COMMAND
:CueCat
SYSTEMS AFFECTED
:CueCat
PROBLEM
The Privacy Foundation (TPF) has released an advisory calling for
changes in the way the :CueCat bar code scanner is tracking users.
The full text of the advisory is available at:
http://www.privacyfoundation.org/advisories/advCueCat.html
The Privacy Foundation recently completed a technical evaluation
of the :CueCat bar code reader. This handheld device, which is
similar in appearance to a computer mouse, is a product of
Digital:Convergence Corp. of Dallas, Texas. Hundreds of thousands
of these devices are currently being distributed free of charge to
consumers through partner companies including Radio Shack, Wired
magazine, and Forbes magazine. The company has announced plans
to distribute 10 million devices by year-end 2000 and 50 million
devices by year-end 2001.
The :CueCat is promoted as an easy way for consumers to visit Web
sites on their PCs by scanning bar codes that have been included
in catalogs, magazine articles, and printed advertisements. By
using this device consumers no longer have to enter URLs in their
browser to go to a Web site to learn more about a product, a
service, or a particular subject. The Privacy Foundation has
serious privacy concerns about the product because the :CRQ
software, which accompanies the :CueCat device, appears to
transmit all of the information that Digital:Convergence would
need in order to record every bar code that every user scans.
This tracking feature of the :CRQ software could be used by the
company to profile an individual user.
Profiling is typically used by Internet marketing companies to
provide personalized ads targeted to an individual. The :CueCat
tracking ability does not appear to be disclosed in the
documentation or privacy policy that accompanies the product. In
addition, there is no disclosure of what is currently being done
with the bar code scan information once it arrives at the company.
Digital:Convergence states that individual users are not being
tracked or profiled. But even if the information is being used
only in aggregrate form, or not at all, there is still the
possibility in the future that bar code scanning information can
be tied to individual users. This tying would require no changes
with the :CRQ client-side software. The tracking feature is made
possible because a unique ID number is assigned to each user when
they register their :CueCat with Digital:Convergence. This unique
ID number is sent to Digital:Convergence servers along with a bar
code number each time a bar code is scanned. This ID number was
observed both by investigators with the Privacy Foundation and by
other outside researchers. This ID number could be associated
with personal information and demographic information that the
user supplies during product registration.
Installation of the :CRQ software includes a computer video
promotion followed by a registration process that requires some
personally identifiable information:
- full name
- email address
- zip code
- gender
- age range
Registration is followed by a lengthy survey that includes
questions about personal interests, computer and electronics
equipment owned, Internet usage, and shopping habits. This survey
can be skipped by a user. Once registration is completed, an
activation code is sent to the user's email address. The :CueCat
and software cannot be used without registering the product and
receiving an activation code.
The Privacy Foundation examined the :CueCat device and the :CRQ
software to determine the sorts of information transmitted from a
user's PC to Digital:Convergence.
With a packet sniffer in place to monitor network connections made
by a PC, authors of advisory installed the :CRQ software and
submitted both the registration and survey. Submission of the
survey showed a network connection to crq.com with the following
data being transmitted: [Please note that portions of network
traffic included in this report have been modified for
illustrative purposes.]
