SCN: Spyware
Steve
steve at advocate.net
Fri Jul 14 12:29:04 PDT 2000
x-no-archive: yes
=========================
Your PC Is Watching
by Ariana Eunjung Cha, Washington Post Staff Writer
Keith Little, a computer technician who makes house calls on the
apple farms of central Washington state, says more and more of his
clients are asking him to take steps to protect their online privacy.
So he scans their computers for any mischievous programs and
installs security software.
What surprises people is how often Little finds programs designed
to funnel bits of their personal information from their computers and
into giant corporate databases. He says more than half of the 20 or
so computers he inspects each week are running stealthy programs
he calls "spyware."
The electronic eavesdroppers usually come attached to the software
people install on their personal computers. Whenever a user
connects to the Internet, these programs take advantage of the
opening to pass on information that has been stored on the PC's
hard drive. The data--it could be details of Web surfing habits or
identifying personal information--are then typically sent to the
manufacturer of the software or a marketer to be used in developing
new products or advertising campaigns.
At a time when concerns about online privacy have spread from
Internet bulletin boards to Capitol Hill, this tracking software has
become a flash point for the debates about how to balance
consumer rights with the business models of the digital age.
Little has found the programs in children's software such as Mattel
Interactive's Reader Rabbit and Arthur's Reading Games, Intuit
Inc.'s financial planner Quicken, and dozens of other packages. The
electronic hitchhiker also is part of a program associated with the
Netscape browser that millions of people use to travel the Internet.
One Web site has identified more than 400 of these data-gathering
and tracking programs. Most are free "shareware" that people
download off the Web, but an increasing number are mainstream
programs, even those people pay for.
"When people find out, they are livid," said Little, 42. "They say,
'Get it out of there.' Then they become very afraid to use their
computers, afraid of what personal stuff it's sending out. The
problem is that they were not informed."
The companies that use the programs say they were created not for
nefarious reasons but to help tailor information consumers want.
The programs work by collecting data from a hard drive or from the
electronic "cookies" many users pick up when they visit Web sites.
A marketing company might then use the information about what
Web sites you frequent to decide whether you would be interested in
an ad for a sporting-goods retailer or one for opera tickets. A
software manufacturer often wants to know who has purchased its
products so it can alert users to problems or update them about new
goodies.
Most companies say they do not seek out information that would
identify a person by name. Further, they say the information is not
disseminated publicly, but only used for internal corporate
purposes.
Privacy advocates, though, equate the programs to taps on phone
lines. Rep. Edward J. Markey (D-Mass.) recently introduced a bill
that would require companies to give "conspicuous notice" of any
information they are collecting and to allow users to decline to
participate. A New Jersey photographer last week filed a lawsuit
against Netscape Communications, an America Online Inc.
subsidiary, accusing the company of using its SmartDownload
program to "eavesdrop."
Concern has grown in the past few months as more Americans,
unsettled by high-profile accounts of spreading computer viruses
and other hacker attacks, have installed security software--or
"firewalls"--in their personal computers. The security programs
typically alert users with warning messages whenever an
unauthorized program is attempting to send information out into the
Internet. Many users quickly discover how vulnerable they are.
Last winter, a Seattle company called RealNetworks Inc. came under
fire after customers discovered its music player was collecting
information about users' listening habits in order to personalize its
services. The company has since stopped the practice and
apologized. Intuit, meanwhile, has acknowledged using the tracking
programs to target ads. And a few weeks ago, after parent
complaints, Mattel Inc. officials apologized for adding a data-
gathering program to more than 100 titles of its Learning Co. unit's
educational programs for children.
Simson Garfinkel remembers that he was 40,000 feet in the air on a
plane from London to Boston in May when he noticed that his laptop
kept trying to connect to the Internet. The culprit: an educational
program he had installed for his 3-year-old daughter. It was trying to
send out the product's code number and other such information to
the company so it could better respond to consumer needs,
according to Mattel spokeswoman Susan Salminen.
"I wouldn't call it spyware exactly. It was more like marketing ware.
But even that conveys a lot of personal information to the folks at
Mattel and it was upsetting," said Garfinkel, a computer network
architect from Cambridge, Mass.
Mattel's Salminen said the program's intentions are benevolent but
the company already had decided to eliminate it late last year from
all new software because of "public concern around the privacy
issue."
Earlier this month, a Netscape user named Christopher Specht filed
a class-action suit in U.S. District Court in Manhattan seeking
damages of a minimum of $10,000 per person for violating
consumers' privacy by tracking which files they download from the
Internet.
A spokeswoman for Dulles-based AOL said the company is aware of
SmartDownload's ability to gather customer data but it had "never
used it to access or retain information about users or files."
