The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Click here to subscribe. Please read our Terms of Use for quoting guidelines.This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/apr14,2004.

Permalink | Top

Reason, a monthly libertarian magazine, soon will send out its June issue to 40,000 readers. Using a number of consumer databases and GPS technology, each issue will be customized to the individual reader. By this I mean that the cover of each magazine will have a satellite photo of the subscriber's home and advertisements customized for their interests.

The issue is a publicity stunt to illustrate the power and pervasiveness of consumer databases. The more information that is given away in surveys are stolen by advertising spyware, the closer we come to a world where anyone with money can pull up dossiers on us that would rival the old KGB for the amount of information collected.

Once your personal information is given up or stolen, it can never be removed from the millions of corporate and government databases around the world. Remember that the next time you are signing up at some web site and it wants personal information unrelated to providing its services.

There is an article about this at the New York Times but, unfortunately, they require registration to read their articles. I make it a policy to not link to their site because of it.

Permalink | Top

Program: [Program Name]
Author: [Program's vendor]
Platform: [Compatible Platforms]
License: $[whatever] $[whatever] [[whatever] off for SpywareInfo visitors until [whenever]]
Purchase: Click here to purchase

Do you have a spouse, children, or a boss who you do not want knowing what you were doing on the computer? Why worry about other people using the computer after you? You need this product before someone else gets your personal information from your computer.

This product cleans up your tracks left by Windows,your browser and many other programs. Save storage space and improve performance of your computer. Included in this program is support for skins, a "boss key" which allows you to instantly delete all usage traces and browser cache, as well as closing all of your open browser windows. This is useful for those of us who's minds wander at work ;-). Read on for a list of feature highlights

Every week, SpywareInfo arranges a discount on the programs best suited to keep your private life private. This arrangement lets us pay the bills to keep SpywareInfo running without having to sell ads to the likes of DoubleClick and X-10.

We do need your input, as the discount is for your benefit. What commercial privacy software would you like to see featured here at a discount? Drop us a note and let us know.

Links:

http://www.spywareinfo.com/downloads.php#feature :· More information on [product]
http://www.spywareinfo.com/email2.php :· Suggest a product

Permalink | Top

Ben Edelman is a Harvard Law student and PhD candidate who is becoming very active in the antispyware movement. He represented 1800Contacts when that company discovered adware was popping up advertisements based on their web site's content and he had a part in creating Utah's Spyware Control Act.

Edelman has filed a comment at the Federal Trade Commission concerning spyware and it is very interesting. He says he has logged evidence that Gator/Claria's software and WhenU's software are "spyware", not "adware". He says he has even caught WhenU violating their own privacy policy.

From Edelman's comment filed with the FTC:

16. I have reviewed the WhenU privacy policy, and I have concluded that WhenU violates this policy when it transmits to its servers some of the specific URLs viewed by WhenU users. The policy reads, in relevant part, as follows: 'As the user surfs the Internet, URLS visited by the user (i.e. the user's 'clickstream data') are NOT transmitted to WhenU.com or any third party server.'

17. In my examinations, it is true that WhenU software does not transmit to its server all URLs visited by WhenU users. But WhenU software does transmit to its server some URLs visited by WhenU users. Since WhenU's privacy policy seems to promise not to transmit any URLs visited by WhenU users ('URLs are not transmitted'), I consider WhenU's transmissions to be in violation of its privacy policy.

His comment also contains similar observations about Gator/Claria's software. I recommend reading the entire comment. You will need Adobe Acrobat Reader to read the file.

Links:

http://www.benedelman.org/ :· Edelman's site
http://www.ftc.gov/os/comments/spyware/040319edelman.pdf :· Edelman's FTC comment

Permalink | Top

The Business Software Alliance also has filed a comment at the FTC about spyware, a rather large one. I find myself in agreement with their take on the issue. Basically, the BSA prefers that the behavior of spyware, not software itself be regulated.

Rather than trying to create a legal definition of "spyware" and "adware" and then regulating any software that falls within either category, the FTC should instead regulate the behavior that makes spyware so obnoxious. Legal definitions can have loopholes and many spyware companies have clever lawyers. So let's just ignore the term entirely and be concerned only with the behavior.

