16 June 2000
Source: Public Information Research
By Public Information Research
The New York Times is leveraging its brand name with its Internet operations, and is capturing an enormous audience for its advertisers. Since nytimes.com was launched in January, 1996, it has collected over 10 million unique registrations.
Each one of these received a cookie that contains their User ID and password, in a form that can be descrambled by any kid with a Cub Scout decoder ring. In May, 2000, it was discovered that a bug in all versions of Microsoft Explorer allows the cross-domain reading of cookies. Therefore it appears that the New York Times, in its eagerness to amass one of the most valuable profiling databases anywhere, has left behind some 4 million vulnerable cookies.
Here's the math: There were 10 million vulnerable cookies planted by NYT over a 4-year period. As of May 19, 2000, they silently began replacing these cookies with a better-encrypted version. But since they get only 85,000 unique visitors per day, this means that in the month they've been replacing cookies, they've probably reached only 2 million of their 10 million registrants. The other 8 million are out of the habit of checking in with NYT. The cookies were set to expire in 10 years. Some may have been overwritten by other cookies by now -- Netscape, which wrote the original cookie standard, says that there can be a maximum of 300 cookies. But it's unclear whether Explorer has a maximum, and in this case, Explorer is what counts.
If half of these 8 million cookies are on Explorer, then that leaves 4 million NYT registrants with vulnerable cookies.
Someone can read the NYT cookie by sending a piece of spam to the victim, which when previewed will silently launch a cookie-grabbing program on a malicious server (there is NO attachment to click). Or they can place a cookie-grabber on a malicious website and just start fishing for any NYT cookies that happen to stop by that site.
In both cases, the former NYT reader isn't aware that the cookie has been stolen. This is dangerous because most people use the same password on more than one site.
When advised of the problem, Rich Meislin, the chief editor of NYT Digital, e-mailed Public Information Research on May 16, 2000, as follows:
Thanks for your message. As you note, we will be providing a stronger encryption algorithm later this week. We're deciding how to best go about communicating this to our readers. / Rich Meislin
For a month now, PIR has been asking for a press release, article, or some other good-faith effort to notify those 4 million former readers. As of June 15, 2000, there is no evidence that NYT Digital is willing to rock the e-commerce cookie boat and actually issue what might be described as the first cookie recall in history.
PIR went ahead and set up a demonstration of the cookie vulnerability on its website, at:
http://www.pir.org/nocookie.html (toward bottom of the page)
On June 15, PIR discovered that nytoday.com, another of the NYT Digital websites, is _currently_ using a cookie for site registration that contains the username plus a poorly-scrambled version of the password. We expanded the demonstration in order to crack this password. What will it take to get them to take their cookies back?
This is clearly a case where the importance of the advertising dollar, and the massive long-term profiling of users for the sake of that dollar, has outweighed the needs and interests of the public.
That's what we think at PIR.
Send an e-mail to meislin@nytimes.com and tell him what you think.
_____________
Information on the Reach of New York Times Online Operations
____________
[ NOTE: Times Company Digital changed its name to New York Times Digital in 2000. ]
Remarks by Martin A. Nisenholtz, president of New York Times Digital May 26, 1999, CS First Boston Conference, "Newspaper Strategies in the Internet Age":
"Times Company Digital consolidates approximately 50 Internet holdings, including our flagship, nytimes.com, as well as boston.com, nytoday.com, winetoday.com and golfdigest.com [and abuzz.com, and a major stake in TheStreet.com].
...
"When we embarked on this a lot of people told us that users would never give us information to get at our content. They were wrong.
...
"Our users are the most affluent of any news and information site, with an average income of higher than $150,000. They ranked number one for purchases online in the past six months. And they ranked number one for dining by Platinum Credit Card.
...
"We have conducted extensive research to quantify the number of like-minded New York Times readers across the United States. In this framework, like-mindedness is defined principally along psychographic line, though it can include certain demographic drivers like education as predictors of behavior. We found a total potential audience of 39.5 million American adults who shared these attributes, in addition to some unknown number around the world.
...
"We're already analyzing data across five dimensions: registration, content behavior, technographics, transactions and advertising/promotion metrics. This data is available to advertising clients 24/7 so creative executions can be optimized in a continuous feedback loop.
...
"We are leveraging one of the great media brands of our time, one that is trusted throughout America and, indeed, throughout the world."
