As you may know, there are now free/inexpensive barcode scanning devices out in the wild. As you may NOT know, each of these devices contains with it a potential privacy hazard--a Globally Unique Identifier (GUID), a "secret code" that is assigned to each scanner when it is produced, that can be used by the parent company to tell your scanner apart from any other, and, in theory, to track your personal scanning, buying, reading and yes, even TV-viewing habits, and tie this information to a profile on you based on your scanner's GUID.

First, let's start with a little background: The scanners, referred by some in the user community as CluelessCats or, more commonly, "Colon Cats" (due not only to the odd punctuation of the actual product's name, but also to recent actions taken against users by its maker), connect to your PC's between its keyboard and keyboard port. The devices allow the user to swipe in the bar codes on books, product packaging, magazines, catalogs, coupons and ads to be taken to a Web site related to the product (swiping a book ISBN may take you to Amazon.com, for example). Best of all, these devices are currently being given away FOR FREE at selected electronics stores and through the mail. However, as you have probably guessed--just about anything "FREE" should set off warning bells--there is a dark side to all of this. There are three major issues of contention surrounding the barcode scanning device:

• Undisclosed profiling and tracking of users, via a unique "serial number" embedded in each device;
• Questionable license restricting users' uses of the device;
• Heavy-handed attacks against those who use the hardware on unsupported operating systems such as Macintosh and Linux systems, using homebrew interface software.

Tracking and profiling

The intent of the manufacturer is that companies will pay to license the ability to create barcodes in the :Cat's "special" format with their Web address embedded in them, and that advertisers will pay for ads and targeting info relating to data gathered by the software that interprets the scanned barcodes.

As mentioned, each scanner contains a unique serial number or GUID, contained on a programmable chip within the device. The software provided with the device must be "unlocked" before use, by providing information such as your name, age, ZIP code, demographics and a valid email address (hmm...) in order to receive a unique unlock code. In fact, it is in theory possible to tie each scanner from the factory to an actual name and address in meatspace:

• You receive the scanner either at a participating electronics store (RadioShack, et al) or in the mail, addressed directly to you (your address gotten from subscriptions to certain magazines, including Wired). If received at a store, the clerk scans the code from the package into his/her computer, then demands your name and address. If received in the mail, they obviously don't need to ask your name and address...
• Since each device contains a unique code, the device's code can be tied to the name and address described above.
• When you scan a barcode using the device, the provided software interprets the signals transmitted by the scanner (including the information from the barcode, barcode type, and the unit's GUID) and transmits the barcode along with the GUID to the company.
• Since information regarding each scanned item is correlated with the GUID of the scanner, each item scanned can be tied to the specific GUID, and hence the specific user, that scanned the item. As the scanners have an estimated 10-year life expectancy, this mountain of personal data can add up quickly. Even if you connect the device to a completely different computer, anywhere on Earth, the GUID attached to your device remains the same.
• Server-side data mining software crunches the profiles collected to obtain specific pysychographic data about YOUR interests, purchasing history, interest in particular types of ads and catalogues, and personal preferences. Considering that the ISBN numbers on the back of books and CDs are among the more commonly-scanned items, the software knows (in addition to purchasing habits) what music you listen to and what kind of books you read!
• An optional audio cable called a Digital Convergence cable is sometimes provided with the scanner. This cable connects between your computer and the audio output of your TV, using special codes embedded in TV shows and commercials to direct you to Web sites much like actually scanning the appropriate barcodes. This presents another capability: now the software knows what you are watching on TV!!

If you doubt an ulterior motive to the barcode scanner, see these excerpts from the company's other site (which has since been taken down [pointed to the Cuecat site], for probably obvious reasons), DigitalDemographics:

DigitalDemographics' parallel mission is to gather demographic and psychographic information from our :CRQ users, subscribers, and :CueCat device users. Our goal is two-fold.

