Red Rock Eater Digest (Most Recent Article: Mon, 22 May 2000)
[RRE]web tracking, online mailing lists, PKI competition
```
[I have abridged these but have not reformatted them]
---
This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" option. For information about RRE, including instructions for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html or send a message to requests@lists.gseis.ucla.edu with Subject: info rre
---
Date: Fri, 24 Dec 1999 11:24:57 -0800
From: PRIVACY Forum
PRIVACY Forum Digest Friday, 24 December 1999 Volume 08 : Issue 22
(http://www.vortex.com/privacy/priv.08.22)
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com

===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems.
- - -
These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
    Web Tracking and Data Matching Hit the Campaign Trail
       (Lauren Weinstein; PRIVACY Forum Moderator)
    Who owns your mailing list? Topica.com may have bought it.
       (Allyn Weaks)
    Re: Defective crypto in Netscape mail password saver [V08 #20]
       (Ethan Benson)
Please include a RELEVANT "Subject:" line on all submissions! Submissions without them may be ignored!
---
The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.
All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are via an automatic list server system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com".
All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the list server system. Please follow the instructions above for getting the list server "help" information, which includes details regarding the "index" and "get" list server commands, which are used to access the PRIVACY Forum archive.
All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access.
---
VOLUME 08, ISSUE 22
Quote for the day:
"As long as they can think, we'll have our problems..."
-- Eros (Dudley Manlove) "Plan 9 From Outer Space" (Reynolds Pictures; 1959)
---
Date: Thu, 23 Dec 99 20:40 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Web Tracking and Data Matching Hit the Campaign Trail
Greetings. In yet another example of the "if it's legal, someone will do it" school of data matching and web tracking, it has been revealed that the two leading Republican presidential candidates, Sen. John McCain and Texas Gov. George W. Bush, have contracted with Aristotle Publishing (http://www.aristotle.org) to target web users by matching web browsing habits and web site signup data with actual voter registration records. Apparently these are the only two presidential candidates currently making use of this service, as announced by an Aristotle spokesman.
Aristotle, which describes itself as a "thriving, growing, profitable firm," provides "tools" to political campaigns to "influence public opinion" and "win votes." Their web site apparently can only be viewed if you have javascript enabled--without it you could simply see a blank page.
You may have already been justifiably concerned about DoubleClick, Inc.'s tracking of your behavior over the web, but Aristotle takes consolidation of personal data to a whole new level, by actually combining the information that has been provided by web users (e.g. for various "freebie" web giveaways), with specific and detailed political data such as voter location and party affiliation information, obtained from voter registration rolls. Maybe you wondered why you seemed to be getting something for nothing at those web sites, and what would really happen to that information you provided to them? Well, now you know. Welcome to the big time.
Once you've been targeted by this system, you'll be presented with the designated candidates' political banner ads on at least 1500 web sites, including some major portal and news sites. Some of these ads, once clicked, entice the user to enter various additional personal information (some of which Aristotle says they don't record).
Of course, to the average web user, there's no clue that they've been the subject of this sort of intensive data matching and rifling through their voter registrations. Most users would probably just assume that the ads popped up at random. Random? Surely you jest!
And golly gee whiz Mr. Wizard, you guessed it, this is all entirely legal. Proponents claim that there've been no significant complaints about the privacy aspects of the operation (perhaps that will change?), and they also suggest that they're no more privacy-invasive than direct mail (wow, now there's a "high" ethical bar to be shooting for if ever I've seen one...) And in fact, Aristotle is obviously proud of the service, since they've posted at least one outside press account on their own web site. (Will this issue of the PRIVACY Forum Digest show up on there? They hereby have my permission...)
Keep in mind that this is just the barest shadow of the sorts of "services" likely to evolve in the near future, given the "wild west" attitude which still prevails regarding personal information. It was bad enough when this only involved search engines and ads for offshore gambling or mailorder sales pitches. But the introduction of the political element directly into the mix should give everyone cause for some serious concern. I dare say that this calls into sharp focus the abysmal lack of regulations to control the handling and abuse of personal information, regardless of its various sources.
The power of web data collection, tracking, ad presentation, and similar technologies, combined with other traditionally public record data sources (and voter registration rolls are just the tip of the iceberg) creates a scenario that might cause Darth Vader to be jealous.
But of course, it's also possible to hold opposing points of view. Maybe none of this actually matters? Perhaps some persons reading this might feel that there really are no significant privacy problems with these sorts of data collection and matching activities. Perhaps you're not all that concerned about who gets your data or how it's used? Regardless of where you stand on this issue, I'd be interested in hearing your views (please remember to send submissions for possible inclusion in the Digest to privacy@vortex.com).
