Re: Firm Tracks Access of Medical Info

[Matt Curtin]

> "Tim" == Tim May <[EMAIL PROTECTED]> writes:

  Tim> If visitors to Intenet sites wish to be untraceable, they can
  Tim> of course use Web proxies, Freedom, Hotmail/MyDeja-types of
  Tim> cutout accounts, and so forth.

The problem is that it isn't quite that simple anymore.  Some of these
tracking systems are combining different pieces of technology against
users, such that it will defeat various proxies, sometimes even
Freedom.

Coremetrics, for example, uses obfuscated JavaScript code to swipe
personal information out of forms that the user presumably fills out
for the purpose of telling the vendor where to ship stuff.  The data
are stuffed into the query string of a fetch for a web bug that takes
place -- which has a persistent cookie, of course.  Freedom will be
defeated in the case of a site that's using SSL, since the web bug
request will also be an SSL request in that case.  Details are at
http://www.interhack.net/pubs/intimately/. 

Of course, there are still things that can be done, including blocking
traffic to data.coremetrics.com and disabling JavaScript that will
work, but the whole issue here is an arms race.

This is basically as it's always been, but without disclosure of
what's happening in these systems, the level of technical prowess
needed to monitor the monitors and to eliminate their cruft is getting
higher.

The trick that we have now is defeating these tracking systems and
making our solutions available.

[Upon reflection, it seems that this means that things are pretty much 
as they have always been...]

-- 
Matt Curtin [EMAIL PROTECTED] http://www.interhack.net/people/cmcurtin/

Firm Tracks Access of Medical Info

[A. Melon]

BOSTON (AP) -- Internet privacy advocates raised concerns Tuesday about a technology 
firm that is quietly tracking the information consumers are getting from 
pharmaceutical companies' Web sites. 

By using tiny computer files such as ``cookies,'' Pharmatrak can track people's 
movement throughout the site on impotence, AIDS, or any other medical condition. 
Pharmatrak then shares that information with the drug companies -- and the Web surfer 
may never know. 

The Boston-based company is not subject to the restrictions put in place last month by 
online advertising services to protect consumer privacy. Advertisers agreed to inform 
computer users when they are being monitored, but because Pharmatrak isn't an 
advertiser, it doesn't need to. 

Mikki Barry, an attorney with Great Falls, Va.-based Internet Policy Consultants, said 
she's worried there are no laws to prevent Pharmatrak or other similar companies from 
passing around individuals' private information. 

On its Web site, Pharmatrak says ``in the future, we may develop products and services 
which collect data that, when used in conjunction with the tracking database, could 
enable a direct identification of certain individual visitors.'' 

Pharmatrak officials did not immediately return several calls or an e-mail sent 
Tuesday to the company president and chief executive Michael Sonnenreich. 

Sonnenreich told The Washington Post in Tuesday's edition his company is ``absolutely 
rock-solid in protecting the integrity and privacy of these people.'' He also said 
computer users who don't want to be tracked can disable the company's ``cookies,'' a 
string of computer codes that identifies visitors to a site. 

But Sarah Andrews, a policy analyst with the Washington D.C.-based Electronic Privacy 
Information Center, said that's not a realistic solution. 

``It's unfair to actually expect an average consumer to do that, even though its a 
very easy thing to do,'' Andrews said. ``But people are intimidated, and they don't 
know how.'' 

Many don't even know the cookies are there. Browsers aren't always set in a way to 
alert users to their presence. 

Pharmatrak shares the information it gathers with 11 of the largest drug companies in 
the world, including American Home Products Corp., Aventis S.A., Glaxo-Wellcome PLC, 
Novartis Pharmaceuticals Corp., Pfizer Inc., and SmithKline Beecham PLC. 

Aventis spokesman Lisa Kennedy confirmed her company uses Pharmatrak, but wouldn't 
comment on the information that Aventis receives or about Aventis' views on computer 
user's privacy rights. 

Like many of its competitors, the Aventis Web site privacy statement does not mention 
that Pharmatrak monitors its site and shares the information with other companies. 

Richard M. Smith at Denver's Privacy Foundation calls the system of tracking that 
Pharmatrak uses ``invisible Web bugs,'' and said his organization will be lobbying the 
Federal Trade Commission and the Internet industry to only use Web bugs that are 
visible to the average computer user. 

``Web bugs are like the old subliminal ads thing from the '50s when they flashed a 
Coke bottle on the screen for a fraction of a second,'' Smith said. ``We're not crazy 
about them being used at all, but if they are used, then they should at least be 
visible.''