A cumulative databank is a compelling information tool. Ours is powered by multiple sources:
 

• Demographic Profiles
• Historical Cue Data
• Responsiveness to Relevant Information on the Tabs
• Responsiveness to Relevant Information on the On:CRQ Web site
• Polling Data
• Panelist Data (from volunteers who participate in special interest panels)
• Specific Program Cue and Scratch Data
• Survey Data from Opt-In Respondents and volunteer panelists
• Direct Responsiveness to Offers
• Cross-Media Response Profiles
• Multiple Response Profiles from Same Segment/Media
• Industry Specific Demographic profiling

A questionable End User License Agreement (EULA)
"If you give me a claw hammer and I crack nuts with it; have I violated any of your rights?" - jodo, in a Slashdot forum

Since the scanner device is designed and given away in order to make the parent company money, it's safe to assume they don't want people using the free scanners in ways other than intended, including as a product-inventory or cataloguing tool, night light, doorstop, flashlight, motion detector, etc....or especially using it without their user-tracking software. To this end, the company has been constantly expanding and re-wording the License Agreement bundled with the device. Originally a standard software license to prevent unauthorized copying, redistribution and disassembly of the decoder software, the EULA has since been modified several times and now includes a section implying that the free scanner hardware is also covered by this license. The revised license goes on to say that the hardware is not actually "given" to the recipient, but only leased--and that the company can demand the return of the device at any time. There are several problems with this license that make its validity highly questionable:

• A licensing agreement is essentially a contract between two parties, the licensor and licensee. However, upon picking up the device at a store, the recipient is not notified of any license, nor required to read or sign anything in order to receive the device. Additionally, by most popular definitions the hardware is not actually "free" nor given away--the scanner is "paid for" in the form of valuable marketing information (such as name and address) provided in exchange for the device. Finally, the device is entered as a charge ($0.00) and this charge is printed on the customer's receipt. By most accounts, these factors mean that the device has been sold to the customer, meaning the First Sale rule applies.
• If the device has been sent to the user unsolicited, it now belongs to them according to section 3009 of the postal codes. This law, intended to beat scams where a company would send an unsolicited product to someone, then send an outrageous bill for the product later, states that any unsolicited product sent to a consumer becomes the consumer's property (and cannot be charged for). An owner of hardware can do whatever he/she wants with it (tear it apart, break it, modify it, throw it in the trash) or use it for any purpose he/she sees fit (flashlight, doorstop, paperweight...). If DigitalConvergence tried to enforce a "We are only leasing you this hardware, you must return it/pay for it/etc. at our whim" license, it appears it would make them guilty of mail fraud.
• The license agreement is printed on the packaging of a software CD that is separate from the actual scanner hardware. It is entirely possible and trivial for an end-user to open the packaging, remove the :Cat hardware, plug it in, and use it (with homebrew software) without ever coming across anything vaguely resembling a license - in fact, to prove this to the point of absurdity, there was even a Web site with photos depicting the process. Not to say that a "By opening this baggie you agree to the license agreement inside it, even though you haven't gotten a chance to read it yet" agreement is legally valid, but the fact that it's not even on the outer packaging makes it even less so.
• Assuming you actually want to use THEIR software...The software comes in a cardboard sleeve with the aforementioned "shrink-wrap" license agreement on it in fine print. This sleeve states that by opening it you agree to the license agreement inside. However, the software CD comes in a 3-sided cardboard sleeve that cannot be "opened" by the user (it's already open!) In fact, tilting it at the wrong angle will cause the software CD to fall out.
• The version of the license that comes with the software CD covers only the software. The extension to hardware came after many of the software CDs and jackets were printed. Only after installing the software, the user is presented with the original license and then an updated version that conflicts with the first. Again, persons not installing the software are not shown the updated license at all.
• The software presents an EULA governing the use of the software itself, instructing the user to press the button marked "Agree" to accept the license. However, there is no "Agree" button. There is a "seemingly unrelated" button, marked "Yes", that allows the installation to proceed when pressed. (Screen Shot) In this case, the user has not pressed any "Agree" button and may not be technically bound to the license, even after installing the software. I am not a lawyer, but I know a gaping loophole when I see one.