It does seem bizarre, however, that it appears to be impossible to register to vote in this country without subjecting yourself to these sorts of information manipulations, with apparently no real opt-out available.
Given these developments, perhaps it's no wonder that whenever I see the glowing descriptions of plans for voting over the Internet (already a reality for one state's primary and high on the wish list for many states) I get a cold chill down the back of my spine...
Until next time, all the best for the holidays!
--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy
---
Date: Wed, 22 Dec 1999 01:18:21 -0800
From: Allyn Weaks
Who owns your mailing list?
This may be old hat to some, but it was a shock to me. I own a non-free majordomo mailing list at esosoft.com. List owners generally pay for lists in order to have full control over content and the usual majordomo (or other list server) features. Two weeks ago, we started getting an odd message back when we tried to send admin commands to majordomo. I didn't think to save one, but it was to the effect that majordomo commands were turned off pending an upgrade. On Wednesday (15 Dec), just before midnight PST, we all received an email proclaiming "Your Esosoft Mailing Lists now Free!". Inside was a hyped up description of how all of our lists were going to be moved to topica.com in one week, and that this is such a wonderful thing because we can get royalties from the advertising that can be added to each message if we request it. (By default, so far, each message 'only' advertises topica.) Meanwhile, during much of this week, admin commands to esosoft's majordomo were disabled, making it impossible to get our subscriber lists or list settings, or maintain the lists, without going through esosoft support (who did a good job--she was as shocked as the rest of us and did her best to help us cope).
One of the long time esosoft mailing list owners has estimated that about 1600 lists were affected. If we assume that there are an average of 300 subscribers per list, that's nearly a half million addresses. How much is that worth to topica? Well, if there are 1600 lists, esosoft is going to have to shell out about $40,000 in refunds to us owners, and they're almost certainly getting a hefty profit out of the deal as well as getting rid of the lists (they apparently want to use those ten servers for higher profit-margin virtual servers.)
Meanwhile, there are at least a hundred of us who are irate that our subscriber lists have been sold to the very worst of the 'free' list sites without our permission (probably many more than a hundred, but some owners probably don't know how to find us, and we don't know how to find them). If we had wanted to do business with an Ads-R-Us site, we could have gone with onelist or similar in the first place. But being serious list admins, we were willing to pay out real money to have full control over content (no ads!) and to protect our subscribers. All gone for naught. Worse, even though many of us frantically told esosoft and topica to cancel the transfer before subscriber lists were moved, and were assured that this was done, we found out this afternoon that the 'deleted' lists on topica have been recreated and the subscriber lists as of Dec 17th handed over anyway. (Note that between the time we received notice and the time the lists were copied for transfer, majordomo was disabled and there was nothing we could do about protecting our subscriber lists, even assuming that esosoft wouldn't just rip them out of a backup set.) As far as I can tell, esosoft is covered legally, because the buyout is called a 'partner arrangement' and esosoft can assign who actually handles the lists we've paid for, even though the services are not even remotely comparable.
Now that it's happened, we've been trying to find other mailing list suppliers, only to find that topica has been approaching and trying to buy many of them out. A few are proud to have refused and are using that as a (very good!) selling point. Some have already sold out just as esosoft did. Some won't say whether they've talked to topica. We've also found lists on topica that have never had any known association with them, or with any provider who has had association with them. Some of the lists that show up at topica have been run from their start from private virtual servers, but topica lists them in their directory anyway. We don't know yet if they're active in any way but are working on it.
Topica does have a copyright/privacy statement. But according to an ex-esosoft list owner who's stuck with topica until she can make other arrangements, a topica account rep said in the topica listowners mailing list that the statement published on the web isn't the current policy! It should read:
"Topica does not claim ownership of the Content you transmit through Topica's Service. By transmitting Content through Topica for distribution to your Topica List, you grant Topica a world-wide, royalty-free, and non-exclusive license to reproduce, modify, adapt and publish the Content solely for the purpose of providing Topica's hosting, archiving, subscription, and promotion services. This license exists only for as long as your List continues to be a archived at Topica and shall be terminated at the time your Topica account is terminated."
Note the bit about 'promotion services'. So they don't claim 'ownership' of everyone's work, just the right to use it however they darned well please. None of us in the former-esosoft-listowners group would ever have knowingly agreed to such a thing.
So, if any of you run mailing lists, make sure that your contract says that none of the list information will be transferred to any other party under any circumstances, including partner arrangements. Better yet, invest in a virtual server and run the list server from scratch, with clear and strong warnings to any potential hijackers.
