Deja News, which provides a Web interface and search capabilities for Internet newsgroups, acknowledged tracking the Internet Protocol (IP) addresses of users who click on outbound links within Deja News. In what it termed an "unintentional result," the company also was keeping IP address logs when Deja News readers sent messages via "mailto" links within Deja News.
"For the last year, we have been collecting information about where our users click on our site by logging their IP addresses when they hit a link," said Deja News chief executive Tom Phillips in an email message to the media. "We've used none of this information for any purpose other than to better understand aggregate usage patterns. However, we recognize the concern of our users over its potential misuse. Therefore, we are implementing a plan to discontinue the collection of this data."
Deja News general counsel Richard Gorelick today clarified that while Deja News will discontinue logging IP addresses of those who click on email links, it is still looking into the matter of logging IP addresses of those who click on outbound site links.
Deja News user, security maven, and Phar Lap Software president Richard Smith initially drew attention to the problem last week with a series of postings to the "comp.security.misc" newsgroup. At that time, Deja News insisted there was nothing improper about its logging activities.
Smith, whose newsgroup postings spurred the change in policy, said he did not suspect Deja News of any irresponsible or nefarious use of the information it was collecting, but that the mere collection of it could put users at a privacy risk for reasons beyond Deja News's control--for instance, if the logs were to be subpoenaed.
"The danger for Web sites that either intentionally or unintentionally are tracking what people do on the Web is that they're going to be more and more likely to find themselves drawn into legal fights. We've been seeing that over last the last three or four months especially," Smith said, citing in particular a case in which the FBI found the culprit in a stock manipulation hoax by examining server logs at Yahoo and Angelfire.
"Web sites are going to be asked for this information more and more," Smith predicted. "And the more they record, the more they could wind up being required to turn [that information] over."
Deja News, for its part, appears to be more concerned about customer complaints than subpoenas.
"We approached this more as a customer service issue," said Gorelick. "We care about our users and about their concerns. We did not look at this as a legal issue."
The proposed logging change at Deja News comes as the site is working on a major overhaul, expected to be implemented in the next few weeks. Changes include a user ratings feature, e-commerce offerings, and a name change to "Deja.com."