Coolwebsearch can argue all they want that their software is not spyware or adware or a browser hijacker. What they cannot argue about is that their software makes irrevocable changes to Internet Explorer and Windows. What Coolwebsearch cannot argue about is that their software actively resists removal. Instead of trying to define "spyware" and making Coolwebsearch's software fit into it somehow, instead let's spend our time outlawing its behavior.

I propose to make the following activity illegal:

Making alterations to any web browser which cannot be reversed by the built-in tools.

If Coolwebsearch wants to change the home page to coolwebsearch.com, that is fine. If their software resists the owner's efforts to change the home page back to the owner's preference, that should be illegal.

Resisting the removal of unwanted software.

Once installed, software must not resist being removed in any manner. A PC is private property belonging to the consumer who purchased it. Just as I can remove some politician's "vote for me ... FOR THE CHILDREN!!!!" sign from my front lawn, I should be able to remove any software from my computer. Both are my private property.

If the software is going to provide its own uninstaller, that uninstaller should be provided along with the software. No one should be forced to go to a web page and either download a separate uninstaller or trust an ActiveX control to remove the software. Very often, spyware will destroy a PC's internet connection, so the owner might not be able to go online at all.

Installing without clear and explicit consent.

Software should not be allowed to install unless the owner has given clear and unmistakable consent to its installation. This does not include an ActiveX security warning that pops up in Internet Explorer. This does not include clicking "I agree" to a 10,000 word EULA. Before CoolWebSearch can copy a single file to a person's hard drive, a box should pop up asking "Do you wish to install this software from coolwebsearch.com?". This dialog box should appear regardless of browser security settings.

This would include software bundles, where more than one distinct piece of software is being installed. If KaZaA is going to install Cydoor adware, it cannot do so without first informing the user that it is a separate piece of software and asking permission to do so. If Sharman Networks wants the KaZaA installer to exit if you choose not to install its sponsor(s), that is their choice.

This also includes auto update functions, no matter what program it belongs to. No software should be allowed to install software on someone's property without first gaining the consent of the owner. If someone wants to go into the options menu and specifically allow a program to do that, that is perfectly fine. If a piece of software does this without first gaining explicit consent to do so, that should be illegal without exception.

Transmitting information without clear consent.

Software should not be allowed to transmit any data to its vendor or any third party without the owner's explicit consent. If Gator/Claria's software is going to transmit the address of a web site I visit, regardless of the reason it is transmitting it, this fact needs to disclosed to me before it is installed. If Wild Tangent's updater is going to transmit the specifications of my hardware, regardless of the reason it is doing so, this fact should be disclosed before it is installed. I should be required to check a box stating that I understand that this information is going to be transmitted before the program finishes installing, separate from the EULA or security warning or whatever.

Generating advertisements of any sort without disclosure.

If Gator/Claria's software is going to launch a pop-up ad every time I search for a hotel room or eye glasses, so be it. However, their installer must inform me before the program is installed that it will be displaying advertisements and in what form those advertisement will be displayed.

I believe this covers just about every nasty habit common to all software referred to as "spyware", "adware", "malware", "grayware" or any other such label. These are common sense requirements that can be and should be applied to all software, regardless of whatever label someone cares to give it. It protects consumers and avoids the inevitable problem of a company finding a loophole in a legal definition of "spyware".

It also does something that very few software companies do these days; it would force them to show respect to the user and to acknowledge their property rights. Any company that would refuse to follow these guidelines is declaring its contempt for the user and displaying a shameful lack of ethics.

Links:

http://www.ftc.gov/os/comments/spyware/040323bsaspywaretestimony.pdf :· The BSA's FTC comment

Permalink | Top

Earlier I mentioned Utah's Spyware Control Act. I've just discovered that WhenU has filed a lawsuit against the state of Utah claiming that the law violates their constitutional right to advertise (???).

WhenU is asking the court to prevent the law from taking effect next month.