Side note: topica.com is the most annoying site I've ever been forced to try to use. You can't get anywhere to speak of without images .and. cookies .and. javascript all turned on. Ads with associated cookies from a wide variety of servers pop up every few seconds. Horrible bugs, too: people who subscribe to one list find themselves subscribed to multiple lists, and the same for unsubscribe. Truly a nightmare. The most disturbing thing of all is that some people don't mind it!
If any readers are ex-esosoft list owners in search of the support group, let me know and I'll point you in the right direction.
---
Allyn Weaks allyn@tardigrade.org
Seattle, WA Sunset zone 5
Pacific NW Native Wildlife Gardening: http://www.tardigrade.org/natives/
[ Letting any outside entity have access to one's complete mailing lists is an extremely risky business. The safest route (and the one I've always followed) is to maintain 100% control over the maintenance of my lists and related distributions. Unfortunately, this option is not practical for many persons, resulting in the sorts of surprises described above. -- PRIVACY Forum Moderator ]
---
[...]
---
End of PRIVACY Forum Digest 08.22
---
Date: Tue, 21 Dec 1999 14:08:33 -0800
From: PRIVACY Forum
PRIVACY Forum Digest Tuesday, 21 December 1999 Volume 08 : Issue 21
(http://www.vortex.com/privacy/priv.08.21)
CONTENTS
    BULLETIN: Public Key Competition on the Web Goes POOF?
       (Lauren Weinstein; PRIVACY Forum Moderator)
---
VOLUME 08, ISSUE 21
Quote for the day:
"You can take my word for it. There'll be no war."
-- Charles Foster Kane (Orson Welles) "Citizen Kane" (Mercury/RKO; 1941)
---
Date: Tue, 21 Dec 99 10:17 PST
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: BULLETIN: Public Key Competition on the Web Goes POOF?
Greetings. Various pundits have been declaring that the time had come for widespread adoption of public key systems for the encryption and verification of all manner of documents and transactions in both private and public venues. Now comes the startling announcement that effective competition in the critical "Certification Authority" business, crucial to the operation of the Public Key Infrastructure (PKI) on the Web as it's now structured, may apparently vanish, at least as far as most Web server operators and browser users are concerned.
This further complicates a situation which already had been raising eyebrows in many quarters. While it can be argued that digital certificates are not the only mechanism suitable for providing PKI services, and that they are in respects inadequate (see http://www.csl.sri.com/neumann/insiderisks.html for new "CACM" articles expressing these views), the bottom line is that for the foreseeable future you need these certificates for most PKI on the Web.
The announcement that VeriSign, Inc. (http://www.verisign.com), the largest provider of digital certificates for PKI operations, is purchasing the second largest provider, Thawte, Inc. (http://www.thawte.com), for stock worth more than half a billion dollars, will mean that in the Web world, VeriSign will control virtually the entire PKI certification business. Since Thawte generally undercut VeriSign in terms of pricing, it's hard to view this transaction as other than an apparent effort by VeriSign to close down the competition.
While both companies in their press releases and announcements have stressed the "benefits to consumers" that would result from this consolidation, it's hard to find other examples of cases where consumers were advantaged by two companies, each with approximately 50% market share, combining to form one company with virtually a 100% share. Such a state of affairs would be intolerable in most important business sectors.
As I mentioned above, there had already been questions raised about the state of affairs regarding such certification authorities. Most Web users' main contact with PKI is through the "SSL" system that is usually used to encrypt financial transactions and purchases over the Web. An awful lot goes on to make that little lock icon close on your screen, and key to this process are the "digital certificates" issued by companies such as VeriSign and Thawte. These certificates allow the entire public key encryption system to operate.
In theory, any Web user could accept a certificate from any source, and there are many firms and even individuals that do issue such certificates. However, the process of accepting and installing these certificates can be confusing and a bit scary to many users, so in practice the vast majority of transactions take place using the pre-installed certificates in the common Web browsers. And of the various firms that are pre-installed, only VeriSign (whose certificates read as "RSA Data Security") and Thawte have any significant working market share, so the entire universe of Web server/browser certificates is basically split between them. Interestingly, Thawte may become the leading browser certificate authority on 1 Jan 2000, when some browsers with VeriSign certificates will face "root" certificate expiration, which will no doubt be incorrectly viewed by many users as a Y2K bug...
Lack of real competition in this segment of the PKI market is bad news for businesses, governments, and consumers. To many observers, even before this announcement, it was already unclear why this market in the Web world was so tiny, and why digital certificates, which buyers are usually forced to renew annually, are priced at such relatively high levels.
For users to have confidence in public key systems, which are now being heavily promoted by commercial firms and governmental entities, it's absolutely necessary that viable competition exists in this area. The questions concerning the current state of affairs that brought us to this juncture need to be answered with all due haste.
--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy
---
End of PRIVACY Forum Digest 08.21
---
```