We can do anything we want to with it. We can destroy it, we can pee on it, we can set it on fire, we can strap gi joes and 74 bottle rockets to it and boldly send it where no cat-shaped bar code reader has gone before. We paid for it (granted it cost $0), it's ours. - dizee, Slashdot poster

Legal Threats against non-Windows users

As it turns out, the makers of the barcode scanner only provide interface software for Windows--the software that captures your name and email address, ties it to your scanner's serial number, tracks your preferences, etc. Some of those who received a scanner in the mail don't use Windows, and so wrote their own software to capture the device's input to the computer. The company responded by firing off loads of cease-and-desist lawyer letters warning Linux developers that Bad Things would happen if they didn't take down all their software right away. Specifically, the letters made vague references to Intellectual Property violations, without saying how any IP has been compromised by writing an interface program from scratch (known as "clean-room engineering"), or even what IP (copyright, trademark, patent, etc) had supposedly been violated. Again, there are specific problems with the C&D threats that can be enumerated:

• In another instance, the manufacturer cites "Reverse Engineering" as violating their rights. However, as mentioned, the Linux decoders have been created without looking at the original software or dissecting the hardware logic, in a process called clean-room reverse engineering. This practice is legal and has been a staple of electrical and other engineering for many years. It is the same process that allowed the IBM microcomputer and Intel chips to be "cloned" by other companies legally. (As a personal side note, the EE courses I'm currently taking go into some detail about reverse-engineering and even information about how to go about it legally. Again, reversing is a common engineering practice.)
• While the manufacturer cites its EULA, which states that the SOFTWARE cannot be reverse-engineered, and that all information derived from reversing must be sent exclusively to them, the coders (who have no use for the Windows software the license protects--which is why they're writing their own drivers, duh) have not installed the software and are not bound by its license agreement. On yet another side note, the issue of whether or not software reversing is illegal is hotly debated, and, as far as I know, no actual ruling on the matter exists, unless for the hotly debated UCITA bill, which is legally questionable and not enforced in all states. But that's another rant.
• The manufacturer refuses to provide specific incidences of infringement, providing only a vague reference to an unnamed Intellectual Property.

Looks like just another bunch of crybabies with their panties in a knot because people aren't playing with their toys the way they intended, the way that makes them money.

Linux advocates and others using non-approved interface software with the device contend that it was the manufacturer's own stupid idea to give away free scanners, then try to retroactively force the recipients into contracts. (I for one am not complaining--I applaud them for letting me stop by Radio Shack to pick up FREE electronics; the photosensor and ultrabright LEDs these things contain will come in very handy for my senior design project :)

See the related Slashdot discussion, and the home of one of the original drivers, which includes a copy of the letter.
 
 

This information is for the version that connects to your Keyboard. There is now a USB version of CueCat; and as far as I can determine, the "neutering" instructions are the same (the new :Cat also uses a 93C46-series EEPROM). The USB :Cat is covered in more detail below.

"Neutering" the :Cat scanner by disabling its serial number is fairly easy. If you like to take stuff apart, it'll be fun, too. If you're careful, this process is completely harmless to the :Cat (they have 9 lives, don't ya know)...but remember, if you happen to screw up and destroy your :Cat in the process, you can always get another one, they're free :)
Note: As with any electronic device, make sure the power is disconnected before performing any surgery on the :Cat.
Update: As long as your :Cat's under the knife, see below on enabling a hidden anti-encryption setting with a different small modification to the :Cat.

Materials required:

• Phillips-head Screwdriver (to get the :Cat apart)
• Small screwdriver, razor blade, pen knife of X-Acto knife (take your pick) for cutting or prying
• (Optional) Piece of wire

There are several models of the scanner out there, each slightly different--so yours may not look exactly like shown above. The board above is most easily recognized by the "epoxy blob" in the center (older versions have a square Toshiba microcontroller chip in place of the blob), and the words "(TM+H Rev 0.3)" printed on the other side of the board.
You may want to check out another page, "Getting your CueCat declawed", especially if your board looks different from the one above. This page contains a lot of technical descriptions, EE's out there will really eat it up <g>.

I will cover 2 different methods of disabling the serial number, both of which are fairly simple.

Have a good look at the circuit board above. While yours may look slightly different, all versions of the device have the same/similar ID chip on it. (Update: Newer revisions of the board have a strange 5-pin chip in the place of the 8-pin EEPROM, but it does the same thing. You can probably kill the serial# on this bad boy using the same methods below, or just pry the whole chip off the board.)

