Copyright 2000 The San Diego Union-Tribune
The San Diego Union-Tribune
December 12, 2000, Tuesday
SECTION: COMPUTER LINK; Pg. 6
LENGTH: 2293 words
HEADLINE: Spyware; Prying into your digital brain
BYLINE: Doug Bedell; KNIGHT RIDDER NEWS SERVICE
BODY:
It might be called "The Spy Who Came in from the Code," and the latest Internet privacy flap would surely give novelist John le Carré a run for his plot line.

In recent months, a new breed of advertisement-laden software has drawn scrutiny from security analysts and consumer advocates.

This "spyware," some say, contains sneaky features that can "call home" on Net-connected computers to deliver all sorts of information about users.

"The real issue is to what extent do people have control of information flowing out of their computers," says Lauren Weinstein, co-founder of People for Internet Responsibility. "In a legal sense, they have none right now."

Software companies and their associates, meanwhile, have fought furiously against any hint of wrongdoing.

They call their programs "adware" and say the data they bring back from personal computers have been grossly misunderstood.

"We don't do any of the things folks are concerned about at the moment -- tracking what they're using or seeing online," Bob Regular, marketing director for adware maker Conducent, told InternetNews.com recently. "We don't have the capability to do that, and that's not the data we stream back," he says.

Those corporate assurances haven't placated concerned consumers.

Hundreds of free software titles -- including RealDownload, Netscape's AOL Smart Download, Qualcomm's free version of the Eudora mailer and NetZip's Download Demon -- now include advertising within program windows.

In many cases, security analysts using sophisticated "sniffers" and other tools have been unable to identify exactly what's being sent out by the programs because it is encrypted.

Encryption is great if they are trading sensitive personal information about users, say privacy groups, but who gave them permission to transmit anything in the first place?

The arguments have flown across the Internet in rapid-fire succession since February. Consumers are told about the transmissions in privacy statements, say software companies. Those statements are often vague, hidden or couched in legalese, say privacy groups.

Software companies say it's benign data used only to set up advertising within the program windows. Privacy groups counter that if it's no big deal, why not allow outside scrutiny of its use?

Puzzled consumers are caught in the middle, and many aren't happy.

Phil Dowd, an Indiana small-business owner, has publicized a letter he wrote the makers of Go!zilla, a free download utility that critics say can catalog a user's Net activity. "Your program is free, but my computer information is not," Dowd wrote. "It is free to look in my bedroom window at night, but it is not appropriate."
Information relay

What is spyware?

Spyware, as it has become known, is an application that can be installed on your hard disk when you download shareware, freeware or code snippets such as game demos.

These third-party components -- made by companies including Radiate/Aureate Media and Conducent -- are not inherently evil. Most are set up to relay information used to rotate banner advertisements that appear inside program windows.

Radiate/Aureate's ad banner technology is used by more than 300 ad-supported software packages, including popular utilities such as Go!Zilla and CuteFTP.

Conducent has agreements with Web portal sites such as Lycos and Go2net, distributing highly touted freeware such as the PKzip file-compression utility.

Other popular titles include Comet Cursor, DigiCams, Qualcomm's free version of Eudora, the RealDownload feature of RealPlayer 8.0 and several children's games.

A Canadian, Gilles Lalonde of Infoforce (http://www.infoforce.qc.ca/spyware), has set up the Spyware Infested Software List, which says it catalogs hundreds of uses of spyware in programming.

When you launch some of these programs, the embedded application "piggybacks" on your Internet connection and relays data to a remote ad server.

Inside the program ad windows, you may notice changes in the products and services being offered. The remote servers can use information from your computer's operating system to feed you ads they believe you might find appealing.
Clicking through

For privacy experts, the problem is that users often click through or ignore warnings that they are authorizing such activity.

"What I want to see is something that -- when people start up the software for the first time -- very clearly says, 'This software is sending data to our servers. Here is why. Here is what we do with it,'" says Weinstein, the privacy advocate.

"It should not be buried in a click-through licensing agreement that nobody reads and not put on a privacy policy page that most people won't find, won't read, won't understand and (that companies) can warp at any time at a moment's notice."

Software companies and third parties such as Conducent have endeavored to explain their activities to consumers with limited success.

Conducent, for example, states: "The nonpersonally identifiable information collected by Conducent is used for the purpose of targeting content and measuring effectiveness on behalf of Conducent's customers. Conducent does not sell, rent or loan any information regarding desktop users to any third party. Any information given us is held with the utmost care and security."

Many software makers, such as RealNetworks, have added longer installation notes about adware transmissions. RealPlayer, for example, now features a menu of setup options that specifically allows users to opt out of the activity.

But questions remain about the potential of this technology. Privacy advocates worry that such programming can be used by unscrupulous companies to become more snoopy. Beyond that, with third-party applications involved, whose privacy policies are actually being employed?

"And if Aureate or Eudora or Qualcomm decides to change its policies, well, too bad for us," says Tom Mattox of The Privacy Place (http://www.privacyplace.com).
Back-channel business

Much of the furor over spyware no doubt stems from user inattention. When accepting free software, home computer owners often blithely skip through the fine print that splays across their monitors.

As more homeowners have installed "always-on" broadband connections to the Internet, personal firewalls to maintain security have grown in popularity. Some users have discovered back-channel communications going on between their computers and other Web sites that they didn't know existed before.

Many such computer exchanges are, indeed, routine and nonthreatening.

Researchers at consumer public interest site Kumite.com (http://www.kumite.com/myths/myths/myth036.htm) have examined many of the Aureate products and pronounced them harmless.

"The software does seem to be either poorly designed or implemented," they say. "For example, uninstalling the applications that include the Aureate spyware often does not remove the spyware itself. Once you have it, you have it forever."

Renowned computer security expert Richard Smith has also said that he sees no "extra information going out." Users are generally allowed to opt in for ad-targeting transmissions during the installation process, which is the proper way to handle the situation, Smith told Kumite.com.

But another respected security expert, Steve Gibson of Gibson Research Corp. (http://www.grc.com), says his tests show how insidious NetZip's Download Demon -- now licensed by RealNetworks as RealDownload and by Netscape/AOL as Netscape Smart Download -- and similar software can be.

More than 14 million people are using the original NetZip Download Demon, says Gibson, a security software developer.

"In their default configuration, all of these programs send back a report of every file downloaded from anywhere on the Internet, even places that might not be anyone's business, and, except for RealDownload, which was modified after a weeklong battle with me, these programs tag your computer with a unique ID, which accompanies every report," Gibson says.
Compiling profiles

This data can give companies the ability to compile and create detailed user profiles based on Web sites visited and files downloaded, Gibson says.

Gibson points out that privacy lawsuits have been filed on behalf of consumers in several states, "so perhaps the PC industry will begin to receive the message that this sort of secret spying and profiling is not OK with the rest of us, even if it is buried within a lengthy license agreement."

This debate gets stickier.

RealNetworks associate general counsel Robert Kimball warns that many of Gibson's assertions are incorrect, and he has vaguely threatened legal action. In a letter displayed on Gibson's site, Kimball contends the researcher is trying to drum up support for his new OptOut software, a free offering that attempts to cleanse hard drives of spyware vestiges.

"RealNetworks does not track any individual's use of RealDownload, does not create profiles of RealDownload customers and does not transmit any unique ID when a customer downloads files using RealDownload," Kimball wrote. "Any use of RealDownload is completely anonymous, and its communications features are clearly disclosed and optional. Upon installation, users are informed that download URLs can be anonymously transmitted, and we offer them a clear choice to opt out of even that functionality."

Software such as Gibson's OptOut can alleviate some user concerns, and more than one company has turned out products to meet this challenge. AD-aware by Lavasoft (http://www.lavasoft.de/free.html), for example, also detects and helps users disengage from the adware cycle.

But, says Weinstein, spyware can circumvent these programs in an instant. "It's like getting ants in your kitchen and trying to stop them with your thumb," he says. "You may feel like you're accomplishing something and you'll get a dirty thumb, but it's not going to have any real effect because things can change so rapidly."
Web 'bugs'

Beyond that, wider threats loom. The Privacy Foundation released a report Aug. 30 that found Microsoft Word documents and other files can be injected with tiny graphics files that could allow an author to track where a document is being read and how often. Any file that can render HTML (the coding used on Web pages) could be tracked using an invisible, one-pixel "Web bug."

Weinstein says Web bugs illustrate just how easy it is for anyone to track activity inside Internet-connected computers. From his perspective, self-regulation of the software industry can't be expected to curb abuses.

A recent survey of 2,117 Americans by the Pew Internet & American Life Project found great concern about privacy. At the same time, "a great many Internet users do not know the basics of how their online activities are observed, and they do not use available tools to protect themselves," the survey said.

Eighty-six percent of Internet users favor an opt-in privacy policy and say Internet companies should ask people for permission to use personal information, the study showed.

Although federal officials contend that the software industry should police itself for bad privacy policies, most Americans in the Pew study doubt that system will protect them. Nor, said a majority of respondents, should government get involved.

Privacy advocates say industry software officials must start dealing straight with consumers to prevent abuses.

"Draw up some basic rules and regulations that say, 'Here are the rights people have to their data, here are the circumstances under which you're allowed to take data out of someone's computer,'" says Weinstein.

Without guidelines and industry regulation, invisible communications between remote servers and home users will remain worrisome, he says.

"You're going to be constantly running from leak to leak in the earthen dam, plugging this hole and watching that one open up," Weinstein says. "Pretty soon, you'll be watching a crack open that will flood you."
Terminology to know in the prying business

Spyware: In general, any technology that aids in gathering information about a person or organization without their knowledge. On the Internet, spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Data collecting programs that are installed with the user's knowledge are not, properly speaking, spyware, if the user fully understands what data is being collected and with whom it is being shared.

Web bug: Usually a graphic image, such as a transparent one-pixel-by-one-pixel graphic image, that is placed on a Web page or in an e-mail message to monitor user behavior, functioning as a kind of spyware. A Web bug is typically invisible to the user because it is transparent (matches the color of the page background) and takes up only a tiny amount of space.

Cookie: An information file that a Web site puts on your hard disk so that it can remember something about you at a later time. The existence of cookies and their use is generally not concealed from users, who can also disallow access to cookie information. Nevertheless, to the extent that a Web site stores information about you in a cookie that you don't know about, the cookie mechanism could be considered a form of spyware. You can view the cookies that have been stored on your hard disk (although the content stored in each cookie may not make much sense to you). The location of the cookies depends on the Internet browser you use. Internet Explorer stores each cookie as a separate file under a Windows subdirectory. Netscape stores all cookies in a single "cookies.txt" file.
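The Web bug described in the "Web 'bugs'" section and defined above leaves a recognizable trace in any HTML page or HTML e-mail: an image tag that is one pixel square or hidden by style, usually fetched from a host other than the document's own, often with an identifier in its URL. The heuristic scanner below is an added example written for this article, not code from the article or from any product it names; the sample HTML and the host names in it are constructed.

```python
# Heuristic "Web bug" detector for HTML pages and HTML e-mail. Added example; sample input is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

TINY = {"0", "1", "0px", "1px"}  # sizes that make an image effectively invisible

class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.imgs = []  # attribute map of every <img> tag seen

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})

def _looks_invisible(attrs):
    """A beacon is either 1x1 (or 0x0) or hidden by inline CSS."""
    tiny = (attrs.get("width", "").strip().lower() in TINY
            and attrs.get("height", "").strip().lower() in TINY)
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny, hidden

def find_web_bugs(html, document_host):
    """Return one record per <img> that looks like a tracking beacon."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.imgs:
        tiny, hidden = _looks_invisible(attrs)
        if not (tiny or hidden):
            continue  # an ordinary, visible picture
        src = attrs.get("src", "")
        url = urlparse(src)
        host = url.hostname or document_host  # relative src: same host as the document
        reasons = ["1x1 image"] if tiny else []
        if hidden:
            reasons.append("hidden by CSS")
        if host != document_host:
            reasons.append("third-party host " + host)
        if url.query:  # a query string is where a per-document or per-user ID would ride
            reasons.append("identifier in query: " + ",".join(parse_qs(url.query)))
        findings.append({"src": src, "host": host, "reasons": reasons})
    return findings

SAMPLE_HTML = """<html><body><p>Quarterly report</p>
<img src="/images/logo.gif" width="120" height="40" alt="logo">
<img src="http://ads.tracker-example.test/bug.gif?doc=report&amp;id=abc123" width="1" height="1">
<img src="http://cdn.tracker-example.test/clear.gif" style="display: none">
</body></html>"""  # constructed sample: one real logo and two beacons
```

Running `find_web_bugs(SAMPLE_HTML, "intranet.example.test")` reports the two beacons and ignores the logo; the same function can be pointed at the HTML body of a saved e-mail.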
LOAD-DATE: December 14, 2000