From Privacy Times, January 5, 2000

SMIFFED: AMAZON-ALEXA DATA COLLECTION COULD BUBBLE OVER

Amazon.com and its subsidiary Alexa seemed determined to plow ahead with a Web software launch, despite a complaint to the Federal Trade Commission that the program collects personal data in contravention of the companies' privacy policies.

Although the two companies insist they never used any of the personal data that their systems quietly collected, concern is rising that the data could be vulnerable to "hijacking." Moreover, it's possible that Alexa's software is capable of capturing data that is supposed to be protected by Secure Sockets Layer (SSL), a common encryption program for credit card data.

The two firms joined Microsoft, Real Networks and a growing list of Internet firms that have been "Smiffed," that is, caught in a privacy faux pas by Massachusetts-based computer expert Richard Smith. Whenever he sniffs around, Smith seems to find that major Internet companies are secretly capturing personal data on Internet users.

In his latest endeavor, Smith discovered that Alexa's trial software, which is designed to track aggregate data on Internet shopping, in fact collects personal data on Internet users. This is possible because the software captures the web addresses, or "URLs," previously visited by a user. If, while at previous Web sites, the user filled out forms or made queries, then his personal data becomes attached to the URLs collected by Alexa's software.

Smith's finding is significant because Amazon.com, the Web's most popular shopping site, plans on using Alexa's software for its "zBubbles" service, which aims to let Internet shoppers compare notes and make recommendations. The zBubbles' privacy policy says, "We collect web site usage data and traffic pattern data with respect to your activity both within and across web sites - all of which remains anonymous." Alexa's policy for its Web navigational service says, "When using the service, we collect information on Web usage which remains anonymous." Amazon.com's acquisition of Alexa was seen as integral to its "customization" strategy, i.e. getting to know its customers better.

In a letter to Amazon Chairman Jeff Bezos, that also went to the FTC, Smith said the transfer of personal data on Internet users "is a breach of zBubbles License and Usage Agreement. In addition," he added, "the software may also violate a number of federal laws including the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act."

Alexa Founder Brewster Kahle acknowledged that personal information is collected, but only because it was attached to URLs. The information is not stored permanently and is not used to connect Web activity to an individual by name," Kahle told The New York Times.

The Alexa technology tries to offer online shoppers improved guidance on how to retrieve information about goods and services. It does this by studying the paths followed by many Web surfers so that individual consumers can benefit from an aggregation of shopping experiences.

Upon installing the Alexa "plug-in," Smith used a "packet sniffer" to monitor all data going from his computer to the Internet. He quickly noticed that the entire URL, including the so-called query string, was sent to Alexa's servers. A query string, for example, would show what a visitor searched for at a Web site.

"On certain Web pages, query strings can contain personal data such as names, addresses, phone numbers, and e-mail addresses," Smith said in a letter to Bezos. "In addition, query strings can also include information about what people are searching for, what products they are buying, and travel reservations. Pretty clearly, no software package should ever be transmitting this kind of personal information to another party without the knowledge and consent of a user."

Smith said an additional risk in the Alexa-zBubbles format is that the data could be "hijacked" -- stolen after its collection, but before its destruction. Moreover, it's possible that Alexa's technology could capture surfers' data protected by Secure Sockets Layer (SSL), the encryption program that commonly protects credit card data.

Kahle and Alexa Media Spokeswoman Cynthia Lohr did not return Privacy Times' calls. In an e-mail, Kahle said he was traveling. He added, "We live under the rule of thumb said to me by Marc Rotenberg of EPIC before we launched the service 3 years ago: "If you dont know who is who, then you don't have a privacy issue".