Photo credit: Lance Cottrell - President of Anonymizer.com - Photo by: Declan McCullagh (c)
Full text transcript of interview with Lance Cottrell, President of Anonymizer
Robin Good: Hello everyone, here is Robin Good, live from Rome in Italy and on the other side of the ocean today I have with me Lance Cottrell, who is the president of a company that creates software that allows you to hide or protect your identity on the internet. Good morning, Lance! Where are you connecting from?
Lance Cottrell: Good morning, I'm connecting from San Diego.
RG: Great, and do you want to tell us a little bit about your company and what exactly you do over there?
Lance Cottrell: Anonymizer has been in business for ten years and we provide tools and services that allow people to use the internet without being tracked or identified as they're going out there, so you can have access to any kind of information or content or discussion groups without the possibility of being identified.
RG: Why would a normal person want to do that in the first place?
Lance Cottrell: There are a lot of reasons why people would want to be concerned about their privacy online. I mean, people are unaware of just how much information is being gathered about them on a continuing basis.
So that when you're going out to websites, almost every website you're going to is gathering personal information about you, logging your activities, which pages you look at. Advertising networks can track you across thousands of different websites at a time. But even things like resume websites will actually take your personal information and resell it.
You can subscribe to find out at any time one of your employees has used one of these so you know who is looking for another job and potentially start looking for a replacement.
RG: But how are these sites and services that you have mentioned able to collect this information, and what information exactly do they collect from you or your computer?
Lance Cottrell: There's a couple of different technologies that the websites can use to track you. The first and probably the best known is through cookies. When you visit a website, they'll place a small piece of data on your computer, called a cookie that your computer then returns every time you go back to that website.
The second and more difficult method to deal with is by IP address tracking. So the IP address is kind of like the phone number of your computer, it is unique to your individual computer across the entire internet. And if you're on any kind of a broadband connection, it's probably static, it changes either never or very infrequently and any computer you're connecting to across the internet can see that address and then can use that as an activity that they're watching.
So, they can see certainly where you are in the world, what kind of computer you've got, what ISP you're using, the headers will usually show the last websites you were at, and if you've got a presence across many websites, and advertising sites for example have it across thousands and thousands of websites, you could watch that activity as it evolves. And because storage is getting so cheap these days, this information is really kept forever.
There's no reason for these people to delete it, so data that they collected five or six years ago is still in the databases and will still be in the databases in twenty years.
RG: But what is the main application and use for the data that is being collected out of many unaware normal users on the internet?
Lance Cottrell: Most of the data collection is not for nefarious or evil purposes. Most of the data that's being collected is being collected for marketing purposes. So companies want to know who you are, where you're going, what you're looking at, what kind of stories in a news site were interesting to you, what products you tend to buy, that kind of thing. But we see a lot of other applications.
For example, companies will use clicking, and the ability to identify you to uniquely target sales to you. So if you show a propensity to buy, say, high-priced flowers and nice vases online, then when you go back to those websites, you will never see the inexpensive options anymore.
They'll automatically remove them and only show you things that are kind of the top-end of your buying range and up. So in fact, anonymous visitors, people who have never been to the site, get a much better deal, a much better price, a much better offering than loyal customers.
But of course the same technologies are being used by criminals, the phishers and the pharming websites to try to collect information to try to identify promising targets and perpetrate things like identity theft, not to mention things like repressive regimes of government, which are actively using this to repress dissent and to restrict access to information.
RG: So is it legal for companies to display specific pages, or let's say customized pages, depending on who is connecting to that website?
Lance Cottrell: Certainly there's a huge diversity of laws around the world. I'm not aware of any country in which it is illegal to customize the content of a webpage based on the visitor and I've certainly studied this the most within the U.S., but we see a lot of websites that will target based on the city or the state or the country that you're living in.
We've seen hotel prices or air fares which are literally hundreds of dollars different if you're coming from the U.S. rather than, for example, coming from Europe.
RG: So you're basically saying that depending on my IP originating address, websites are able to detect what type of user I am, where I am coming from, maybe what other sites I've seen, and can therefore serve me a page that would maximize their profit according to my profile? Am I understanding this correctly?
Lance Cottrell: Yeah, that's absolutely correct. They're trying to identify, you know, what's your socio-economic status, what are your likely buying habits? If they can identify you by group that's good. If they can identify you individually and your personal buying habits, obviously that allows even more fine-grained tailoring.
We see the same thing in a lot of contexts, not just with commercial-types of websites, but we'll see this also with media and propaganda.
For example the Al Jazeera website, which is an Arabic news outlet which has targeting based on language and geography.