This is the chip marked with the red arrow above. It is an 8-pin device and, while you can't see it on the scan above, the number on the chip will be something similar to :

||||
S93C4
6DV06
.4735
|||| Think of it as all one number--it is simply split across multiple lines to fit on the chip. Again, the exact numbering may be different on your :Cat--but 93_46 should show up on the chip somewhere. The blue and green stuff above is not part of the number--the green represent the pins of the chip, and the blue dot represents a small dimple on the top of the chip (this will be explained later). As seen in HiTex' Chip Directory, the 93C46 series chips are EEPROMs, or reprogrammable memory chips. (These are programmed at the :Cat factory to contain a unique code.) The pinout is available here. As you can see, pin 2 is the chip's clock signal, 3 is data in, and 4 is data out--each of these pins are necessary to transmit the code! (Getting ideas yet?). To determine which pin is which, start at the small dimple on the top of the chip (this indicates Pin 1) and go counterclockwise around the chip. I've marked the dimple with a blue dot in the image above, as in the diagram below. 8 7 6 5
| | | |
-------
|      |
|.     |
-------
| | | |
1 2 3 4 Pins 2, 3, and 4 are marked in red.

Method 1:
This is probably the easiest method. Using your weapon of choice (pen-knife, razor blade, X-Acto knife, etc.), pry any one of the three marked pins off the circuit board so it doesn't make contact. Or, slice through the shiny green trace that connects the pin to the rest of the circuit. On my own :Cat I severed pin 2 (CLK), but it may be easier to reach a prying tool underneath pin 4 since it is on the end of the chip. Once this is done, your :Cat's serial number will be reported as ------------------.

Method 2:
 

[Click here for the scanned image]

This is my preferred method, since it sets your serial number to 000000000000000000 (which may be easier for decoder programs to accept as a valid serial number). I've tested this to work on the 0.3 revision of the :Cat, but can't guarantee success for other versions. Pin 4 of the serial chip is connected to what appears to be a small hole through the board. These holes are actually connections to the other side of the board. Place one end of a wire into the "hole" attached to Pin 4, as shown. Attach the other end of the wire to "hole" shown, which leads into the epoxy blob (controller chip). The hole shown is recommended (since I've tested it to work with this connection), but others may also work. This effectively shorts the output of the serial chip to a predefined value--that is, whatever voltage is on the conductive "hole" the other end of the wire is attached to. (Update: Upon further investigation it turns out this is in fact a ground node, and you can achieve this effect by connecting the wire from the EEPROM to any ground [that is for you non-engineers, anyplace that is connected to the "-" terminal of the board containing the red LED lights]) Depending on the thickness of your wire, it may or may not fit snugly into the holes--try to find some that fits snugly, bend it so that it will not be knocked loose while putting the case back on the :Cat, and glue the wire securely so that it can't come loose and short out other things. If you can solder the wire where it belongs, even better, but it'll be tricky.
 
If following the image above, make sure you don't have the board upside-down, or it will be a lot harder finding the right hole to jumper to :)

For reference, here are some sample scans (using cat.pl) showing the GUID information removed. Each was produced by scanning the ISBN from the back of a particular book.

Unmodified :Cat
.C3nZC3nZC3nWCxjWE3D1C3nX.cGf2.ENr7C3v7D3T3ENj3C3zYDNnZ.
Serial: 000000005763846002
Type: IB5
Code: 978068484914051500
 

Clock pin severed
.BM5UBM5UBM5UBM5UBM5UBM5U.cGf2.ENr7C3v7D3T3ENj3C3zYDNnZ.
Serial: ------------------
Type: IB5
Code: 978068484914051500

Data-Out pin shorted to Controller pin
.C3nZC3nZC3nZC3nZC3nZC3nZ.cGf2.ENr7C3v7D3T3ENj3C3zYDNnZ.
Serial: 000000000000000000
Type: IB5
Code: 978068484914051500
 
NB: If you are getting inverted upper/lower case with Code 128 / 3 of 9 barcodes after performing a modification, switching the CAPS LOCK on will clear it up. The cause of this problem is unknown.

For this modification you will need:

• Small phillips-head screwdriver (to get the :Cat apart)
• Piece of thin, insulated wire. A wire twist-tie works nicely.
• (Optional) Soldering gun.

