IP: Radio Shack gives away barcode scanner, but is privacy compromised?Telecom Digest V2000 #53

[Dave Farber <farber@cis.upenn.edu>]

>Date: 14 Sep 2000 05:59:06 -0400
>From: blackhole@handheld.net
>Subject: Radio Shack gives away barcode scanner, but is privacy compromised?
>
>Radio Shack stores are handing out free barcode scanners in the shape of a 
>cat to their customers.  Rather than try to explain it further, I'll refer 
>you to the maker's web page:
>http://www.getcat.com
>
>The idea is that when you want more information on a product in the Radio 
>Shack catalog, you scan a (rather odd, diagonal) barcode and it will take 
>you right to a web page featuring that product.  But in theory, you can 
>also scan other kinds of barcodes (including the ubiquitous UPC code) and 
>get to semi-relevant pages.  Ironically, the device seems far more 
>reliable when scanning regular UPC's than when scanning the codes in the 
>Radio Shack catalog (but maybe that's just because I didn't scan them 
>correctly).
>
>There are, however, some non-obvious catches to this offer.  The first is 
>that in order to make the scanner work you have to install their software 
>(they give you a CD, or you can download it at the above web site).  The 
>software seems quite large for what one would expect to be a glorified 
>barcode scanner driver, coming in at over 3 and a half megs (that's the 
>downloadable version; I did not try the CD).  But the real problem is that 
>in order to actually use the software (and therefore the scanner), you 
>have to go back to the company's Web site and register it.  In doing this, 
>you are asked for your name, e-mail address, and if I recall correctly, 
>your age and gender.  When you register, they e-mail you an activation 
>code at the address you gave when you registered (thus they know that they 
>at least have a valid e-mail address, assuming you're not using a 
>"throwaway" e-mail account).
>
>So when you put the activation code into the software, from then on it 
>knows exactly who you are.  But it gets better.  Whenever you scan 
>something, each scan actually sends three data items back through the 
>keyboard port (encoded using a rather simplistic algorithm that has been 
>explained on at least a couple of Web pages):  A serial number that is 
>unique to the scanner, a three-character code showing the type of barcode 
>scanned (and for a free device, it seems to handle an amazing number of 
>different types of codes), and the barcode data itself.  So every time you 
>scan something, it knows which scanner is being used and the activation 
>code.  I'm assuming all of this is then transmitted back to the company 
>that made the thing, and then they serve up what they consider to be an 
>appropriate Web page.  Of course, the software installs itself into your 
>startup menu, so it is always on while you are surfing the Web.
>
>Now, when you register for that activation code, you get back an e-mail 
>that has a Subject line of "DigitalConvergence License Agreement", and in 
>the body of the message it states the following:
>
> >Please read the updated Licensee Agreement. Scroll to the end of this 
> document to get your activation code.
> >
> >
> >:CRQ(TM) Software and :CueCat(TM) Reader Hardware License
> >
> >Please read the following license agreement carefully before using this 
> software or hardware as you are agreeing to be bound by the following 
> terms and conditions of this license.  You agree to the terms and 
> conditions of this license by performing ANY OF THE FOLLOWING ACTIONS: 
> (1) using the :CRQ software; (2) using the :CueCat reader (3) pressing 
> the "agree" button below; OR (4) printing out a copy of the agreement, 
> signing the agreement and returning a copy to 
> Digital:Convergence(TM).  If you do not agree to the terms and conditions 
> of this license, do not press the "agree" button or engage in any of the 
> foregoing acts.
> >
> >Not all actions may be available with each copy of this agreement.
>
>[..... No fooling, there is certainly no "agree" button in this e-mail! .....]
>
> >Copyright
> >
> >:CRQ and :CueCat  are trademarks of DigitalConvergence.:com Inc. 
> Copyright 1999-2000 DigitalConvergence.:com Inc. All rights reserved.
> >
> >License
> >
> >This is a license, not a sales agreement, between you, the end user, and
> >DigitalConvergence.:com Inc. ("Digital:Convergence").
> >
> >The software, documentation and any fonts accompanying this License 
> whether on disk, in read only memory, on any other media or in any other 
> form (the ":CRQ software") are licensed to you by Digital:Convergence. 
