[Reader-list] downloads and privacy

Shuddhabrata Sengupta shuddha at sarai.net
Tue May 22 13:19:09 IST 2001


MORE ON DOWNLOADS AND PRIVACY

This is a follow up from Monica's forwarding of Josephine Bosma's post on 
Steve Gibson's analysis of "privacy violations". I went to the Steve 
Gibson site mentioned in the posting, http://grc.com/downloaders.htm, and 
waded through much fascinating, but difficult, geeky stuff about the 
detective work done by Gibson around the question of how RealNetworks 
actually keeps tabs on people who have downloaded stuff from them. What I 
could make out is as follows. For any media files downloaded using 
RealNetworks software, the software itself generates a unique code that 
marks out the specific download session and the specific computer being 
used and then sends this information back to RealNetworks. This means that 
RealNetworks then has a bank of data about the download activities of 
specific computers and the individuals associated with them. What is to 
prevent a corporation such as RealNetworks from farming out this data to:
1. corporations that might be interested in an ongoing surveillance of 
individuals' internet usage for the purposes of building very nuanced and 
detailed 'consumer profiles'
2. state agencies that need and want to know our online habits?

I am appending below the concluding parts of Gibson's findings so that 
those of us who do not have the time or the facility for actually going to 
the site can get some idea of what he is saying.

But what strikes me after all this is that -

Given that, in India, proposals for actually having physical identification 
cards for cybercafe usage (refer: Ravi Sundaram's earlier posting 'The New 
Authoritarianism') are being put into practice, I would not be surprised 
if a large scale violation of online privacy is also actually taking place. 
Is there any way of finding out whether or not internet usage pattern data 
is being sold or given to the government or to private parties by 
corporations? I know that it is unlikely that any such 'understanding' 
would be public knowledge, but given the penchant that such entities have 
for bureaucratic records, perhaps there would be some 'Memorandums of 
Understanding' floating around somewhere? Any ideas where?

Cheers

Shuddha
---------------------------------------------------
  from Steve Gibson's site - http://grc.com/downloaders.htm
In Summary . . .

So what does it all mean?...

For most people, the main issue revolves around whether or not a report of 
every file downloaded with those utilities is transmitted back to their 
home base . . . and there's just no question any longer that unless 
deliberately disabled by the user, this is being actively done. If that 
bothers you, you may wish to immediately remove these downloading tools 
from your system.

Any of these file download spies may be removed through Windows' standard 
Add/Remove Programs feature located in the Windows Control Panel. You will 
find them listed as "Netscape SmartDownload", "RealDownload", and "NetZip 
Download Demon".

An additional privacy risk involves whether, to what degree, and to what 
end, historical file downloading profiles are being compiled about 
individuals, whether or not they are known by name and address and 
"personally identifiable."

Netscape has been completely silent on this issue, whereas RealNetworks has 
gone absolutely ballistic over my pointing out what it has apparently lied 
about and what it could be doing with the data that has been sent to its 
servers. As I have repeatedly stated, I have no evidence, information, or 
knowledge either way. But trust is what it all boils down to, and 
RealNetworks' record on that score seems to be getting shakier with every 
passing day.


Why is a unique ID tag being transmitted at all?
I can only address that larger question by asking: "If these companies do 
not care about us in any unique way — separate from everyone else (as they 
claim) — then WHY are they going to all the trouble of uniquely tagging 
every user's computer and deliberately transmitting not only that unique ID 
tag, but also — in the case of Netscape — sending the user's Internet IP 
address with each and every download file report?" This is not required for 
the purpose of identifying what files are downloaded "in aggregate", or 
learning when their downloading program is installed or removed from the 
host computer . . . contrary to what seems to be stated in their various 
license agreements.

Therefore, it is difficult to understand the motivation behind collecting 
personal data which is, on its face, unnecessary for the stated objective.

One Final Observation:
The stated purpose behind all of this download profiling (in their 
respective licenses) is to inform these vendors about the files we are all 
(collectively) downloading so that they can provide some sort of 
additional, useful, or auxiliary information to us (this is never really 
made clear). Yet, the date shown for the NetZip Downloader (version 1.0.62 
— which was captured in the outbound TCP/IP data packet shown above) is 
December 7th of 1998. So, this data gathering has presumably been underway 
since before that date. That's been quite a while.

When does the payback for all these years of "aggregate" user profiling 
begin? And who receives the value? And, moreover, given the highly dynamic 
nature of Internet content, does the whole idea of collecting such data 
really make any sense anyway?

It makes one wonder what's really going on here . . . doesn't it?

Shuddhabrata Sengupta
SARAI: The New Media Initiative
Centre for the Study of Developing Societies
29, Rajpur Road, Delhi 110 052, India
www.sarai.net




