The maker of a simple animated mouse pointer is raising privacy concerns because the device's software surreptitiously tracks its users' Web travels.
When a surfer visits Web sites that use the cursor to customize their pages, the pointer transmits a record of the visit to Comet Systems, which designed the software.
Unbeknownst to users, the Comet Cursor's tracking activities are tied to unique identification numbers. Privacy advocates complain that the software company didn't disclose the cursor's capabilities to users, many of them children.
"It's a vast, surreptitious collection of click stream data that could subsequently be personally identified," said Jason Catlett, president of Junkbusters, a privacy advocacy group.
The Comet Cursor changes its appearance by flashing and moving and can adopt the logos of compatible Web sites. More than 16 million surfers have downloaded and installed the software since its release last year, the company said.
But Comet said there is a big difference between its use of the GUID and past privacy problems tied to unique identifiers.
"We have never asked for a user name or email address, in order to respect the privacy of our users," said Ben Austin, the company's director of marketing. "At no point do we get any personal information as part of anyone surfing with the cursor."
Austin said Comet's collection of unique numbers is no different than the IP addresses provided when users visit any Web page.
Because the company never collects names, email addresses, or other identification information, it cannot associate an ID number with an individual, Austin said.
GUID-based data-collection by other companies has always associated the number with a name, he added.
Austin said the company uses the GUID to track the number of people using the software. The GUID is used every time the software contacts company servers to log a cursor-change. These statistics are used to bill the client Web sites, some of which pay on a "per-cursor-impression" basis.
Sites using the cursor technology include Yahoo, Lycos (parent company of Wired News), theglobe.com, Warner Bros., Universal Studios, RealNetworks, MindSpring, M&M/Mars, MSNBC, Energizer, CNET, Comedy Central, United Media, and Universal Press Syndicate, according to the company.
Catlett wrote a letter to the office of New York State Attorney General Eliot Spitzer requesting an investigation.
"The letter will be forwarded to our Internet bureau, and reviewed by the bureau," said Paul Larrabee, spokesman for the attorney general's office. The bureau will evaluate the complaint and then decide how to respond, he said.
Software analyst Richard Smith -- the code-watcher who has identified many privacy concerns affecting Internet users -- caught up with Comet Cursor last week.
"The problem is that this was never ever disclosed," Smith said. "When you install this software it never said anything about any monitoring. And most of the sites using it were aimed at children, and children don't know about this."
Smith notified Comet Systems last Wednesday. On Monday, Comet Systems published a new disclosure notice in the privacy policy section of its Web site.
The company's new privacy notice acknowledged that the cursor collects a global unique identifier (or GUID), the Web address of sites where a cursor changes, and a record of the change to the cursor.
"We do not collect any non-anonymous information and we make no attempt to create user profiles or connect this anonymous information with any personally identifiable information, such as names or email addresses. We also do not share log posting data with outside parties," the statement said.
The Web site states that the information is used to count the number of unique users of the software and to report impressions at sites.
But Smith said that because GUIDs can eventually result in the misuse of data, even if not by the company directly, the software should not collect this data. Instead, it should rely on each individual Web site to tally cursor use. Austin said it would be difficult to get customer sites to agree to that.
The company plans to continue transmitting the information with the software.
While Smith worries that unique hardware identification numbers can be extracted from the GUID, Austin said the GUID number is completely random and cannot be traced back to a particular computer identification number.
"Obviously Comet should have informed people that they wanted to track their every move across their Web properties," added Catlett. "But notice isn't enough here."
"Online profiling, even if it can be turned off, is simply unfair when the data isn't protected by minimum standards that most developed countries require by law."
Meanwhile, one high-profile site that utilized the cursor, the kids' section of Al Gore's official campaign site, stopped using the software Monday as a result of privacy concerns.
"It seemed like only the mildest form of information that was being conveyed -- but even that was against our strict standard," said Chris Lehane, spokesman for the Gore campaign. "When the issue was brought to our attention yesterday we removed the cursor from our site."
Companies that have altered data-collection practices over GUID issues include Microsoft and RealNetworks.