EarthLink, Inc. Monday debunked
reports that the nation’s number-two ISP has hidden a “super cookie” in its
customized Internet Explorer browser.
This weekend, participants in newsgroups operated by Gibson Research Corporation found what they
thought was a unique tag in every User-Agent tagline, a piece of information
sent by the Web browser every time a person types in a URL or clicks on a
link for download. For EarthLink IE users, that tag begins with the string
ELNSB50 followed by a 48-character combination of letters and numbers.
Many corporations and ISPs use Microsoft’s Internet Explorer Administration
Kit to customize the User Agent string in the browser’s header, but
according to an initial report from GRC president Steve Gibson, who is
credited with helping to publicize privacy flaws in products from Real
Networks and Radiate, among others, EarthLink’s implementation was
dangerously different. Gibson’s early investigations suggested that
EarthLink’s token is unique for each browser user and created after the
consumer installs the Web browser and connects with the default home page
for EarthLink. There, he surmised, it was possible the member’s user name
and password could be matched with the 48-character string that stays with
the user.
Les Seagraves, EarthLink’s chief privacy officer, Monday reassured
subscribers that the string is designed to transmit display information to
its site about the member’s computer settings, and is not a user ID or in
any way used to track personal information.
“The information we have in the User-Agent section is browser information.
Basically it gives your browser monitor settings so we can tailor our Web
pages to the customer’s settings,” Seagraves said. “It’s not unique
information, it’s not tied to any personally identifiable information and
there’s no way to tie it into a user’s personal information.
“There could be thousands of people with the exact same number, based upon
their settings being the same,” Seagraves continued. “It doesn’t have
anything to do with who they are. We certainly don’t want to do anything
against our commitment to our members’ privacy or violate our privacy
statement.”
Seagraves said that the EarthLink site has not incorporated the user
settings into a tailored environment yet.
After speaking with EarthLink officials Monday, Gibson published a retraction at this site.
“I was wrong,” Gibson told InternetNews today. “What they’ve said is
completely plausible, and so it doesn’t nearly look like the type of problem
we had presumed,” he said.
While users might not appreciate having their EarthLink Web browsers
broadcasting internal data about their machines, this data would not be
useful for Internet tracking and is probably not explicitly user-unique.
Seagraves said the company is considering posting instructions at its site
about how to remove the string.
One of the first sightings of the super cookie came last year by the hacker
information Web site attrition.org, which noted a strange string of
characters after the ELNSB50 designator.
The tag sets the stage for a relatively easy computer script, which would
look for the EarthLink designator and string. A query at any search engine
nets thousands of returns.
But without the database to link the User-Agent string with the member’s
personal information, the information is relatively useless to Web
advertisers, who are looking for specific user demographics.
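The same kind of script can be pointed at a site's own access log to test the competing claims, that is, whether each ELNSB50 string arrives from a single client or is shared by many. This is an added example, not code from EarthLink, GRC or the article; the token layout (48 letters and digits directly after ELNSB50), the Combined Log Format input and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the 48 letters/digits follow "ELNSB50" directly. The article
# gives only the prefix and the length, not the exact layout.
TOKEN_RE = re.compile(r"ELNSB50([A-Za-z0-9]{48})(?![A-Za-z0-9])")
# Combined Log Format: client address first, User-Agent in the last quoted field.
LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"\s*$')

def extract_token(user_agent):
    """Return the 48-character value after ELNSB50, or None if absent/malformed."""
    m = TOKEN_RE.search(user_agent)
    return m.group(1) if m else None

def clients_per_token(log_lines):
    """Map each token to the set of client addresses that sent it."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        token = extract_token(m.group(2)) if m else None
        if token:
            seen[token].add(m.group(1))
    return dict(seen)

def summarize(log_lines):
    """Count tokens shared by several clients versus seen from only one.
    A client address is only a rough stand-in for a user (dynamic dial-up
    addresses, proxies), so the result is suggestive, not proof."""
    groups = clients_per_token(log_lines)
    shared = sum(1 for clients in groups.values() if len(clients) > 1)
    return {"tokens": len(groups), "shared": shared,
            "single_client": len(groups) - shared}

# Constructed sample data: documentation addresses and made-up tokens.
TOKEN_A = "0123456789ABCDEF" * 3
TOKEN_B = "FEDCBA9876543210" * 3
def _line(ip, ua):
    return f'{ip} - - [01/Jan/2001:10:00:00 +0000] "GET / HTTP/1.0" 200 512 "-" "{ua}"'
SAMPLE_LOG = [
    _line("192.0.2.10", f"Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; ELNSB50{TOKEN_A})"),
    _line("192.0.2.11", f"Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; ELNSB50{TOKEN_A})"),
    _line("192.0.2.20", f"Mozilla/4.0 (compatible; MSIE 5.0; Windows 95; ELNSB50{TOKEN_B})"),
    _line("192.0.2.30", "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"),
    _line("192.0.2.31", f"Mozilla/4.0 (compatible; MSIE 5.0; ELNSB50{TOKEN_A[:47]})"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
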
The allegations Monday threatened to ravage EarthLink’s new ad campaign,
a multi-million dollar effort designed to bring in customers with its
promise to provide a “totally anonymous Internet.”
In its TV spots, the company says unknown parties are “compiling your
information, invading your privacy. At EarthLink, we would never do that.”