_________________________
From a January 31, 2000 report, when Times Company Digital filed for an IPO [Times Company Digital is now New York Times Digital]:
TCD estimates about their users:
65% more likely to earn in excess of $150,000 per year;
62% more likely to have a post-graduate degree;
39% more likely to have purchased online in the last 30 days; and
48% more likely to have been online every day in the last 30 days.
Traffic: Each of TCD's websites is positioned to be a category leader. In December 1999, nytimes.com had 90.7 million page views with the average user spending 36.4 minutes on the site, according to Media Metrix. There are 10 million unique registered users with 400,000 new registered users being added monthly.
Employees: 321 full-time of which 92 are in web design and content, 88 in advertising and sales, 23 in marketing, technical development and operations, and 48 in administration. Operations are spread around between West 43rd Street, Boston, Cambridge (MA) and Trumbull (CT).
E-MAIL BASED PERMISSION MARKETING: Advertisers pay TCD to deliver their messages directly through e-mail. E-mail marketing delivers high response rates and high returns on investment for direct marketers. Through its database marketing model, TCD is positioned to benefit from the rapid growth of direct marketing on the Internet. 58% of nytimes.com's registered users agree to receive editorial messages, which contain advertising, and 21% agree to receive advertisers' messages.
Each of nytimes.com, NYToday.com, boston.com, WineToday.com and GolfDigest.com operates its own newsroom, under the overall supervision of TCD. Nytimes.com has entered into a joint venture with TheStreet.com under which the two operate a joint newsroom which provides continuously updated financial news throughout the day. The newsroom is under the direction of an editor selected by The New York Times. The joint venture also provides for the linking of nytimes.com and TheStreet.com. Political Points, a daily live webcast featuring political campaign news and interviews, appears on nytimes.com and abcnews.com.
______________________
From Business Wire, Feb. 3, 2000:
Times Company Digital, the Internet division of The New York Times Company, reported that for the month of December, year-over-year traffic increased at its two largest Web sites.
The Internet traffic results for December 1999 versus December 1998 were as follows:
The number of unique registered users for The New York Times on the Web increased 86.0% to 10.3 million. Page views rose 49.0% at The New York Times on the Web and 104.7% at Boston.com. Sessions or visits grew 42.7% at The New York Times on the Web, 50.6% at Boston.com and 146.1% at NYToday.com.
Times Company Digital
Key Internet Statistics
December 1999
(in thousands)
-------------------------------------------------------------- The New York Times on the Web (www.nytimes.com) ----------------
Launched in January 1996
Home/Work Reach - 2.8%(a)
New York DMA Reach - 9.5%(b)
December -------------------------------------- 1999 1998 % Change -------- -------- -------- Unique Registered Users (c) 10,289.0 5,532.0 86.0% Page Views 90,731.0 60,886.0 49.0% Sessions (Visits) 14,100.0 9,877.8 42.7% Unique Visitors 2,632.0 1,717.0 53.3% Avg. Page Views per Day 2,926.8 1,964.1 Avg. Sessions per Day 454.8 318.6 Avg. Unique Visitors per Day 84.9 55.4 ---------------------------------------------------------------------- ---------------------------------------------------------------------- Boston.com (www.boston.com) --------------- Launched in October 1995 Home/Work Reach - 1.2%(a) Boston DMA Reach - 17.4%(b) December(d) -------------------------------------- 1999 1998 % Change ------- ------- -------- Page Views 43,000 21,010 104.7% Sessions (Visits) 5,769 3,830 50.6% Avg. Page Views per Day 1,387.1 677.7 Avg. Sessions per Day 186.1 123.5 ---------------------------------------------------------------------- ---------------------------------------------------------------------- NYToday.com (www.nytoday.com) ---------------- Launched in June 1998 December(d) -------------------------------------- 1999 1998 % Change ------- ------- --------- Page Views 3,704 3,931 -5.8% Sessions (Visits) 940 382 146.1% Avg. Page Views per Day 119.5 126.8 Avg. Sessions per Day 30.3 12.3 ----------------------------------------------------------------------
(a) Source: Media Metrix - December 1999.
(b) Source: Media Metrix - Q4 1999.
(c) Unique registered users reached the 10 million mark on December 8,
1999.
(d) Information is based on preliminary internal data, which may be adjusted
at a later date.
Public Information Research, PO Box 680635, San Antonio TX
78268-0635
Tel:210-509-3160 Fax:210-509-3161 Nonprofit publisher
of
NameBase
http://www.pir.org/
NameBase@cs.com