Subliminal Mind Control &
Manipulation Archive Features

The C.R.Q. :Cue :Cat

archived 092400
Archive file# cue092400a
donated by KatMan

This is a two part article. The discovery by KatMan and his alerting this website to the Cue Cat about 3 weeks ago, caused us to start watching for material related to this 'latest' technology. KatMan states this is a major move towards the 'cashless' society, and to further that effort the Cue Cat is FREE.

Involved in the production and development of the Cue Cat were Digital Convergence of Dallas, Texas, Tandy Corporation of Forth Worth, Texas (through its Radio Shack divisions), Coca Cola, and others.

The next portion is a report on the Cue Cat by The Privacy Foundation.

The :CueCat Bar Code Reader

Privacy Foundation
September 22, 2000

Overview
Vendor Contact and Response
Detailed Problem Description
TV / Computer Interface
Privacy Policy


The Privacy Foundation publishes privacy advisories and special reports.


Overview
The Privacy Foundation recently completed a technical evaluation of the :CueCat bar code reader. This handheld device, which is similar in appearance to a computer mouse, is a product of Digital:Convergence Corp. of Dallas, Texas. Hundreds of thousands of these devices are currently being distributed free of charge to consumers through partner companies including Radio Shack, Wired magazine, and Forbes magazine. The company has announced plans to distribute 10 million devices by year-end 2000 and 50 million devices by year-end 2001.

The :CueCat is promoted as an easy way for consumers to visit Web sites on their PCs by scanning bar codes that have been included in catalogs, magazine articles, and printed advertisements. By using this device consumers no longer have to enter URLs in their browser to go to a Web site to learn more about a product, a service, or a particular subject.

The Privacy Foundation has serious privacy concerns about the product because the :CRQ software, which accompanies the :CueCat device, appears to transmit all of the information that Digital:Convergence would need in order to record every bar code that every user scans. This tracking feature of the :CRQ software could be used by the company to profile an individual user.

Profiling is typically used by Internet marketing companies to provide personalized ads targeted to an individual. The :CueCat tracking ability does not appear to be disclosed in the documentation or privacy policy that accompanies the product. In addition, there is no disclosure of what is currently being done with the bar code scan information once it arrives at the company.

Digital:Convergence states that individual users are not being tracked or profiled.

But even if the information is being used only in aggregrate form, or not at all, there is still the possibility in the future that bar code scanning information can be tied to individual users. This tying would require no changes with the :CRQ client-side software.

The tracking feature is made possible because a unique ID number is assigned to each user when they register their :CueCat with Digital:Convergence. This unique ID number is sent to Digital:Convergence servers along with a bar code number each time a bar code is scanned. This ID number was observed both by investigators with the Privacy Foundation and by other outside researchers. This ID number could be associated with personal information and demographic information that the user supplies during product registration.

We recommend that Digital:Convergence provide a patch that disables the ID number for current users. The company and its partners – including Radio Shack, Wired, and Forbes – should notify users of the existence of the tracking potential, and the availability of the patch to remove it. In addition, we recommend that future shipments of the product have the user ID number feature disabled.

In addition, the Privacy Foundation recommends that Digital:Convergence disclose more details to users about what information is being collected through the :CueCat system and how it will be used.

TOP OF PAGE



Vendor Contact and Response

Digital:Convergence was contacted on Sept. 18, 2000, and again on Sept. 21.

The Privacy Foundation expressed concern that the data transmitted by the :CRQ software could be used to record every scan of the :CueCat along with the personal information of its current user. Digital:Convergence acknowledged that a user ID is associated with each scan, but said that their current database breaks the link between a user's activation code and personal information (such as an email address), so that such tracking is not being done, nor is it contemplated.

We suggested modifications to the :CRQ software that would remove the possibility of user-specific tracking. Digital:Convergence indicated that they would consider modifying their data collection procedures and provide more disclosure. As soon as a new disclosure statement becomes available, we will link to it from this web site.

TOP OF PAGE


Detailed Problem Description

Installation of the :CRQ software includes a computer video promotion followed by a registration process that requires some personally identifiable information:

full name
email address
zip code
gender
age range

Registration is followed by a lengthy survey that includes questions about personal interests, computer and electronics equipment owned, Internet usage, and shopping habits. This survey can be skipped by a user. Once registration is completed, an activation code is sent to the user's email address. The :CueCat and software cannot be used without registering the product and receiving an activation code.

The Privacy Foundation examined the :CueCat device and the :CRQ software to determine the sorts of information transmitted from a user's PC to Digital:Convergence.

