Well, there’s a revolution going on, all right. But it’s happening outside our computers, as information gets sucked from them and transmitted to commercial concerns. It’s an insidiously silent revolution. While engaging in seemingly benign Internet activity, most users have no idea that they’re beaming out stuff that they’d prefer to leave on their desktops. There’s a word for programs that quietly transmit these nuggets: “spyware.” I think it’s fair to say that the appellation applies to anything that works under our personal radar to send out information about us or our habits.
One case in point: QuickClick. Though it does perform a neat function–creating sometimes-useful links for words that aren’t already hooked up to related Web sites–its modus operandi is problematic, and only sketchily explained to users who install it from the NBCi portal. Those motivated to seek out the QuickClick privacy policy learn that all users are given a unique identifying number that’s transmitted with the words they select. Potentially, then, an incredible amount of information can be gathered about a QuickClick user’s interests–not only the Web page she visits, but what on that page she wants to learn more about.
Can this number be linked to one’s actual identity? QuickClick’s privacy policy asserts that “we can never identify any individual’s online behavior.” But that isn’t quite accurate, according to Richard Smith, chief technology officer of the Privacy Foundation, who analyzed the software last year (and reaffirmed his findings for NEWSWEEK). He discovered that QuickClick is capable of transmitting information typed by users into forms presented on Web pages (though not forms sent off in “secure mode,” when Web browsers use encryption for added protection). Such forms often contain personal information–like names. What’s more, it turns out that when QuickClick is invoked from one’s spreadsheet or e-mail, selecting a word to create a link will send off an entire line of that word-processing or e-mail document to NBCi’s servers–straight off the hard disk. This was something Ingrid didn’t hint at in the commercial.
To get NBCi’s explanation, I spoke to its VP for product development John Rodkin. Rodkin knows the software well, since he helped create it for Flyswat, a company he cofounded that was purchased last year by NBCi. He confirms Smith’s findings, but says there’s no cause for concern. For one thing, he notes, it’s possible to block out both the unique identifying number and the software’s ability to send off personal information–all you need to do is wade through the privacy policy and decipher the instructions to perform this digital operation. (Rodkin portrays this as a snap, but Smith says that it’s something that only a Webmaster would find easy.) Most of all, Rodkin says, there’s no reason for hand-wringing because NBCi doesn’t really want the information plucked off your computer. When personal data arrive, he says, “we drop that information on the floor.” Also, he says, NBCi isn’t currently interested in tracking individual consumer behavior with QuickClick. (On the other hand, the overall privacy policy of NBCi does mention gathering information “for the purpose of managing and targeting advertisements.”)
Privacy experts, however, aren’t impressed by assurances that such information is instantly zapped. Smith calls it the “we don’t inhale” excuse. “If they don’t use it, why do they collect it?” he asks. “It’s like putting a microphone in your bedroom and saying that no one is really listening.” And legislators, who are awakening to privacy pitfalls on the Internet, may not embrace that explanation, either. In Sen. John Edwards’s Spyware Control and Privacy Protection Act of 2001, a bill introduced last month to protect consumers from software that snatches data without explicit permission, there is no exemption for “dropping information on the floor.”
Actually, I do appreciate NBCi’s refusal to exploit QuickClick’s spyware abilities. This distinguishes it from others who use spyware for, well, spying. Still, companies sometimes change their policies. NBCi is a public enterprise whose share price has dropped from a high of more than 100 to the approximate price of a bottle of Corona. Last month it laid off 30 percent of its work force. Maybe someone at NBCi (or another firm which winds up with some of its assets) will suddenly see a need to get some profit from all those bits lying on the floor. “It would be possible for some other company to use [QuickClick] differently,” concedes Rodkin.
If we’re lucky, by that time it won’t be so easy to unleash spyware on unsuspecting Web surfers. Rodkin correctly notes that part of the problem with Internet software that gathers information is that there are no ground rules for what’s kosher. “If we had a clear standard,” he says, “it would be better for everybody.” Maybe legislation like the Edwards bill might help provide such a standard. Preferably it will clearly forbid transmitting any personal information without an explicit understanding–and will put the brakes on the segment of the Internet industry devoted to enriching itself at the expense of our privacy. That would be a revolution fighting for.