> The :CRQ software and any copies made and/or distributed under this 
> License are
> >subject to this License.
> >
> >The :CueCat reader is licensed to you by Digital:Convergence.  The 
> :CueCat reader distributed under this License is subject to this License.
>
>[..... Whoa... LICENSED to me?  No, it was GIVEN to me by a Radio Shack 
>store employee, who did not even bother to take any of my personal 
>information when I balked at giving my address .....]
>
> >Digital:Convergence retains all title to and ownership of the Software 
> and reserves all rights not expressly granted to you. All rights, title, 
> interest, and all
> >copyrights in and to the software, documentation, and any copy made by 
> you remain with Digital:Convergence.
> >
> >Permitted Uses and Restrictions
> >
> >This License allows you to install and use the :CueCat reader and :CRQ 
> software on a single computer at a time. This License does not allow the 
> :CRQ software to exist on more than one computer at a time. You may use 
> the Software only on a stand-alone basis, such that the Software and the 
> functions it provides are accessible only to persons who are physically 
> present at the location of the computer on which the Software is loaded. 
> You may not allow the Software or its functions to be accessed remotely, 
> or transmit all or any portion of the Software through any network or 
> communication line. You may make one copy of the :CRQ software in 
> machine-readable form for backup purposes only in support of your use of 
> the Software on a single computer, provided that you reproduce on the 
> copy all copyright and other proprietary rights notices included on the 
> originals of the Software. The backup copy must include all copyright 
> information contained on the original. You acknowledge that !
>the!
> > Software and :CueCat reader contain trade secrets and other proprietary 
> information of Digital:Convergence and its licensors. Except as expressly 
> permitted in this License, you may not decompile, reverse engineer, 
> disassemble, modify, rent, lease, loan, sublicense, distribute or create 
> derivative works based upon the :CRQ software or :CueCat reader in whole 
> or part or transmit the :CRQ software over a network or from one computer 
> to another. The :CueCat reader is only on loan to you from 
> Digital:Convergence and may be recalled at any time. Without limiting the 
> foregoing, your possession or control of the :CueCat reader does not 
> transfer any right, title or interest to you in the :CueCat reader. 
> Except as expressly permitted in this License, you may not reverse 
> engineer, disassemble, modify, rent, lease, loan, sublicense, or 
> distribute the :CueCat reader.  In any event, you will notify 
> Digital:Convergence of any information derived from reverse engineering 
> or such other act!
>ivi!
> >ties, and the results thereof will constitute the confidential 
> information of Digital:Convergence that  may be used only in connection 
> with the Software and :CueCat reader. Your rights under this License will 
> terminate automatically without notice from Digital:Convergence if you 
> fail to comply with any term(s) of this License.
>
>[... End of excerpt from the agreement.  After this there is the usual 
>"Disclaimer of Warranty" on both the software and the reader, followed by 
>a "Limitation of Liability", some more legalese, and finally they give you 
>your unique activation code.]
>
>I apologize for the long quotes, but did you notice that buried in there 
>was this startling revelation:  "The :CueCat reader is only on loan to you 
>from Digital:Convergence and may be recalled at any time."  And that was 
>surrounded by all sorts of language saying what you may not do (any kind 
>of reverse engineering, etc.).  The problem is, they have it all 
>backwards.  As I say, I was handed this device by a store employee, and I 
>never agreed to a thing, in particular not that the device was "on loan" 
>to me and also not that I would not reverse engineer it (not that I could 
>if I wanted to, I'm just making the point here).  After I read this I did 
>not use their software, not even once, simply because I did not want to do 
>anything that some judge might construe as me "agreeing" with the above 
>nonsense.  I don't agree to a word of it.
>
>So already, you have the following risks.  You have a piece of software 
>running on your system (if you go ahead and run it) that knows every 
>single item you scan (wonder how many people scan the barcode on their 
>driver's license just to see what happens?), knows your personal 
>activation code, and knows exactly which scanner you are using (because of 
>the unique serial number).  And perhaps you may give additional 
>information at some point while using this product.  That can all be 
>collected and stored.  Also this software seems pretty bloated by my way 
>of thinking, I really wonder what it does that makes it take up so much 
>real estate on the user's hard drive.  And, since "you may not decompile, 
>reverse engineer, disassemble ..." the software, there's really no easy 
>way of knowing what sort of information it's sending out - is it limiting 
>itself to sending just the output of the scanner, or does it include any 
>personal data?  In theory a program that large could have some rou!