12:01:35.535139 pc.example.com.1570 > beta1.crq.com.80: P 232:1050(818)
ack 1 win 8280 (DF).lastname=Doe&firstname=John&email=
johndoe%40example.com&zip=80208
&gender=A&age=D&minorlastname=
&minorfirstname=&minoremail=
&travel=B&airline=B&tripcount=A&hotel=
A&rentalcar=E&movietype=B
&moviefreq=F&moviefood=F&tv=A&tvcount=
B&vcr=A&dvd=C&dvdwhen=
&hometheater=B&cable=A&satellite=
B&gamecenter=B&videofreq=F
&moviesbuy=D&musictype=B&musicformat=
B&cdwhere=C&radio=B&mp3=A
&booktype=CG&bookbuy=AF&bookcount=
D&mags=ABK&clubs=A&cdrom=B
&monitorsize=AB&scanner=A&printer=
A&processor=C&dcamera=A
&dcamerawhen=&stereospeakers=
A&onlinefreq=A&internetfor=ACD
&onlinebuy=A&onlinebuywhat=AE&home=
B&dineoutfreq=C&pizza=B
&pizzakind=&wine=B&winewhere=
A&coupons=A&trading=B&banking=A
&bills=B&profession=A&vitamins=
B&vitaminswhere=&vitaminskids=
&toyswho=A&toyswhere=B&toyskind=
C&makeuptype=&makeupbrand=
&makeupwhere=&hobby=G&sports=
BCD&education=E
The transmission above shows the user's personal information (John
Doe, johndoe@example.com) being transmitted to the :CRQ server
along with the results of about 60 consumer profile questions.
When the registration was completed another connection was made:
12:15:23.912215 pc.example.com.1140 >
beta1.crq.com.80
POST /confirm.cfm HTTP/1.1
firstname=John&lastname=Doe&email=
johndoe@example.com&zip=80208
&gender=A&age=D&OptIn=1&addButton=Register
The above transmission appears to confirm the registration and
request that an activation code be sent to johndoe@example.com
via email. TPF received an activation code via email from
digitalconvergence.com and plugged it into the prompt box that was
presented when we first started the :CRQ software. After
activation of the software, we noted changes to the Windows
Registry that included our email address, activation code, and
default browser:
[HKEY_LOCAL_MACHINE\Software\
DigitalConvergence.Com\CRQ\Users\John Doe]
"UserEmail"="johndoe@example.com"
"RegCode"="Qh98AlkowF6cRTHtDJEjWe"
"DefBrowserName"="Internet Explorer"
These transactions alone provide enough information to create a
profile of personal information that can be linked to a globally
unique ID (GUID) assigned by Digital:Convergence. This GUID, as
TPF also found, is transmitted to Digital:Convergence with each
and every bar code scanned using the :CueCat device.
The :CueCat bar code scanner connects to a PC by way of a cable
that connects between the keyboard plug and the keyboard socket
on the PC. The :CueCat scanner effectively "types" a product
code received by the :CRQ software each time a bar code is
scanned. The :CRQ software then includes the "typed" product
code within an HTTP GET request to a Digital:Convergence server
that, in turn, responds with a specialized Web address related to
the product code.
TPF made a scan of one of the proprietary ":Cues" in Forbes
magazine which was associated with an article about the National
Gallery of Art. The :CRQ software subsequently made a network
connection to a Digital:Convergence server.
21:01:35.888710 pc.example.com.1320 >
o.dcnv.com.80: P 1718746:1718855(109)
ack 342313744 win 7444 (DF)GET /CRQ/1..Qh98AlkowF6cRTHtDJEjWe.
04.c3Nzc3Nzc3NzdnN3d3d6cXNx.
AABi.Y2NgY2B k.0 HTTP/1.1
Host: o.dcnv.com
The server [see Note at end of advisory] responded with some data
that pointed our Web browser to the address of the National
Gallery of Art (http://www.nga.gov).
21:01:36.144731 o.dcnv.com.80
> pc.example.com.1328:
P 1:266(265) ack 109 win 8192
HTTP/1.1 200 OK
Date: Tue 12 Sep 2000 03:02:52
Expires: Tue 12 Sep 2000 03:03:01
Content-Length: 132
Content-Type: text/plain
cat=39
url=http://www.nga.gov
desc=BOW - Collecting Art Museums
char=0
img=
but=
ban=
tab=12,26,34
tas=39
fixed=1,2,50,20
TPF took a look at the encoded string that was sent in the request
to Digital:Convergence. The entire string can be broken up into
segments delineated by the periods. Four of these segments
appeared to be particularly interesting. The first segment of the
string (Qh98AlkowF6cRTHtDJEjWe) matched the GUID activation code
used in setting up the :CRQ software. The third, fourth, and
fifth segments were run through a :CueCat decoder written by Kevin
Fowlks and published at FreshMeat.Net.