So if you're coming out of the United States, you get one version of the website, the website's in English and it is fairly western oriented, very palatable to a western audience, there's nothing too radical, there's nothing anti-Semitic. If you go to the same website from the Middle East, it is in Arabic, and the content is completely different.
The articles are different, the pictures are different, the editorial is different. It is a night and day different website, and it's really just trying to tailor the content to the audience and spin it for each different region.
RG: What is your take on this media approach? Is it okay? Are you fine with it or not?
Lance Cottrell: I think it's a matter of informed consent and awareness on the part of the user.
A lot of people feel that when they go to a website they're seeing "the website," as though that is a singular entity and everyone sees the same website, whereas the reality is the internet is not a flat surface, it doesn't look the same from all angles, so when you're coming in from one place it looks very different from another, so it becomes very difficult to get a sense of what real is.
You may want to go to Al Jazeera to understand, you know, why are people in this country reacting the way they are? You may want to look at the media and understand what they're reading and why they're thinking the way they are, but in fact you're not seeing what they're seeing, you're seeing something completely different.
We see the same kind of thing often in a competitive intelligence context.
One company will be wanting to look at another company's website to understand what are their products, what's their pricing, how are they positioning things.
Well, if the competitor is being clever, and we're seeing a lot of this, they'll actually set up their website to push wrong information or planted false tailored information just to their competitors. So when the competitor comes in they'll see prices that are maybe 30% higher than they really are as a way to try and trick them to price their products too high for the competitive landscape.
RG: But that would be too simple to bypass, I mean the moment that I am doing competitive intelligence, and if I do that as a professional I probably know about this then I just don't connect from my company headquarters and the problem is solved. Or am I too naïve on this?
Lance Cottrell: Well, there's a bit of a problem of scaling. If you've got a large company, you've got dozens of people in a marketing department that are pretty much continually doing competitive research. It's awkward to send them all home or to send them to Starbucks to use Wi-Fi every time they want to do competitive intelligence.
But often, the data collection is on a much larger scale. We've worked with airlines that are wanting to compare their prices on every single link that they have. So, every pair of cities that they fly at every single time, and as you know, the prices change so frequently, they want to look at it today, tomorrow, next week, next month, so a huge number of different variables.
They may be trying to pull down 100,000 data points every day, and that's certainly not something you can just do from home and providing services that enable you to hide that kind of enterprise level very high volume data-gathering is one of our specialties at the commercial level.
RG: Okay, I get you and it does make good sense. Just out of curiosity, would you ever name a company that does that publicly or would you protect their name?
Lance Cottrell: Most of the companies that we've become aware of that are doing these kinds of practices, we've become aware of because either a customer of ours is involved or it's a competitor of a customer of ours, and normally we have non-disclosure agreements that force us to stay quiet.
But in general the travel industry is very active in this, so the big airlines, the hotel chains, rental cars, we've seen though the same kind of things in other areas that you may not expect. We've seen it in things as mundane as car tire sales, where they're doing competitive intelligence and blocking each other and trying to prevent people from doing comparison shopping within a store, saying, "I've got a coupon for. I saw online a price for a tire at this cost that you say you will match that price."
When the sales clerk tries to verify that that's what it says online, they're unable to get the answer, or they're getting a wrong answer and causing a lot of conflict. So, we see this in a lot of different areas, and then there are people with different concerns.
For example, we do a lot of work with law firms, and if you're involved in a litigation, in a lawsuit of some kind, you may be very concerned that you don't tip your hand and give a hint to the other side of what your strategy is, what your focus is going to be, what kind of evidence you may be presenting. And if they can see you, they'll say the website of the company you are suing, you may be giving them a lot of information about your plans.
RG: Very clear. So, let me ask you something. I imagine that your software then would enable individuals or organizations to not appear to be coming from where they're actually coming from, and so it would enable them to go and visit these sites that would otherwise be serving some kind of fake or hoax content and bypass the whole problem. Is that what one of your flagship products, called Anonymous Surfing, does?
Lance Cottrell: That's right. Anonymous Surfing is really our consumer product. What we have on the enterprise side that allows you to protect whole corporate networks is actually called our Enterprise Chameleon. But that's really what these products do.
They allow you to ensure that you get access to the sites, and that you're not being blocked because of who you are or where you are.
Second, you're able to get accurate information and that means it's not being tailored to you specifically, and if they're doing geographic targeting, we can enable you to go and visit these sites from a variety of different locations around the world.
So you can appear to be coming from the U.S., from Europe, Eastern Europe, Asia, the Middle East, Africa, and really come in and see the same website from many different directions. You can appear to be using, you know, different languages, and therefore see all the different variants of the website, or the pricing that the group may be putting out.
