"What's Related?" Fallout
Since the release of our report "What's Related?"--Everything But Your Privacy, a number of things have happened. Those interested in their privacy or in working to protect privacy might be especially interested in the fallout.
This is my (cmcurtin) accounting of the series of events that led up to the release of that report, as well as events afterward. It has been reviewed and verified by gfe and monwel.
Detailed summary of events and timeline
- Mid-August 1998
- Gary Ellison writes Doug Monroe and Matt Curtin about the completely undocumented "what's related" button on Netscape's new browsers, namely 4.5 beta and 4.06, and about how such a feature could be implemented and its potential privacy and/or security risks. Collectively, we look into the matter and release "What's Related?"--Everything But Your Privacy on August 26.
- September 1998
- Ramanathan Guha of Netscape contacted us to identify himself as the "implementor" at Netscape and to ask us to clarify what our privacy issues were. When Doug asked Guha on September 10 about the source of the data returned by the Netscape "what's related" service, he wrote "We are using their [Alexa's] data". Gary spoke to Guha by phone and suggested that the largest part of the problem could be solved by moving the domain of the cookie to *.netscape.net from *.netscape.com, thereby making it impossible to correlate the "what's related" data with other Netcenter data, such as secure software downloads, which require the signing of a legal affidavit confirming one's name, address, and telephone number.
Gary wrote Doug and Matt, indicating that Guha (and probably others at the level of engineering and implementation) "get it" and are sympathetic to our concerns. Gary left the conversation with Guha with the impression that the cookie's domain might be changed in a yet-to-be-announced Communicator 4.51.
- October 1998
- The report is entered into the Ohio State University CIS department technical report series and a pointer to the document is made in Lauren Weinstein's PRIVACY Forum Digest.
The report is widely reported in such places as Slashdot, Yahoo!, and in the German-language community via German, Swiss, and Austrian news web sites. Only passing interest is observed by mainstream US media.
- January 13, 1999
- Ken Hickman of Netscape addresses a letter to Doug, Gary, and me claiming that the report misrepresents Netscape's service. It is further claimed that our report is inaccurate:
- Links followed from Smart Browsing were made via redirects through Netscape's web site at the time of publication. Since that time, that behavior has changed; I have verified that links are now made directly.
- He claims the service does not use cookies, but that the cookie is present because the Smart Browsing servers are in the same domain as the Netcenter cookie (i.e., *.netscape.com). Whether they're logging that data today is irrelevant; the potential for a change in policy and abuse of the data still exists. What we wrote is still completely accurate.
- He claims that our section on "frequency of the fetch" has confused many users about which behavior is default. I honestly don't see how we can make this any more clear.
- He further wrote that "there are other errors" without giving any other details. Since he did not enumerate any real errors in what we had written, I tend to doubt that there are any such errors. Perhaps there are minor cases of the service changing since the time of publication, but the core issues remain the same, and the fact remains that what we wrote was accurate at its time of release.
- January 13
- I reply to Ken's note, maintaining that "at best, the information is dated" and, after a few abrasive counterpoints, concluding with a translated quote of Pontius Pilate, "what I have written, I have written". I freely admit that I did not optimize for tact. Sorry. But don't expect to be able to make bald statements about my work and not be on the receiving end of a stern correction.
- January 14
- Ken replies to my reply, agreeing that the only real problem is information that is now out of date and complains that he has had to deal with journalists seeking information from Netscape about the issues raised by the article.
- January 15
- Someone from Anonymizer Inc (which mirrors the report on their web site) wrote me seeking clarification on a number of points on the article. Ken wrote them on January 15, stating "Mr. Curtin's article has mutliple [sic] sections that include information that is wrong or misleading, for example..." The rest of the email is identical to the one I received on January 13.
- January 29
- A reader sends me email informing me that clicking on the "what's related" button when viewing the report will show the WIRED magazine reprint of The Unabomber Manifesto is related.
- January 31
- I make my extreme displeasure about the whole situation known, in no uncertain terms, to Ken, in response to his January 14 mail. In it, I question the value of linking to Netscape's Smart Browsing FAQ more prominently, asking whether it will only serve to provide Netscape an opportunity to baldly contradict our work or give them another opportunity to portray us as somehow sympathetic or related to a terrorist. I receive no reply.
- March 7
- I contact Lauren Weinstein again, making him aware of developments since the most recent Smart Browsing article to appear in the PRIVACY Forum Digest.
- March 21
- Lauren writes to inform us that he's checked links again, and Netscape appears to have picked up additional "what's related" data for our report, all of which matches what I found on Alexa's site on March 8. Both Netscape and Alexa show the Unabomber's manifesto to be the first on the list of related links.
I hope that this is helpful in showing that some potential risks of giving the providers of a product or service a form of editorial power are no longer purely theoretical.
We found a problem, studied it, and explained our findings in a publication that should be understandable by anyone with an interest in their privacy. Netscape has had the ability to make minor modifications to the operation of their service in order to solve these problems, but has not. Instead, we have seen our work called "inaccurate" and "misleading".
This is a real problem and I'm disgusted with Netscape's handling of it.
Netscape used to be cool.
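
The cookie-scoping point behind the September 1998 and January 13 entries, as an added example that is not part of the original account or of Netscape's code: a cookie set for .netscape.com is attached to every request to a host in that domain, whether or not the service reads it, while a host under netscape.net never receives it. The host names and cookie name are constructed placeholders, and the matching rule follows RFC 6265 section 5.1.3 rather than the 1998 browser's own implementation.

```javascript
// Added illustration: host names and the cookie name are constructed placeholders.

// Domain matching as in RFC 6265 section 5.1.3: the request host must equal
// the cookie domain, or end with "." + cookie domain and not be an IP address.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Names of the cookies a browser would attach to a request for `host`.
function cookiesSentTo(host, jar) {
  return jar.filter((c) => domainMatches(host, c.domain)).map((c) => c.name);
}

// Constructed jar: one identifying cookie scoped to the whole .netscape.com domain,
// standing in for the Netcenter cookie the report describes.
const jar = [{ name: "NETCENTER_ID", domain: ".netscape.com" }];

// Constructed hosts: a download server, the related-links service in the same
// domain, and the same service moved under netscape.net as Gary suggested.
const hosts = {
  download: "download.netscape.com",
  relatedSameDomain: "related.netscape.com",
  relatedMoved: "related.netscape.net",
};

// Map each labelled host to the cookie names it would receive.
function report(cookieJar, hostMap) {
  const out = {};
  for (const [label, host] of Object.entries(hostMap)) {
    out[label] = cookiesSentTo(host, cookieJar);
  }
  return out;
}

console.log(report(jar, hosts));
```

The server-side claim that a service "does not use" a cookie says nothing about whether the browser sends it; only the domain scope decides that.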