IP: Radio Shack gives away barcode scanner, but is privacy compromised?Telecom Digest V2000 #53

[Dave Farber <farber () cis upenn edu>]

> Date: 14 Sep 2000 05:59:06 -0400
> From: blackhole () handheld net
> Subject: Radio Shack gives away barcode scanner, but is privacy compromised?
>
> Radio Shack stores are handing out free barcode scanners in the shape of a 
> cat to their customers.  Rather than try to explain it further, I'll refer 
> you to the maker's web page:
> http://www.getcat.com
>
> The idea is that when you want more information on a product in the Radio 
> Shack catalog, you scan a (rather odd, diagonal) barcode and it will take 
> you right to a web page featuring that product.  But in theory, you can 
> also scan other kinds of barcodes (including the ubiquitous UPC code) and 
> get to semi-relevant pages.  Ironically, the device seems far more 
> reliable when scanning regular UPC's than when scanning the codes in the 
> Radio Shack catalog (but maybe that's just because I didn't scan them 
> correctly).
>
> There are, however, some non-obvious catches to this offer.  The first is 
> that in order to make the scanner work you have to install their software 
> (they give you a CD, or you can download it at the above web site).  The 
> software seems quite large for what one would expect to be a glorified 
> barcode scanner driver, coming in at over 3 and a half megs (that's the 
> downloadable version; I did not try the CD).  But the real problem is that 
> in order to actually use the software (and therefore the scanner), you 
> have to go back to the company's Web site and register it.  In doing this, 
> you are asked for your name, e-mail address, and if I recall correctly, 
> your age and gender.  When you register, they e-mail you an activation 
> code at the address you gave when you registered (thus they know that they 
> at least have a valid e-mail address, assuming you're not using a 
> "throwaway" e-mail account).
>
> So when you put the activation code into the software, from then on it 
> knows exactly who you are.  But it gets better.  Whenever you scan 
> something, each scan actually sends three data items back through the 
> keyboard port (encoded using a rather simplistic algorithm that has been 
> explained on at least a couple of Web pages):  A serial number that is 
> unique to the scanner, a three-character code showing the type of barcode 
> scanned (and for a free device, it seems to handle an amazing number of 
> different types of codes), and the barcode data itself.  So every time you 
> scan something, it knows which scanner is being used and the activation 
> code.  I'm assuming all of this is then transmitted back to the company 
> that made the thing, and then they serve up what they consider to be an 
> appropriate Web page.  Of course, the software installs itself into your 
> startup menu, so it is always on while you are surfing the Web.
>
> Now, when you register for that activation code, you get back an e-mail 
> that has a Subject line of "DigitalConvergence License Agreement", and in 
> the body of the message it states the following:
>
> > Please read the updated Licensee Agreement. Scroll to the end of this 
> document to get your activation code.
> > :CRQ(TM) Software and :CueCat(TM) Reader Hardware License
> >
> > Please read the following license agreement carefully before using this 
> software or hardware as you are agreeing to be bound by the following 
> terms and conditions of this license.  You agree to the terms and 
> conditions of this license by performing ANY OF THE FOLLOWING ACTIONS: 
> (1) using the :CRQ software; (2) using the :CueCat reader (3) pressing 
> the "agree" button below; OR (4) printing out a copy of the agreement, 
> signing the agreement and returning a copy to 
> Digital:Convergence(TM).  If you do not agree to the terms and conditions 
> of this license, do not press the "agree" button or engage in any of the 
> foregoing acts.
> > Not all actions may be available with each copy of this agreement.
>
> [..... No fooling, there is certainly no "agree" button in this e-mail! .....]
>
> > Copyright
> >
> > :CRQ and :CueCat  are trademarks of DigitalConvergence.:com Inc. 
> Copyright 1999-2000 DigitalConvergence.:com Inc. All rights reserved.
> > License
> >
> > This is a license, not a sales agreement, between you, the end user, and
> > DigitalConvergence.:com Inc. ("Digital:Convergence").
> >
> > The software, documentation and any fonts accompanying this License 
> whether on disk, in read only memory, on any other media or in any other 
> form (the ":CRQ software") are licensed to you by Digital:Convergence. 
