The new policy comes just days after computer sleuth Richard Smith discovered the company was collecting records of responses to online postings without visitors' permission, potentially setting up the conditions for significant privacy invasion. "The issue raised by Richard Smith is indeed serious, and it has prompted us to make a change in how we track site usage," DejaNews President and Chief Executive Tom Philips wrote in a statement to reporters. "The unintentional result has been that when a user has clicked on the e-mail link in a discussion posting, we have recorded information about that link, including the intended recipient's e-mail address."
That much all agree on. But more controversial was DejaNews' tracking of the other half of the e-mail trail. By gathering senders' numeric Internet Protocol addresses, DejaNews potentially could know the identities of both sides of the electronic communication. In the case of users who had logged in to use site customisation, DejaNews knew immediately who was writing to whom and, presumably, what they were writing about, since the service specialises in tracking the Usenet electronic bulletin board service.
As it turned out, no one, including Smith, has suggested DejaNews actually wanted to assemble dossiers on others' communications. Rather, DejaNews officials say, they kept the logs to track how often people clicked on e-mail links to respond to others' postings, an important measure of the service's success.
Nonetheless, Smith contacted the service last week to warn DejaNews of other dangers the logs could pose. According to several recent news reports, civil litigants and federal agencies now routinely subpoena Internet services for records of users' activities. Divorce lawyers, in particular, have taken an interest in the logs, accounts say. "The issue I'm pounding on is the more information is collected by Web sites, the more interesting it will become to law enforcement," said Smith, who also is president of Phar Lap Software in the US. The e-mail tracking, he said, appeared to be done with much the same computer code the company uses to record when users click on another Web site address from the DejaNews service. As a result, he said, the e-mail records were almost certainly collected more by default than design.
"In the case of e-mail, [the e-mail logs are] particularly unnecessary," Smith said. "Overall, I think it's more in the category of a bug. They do want to monitor where traffic goes to Web sites, and it looks like e-mail addresses just got thrown in, too." Since DejaNews is a member of the TrustE industry group, it is required to post on its Web site a notice of any and all information it gathers from visitors. Though the company claims its practice of collecting e-mail addresses complied with the statement, Smith and other privacy advocates strongly disagreed. As a result, TrustE spokeswoman Anne Jennings said, the group will likely issue some sort of statement about the DejaNews flap this week.
Privacy advocate and Privacy Times Publisher Evan Hendricks praised DejaNews for its attention to the problem. "DejaNews has good instincts," Hendricks said. "When something stinks, they throw it out." He reiterated his call for more protections online and off, however. "How many times do we have to have invasion of privacy before we realise we need a national policy on this? I'm telling you this on the day [President Bill] Clinton is expected not to endorse [privacy] legislation but the goals of privacy legislation. This is no way to run a railroad."