"Cat" Scanning Device May Track Users
------------------------------------------------------------
Stefanie Olsen, CNET News.com
A new cat-shaped scanner being given away to millions of consumers this fall may be
letting more out of the bag than the people using it know about.
Privacy advocates are investigating the device, known as the CueCat, and its ability to
snoop on consumers while swiping bar codes printed in catalogs and magazines or on
products. Researchers say the scanner, produced by DigitalConvergence, makes use of an
identifying serial number that could trace the actions of an individual user and create a
detailed database on a specific device's usage.
"Whenever you scan something, your browser will make a connection with
(DigitalConvergence's) site. It reports the (bar) code, your device serial number and a
token that identifies you as an individual," said Matt Curtin, founder of Interhack,
a security consultant group that has been looking into the technology.
As a result, "they could have a dossier of every person using the CueCat," he
said. "This would show my ID...my email address, and a list of all the products I've
ever scanned, how many times I've scanned them, and when I've scanned them."
A DigitalConvergence spokesman said that the company is not tracking this type of
information. He said customer registration information is retained only for the purposes
of general demographics.
"There is a unique ID within the CueCat so that we can see that some Cats came from
Forbes and some came from Wired," said Dave Mathews, vice president of new product
development at DigitalConvergence. "(But) individualized serial numbers are not
designed to track individual behavior."
Those assurances have not assuaged privacy advocates, however, who among other things say
that the company has not adequately disclosed its practices.
"The problem is the notification. Do people have a full idea of what they're getting
involved with?" said Lauren Weinstein, moderator of the Privacy Forum and co-founder
of People for Internet Responsibility.
New York-based DigitalConvergence began shipping more than 1 million scanners this month
through RadioShack and to readers of Forbes and Wired magazines. The company hopes to
introduce consumers to technology that bridges the printed word with the Web. By using a
CueCat linked to a computer, consumers can swipe bar codes (or cues) on soup cans, shampoo
bottles, or within advertisements or editorial to be transported to related Web sites.
Users of the device must go to the DigitalConvergence Web site and register some personal
information, including their name, email address, gender, age range and ZIP code. This
information is then linked to a unique identifier within the CueCat and sent to servers at
DigitalConvergence each time a bar code is swiped.
Other privacy groups are poised to join the fray.
The Denver-based Privacy Foundation tomorrow is expected to issue a detailed report on the
CueCat scanners, threatening to land DigitalConvergence with its second black eye over
privacy issues this month. Last week, a security breach at DigitalConvergence's Web site
exposed about 140,000 consumers' names, email addresses and ZIP codes, raising the
eyebrows of many new members and privacy advocates.
The Privacy Foundation refused to discuss the substance of its report. But the issue of
serial numbers is a sensitive one among privacy advocates.
"Abuses at other companies have poisoned the well so much that a serial number is
immediately considered suspect in any quarters," Weinstein said. "As a result,
companies must bend over backwards to make sure everything is squeaky clean, because
everyone's going to be viewed with extreme skepticism."
The serial number issue has been raised before, most famously in early 1999 in a clash
with Intel over its Pentium II computer chip.
The company began stamping its processors with distinct numbers that consumers were
expected to use as a form of identification, similar to a password, to enter protected Web
sites. But consumer advocates said the number could be used to track people's Web travels.