> The :CRQ software and any copies made and/or distributed under this 
> License are
> > subject to this License.
> >
> > The :CueCat reader is licensed to you by Digital:Convergence.  The 
> :CueCat reader distributed under this License is subject to this License.
>
> [..... Whoa... LICENSED to me?  No, it was GIVEN to me by a Radio Shack 
> store employee, who did not even bother to take any of my personal 
> information when I balked at giving my address .....]
>
> > Digital:Convergence retains all title to and ownership of the Software 
> and reserves all rights not expressly granted to you. All rights, title, 
> interest, and all
> > copyrights in and to the software, documentation, and any copy made by 
> you remain with Digital:Convergence.
> > Permitted Uses and Restrictions
> >
> > This License allows you to install and use the :CueCat reader and :CRQ 
> software on a single computer at a time. This License does not allow the 
> :CRQ software to exist on more than one computer at a time. You may use 
> the Software only on a stand-alone basis, such that the Software and the 
> functions it provides are accessible only to persons who are physically 
> present at the location of the computer on which the Software is loaded. 
> You may not allow the Software or its functions to be accessed remotely, 
> or transmit all or any portion of the Software through any network or 
> communication line. You may make one copy of the :CRQ software in 
> machine-readable form for backup purposes only in support of your use of 
> the Software on a single computer, provided that you reproduce on the 
> copy all copyright and other proprietary rights notices included on the 
> originals of the Software. The backup copy must include all copyright 
> information contained on the original. You acknowledge that !
> the!
> > Software and :CueCat reader contain trade secrets and other proprietary 
> information of Digital:Convergence and its licensors. Except as expressly 
> permitted in this License, you may not decompile, reverse engineer, 
> disassemble, modify, rent, lease, loan, sublicense, distribute or create 
> derivative works based upon the :CRQ software or :CueCat reader in whole 
> or part or transmit the :CRQ software over a network or from one computer 
> to another. The :CueCat reader is only on loan to you from 
> Digital:Convergence and may be recalled at any time. Without limiting the 
> foregoing, your possession or control of the :CueCat reader does not 
> transfer any right, title or interest to you in the :CueCat reader. 
> Except as expressly permitted in this License, you may not reverse 
> engineer, disassemble, modify, rent, lease, loan, sublicense, or 
> distribute the :CueCat reader.  In any event, you will notify 
> Digital:Convergence of any information derived from reverse engineering 
> or such other act!
> ivi!
> > ties, and the results thereof will constitute the confidential 
> information of Digital:Convergence that  may be used only in connection 
> with the Software and :CueCat reader. Your rights under this License will 
> terminate automatically without notice from Digital:Convergence if you 
> fail to comply with any term(s) of this License.
>
> [... End of excerpt from the agreement.  After this there is the usual 
> "Disclaimer of Warranty" on both the software and the reader, followed by 
> a "Limitation of Liability", some more legalese, and finally they give you 
> your unique activation code.]
>
> I apologize for the long quotes, but did you notice that buried in there 
> was this startling revelation:  "The :CueCat reader is only on loan to you 
> from Digital:Convergence and may be recalled at any time."  And that was 
> surrounded by all sorts of language saying what you may not do (any kind 
> of reverse engineering, etc.).  The problem is, they have it all 
> backwards.  As I say, I was handed this device by a store employee, and I 
> never agreed to a thing, in particular not that the device was "on loan" 
> to me and also not that I would not reverse engineer it (not that I could 
> if I wanted to, I'm just making the point here).  After I read this I did 
> not use their software, not even once, simply because I did not want to do 
> anything that some judge might construe as me "agreeing" with the above 
> nonsense.  I don't agree to a word of it.
>
> So already, you have the following risks.  You have a piece of software 
> running on your system (if you go ahead and run it) that knows every 
> single item you scan (wonder how many people scan the barcode on their 
> driver's license just to see what happens?), knows your personal 
> activation code, and knows exactly which scanner you are using (because of 
> the unique serial number).  And perhaps you may give additional 
> information at some point while using this product.  That can all be 
> collected and stored.  Also this software seems pretty bloated by my way 
> of thinking, I really wonder what it does that makes it take up so much 
> real estate on the user's hard drive.  And, since "you may not decompile, 
> reverse engineer, disassemble ..." the software, there's really no easy 
> way of knowing what sort of information it's sending out - is it limiting 
> itself to sending just the output of the scanner, or does it include any 
> personal data?  In theory a program that large could have some rou!
