'Spyware' informs advertisers where you've been on the Net

Monday, September 25th 2000, 12:00 am
By: News On 6

by Doug Bedell, Staff Writer of The Dallas Morning News

It might be called "The Spy Who Came in from the Code," and the latest Internet privacy flap would surely give novelist John le Carré a run for his plot-line.

In recent months, a new breed of advertisement-laden software has drawn scrutiny from security analysts and consumer advocates. This "spyware," some say, contains sneaky features that can "call home" on Net-connected computers to deliver all sorts of information about users. "The real issue is to what extent do people have control of information flowing out of their computers," says Lauren Weinstein, co-founder of People for Internet Responsibility. "In a legal sense, they have none right now."

Software companies and their associates, meanwhile, have fought furiously against any hint of wrongdoing. They call their programs adware and say the data they bring back from personal computers have been grossly misunderstood. "We don't do any of the things folks are concerned about at the moment — tracking what they're using or seeing online," Bob Regular, marketing director for adware maker Conducent, told InternetNews.com recently. "We don't have the capability to do that, and that's not the data we stream back," he says. Those corporate assurances haven't placated concerned consumers. Hundreds of free software titles — including RealDownload, Netscape's AOL Smart Download, Qualcomm's free version of the Eudora mailer and NetZip's Download Demon — now include advertising within program windows.

In many cases, security analysts using sophisticated "sniffers" and other tools have been unable to identify exactly what's being sent out by the programs because it is encrypted. Encryption is great if they are trading sensitive personal information about users, say privacy groups, but who gave them permission to transmit anything in the first place?

The arguments have flown across the Internet in rapid-fire succession since February. Consumers are told about the transmissions in privacy statements, say software companies.

Those statements are often vague, hidden or couched in legalese, say privacy groups.

Software companies say it's benign data used only to set up advertising within the program windows. Privacy groups counter that if it's no big deal, why not allow outside scrutiny of its use?

Puzzled consumers are caught in the middle, and many aren't happy.

Phil Dowd, an Indiana small-business owner, has publicized a letter he wrote the makers of Go!zilla, a free download utility that critics say can catalog a user's Net activity. "Your program is free, but my computer information is not," Mr. Dowd wrote.

"It is free to look in my bedroom window at night, but it is not appropriate."

What is spyware?

Spyware, as it has become known, is an application that can be installed on your hard disk when you download shareware, freeware or code snippets such as game demos. These third-party components — made by companies including Radiate/Aureate Media and Conducent — are not inherently evil. Most are set up to relay information used to rotate banner advertisements that appear inside program windows.

Radiate/Aureate's ad banner technology is used by more than 300 ad-supported software packages, including popular utilities such as Go!Zilla and CuteFTP.

Conducent has agreements with portal sites such as Lycos and Go2net, distributing highly touted freeware such as the PKzip file-compression utility. Other popular titles include Comet Cursor, DigiCams, Qualcomm's free version of Eudora, the RealDownload feature of RealPlayer 8.0 and several children's games. A Canadian, Gilles Lalonde of Infoforce (www.infoforce.qc.ca/spyware), has set up the Spyware Infested Software List, which says it catalogs 411 uses of spyware in programming.

When you launch some of these programs, the embedded application "piggybacks" on your Internet connection and relays data to a remote ad server. Inside the program ad windows, you may notice changes in the products and services being offered. The remote servers can use information from your computer's operating system to feed you ads they believe you might find appealing.

For privacy experts, the problem is that users often click through or ignore warnings that they are authorizing such activity. "What I want to see is something that — when people start up the software for the first time — very clearly says, 'This software is sending data to our servers. Here is why. Here is what we do with it,' " says Mr. Weinstein, the privacy advocate. "It should not be buried in a click-through licensing agreement that nobody reads and not put on a privacy policy page that most people won't find, won't read, won't understand and [that companies] can warp at any time at a moment's notice." Software companies and third parties such as Conducent have endeavored to explain their activities to consumers with limited success.

Conducent, for example, states: "The non-personally identifiable information collected by Conducent is used for the purpose of targeting content and measuring effectiveness on behalf of Conducent's customers. Conducent does not sell, rent or loan any information regarding desktop users to any third party. Any information given us is held with the utmost care and security." Many software makers, such as RealNetworks, have added longer installation notes about adware transmissions. RealPlayer, for example, now features a menu of setup options that specifically allows users to opt out of the activity.

But questions remain about the potential of this technology. Privacy advocates worry that such programming can be used by unscrupulous companies to become more snoopy. Beyond that, with third-party applications involved, whose privacy policies are actually being employed? "And if Aureate or Eudora or Qualcomm decides to change its policies ... well, too bad for us," says Tom Mattox of The Privacy Place (www.privacyplace.com).

Detective work

Much of the furor over spyware no doubt stems from user inattention. When accepting free software, home computer owners often blithely skip through the fine print that splays across their monitors. As more homeowners have installed "always-on" broadband connections to the Internet, personal firewalls to maintain security have grown in popularity. Some users have discovered back-channel communications going on between their computers and other Web sites that they didn't know existed before.
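The "back-channel" discovery described above is, at bottom, a log-review exercise: a personal firewall records which program opened which outbound connection, and the user compares that against the sites they actually meant to visit. The script below is an added example, not code from the article or from any product it names; the log format and every log line are constructed for illustration, and the application names and addresses in them are placeholders. It groups outbound connections by application and flags destinations the user did not knowingly use that program with, which is exactly the pattern a silent "call home" produces.

```python
"""Summarise outbound "call home" connections from a personal firewall log.

Added example, not from the article: the log format below is hypothetical
and every line is constructed; adapt LINE_RE to a real firewall's format.
"""
import re
from collections import defaultdict

# Constructed sample log (hypothetical format). downloader.exe fetches one file
# from 10.9.9.9, then quietly reports to 10.8.8.8 after each download.
SAMPLE_LOG = """\
2000-09-25 20:01:02 ALLOW OUT TCP 192.168.1.10:1041 -> 10.0.0.5:80 app=browser.exe
2000-09-25 20:01:09 ALLOW OUT TCP 192.168.1.10:1042 -> 10.0.0.5:80 app=browser.exe
2000-09-25 20:02:15 ALLOW OUT TCP 192.168.1.10:1043 -> 10.9.9.9:80 app=downloader.exe
2000-09-25 20:02:16 ALLOW OUT TCP 192.168.1.10:1044 -> 10.8.8.8:80 app=downloader.exe
2000-09-25 20:02:18 ALLOW OUT TCP 192.168.1.10:1045 -> 10.8.8.8:80 app=downloader.exe
2000-09-25 20:05:00 ALLOW OUT TCP 192.168.1.10:1046 -> 10.8.8.8:80 app=downloader.exe
2000-09-25 20:05:01 ALLOW OUT TCP 192.168.1.10:1047 -> 10.0.0.7:443 app=mailer.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ALLOW OUT (?P<proto>\w+) (?P<src>\S+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) app=(?P<app>\S+)$"
)


def parse_log(text):
    """Return a list of dicts, one per parseable line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def destinations_by_app(text):
    """Map each application name to the set of remote hosts it connected to."""
    out = defaultdict(set)
    for rec in parse_log(text):
        out[rec["app"]].add(rec["dst"])
    return dict(out)


def flag_unexpected(text, expected):
    """Return {app: sorted hosts} for connections outside what the user expects.

    `expected` maps an app name to the hosts the user knowingly uses it with;
    an app absent from `expected` has every destination flagged.
    """
    flagged = {}
    for app, hosts in destinations_by_app(text).items():
        extra = sorted(hosts - set(expected.get(app, ())))
        if extra:
            flagged[app] = extra
    return flagged


if __name__ == "__main__":
    # Hosts the user actually intended each program to talk to (constructed).
    expected = {
        "browser.exe": {"10.0.0.5"},
        "mailer.exe": {"10.0.0.7"},
        "downloader.exe": {"10.9.9.9"},
    }
    for app, hosts in flag_unexpected(SAMPLE_LOG, expected).items():
        print(f"{app}: undisclosed destinations {hosts}")
```

The allow-list of expected hosts is the weak point of this approach, as it is for any personal firewall: the user has to know what "normal" looks like, and a program that routes its report through a host the user already trusts would not be flagged. It does, however, make the distinction the article keeps returning to visible in the data: the download itself versus the report about the download.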

Many such computer exchanges are, indeed, routine and nonthreatening. Researchers at consumer public interest site Kumite.com (www.kumite.com/myths/myths/myth036.htm) have examined many of the Aureate products and pronounced them harmless. "The software does seem to be either poorly designed or implemented," they say. "For example, uninstalling the applications that include the Aureate spyware often does not remove the spyware itself. ... Once you have it, you have it forever."


Renowned computer security expert Richard Smith has also said that he sees no "extra information going out." Users are generally allowed to opt in for ad-targeting transmissions during the installation process, which is the proper way to handle the situation, Mr. Smith told www.Kumite.com. But another respected security expert, Steve Gibson of Gibson Research Corp. (www.grc.com), says his tests show how insidious NetZip's Download Demon — now licensed by RealNetworks as RealDownload and Netscape/AOL as Netscape Smart Download — and similar software can be.

More than 14 million people are using the original NetZip Download Demon, says Mr. Gibson, a security software developer. "In their default configuration, all of these programs send back a report of every file downloaded from anywhere on the Internet, even places that might not be anyone's business. And, except for RealDownload, which was modified after a weeklong battle with me, these programs tag your computer with a unique ID, which accompanies every report," Mr. Gibson says.

This data can give companies the ability to compile and create detailed user profiles based on Web sites visited and files downloaded, Mr. Gibson says.

Mr. Gibson points out that privacy lawsuits have been filed on behalf of consumers in several states "so perhaps the PC industry will begin to receive the message that this sort of secret spying and profiling is not OK with the rest of us, even if it is buried within a lengthy license agreement." This debate gets stickier. RealNetworks associate general counsel Robert Kimball has warned that many of Mr. Gibson's assertions are incorrect and has vaguely threatened legal action.

In a letter displayed on Mr. Gibson's site, Mr. Kimball contends the researcher is trying to drum up support for his new OptOut software, a free offering that attempts to cleanse hard drives of spyware vestiges. "RealNetworks does not track any individual's use of RealDownload, does not create profiles of RealDownload customers and does not transmit any unique ID when a customer downloads files using RealDownload," Mr. Kimball wrote. "Any use of RealDownload is completely anonymous, and its communications features are clearly disclosed and optional. Upon installation, users are informed that download URLs can be anonymously transmitted, and we offer them a clear choice to opt out of even that functionality."

Possible solutions

Software such as Mr. Gibson's OptOut can alleviate some user concerns, and more than one company has turned out products to meet this challenge. Ad-aware by Lavasoft (www.lavasoft.de/free.html), for example, also detects and helps users disengage from the adware cycle.

But, says Mr. Weinstein, spyware can circumvent these programs in an instant. "It's like getting ants in your kitchen and trying to stop them with your thumb," he says. "You may feel like you're accomplishing something and you'll get a dirty thumb, but it's not going to have any real effect because things can change so rapidly." Beyond that, wider threats loom. The Privacy Foundation released a report Aug. 30 that found Microsoft Word documents and other files can be injected with tiny graphics files that could allow an author to track where a document is being read and how often. Any file that can render HTML could be tracked using an invisible, one-pixel "Web bug." Mr. Weinstein says Web bugs illustrate just how easy it is for anyone to track activity inside Internet-connected computers. From his perspective, self-regulation of the software industry can't be expected to curb abuses.
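The "Web bug" the Privacy Foundation describes works because any HTML-rendering file fetches its images from wherever the `src` attribute points, so a one-pixel image on a remote server becomes a record of who opened the document and when. The detector below is an added example, not code from the article or from the Privacy Foundation's report. The heuristics it applies are assumptions of this example: an image pulled from a host other than the document's own that is one pixel or smaller, hidden by style, or carries a query string (the usual place for a per-recipient identifier). The sample document is constructed and its hostnames are placeholders.

```python
"""Flag likely "Web bugs" (tracking pixels) in an HTML document.

Added example, not from the article. Heuristics (cross-host <img> that is
tiny, hidden, or carries a query string) are this example's assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _is_tiny(value):
    """True for width/height values of 1 or 0 (accepts '1' or '1px')."""
    if value is None:
        return False
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


class WebBugFinder(HTMLParser):
    """Collect <img> tags that fetch from another host and look like beacons."""

    def __init__(self, document_host):
        super().__init__()
        self.document_host = document_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        if not host or host == self.document_host:
            return  # relative or same-origin image: not a cross-site beacon
        reasons = []
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("1x1 or smaller")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if parts.query:
            reasons.append("carries a query string (possible identifier)")
        if reasons:
            self.findings.append({"src": src, "host": host, "reasons": reasons})


def find_web_bugs(html, document_host):
    """Return a list of suspicious images, in document order."""
    finder = WebBugFinder(document_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample document; all hosts are placeholders.
SAMPLE_HTML = """<html><body>
<p>Quarterly report</p>
<img src="http://www.example.com/logo.gif" width="120" height="40">
<img src="http://tracker.example.net/bug.gif?id=0123456789" width="1" height="1">
<img src="http://tracker.example.net/hidden.gif" style="display: none">
<img src="images/chart.png" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for hit in find_web_bugs(SAMPLE_HTML, "www.example.com"):
        print(f"{hit['src']}: {', '.join(hit['reasons'])}")
```

A same-origin one-pixel image is deliberately not flagged: a spacer GIF served by the document's own host tells its owner nothing they did not already know. The practical mitigation the heuristics point at is the one mail clients and office suites later adopted, which is simply not to fetch remote images without the reader's consent.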

A recent survey of 2,117 Americans by the Pew Internet & American Life Project found great concern about privacy. At the same time, "a great many Internet users do not know the basics of how their online activities are observed, and they do not use available tools to protect themselves," the survey said.

Eighty-six percent of Internet users favor an opt-in privacy policy and say Internet companies should ask people for permission to use personal information, the study showed.

Although federal officials contend that the software industry should police itself for bad privacy policies, most Americans in the Pew study doubt that system will protect them. Nor, said a majority of respondents, should government get involved.

Privacy advocates say industry software officials must start dealing straight with consumers to prevent abuses. "Draw up some basic rules and regulations that say, 'Here are the rights people have to their data, here are the circumstances under which you're allowed to take data out of someone's computer,' " says Mr. Weinstein.

Without guidelines and industry regulation, invisible communications between remote servers and home users will remain worrisome, he says. "You're going to be constantly running from leak to leak in the earthen dam, plugging this hole and watching that one open up," Mr. Weinstein says. "Pretty soon, you'll be watching a crack open that will flood you."

Contact Doug Bedell via e-mail at dbedell@dallasnews.com