According to the lawsuit: "WhenU's software, one of the apparent targets of the act, is installed only with user consent, and does not invade the privacy of computer users."

Consider that sentence very carefully. Countless numbers of people discover WhenU's software on their machines and have no idea how it got there. We see this all the time at the message boards. I once found their software on my own mother's PC and I know for a fact she didn't install it herself. Second, as I mentioned earlier in this newsletter, Ben Edelman has evidence showing that WhenU's software transmits web site addresses to company servers, in violation of their own privacy policy.

Isn't it a crime to make false statements in court?

WhenU hopefully will lose this lawsuit. First, advertising is not protected by the Constitution. Second, if they are claiming First Amendment violations, commercial speech is not protected as closely as personal speech. Third, the law doesn't bother their right to any sort of speech in the first place. What it prohibits is transmitting information about the user (which it does according to Edelman) and using the content of someone else's web site to generate ads.

Links:

http://deseretnews.com/dn/view/1%2C1249%2C595055767%2C00.html :· Utah spyware law draws N.Y. suit

Permalink | Top

If your computer runs any version of Windows from 98 on, you need to update it as soon as possible. Microsoft has published patches to fix several very severe flaws that are trivial to exploit. These security holes will allow an attacker to access your computer and control it, or destroy it, remotely.

Links:

http://windowsupdate.microsoft.com/ :· Windows Updates
http://www.techweb.com/wire/story/TWB20040413S0009 :· Microsoft Discloses Huge Number Of Windows Vulnerabilties

Permalink | Top

Several months ago, the popular CarTalk radio show (National Public Radio) decided to stop providing audio recordings of their shows in Real format. This was due to many, many complaints from listeners about the obnoxious behavior of Real's software.

Stung by the move, Real Networks claims to have cleaned up their act and has persuaded CarTalk to change their minds.

A lot of people are disgusted by Real's media player. It used to hijack file associations and make it nearly impossible to change them back. The web site deliberately made it hard to find the free version and provided misleading links to the pro version to trick people into downloading it. It would cause pop-up ads constantly and a past version even installed spyware.

After reading about how Real responded to being dumped by CarTalk, I decided to check it out to see if they had indeed cleaned up their software. While they have made a few changes, I'm afraid that it is still an obnoxious piece of software.

The free and paid versions now are on the same page (one click inside the site) and side by side. So the claim that they have stopped misleading people away from the free and toward the pro version is true. After clicking the download link, it went to a download page which somehow snuck a pop-up ad past firefox. Ironically, that ad was for the very program I was downloading.

The program has stopped hijacking media associations. It asks if you want to associate music and video files with Real Player and it does honor your choice. It even asks you where to put program icons rather than just dumping them all over the desktop and quicklaunch bar.

Sadly, these are the only good things I'll have to say about it. For one thing, by default, there are 4 different "contact me about stuff" options checked. Immediately after it finished installation, my firewall popped up four different times to tell me it was accessing the internet. I decided to log every firewall access to see what would happen. After an hour of playing music, the firewall logged an astounding 2,500 distinct internet accesses, and this was after I had gone through the options and disabled all of the "phone home" options.

After installation, but before I could use it in any way, it demanded I fill out a survey! The questions asked my name, email address, home address, age, sex and zip code among other things. There was no way to use the program at all without filling out this unnecessary survey, which of course I filled out with false answers.

The software has a "message center", which I assume is for displaying ads. It does allow you to disable the "message center" but it pops up an obnoxious warning box when you do so. It also has an updater that runs by default and installs updated software by default. You can disable this in options also.

The EULA contains 6,854 words, all of which must be read in a small box that forces you to scroll down every couple of paragraphs. Buried far down in that license are the following tidbits:

...

e) Secure Content Consumption: The RealPlayer client may be required to send statistical data to servers regarding the consumption by an end user of content secured using the digital rights management technology contained in this Software to protect the integrity of the content ("Secure Content"). This communication serves to enable the content provider to calculate usage-based royalty amounts needing to be paid to owners of such Secure Content ("Secure Content Owners"). . DIGITAL RIGHTS MANAGEMENT SYSTEMS ("DRMs").

