Hide and seek on the Web

Jay Allen considered his ex-girlfriend a "rabbit in the pot" stalker for the repeatedly nasty comments she posted to his blog.

So he tried passive resistance by drawing a virtual curtain around his Web site. The trick, called cloaking, made his blog appear seemingly abandoned to her, while his regular postings were available to anyone else with a Web browser.

"I found out the Internet Protocol address (of her computer) and delivered her a static page anytime she visited," said Allen, an author and software developer. "That worked really well, until one day she went to an Internet cafe and found a month-and-a-half worth of postings and left a bunch of ugly comments again."

News.context

What's new:
New tools let people draw a virtual curtain around a Web site to mask sensitive information from outsiders.

Bottom line:
Web site operators and corporations are latching on to the cloaking practice as it becomes a growing strategy for playing espionage with rivals.

More stories on this topic

Allen added: "Still, it's a really neat idea to be able to cloak a page."

The concept, also known as IP-based filtering, has been around for many years, and outside of dodging an ex, it has numerous useful and covert applications that have caught on in the business world.

While few would admit it, the practice is an ever-more-popular strategy for Web site operators and corporations playing espionage with rivals.

Footprints left in the form of Web traffic logs are tipping one kind of voyeur off to another, and in some cases, that's delivered new competitive intelligence to rivals.

An online retailer, for example, might show one price for a digital camera to the public, and another price 15 percent higher for the same product to its rival. Consequently, the rival might price its product disproportionately and lose customers.

"Like with Caller ID, people want to know who's calling them. And it's going that way now with the computer; people want to know who's looking at their site," said Chris Cox, a Florida-based private investigator. "Some of (the voyeurism) is quite general, like for marketing purposes, and some of it can be quite sinister."

As the Internet becomes part of mainstream media, several high-profile lawsuits, including those from the music labels, have proven that privacy is anything but a guarantee online. But people still have the feeling they're anonymous while surfing. That's why many "safe surfing" or subscription privacy tools have yet to gain steam with consumers.

Fears that marketers are watching your every move have subsided and seemingly been replaced by corporate paranoia over internal secrets.

New tools to help companies "cloak" their traffic while surfing the

Web are becoming an attractive defense as a result.

Privately held Anonymizer, based in San Diego, began selling a corporate Internet cloaking service in 2003 called the Enterprise Chameleon. The product, a piece of hardware and software linked to a corporate server, will filter all employee traffic through its IP-changing servers and randomly issue untraceable IP addresses.

Sales of the product jumped 500 percent from 2003 to 2004, and this year the company expects corporate sales to comprise 50 percent of its revenue. (The other half comes from individual customers.) Anonymizer caters to government agencies and corporations, including pharmaceutical and biotechnology companies.

In general, cloaking works through a simple script that commands the Web server to deliver a set Web page whenever it detects the designated IP address. The IP address can be traced to an Internet service provider and, with special tools, to a geographic location. Because IP addresses are often static, the script could also mark whole blocks of numbers assigned to an Internet service provider, a geographic range, a specific company or government entity.

"You give up a tremendous amount of information when you're going to a competitor's site, like what you're working on, what products you're interested in, etc."

--Lance Cotrell, president, Anonymizer

In one practical example of IP-based filtering called geo-targeting, an online retailer can display Polar Fleece clothing to Alaskans by detecting their IP address and hence, their whereabouts. Advertisers use the same technology to send specific promotions to consumers, and search engines sniff IP addresses to display results based on a user's locale.

While privacy is an afterthought to many consumers online, corporations running a Web site or doing research on the Internet are increasingly aware of the perils of too much data and detection.

"As more information is easily traced, you can look at an IP address and determine the owner of that, or the company that owns that block of IP addresses...You can start to look at other types of things, like that the company is sponsoring certain types of events, and you can see certain patterns," said Alex Fowler, co-lead of national privacy practice with PricewaterhouseCoopers.

"When you're using a cloak, you're trying to avoid this logging of data," he added.

Privacy experts say that pharmaceutical and biotechnology companies are interested in keeping their online moves private, for fear of outsiders' ability to reverse engineer what's looked at in public databases. What companies research and read in the form of white papers could tip outsiders off to future products, for example.

Companies also have reverse engineered IP filtering to target and attract new employees. For example, during the dot-com heyday when hiring was tough, 3Com changed its Web page to highlight employment opportunities when it appeared Cisco employees were visiting, according to Lance Cottrell, the president of Anonymizer. Fowler said that auditing firm Ernst & Young had done the same to staff of rival PricewaterhouseCoopers.

Cottrell said that as much as 90 percent of corporations are mining competitive intelligence from their Web log files. "You give up a tremendous amount of information when you're going to a competitor's site, like what you're working on, what products you're interested in, etc.," he said.

In one example, he said Company A was interested in buying out

Company B, and its managers, investment bankers and corporate lawyers were regularly visiting the rival's Web site for financial information and other related data. Company B caught on by analyzing its log files after a huge spike in traffic, and then it started talking to another rival about a buyout, which instigated a bidding war. "They estimated that their acquisition cost them $15 million more than it should have," he said.

"Most people don't appreciate the dangers in the fact that someone can find out a lot about you just by you looking at them."

--Cox, private investigator

In another example, a maker of color printers might detect a traffic spike to a new product page from a rival, then later see interest in their marketing materials. That would signal that the rival could be coming to market with a new product of its own. To retaliate, the incumbent might issue an upgrade with a press release at the same time, thereby stealing some thunder from its rival.

"If you're just going to your competitor's Web site in the clear, you're really playing poker with all your cards face up," Cottrell said.

Cox uses the Anonymizer tool to ensure that his investigations online can't be traced back to his office or home, thereby tipping off the subject. He said he has been hired by companies to investigate employees who are believed to be selling stolen corporate goods online.

"Most people don't appreciate the dangers in the fact that someone can find out a lot about you just by you looking at them," Cox said.

Still, IP detection can be inaccurate, as Allen found out with his ex.

"What if someone is working from home that day, or has a remote office?" he asked.