So just how guilty is Netscape?

The SmartDownload privacy case retackled and in full

Since we posted the story that a case had been brought against AOL for infringing consumers' privacy through its Navigator browser, we have been inundated with interesting, uninteresting, encouraging and abusive emails. This then is an attempt to update those interested in the story and give a rundown on the facts and arguments.

First of all, what's all the fuss about?
The SmartDownload feature in Netscape's Navigator browser (included as an option since version 4.7) logs user downloads and sends this data to Netscape. This data includes the file name, the file's server name and the user's IP address. It may also include the user's email address. A cookie pointing to this information is also added to the browser. This is all done without informing the user or asking his/her permission.

German Web site Tecchannel has also discovered today that the same thing occurs when people use the browser's Search feature.

Hmmm. And how did this come to light?
An American named Christopher Specht has started a court case against AOL (it owns Netscape) claiming that this behaviour infringes his privacy.

Incidentally, a Christopher Specht has emailed us to explain he is "a lot more stable and a lot less paranoid" than we originally suggested. We've asked him for proof that he is the complainant. If he does so, we'll tell you what he has to say.

What has AOL/Netscape got to say about this?
Not all that much at the moment. The old "we don't comment on impending court cases" cop-out has been used a little. The defence is (currently) that SmartDownload needs to create extra files to work effectively. It has yet to answer queries about the Search feature.

So AOL is a privacy-invading, immoral and highly suspect company?
That's what some would have you believe. It is certainly willing to push its rights to the edge but then show us a company (especially a hi-tech company) that isn't.

So it's doing nothing untoward?
We didn't say that either. What we need to look at here is exactly what it is doing, its intent behind it and whether it is breaking any laws.

Okay, hit me

Netscape is getting these files - they're being sent to cgi.netscape.com. These files, carefully pieced together, can be used to build pretty good profiles of Navigator users - interests, favourite sites, probable age, income, etc. This doesn't mean they know that Kieren McCarthy (that's me, by the way) is a journalist who lives in London and likes petite brunettes. It doesn't mean they can contact me directly either. It is also absolutely nothing new.

Since businesses realised the value of marketing about 100 years ago, they have set about finding out who and where possible customers are. Building up profiles of the people that see your product and buy your product has become so entrenched that you will not be taken seriously until you have this data. Why do you think there are competitions, coupons, special offers, discounts, etc, etc? Because the cost of selling goods cheaper is offset by the information given by those taking advantage of the offer.

Companies also learnt very quickly that the less effort required on the consumer's part, the greater the response. Hence coupon bar codes, etc - you can quickly and efficiently track back where the coupon originated from. This is only a very tiny example, but you get the idea.

Now, with Net technology, every time someone uses your service or visits your site they drag a whole lot of information along with them. It is not surprising then that companies leap on this free information to find out what's going on. It's not even malicious - companies need this information to survive and since it does you no harm, claims of privacy invasion seem a little churlish.

So it's all a fuss about nothing?
No. Because so far we assume that companies are nice. We hate the cliched use of "competitive market" but let's face it, that's what IT is. Free market advocates will tell you competition gives the consumer choice and low prices but they often gloss over the fact that it turns companies into profit-crazed, ruthless and immoral beasts. Consumers are not people but purchasers and profit is the one and only goal.

Subsequently, companies will do just about anything they can, pushing laws to the limit, to get an edge over a competitor. Right, Bill? This is where the privacy debate comes in.

We don't think anyone can complain that companies will try to learn about their customers. But there is a fine line between use and abuse of information. Netscape has every right to pick up generic information about us if we choose to use its services (it cost them a lot of money to set up). But if this information is used by the company to create direct profit, if it causes us to be approached by other companies or it causes people to be able to recognise us individually then we should be asked clearly and prominently whether we are happy about it. We should also have to give permission since we gain no direct benefit.

Theoretically, therefore, any information about us that Netscape chooses to scrape up is none of our business. But companies, naturally, will abuse such trust and that's why we need laws. If there is a very real risk that a company could abuse our information and we would not be aware of it, or it does something that is useful only as a tool for creating direct profit, it follows that it should be against the law.

