Privacy Concerns and The CueCat

An anonymous reader sent us a story running over at cnet about the privacy issues with the CueCat. The article gives them a (somewhat undeserved) benefit of the doubt as it talks about various privacy groups being concerned about what DC is doing. Fortunately there are instructions online about how to modify the cat to disable its internal identification code (its not any more difficult then decrypting their split-invert-xor "Intellectual Property") by simply cutting one wire. Or you can just use one of the many free programs floating around. Oh, and since their server was cracked a few days ago, not only are they sniffing all this data, but crackers probably have a copy too. I would have been sick of this story weeks ago, but it just keeps getting funnier every time it pops up.

Re:How gullible do they think people are?

If all you want to track is whether a Cat came from Forbes/Wired/RadioShaft then you don't need a unique ID for each Cat. A simple (Forbes = 1 : Wired = 2 : RS = 3) ID is all that is necessary. All Forbes users would have an ID of 1, etc., and now there are no privacy concerns.

I don't think so. Yes, that would tell them which distributor that the user received theirs from, but nothing more. It doesn't tell them how many total users are using their CueCats. If 300k units were sent through Wired, how would they know who kept them, and who threw them away?

They would see, on their side, that 40k scans with Wired CueCats were made today. Is that 40k people, or one person scanning 40k items?

Re:What line to clip?

Detailed instructions are available from the Dissecting the CueCat [matrixpm.com] page.

I'm not sure, but I think there is a way to just flash the eeprom so it no longer sends out the ID. At least I think that's what this [tuwien.ac.at] does.

The (undiscussed) CueCat - TV connection

One of the other things in my CueCat box that came from Forbes was a "Convergence Cable". This little insidious piece of hardware hasn't gotten as much notice as the wonderfully hackable barcode reader and has just as much potential to wreak privacy havoc. If you're not familiar with this, the Convergence Cable is essentially an audio cable you're supposed to run from your TV's audio source into your line input jack on your PC. Their CueCat software will then pick up audio cues associated with TV shows and commercials and automatically drive your browser to an associated Web site. Now, not only do they know what magazines you're reading (and scanning), they know what TV shows you're watching. The utter lack of concern for and shameless exploitation of the technology illiterate in our society shown by this company is inexcusable. I sleep better at night knowing that since their cheesy little scheme has been unmasked, we won't have to wait long before they're out of business.

It IS easy to disable...

I found a link to a page called "Getting your CueCat declawed" ( http://matrixpm.com/~haveblue/cuecat/ ) at the Lineo CueCat site ( http://oss.lineo.com/cuecat/ ).

It's pretty simple, really:

Step one: Take out the four screws on the bottom of the scanner and pull the cover off, leaving the insides exposed.

Step two: Take off the four screws fastening the board to the plastic case and separate the board from the case.

Step three: Locate the S93C46 EEPROM on the bottom of the board. It's small, it has eight pins, and it should say "S93C4 6DV03 2704" (it's three lines, spaces indicate the line breaks). That's the chip that stores your serial number-- innocent-looking little bugger, isn't it?

Step four: Using whatever method you like, cut the connection right underneath the "4" in "2704". That is, if the "U5" on the circuit board is upside-down by the top-left corner of the chip, you want to cut the lower-left pin. I found that a small pair of wire clippers was actually sufficient to sever the connection-- use whatever you feel comfortable with.

Step five: put the damn thing back together again, and scan something. The serial number should come back as a repeating "BM5U". Congratulations, your :CueCat has been neutered.

Elapsed time: 10 minutes if you're clumsy like me and lose one of the screws. Less if you're good at this sort of stuff.

Have fun!

Digital Demographics

http://www.digitaldemographi cs.com/services/index.html [digitaldemographics.com]

The output of the device looks like this (after processing by the keyboard handler):

.C3nZC3nZC3nXE3b7DxjZCNnX.fHmc.C3DZC3nZC3f6ChjY.

