When Dallas-based Digital Convergence ushered in a new era of bar-code scanners with its cat-shaped gadget, the CueCat, the first question on many software developers‘ minds was ”Why?“ The device, which the company distributed at the end of August for free to subscribers of Wired and Forbes magazines, can be used to access Web sites by scanning bar codes on products and in magazines. The hard-wired technology is good for other things, too, but Digital Convergence’s bundled software didn‘t allow for it: Using its CueCat has so far required installing a cumbersome package of software and scrolling through a lengthy and rather weird end-user license agreement and an interminable video presentation of the product in action — scanning peanut jars, prescriptions and VCRs. Worse, before activation, the software demands that users exchange their personal information for an ”authentication code“ to activate the ’Cat. All this for the dubious thrill of visiting the Web sites of companies whose products have bar codes.
It‘s easy to see what value the widespread use of the CueCat could have for a merchant. Digital Convergence is a subsidiary of Digital Demographics, whose sole intent is to collect information on consumers that companies can use to target their marketing efforts. The plan was to charge a fee for embedded cues in magazines, as well as to compile and sell the aggregate demographic data collected from ’Cat users. But determining the CueCat‘s value for the user has been a little trickier: Digital Convergence claims in its promotional materials that it developed the CueCat to access ”unwieldy deep Web content,“ which is a little like saying you can find rare jewels at Sears. Commercial, product-oriented sites, the kind that can be linked to bar codes, are hardly buried, and not at all difficult to find.
Still, there’s something delightfully geeky about being able to read bar codes into your computer — before I installed the CueCat software, I played with the device in Windows Notepad, marveling at how the little red beam could translate lines on a can into numbers onscreen. It‘s a gadget freak’s dream, a no-cast take-apart toy whose supply is effectively limitless. And the hackers wasted no time getting to work on it: An engineer named Michael Guslick put up a Web page detailing the process of ”declawing“ the ‘Cat by severing the wire that transmits the contraption’s serial number; another programmer wrote a sleek Java decoder that performs the same routine as the Digital Convergence software, only with a lot less bother.
Michael Rothwell, director of research and development for a North Carolina–based software company, says that he was inspired to hack the ‘Cat when he envisioned uses for the gadget beyond Digital Convergence’s marketing plan. ”My friends and I have a lot of books and CDs we wanted to catalog, you know, for insurance purposes,“ he said over the phone from his office. ”We wanted to use a scanner to catalog them efficiently.“ With the help of software developer Pierre-Philippe Coupard, he ”ported“ the software — he wrote a version of it that could run on the Linux operating system — only with added features. In addition to its cataloging capabilities, the ”CueCat Decoder“ derailed Digital Convergence‘s data-gathering mechanisms by sending the letters ACTIVATION CODE instead of the actual numbers; it also launched the appropriate page at Amazon.com when a user scanned a book. But instead of being grateful that Rothwell enabled the CueCat to live up to its full potential, Digital Convergence was furious.
On August 31, Digital Convergence sent a letter by Federal Express to Rothwell and several other developers, requesting that they stop distributing their CueCat software. Rothwell complied, at least temporarily, but fought back by posting the letter, from Digital Convergence’s lawyers, Kenyon and Kenyon, on his Web site (www.flyingbuttmonkeys.com). ”I‘m disappointed,“ Rothwell wrote, ”that they didn’t use the Organization Name in their letter,“ which is Flying Butt Monkeys or, more specifically, ”FBM Terrorist Conspiracy From Hell, Inc.“ He also posted his own letter, asking Digital Convergence to explain exactly what he did wrong.
It‘s a good question. Linux developers have a long history of porting the drivers that run hardware to other operating systems, sometimes with the help of technical information provided by the original equipment manufacturers; other times by ”reverse engineering“ — working backward to unravel the software’s algorithms and rewrite them. Rothwell‘s offense, it would seem, was to have reverse-engineered Digital Convergence’s software to make the CueCat perform functions more specific to his needs, and eliminate the possibility of its violating anyone‘s privacy. But Digital Convergence’s chief technology officer, Doug Davis, accuses Rothwell of unnecessarily infringing on the company‘s intellectual property, and insists that user privacy was never at risk. ”We only collect aggregate data,“ he says. ”We were never interested in individuals.“ But as if on cue, on September 18, the server at Digital Convergence containing registration data on CueCat users was cracked, and an entire database of 140,000 registered CueCat users’ names and addresses was filched. (The story was broken on the Web magazine Security Focus, in an article written by Kevin Poulsen, a hacker of some standing who in 1990 managed to commandeer all the phone lines coming into KIIS-FM so that he could be the 102nd caller and win a Porsche.)
Rothwell claims that, before he retooled the software, he sent Digital Convergence three e-mails offering to work with the company. ”They basically told me, ‘Over our corporate dead body,’“ he says. Davis declines to address specific developers by name, but claims he would not have turned away a developer offering useful innovations. ”One thing about us,“ he says, ”is that we learn.“ He does note that Digital Convergence would have required Rothwell and other interested developers to purchase a $20 developer‘s license and sign an agreement with the company. ”We would have saved them the trouble of reverse engineering,“ says Davis. ”All we would ask them to do was make sure the transactions still ran through our back end, so we log the information and tell Forbes and Wired that a cue got used.“
Davis also insists that many of the software’s problems — the installation procedure, for starters — have been addressed in newer versions of the software, which Digital Convergence plans to distribute to 50 million consumers by next year. But he‘ll have a hard time catching up to Rothwell, who, bolstered by an outraged open-source software community appalled at Digital Convergence’s tactics, has changed the name of his driver from ”CueCat Decoder“ to ”FooCat BarCode“ and returned to distributing his software on the Web, figuring the only real case against him Digital Convergence might have is the use of its product‘s name.
On Monday, September 25, Rothwell received what he calls ”another vague letter“ from Kenyon and Kenyon, requesting that he ”remove immediately those portions of the Web site that contain unauthorized or illegal misappropriations of Digital Convergence’s intellectual or proprietary rights,“ but failing to detail which portions are in question. It‘s becoming increasingly clear to Rothwell that all he’s infringed on is a flimsy business plan. ”They‘ll either legitimize my software or sue me,“ says Rothwell, ”on the grounds that they’re a big company with a legal department. But they still haven‘t told me what I’ve done wrong.“