"WOW," my hacker friend Mason breathed as he looked at my computer monitor, "That's really horrendously fucking evil." He was responding to my account on Root Vaults (root.net), a web service with hazy goals but a very interesting tool: If you sign up and download a plug-in for Firefox, Root Vaults will record your entire clickstream, including Google searches and things you've bought online.

When I go anywhere or click on anything online, the plug-in records it and sends the data to my account at Root Vaults. A nifty graphical interface shows me what sites I visited, including the most popular sites, as well as what I searched for on both Google and Yahoo!

Since I was just testing Root Vaults, I tried to search for important things like "horse porn" and "cute things." As a result, my clickstream looks sort of like this: www.xxxpower.net (the clickstream from this one yielded some interesting results, as it appears that some scamster was trying to make it look like I was clicking on the ads on the site, even though I didn't); www.cuteoverload.com (too bad Root Vault couldn't measure my utter joy in looking at this site packed with a zillion cute animals); www.pussy.org; www.kittenwar.com.

Now imagine that I spent all week sending my clickstream Root Vaults. Instead of seeing the result of searches I don't normally do or care about (well, OK, sometimes I do search for cute kitties), you'd have a record of everything I wanted to see and everything I did see. Seth Goldstein, inventor of Root Vaults, calls it the "record of your attention," and he wants to sell it.

Like Google, Claria and dozens of other companies that record all your searches and everything you look at online, Root Vaults doesn't quite have a business model for all the data it's aggregating.

Right now, Goldstein uses the information he's gathered to sell "leads" to mortgage and insurance companies looking for people whose clickstream makes them appear likely prospects. Later, he might use all the consumer data in Root Vaults to sell companies information about who clicks on what and when. Or maybe he'll try to sell futures in consumers by claiming he has a batch of people whose attention data shows they're on the cusp of buying something big because they've been visiting Consumer Reports and trolling Shopper.com.

Unlike its sister companies, Root Vaults is letting users see the data it collects. That's why I don't entirely agree with Mason's damning assessment of the service. Certainly, clickstream snooping is a privacy invasion, but, worse, it's something that few people understand.

For example, when you download the toolbars from Google, Yahoo! or Microsoft, each one sends the very same kind of data that Root Vaults collects right back to its mother company. So if you want to know how much Yahoo! knows about you, sign up for Root Vaults, watch your clickstream get recorded and find out.

Goldstein is excited about this idea. As a founder of Attention Trust, a nonprofit whose goal is to regulate the clickstream-tracking industry, he's intrigued by the idea of corporate scruples in a space that is best known for spyware. "This tool could be for self-education," he enthuses. "The same way Fast Food Nation taught us what we're really eating, Root Vaults could teach you what kind of data companies are really gathering about you."

You will be truly weirded out to discover how easy it is for a tiny little browser plug-in to send every online move you make to a third party. Once you've completed your experiment, you can delete all the data from your Root Vault, then delete the extension from Firefox. Just to be safe, don't click on anything you'd be afraid to share with the world.

Although Root Vaults is setting a new standard for transparency in clickstream tracking, one telling detail is still obscured. Goldstein insists that each vault "belongs to you." But it doesn't. Whenever anything of "yours" is stored on somebody else's computer, it's not highly protected by privacy laws—largely under the assumption that this data must not be as private as the stuff you store on your own computer. So the government or an attorney can get access to this data without contacting you personally, and often with very little court oversight.

So remember, kids, just because something's in your account on Root Vaults or Yahoo! Mail, that doesn't make it yours. And just because you can't see your own clickstream doesn't mean somebody else isn't watching it.

Annalee Newitz ([email protected]) is a surly media nerd who can draw a heart in the snow with her clickstream.

Send a letter to the editor about this story.