September 20, 2000 7:00 PM PDT
"Cat" scanning device may track users online
- Related Stories
"CueCat" users' information let out of the bagSeptember 18, 2000
Privacy advocates are investigating the device, known as the CueCat, and its ability to snoop on consumers while swiping bar codes printed in catalogs and magazines or on products. Researchers say the scanner, produced by DigitalConvergence, makes use of an identifying serial number that could trace the actions of an individual user and create a detailed database on a specific device's usage.
Last week, a security breach at DigitalConvergence's Web site exposed about 140,000 consumers' names, email addresses and ZIP codes, raising the eyebrows of many new members and privacy advocates.
"Whenever you scan something, your browser will make a connection with (DigitalConvergence's) site. It reports the (bar) code, your device serial number and a token that identifies you as an individual," said Matt Curtin, founder of Interhack, a security consultant group that has been looking into the technology.
As a result, "they could have a dossier of every person using the CueCat," he said. "This would show my ID...my email address, and a list of all the products I've ever scanned, how many times I've scanned them, and when I've scanned them."
A DigitalConvergence spokesman said that the company is not tracking this type of information. He said customer registration information is retained only for the purposes of general demographics.
"There is a unique ID within the CueCat so that we can see that some Cats came from Forbes and some came from Wired," said Dave Mathews, vice president of new product development at DigitalConvergence. "(But) individualized serial numbers are not designed to track individual behavior."
Those assurances have not assuaged privacy advocates, however, who among other things say that the company has not adequately disclosed its practices.
"The problem is the notification. Do people have a full idea of what they're getting involved with?" said Lauren Weinstein, moderator of the Privacy Forum and co-founder of People for Internet Responsibility.
New York-based DigitalConvergence began shipping more than 1 million scanners this month through RadioShack and to readers of Forbes and Wired magazines. The company hopes to introduce consumers to technology that bridges the printed word with the Web. By using a CueCat linked to a computer, consumers can swipe bar codes (or cues) on soup cans, shampoo bottles, or within advertisements or editorial to be transported to related Web sites.
Users of the device must go to the DigitalConvergence Web site and register some personal information, including their name, email address, gender, age range and ZIP code. This information is then linked to a unique identifier within the CueCat and sent to servers at DigitalConvergence each time a bar code is swiped.
Other privacy groups are poised to join the fray.
The Denver-based Privacy Foundation tomorrow is expected to issue a detailed report on the CueCat scanners, though it refused to discuss the report's substance. Nevertheless, the issue of serial numbers is a sensitive one among privacy advocates.
"Abuses at other companies have poisoned the well so much that a serial number is immediately considered suspect in any quarters," Weinstein said. "As a result, companies must bend over backwards to make sure everything is squeaky clean, because everyone's going to be viewed with extreme skepticism."
The serial number issue has been raised before, most famously in early 1999 in a clash with Intel over its Pentium III computer chip.
The company began stamping its processors with distinct numbers that consumers were expected to use as a form of identification, similar to a password, to enter protected Web sites. But consumer advocates said the number could be used to track people's Web travels.
Intel said earlier this year that it would stop the practice.