SCN: Spyware

Steve steve at advocate.net
Fri Jul 14 12:29:04 PDT 2000


x-no-archive: yes

=========================

Your PC Is Watching  

by Ariana Eunjung Cha, Washington Post Staff Writer


Keith Little, a computer technician who makes house calls on the 
apple farms of central Washington state, says more and more of his 
clients are asking him to take steps to protect their online privacy. 
So he scans their computers for any mischievous programs and 
installs security software.  

What surprises people is how often Little finds programs designed 
to funnel bits of their personal information from their computers and 
into giant corporate databases. He says more than half of the 20 or 
so computers he inspects each week are running stealthy programs 
he calls "spyware."  

The electronic eavesdroppers usually come attached to the software 
people install on their personal computers. Whenever a user 
connects to the Internet, these programs take advantage of the 
opening to pass on information that has been stored on the PC's 
hard drive. The data--it could be details of Web surfing habits or 
identifying personal information--are then typically sent to the 
manufacturer of the software or a marketer to be used in developing 
new products or advertising campaigns.  

At a time when concerns about online privacy have spread from 
Internet bulletin boards to Capitol Hill, this tracking software has 
become a flash point for the debates about how to balance 
consumer rights with the business models of the digital age.  

Little has found the programs in children's software such as Mattel 
Interactive's Reader Rabbit and Arthur's Reading Games, Intuit 
Inc.'s financial planner Quicken, and dozens of other packages. The 
electronic hitchhiker also is part of a program associated with the 
Netscape browser that millions of people use to travel the Internet.  

One Web site has identified more than 400 of these data-gathering 
and tracking programs. Most are free "shareware" that people 
download off the Web, but an increasing number are mainstream 
programs, even those people pay for.  

"When people find out, they are livid," said Little, 42. "They say, 
'Get it out of there.' Then they become very afraid to use their 
computers, afraid of what personal stuff it's sending out. The 
problem is that they were not informed."  

The companies that use the programs say they were created not for 
nefarious reasons but to help tailor information consumers want. 
The programs work by collecting data from a hard drive or from the 
electronic "cookies" many users pick up when they visit Web sites. 
A marketing company might then use the information about what 
Web sites you frequent to decide whether you would be interested in 
an ad for a sporting-goods retailer or one for opera tickets. A 
software manufacturer often wants to know who has purchased its 
products so it can alert users to problems or update them about new 
goodies.  

Most companies say they do not seek out information that would 
identify a person by name. Further, they say the information is not 
disseminated publicly, but only used for internal corporate 
purposes.  

Privacy advocates, though, equate the programs to taps on phone 
lines. Rep. Edward J. Markey (D-Mass.) recently introduced a bill 
that would require companies to give "conspicuous notice" of any 
information they are collecting and to allow users to decline to 
participate. A New Jersey photographer last week filed a lawsuit 
against Netscape Communications, an America Online Inc. 
subsidiary, accusing the company of using its SmartDownload 
program to "eavesdrop."  

Concern has grown in the past few months as more Americans, 
unsettled by high-profile accounts of spreading computer viruses 
and other hacker attacks, have installed security software--or 
"firewalls"--in their personal computers. The security programs 
typically alert users with warning messages whenever an 
unauthorized program is attempting to send information out into the 
Internet. Many users quickly discover how vulnerable they are.  

Last winter, a Seattle company called RealNetworks Inc. came under 
fire after customers discovered its music player was collecting 
information about users' listening habits in order to personalize its 
services. The company has since stopped the practice and 
apologized. Intuit, meanwhile, has acknowledged using the tracking 
programs to target ads. And a few weeks ago, after parent 
complaints, Mattel Inc. officials apologized for adding a data-
gathering program to more than 100 titles of its Learning Co. unit's 
educational programs for children.  

Simson Garfinkel remembers that he was 40,000 feet in the air on a 
plane from London to Boston in May when he noticed that his laptop 
kept trying to connect to the Internet. The culprit: an educational 
program he had installed for his 3-year-old daughter. It was trying to 
send out the product's code number and other such information to 
the company so it could better respond to consumer needs, 
according to Mattel spokeswoman Susan Salminen.  

"I wouldn't call it spyware exactly. It was more like marketing ware. 
But even that conveys a lot of personal information to the folks at 
Mattel and it was upsetting," said Garfinkel, a computer network 
architect from Cambridge, Mass.  

Mattel's Salminen said the program's intentions are benevolent but 
the company already had decided to eliminate it late last year from 
all new software because of "public concern around the privacy 
issue."  

Earlier this month, a Netscape user named Christopher Specht filed 
a class-action suit in U.S. District Court in Manhattan seeking 
damages of a minimum of $10,000 per person for violating 
consumers' privacy by tracking which files they download from the 
Internet.  