>tines
>to track all your web surfing, though I must emphasize that I have 
>absolutely NO evidence that anything like that is taking place (remember, 
>I did not use their software, because I do not agree to their license).
>
>Now you may be thinking, well, I'll just get the free scanner, throw their 
>software away, and never apply for an activation code.  You can do that, 
>but the company takes a very dim view of it.  While they may not be able 
>to claim that the scanner is "on loan" to you under those circumstances 
>(well, they can claim it but I for one will laugh heartily), they seem to 
>be trying to do everything in their power to make sure that the scanner is 
>useless to you unless you install their software.  It is relatively simple 
>to write software to convert the information sent by the scanner to plain 
>text (WITHOUT reverse engineering their software) and several people have 
>done so, but every time DigitalConvergence gets wind of it, they have 
>their lawyers send a nasty letter containing threats.  These have deterred 
>some folks, but not others.
>
>In my opinion - and I Am Not A Lawyer - if you don't use their software 
>(and don't in some other way affirmatively agree to the terms of their 
>license), they REALLY don't have a leg to stand on, since Radio Shack 
>doesn't make you agree to anything when they give you the device.
>
>Since this isn't a technical discussion list, I'll stop there, but if you 
>want more details of the "nuts and bolts" of this device (including ways 
>to turn it into something useful without running the supplied software), 
>type "CueCat" (no space) into a search server like DogPile, or into 
>DejaNews' Usenet search and you will find quite a few links.  Another good 
>starting point is at http://www.logorrhea.com/cuecat/mirrors.html.  But if 
>you find any software you like, I'd grab it now before the lawyers 
>discover the site.  By the way, the best Windows software I have found on 
>the web is called "catnip" (look for a file called "catnip.zip", 25,811 
>bytes in length, it's sort of like a Windows driver for the device that 
>lets you scan barcodes into any application that accepts text input.  I 
>did not write it and I don't take any responsibility for it, so I'm not 
>going to say any more about it than that).
>
>Given the widespread distribution of this device, I am really surprised 
>that the privacy implications (not to mention the absurd license 
>agreement) seem to have been ignored by most of the major computer media, 
>but then Radio Shack does buy a lot of advertising.  Considering how slow 
>the media usually is to react to a story, I expect this might be a hot 
>topic in maybe 2 or 3 months.  :-)  But in my opinion, Radio Shack ought 
>to be ashamed of itself for distributing a device like this with such a 
>ridiculous license attached - they know that a good percentage of their 
>customers are techie-types (otherwise they would not sell electronic 
>components), many of whom are not going to be able to resist the urge to 
>poke, prod, and play with this thing in ways not originally intended by 
>the manufacturer.  Not only that, but the stupid license agreement 
>probably keeps a lot of people from even trying out the included 
>software.  I for one would love to see what kind of web sites it would!
>  whisk
>  me away to if I scanned various items, but not at the expense of my privacy!
>
>Any bets on whether these barcodes will be found in *next* year's Radio 
>Shack catalog?
>
>O.B. Telecom-related:  The first part of the Radio Shack Catalog (probably 
>the first 70 pages or so) is all telephone-related gear.  I haven't had a 
>Shack catalog in several years and was quite surprised at the level of 
>sophistication of the phone equipment they're selling now. They're still 
>not in the category of a "Hello Direct" or similar company, and I have no 
>idea how competitive their prices are, but if you need phone gear you just 
>may be surprised at what they do offer now.
>
>P.S. Since the Digest is echoed to Usenet, the return e-mail address 
>really is a "black hole" that will either bounce e-mail or just eat it 
>99.99% of the time.  If you have something significant to add to what I've 
>said, please do so via the Digest.
>- --
>The Telecom Digest is currently robomoderated. Please mail
>messages to >messages to editor@telecom-digest.org.