Verisign's SiteFinder finds privacy hullabaloo

Making Overtures


Privacy advocates have joined the chorus of critics of Verisign's "SiteFinder," which on Monday began directing mistyped dot-com and dot-net e-mail and Web addresses to a pay-for-play search site operated by the company, writes SecurityFocus' Deborah Ratcliff.

On Wednesday, Boston-based Internet security and privacy consultant Richard Smith found buried in the SiteFinder page a so-called "Web bug," an invisible image file served up by Overture.com, a Pasadena, Calif.-based advertising company that brands itself as a search engine. The bug delivers a cookie that doesn't expire for five years.
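The "web bug" Smith describes is a third-party image, typically 1x1 pixel and invisible, whose request carries a long-lived tracking cookie. The following script is an added example, not code from the article or from any of the companies named in it: it scans fetched HTML for images served from a host other than the page's own host that are sized or styled to be invisible, and it computes how long a `Set-Cookie` header keeps a cookie alive. The sample page, the host names `sitefinder.example` and `tracker.example.net`, and the cookie value are all constructed for the example.

```python
"""Spot third-party tracking pixels and long-lived cookies in a fetched page.

Added example for illustration; the hosts, HTML and cookie below are
constructed and do not come from the SiteFinder page or Overture.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def find_web_bugs(html, page_host):
    """Return (src, host) pairs for images that look like tracking pixels.

    Heuristic: the image comes from a host outside page_host and is either
    1x1 / 0x0 or hidden by inline style. Relative URLs are first-party."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.images:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or page_host
        if host == page_host or host.endswith("." + page_host):
            continue
        width = (attrs.get("width") or "").strip()
        height = (attrs.get("height") or "").strip()
        style = (attrs.get("style") or "").replace(" ", "").lower()
        tiny = width in ("0", "1") and height in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            hits.append((src, host))
    return hits


def cookie_lifetime_days(set_cookie, now):
    """Lifetime in days of a Set-Cookie header, measured from `now` (an
    aware UTC datetime). Returns None for a session cookie. Max-Age takes
    precedence over Expires, as RFC 6265 specifies."""
    parts = [p.strip() for p in set_cookie.split(";")]
    expires = max_age = None
    for part in parts[1:]:  # parts[0] is name=value
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                pass
        elif name == "expires":
            try:
                expires = parsedate_to_datetime(value)
            except (TypeError, ValueError):
                pass
    if max_age is not None:
        return max_age / 86400
    if expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds() / 86400
    return None


# Constructed sample input: a first-party logo plus a 1x1 third-party pixel.
SAMPLE_HTML = """<html><body>
<h1>Did you mean...</h1>
<img src="/images/logo.gif" width="120" height="40" alt="logo">
<img src="http://tracker.example.net/pixel.gif?ref=typo" width="1" height="1">
</body></html>"""

# Constructed cookie set by the pixel's response, expiring five years out.
SAMPLE_SET_COOKIE = "UID=abc123; Expires=Thu, 18 Sep 2008 00:00:00 GMT; Path=/"
NOW = datetime(2003, 9, 18, tzinfo=timezone.utc)

if __name__ == "__main__":
    for src, host in find_web_bugs(SAMPLE_HTML, "sitefinder.example"):
        print(f"third-party pixel from {host}: {src}")
    print("cookie lifetime (days):", cookie_lifetime_days(SAMPLE_SET_COOKIE, NOW))
```

The size-and-style heuristic flags the classic invisible pixel; a tracker that uses a visible logo served from an advertising host would pass it, so the host comparison on its own is the more reliable signal when reviewing a page.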

This certainly means the culling of some information, said Smith. "They're getting a sense of what domain names are mistyped, and perhaps this can be used by a domain name sales company. In addition, Overture is a pay for click search engine, with questionable affiliates."

The question on everyone's mind is, what are Verisign and Overture doing with information gathered through SiteFinder? Will the companies be able to tell that the person looking for a medical marijuana site on Monday is the same person looking for a cancer support group the week before?

"We don't know if this site is harvesting personal information, but we believe it's at risk," said Lance Cottrell, president of Anonymizer.com in Pasadena, which Thursday updated its privacy software to circumvent SiteFinder.

On Wednesday, discussion boards filled up with hundreds of messages reflecting users' concerns over the potential for privacy violations by Verisign.

Some privacy advocates are particularly concerned that the company could merge databases from its other ventures with information logged by SiteFinder, creating rich ore for data mining. The company holds digital certificates for two million individual certificate holders, and has access to those customers' personally identifiable information. By mapping certificates to domain names to IP addresses, a record of mistyped domain names could be tied to some users' identities -- if someone wanted to go to all that trouble, said Seth Finkelstein, a civil libertarian software engineer who runs a popular anticensorware site.

"They're [Verisign] getting to know your IP address; and you may very well have a customer relationship with them through certificates which allows them to know you in great detail," adds Cottrell.

E-Mail Woes

SiteFinder's privacy policy says VeriSign only collects data "in aggregate form and solely for the purposes of operating and improving the performance of our Site Finder." It notes that Overture collects information "in order to serve content to our site, improve the services offered on our site, or measure advertising effectiveness of paid search results."

A Verisign spokesman did not return repeated calls about the privacy concerns, but the company issued a written statement saying the purpose of SiteFinder is to ensure people get to their Web sites even if they mistype the address. The statement also said that Verisign is working with the technical community to solve a different problem that is wreaking havoc on some anti-spam efforts. SiteFinder immediately made nonexistent domain names indistinguishable from genuine hosts in the domain name system, breaking anti-spam solutions that block e-mail from bogus domains, said Dan Camper, a software developer at Borrowed Time, Inc., in Austin.

From a privacy perspective, people are also concerned about what happens to all the mis-routed e-mails that are sent to Verisign when users type in bad addresses. This week the SiteFinder site was rejecting those e-mails, but only after receiving the "to" and "from" addresses.
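The anti-spam breakage Camper describes, and the mis-routed mail that follows from it, both stem from one change: every unregistered .com or .net name now resolves to the registry's own server instead of failing. A mail filter that rejects senders from non-resolving domains therefore needs a second signal before it can trust "this domain exists". The script below is an added example, not code from the article or from any mail product: it resolves a random label that cannot possibly be registered under the sender's top-level domain, remembers whatever address comes back, and treats any sender domain that resolves to exactly that address as synthesised rather than real. The zone contents, the wildcard address `192.0.2.1` and the `fake_resolve` function are constructed so the example runs offline; `system_resolve` shows how the same check would be wired to the operating system's resolver.

```python
"""Tell a registry wildcard apart from a genuine sender domain.

Added example for illustration. The zone data and the wildcard address
are constructed; `fake_resolve` stands in for DNS so this runs offline.
"""
import secrets
import socket


def system_resolve(name):
    """Real lookup through the OS resolver. Failures (including NXDOMAIN)
    come back as an empty list so callers can treat them uniformly."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def probe_wildcard(resolve, tld):
    """Resolve a random label that no one could have registered. A healthy
    TLD returns nothing; a wildcarded TLD returns its synthesised address,
    which is returned here as the set of addresses to distrust."""
    label = "nx-" + secrets.token_hex(8)
    return set(resolve(f"{label}.{tld}"))


def sender_domain_status(resolve, domain, wildcard_cache):
    """Classify a sender domain as 'nonexistent', 'synthesized' or 'exists'.

    wildcard_cache maps a TLD to the address set learned by probe_wildcard,
    so each TLD is probed once rather than once per message."""
    tld = domain.rsplit(".", 1)[-1].lower()
    if tld not in wildcard_cache:
        wildcard_cache[tld] = probe_wildcard(resolve, tld)
    answers = set(resolve(domain))
    if not answers:
        return "nonexistent"
    if wildcard_cache[tld] and answers <= wildcard_cache[tld]:
        return "synthesized"  # indistinguishable from the registry wildcard
    return "exists"


# Constructed data: two real-looking zones plus a .com wildcard that answers
# for everything else, mimicking the behaviour the article describes.
CONSTRUCTED_ZONE = {
    "example.com": ["198.51.100.7"],
    "example.org": ["198.51.100.8"],
}
CONSTRUCTED_WILDCARD_IP = "192.0.2.1"  # placeholder for the registry's search site


def fake_resolve(name):
    """Offline stand-in for DNS: unknown .com names get the wildcard
    address, unknown names under any other TLD get no answer."""
    name = name.lower()
    if name in CONSTRUCTED_ZONE:
        return list(CONSTRUCTED_ZONE[name])
    if name.endswith(".com"):
        return [CONSTRUCTED_WILDCARD_IP]
    return []


if __name__ == "__main__":
    cache = {}
    for sender in ("example.com", "bogus-sender.com", "bogus-sender.org"):
        print(sender, "->", sender_domain_status(fake_resolve, sender, cache))
```

The comparison is deliberately a subset test on address sets: a genuine domain that happens to share the wildcard address would be misclassified, so a production filter should treat "synthesized" as grounds for a further check (for example, an MX lookup) rather than an outright reject. Probing with a fresh random label each time also guards against the registry special-casing a fixed test name.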

"If Verisign's running an SMTP server or POP server, they can start grabbing people's e-mail addresses and passwords if they want to. It's not good that they're directing more than just the Web browser traffic here," said Smith. "I doubt that Verisign would do this, but Verisign did go ahead and change the Internet routing system, without first thinking of the unforeseen consequences of doing this."

The commercial exploitation of mistyped Web addresses also rubs critics the wrong way. When people mistakenly type in a URL and end up at SiteFinder, Overture's paying advertisers are listed as the top alternative choices for what the Web surfer may have meant to look for with the mistaken URL.

Moreover, Overture has been implicated in numerous spam complaints, according to Chris Brandon, president of Brandon Internet Services, an Internet investigations firm in North Carolina. "Overture has a long history of being in collusion with gangs of spammers," said Brandon. "I get complaints about them all the time from my 330 backbone ISP members about spam trying to direct them to Overture's search engines."

Overture says it does advertise its own services, but it does not spam. The company says the only advertisements it sells are in the form of top picks on Web search engines, which is a common practice among search sites such as Yahoo, which is expected to complete an acquisition of Overture in mid-October. Moreover, Overture said that all of its affiliate members are hand-screened by an editorial board for legality and compliance to its strict rules of netiquette.

In fact, it's the commercialization of the DNS service that has many people up in arms. DNS, the very backbone of the Internet, they say, should not be tainted with advertising and privacy concerns, and VeriSign should not be taking advantage of its role as the official domain name registrar for .com and .net addresses. "It raises grave questions," Smith says.

Copyright © 2003,

Related stories

All your Web typos are belong to us
Verisign DNS change broke my HP printer (letters)
BIND developer blocks Verisign Net grab move
