10/15/99

Caller I.D. - Internet Companies Often Know Who's Trying To Click In.

Some Seek to Lead Rivals Astray; Others Tailor Message to the Visitor

Cat and Mouse With Cops

Brian Dunham has a hot Internet business idea, but he worries that someone will steal it. So last month, the 31-year-old San Franciscan blocked potential competitors from finding his brand-new Web site.

When the rest of the world clicks on eframes.com, it sees a Web business that frames and ships digital photographs overnight. But four firms that Mr. Dunham views as likely rivals get only a dummy site sporting this message: "Coming in time for Christmas!"

Known to insiders as Web-access blocking, this maneuver is made possible by the growing ability of computer programs to identify Internet users. In a little-known trick - technically called "domain-name identification" - Web sites can secretly see where visitors are coming from the moment they click on. The site can then choose to let them in or not. Or it can put up a substitute site. Or it can send them somewhere else altogether.

Some companies are using this technique to elbow out competitors. Others are displaying customized ads that only some viewers can see. For a month or so earlier this year, DoubleClick Inc., an Internet advertising firm based in New York, furtively put up three different editions of its home page. Most visitors saw one version, highlighting the firm's accomplishments. Employees of a rival firm could see only another version, with a special press release touting DoubleClick's capture of one of the rival's customers. Clients being wooed saw only a third version. "It's very stealth," says Christopher Saridakis, a DoubleClick vice president.

It also offers a reminder that going online is hardly a private affair. "Most people think that browsing the Web is as anonymous as watching TV or reading a newspaper. But it's becoming more like wandering around a trade show with your name tag on," says Jason Catlett, president of Junkbusters Corp., a privacy advocacy and consulting firm based in Green Brook, New Jersey.

Even venture capitalists have to worry. New Internet firms have surreptitiously watched which investors visit their sites, and how often. This tracking tells them who is the most enthusiastic about their venture, and thus whom they should pursue for money. "Absolutely, it was helpful," says Flint Lane, the president of a Princeton, New Jersey, firm that in January began offering an online bill-paying service called Paytrust. Companies also use this intelligence to size up potential suitors in acquisitions. "They huff out of the room, saying they're done, and then the company sees lots of hits on their site from those same people. They can predict they will be back," says Brad Burnham, general partner at AT&T Ventures, of Basking Ridge, New Jersey.

"It's interesting how naive people are about the footprints you leave in cyberspace," Mr. Burnham adds.

Indeed, a sizable portion of the Australian government left footprints on one hot site. To protest a new Internet content law, sex-site owner Bernadette Taylor this summer posted a long list of agencies - from the Nuclear Science Department to Tourism Tasmania - whose Internet addresses showed up in her logs. Like all Web-site operators, she could tell how much time each agency visitor spent on her site. "Viewing patterns suggest this was NOT research," she wrote about one agency.

The White House and many U.S. government agencies also gather the Internet addresses of everyone who visits them. They say it improves their Web sites. Some also acknowledge that the data help catch hackers and terrorists, who can be traced to their Internet service providers.

At least one U.S. agency has grown skittish. The Internal Revenue Service says it has stopped collecting the addresses of people visiting its Web site because of concerns that it was risking an unwarranted invasion of personal privacy.

For companies, however, this viewer information has endless possibilities. Entire ad campaigns have been spun from viewing Web-site viewers. For example, Al Noyes, senior vice president of marketing and sales at SmarterKids.com Inc., of Needham, Massachusetts, says he discovered that contrary to expectations, people were shopping at his children's-products site from office computers. "So we focused our ads on working moms" and not housewives, he says.

Blocking - and its related tactics - begins with the digits that identify every Web user. These unique numbers can't always be traced, and an estimated 30% of Internet users remain anonymous by using big services like America Online Inc., which effectively shields its customers behind one Internet access point. One AOL user looks just like another to the digit tracers.

But government agencies, organizations and companies often have their own Internet hookups, and when their employees go to the Web from their desks at work, they might as well shout out their employer's name. Operators of the Web site they are visiting can simply look up the visitor's Internet address in any of several reverse directories available free online (www.arin.net is one) and see the corporate name or agency behind the address. Conversely, the site operator can look up a rival company's Internet number and instruct its Web site to block any visitors coming from that address.

It takes only five minutes to fix up a Web site to do this. No special software is needed, just simple codes that are familiar to most Web-site administrators. When specified numbers come knocking, the computer can block, steer or misdirect the visitor in a matter of milliseconds.

