Spy on Yourself

"Wow," my hacker friend Mason breathed as he looked at my computer monitor. "That's really horrendously fucking evil."

He was responding to the sight of my account with Root Vaults (root.net), a web service with hazy goals but an interesting tool: If you sign up and download a plug-in for Firefox, Root Vaults will record your entire clickstream. When I go anywhere or click on anything online, the plug-in records it and sends the data to my account at Root Vaults. A nifty graphical interface shows me what sites I visited, including the most popular ones, as well as what I searched for on both Google and Yahoo.

Since I was just testing Root Vaults, I tried to search for important things like "horse porn" and "cute kitties." As a result, my clickstream looked sort of like this: www.xxxpower.net (the clickstream from this one yielded some interesting results, as it appears some scamster was trying to make it look like I was clicking on the ads on the site, even though I wasn't); www.cuteoverload.com (too bad Root Vaults couldn't measure my utter joy in looking at this site packed with a zillion cute animals); www.pussy.org; www.kittenwar.com.

Now imagine that I spent all week sending my clickstream to Root Vaults. Instead of seeing searches I don't normally do (well, OK, sometimes I do search for cute kitties), I'd have a record of everything I'd wanted to see and everything I did see. Seth Goldstein, inventor of Root Vaults, calls it the "record of your attention," and he wants to sell it.

Like Google, Claria and dozens of other companies that record what you do online, Root Vaults doesn't quite have a business model for all the data it's aggregating. Right now Goldstein uses the information he's gathered to sell "leads" to mortgage and insurance companies looking for people whose clickstream makes them seem like good prospects. Later he might use all the consumer data in Root Vaults to sell companies information about who clicks on what and when. Or maybe he'll try to sell futures in consumers by claiming he's got a batch of people whose attention data show they're on the cusp of buying something big because they've been visiting ConsumerReports.org and trolling Shopper.com.

Unlike its sister companies, Root Vaults is letting users see the data it collects. That's why I don't entirely agree with Mason's damning assessment of the service. Certainly clickstream snooping is a privacy invasion, but what's worse is that it's something few people understand. For example, when you download the toolbars from Google, Yahoo or Microsoft, each one sends the very same kind of data that Root Vaults collects right back to its mother company. So if you want to know how much Yahoo! knows about you, sign up for Root Vaults, watch your clickstream get recorded and find out.

Goldstein is excited about this idea. As a founder of Attention Trust, a nonprofit whose goal is to regulate the clickstream-tracking industry, he's intrigued by the idea of corporate scruples in a space that's best known for spyware. "This tool could be for self-education," he enthuses. "The same way "Fast Food Nation" taught us what we're really eating, Root Vaults could teach you what kind of data companies are really gathering about you."

You'll be truly weirded out to discover how easy it is for a tiny little browser plug-in to send every online move you make to a third party. Once you've completed your experiment, though, delete all the data from your Root Vaults account, then delete the extension from Firefox. And just to be safe, don't click on anything you'd be afraid to share with the world.

Although Root Vaults is setting a new standard for transparency in clickstream tracking, one telling detail is still obscured. Goldstein insists each vault "belongs to you." But it doesn't. Whenever anything of "yours" is stored on someone else's computer, it's not highly protected by privacy laws, largely under the assumption that it must not be as private as the stuff you store on your own computer. So the government or an attorney can get access to this data without contacting you personally, and often with very little court oversight. So remember, kids, just because something's in your account on Root Vaults, that doesn't make it yours.