RG: Can I specify from which country exactly I would be connecting from? Or, I have a preset range of regions of the world that the software provides me as a choice?
Lance Cottrell: That's one of the big differences between the consumer product and the enterprise product. The consumer product, all of the traffic will appear to be originating from within the United States. With the enterprise product, you specify as a customer - you request from us which countries you want to have the traffic to be able to originate from. And we provide a little plug-in which actually gives a drop-down that allows you to pick which country you want the traffic to be originating from.
RG: From how many do I get to choose?
Lance Cottrell: The number of countries and which countries is really just a matter of your requirements and the price is based on the cost of internet services in those countries, because the traffic actually does originate from those countries, and so we have points of presence in all the countries we provide these services in.
RG: So, let's make it a little more pragmatic. If I want to be able to connect to a certain website and appear as if I am always connecting from Italy, but often, I am in different countries, but I would like to appear as if I was connecting from Italy, I want to know: what is the software tool that you are selling that allows me to do that? How much does it cost? How many more countries than Italy can I plug in?
Lance Cottrell: It's very difficult to give a single quote because this is really an enterprise level product and there's an awful lot of variables in terms of number of users, types of applications you're using, and all of the different countries can have very different prices.
The cost of doing business in Japan is several times the cost of doing business in say Western Europe, so it's hard to put in a specific quote, but for those services for small groups now, if you just have a few people, or one or two people that you have to protect, we actually have some client software that people can install, and that typically runs a couple hundred dollars a year for those capabilities.
RG: Well I'm not clear if those $200 will allow me to set it up so that I appear to be connecting from Italy wherever I am, but I assume so, and you correct me if that is not the case. Let's then move forward, as I think on the front of being able to get a lot of control on where I'm connecting from, you seem to be serving very well the enterprise and organizations while maybe other solutions may be more appropriate for the individual and the solo user. But you have lots of other interesting things that I want to ask you about, and one relates for example to IPTV.
Today we've seen a lot of television or telcos actually moving to television over the internet playground. And some of them offering service where via broadband you can access on-demand live shows or recorded ones. Now much of this is geographically based, so it doesn't allow people when they're traveling to watch what they've paid for.
Would again your software enable me, or again I am mis-positioning you as you're really more of a corporate supplier in this type of personal use gets out of your main focus?
Lance Cottrell: I think with the broadband TV, and we haven't really done much research with that, I suspect that there would be problems with latency just because of the geographical dispersions. So when you're trying to pull down these very high speed broadband feeds there may be issues with being able to get that through our service half way around the world. But it's actually not something we've done any experimenting with to date.
We're really primarily focused on the privacy aspects as opposed to evading restrictions on where you can access certain content. But I think that's certainly one of those areas that we're starting to see where people are trying to restrict or target content based on geography and as those services become more common, we'll certainly be adjusting and tailoring our product offerings and solutions to address those needs as they arise.
RG: But it's curious you say you're really focused on providing privacy because I am very naïve on the issue certainly. I know nothing about the whole story and I'm here humbly trying to learn something and to share it with the people listening to this podcast or reading this article.
Now, if you allow me to circumvent systems set up by Al Jazeera or the travel agency or airline to get into what they don't want to show me it seems that I'm trying to circumvent certain restrictions or limitations they place there and not in any way trying to protect my privacy.
I know that this is the reverse side of the coin, but so I am enticed to learn, and know more and better from you in which ways exactly the software Anonymizer develops and distributes really enhances and augments my ability to protect my privacy.
Lance Cottrell: I think it's important to sort of consider the consumer offerings and the enterprise offerings differently, because the sets of concerns and the kinds of privacy that the two groups are looking to protect are frequently at odds.
With the consumer services the primary issue is normally personal identification. When you're going out on the internet let's say you're running a blog site, and we've all seen a lot of articles lately that people have gotten fired, when they've been identified for being involved with a blog that may be critical of their employer's business.
People like that would then be using our products to allow them to manage their blog or read research information by accessing internet resources without being identified, ensuring that they can do these things anonymously. In fact we've done some projects based off our consumer technologies where we provide capabilities that protect the citizens of Iran and we've also done work in China, to protect those citizens against censorship and monitoring by their own government.
So those are the kinds of things we're looking at in the consumer product - making sure that you can't be tracked.
The consumer product also protects you against phishing attacks and pharming attacks, and comes with supporting software for managing cookies and tracking information on your computer and our anti-spyware product all really work together to try and allow you to manage when and how your personal information and your identity and records of your internet activities can be recorded and used by third parties.
RG: Great, that clarifies it a lot and I must acknowledge that you did clarify that at the beginning but I kind of had temporarily forgotten about your clear explanation of that. And indeed I do agree that the two markets may have different uses.