Okay, I'm sick of being patronised now. What's the beef?
Netscape is pulling information about what you do when using its SmartDownload feature. This is an optional extra to the browser but then Netscape naturally pushes it quite hard. It's a nice feature because it means that if you are cut off mid-download, you won't have to download the whole file again - only the bits you've missed. In return for this, Netscape allows itself to know what you're downloading. For those of you without rampant paranoia, this is not a big problem. But then, Netscape doesn't exactly tell you this is what it's going to do.

Plus, there is plenty of software than can do the self-same thing and they won't pay any attention to what you download. SmartDownload is just more convenient. It's a bit bloody cheeky but hardly illegal. The question is: is this information saleable? The panic-stricken run around crying "spam! Spam!" to anyone they meet but spam has such a bad name for itself that you have to ask whether this is a realistic threat.

If Netscape is selling this info without having asked permission, it should be against the law. But we have to balance likelihood against unnecessary corporate restriction. It is arguable that without having the info with which to attract advertisers, Netscape would haven't as much money and the resulting browser wouldn't be as good. Don't get all riled - this is the foundation of capitalism and it's why we all have designer clothes and fancy food while Eastern Europeans queue for bread.

But what about sending the email address as well?
Well, if you log into Netscape's Netcenter, not only will it send the other info but because it knows who you are, it will also send your email with it. How dare they! you cry. Well, you are using their services and, presumably, it aims to "personalise" your portal - how else will it do this if it doesn't know what you like? Plus, what the hell do you think portals are for anyway? Now at The Reg, we believe openness is the best policy. To our minds, Netscape ought to clearly inform those that join Netcenter for the first time that it will follow them.

Something like: "As a member of our center, we hope to make your experience as accurate and personal as we can. You may be amazed that some items fit closely with your interests. We think this is a useful service and we hope you like it too but it is only fair that we tell you how this is done. While you move about the Internet, information about where you are and what you download will be sent to us. We will then piece this information together and change your Netcenter page accordingly. We believe this will make your experience better, but if you feel it invades your privacy, please select 'Impersonal service' on the next screen."

But then Netscape's not as nice as us. If it doesn't do something though and this information becomes widespread, we reckon this will be seen as malevolence - so sort it out, Netscape.

And what about Tecchannel's Search findings?
This is a little more interesting. If you use Navigator's Search function, as well as sending the query to the main search engines, it also sends it to itself. With your IP (and email if you've come through Netcenter), of course. We don't like this since it seems unnecessary. This is an extremely simple service to provide (in fact, The Reg could do the same with a bit of Javascript fairly quickly). As such, it's seems a bit much for Netscape to pluck this information. Tecchannel advises that you go direct to search engines but frankly we think this should be cut out.

You should be allowed to do a simple search without being followed and Netscape appears to give back very little for what is good information.

Christ, you've gone on a bit. What about it at the end of the day?
Well, Netscape is being cheeky. Whether it's breaking privacy laws - hmmm. It might be, but we see it more a question of whether you can prove beyond reasonable doubt that Netscape is selling this information. It certainly isn't doing itself any favours by being a bit insidious and not asking or telling people what it is doing. This whole case (and this article) are as a result of that. But then you can never teach a big company such "soft" tactics. Never forget that big companies couldn't give a monkey's about your rights unless it costs them money.

The resulting bad publicity from all this will most likely cause some changes in the next Navigator version. Partly because of uproar but, sadly, mostly because Microsoft will use the furore to sell Explorer. It will also get those wanting to stick with Netscape to upgrade faster. All publicity can be good publicity if you handle it right.

So, options?


  • Privacy statement Netscape promises it won't do anything bad. This is what The Reg has. This is never going to happen, so don't even think about it.

  • Warnings will be heavily flagged This isn't going to happen either. Imagine: "Warning: click here if you want us to track your movements." It wouldn't prove very popular.

  • Remove features A last resort. Some kinda compromise will be best for all concerned.

  • Promise of intent Netscape promises not to sell the information it obtains. This to us sounds most likely once the two sides have battled into the middle.

  • Microsoft is worse Netscape releases some false information on Explorer, everyone rushes in with knives, Specht is paid out of court and our goldfish society forgets all about it. Why not? It's happened many times before now.®


Related Story

AOL faces snooping court case

Related Link

tecchannel's article

Sponsored: Network DDoS protection