Undetectable 'son of cookie' system wins grant
By John Lettice
Posted: 05/07/2002 at 11:02 EST
The developers of a 'son of cookie' web monitoring system have
received a Proof of Concept grant from Scottish Enterprise to
commercialise the system. Their non-cookie based web monitoring
software does not (as indeed the name suggests) rely on cookies,
but instead is intended to replace them with something far more
powerful.
It has, as the features list makes clear, great privacy-invading
potential. The "sensors" it uses:
- can be individually customised for any web visitor;
- can collect information rather than return pre-downloaded data.
- can be reconfigured remotely;
- are difficult to detect and delete;
- can be used to block access to sites, documents, data, emails,
etc., based on content,
- can be preferentially customised for each user.
So the system can provide highly detailed tracking information for
market research purposes, and "is also suitable for Internet and
general computer surveillance on behalf of commercial
organisations, governmental bodies and educational
establishments alike. It can enable tracking of visitors to any website
worldwide, and help to address Internet crime."
But dont worry, because: "The development of appropriate
safeguards to prevent misuse of the technology in these contexts will
be developed in parallel to the technology itself. These are a critical
part of this project, and will include a modular approach to allow
exclusion of technical capability and prevention of sensor
re-configuration."
How, though, does it work? If it works, that is. This isn't entirely clear
from the Scottish Enterprise announcement or the Strathclyde
University press release announcing the award of the grant, but a
Strathclyde's Department of Electronic and Electrical Engineering
has a clipping from Business A.M. that gives more details.
The "sensor" program can monitor keystrokes and "the whole range
of a user's internet usage," and it "can also be altered remotely,
allowing it to be fine-tuned to the owner's or user's particular
requirements." We trust you're as interested in that differentiation
between 'owner' and 'user' as we are. The piece also suggest that
companies gathering data could get their customers to use the
software in exchange for a payment or discount on purchases, so
clearly there's a component of the software that has to be run locally.
So you can just say no, right? Up to a point, we'd hazard. If it were
absolutely clear that users would be warned and given the ability to
refuse it, then there would really be no need for it to be pointed out
that it is "difficult to detect and delete." So you could speculate
about it coming hardwired and unannounced in, say, a bank's client
software, being rolled out for security and monitoring reasons to all
of the clients in a company network, or being sent to Microsoft
Outlook users "in order to have your advice."
We hope the "appropriate safeguards" will be sufficient to take care
of that last one, but if it's as powerful and unobtrusive as they
suggest, it's difficult to see how abuses can be blocked. |