Note: As with any electronic device, make sure the power is disconnected before performing any surgery on the :Cat.

[Click here for the scanned image]

If you can do the "Neuter" procedure above, you can certainly perform this one too--but if you go this route, the "Neuter" will not even be necessary because the :Cat will output only a raw, un-encrypted barcode (no serial# or any such nonsense). I don't claim any credit for this; I just found a detailed explanation of Jeff Dobkin's discovery and decided to try it out myself. What you need to do is wire the +5V going to the LEDs and other logic to a certain pin on the board. (Note: I've only tried this on the (TM+H Rev 0.3) version because that's the one I've got, but have heard that a similar procedure works on other models. Experiment with the row of holes to see what works on yours :) While the board layouts may differ, the hole connected to R29 seems to always give the proper results.

There are several places on the board to get +5V. Probably the easiest is the +5V pin of the EEPROM, which conveniently provides a hole for you to stick a wire into (marked with 2 red arrows in the image). Another good place, if you care to use a soldering gun, is to simply solder one end of your wire to the big "+" on the LED (red light) board. Anything marked +5V here can be used. Now, put the other end of the wire thru the hole marked ("Hit me with +5V"), and your :Cat will output plain old un-encoded barcodes with no special software (and/or lawyers) required. Remember, if you got this cursed thing in the mail, it is your property to do with as you please, including stick wires into it like a Voodoo Doll. (Incidentally, if you got it from a Radio Shack, and they don't find out what you're up to, it is your property to do with as you please!  "Cop didn't see it, I didn't do it", I like to say.)

"Unmodified" :Cat scan, for reference:
.BM5UBM5UBM5UBM5UBM5UBM5U.fHmc.C3b3Dhn0C3bYC3TY.
(Note: Not technically "unmodified"; this is the same :Cat I already neutered to remove the serial number.)

After modification:
034707031081

(In case anyone is wondering, this particular barcode is from a pack of CD-Rs that just happened to be within arm's reach of my computer :)

Probably the hardest thing is finding a good piece of wire, one that is narrow enough to fit into these holes but wide enough not to slip out, in addition to being insulated. I've found a piece of wire twist-tie works nicely, just cut to the desired length and slice off the paper/plastic on the ends to expose the wire. Slide these ends thru the holes, and kink them where the come out the other side so that they can't slip back out (& to ensure good electrical contact). Soldering would be ideal here, but since it's a hassle and not everyone has a soldering gun, the wire alone should be adequate.
 

Note carefully the side of the board you are looking at compared to the image above, and make sure they match. If the procedure is not working, experiment! The Rev. 2.1 board may actually be backwards from this, as explained in this guest article.

You'll note that there are a number of these useless-looking holes all lined up in a pretty row, you ask, "so what do the REST of them do?". Just for fun, I hit the rest of 'em with +5 (and GND) to see what would happen. A hole I applied the 5V to (which I've marked with a blue dot) 2 away from the "magic one" returned the following strange results when scanning the same package multiple times:
.BM5UBM5UBM5UBM5UBM5UBM5U.eWah.DW.
.BM5UBM5UBM5UBM5UBM5UBM5U.eWah.CNC.
.BM5UBM5UBM5UBM5UBM5UBM5U.eWah.Ca.
.BM5UBM5UBM5UBM5UBM5UBM5U.eWah.Dq.
.BM5UBM5UBM5UBM5UBM5UBM5U.eWah.CNC.
.BM5UBM5UBM5UBM5UBM5UBM5U.eWah.Ca.
.BM5UBM5UBM5UBM5UBM5UBM5U.eWah.CNS.
.BM5UBM5UBM5UBM5UBM5UBM5U.eWah.DNO.
.BM5UBM5UBM5UBM5UBM5UBM5U.eWah.DG.
.BM5UBM5UBM5UBM5UBM5UBM5U.eWah.Dq.

