their web sites aware of the collection, and was that collection consistent with those sites' privacy policies? Any inconsistency may be in breach of Section 5 of the Federal Trade Commission Act. Prior knowledge makes this more serious.

    A failure to disclose the collection is particularly significant in the case of companies who are members of the Online Privacy Alliance. (The OPA is an industry group that lobbies against privacy laws.) In its self-regulatory principles its member companies undertake to disclose what individually identifiable information is collected, so a failure to do this may be a breach of Section 5 or various laws. OPA member Yahoo for example discloses in its privacy policy that "Yahoo! advertisers... may collect personally identifiable information about you." Privacy experts consider that notice is only one of many requirements for fair information practices, but an important question for consumer protection is what constitutes adequate notice in an environment where many parties are collecting information but the typical consumer perceives only a visit to a single site.

Finally, I hope your office will take an active hand in Comet's remediation of the intolerable data highway they have built. They should not only stop the excessive data collection, but also appropriately treat the data already gathered. They should be required to develop a remediation plan together with privacy experts, government authorities, and an independent auditor, to stop the data collection from present and future users. Cooperation with its business partners will also be necessary. The data already collected should be frozen until it can be destroyed or possibly reduced to aggregate form under appropriate supervision.

I am also sending a copy of this letter to the major parties mentioned here and to leading privacy groups. If I can assist your office in any manner, please let me know. I hope that your investigations and responses from the parties concerned will lead to just treatment for them, and serve as a case study guiding the protection of privacy in the next century.

Sincerely

Jason Catlett
President
Junkbusters Corp.

Copies to:
Tom Schmitter, CTO and COO, Comet Systems, Inc.
Jeff Richards, Internet Alliance / Online Privacy Alliance
Bureau of Consumer Protection, Federal Trade Commission
Privacy groups: EPIC, CME, Privacy International


Copyright © 1996-2005 Guidescope Inc ®. Copying and distribution permitted under the GNU General Public License. 2005/01/15 http://www.junkbusters.com/comet.html