The device sends an ALT-F10 first, which is apparently a signal that a scan follows. The next field is the serial number. The third is the barcode type, and the fourth is the barcode data. Fields are separated by periods.
Here is what the above scan looks like decoded:

000000002838610102 UPA 040000029311

This scan was of a UPC symbol on a bag of M&Ms. The output of the cuecat is scrambled using a modified base64 encoding. My software simply applies the inverse of the encoding. The Windows CRQ software does not itself process the scan data like this. It simply inverts the case of the scan and builds a URL using it. The basic form of the URL is as follows:

http://[SERVER].dcnv.com/CRQ/1..[ACTIVATION CODE].X.[SCANDATA].0

With the [SCANDATA] field broken out, it looks like this:

http://[SERVER].dcnv.com/CRQ/1..[ACTIVATION CODE].[X].[SERIAL NUMBER].[TYPE].[DATA].0

Here is an example, using the scan data from the M&Ms (try it):

http://t.dcnv.com/CRQ/1..ACTIVATIONCODE.04.c3Nzc3N zc3Nxe3B7dXJzcnNx.FhMC.c3dzc3Nzc3F6cHJy. 0 [dcnv.com]

My software perserves the serial number, but does not transmit an activation code; it actually substitutes the letters "ACTIVATIONCODE" where they should go. This is enough to prevent the tracking of scans, I think. In fact, their servers do not even check for the validity of the activation code.

Their Windows software asks a large number of demographic-defining questions before it actually installs the software. The answers are keyed to your "activation code," without which the Windows software will not work. But because they never do data validation server-side, you can still use their web servers without sending tracking data.

In a separate issue, their "registration database" was not a database (a plain text file, actually), and was stored at a publically accessible URL; they have since disallowed access to it from the internet:

http://net.c-me-register.com/Registrations/registr ations.txt

This is what the data looked like:

TS=09132000082913&FIRSTNAME=PETE&LASTNAME=PAGE&EMA IL=ppage@txisroads.com&ZIP=38834&GENDER= A&AGE=D&OPTIN=1&UID=Y0ZVY1QCZ7SGx2qHCoSf9g

TS=09132000082926&FIRSTNAME=frank&LASTNAME=kasica& EMAIL=fkasica@optonline.net&ZIP=08610-63 02&GENDER=A&AGE=F&OPTIN=1&UID=zRAzCaynOVkBS3XLZDyi NQ

TS=09132000082936&FIRSTNAME=claude&LASTNAME=perry& EMAIL=claude@telapex.com&ZIP=39601&GENDE R=A&AGE=H&OPTIN=1&UID=4Hacci4hfCygvJaWOCA7-A

... the last field ("UID") is presumably the activation code. This means it is trivial to match the weblogs on their servers with your profile data.

---- ----

so beware horror shows . .

\{monotone}

you are getting sleepy . . . . you will do as I say . . . you will turn on your computer . . . you will --oh, damn, you idiot, you're using windows, you will reboot . . .

Now, take out your cuecat . . . scan *all* your cd's [*chrotle*] . . . put it in the fishtank and scan your fish . . .

*ZZT*

\begin{plastic phony voice with excessive plastic surgery and stiff hair}

We interrupt this program to bring you a special report of idiots, believed to belong to a cult, who committed suicide tonight by putting electric devices in fishtanks. In related news, there is a special on exotic sushi at . . .

:)

Big differences, big dangers

Something the c|net article does not mention, and I wish more attention would be paid to it, is the use of the CC software to track user viewing habits in addition to barcodes.

The program sits there and listens to the audio feed of your TV. When it hears the CC sound, it takes you to the website, just like scanning a barcode does.

Now, take a look at the software - there thing uses user profiles (if you have them set up). Each person who uses the computer is encouraged to have thier own profile. So, when Mom sits down and scans stuff out of Family Circle, or watches LifetimeTV, or scans a bag of Gold Medal Flour - bingo! DC now knows this stuff. Dad watches ESPN, drinks Budweiser, and eats Guy's Potato Chips. Little Billy watches Nick Jr., drinks Hi-C, and enjoys Little Debbie sacky cakes. Now all those ads you see in print or on TV can be even MORE targeted. You simply change part of the CC-TV code to reflect the channel that is broadcasting it and you can watch the audience reaction to putting a commercial right at the highlight of the show - do they turn the channel? Do they just sit there and watch the commercials?

