DonkBoy Internet
Home of the famous
Information Archives.
"For the curious"

For your security, Turn off cookies.


We Know Where You Surfed Last Night

John Lettice

A group of privacy advocates led by security expert Richard Smith
and Junkbusters president Jason Catlett is lobbying the Federal
Trade Commission to force software companies to close a cookie
security loophole that allows Web surfing habits to be tracked by
the use of email.

Smith, whose previous scalps include security issues involving
RealPlayer and Microsoft, has as usual provided a convincing
explanation of how the loophole can be exploited.

The loophole is available via email clients that can display
graphics retrieved from the Web. You read the message, the graphic
is downloaded, and you can then be assigned a unique serial number
via a cookie.

The serial number can be matched to your email address (because the
assigner of the cookie sent you the email, right?) and then you're
effectively 'branded' -- as you browse the Web, any site with access
to the data cross-referencing the cookie with your email ID knows
who you are.

One of the mechanisms companies use to simplify this process, says
Smith, is to encode the recipient's email address in the URL of the
graphic, making it easy for their servers to match the cookie to
the address.
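
As an added illustration (not part of the original article), the Python sketch below scans a message for remote images whose URL carries the recipient's address, the mechanism Smith describes. It goes beyond the article by also checking hex, base64 and SHA-256 forms, which are assumptions; tracker.example, the sample message and all function names are constructed for this example.

```python
import base64
import hashlib
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import unquote

class ImgCollector(HTMLParser):
    """Collect the src of every <img> that would be fetched from the Web."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "img" and src.lower().startswith(("http://", "https://")):
            self.srcs.append(src)

def address_forms(address):
    """Ways the address may be written into a URL (assumed set, not exhaustive)."""
    raw = address.lower().encode()
    return {"plain": address.lower(),
            "hex": raw.hex(),
            "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("=").lower(),
            "sha256": hashlib.sha256(raw).hexdigest()}

def find_tracking_images(raw_message):
    """Return (url, form) for each remote image whose URL carries the recipient."""
    msg = message_from_string(raw_message)
    address = parseaddr(msg.get("To", ""))[1]
    if not address:
        return []
    forms, hits = address_forms(address), []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for url in collector.srcs:
            hay = unquote(url).lower()  # undo %-encoding, ignore case
            hits += [(url, name) for name, form in forms.items() if form in hay]
    return hits

# Constructed sample; tracker.example and the address are placeholders.
SAMPLE = (
    "From: news@tracker.example\nTo: Alice <alice@example.com>\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<img src="http://tracker.example/logo.gif">'
    '<img src="http://tracker.example/p.gif?e=alice%40example.com" width=1 height=1>'
    '<img src="http://tracker.example/o/YWxpY2VAZXhhbXBsZS5jb20.gif">\n')
```

Run over the sample, find_tracking_images(SAMPLE) flags the second and third images and leaves the plain logo alone.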

Catlett, who slings a mean sound-bite, says that "Cookie leaks are
the bug from spammers that keeps on bugging. It's intolerable that
email can be used to silently zap a nametag onto you that might be
scanned by a site you visit later. It's like secretly barcoding
people with invisible ink."

Smith has called on Netscape, Microsoft and other software companies
to patch the hole, and has sent a report to the FTC.

------------------------------------------------------------

Groups Petition FTC Over E-mail Loophole
------------------------------------------------------------

Margaret Kane, ZDNet News

Consumer and privacy advocates on Friday will ask the Federal Trade
Commission to close software loopholes that allow bulk e-mailers to
identify consumers by exploiting 'cookie' technology.

The groups said that the security hole allows senders of bulk
e-mail to attach a cookie to a user's computer through an e-mail
message. Cookies are small identifying files that are normally used
with Web browsers, not e-mail.

The groups said they will submit a petition to the Federal Trade
Commission Friday.

Security consultant Richard Smith said that if someone reads an
e-mail through a Web browser, and that e-mail contains graphics
pulled from the Web, a cookie can be deposited on the user's PC.
When the user surfs online later, that cookie can be read by the
depositing site, and matched with the e-mail address of the user.

"Web browser cookies and e-mail messages don't mix," Smith said in
a release. "Web browsing is supposed to be anonymous, but with the
cookie leak security hole, companies can easily match our e-mail
address to the Web sites we visit."

Advocacy groups including Junkbusters Corp., the Electronic Privacy
Information Center, the Electronic Frontier Foundation, Ralph
Nader's Consumer Project on Technology and the Privacy Rights
Clearinghouse have joined in the petition to the FTC.
