FTC: Consumer Privacy Comments Concerning NSClean Privacy Software--P954807

Consumer Privacy - Comment, Project No. P954807 


NSClean Privacy Software
Nancy McAleavey, CEO
89B Barent Winne Rd
Selkirk NY 12158
http://www.nsclean.com


   On behalf of NSClean Privacy Software, I thank the Commission for the opportunity to comment on consumer privacy issues and the Global Information Infrastructure. Our privately held company manufactures software which affords consumers a significant and easy to use means of controlling information placed on their machines by browsers which can result in risks to their privacy.

   While I will touch on many of the concerns from the standpoint of the consumer and attempt to correct some misimpressions as to the severity of certain items, my discussion here primarily deals with the technical issues of these concerns and to a lesser degree the mechanisms by which our products provide a technological means to address them.

The issue of "persistent cookies" and javascript 1.2

   "Cookies," a small single database or group of files created by most browsers, have come under a great deal of scrutiny in the trade and technical media as well as the public media and have generated concern far beyond that which is warranted in most cases. Cookies are largely innocuous in general usage and are actually beneficial to the end user when used without benefit of external information with which they can be associated. It is only when cookies are matched up with other data that they can become a genuine privacy concern, as most cookies can only identify a particular machine and not an individual, owing to their remarkably unsophisticated design.

   As explained in the Netscape cookie specification, cookies are highly limited in their capabilities which at best are useful for placing an electronic "dog tag" or serial number or a small amount of information onto the end user's machine for retrieval as needed by one particular site. Sites that use cookies as an indexing reference for a database are actually pretty rare since there are much better ways to gather personal information from a user's ordinary activities. The risk however is not zero.

   Cookies are used by commercial shopping sites to store items selected for purchase to relieve the need to enter the order information manually as the user navigates through a number of pages. This function is commonly referred to in internet commerce as a "shopping basket." Other beneficial uses of cookies are customizations of the appearance of a particular site or for storing user preferences or passwords to limited access sites such as the New York Times newspaper for the convenience of the end user. The popular Yahoo site as an example allows its users to preset a selection of particular stock market symbols they wish to follow or to customize information to be delivered to them when they visit.

   Software exists that blocks these cookies, and these designs often interfere with the legitimate uses of cookies as well as with the proper operation of many legitimate sites. Some sites will not function at all unless cookies are allowed, since they use them to let users move among the various pages on their sites. The vast majority of "cookie" software simply blocks all cookies, including the beneficial ones. Software that permits editing or deletion after the fact is a better solution, as the real danger arises when cookies become persistent, remaining on the hard disk as a tracking tool for years after they have been placed.

   Many of the later versions of browsers permit the user to engage a warning when a cookie has been received from a site by their browser. Some of these warnings also permit the user to selectively reject each received cookie, however some sites which dispense cookies often dispatch so many cookies that users become frustrated and will often turn these warnings off after a time.

   Many individual sites may pass one or two cookies to the user for whatever purpose, but there is a particular program called the Apache http server which, when misconfigured, can send dozens of cookies with each delivered page on such sites. Apache "cookies" aren't actually cookies since persistent cookies (ones that remain behind on a client machine after a session with a particular site) have an expiration date and these Apache cookies which so frustrate the public do not.

   An examination of the cookies database on a user's hard disk will not contain any of these apparent cookies as they do not follow a valid format. The sheer number of these ersatz cookies in particular are what cause users to turn off the notification of cookies in their browsers as the Apache http server is quite widely used by many sites. Apache has fixed this problem in later versions of their internet server product but it is still possible for a system administrator to accidentally misconfigure their server resulting in this "barrage."

   As stated above, there are many legitimate and useful purposes for cookies. There are also genuine concerns about cookies which involve "rogue" sites as well as certain providers of banner advertising on web pages. Most of our evidence here is anecdotal, based upon comments from our customers in personal email to us. There is a widespread perception that companies such as Doubleclick, focalink, and myriad others are watching people as they move from one web site to another which carries their advertising banners. People are concerned they are being profiled for their patterns of usage.

   In ads placed on the home pages of the above mentioned sites in the past, they proclaimed to prospective advertising clients that they did indeed "profile" their clickthroughs by recording the user's IP (internet protocol) address and other data collected in order to deliver "highly specific targeted advertising" to the user based upon their preferences, likes and desires. Since a small number of internet providers also pass along the user's real name and/or email address with the link to these sites, it is technically possible for them to correlate the cookies with the log entries in their server containing the user's identity, and thus it would appear that this concern could be valid.

   These claims are no longer made on their sites and have since been replaced with explanations to the public that they don't really do such things. Those among us who have been following this for a long time remember the original claims. In fact we provided a link directly to those pages for a very long time to educate our customers on the claims made by the banner advertisers.

   Only these providers can satisfactorily answer what information they gather and whether or not they reference the serial numbers they provide in their cookies and whether or not these cookies are used as keys to index detailed databases collected on consumers from other information exchanged for commercial purposes. I note the absence of comment by any of the above banner advertisers.

   The newest version of Netscape's Communicator browser product provided for the first time the ability to reject "third party" cookies. These "third party" cookies are those sent not by the site that the user has linked to, but rather another unidentified site that serves up banners and cookies for their own purpose. Since the cookie givers' address is different, it was possible to reject those cookies in Communicator without adversely impacting the desired site. As soon as Communicator provided that capability, the cookie givers began serving up their cookies with the site address of the first party site in their domain appended to their domain and thus defeated this wonderful idea Netscape had. Clearly there is a strong desire on some of the banner advertiser's part to get those cookies through no matter what and this too has raised great suspicion among the public.
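The two distinctions the preceding paragraphs rest on, a persistent cookie versus a session cookie (one carrying an expiration date versus one that is discarded when the browser exits) and a first-party cookie versus a "third party" cookie served by a host other than the site the user visited, can be checked mechanically from the Set-Cookie headers a browser receives. The following is an added example written for this discussion; it is not NSClean code. It assumes a capture in the form of (responding host, Set-Cookie header) pairs, approximates a host's "site" by its last two DNS labels (a real tool would use the public suffix list), and all hostnames and cookie values in the sample are constructed.

```python
"""Classify the Set-Cookie headers received while one page loads.

Added example, not NSClean code. Assumptions (hypothetical, not from the
comment): a capture is a list of (responding_host, set_cookie_header)
pairs, and the "site" a host belongs to is approximated by its last two
DNS labels; a real implementation would use the public suffix list.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split 'name=value; attr=val; flag' into name, value and a dict of
    lower-cased attributes (expires, path, domain, secure, ...)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def site_of(host):
    """Approximate registrable domain: the last two labels (assumption above)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_persistent(cookie, now):
    """A cookie outlives the session only if it carries a future Expires
    (Netscape spec) or a positive Max-Age (RFC 2109). Anything else is a
    session cookie that the browser discards on exit."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return attrs["max-age"].isdigit() and int(attrs["max-age"]) > 0
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return False  # unparseable date: treat as a session cookie
    return False


def classify(page_host, capture, now=None):
    """One record per Set-Cookie header: who sent it, whether it is
    third-party relative to the page the user actually visited, and whether
    it will remain on disk after the browser closes."""
    now = now or datetime.now(timezone.utc)
    page_site = site_of(page_host)
    records = []
    for responding_host, header in capture:
        cookie = parse_set_cookie(header)
        records.append({
            "name": cookie["name"],
            "from": responding_host,
            "third_party": site_of(responding_host) != page_site,
            "persistent": is_persistent(cookie, now),
        })
    return records


def tracking_cookies(page_host, capture, now=None):
    """The subset a privacy tool would flag: both persistent and third-party."""
    return [r for r in classify(page_host, capture, now)
            if r["third_party"] and r["persistent"]]


# Constructed sample: one page load on a news site that embeds a banner
# served by an ad network (hostnames and values invented for this example).
SAMPLE_PAGE = "www.example-news.test"
SAMPLE_CAPTURE = [
    ("www.example-news.test", "prefs=sports; path=/"),
    ("www.example-news.test",
     "login=abc123; expires=Wed, 09 Nov 2030 23:12:40 GMT; path=/"),
    ("ads.example-adnet.test",
     "uid=7f3a9c; expires=Wed, 09 Nov 2030 23:12:40 GMT; path=/; domain=.example-adnet.test"),
]

if __name__ == "__main__":
    for rec in classify(SAMPLE_PAGE, SAMPLE_CAPTURE):
        print(rec)
```

Run as a script it prints three records: the "prefs" session cookie and the "login" persistent cookie are first-party, while "uid" from the ad network is both third-party and persistent, which is the combination `tracking_cookies` flags. The comparison is made against the host that actually sent the response, not against the Domain attribute inside the cookie, which is why appending the first-party site name to an advertiser's domain does not change the outcome here.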

   A new concern has been raised with Javascript 1.2 which contains a new feature that will greatly extend the limited capabilities of cookies, providing remote sites with the ability to read, write, erase and completely access the end user's hard disk and potentially all of its contents. The scheme depends on signed certificates which can be forged by a rogue site as is the case with Microsoft Internet Explorer and its ActiveX technology which similarly provides hooks directly into the operating system. This constitutes a far greater hazard to security and privacy than do cookies as this potentially permits complete access to the contents of the end user's system at the whim of any outside site.

   NSClean Privacy Software provides products which permit the end user to turn off the cookie warnings and through the use of our software can accept cookies while online and subsequently use our software to remove them from their hard disk. Owing to the need for legitimate cookies to be kept for the convenience of users for legitimate sites, our product line beginning with NSClean32 version 4.10 (soon to be extended to all of our products) now permits users complete control over cookies. 4.10 and future versions of our products permit the user to select which cookies they find useful and desire to keep and remove all other cookies at their option. Prior to these new versions, our NSClean and IEClean software removed all cookies after the user had completed their travels.

   This ability to edit and thus decide which cookies should be kept while all others are discarded automatically is also complemented by giving the user the option of controlling cookie warnings from within our program plus it allows the user to reject all cookies regardless of their browser version if they so desire. The most recent version of Netscape's Communicator product allows rejection of cookies from the browser without manually hitting the "Cancel" button when the cookie warning appears. Our product extends this capability to earlier versions of the Netscape product which did not have this ability. In addition, our product permits the end user to reject java and javascript from remote sites which further enhances their privacy and security against unauthorized data gathering or computer trespass.
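Editing the cookie store after the session, keeping the cookies the user finds useful and discarding everything else, is the mechanism described in the two paragraphs above. The following is an added example of that approach written for this discussion; it is not NSClean's code. It assumes the Netscape cookies.txt layout of seven tab-separated fields (domain, flag, path, secure, expiration, name, value) with `#` comment lines, and the allowlist and sample file contents are constructed.

```python
"""Keep only allowlisted cookies in a Netscape-format cookies.txt.

Added example, not NSClean's code. Assumes the seven tab-separated fields
of the Netscape cookie file (domain, flag, path, secure, expires, name,
value); the allowlist and the sample file below are constructed.
"""


def _matches(domain, allowed):
    """True if the cookie's domain is the allowed site or a subdomain of it."""
    d = domain.lstrip(".").lower()
    a = allowed.lstrip(".").lower()
    return d == a or d.endswith("." + a)


def filter_cookie_file(text, keep_sites):
    """Return (new_file_text, removed), where removed lists 'name@domain'
    for every cookie dropped. Comments, blank lines and any line that is
    not a seven-field record are passed through unchanged so the file
    stays loadable by the browser."""
    kept, removed = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            kept.append(line)
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            kept.append(line)  # unknown layout: leave it alone
            continue
        domain, name = fields[0], fields[5]
        if any(_matches(domain, site) for site in keep_sites):
            kept.append(line)
        else:
            removed.append(f"{name}@{domain}")
    return "\n".join(kept) + "\n", removed


# Constructed sample file: a shopping basket and a news-site login the user
# wants to keep, plus two tracking cookies from an ad network.
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    "# constructed sample, not a real file",
    ".example-shop.test\tTRUE\t/\tFALSE\t1900000000\tbasket\t3 items",
    "www.example-news.test\tFALSE\t/\tFALSE\t1900000000\tlogin\tabc123",
    ".example-adnet.test\tTRUE\t/\tFALSE\t1900000000\tuid\t7f3a9c",
    ".tracker.example-adnet.test\tTRUE\t/\tFALSE\t1900000000\tsess\tq9",
]) + "\n"

# Sites whose cookies the user has chosen to keep (constructed allowlist).
KEEP = ["example-shop.test", "example-news.test"]

if __name__ == "__main__":
    new_text, removed = filter_cookie_file(SAMPLE_COOKIES_TXT, KEEP)
    print("removed:", removed)
    print(new_text)
```

The browser should be closed before the file is rewritten, since browsers of this era hold the cookie database in memory and write it back on exit, which would undo the edit. Matching is by domain suffix, so a subdomain of an allowlisted site is kept while an unrelated domain that merely ends in the same characters is not.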

Voluntary surrender of privacy

   Users often compromise their privacy in ways they may not realize. In order to send or receive email or send or receive postings to usenet newsgroups, a user must enter their real name, email address and their choice of additional information into their browser simply in order to connect and utilize these services. By doing so, they then make their real name, email address and other information voluntarily available to web sites and ftp sites simply by requesting data.

   When a user chooses to submit a form to a remote web site, the form is usually posted as an email message or it is provided as a CGI (Common Gateway Interface) response to a database front end at the web site along with their request for data. These requests commonly consist of a search of a database or some other submission a site requires before the user can continue. The email address of the user is usually sent along with the request. The browser will put up a warning that they are about to submit data, but the desire to receive the data compels them to click "OK" to submit the form regardless of the warning. The user's email address is sent and received at the other end, where it is at least stored in the system's logs if not entered into a database, without any warning at all.

   If a user decides to download a file from a site, it is sent to them by ftp (file transfer protocol). As a normal part of accessing files by ftp, it is customary to login to the ftp site using a username of "anonymous" and a password is also required to access a file. On anonymous logins, it is customary to send the user's email address as the password. The browsers do this automatically and again without warning. This too is an opportunity for an unsuspecting user to provide a disreputable site with information that could later be used to send them unsolicited commercial email or even to steal their identity for possibly nefarious purposes.

   When posting to usenet newsgroups, the user's email address is placed in the headers of messages which they place in newsgroups. Generators of Unsolicited Commercial Email ("Spammers") run harvesting software that collects these names from newsgroups en masse to turn around and sell to unscrupulous parties and are far and away the largest source of junk email. Again, the user has voluntarily surrendered their identity while merely attempting to exercise their right to free speech in a public forum. If a user finds themselves on a junk email list, they are often enticed into responding to the junk email by requesting that their name be removed. In reality, very few sites will remove their name upon this request. Instead, the "remove" request acts as verification that this is a "good" address which increases its value on a mailing list as "verified."

   In addition, sites like Dejanews archive all postings from usenet. By entering the email address of an active usenet user, anyone can gather an unofficial "psychological profile" of any party by entering their email address into the Dejanews server and rapidly obtain a listing of all newsgroups that person has participated in and from that listing, discover what any person's interests and passions are. While Dejanews exists to allow people to search for interesting topics and read comments placed there, this ability to profile strangers is ripe for concern since the news postings usually have the genuine name and email address of usenet users readily available from the web without even having access to usenet newsgroups.

   Another privacy risk is the new "Push" technology sites which provide a closed environment for the tracking of personal interests. Among the oldest and most noteworthy is a service called PointCast which delivers a stream of news and advertising to desktops. PointCast monitors the items you wish to see, gathers up your selections of topics you are interested in and delivers advertising customized for your desired interests. Just like web browsers, it also stores a huge amount of data on your hard disk and watches you while you watch it. Fortunately PointCast is a reputable company which is unlikely to represent a serious hazard, but it is gathering data and relaying it forward just like so many web sites do. PointCast users I know personally have told PointCast they did not want junk email from their advertisers yet received it anyway. A product to clean up PointCast installations is in development.

   In each of the above situations, a person is only able to protect their privacy by providing a false identification or to in some way modify their name to render it useless to those who gather these names for various purposes. NSClean Privacy Software products permit a user to optionally switch between their real name and an alias of their choosing to allow them to post anonymously to usenet newsgroups, thus foiling "spammers" as well as present the false identity when submitting forms to a site to continue on or when downloading a file. It allows the use of their real identity when they wish to receive responses or when sending email if they so choose and thus places the decision to disclose personal data squarely in their own hands.

Snooping on a person's machine - sensitive files

   Web browsers compile a number of files which are saved to the user's hard disk in the course of normal operation. These files include, but are not limited to a history database which maintains a list of all sites visited, what pages were viewed, which pictures were seen and other data on the contents of every site they visit. There is also a cache directory which contains copies of the actual files seen on web sites viewed, the actual pictures seen and another database index of those sites. By rummaging through the cache files, the actual sites a user has seen can be completely reconstructed at a later time.

   Browsers also keep the cookies collected, together with details of the user's newsgroup activities: the message numbers read, the names of each newsgroup visited and, in later versions of the browsers, the actual messages read, all stored on the hard disk. Even their most personal and private email messages are stored in these databases on their machine. While much of this data is useful while navigating the web, much of this information is useless once the user has ended their online visits. The vast majority of cached data cannot be used even while online, since travels backward and forward break the links that would allow this data to be used as intended, which is to cut down on reload time of pages already seen. Most of it is therefore unusable.

   The information persists however and any person with a modicum of knowledge in looking through the contents of a machine can browse these files and determine precisely what a person did on the net. Multiple sessions are kept in here and thus a pattern of a user's interests and activities can be gathered by examining these files on the user's machine. Employers, family members, children and others who have physical access to the machine can discover highly personal information that the user may never have intended to be discovered and most likely was never aware of. There have been repeated reports of people who were terminated by their employer or faced divorce or prosecution for their activities on the net as a result of this stored data on their own hard disk.

   Since the history and cache databases also store listings of files accessed in private corporate intranets, if these files are pulled by an outside site they can reveal the structure and locations of sensitive internal files. This becomes a potential security issue that can assist crackers in locating data they would otherwise never know existed on a corporate or governmental LAN. Another issue is public access internet machines provided by libraries and schools.

   Assume if you will that an adult has just left a machine and exercised their right as an adult to visit "naughty" sites. If a child were to be the next user of the machine, all of the information and locations the previous user visited would be readily available for that child to click on and travel to without having to know the location of the sites to manually type in. The descriptive names of sites alone could evoke the exploratory curiosity that tends to help youngsters find "trouble."

   It has been demonstrated recently that there are a number of security issues in all of the popular browsers that allow a remote site to access the contents of a user's machine through the use of rogue ActiveX, Java and Javascript programs. The presence of such detailed information on the usage of a person's computer could allow this information to be gathered and used. Once upon a time we never considered this much of a concern other than in the event of physical access to the user's machine.

   Now we are all aware that this data can actually be snatched right out of their machine by a rogue site. Netscape has made great efforts to quickly fix the security issues while Microsoft has merely band-aided the problems with warning signage most of the time rather than cure the core faults in their code. Since Microsoft gives away their product for free instead of a fair market price, it is anticipated that their product will eventually be the primary browser for most people.

   When you type in an internet address in the window of your browser, each manually typed entry is stored in a "URL window" database which allows you to review sites you've visited. Anyone with access to your machine can also view this listing and see what you've been doing. The inspiration for us to write our software in the first place came from personal friends whose employers had popped down the window and questioned them about the sites they visited at work. The remainder of the issues we handle came later.

   Our NSClean and IEClean software allow the end user to optionally remove any or all of this potentially sensitive data with a simple click of a button. The software will allow them to remove their newsgroup activities, newsgroup databases, cache files, history databases, cookies, email messages, URL window data, bookmarks and all other sensitive data kept by their browser as well as the ability to use an "alias" while online as they desire. Ours is the only comprehensive package we are aware of that provides such extensive privacy controls for users and was designed to be easy to use for those who need it the most, those who are not experienced enough to manually edit their hard disk contents and edit the delicate Windows registry database where a great deal of the sensitive information is maintained. One slipup in the registry can render the computer completely broken and thus even experts avoid playing with the registry unless absolutely necessary.

Risks of broadband technologies and Microsoft 32 bit Windows

   Recently the relatively secure internet access by dialup modem to the internet has given way to high speed broadband technologies such as cable modems, local area networks and xDSL. While these new high speed technologies offer great promise, they are fraught with risks to privacy as well for users of Microsoft Windows95 and WindowsNT. These high speed technologies exceed the capabilities of the relatively secure serial ports previously used in telecommunications.

   Thus in order to access these new services, providers must install ethernet cards into customer machines in order to provide the promise of high speed internet access. Ethernet cards are a mature technology primarily used in local area networks where all machines on the LAN are under common ownership and control. The IEEE 802.3 and derivative protocols utilized with ethernet cards are promiscuous in nature; that is, all connections are "trusted." Under normal circumstances, the ability of one computer to see the contents of another computer on the local network was a desirable event.

   Microsoft made use of ethernet cards to allow users of Windows95 and WindowsNT to set up private networks of two or more machines to enable the convenience of "file and printer sharing" using the NETBEUI/LANMAN protocols. This capability dates back to Windows for Workgroups version 3.11 and has been most helpful in enabling the sharing of resources among multiple computers to reduce the cost of ownership.

   The problem from a privacy standpoint with this arrangement is that when a consumer connects their Windows95 or WindowsNT computer, with "file and printer sharing" enabled, through an ethernet card to an external service provider such as their cable or telephone company, their computer becomes available to everyone else on the service. By simply knowing the name of the machine as presented to the ethernet (the default name for all computers is "My Computer" unless changed from the default), strangers can access or change any or all of the files on the victim's computer without the knowledge of the victim. This issue was reported recently on the ZDNet news service without much coverage in the conventional media.

   We have addressed this issue as well with a product called "ShareClean" which permits a user to turn the file sharing portions of Windows95 on or off as required to assure that outsiders cannot access their machine. WindowsNT users will find it somewhat easier to enable or disable these features and we anticipate an NT version of ShareClean in the next few weeks. NSClean Privacy Software strongly supports these emerging high speed technologies and is providing this product at a reduced cost and also is providing special bundling arrangements for those in need of this protection. The problem is not limited to cable modems as described in the article; it applies to any situation where an ethernet card is used to connect to the internet where "file and print sharing" is enabled in Windows 32 bit products, including corporate networks. A rogue user on a company network could very well determine what the upper echelon of the company is doing on their machines by exploiting this security hole inherent in Microsoft products.

Recommendations

   While there is probably a political desire to regulate the internet based on so many horror stories and likely many more to come, the real issue is privacy violations which are already sanctioned under existing law. It is my own personal opinion that existing telemarketing and consumer fraud regulations can readily be extended to include the internet without raising the ire of internet users who justifiably fear government intrusion into the modern equivalent of the printing press. Privacy is clearly the greatest single concern to internet users and those who willfully violate that privacy should be held accountable under existing regulations already in place for other telecommunications entities. Fraud is fraud no matter where it is perpetrated.

   Users need to have the right to actually have their name removed from all lists and a central clearing house similar to the Direct Mail Marketing Association in the paper based junk mail world needs to be strongly encouraged. Severe sanctions should be made available to users in the event that this removal request is not honored under the same guidelines as telemarketing calls and junk faxes. This should be easy to satisfy by amendment to existing law without the need to create new law specific to the internet.

   People should have the right to be "unlisted" as far as UCE is concerned and the burden of paying for this should be placed squarely on those who generate UCE. Junk emailers already have the advantage of a significant cost benefit in sending bulk junk mail on the internet and such costs would serve to level the playing field and perhaps if it were high enough would help the USPS keep postage rates under control. Providers should also be granted the right to collect from spammers for use of their facilities for junk email as the burden is unfairly placed on the providers and recipients for the technical facilities to handle this ever expanding deluge of unwanted email now.

   Laws which prohibit or restrict the use of alias names on the internet as long as these issues remain unresolved should not be permitted to stand. In particular the Georgia statute which made it a crime to use an anonymous name on the internet stands as a manifest example of failure to address the greater issue. So long as real identities are placed in jeopardy by "spam harvesters," the public should retain the right to not provide these people with the means to provide an onslaught of junk email. We would all like to observe proper internet etiquette by not hiding behind an alias but it is not a good idea when using your real identity only results in not being able to receive desired email because your mailbox is stuffed with junk.

   A means of backcharging spammers for unsolicited email is being discussed among experts as a possible self-regulating approach where the user is at least entitled to some compensation for having to pay to receive junk email. After all, mass mailers using the postal system have to pay for each piece of junk mail they send and such would be reasonable on the internet. Proper exemptions should be provided for junk email which is sent to those who requested placement on lists to receive such messages so that desired email is not affected by the bad actors.

The dangers of browser/operating system integration

   The greatest risk of all to personal privacy on the internet however comes from the integration of browsers into the operating system itself. At one time, browsers were external applications which did not have hooks directly into the computer's operating system. Java and javascript applets were kept isolated from the operating system entirely which meant that the only risks to privacy were those voluntarily or unwittingly given up by the user. This isolation of protection was referred to as the "sandbox" which acted as a secure firewall against trespass into their systems and prevented outsiders from having their way with the contents of their files.

   Now we are faced with Microsoft placing their Internet Explorer product directly into the operating system where no walls of separation will exist which will serve to protect the user against unauthorized rummaging through the most personal and private parts of their computers. Netscape has now provided capabilities in their Javascript version 1.2 which similarly place the entire contents of a user's machine at the hands of outsiders who are savvy enough to use these controls to access the operating system itself. To my own sensibilities, this constitutes a violation of the fifth amendment whereby one's own computer fulfills the prophecy of Orwell's "1984."

   Both companies insist that they will only allow such deep penetration of a person's systems to those who provide a "signed" document which will identify the perpetrator after the damage is done. This is woefully inadequate as such documents can be readily forged. The user is merely handed a familiar box warning them that they are accepting an applet that could be dangerous. Many users disregard all such warnings as they are delivered all too frequently and most people do not read them before hitting the "OK" button to proceed.

   It is my own personal opinion and NOT that of NSClean Privacy Software that Microsoft in particular should not be in both the operating system and application software business as the potential risks of such tight integration between the operating system and their browser represents a substantial threat to the public's privacy. There should be a solid wall between applications and the operating system and tight integration makes it highly probable that unauthorized activity can readily occur without effective warning as to the scope of the security breach to the end user.

   In my opinion, Microsoft should be divested into two separate companies, one providing operating systems and another providing applications with Microsoft being given the opportunity to decide which entity they wish to retain. Further, in my opinion, Netscape should redesign their Javascript 1.2 to also prevent access to the operating system's contents as well. It would appear that they have undertaken this step in an attempt to counter the capabilities of Microsoft's browser and their operating system integration. As the "browser wars" continue on, it appears as though privacy is being trampled as this integration permits more substantial security violations and invasions of privacy for the public as each company strives for greater "convenience."

   In the computer security trade, firewalls are what protect large scale computer facilities. Similar firewalls to protect users against outsiders rummaging through their systems need to be provided for all users of the internet. Integration of browsers and operating systems clearly defeats this public interest. Even the most secure facilities of government agencies are now at risk as the integrated browser and operating system now allows the best firewalls to be completely compromised and bypassed by any external site at whim.

   In order to prevent this integrated browser environment from causing a severe security threat to all corporate and governmental entities, the system administrator would be forced to block all http daemon access and with that, all internet access would have to be eliminated in order to secure their systems. This has risen to the status of a National Security risk and should be carefully considered and evaluated strenuously in my opinion as the implications are significant and disturbing.

   Imagine if you will an employee of a major Stock Exchange or Central Bank or one of the many federal "alphabet soup" agencies casually surfing the web in pursuit of their duly authorized research activities. They happen upon a link which goes to a "rogue site." An ActiveX or Javascript applet is surreptitiously downloaded to their machine which then connects to the LAN, fetches data and permits a major breach of the network, completely bypassing the firewall. The tight integration of browsers and the underlying OS would not only make this probable, but likely.

   Thank you once again for this opportunity to express my concerns. Once again, the opinions which I have expressed do not reflect those of NSClean Privacy Software.

    - Kevin McAleavey, author of NSClean and IEClean privacy software -