Copyright 2000 The San Diego Union-Tribune  
The San Diego Union-Tribune

December 12, 2000, Tuesday

SECTION: COMPUTER LINK; Pg. 6

LENGTH: 2293 words

HEADLINE: Spyware; Prying into your digital brain

BYLINE: Doug Bedell; KNIGHT RIDDER NEWS SERVICE

BODY:
It might be called "The Spy Who Came in from the Code," and the latest Internet privacy flap would surely give novelist John Le Carre a run for his plot line.

In recent months, a new breed of advertisement-laden software has drawn scrutiny from security analysts and consumer advocates.

This "spyware," some say, contains sneaky features that can "call home" on Net-connected computers to deliver all sorts of information about users.

"The real issue is to what extent do people have control of information flowing out of their computers," says Lauren Weinstein, co-founder of People for Internet Responsibility.

"In a legal sense, they have none right now."

Software companies and their associates, meanwhile, have fought furiously against any hint of wrongdoing.

They call their programs "adware" and say the data they bring back from personal computers have been grossly misunderstood.

"We don't do any of the things folks are concerned about at the moment -- tracking what they're using or seeing online," Bob Regular, marketing director for adware maker Conducent, told InternetNews.com recently.

"We don't have the capability to do that, and that's not the data we stream back," he says.

Those corporate assurances haven't placated concerned consumers.

Hundreds of free software titles -- including RealDownload, Netscape's AOL Smart Download, Qualcomm's free version of the Eudora mailer and NetZip's Download Demon -- now include advertising within program windows.

In many cases, security analysts using sophisticated "sniffers" and other tools have been unable to identify exactly what's being sent out by the programs because it is encrypted.

Encryption is great if they are trading sensitive personal information about users, say privacy groups, but who gave them permission to transmit anything in the first place?

The arguments have flown across the Internet in rapid-fire succession since February. Consumers are told about the transmissions in privacy statements, say software companies.

Those statements are often vague, hidden or couched in legalese, say privacy groups.

Software companies say it's benign data used only to set up advertising within the program windows.

Privacy groups counter that if it's no big deal, why not allow outside scrutiny of its use?

Puzzled consumers are caught in the middle, and many aren't happy.

Phil Dowd, an Indiana small-business owner, has publicized a letter he wrote the makers of Go!zilla, a free download utility that critics say can catalog a user's Net activity.

"Your program is free, but my computer information is not," Dowd wrote. "It is free to look in my bedroom window at night, but it is not appropriate."

Information relay

What is spyware?

Spyware, as it has become known, is an application that can be installed on your hard disk when you download shareware, freeware or code snippets such as game demos.

These third-party components -- made by companies including Radiate/Aureate Media and Conducent -- are not inherently evil.

Most are set up to relay information used to rotate banner advertisements that appear inside program windows.

Radiate/Aureate's ad banner technology is used by more than 300 ad-supported software packages, including popular utilities such as Go!Zilla and CuteFTP.

Conducent has agreements with Web portal sites such as Lycos and Go2net, distributing highly touted freeware such as the PKzip file-compression utility.

Other popular titles include Comet Cursor, DigiCams, Qualcomm's free version of Eudora, the RealDownload feature of RealPlayer 8.0 and several children's games.

A Canadian, Gilles Lalonde of Infoforce (http://www.infoforce.qc.ca/spyware), has set up the Spyware Infested Software List, which says it catalogs hundreds of uses of spyware in programming.

When you launch some of these programs, the embedded application "piggybacks" on your Internet connection and relays data to a remote ad server.

Inside the program ad windows, you may notice changes in the products and services being offered. The remote servers can use information from your computer's operating system to feed you ads they believe you might find appealing.

Clicking through

For privacy experts, the problem is that users often click through or ignore warnings that they are authorizing such activity.

"What I want to see is something that -- when people start up the software for the first time -- very clearly says, 'This software is sending data to our servers. Here is why. Here is what we do with it,' " says Weinstein, the privacy advocate.

"It should not be buried in a click-through licensing agreement that nobody reads and not put on a privacy policy page that most people won't find, won't read, won't understand and (that companies) can warp at any time at a moment's notice."

Software companies and third parties such as Conducent have endeavored to explain their activities to consumers with limited success.

Conducent, for example, states:

"The nonpersonally identifiable information collected by Conducent is used for the purpose of targeting content and measuring effectiveness on behalf of Conducent's customers. Conducent does not sell, rent or loan any information regarding desktop users to any third party. Any information given us is held with the utmost care and security."

Many software makers, such as RealNetworks, have added longer installation notes about adware transmissions.

RealPlayer, for example, now features a menu of setup options that specifically allows users to opt out of the activity.

But questions remain about the potential of this technology. Privacy advocates worry that such programming can be used by unscrupulous companies to become more snoopy.

Beyond that, with third-party applications involved, whose privacy policies are actually being employed?

"And if Aureate or Eudora or Qualcomm decides to change its policies -- well, too bad for us," says Tom Mattox of The Privacy Place (http://www.privacyplace.com).

Back-channel business

Much of the furor over spyware no doubt stems from user inattention.

When accepting free software, home computer owners often blithely skip through the fine print that splays across their monitors.

As more homeowners have installed "always-on" broadband connections to the Internet, personal firewalls to maintain security have grown in popularity.

Some users have discovered back-channel communications going on between their computers and other Web sites that they didn't know existed before.

Many such computer exchanges are, indeed, routine and nonthreatening.

Researchers at consumer public interest site Kumite.com (http://www.kumite.com/myths/myths/myth036.htm) have examined many of the Aureate products and pronounced them harmless.