Each of these is of course a different swipe...running them thru cat.pl returns something like:

.BM5UBM5UBM5UBM5UBM5UBM5U.eWah.DG.
Serial: ------------------
Type: PCD
Code: 5

Rather mysterious to be getting different results from scanning the same barcode. My own wild speculation is that these values relate somehow to the scanning speed or a "read quality" indication, and could be used to set R13 [amplifier gain?] at the factory). It seems to be change from one scan to the next, and does not return values on every scan. Anyone care to hazard a guess?
As for the other holes, none did anything very interesting--either they had no effect, or the scanner stopped working completely until the short was removed. Grounding them had no effect at all.
 

Note: The HO+E revision uses a different method. Chris writes the following:
I have the HO+E version of the cuecat and i wanted to tell you that i found the proper pins for shorting out the encryption. I simply shorted J2 (Led +5) with the feed for R29 (Two holes to the left of what is shown for your version of cuecat). I hope that this info can help you/others who have this version as i think this version is harder to find info for.
 
See also: Quick CueCat Modification Solutions - details the hack for three major CueCat board revisions. Also, an offer to hack your 'cat and mail it back for a reasonable fee.

Contrary to the included documentation, the USB CueCat will work with Windows 95 OSR2. You will have to download a driver update first. Detailed instructions are here, but I should forwarn you of a problem I experienced with the instructions listed (aside from it basically saying, "Don't bother with win95, it won't work") : After downloading the first file (USBSUPP.ZIP) the CueCat worked on my '95 machine, but after installing the second file (USBUPD2.ZIP) it stopped working. If it works fine after installing the first file, and does not exhibit other problems, I see no need to install the other file.

Also remember to enable USB in your BIOS, if it isn't already. If the :Cat is plugged in but doesn't ever light up (even at the BIOS screen) this is the most likely culprit.

Anyway, there is a way to hack this :Cat to remove the serial # (same as the keyboard version), and also a hack to decode its output (just like the keyboard version). I have received a report of the "neuter" procedure causing the :Cat to reverse the case of alphabetical characters from Code128 barcodes.

To remove encryption: Find the chip marked HMS91C7316 (on the bottom side of the :Cat) and carefully cut/pry pin 5 to disconnect it from the board, as with the Neuter procedure. For those unfamiliar with pin numberings, see the diagram below.

The blue dot represents a small circular dimple you should see on the top of the chip, which indicates Pin 1. Simply count counter-clockwise around the chip from Pin 1 for the numbers of all the other pins. Pin 5 is marked in red. Now the USB CueCat will output plain, unencrypted barcode data.

All in all, it is a decent quality mono audio cable, about 25 ft. long, with a male/female combination RCA plug (as a pass-thru) at one end and a stereo plug at the other end, the kind found on most headphones and just about anything that plugs into a soundcard. Don't let that stereo plug fool you though--it is a mono cable, with only 2 conductors all the way down the wire. Yes, I cut it open and checked, because a stereo cable would be really nice.  Here is the cable, with one plug sliced off and wire end stripped.

The standard privacy warnings apply (and then some!) to using this cable for its intended purpose of reading CueCat audiocodes from your TV set--this is a good way to tell a notoriously loose-lipped company what kind of TV shows you watch, but doesn't convey to you, Dear Consumer, anything useful in return. (What? TV commercials can send links to rich-media adverts right to my computer? Wowie-gee-willikers, Batman! Sign me up right away!)  Not to mention needlessly tie up gobs of CPU horsepower, while the CueCat software performs realtime Fourier transforms(??) on the incoming audio in the vain hopes of finding a split-second DC audiocode in it somewhere.

This of course doesn't stop you from not installing their software, and using the cable to copy amusing audio clips to/from your computer, or attaching a microphone to it to record sound up to 25' away. Attach a carbon mic and clip it to your bird feeder :)

Misc.
Software to create your own :Cat barcodes
 
 
 

"Cat and Mouse Games" Essay (Dr. Dobb's Journal)
"Stupid Companies" Essay, many :Cat links
Disable :Cat's encryption right on the board!
"Cat" Scanning device may track users online
CueCat users' information let out of the bag
Consumer details exposed on CueCat site
Getting your CueCat declawed
Slashdot Coverage and more and more
CueCat Software Spies on You!
CueCat: Corporate and Clueless (ZDnet rant)
Quick CueCat Modification Solutions - Instructions for performing the "Decode" hack on the three major boards, and offers to do it for you for a small fee.