A spokeswoman for Dulles-based AOL said the company is aware of 
SmartDownload's ability to gather customer data but it had "never 
used it to access or retain information about users or files."  

"The lawsuit is without merit," said Ann Brackbill, a senior vice 
president.  

As every corner of the Internet becomes increasingly 
commercialized, many online companies are experimenting with 
new models for making money in the uncharted new economy.  

One way is to give away products or sell them for below cost and 
make money through advertising. The tracking programs allow these 
companies to tout their ability to target specific audiences to 
potential advertisers. At the same time, many software companies 
are trying to develop a continuing relationship with their customers, 
becoming in effect service-oriented companies. The tracking 
programs allow them to keep in touch.  

For the most part, companies that track consumers say the 
information they collect is minimal and it's gathered anonymously 
so that the data cannot be linked to real names. But security 
professionals like Travis Haymore of Lanham's Digital Systems 
International Corp. point out that some of the data streams leaving 
personal computers are so heavily cloaked, or encrypted, that it's 
practically impossible for anyone to verify or refute such claims. 
And the programs are more invasive than the electronic cookies that 
businesses use to track people on the Web because they potentially 
can scan documents and images on people's hard drives as well as 
track online habits.  

"Your tax records, what medical sites you've been looking at, your 
online banking--if someone has spyware on your machine, they 
would have access to that data and it would be next to impossible to 
tell if it was leaving," said Haymore, a former federal government 
computer security investigator.  

Irate computer users also have filled online bulletin boards with 
complaints about tracking programs that are impossible to remove 
(even when the original host program is deleted), that crash their 
computers or clog up their telephone or cable lines, slowing down 
their Internet connections.  

Two technology marketing companies, Silicon Valley's Radiate.com 
and Sterling's Conducent Technologies Inc., which have developed 
"ad bots," software for the most popular ads targeting customers, 
have been at the heart of the online privacy debate. These ventures 
partner with software companies and share a cut of the advertising 
revenue.  

Conducent's director of marketing, Robert Regular, says 
participation in its ad-driven programs is "voluntary" and offers 
consumers many advantages, including discounted or free software. 
People who purchase CD-ROMs made by eGames, for instance, can 
get six free programs if they choose to look at ads and give up 
some personal information. "We will show ads and will make use of 
the user's Internet connection and if they agree to that, great. If not, 
they don't have to use the software," he said.  

Regular says the company always has required its partners to 
disclose in their privacy policies that the programs were "ad-
supported" but only this month started making them flash separate 
screens during the installation process alerting users of the 
tracking.  

Like other people in the industry, Regular disputes the "spyware" 
characterization.  

"We don't spy on anyone. We don't know any personally identifiable 
information. We know they are an anonymous user. We don't look at 
anything that they do," he said. "Because we run in the background, 
people think we're doing something deceptive and don't understand 
that it's in order to refresh ads."  

As stories of tracking software and other privacy concerns have 
circulated throughout the online world in recent months, companies 
and independent programmers have scrambled to develop 
protection tools with names such as ZoneAlarm and OptOut. More 
than 1.1 million people already have downloaded OptOut, freeware 
that was developed by Steve Gibson, a security consultant in 
California and a privacy advocate. And personal firewall software 
has been rushing off store shelves since last fall, with 40,000 to 
50,000 copies being sold each month, according to research firm PC 
Data Inc.  

But even unsophisticated programmers can easily get around the 
best available electronic firewalls, security experts say.  

Symantec's Steve Cullen, the senior vice president for consumer 
business, said people using Norton Internet Security 2000, the most 
popular firewall program, for instance, can specify that their names, 
credit-card numbers and other sensitive information be blocked from 
leaving the computer. But if that information is electronically 
masked by one of many easy techniques, it can still get through.  

"If it's really spyware, certainly encoding or encrypting is something 
that these guys could do and that makes it much trickier to catch it," 
he said.  

Still, Cullen says that scenario is rare. He said about 80 percent of 
the time companies don't bother hiding the data and leave it as plain 
text, a format that is simple to filter.  

Christopher Kelley, an analyst with Forrester Research, believes 
that the "sneakiness" with which some corporations are acting has 
exacerbated privacy concerns and damaged the industry's 
credibility--something that they may come to regret as an increasing 
number of angry citizens create technological tools that could topple 
the companies' entire business plans. Added Montreal computer 
consultant Gilles Lalonde: "Right now it's now a free-for-all. Anything 
goes. This is the kind of environment that permits these kinds of 
intrusive behaviors, allows them to flourish. If we don't start to 
define some ethical rules, before long people will lose their trust in 
all online companies and this great technological revolution just 
stops."  

Copyright 2000 The Washington Post Company 




