No Such Thing as a Free Lunch?
By David Shamah, The
There may not be gold in them thar
hills, but if you look around the Internet, you can find lots of the next best
thing – freebies! You can download free programs, of course, but you can also
get free e-books, free discount coupons, free t-shirts, Frisbees and key
chains, free postcards, promotional items, CDs, DVDs, free food – and, of
course, the inevitable newsletter that anyone and everyone seems to be
distributing these days. There are dozens of sites where you can find the
latest and greatest free stuff (just do a Google
search for "free stuff").
Actually, most of the stuff you can get is not
exactly "free" – but the price is pretty painless. Some sites will
ask you to answer a set of questions, usually
related to the product they are selling or promoting, before they furnish you
with the freebie. Depending on how highly motivated you are to get the thing,
you may or may not choose to answer the questions; sometimes I find that the
questions I am asked to answer in exchange for a freebie are a bit invasive, so
I just close the browser window and move on.
But often I have been asked for nothing more than my
e-mail address, which I usually have no problem giving. In fact, I set up a
"phony" e-mail address at one of the large Web mail providers (Yahoo,
in this case) which is dedicated specifically to the spam I expect to get when
I sign up for a freebie. Asking for an e-mail address seems like a fair
exchange for a free magazine subscription or free movie tickets (both freebies
I have managed to snag), and if I have the inevitable follow-up newsletters
sent to my spam address, which I routinely delete without even reading, what's
the harm?
Well, obviously there must be a problem with this
system – which lots of people use – or I wouldn’t be writing about it! And
indeed it is a problem. A nefarious, sophisticated combination of Internet
cookies and e-mail is being used at this very moment to build the biggest,
most detailed database ever – all to make sure that you buy, buy, buy – or other stuff.
In a sense,
it's a real scam, if by "scam" we mean that you are being subjected
to a process that you have no idea is going on, via a method that you never
heard about, for the profit of some third party that you don’t even know exists.
I don’t know about you, but I have a problem with this. If someone's making
money off me, I want a cut!
And just how does this scam work? Believe it or not,
it's due to the most innocuous of Internet tools – the cookie! Using a
combination of cookies, e-mail and a device called a "Web bug," which
tracks your movements on Web pages, advertisers can track your movements from
Web site to Web site and build a personal profile specifically on you – as an
individual, not as part of an aggregate, as most Web sites that send you
cookies claim. And it's all inside the cookie. They know who you are, where you
are, and what (they think) you want, and giving them a phony e-mail address or
even listing your home country as Outer Mongolia won't fool them.
Let's say you see a popup banner that urges you to visit
a certain site where they are giving something away. You surf on over there and
are promptly sent a cookie – a text string with information about the site you
are visiting and your interaction with it. Cookies are how sites like Amazon
know who you are when you open their page.
So far, so good. Cookies do have a legitimate place in the
Web universe, especially at shopping sites like Amazon – cookies make it easier
to access your purchase history, etc. If you're busy and can only check your
Yahoo web mail between coffee breaks, for example, you've probably turned on
the mail site's "remember me" feature, after which you are sent a
cookie that will identify your account when you surf to the site.
But the same technology that keeps track of your name
can also keep track of your surfing habits. Amazon, to cite them as an example
again, makes heavy use of cookies when you use the site; Amazon's cookies track
your product clicks in each session, for example, as you "drill down"
through the site, transmitting your actions back to the server – which then
looks at your choices and makes recommendations for other products that the
Amazon database thinks would interest you. Again, this is not necessarily a bad
thing at a site like Amazon – you end up saving lots of time because the site
saves your cookie-generated product choices in your personal profile database,
and when you return to the site, the database will have already generated a
list of products likely to interest you.
But we all knew this, kind of, at least; obviously,
they must be keeping track of you in order for them to welcome you personally
each time you surf to their site. We accept this from Amazon, though, because
we know what they're all about; Amazon is an Internet merchant that sells
stuff, and if we've surfed there, chances are we are interested in buying – and
the information they have on us makes it more convenient for us to buy. So
that's ok.
But what if this system could be duplicated across
many Web sites, not necessarily related to each other? What if, before we have
even clicked on a button, a Web site knew all about us – where we live, what
sites we visit, how much money we've spent buying things on the Web? It's one
thing with Amazon – they sell stuff, and they have an interest in holding on to
the information they have about us – after all, they want to make sure that
they do the selling, not someone else! But how would we feel if a Web site that
was interested in, say, our political affiliations, had this information? That
would be something else indeed.
Just how could such a thing be pulled off? Easy; if
there were a "cookie aggregator" that paid money to various companies
for information about you and stuck it into a database that had very personal
information about you based on cookies that were already on your machine that
had their source with the aggregator, and if they then sold the information
back to other companies subscribed to their service and then had a profile
about you, and kept incrementally and steadily honing the profile since the
activity at the Web site you've surfed to that already knows about you sends
the new surfing information back to the database as part of the deal so your
new, updated profile can be sold to others – well, that would certainly be a
formidable threat to your privacy.
Unfortunately, the system I've just described is not
a nightmare from the back end of an overactive geek imagination – it's a
living, breathing system! A company called Doubleclick tried to do exactly this a few years ago and
halted when Web users raised a furor over being tracked. Doubleclick
actually tried to associate individual names with profile information it was
collecting, but changed its mind after a spate of bad publicity and a
subsequent lawsuit.
But individual profiling still goes
on, albeit by using ID numbers in cookies, not names in databases. And once you
send an e-mail to a site that has a record of your
cookie, they now know who you are too. This system has become big business,
and is apparently being adopted by Google, which is
introducing its own Web e-mail called Gmail. According
to some Net privacy experts, "Google uses a
single cookie for everything, and it expires in 2038. Your browser offers this
cookie, which contains a unique ID number, every time you enter any page on Google's site. If you don't have a cookie, Google will give you one with a new unique ID number.
All of your search terms are saved
by Google, along with a time stamp, your IP address,
and your unique cookie ID. So far this information is not considered 'personally
identifiable' by Google because your IP addresses
might be dynamic. The unique ID in the cookie is the one thing that identifies
all of your various IP addresses as coming from the same browser." (from http://www.gmail-is-too-creepy.com/gcook.html)
And since you probably do all your
searching with Google, they know where you surf and
what interests you - and are in a unique
position to become the Web's biggest cookie aggregator and build and sell an
information database that will let advertisers more easily target you – or let
law enforcement agencies know what you've been doing! And since they can scan
the contents of mail sent with their service (a right you agree to when you
sign up for Gmail), you might want to be real careful
about what you write and to whom.
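The kind of cookie described in the quote above (one unique ID number, with an expiry date decades away) can be spotted by auditing the Set-Cookie headers a site sends. The following is an added example, not code from the column or from any site it names; the header values, the cookie names, the audit date and the "looks like a unique ID" heuristic are all constructed assumptions.

```javascript
// Added example: flag long-lived cookies whose value looks like a unique ID.
// All header values are constructed samples, not captured traffic.
const SAMPLE_HEADERS = [
  "uid=3f9a1c77b2e04d5a; Expires=Sun, 17 Jan 2038 19:14:07 GMT; Path=/; Domain=.search.example",
  "session=9b1d44e07c2a4f6e8d13; Path=/; HttpOnly",
  "lang=en; Max-Age=2592000; Path=/",
  "theme=dark; Expires=Sun, 17 Jan 2038 19:14:07 GMT; Path=/",
];

// Split one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  // A pair with no "=" is treated as a nameless cookie whose value is the whole pair.
  const cookie = { name: eq === -1 ? "" : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days relative to `now`; 0 means a session cookie. Max-Age wins over Expires.
function lifetimeDays(cookie, now) {
  if (cookie.attrs["max-age"] !== undefined) return Number(cookie.attrs["max-age"]) / 86400;
  if (cookie.attrs.expires === undefined) return 0;
  const t = Date.parse(cookie.attrs.expires);
  return Number.isNaN(t) ? 0 : (t - now.getTime()) / 86400000;
}

// Heuristic (an assumption): 16+ token characters with 8+ distinct symbols.
function looksLikeUniqueId(value) {
  return /^[A-Za-z0-9_-]{16,}$/.test(value) && new Set(value).size >= 8;
}

// Return the cookies that are both persistent beyond maxDays and ID-like.
function auditCookies(headers, now, maxDays = 365) {
  return headers
    .map(parseSetCookie)
    .map((c) => ({ name: c.name, days: Math.floor(lifetimeDays(c, now)), idLike: looksLikeUniqueId(c.value) }))
    .filter((c) => c.idLike && c.days > maxDays);
}

console.log(auditCookies(SAMPLE_HEADERS, new Date("2004-04-15T00:00:00Z")));
```

Only the constructed "uid" cookie is reported: the session cookie carries an ID but dies with the browser, and the long-lived "theme" cookie carries a preference rather than an identifier.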
The whole sordid Gmail/Google
saga can be seen at http://www.gmail-is-too-creepy.com,
and if you don’t like what you see, perhaps you should follow the site's
suggestion and go on a search and destroy mission for the Google
cookie (just do a search for "google" on
your hard drive; the cookie file usually is in the format of "yourname@google.com").
I love Google as much as anyone else, but maybe it's
time for a little variety in my search engine routine. I wonder if Altavista is still around?
Questions/comments to
ds@newzgeek.com