> tines
> to track all your web surfing, though I must emphasize that I have 
> absolutely NO evidence that anything like that is taking place (remember, 
> I did not use their software, because I do not agree to their license).
>
> Now you may be thinking, well, I'll just get the free scanner, throw their 
> software away, and never apply for an activation code.  You can do that, 
> but the company takes a very dim view of it.  While they may not be able 
> to claim that the scanner is "on loan" to you under those circumstances 
> (well, they can claim it but I for one will laugh heartily), they seem to 
> be trying to do everything in their power to make sure that the scanner is 
> useless to you unless you install their software.  It is relatively simple 
> to write software to convert the information sent by the scanner to plain 
> text (WITHOUT reverse engineering their software) and several people have 
> done so, but every time DigitalConvergence gets wind of it, they have 
> their lawyers send a nasty letter containing threats.  These have deterred 
> some folks, but not others.
>
> In my opinion - and I Am Not A Lawyer - if you don't use their software 
> (and don't in some other way affirmatively agree to the terms of their 
> license), they REALLY don't have a leg to stand on, since Radio Shack 
> doesn't make you agree to anything when they give you the device.
>
> Since this isn't a technical discussion list, I'll stop there, but if you 
> want more details of the "nuts and bolts" of this device (including ways 
> to turn it into something useful without running the supplied software), 
> type "CueCat" (no space) into a search server like DogPile, or into 
> DejaNews' Usenet search and you will find quite a few links.  Another good 
> starting point is at http://www.logorrhea.com/cuecat/mirrors.html.  But if 
> you find any software you like, I'd grab it now before the lawyers 
> discover the site.  By the way, the best Windows software I have found on 
> the web is called "catnip" (look for a file called "catnip.zip", 25,811 
> bytes in length, it's sort of like a Windows driver for the device that 
> lets you scan barcodes into any application that accepts text input.  I 
> did not write it and I don't take any responsibility for it, so I'm not 
> going to say any more about it than that).
>
> Given the widespread distribution of this device, I am really surprised 
> that the privacy implications (not to mention the absurd license 
> agreement) seem to have been ignored by most of the major computer media, 
> but then Radio Shack does buy a lot of advertising.  Considering how slow 
> the media usually is to react to a story, I expect this might be a hot 
> topic in maybe 2 or 3 months.  :-)  But in my opinion, Radio Shack ought 
> to be ashamed of itself for distributing a device like this with such a 
> ridiculous license attached - they know that a good percentage of their 
> customers are techie-types (otherwise they would not sell electronic 
> components), many of whom are not going to be able to resist the urge to 
> poke, prod, and play with this thing in ways not originally intended by 
> the manufacturer.  Not only that, but the stupid license agreement 
> probably keeps a lot of people from even trying out the included 
> software.  I for one would love to see what kind of web sites it would!
>  whisk
>  me away to if I scanned various items, but not at the expense of my privacy!
>
> Any bets on whether these barcodes will be found in *next* year's Radio 
> Shack catalog?
>
> O.B. Telecom-related:  The first part of the Radio Shack Catalog (probably 
> the first 70 pages or so) is all telephone-related gear.  I haven't had a 
> Shack catalog in several years and was quite surprised at the level of 
> sophistication of the phone equipment they're selling now. They're still 
> not in the category of a "Hello Direct" or similar company, and I have no 
> idea how competitive their prices are, but if you need phone gear you just 
> may be surprised at what they do offer now.
>
> P.S. Since the Digest is echoed to Usenet, the return e-mail address 
> really is a "black hole" that will either bounce e-mail or just eat it 
> 99.99% of the time.  If you have something significant to add to what I've 
> said, please do so via the Digest.
> - --
> The Telecom Digest is currently robomoderated. Please mail
> messages to >messages to editor () telecom-digest org.