Netscape and privacy

[Chris Smyth]

The Communications Week issue of September 25 1995 contains an interesting
interview with Netscape Chairman Jim Clark in which he outlines the future
that he envisions for his company. The interview also contains a passage
discussing the Netscape browser software that I find somewhat disturbing.
Many cypherpunk list members are concerned with the general issue of
electronic privacy and with the programming of WWW browsers, so I think this
post is relevant to the list. Clark's apparent attitude toward privacy makes
me uneasy.

Begin excerpt

Comm Week: How do you track usage?

Clark: We have worked out schemes to tell us when you use our program and
for how long you use it. That capability is easy to add. We can tell each
and every time you turn it on and we can tell whether you have paid for it
or not. We were getting 10 million hits a day at our Web site.  It has
doubled since our IPO.

End excerpt

I personally oppose the collection of this type of behavioral tracking
information without my explicit consent, and I would reconsider using
software which implements the type of tracking Clark mentions above.  Note,
Clark's reply is ambiguous because it does not indicate if the `schemes'
have been implemented or deployed at this time.  Some list member associated
with Netscape may wish to clarify Clark's comments.  

It is true that a user automatically contacts the Netscape Web cite when
starting the browser if he or she has not reset the default home page.  I
reset my home page long ago, but I do not know if the Netscape site is still
contacted anyway.  Nor do I know if Netscape is contacted when I quit the
browser, or if elapsed usage time is tracked.

The future Clark posits for his corporation depends on people adopting
Netscape software for a wide variety of tasks. He wants the browser to
evolve toward being a general multimedia web browser, mail handler,
newsreader, and collaboration tool.  Such a tool would handle large amounts
of private and/or proprietary information and the creator of such a tool
must be extremely sensitive to privacy concerns in my opinion.  Collecting
and relaying information about usage is potentially a significant violation
of the privacy users will expect.

Certainly, it is tempting to gather information for marketing purposes and
other reasons.  For example, some browser company unconcerned about privacy
might program its browser to regularly transmit information about bookmarks
and histories to a database site for analysis and data-mining.  But ignoring
privacy concerns risks invoking the fervent ill-will of many users.  Perhaps
I am over-reacting to Clark's comments.  Even if I am over-reacting,
Netscape should consider developing a statement of its privacy policy and
making it available at its web site.

It is not easy to craft clear, concise and general privacy guidelines.
Below are two crudely crafted suggestions for properties that should be
satisfied by a browser.

1) Information about browser usage will never be collected and/or transmitted
surreptitiously to any other agent on the net.

2) Transfer of information should be done openly with the explicit
initiation/agreement of the browser user.

Note, currently the Netscape browser (and other browsers) apparently transmit
identification information such as the browser type, version number, and
machine name when making a connection.  The browser user should probably be
told about this information in my opinion.
                Chris Smyth csmyth at blaze.cs.jhu.edu