"The software does seem to be either poorly designed or implemented," they say.

"For example, uninstalling the applications that include the Aureate spyware often does not remove the spyware itself. Once you have it, you have it forever."

Renowned computer security expert Richard Smith has also said that he sees no "extra information going out."

Users are generally allowed to opt in for ad-targeting transmissions during the installation process, which is the proper way to handle the situation, Smith told Kumite.com.

But another respected security expert, Steve Gibson of Gibson Research Corp. (http://www.grc.com), says his tests show how insidious NetZip's Download Demon -- now licensed by RealNetworks as RealDownload and by Netscape/AOL as Netscape Smart Download -- and similar software can be.

More than 14 million people are using the original NetZip Download Demon, says Gibson, a security software developer.

"In their default configuration, all of these programs send back a report of every file downloaded from anywhere on the Internet, even places that might not be anyone's business, and, except for RealDownload, which was modified after a weeklong battle with me, these programs tag your computer with a unique ID, which accompanies every report," Gibson says.

Compiling profiles

This data can give companies the ability to compile and create detailed user profiles based on Web sites visited and files downloaded, Gibson says.

Gibson points out that privacy lawsuits have been filed on behalf of consumers in several states "so perhaps the PC industry will begin to receive the message that this sort of secret spying and profiling is not OK with the rest of us, even if it is buried within a lengthy license agreement."

This debate gets stickier.

RealNetworks associate general counsel Robert Kimball has warned that many of Gibson's assertions were incorrect and has vaguely threatened legal action.

In a letter displayed on Gibson's site, Kimball contends the researcher is trying to drum up support for his new OptOut software, a free offering that attempts to cleanse hard drives of spyware vestiges.

"RealNetworks does not track any individual's use of RealDownload, does not create profiles of RealDownload customers and does not transmit any unique ID when a customer downloads files using RealDownload," Kimball wrote.

"Any use of RealDownload is completely anonymous, and its communications features are clearly disclosed and optional. Upon installation, users are informed that download URLs can be anonymously transmitted, and we offer them a clear choice to opt out of even that functionality."

Software such as Gibson's OptOut can alleviate some user concerns, and more than one company has turned out products to meet this challenge. AD-aware by Lavasoft (http://www.lavasoft.de/free.html), for example, also detects and helps users disengage from the adware cycle.

But, says Weinstein, spyware can circumvent these programs in an instant.

"It's like getting ants in your kitchen and trying to stop them with your thumb," he says.

"You may feel like you're accomplishing something and you'll get a dirty thumb, but it's not going to have any real effect because things can change so rapidly."

Web 'bugs'

Beyond that, wider threats loom. The Privacy Foundation released a report Aug. 30 that found Microsoft Word documents and other files can be injected with tiny graphics files that could allow an author to track where a document is being read and how often.

Any file that can render HTML (the coding used on Web pages) could be tracked using an invisible, one-pixel "Web bug."

Weinstein says Web bugs illustrate just how easy it is for anyone to track activity inside Internet-connected computers. From his perspective, self-regulation of the software industry can't be expected to curb abuses.

A recent survey of 2,117 Americans by the Pew Internet & American Life Project found great concern about privacy.

At the same time, "a great many Internet users do not know the basics of how their online activities are observed, and they do not use available tools to protect themselves," the survey said.

Eighty-six percent of Internet users favor an opt-in privacy policy and say Internet companies should ask people for permission to use personal information, the study showed.

Although federal officials contend that the software industry should police itself for bad privacy policies, most Americans in the Pew study doubt that system will protect them. Nor, said a majority of respondents, should government get involved.

Privacy advocates say industry software officials must start dealing straight with consumers to prevent abuses.

"Draw up some basic rules and regulations that say, 'Here are the rights people have to their data, here are the circumstances under which you're allowed to take data out of someone's computer,' " says Weinstein.

Without guidelines and industry regulation, invisible communications between remote servers and home users will remain worrisome, he says.

"You're going to be constantly running from leak to leak in the earthen dam, plugging this hole and watching that one open up," Weinstein says. "Pretty soon, you'll be watching a crack open that will flood you."

Terminology to know in the prying business

Spyware: In general, any technology that aids in gathering information about a person or organization without their knowledge. On the Internet, spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Data collecting programs that are installed with the user's knowledge are not, properly speaking, spyware, if the user fully understands what data is being collected and with whom it is being shared.

Web bug: Usually a graphic image, such as a transparent one-pixel-by-one-pixel graphic image, that is placed on a Web page or in an e-mail message to monitor user behavior, functioning as a kind of spyware. A Web bug is typically invisible to the user because it is transparent (matches the color of the page background) and takes up only a tiny amount of space.

Cookie: An information file that a Web site puts on your hard disk so that it can remember something about you at a later time. The existence of cookies and their use is generally not concealed from users, who can also disallow access to cookie information. Nevertheless, to the extent that a Web site stores information about you in a cookie that you don't know about, the cookie mechanism could be considered a form of spyware. You can view the cookies that have been stored on your hard disk (although the content stored in each cookie may not make much sense to you). The location of the cookies depends on the Internet browser you use. Internet Explorer stores each cookie as a separate file under a Windows subdirectory. Netscape stores all cookies in a single "cookies.txt" file.



GRAPHIC: 1 DRAWING | 1 CHART; 1. Source: Whatis.com 2. Knight Ridder / Tribune; 1. Terminology to know in the prying business (9) 2. Spyware -- Prying into your digital brain (1)

LOAD-DATE: December 14, 2000