This is so orwellian in it's nature that I am happier now than ever that I don't run Windows and am not fooled into running CC's software.

Better yet, let's do this hypothetical situation: Pretend that I am a political candidate for the Silly Party. We put on our national convention. At the start of the broadcast, Joe Commentator comes on and says, "Turn on your Cue Cat software folks! The Silly Party will be sending you to various parts of the Silly Party platform during the presentation tonight."

Instantly, my minions at Silly Party HQ can start watching the audience reaction of the home viewers. Since I am using a teleprompter to give my lecture to the masses, it can be instantly changed and edited. The minions see me getting too many of the "angry white male" audience tuning away and returning to Monday Night Nitro? Simply insert political rhetoric aimed at them. Whoops! Now the latino population is tuning out! Better say something to keep them listening. And this can go on and on and on for the rest of the convention.

This just scares the crap out of me.

Vote Nader [votenader.org]

Re:SLASHDOT ARE VIOLATING MY PRIVACY!!!!

<humor>
Yes, Dodger, we know everything about you now, including that little pants-wetting episode when you were in kindergarten that you thought everyone forgot but was entered in your *permanent record* and is accessible to anyone who knows the serial number of your Intel PII and has a barcode scanner.
</humor>

- Robin

Re:Digital Demographics

I think Digital Convergence may soon change the rules.

For the moment, let's assume D.C. is not totally without clue, and that they are capable of reading the many Slashdot postings, and have been following many of the hacking pages. (No extra jokes about the size of this assumption -- as they say on Wall Street, "past performance is no guarantee of future performance.") They're obviously concerned, if they haven't yet thrown in the hacker towel.

The question is: What should they do about all of this rogue analysis?

I see a couple alternatives for them:

1. Do nothing. By doing nothing, they acknowledge that "unregistered users may use their database." They still capture some demographic info: product scanned & IP address, notably. It won't be tied to a specific user as well as the scanner ID, and it won't give them the name / gender / zipcode stuff they might want, but it's still valuable data as to "how much" is their scanner being used.
2. Block access to invalid serial numbers. It sounds like their desktop software is already complaining if it receives a "bad" serial number from a modified scanner. Their server could also perform such a check. Their server optionally could lookup the scanner number on a table, making sure that it's in a range of devices actually produced and not something like zero.
3. Block access to invalid activation codes. Their server could be modified to reject requests from activation codes that are not found on the database. This might have performance implications on their end, as well as denying themselves their free (as in beer) demographics.

Before D.C. runs off to implement 2 and 3 above, I would like to point out that both of these denial methods will be circumvented by hackers within an hour of being implemented.

A cursory glance at the serial numbers in a couple of units (as well as data gleaned from the web) shows that the serial number does not seem to incorporate any kind of checksum, so any random number passed by a browser would probably work today. However, their client software could be set up to reject scanner input coming from a modified scanner. Why do this? Mostly to annoy the people who went out and cut the trace to the ID chip. Of course, these people will simply go to Radio Shack and pick up another scanner, costing D.C. more money, but they could. At least they could claim their software won't be party to any hardware hacking.

The activation code would be the tough one for a hacker to derive. First, they could use something like a doubly-signed MD5 signed activation code. Take the activation code (aaa...a) and sign it with a key they'd be willing to hide in their Windows client software (SSSS). Then, sign the whole aaa...aSSSS with a secretly held key (kkkk) known only to their servers.
key format: aaaaaaaaaaaaaaaaSSSSkkkk
The client application can check the value SSSS to see if the activation code being entered was created by D.C. (or forged by someone who disassembled their code.) This would stop the casual AOL user from typing in all zeros for the activation code. The server, however, would be the ultimate arbiter of who gets served, and could be set to only honor requests from Officially Signed activation codes..

This one actually has an interesting side effect that could be a 'benefit' for D.C. -- if they consistently received an unissued activation code that was signed, but the server signature is not valid, they might use that as evidence that the code is coming from someone who has circumvented their program's activation code, violating the DMCA in the process. "Lookee here Miz Reno, we caught us a hacker!" The truly insidious part of this plot is that they could institute it immediately (as soon as the software is ready.) I am assuming that a company that avoids enough ethics to inform their users of the marketing purposes behind their "free" (as in beer) scanner would already have their software set up to perform automatic "upgrades" to itself. They download new software, generate new doubly signed activation codes, and wait for the flies to be drawn to their website.