It appears though that the corporate one doesn't seem to be really protecting privacy issues, but really having internal fights and its members working at finding the best way to trick each other into not understanding what is going on; that's what I see.
So I see a little more clean-cut panorama on the consumer side and a little more mashed-up or ambiguous one on the enterprise side as there exists both sides of the coin at play there.
Good. So I would like you to give me a brief summary to conclude this conversation on the key differences again between the anonymous surfing package and the one destined to the organizations and large institutions.
That is the focus of my interest, the anonymous surfing, being anonymous. So I would like you, Lance, to briefly summarize the key features and the differences, maybe also in cost, of these two different software solutions you are offering to the market.
Lance Cottrell: The consumer services are aimed at identity protection, so as an individual, when you're going out on the internet, making sure that you are personally protected.
And, a lot of the threats there, some of the pricing threats that we talked about, getting targeted pricing based on who you are or where you live, retaliation for you know, blogs and personal opinions, making it so people feel free to express themselves and then protecting them against certain types of attacks: against the spyware and the phishing and pharming, the identity theft kinds of situations.
In the corporate environment we're really trying to achieve two things. The first is we want people to be able to use the internet without being watched by their competitors. So in the old days, if you wanted to do research on a competitor you'd go down to the library and in the library you'd find their filings with the government stock exchange and the SCC filings.
You'd find marketing materials, you might go look at the ads they have in magazines. It's anonymous when you're doing that. The company you're researching has no visibility that you're doing these things. If you do the equivalent of the research things online, offline you would go to a store, walk the aisles, see how they're presenting their products, how they're pricing them. In real life they can't see you doing that.
But if you go to their website and you look at their prices and you look at their products, they're watching every step you take, every action you take, and so the privacy aspect is making sure we bring to the online world the same privacy and anonymity in research that you have offline, so that you're not giving away your strategy or your plans or the focus of attention to your competitors.
And then the second aspect of that is when you're going out there, making sure that you're getting the accurate information, that you're not being spoofed, that they're not feeding you wrong prices based on who you are. And, some of the enterprise solutions are really targeted around those high-speed queries.
So when you're doing 100,000 queries a day, taking that and spreading across thousands of IP addresses so no one IP address is doing more than say 10 queries a day so you don't raise flags about these activities. But it's really...people think about the internet being anonymous because when they're sitting at home surfing the net they don't see anyone watching them.
And when they go to the corner store, everyone knows them; they feel that that's not anonymous.
But from a different view, if you're looking at databases and tracking and how that data's used, the fact that the cashier at the corner store knows you never makes it into a database.
There's no selling and reselling of that information, whereas the visit to the website is absolutely being tracked and monitored and resold and that data has a tremendous commercial value to these people.
And so, that's what we're trying to bring is those kinds of privacies and bring it to the online kind of privacy and anonymity of research in action that you, sort of, take for granted in the offline world.
RG: Excellent explanation. I must say that what you pointed out at the beginning, that this ability to acknowledge and say out front "What am I viewing?" and "What are the alternatives?" or "What information is being hidden from me?", would be the best way to go about this rather than having to hide oneself or to tweak pages to serve different information.
I think that the road to transparency, though very ideal, it would be one that suits me best if I had to state my opinion, but I do understand there are major issues and interests at play, and that things are not as simple as in novels. So, I just wanted to point out that the ability for information not to be hidden may in certain cases actually provide lots of value.
When Amazon or another online store helps me find out and discover better music or books or films because other people like me have chosen that, I'm all for sharing that information, and I think in many cases the collecting of this data happens on a large pool of people and numbers and not by identifying Robin Good in Rome versus this or that other guy.
But again, I understand that things are not as clean-cut and I would like to thank you very much for all this information because you did very little marketing and a lot of clearing on things that for you are absolutely elementary, but to many people still are not very clear.
So I really appreciate the patience and your availability to cover these topics and I leave the microphone to you for closing remarks, URLs, invitations, whatever you have.
From Robin Good, live in Rome, this is all for today with Lance Cottrell of Anonymizer. Over to you Lance!
Lance Cottrell: Thanks very much. It was absolutely my pleasure talking to you, and certainly I agree with you that a lot of information gathering is a value, and it's useful to have people do that.
But it's important that people be in control of it, and be able to decide when they want their information to be gathered and when they don't. And I'd invite people to come by and take a look at our website. It's www.anonymizer.com, and that's spelled A-N-O-N-Y-M-I-Z-E-R.
We have been providing this service for ten years, and I think that it's very important to empower people to choose so it's not something that is imposed on them.
But people CAN control when they want to be anonymous and when they want to be identified and take advantage of that.