The third segment (c3Nzc3Nzc3NzdnN3d3d6cXNx) decoded to
"000000000504449202", which is a serial number for the reader
device itself. The fourth segment (AABi) decoded to "CC!", which
identifies the type of bar code that has been scanned. In this
case, it refers to a :CueCat bar code. The fifth segment
(Y2NgY2Bk) is an encoded version of the bar code itself. Scanning
an ISBN bar code from a book (ISBN:045622900857) produced a
similar transmission to Digital:Convergence with the following
data in the request:
Qh98AlkowF6cRTHtDJEjWe.04.c3Nzc3Nzc3Nzdn
N3d3d6cXNx.FhMC.c3d2dXFxenNze3Z0.0
Again, the third segment of the data string remained unchanged.
The fourth segment decoded to "UPA", a type of product code. The
fifth segment decoded to the actual ISBN number of the book TPF
scanned, "045622900857". TPF conclude from this investigation
that by distributing the :CueCat device and software,
Digital:Convergence could collect not only the personal
information provided via the registration and installation survey,
but also a history of product bar codes that have been scanned by
specific users. Furthermore, all of this personal information and
bar code history data could be linked through the GUID activation
code provided through Digital:Convergence.
Beyond this, TPF observed no further monitoring of a user's
Internet activities. In particular, we witnessed no clickstream
monitoring and no use of cookies by the :CRQ software. Note,
however, that the :CRQ software use of GUIDs would obviate the
need for tracking cookies.
A specialized cable is also provided with the :CueCat that can be
used to connect the audio jacks from a user's TV to the sound card
of the PC. Once this connection is made, the :CRQ software
listens for special signals embedded within the audio of TV
programs and advertisements. These signals, in a manner similar
to scanned bar codes, prompt the Web browser to load a specific
address related to the program or advertisement viewed. Due to
the limited availability of :CueCat audio signals via television
broadcasts, the Privacy Foundation was unable to comprehensively
research this aspect of the :CRQ software. However, TPF technical
review determined that the :CRQ software does indeed listen to the
audio input ports attached to the computer's sound card. With the
appropriate audio port connected to a TV or other audio source,
the :CRQ software listens for special beeps that encode
information comparable to a barcode. Upon receiving such an
"audio cue", the :CRQ software behaves much as if the user had
manually scanned a barcode using the :CueCat. It transmits a
request to the :CRQ server that includes the user's GUID
activation code and a representation of the information in the
audio cue. In response, the :CRQ server delivers information
about an appropriate Web page. In the configuration suggested by
Digital:Convergence, the user connects a TV broadcast signal to
the computer so that Web pages relevant to the viewed programming
and advertisements are conveniently presented on the user's Web
browser. This computer, connected to the Internet and the
television, will quietly report to the :CRQ server whenever it
hears an audio cue. Since no user intervention is required, such
a computer could effectively become an in-house television
tracking device for Digital:Convergence.
For more information read original advisory on URL above.
SOLUTION
Digital:Convergence was contacted on Sept. 18, 2000, and again on
Sept. 21. The Privacy Foundation expressed concern that the
data transmitted by the :CRQ software could be used to record
every scan of the :CueCat along with the personal information of
its current user. Digital:Convergence acknowledged that a user
ID is associated with each scan, but said that their current
database breaks the link between a user's activation code and
personal information (such as an email address), so that such
tracking is not being done, nor is it contemplated.
Digital:Convergence indicated that they would consider modifying
their data collection procedures and provide more disclosure.
The Privacy Foundation recommends the removal of GUID activation
codes from the network transactions that result from use of the
:CueCat. If the company promises to "never release your personal
data to any third party," then there does not appear to be a
reason that a GUID needs to be transmitted or stored in
conjunction with personal information. TPF also recommend that
Digital:Convergence provide a patch that disables the ID number
for current users.