With a packet sniffer in place to monitor network connections made by a PC, we installed the :CRQ software and submitted both the registration and survey. Submission of the survey showed a network connection to crq.com with the following data being transmitted:

[Please note that portions of network traffic included in this report have been modified for illustrative purposes.]

12:01:35.535139 pc.example.com.1570 > beta1.crq.com.80: P 232:1050(818) ack 1 win 8280 (DF).lastname=Doe&firstname=John&email=
johndoe%40example.com&zip=80208
&gender=A&age=D&minorlastname=
&minorfirstname=&minoremail=
&travel=B&airline=B&tripcount=A&hotel=
A&rentalcar=E&movietype=B
&moviefreq=F&moviefood=F&tv=A&tvcount=
B&vcr=A&dvd=C&dvdwhen=
&hometheater=B&cable=A&satellite=
B&gamecenter=B&videofreq=F
&moviesbuy=D&musictype=B&musicformat=
B&cdwhere=C&radio=B&mp3=A
&booktype=CG&bookbuy=AF&bookcount=
D&mags=ABK&clubs=A&cdrom=B
&monitorsize=AB&scanner=A&printer=
A&processor=C&dcamera=A
&dcamerawhen=&stereospeakers=
A&onlinefreq=A&internetfor=ACD
&onlinebuy=A&onlinebuywhat=AE&home=
B&dineoutfreq=C&pizza=B
&pizzakind=&wine=B&winewhere=
A&coupons=A&trading=B&banking=A
&bills=B&profession=A&vitamins=
B&vitaminswhere=&vitaminskids=
&toyswho=A&toyswhere=B&toyskind=
C&makeuptype=&makeupbrand=
&makeupwhere=&hobby=G&sports=
BCD&education=E

The transmission above shows the user's personal information (John Doe, johndoe@example.com) being transmitted to the :CRQ server along with the results of about 60 consumer profile questions.

When the registration was completed another connection was made:

12:15:23.912215 pc.example.com.1140 >
beta1.crq.com.80
POST /confirm.cfm HTTP/1.1
firstname=John&lastname=Doe&email=
johndoe@example.com&zip=80208
&gender=A&age=D&OptIn=1&addButton=Register

The above transmission appears to confirm the registration and request that an activation code be sent to johndoe@example.com via email.

We received an activation code via email from digitalconvergence.com and plugged it into the prompt box that was presented when we first started the :CRQ software. After activation of the software, we noted changes to the Windows Registry that included our email address, activation code, and default browser:

[HKEY_LOCAL_MACHINE\Software\
DigitalConvergence.Com\CRQ\Users\John Doe]
"UserEmail"="johndoe@example.com"
"RegCode"="Qh98AlkowF6cRTHtDJEjWe"
"DefBrowserName"="Internet Explorer"

These transactions alone provide enough information to create a profile of personal information that can be linked to a globally unique ID (GUID) assigned by Digital:Convergence. This GUID, as we also found, is transmitted to Digital:Convergence with each and every bar code scanned using the :CueCat device.

The :CueCat bar code scanner connects to a PC by way of a cable that connects between the keyboard plug and the keyboard socket on the PC. The :CueCat scanner effectively "types" a product code received by the :CRQ software each time a bar code is scanned. The :CRQ software then includes the "typed" product code within an HTTP GET request to a Digital:Convergence server that, in turn, responds with a specialized Web address related to the product code.

We made a scan of one of the proprietary ":Cues" in Forbes magazine which was associated with an article about the National Gallery of Art. The :CRQ software subsequently made a network connection to a Digital:Convergence server.

21:01:35.888710 pc.example.com.1320 >
o.dcnv.com.80: P 1718746:1718855(109)
ack 342313744 win 7444 (DF)GET /CRQ/1..Qh98AlkowF6cRTHtDJEjWe.
04.c3Nzc3Nzc3NzdnN3d3d6cXNx.
AABi.Y2NgY2B k.0 HTTP/1.1
Host: o.dcnv.com

The server [see Note at end of advisory] responded with some data that pointed our Web browser to the address of the National Gallery of Art (http://www.nga.gov).

