Interesting People mailing list archives
IP: Radio Shack gives away barcode scanner, but is privacy compromised?Telecom Digest V2000 #53
From: Dave Farber <farber () cis upenn edu>
Date: Thu, 14 Sep 2000 21:21:34 -0400
Date: 14 Sep 2000 05:59:06 -0400
From: blackhole () handheld net
Subject: Radio Shack gives away barcode scanner, but is privacy compromised?

Radio Shack stores are handing out free barcode scanners in the shape of a cat to their customers. Rather than try to explain it further, I'll refer you to the maker's web page: http://www.getcat.com

The idea is that when you want more information on a product in the Radio Shack catalog, you scan a (rather odd, diagonal) barcode and it will take you right to a web page featuring that product. But in theory, you can also scan other kinds of barcodes (including the ubiquitous UPC code) and get to semi-relevant pages. Ironically, the device seems far more reliable when scanning regular UPC's than when scanning the codes in the Radio Shack catalog (but maybe that's just because I didn't scan them correctly).

There are, however, some non-obvious catches to this offer. The first is that in order to make the scanner work you have to install their software (they give you a CD, or you can download it at the above web site). The software seems quite large for what one would expect to be a glorified barcode scanner driver, coming in at over 3 and a half megs (that's the downloadable version; I did not try the CD).

But the real problem is that in order to actually use the software (and therefore the scanner), you have to go back to the company's Web site and register it. In doing this, you are asked for your name, e-mail address, and if I recall correctly, your age and gender. When you register, they e-mail you an activation code at the address you gave when you registered (thus they know that they at least have a valid e-mail address, assuming you're not using a "throwaway" e-mail account). So when you put the activation code into the software, from then on it knows exactly who you are. But it gets better.
Whenever you scan something, each scan actually sends three data items back through the keyboard port (encoded using a rather simplistic algorithm that has been explained on at least a couple of Web pages): A serial number that is unique to the scanner, a three-character code showing the type of barcode scanned (and for a free device, it seems to handle an amazing number of different types of codes), and the barcode data itself. So every time you scan something, it knows which scanner is being used and the activation code. I'm assuming all of this is then transmitted back to the company that made the thing, and then they serve up what they consider to be an appropriate Web page. Of course, the software installs itself into your startup menu, so it is always on while you are surfing the Web.

Now, when you register for that activation code, you get back an e-mail that has a Subject line of "DigitalConvergence License Agreement", and in the body of the message it states the following:

Please read the updated Licensee Agreement. Scroll to the end of this document to get your activation code.

:CRQ(TM) Software and :CueCat(TM) Reader Hardware License

Please read the following license agreement carefully before using this software or hardware as you are agreeing to be bound by the following terms and conditions of this license. You agree to the terms and conditions of this license by performing ANY OF THE FOLLOWING ACTIONS: (1) using the :CRQ software; (2) using the :CueCat reader (3) pressing the "agree" button below; OR (4) printing out a copy of the agreement, signing the agreement and returning a copy to Digital:Convergence(TM). If you do not agree to the terms and conditions of this license, do not press the "agree" button or engage in any of the foregoing acts.

Not all actions may be available with each copy of this agreement.

[..... No fooling, there is certainly no "agree" button in this e-mail! .....]

Copyright

:CRQ and :CueCat are trademarks of DigitalConvergence.:com Inc. Copyright 1999-2000 DigitalConvergence.:com Inc. All rights reserved.

License

This is a license, not a sales agreement, between you, the end user, and DigitalConvergence.:com Inc. ("Digital:Convergence"). The software, documentation and any fonts accompanying this License whether on disk, in read only memory, on any other media or in any other form (the ":CRQ software") are licensed to you by Digital:Convergence. The :CRQ software and any copies made and/or distributed under this License are subject to this License. The :CueCat reader is licensed to you by Digital:Convergence. The :CueCat reader distributed under this License is subject to this License.

[..... Whoa... LICENSED to me? No, it was GIVEN to me by a Radio Shack store employee, who did not even bother to take any of my personal information when I balked at giving my address .....]

Digital:Convergence retains all title to and ownership of the Software and reserves all rights not expressly granted to you. All rights, title, interest, and all copyrights in and to the software, documentation, and any copy made by you remain with Digital:Convergence.

Permitted Uses and Restrictions

This License allows you to install and use the :CueCat reader and :CRQ software on a single computer at a time. This License does not allow the :CRQ software to exist on more than one computer at a time. You may use the Software only on a stand-alone basis, such that the Software and the functions it provides are accessible only to persons who are physically present at the location of the computer on which the Software is loaded. You may not allow the Software or its functions to be accessed remotely, or transmit all or any portion of the Software through any network or communication line.
You may make one copy of the :CRQ software in machine-readable form for backup purposes only in support of your use of the Software on a single computer, provided that you reproduce on the copy all copyright and other proprietary rights notices included on the originals of the Software. The backup copy must include all copyright information contained on the original. You acknowledge that the Software and :CueCat reader contain trade secrets and other proprietary information of Digital:Convergence and its licensors. Except as expressly permitted in this License, you may not decompile, reverse engineer, disassemble, modify, rent, lease, loan, sublicense, distribute or create derivative works based upon the :CRQ software or :CueCat reader in whole or part or transmit the :CRQ software over a network or from one computer to another. The :CueCat reader is only on loan to you from Digital:Convergence and may be recalled at any time. Without limiting the foregoing, your possession or control of the :CueCat reader does not transfer any right, title or interest to you in the :CueCat reader. Except as expressly permitted in this License, you may not reverse engineer, disassemble, modify, rent, lease, loan, sublicense, or distribute the :CueCat reader. In any event, you will notify Digital:Convergence of any information derived from reverse engineering or such other activities, and the results thereof will constitute the confidential information of Digital:Convergence that may be used only in connection with the Software and :CueCat reader. Your rights under this License will terminate automatically without notice from Digital:Convergence if you fail to comply with any term(s) of this License.

[... End of excerpt from the agreement. After this there is the usual "Disclaimer of Warranty" on both the software and the reader, followed by a "Limitation of Liability", some more legalese, and finally they give you your unique activation code.]
I apologize for the long quotes, but did you notice that buried in there was this startling revelation: "The :CueCat reader is only on loan to you from Digital:Convergence and may be recalled at any time." And that was surrounded by all sorts of language saying what you may not do (any kind of reverse engineering, etc.). The problem is, they have it all backwards. As I say, I was handed this device by a store employee, and I never agreed to a thing, in particular not that the device was "on loan" to me and also not that I would not reverse engineer it (not that I could if I wanted to, I'm just making the point here). After I read this I did not use their software, not even once, simply because I did not want to do anything that some judge might construe as me "agreeing" with the above nonsense. I don't agree to a word of it.

So already, you have the following risks. You have a piece of software running on your system (if you go ahead and run it) that knows every single item you scan (wonder how many people scan the barcode on their driver's license just to see what happens?), knows your personal activation code, and knows exactly which scanner you are using (because of the unique serial number). And perhaps you may give additional information at some point while using this product. That can all be collected and stored. Also this software seems pretty bloated by my way of thinking, I really wonder what it does that makes it take up so much real estate on the user's hard drive. And, since "you may not decompile, reverse engineer, disassemble ..." the software, there's really no easy way of knowing what sort of information it's sending out - is it limiting itself to sending just the output of the scanner, or does it include any personal data? In theory a program that large could have some routines to track all your web surfing, though I must emphasize that I have absolutely NO evidence that anything like that is taking place (remember, I did not use their software, because I do not agree to their license).

Now you may be thinking, well, I'll just get the free scanner, throw their software away, and never apply for an activation code. You can do that, but the company takes a very dim view of it. While they may not be able to claim that the scanner is "on loan" to you under those circumstances (well, they can claim it but I for one will laugh heartily), they seem to be trying to do everything in their power to make sure that the scanner is useless to you unless you install their software. It is relatively simple to write software to convert the information sent by the scanner to plain text (WITHOUT reverse engineering their software) and several people have done so, but every time DigitalConvergence gets wind of it, they have their lawyers send a nasty letter containing threats. These have deterred some folks, but not others. In my opinion - and I Am Not A Lawyer - if you don't use their software (and don't in some other way affirmatively agree to the terms of their license), they REALLY don't have a leg to stand on, since Radio Shack doesn't make you agree to anything when they give you the device.

Since this isn't a technical discussion list, I'll stop there, but if you want more details of the "nuts and bolts" of this device (including ways to turn it into something useful without running the supplied software), type "CueCat" (no space) into a search server like DogPile, or into DejaNews' Usenet search and you will find quite a few links. Another good starting point is at http://www.logorrhea.com/cuecat/mirrors.html. But if you find any software you like, I'd grab it now before the lawyers discover the site.
By the way, the best Windows software I have found on the web is called "catnip" (look for a file called "catnip.zip", 25,811 bytes in length, it's sort of like a Windows driver for the device that lets you scan barcodes into any application that accepts text input. I did not write it and I don't take any responsibility for it, so I'm not going to say any more about it than that).

Given the widespread distribution of this device, I am really surprised that the privacy implications (not to mention the absurd license agreement) seem to have been ignored by most of the major computer media, but then Radio Shack does buy a lot of advertising. Considering how slow the media usually is to react to a story, I expect this might be a hot topic in maybe 2 or 3 months. :-)

But in my opinion, Radio Shack ought to be ashamed of itself for distributing a device like this with such a ridiculous license attached - they know that a good percentage of their customers are techie-types (otherwise they would not sell electronic components), many of whom are not going to be able to resist the urge to poke, prod, and play with this thing in ways not originally intended by the manufacturer. Not only that, but the stupid license agreement probably keeps a lot of people from even trying out the included software. I for one would love to see what kind of web sites it would whisk me away to if I scanned various items, but not at the expense of my privacy!

Any bets on whether these barcodes will be found in *next* year's Radio Shack catalog?

O.B. Telecom-related: The first part of the Radio Shack Catalog (probably the first 70 pages or so) is all telephone-related gear. I haven't had a Shack catalog in several years and was quite surprised at the level of sophistication of the phone equipment they're selling now.
They're still not in the category of a "Hello Direct" or similar company, and I have no idea how competitive their prices are, but if you need phone gear you just may be surprised at what they do offer now.

P.S. Since the Digest is echoed to Usenet, the return e-mail address really is a "black hole" that will either bounce e-mail or just eat it 99.99% of the time. If you have something significant to add to what I've said, please do so via the Digest.

- --
The Telecom Digest is currently robomoderated. Please mail messages to editor () telecom-digest org.
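The privacy point in the message above, that every scan carries the scanner's unique serial next to the barcode, can be seen by decoding the keyboard output directly. This is an added example, not part of the original post: the alphabet and XOR constant are taken from public CueCat write-ups rather than from the message, and the scan lines, serials and barcodes are constructed sample values.

```python
# Added illustration: alphabet and XOR key come from public CueCat
# write-ups, not from the message. All scan lines below are constructed.
from collections import defaultdict

ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-")
XOR_KEY = 0x43  # ASCII 'C'

def decode_field(field):
    """Decode one dot-delimited field: custom base64, then XOR each byte."""
    acc = nbits = 0
    out = bytearray()
    for ch in field:
        acc = ((acc << 6) | ALPHABET.index(ch)) & 0xFFFF
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append(((acc >> nbits) & 0xFF) ^ XOR_KEY)
    # Leftover bits of a short final group are dropped (assumption).
    return out.decode("ascii")

def parse_scan(line):
    """Split '.serial.type.data.' and decode the three items."""
    parts = line.strip().split(".")
    if len(parts) != 5 or parts[0] or parts[-1]:
        raise ValueError("not a CueCat scan line")
    serial, kind, data = (decode_field(p) for p in parts[1:4])
    return {"serial": serial, "type": kind, "barcode": data}

def link_by_serial(lines):
    """Group scans by device serial: what a collector could correlate."""
    seen = defaultdict(list)
    for line in lines:
        scan = parse_scan(line)
        seen[scan["serial"]].append((scan["type"], scan["barcode"]))
    return dict(seen)

# Constructed keyboard output: two scans from one scanner, one from another.
SCANS = [
    "." + "C3nZ" * 6 + ".fHmc.C3jXChD2Dxr7ENn2.",
    "." + "CNjY" * 6 + ".fHmc.C3jXChD2Dxr7ENn2.",
    "." + "C3nZ" * 6 + ".fHmc.C3nZC3nZC3nZC3nZ.",
]

if __name__ == "__main__":
    for serial, items in link_by_serial(SCANS).items():
        print(serial, items)
```

Grouping by the decoded serial shows that scans from one device are linkable to each other without any registration data; the activation code described in the message would add the user's identity on top of that.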
Current thread:
- IP: Radio Shack gives away barcode scanner, but is privacy compromised?Telecom Digest V2000 #53 Dave Farber (Sep 14)