So, the hackers will be reduced to using other peoples' activation codes. Not the end of the world for them, as long as they're not personally being tracked, kind of like using your mom's Grocery Shopper Saver barcoded keytag. Someone will eventually post a couple to the web, the "hackers" will pounce on them, and D.C. will shut them down until the next round is posted.

The final analysis? Going down the "denial" path means a never ending circle of hacker harrassment that NEVER ADDS A DIME TO D.C.'s BOTTOM LINE. I emphasize that because any countermeasures taken by D.C. can't actually gain them any more revenue or extra users, but only serve to embroil them in expensive lawsuits that some high-school kid will never pay in his lifetime anyway. Allowing the hacked units to continue to use their database gives them MOST of the demographic data they originally intended to collect. (Privacy wonks can still use the anonymizer to get their data if they're really paranoid, but most hackers using dialups are fine letting sites like this see their temporary IP address. It's effectively anonymous enough.)

I hope D.C. doesn't feel the need to wage war upon its "extra" customers. They already can't "win" it if they choose to fight, but they can certainly "lose" it.

John

The Church of the SubGenius [subgenius.com] -- because somebody had to put all that slack in there...

How gullible do they think people are?

From the CNet article:
"There is a unique ID within the CueCat so that we can see that some Cats came from Forbes and some came from Wired," said Dave Mathews, vice president of new product development at DigitalConvergence. "(But) individualized serial numbers are not designed to track individual behavior."

If all you want to track is whether a Cat came from Forbes/Wired/RadioShaft then you don't need a unique ID for each Cat. A simple (Forbes = 1 : Wired = 2 : RS = 3) ID is all that is necessary. All Forbes users would have an ID of 1, etc., and now there are no privacy concerns. I'm sorry, but these guys are inept from top to bottom: business model, data security, and PR. Everyone jump on FuckedCompany.com for this one, because DC probably won't last the year.

Dyking the wire

Sorry for Digital Convergance, but the firsst thing i did after i got a cuecat to play with was cut the wire and disable the ID.

Also, by using the Free drivers the ID is effectively disabled. I assume that DC was much more pissed about their data collection scheme being circumvented by the Linux software than by their 'Intellectual Property' being stolen.

Unfortunatly, a lot of companies collect such data (IE, blockbuster card, stop+shop discount card). Whenever you let someone identify you with a number for your own convenience your privacy is at risk.

I don't know what the fuss is about

<GRUMPINESS>Who cares what these people are doing with CueCat data? No one I know is inclined in the least to install the CueCat, much less use it to scan magazine bar codes. I think the idea comes from some marketing drone's graduate thesis, and s/he was lucky enough to find a company dumb enough to implement it. The .001% who actually use it deserve to have whatever passes for their personal lives invaded.</GRUMPINESS>

Re:How to disable cuecat id?

here's the link [matrixpm.com]
--

Re:How Microsoft can use this

I have a rather novel way of circumventing this diabolic scheme. It's called a zerox :) Barcodes are surprisingly easy to copy and surprisingly hard to secure. There are even barcode generator plugins available for many popular packages.

DC Lets you opt out of ID 'feature'

Per Digital Convergence's Privacy Policy [digitalconvergence.com]

Opt-Out Announcements and Notifications
For our members' benefit, we offer the ability to opt-out. Just say "No" to any offers we send you. At any time, you may request to be removed from Digital:Convergence's database and we will honor such a request

Wouldn't this be easier than hacking the hardware? The FTC has been pretty good about holding websites to their privacy policies, so assuming DC provides a way it can be independently verified, this sounds like a simple option.

Look who's talking.

The url of CNet's story(http://news.cnet.com/news/0-1005-200-2826868 .html?tag=st.ne.1002.tgif.ni) just makes me wonder: Isn't CNet also playing the "demographics" game? They could log where you are by you by your IP, your OS by your browser string, and other things.

Just goes to show how corruptly curious companies are getting this day in age.