Some of the first to use this blocking technology were child pornographers, followed by hate groups and people who sell stolen goods. They looked up the digits used by government investigators and then programmed their Web sites to screen them out. But law enforcement officials soon caught on to the tactic, and a cat-and-mouse game ensued.

When Detective Michael Menz of the Sacramento (California) Valley Hi-Tech Crime Task Force sidestepped the block by purchasing Internet access through a local firm, for example, the pornographers tracked him down again and blocked that address as well. He now uses an undercover account, and says the last site he noticed that was blocking law enforcement agencies peddled pirated knockoffs of the film "The Blair Witch Project."

Technology firms have been in the forefront of blocking competitors from sniffing around their Web sites. In August 1995, ExperTelligence Inc., a Web development firm in Santa Barbara, California, noticed its trial software being openly downloaded by a rival, Allaire Corp., of Cambridge, Massachusetts. "I couldn't let it go," says ExperTelligence Executive Vice President Robert Reali. So he looked up Allaire's Internet access code and designed a special Web site that only Allaire would see. It omitted the real Web site's list of customers, and offered only an old version of software to download.

"It didn't bother us at all," says Benjamin Frueh, product manager at Allaire, which eventually discovered the block. "It's flattering for people to think you're enough of a competitor that they have to take these steps." Some blocking is pure spoof. A few months ago, Oracle Corp. employees who clicked on the Web site of their smaller rival Siebel Systems Inc., of San Mateo, California, were whisked to Siebel's job opportunities page - the only part of the Web site they could access. "It was especially funny because at the time they were trying to hire Oracle employees," an Oracle spokesman says. Siebel declined to comment.

In the same vein, Cisco Systems Inc, the San Jose, California, computer-networking giant, showed a holiday party picture to some of its competitors - before sending them to the hiring page. Later, Cisco used a reverse-blocking technique to defend itself. A competitor was sending its Web-site viewers to an outdated Cisco Web page in order to boast that its product was better. So Cisco grabbed all those referred viewers as they came in and bounced them to the updated site.

"People are getting a lot more sneaky," agrees Peter Corless, an Internet services architect with Cisco.

Much of the blocking that occurs is aimed at thwarting corporate espionage, and some security experts scoff at its effectiveness. A blocked executive can simply use a home computer to get into the site. "The good corporate spy is never going to go directly from A to B," says Mark Fabro, director of professional services of Secure Computing Corp., based in San Jose. "I'm going to use a private account."

But often a blocker just wants to slow down any rival snoops until a new venture gets rolling. Says Mr. Dunham, the picture framer, "The longer we can keep people from jumping on it, the better."

Advertisers have discovered their own uses for knowing who is visiting a Web site. They can pay for their ads to be shown only to select viewers. International Business Machines Corp., for example, recruited employees by posting ads on Web sites frequented by students. Every school - whose Internet address would be detected by the Web sites - got its own pitch: "Is there life after Boston College?"

The technology is also allowing some very personal ads to turn up in seemingly public places. DoubleClick, the Web advertising company, once posted this banner on hundreds of sites throughout the Internet: "Congratulations on the twins, John Nardone." But the only people who could see the banner were Mr. Nardone and his colleagues at Modem Media, of Norwalk, Connecticut, a DoubleClick client. "I was out for a few days and had 50 people forward me this cool thing," says Mr. Nardone. "They were seeing it all over the Web."

Mr. Reali of ExperTelligence suggests that Web sites will soon be able to auction ad space based on the identity of incoming viewers. "If you can see it's really Bill Gates coming to your site, who would bid the highest to show him an ad on golfing?" he says. Web sites can't identify Mr. Gates, for now, but they can spot someone coming from Microsoft.

Federal agencies only recently began posting privacy notices divulging that they gather Internet addresses. No law requires such disclosure, and only some companies have voluntarily followed suit.

Inevitably, all this snooping around is prompting even casual Internet users to start masking their identity. Companies are selling services that promise to make any computer user entirely anonymous. But these programs have Internet addresses, too. And since computer hackers also use identity shields in their mischief, Web sites are starting to block these as well when they can identify the shields' own addresses.

"If you're not going to show me who you really are, why should I give you any service?" says Michael Lambert, a computer security expert.

By Michael Moss.
WALL STREET JOURNAL EUROPE