...

a) The Software includes a DRM called the RealSystem Media Commerce Update Software ("Media Commerce Software") and may include third party DRMs as Plug-in components, which are subject to their own license agreements.

...

RN is not responsible for the operation of third party DRM in any way, including revocation of your content. RN is not responsible for any communications to or from any third party DRM provider, or for the collection or use of information by third party DRMs. You consent to the communications enabled and/or performed by the DRM, including automatic updating of the DRM without further notice, despite the provisions of AutoUpdate defined in Section 6(c). You agree to indemnify and hold harmless RN for any claim relating to your use of a third party DRM.

Secure Content Owners may, from time to time, request RN or its suppliers to provide security related updates to the DRM components of the Software ("Security Updates") that may affect your ability to copy, display and/or utilize the Software. You therefore agree that, if you elect to download a license from the Internet which enables your use of Secure Content, RN or its suppliers may, in conjunction with such license, also download onto your computer such Security Updates that a Secure Content Owner has requested that RN or its suppliers distribute. Unless notification is provided to you, RN and its suppliers will not retrieve any personally identifiable information, or other information, from your computer by downloading such Security Updates.

...

c) The Media Commerce Software allows you to receive and playback content that has been digitally secured by a content provider. The Media Commerce Software interacts with your computer in the following ways: 1. Hardware information: In order to download the appropriate software, RealPlayer must send certain anonymous information about the hardware on your computer to the RealNetworks download server. Once the software is installed, information about your hardware will not be stored on any server. Hardware information will also be sent for content passes, as described below.

...

Basically, it will install copy protection software which limits the way you can use content that you download or even content that you have purchased. This copy protection software will make internet connections without your knowledge and install other software, also without your knowledge. That by itself guaranteed its removal from my PC after this little experiment.

Decide for yourself if you want to install software such as this on your property. Winamp will play every known type of music or video file except for QuickTime and Real and does it without being so obnoxious. QuickTime is perfectly acceptable for playing its file types and Cowan's Jet Audio will play Real file types without having to install Real itself.

Links:

http://www.winamp.com/ :· Winamp
http://www.jetaudio.com/ :· Cowan's Jet Audio
http://www.apple.com/quicktime/ :· QuickTime
http://www.mozilla.org/products/firefox/ :· Mozilla Firefox
http://www.cartalk.com/content/features/real/ :· CarTalk and Real

Permalink | Top

Judging from the letters after the last issue when I said I wanted a radar detector before I drive to Washington, many people misinterpreted that to mean that I plan to fly up the entire length of I-95 from Savannah to D.C. at full throttle. One obnoxious person even twisted it around to "I like to speed and don't want to be caught".

If there's a dozen state troopers watching the interstate for a little red car to go zooming by at 100 MPH, I hope they bring along a lot of donuts to munch on because they're wasting their time. I like my car and would prefer not to cash in its remains at the insurance agency. I wear my seat belt, come to a complete stop at stop signs, signal before turning and yes, I drive the speed limit.

Driving 1,500 miles with my foot in the exact same spot the entire way is not possible. I'm as likely to drift under the speed limit as I am to drift above it, especially in hill country. I would rather not help some county mounty make his ticket quota because I was looking at traffic instead of my dashboard while I'm going down a hill.

I want to thank everyone that gave their suggestions for a detector, especially the guy who said his truck has two speeds, dead still and wide open (had a good laugh at that). Opinion was split about 60/40 in favor of the Valentine One over the Escort Passport 8500.

After reading dozens of reviews of both, I decided to get the Escort Passport. Experts seem to agree that it's better at ignoring false hits and better at detecting the newer Ka band radar. It's also a hundred bucks cheaper and the Valentine's directional arrows aren't worth that extra $100.

I also want to say thanks to everyone that warned me about detectors being illegal in Virginia (which I knew already) and in Washington D.C. (which I didn't know). I'll lock it up before leaving North Carolina and maybe find a $5 throwaway decoy from a pawn shop in case a trooper notices the suction marks on the windshield.