Digg this story   Add to del.icio.us  
Verisign's 'SiteFinder' finds privacy hullabaloo
Deborah Radcliff, SecurityFocus 2003-09-19

Privacy advocates have joined the chorus of critics of Verisign's "SiteFinder," which on Monday began directing mistyped dot-com and dot-net e-mail and Web addresses to a search site operated by the company and Overture.com, a Pasadena, Calif.-based advertising company that brands itself as a search engine.

On Wednesday, Boston-based Internet security and privacy consultant Richard Smith found buried in the SiteFinder page a so-called "Web bug," an invisible image file delivering a cookie that doesn't expire for five years.

This certainly means the culling of some information, said Smith. "They're getting a sense of what domain names are mistyped, and perhaps this can be used by a domain name sales company. In addition, Overture is a pay for click search engine, with questionable affiliates."

The question on everyone's mind is, what are Verisign and Overture doing with information gathered through SiteFinder? Will the companies be able to tell that the person looking for a medical marijuana site on Monday is the same person looking for a cancer support group the week before?

"We don't know if this site is harvesting personal information, but we believe it's at risk," said Lance Cottrell, president of Anonymizer.com in Pasadena, which Thursday updated its privacy software to circumvent SiteFinder.

On Wednesday, discussion boards filled up with hundreds of messages reflecting user's concerns over the potential for privacy violations by Verisign.

Some privacy advocate are particularly concerned that the company could merge databases from its other ventures with information logged by SiteFinder, creating rich ore for data mining. The company holds digital certificates for two million individual certificate holders, and has access to those customers' personally identifiable information. By mapping certificates to domain names to IP address, a record of mistyped domain names could be tied to some users' identities -- if someone wanted to go to all that trouble, said Seth Finkelstein, who a civil libertarian software engineer who runs a popular anticensorware site.

"They're [Verisign] getting to know your IP address; and you may very well have a customer relationship with them through certificates which allows them to know you in great detail," adds Cottrell.

E-Mail Woes
SiteFinder's privacy policy says VeriSign only collects data "in aggregate form and solely for the purposes of operating and improving the performance of our Site Finder." It notes that Overture collects information "in order to serve content to our site, improve the services offered on our site, or measure advertising effectiveness of paid search results."

A Verisign's spokesman did not return repeated calls about the privacy concerns, but the company issued a written statement saying the purpose of SiteFinder is to ensure people get to their Web sites even if they mistype the address. The statement also said that Verisign is working with the technical community to solve a different problem that is wreaking havoc on some anti-spam efforts: SiteFinder immediately made nonexistent domain names indistinguishable from genuine hosts in the domain name system, breaking some anti-spam solutions that block e-mail from bogus domains, said Dan Camper, a software developer at Borrowed Time, Inc., in Austin.

From a privacy perspective, people are also concerned about what happens to all the mis-routed e-mails that are sent to Verisign when users type in bad addresses. This week the SiteFinder site was rejecting those e-mails, but only after receiving the "to" and "from" addresses.

"If Verisign's running an SMTP server or POP server, they can start grabbing people's e-mail addresses and passwords if they want to. It's not good that they're directing more than just the Web browser traffic here," said Smith. "I doubt that Verisign would do this, but Verisign did go ahead and change the Internet routing system, without first thinking of the unforeseen consequences of doing this."

The commercial exploitation of mistyped Web addresses also rubs critics the wrong way. When people mistakenly type in a URL and end up at Site Finder, Overture's paying advertisers will be listed as the top alternative choices for what the Web surfer may have meant to look for with the mistaken URL.

Moreover, Overture's been implicated in numerous spam complaints, according to Chris Brandon, president of an Internet investigations firm Brandon Internet Services, in North Carolina. "Overture has a long history of being in collusion with gangs of spammers," said Brandon. "I get complaints about them all the time from my 330 backbone ISP members about spam trying to direct them to Overture's search engines," he says.

Overture says it does advertise its own services, but it does not spam. The company says the only advertisements it sells are in the form of top picks on Web search engines, which is a common practice among search sites such as Yahoo, which is expected to complete an acquisition of Overture in mid-October. Moreover, Overture said that all of its affiliate members are hand-screened by an editorial board for legality and compliance to its strict rules of netiquette.

In fact, it's the commercialization of the DNS service that has many people up in arms. DNS, the very backbone of the Internet, they say, should not be tainted with advertising and privacy concerns, and VeriSign should not be taking advantage of its role as the official domain name registrar for .com and .net addresses. "It raises grave questions," Smith says.


    Digg this story   Add to del.icio.us  
Comments Mode:


 

Privacy Statement
Copyright 2010, SecurityFocus