
December 19, 2003

Don't Even Think About Accessing Computer Data Without Permission

This AP story reports that an employee of a market-intelligence company pleaded guilty to federal charges of obtaining unauthorized access to a customer's computer files. The files included passwords and personal data of the customer's own customers. The market-intelligence employee reportedly downloaded the data to CDs and stored it at his house, just because he liked to have it -- he didn't use it for criminal or commercial purposes.

The employee is being held without bond, pending sentencing in about two months. He faces up to five years in federal prison.

December 19, 2003 in Criminal Penalties, IT Management

December 09, 2003

Marketers, Be Careful About Your GET Statements

Recently, several pharmaceutical companies narrowly dodged a privacy class-action bullet concerning their collection of data about Web-site visitors. See In re Pharmatrak, Inc. Privacy Litigation, No. 00-11672-JLT (D. Mass. Nov. 6, 2003) (granting summary judgment for defendants), copy available at the BNA Web site, on remand from 329 F.3d 9 (1st Cir. 2003) (reversing and remanding summary judgment dismissing action).

The lesson for marketing managers is to check whether your Web-site programmers are submitting forms with the HTTP GET method in a way that puts personally-identifying information about your site's visitors into URLs, where tracking services, server logs and Referer headers will save it.

Each of the pharma companies wanted to compare usage of different parts of its Web site with the same information from competitors' sites. To do this, they signed up with Pharmatrak, which provided a service that utilized browser "cookies" to collect information about which users had visited which Web sites.

Privacy apparently was a concern from the start. Pharmatrak emphasized in its marketing that it did not collect personally identifiable information. In signing up with Pharmatrak, most of the pharmaceutical companies sought and received assurances from Pharmatrak that the tracking service would not collect personal or identifying data about their Web site visitors.

Alas, it didn't work out exactly that way. It turned out that, through inappropriate programming practice at various companies, Pharmatrak did indeed unintentionally collect some such personal data for a few Web site visitors. That led to a class-action privacy lawsuit under the Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. §§ 2511, 2520.

The Technology Problem

Apparently the main culprit was a Pharmatrak customer's use of the GET method, instead of the POST method, on the HTML form that collected user information. As explained by the appellate court:

The personal information in 197 of the 232 user profiles [for which personally-identifiable information was improperly collected] was recorded due to an interaction between NETcompare and computer code written by one pharmaceutical client, Pharmacia, for one of its webpages.

Starting on or before August 18, 2000 and ending sometime between December 2, 2000 and February 6, 2001, the client Pharmacia used the "get" method to transmit information from a rebate form on its Detrol website; the webpage was subsequently modified to use the "post" method of transmission. This was the source of the personal information collected by Pharmatrak from users of the Detrol website.

Web servers use two methods to transmit information entered into online forms: the get method and the post method. The get method is generally used for short forms such as the "Search" box at Yahoo! and other online search engines. The post method is normally used for longer forms and forms soliciting private information.

When a server uses the get method, the information entered into the online form becomes appended to the next URL. For example, if a user enters "respiratory problems" into the query box at a search engine, and the search engine transmits this information using the get method, then the words "respiratory" and "problems" will be appended to the query string at the end of the URL of the webpage showing the search results.

By contrast, if a website transmits information via the post method, then that information does not appear in the URL. Since NETcompare was designed to record the full URLs of the webpages a user viewed immediately before and during a visit to a client's site, Pharmatrak recorded personal information transmitted using the get method.

* * *

In addition to the problem at the Detrol website, there was also another instance in which a pharmaceutical client used the get method to transmit personal information entered into an online form. The other personal information on Pharmatrak's servers was recorded as a result of software errors. These errors were a bug in a popular email program (reported in May 2001 and subsequently fixed) and an aberrant web browser.

(Footnotes omitted, paragraphing edited.)

A Happy Ending -- So Far

The pharmaceutical companies eventually won, because the trial court found they did not have the requisite "intent" to commit the privacy-violating acts, as defined in the ECPA. We'll see if the judgment survives the inevitable appeal.

Possible Lesson

The lesson learned here is a technical one, but it applies to both Web-site programmers and to marketing people: Be careful about the use of the GET method on forms -- anything a visitor types into a GET form lands in the URL, and from there in your server logs, in the visitor's browser history, and in the Referer header sent to every third-party service loaded by the next page -- so make sure you're not inadvertently collecting private information about your Web-site users.
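To make the mechanism concrete, here is an added example (it is not code from this post, from Pharmatrak, or from the court record) in Node.js. It simulates how a browser encodes a form depending on its method attribute, what a tracker that records full page URLs (or the Referer of the next page) would capture in each case, and a simple audit check you can run over logged URLs to find query parameters that look like personal data. The field names, URLs, the sample log and the list of "sensitive" parameter names are all constructed for illustration and are not from the case.

```javascript
// Added example, not code from the blog post or from the Pharmatrak record.
// It simulates what a browser does with an HTML form's method attribute and
// what a tracker that records full page URLs (and the Referer header sent
// to the next page) would capture. Field names, URLs and the sensitive
// parameter list are constructed for illustration.

// Encode submitted fields the way a browser does:
//   method="get"  -> fields become the URL query string
//   method="post" -> fields go in the request body; the URL is unchanged
function submitForm(action, method, fields) {
  const encoded = new URLSearchParams(fields).toString();
  if (method.toLowerCase() === 'get') {
    const url = new URL(action);
    url.search = encoded;
    return { url: url.toString(), body: null };
  }
  return { url: action, body: encoded };
}

// A tracker that logs the page URL (or the Referer of the following page)
// sees only the URL. A POST body never reaches it.
function trackerRecords(request) {
  return request.url;
}

// Hypothetical list of parameter names that usually carry personal data.
// Tune it to the forms your site actually serves.
const SENSITIVE_PARAMS = [
  'name', 'email', 'phone', 'address', 'zip', 'dob', 'ssn', 'password',
];

// Audit check: scan logged URLs (your access log, a referer log or a
// vendor's report) for query parameters whose names look like personal data.
function findLeakedParams(loggedUrls) {
  const findings = [];
  for (const raw of loggedUrls) {
    let url;
    try {
      url = new URL(raw);
    } catch (e) {
      continue; // not an absolute URL; skip it
    }
    const hits = [];
    for (const key of url.searchParams.keys()) {
      const k = key.toLowerCase();
      if (SENSITIVE_PARAMS.some((s) => k.includes(s))) hits.push(key);
    }
    if (hits.length > 0) findings.push({ url: raw, params: hits });
  }
  return findings;
}

// Constructed sample: the same rebate form submitted both ways.
const REBATE_FIELDS = {
  firstname: 'Jane',
  lastname: 'Doe',
  email: 'jane@example.com',
  product: 'X',
};
const viaGet = submitForm('https://www.example.com/rebate', 'get', REBATE_FIELDS);
const viaPost = submitForm('https://www.example.com/rebate', 'post', REBATE_FIELDS);

// Constructed tracker log: both submissions plus an ordinary search page.
const TRACKER_LOG = [
  trackerRecords(viaGet),
  trackerRecords(viaPost),
  'https://www.example.com/search?q=respiratory+problems',
];

console.log('GET  ->', trackerRecords(viaGet));
console.log('POST ->', trackerRecords(viaPost));
console.log('leaks:', JSON.stringify(findLeakedParams(TRACKER_LOG)));
```

Run it with `node` and the GET line shows the visitor's name and e-mail address sitting in the URL, the POST line shows a clean URL, and the audit flags only the GET submission. The search URL is deliberately left unflagged: a query like "respiratory problems" can still be sensitive, which is why the parameter-name list is only a first pass and the fix is to switch forms that take personal data to method="post" (and, for the Referer path, to set a restrictive Referrer-Policy on those pages).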

December 9, 2003 in Marketing

Bandwidth Management to Keep Copyright Police Away

It's said that a non-trivial portion of the Internet bandwidth consumed by businesses is taken up by illegal employee downloading of music and video files. This ComputerWorld column suggests that businesses can reduce their risks of being targeted by the record industry, video industry, etc. -- and reduce costs too -- by deploying bandwidth-management software:

"We started by doing bandwidth prioritization between the dorms and the main campus," Dodds says.

During business hours, campus connections have priority over dorm use, and Dodds can filter out certain IP addresses, block some peer-to-peer traffic and even segregate dorms by subnet. Using the graphic capabilities of the package, Dodds is able to see which protocols are using the most bandwidth and then allocate bandwidth as needed.

* * *

Prior to implementing the bandwidth management setup, Fairmont was considering purchasing additional bandwidth. That's now been shelved.

And as for pulling the plug on illegal music and video downloads, well, let's just say Britney can shop to her heart's content.

It's an interesting idea, but bandwidth-management software strikes me as a short-lived phenomenon. Bandwidth will get cheaper; music and videos will become available on-line at reasonable prices (it's already happening with music); and employees will gradually get the message that they can be fired for doing illegal downloading.

December 9, 2003 in IT Management, Intellectual Property