21:01:36.144731 o.dcnv.com.80
> pc.example.com.1328:
P 1:266(265) ack 109 win 8192
HTTP/1.1 200 OK
Date: Tue 12 Sep 2000 03:02:52
Expires: Tue 12 Sep 2000 03:03:01
Content-Length: 132
Content-Type: text/plain
cat=39
url=http://www.nga.gov
desc=BOW - Collecting Art Museums
char=0
img=
but=
ban=
tab=12,26,34
tas=39
fixed=1,2,50,20

We took a look at the encoded string that was sent in the request to Digital:Convergence. The entire string can be broken up into segments delineated by the periods. Four of these segments appeared to be particularly interesting. The first segment of the string (Qh98AlkowF6cRTHtDJEjWe) matched the GUID activation code used in setting up the :CRQ software. The third, fourth, and fifth segments were run through a :CueCat decoder written by Kevin Fowlks and published at FreshMeat.Net.

The third segment (c3Nzc3Nzc3NzdnN3d3d6cXNx) decoded to "000000000504449202", which is a serial number for the reader device itself. The fourth segment (AABi) decoded to "CC!", which identifies the type of bar code that has been scanned. In this case, it refers to a :CueCat bar code. The fifth segment (Y2NgY2Bk) is an encoded version of the bar code itself.

Scanning an ISBN bar code from a book (ISBN:045622900857) produced a similar transmission to Digital:Convergence with the following data in the request:

Qh98AlkowF6cRTHtDJEjWe.04.c3Nzc3Nzc3Nzdn
N3d3d6cXNx.FhMC.c3d2dXFxenNze3Z0.0

Again, the third segment of the data string remained unchanged. The fourth segment decoded to "UPA", a type of product code. The fifth segment decoded to the actual ISBN number of the book we scanned, "045622900857".

We conclude from this investigation that by distributing the :CueCat device and software, Digital:Convergence could collect not only the personal information provided via the registration and installation survey, but also a history of product bar codes that have been scanned by specific users. Furthermore, all of this personal information and bar code history data could be linked through the GUID activation code provided through Digital:Convergence.

Beyond this, we observed no further monitoring of a user’s Internet activities. In particular, we witnessed no clickstream monitoring and no use of cookies by the :CRQ software. Note, however, that the :CRQ software’s use of GUIDs would obviate the need for tracking cookies.

TOP OF PAGE


TV/ Computer Interface

A specialized cable is also provided with the :CueCat that can be used to connect the audio jacks from a user's TV to the sound card of the PC. Once this connection is made, the :CRQ software listens for special signals embedded within the audio of television programs and advertisements. These signals, in a manner similar to scanned bar codes, prompt the Web browser to load a specific address related to the program or advertisement viewed.

Due to the limited availability of :CueCat audio signals via television broadcasts, the Privacy Foundation was unable to comprehensively research this aspect of the :CRQ software. However, our technical review determined that the :CRQ software does indeed listen to the audio input ports attached to the computer's sound card. With the appropriate audio port connected to a TV or other audio source, the :CRQ software listens for special beeps that encode information comparable to a barcode.

Upon receiving such an "audio cue", the :CRQ software behaves much as if the user had manually scanned a barcode using the :CueCat. It transmits a request to the :CRQ server that includes the user's GUID activation code and a representation of the information in the audio cue. In response, the :CRQ server delivers information about an appropriate Web page.

In the configuration suggested by Digital:Convergence, the user connects a TV broadcast signal to the computer so that Web pages relevant to the viewed programming and advertisements are conveniently presented on the user's Web browser. This computer, connected to the Internet and the television, will quietly report to the :CRQ server whenever it hears an audio cue. Since no user intervention is required, such a computer could effectively become an in-house television tracking device for Digital:Convergence.

TOP OF PAGE


Privacy Policy

Digital:Convergence includes their privacy policy with the :CueCat product as well as on their Web site. The policy states, in more than one place, that Digital:Convergence "will never release your personal data to any third party to solicit you unless you have expressly elected to permit it."

However, the current privacy policy does not disclose why the software appears to track bar code scans by individual users. In addition, users are not told what happens to this data after it is sent to the Digital:Convergence servers.

At the Web site of a subsidiary, DigitalDemographics, the company promotes its ability to gather user data. This site provides information about the :CueCat product for advertisers and marketing partners. Here’s what the site has to say about the use of data collected from consumers:

http://www.digitaldemographics.com/services/index.html

"DigitalDemographics' parallel mission is to gather demographic and psychographic information from our :CRQ users, subscribers, and :CueCat device users. Our goal is two-fold.

The Privacy Foundation publishes privacy advisories and special reports.

The Privacy Foundation


Next Page
Subliminal Cues

Related Articles:
Bronfmans - Seagram Subliminal Programming
Jehovah Witnesses' Subliminal Covert Mind Control


Notice: TGS HiddenMysteries and/or the donor of this material may or may not agree with all the data or conclusions of this data. It is presented here 'as is' for your benefit and research.