"The lawsuit is without merit," said Ann Brackbill, a senior vice
president. As every corner of the Internet becomes increasingly
commercialized, many online companies are experimenting with
new models for making money in the uncharted new economy.
One way is to give away products or sell them for below cost and
make money through advertising. The tracking programs allow these
companies to tout their ability to target specific audiences to
potential advertisers. At the same time, many software companies
are trying to develop a continuing relationship with their customers,
becoming in effect service-oriented companies. The tracking
programs allow them to keep in touch.
For the most part, companies that track consumers say the
information they collect is minimal and it's gathered anonymously
so that the data cannot be linked to real names. But security
professionals like Travis Haymore of Lanham's Digital Systems
International Corp. point out that some of the data streams leaving
personal computers are so heavily cloaked, or encrypted, that it's
practically impossible for anyone to verify or refute such claims.
And the programs are more invasive than the electronic cookies that
businesses use to track people on the Web because they potentially
can scan documents and images on people's hard drives as well as
track online habits.
"Your tax records, what medical sites you've been looking at, your
online banking--if someone has spyware on your machine, they
would have access to that data and it would be next to impossible to
tell if it was leaving," said Haymore, a former federal government
computer security investigator.
Irate computer users also have filled online bulletin boards with
complaints about tracking programs that are impossible to remove
(even when the original host program is deleted), that crash their
computers or clog up their telephone or cable lines, slowing down
their Internet connections.
Two technology marketing companies, Silicon Valley's Radiate.com
and Sterling's Conducent Technologies Inc., which have developed
"ad bots," software for the most popular ads targeting customers,
have been at the heart of the online privacy debate. These ventures
partner with software companies and share a cut of the advertising
revenue.
Conducent's director of marketing, Robert Regular, says
participation in its ad-driven programs is "voluntary" and offers
consumers many advantages, including discounted or free software.
People who purchase CD-ROMs made by eGames, for instance, can
can get six free programs if they choose to look at ads and give up
some personal information. "We will show ads and will make use of
the user's Internet connection and if they agree to that, great. If not,
they don't have to use the software," he said.
Regular says the company always has required its partners to
disclose in their privacy policies that the programs were "ad-
supported" but only this month started making them flash separate
screens during in the installation process alerting users of the
tracking.
Like other people in the industry, Regular disputes the "spyware"
characterization.
"We don't spy on anyone. We don't know any personally identifiable
information. We know they are an anonymous user. We don't look at
anything that they do," he said. "Because we run in the background,
people think we're doing something deceptive and don't understand
that it's in order to refresh ads."
As stories of tracking software and other privacy concerns have
circulated throughout the online world in recent months, companies
and independent programmers have scrambled to develop
protection tools with names such as ZoneAlarm and OptOut. More
than 1.1 million people already have downloaded OptOut, freeware
that was developed by Steve Gibson, a security consultant in
California and a privacy advocate. And personal firewall software
has been rushing off store shelves since last fall, with 40,000 to
50,000 copies being sold each month, according to research firm PC
Data Inc.
But even unsophisticated programmers can easily get around the
best available electronic firewalls, security experts say.
Symantec's Steve Cullen, the senior vice president for consumer
business, said people using Norton Internet Security 2000, the most
popular firewall program, for instance, can specify that their names,
credit-card numbers and other sensitive information be blocked from
leaving the computer. But if that information is electronically
masked by one of many easy techniques, it can still get through.
"If it's really spyware, certainly encoding or encrypting is something
that these guys could do and that makes it much trickier to catch it,"
he said.
Still, Cullen says that scenario is rare. He said about 80 percent of
the time companies don't bother hiding the data and leave it as plain
text, a format that is simple to filter.
Christopher Kelley, an analyst with Forrester Research, believes
that the "sneakiness" with which some corporations are acting has
exacerbated privacy concerns and damaged the industry's
credibility--something that they may come to regret as an increasing
number of angry citizens create technological tools that could topple
the companies' entire business plans. Added Montreal computer
consultant Gilles Lalonde: "Right now it's now a free-for-all. Anything
goes. This is the kind of environment that permits these kinds of
intrusive behaviors, allows them to flourish. If we don't start to
define some ethical rules, before long people will lose their trust in
all online companies and this great technological revolution just
stops."
Copyright 2000 The Washington Post Company
* * * * * * * * * * * * * * From the Listowner * * * * * * * * * * * *
. To unsubscribe from this list, send a message to:
majordomo at scn.org In the body of the message, type:
unsubscribe scn
==== Messages posted on this list are also available on the web at: ====
* * * * * * * http://www.scn.org/volunteers/scn-l/ * * * * * * *
More information about the scn
mailing list