3:00 a.m. 11.Nov.1999 PST
It lies at the center of several major privacy breakdowns affecting millions of Internet users. It hides in the digital gears of software from Windows to music software to Web site code.
It is a simple number known as the global unique identifier, or GUID. And it has repeatedly been exposed as a culprit in Internet privacy misdeeds.
Most recently, the unique identifier in RealJukebox music software helped land RealNetworks in a privacy brouhaha, which culminated Wednesday in a class action lawsuit against the company.
What is this little number? And why is it the bad actor in so many e-privacy breaches?
The GUID -- like its predecessor, the cookie -- is a network tool used to detect when machines and their users come and go to networks and dot-com addresses.
The numbers let Web sites address users as individuals. But when they're misused, these electronic tattoos are the accomplices that make it possible to collect personal data without users' knowledge.
Experts on both sides of the e-privacy debate agree that it's not the simple use of unique IDs that matters. It's how they're used.
"The GUID is a 32-character string based [usually] on an IP address," explained guid.org's Thomas Shields, a GUID expert and a consultant to companies on using them for Internet advertising.
"Basically what I'm trying to do is generate a random number so that two people won't get the same number."
The numbers can be derived from typically unique numbers, such as those associated with Ethernet hardware numbers or numerical Internet addresses. Whether the resulting GUID can be traced back to a computer or Internet address depends on the randomization process used to create it.
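To make the hardware-based versus random distinction concrete, here is an added example (not part of the original article) that inspects identifiers for an embedded Ethernet address. It assumes the GUIDs follow the standard UUID layout parsed by Python's `uuid` module; the sample identifiers and the `inspect_guid` helper are constructed for illustration.

```python
import uuid
from datetime import datetime, timezone

# 100-nanosecond ticks between the UUID epoch (1582-10-15) and the Unix epoch.
GREGORIAN_OFFSET = 0x01B21DD213814000

# Constructed sample identifiers, not taken from any real product or user.
SAMPLES = {
    "hardware_based": "1b4e28ba-2fa1-11d2-883f-001122334455",
    "time_random_node": "1b4e28ba-2fa1-11d2-883f-0b1122334455",
    "fully_random": "9f1c2d3e-4b5a-4c6d-8e7f-0a1b2c3d4e5f",
}

def inspect_guid(text):
    """Report what a GUID in standard UUID layout reveals about its origin."""
    u = uuid.UUID(text)
    report = {"version": u.version, "mac": None, "created": None}
    if u.version != 1:
        # Version 4 identifiers are random bits: nothing to trace back.
        return report
    # Version 1 embeds the creation time as a 60-bit tick count.
    seconds = (u.time - GREGORIAN_OFFSET) / 1e7
    report["created"] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    # The last 48 bits are the node. A real Ethernet address has the
    # multicast bit (lowest bit of the first octet) clear; generators
    # without a hardware address set it and fill the rest with random bits.
    first_octet = u.node >> 40
    if first_octet & 1 == 0:
        report["mac"] = ":".join(
            f"{(u.node >> shift) & 0xFF:02x}" for shift in range(40, -8, -8)
        )
    return report

def traceable(text):
    """True when the identifier carries a recoverable hardware address."""
    return inspect_guid(text)["mac"] is not None

if __name__ == "__main__":
    for label, guid in SAMPLES.items():
        print(label, guid, inspect_guid(guid))
```

A privacy review can run a check like this over identifiers found in documents, cookies or request logs to flag the ones that expose a machine's network card and creation time.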
But whether hardware-based or totally random in nature, the unique identifier is a must for most Web companies offering services to users.
"It's an issue of business models," said Rusty Zainoulline, president and founder of Washington-based WireMusix. "As a content provider, you're trying to make money off of people accessing content. That entails tracking some information. The GUID helps you to keep track of your customer."
The Electronic Tattoo To-do
"People have the wrong impression that GUIDs in and of themselves are bad," said Microsoft spokeswoman Melissa Covelli. "That's not the case at all, because GUIDs are necessary in order to reference documents over a network, or get information to the right people over a network."
Where things go wrong is when a GUID becomes the key in a secondary, often-hidden process that ties the unique ID to other information, such as site registration information, that personally identifies each user.
When that happens, Web sites can follow users around the Net by name -- without their knowledge -- and even link them to offline databases.
"The problem [in the RealNetworks case] is that they require users to divulge their private information, such as an email address, at the point the user downloads the music player," Zainoulline said. "They are asking for a piece of your private information."
If you can identify an online user, you can associate that user with all manner of offline information, said consultant Shields. The sole purpose for some Web businesses is to obtain that name.
"Every time you sign up for a sweepstakes online the mission is to get a name to associate with a GUID," he said.
"A GUID is anonymous -- you can never match that back to a name -- whereas an email and a name and a ZIP are personally identifiable. You can go back and associate that information with a person."
That's when an innocent GUID gathered during user registration becomes more than just a number.
So what's the fix?
With or without GUIDs or user registration, privacy advocates favor fair information practices that control the use of personal data and, importantly, inform users about how their data could be compromised.
That is far from the norm today. But Austin Hill, president of anonymous Internet service company Zero-Knowledge Systems, points out that there are positive privacy models on the Web.
But there's a difference.
"Amazon is very clear about what they do, and they're using it to refer you books. As you browse around they're learning about what you're doing and where you're going. [The data] will be used in a profile, but it's done [with] openness and honesty," Hill said.
Amazon's privacy page describes very clearly the mechanism it uses to make recommendations to one user based on the preferences of others:
"For Purchase Circles, we group the items we send to particular ZIP and postal codes, and the items ordered from each domain name," the page reads. "We then aggregate this anonymous data and apply an algorithm that constructs bestseller lists of items that are more popular with each specific group than with the general population. None of the data is associated with any individual's name."
Amazon also offers users the chance to opt out of sharing their personal preferences.
If such policies were universal, the whole issue of GUIDs and privacy would change, for both companies and consumers, Hill said.
Basically, the GUID would be no big deal.
"There wouldn't be any outrage about using a GUID if practices were done within the realm of fair information practices, where you have notice and disclosure and access. Because there is a lot of value in this."
By contrast, the surreptitious use of GUIDs -- intentional or not -- by companies like Microsoft and RealNetworks will continue to be frowned upon, Hill said.
Fair information practices are espoused by many privacy watchdogs and would provide the basis for universal good behavior on the Net.
Fair information policies typically lay out principles of openness and user consent. All records and databanks of personal data would be public and accessible by any individual. As Amazon does, sites would spell out the purpose and use of the data they gather. They would also allow users to correct or remove erroneous information.
Zainoulline and others basically endorse the idea.
"Providers have to make it more clear to customers who come to their Web sites that any form of registration can result in the capture of private information," Zainoulline said. "It just has to be on a consensus basis."
To Simson Garfinkel, author of the forthcoming book on electronic privacy, Database Nation, there's only one way to bring companies around. That's the rule of law.
"We need to pass laws to protect privacy in the 21st century -- in the same way we needed to pass laws to protect the environment in this century," Garfinkel said. "Nobody believes we could protect the environment without laws. I believe the same thing will be true of privacy in the next century."
Hill said it's time for companies to wake up to the fact that privacy concerns will not go away and that they could stand in the way of ubiquitous e-commerce.
"Companies are just out of touch with how key privacy is to their user base," he said. "A relationship [with customers] isn't built by putting a camera over someone's shoulder."