[Reader-list] Spyware : How Your Personal Data Gets Stolen Online
Harsh Kapoor
aiindex at mnet.fr
Tue Feb 12 13:53:59 IST 2002
Alternet.org
Spyware: How Your Personal Data Gets Stolen Online
Matthew Callan, Freezerbox
February 8, 2002
Though we have been firmly entrenched in the information age for
almost 20 years now, the Internet still retains a Wild West
atmosphere, without a Wyatt Earp to tame it. Rules are made and
discarded at will, virtue a dead end, pimping a virtue. You must get
yours before the next guy grabs it, any way you can, and there are
plenty of sharpies promising an edge, bottles of snake oil in hand
labeled DRINK ME.
Witness the latest con, spyware, software that is able to swipe
personal data from your computer and sell it to the highest bidder.
All this is done under the guise of collecting general demographics
and providing users with exciting offers, but its potential is far
too frightening to ignore.
Spyware usually comes to your computer in the form of a simple
data-collection program, bundled along with a piece of freeware (an
application that the developer offers to the public gratis) that
contains embedded banner ads. As you use the application, the spyware
takes the personal information you provided when registering and adds
to it other appliction-related data; what you are using the
application for, how long you use it, etc. This information is sent
to a server that interprets the data in order to target you with very
specific advertising.
Rotating banner ads are like airport surveys: If you want to ignore
them, you can. And since most freeware relies on advertising dollars
to pay the bills, this may seem a fair price to pay for a
programmer's labor (and the reason why these programs are often
referred to more benignly as adware). However, there are troubling
aspects to this practice; some potential, some already in play.
First of all, users are rarely notified of the presence of any
spyware when they download; if so, only in the glaucoma-inducing
lines of tiny text that make up a User Agreement. More often than
not, spyware is not administered by the company from which users
receive the application, but by a third party that markets the
spyware. So while you may have agreed to the terms and conditions set
forth by the application's developers, you did not specifically agree
anything the spyware's administrator has in store for you. Under
current laws, this is all perfectly kosher. Software providers are
under no legal obligation to inform the public of their purpose in
gathering personal information, let alone how they do it and with
whom. Most sites do disclose some information about what software you
receive and what it does, merely to give lip service to privacy
concerns, knowing full well that their security policies have the
same judicial weight as handshake agreements.
So it was only a matter of time until a program such as VX2 would hit
the Web, and hit it hard. VX2 takes spyware to a new level by pulling
information, not just from use of an application, but from the use of
a computer. When freeware that includes VX2 is installed on a
computer, the program saves itself to a directory on the hard drive.
Once firmly in place, it keeps track of the user's Web browsing
(current and historical), information entered into forms, and
configuration of the user's hardware and software. Based on all this
information, pop-up ads begin to appear incessantly in the user's Web
browser, giving the false impression that the Web page being viewed
is responsible for the constant annoyances.
In order to discover that VX2 is on your computer, you would have to
determine the IP of the pop-up ads plaguing your browser, a task that
less technically-inclined Web surfers are not able to do. Even harder
to determine is how VX2 got on your computer, and where it is stored.
To top it all off, VX2 is an incredibly difficult program to
completely remove from a hard drive, and doing so often disables the
freeware that let it in.
Even more disturbing information can be culled from the VX2's Privacy
Policy, as featured on its Web site. Although VX2 insists that it
does not collect any truly damaging data (i.e., credit card
information), it does concede that "the operation of certain third
party websites may result in some personal information being included
in URL data...Such instances are rare and are the result of poor
security practices by these third party websites." Thereby, the buck
is passed when some mysterious charges suddenly appear on your Visa
bill. VX2 also reserves the right to update its software at any time,
saying that "upgrades may include third party applications.... They
will be done automatically in the background while you are surfing
the web in order to cause the least amount of inconvenience to our
users as possible." Its stated reason for capturing data that the
user enters into forms (which includes even secure, encrypted forms)
goes past disingenuousness and straight into Orwell country: "This
information is automatically sent to VX2 in order to save you the
time and trouble of submitting such information to us yourself."
What VX2 boils down to is this: A program you never wanted squats in
your computer's hard drive, sending personal information to a company
with whom you never had any direct contact and never agreed to give
such access; a program that, furthermore, can upgrade itself and add
any other program to your computer that it sees fit. It is the kind
of application that would make the CIA drool, but once again, private
industry has beaten the public sector to the punch.
It is difficult to determine which applications are or have been
bundled with VX2, due to the frequency of freeware updates and the
program's inherently insidious nature. Companies that use VX2 are
obviously tight lipped about it; companies who no longer use it, but
once did, are in no rush to inform users that they were being spied
on. Because of the nature of VX2's operation, however, these
once-guilty firms still have a responsibility to inform their users.
This spyware embeds itself into a user's hard drive; therefore, the
application once bundled with VX2 does not even have to be running
for it to gather information and send it to an ad server. Even if a
company no longer maintains a relationship with VX2, unless it alerts
its users to VX2's existence, and how to effectively delete it from
their hard drive, the program will continue to do its dirty work. By
keeping quiet, under the guise of not alarming their users, these
firms remain co-conspirators in VX2's quest to snoop on the
Web-browsing public.
The most popular application known to have used VX2 is the Audio
Galaxy Satellite, a music-downloading application similar to Napster.
Portal of Evil, a Web site that collects pages "from the margins of
society," and one of the first sites to break the whole sordid VX2
story, has attempted to make Audio Galaxy accountable for bundling
VX2 along with their Satellite freeware. In responses to both Portal
of Evil and Wired.com, Audio Galaxy merely stated that VX2 was no
longer included with their freeware, refusing to state when it was
and for how long. The company said it had little knowledge of the
program's use and blamed its presence in their software on Onflow, a
software company that supplied Audio Galaxy with advertising graphics
enhancers. Onflow maintains that it had never heard of VX2 until it
was alerted by Portal of Evil.
Ignorance is a poor excuse for what companies such as Audio Galaxy
have unleashed on the Web. What is now crystal clear is this: many
companies offering freeware attach add-ons to their software
willy-nilly, presumably under the spell of sleazy marketers, not
knowing or not caring what this software will do to its users.
Imagine the slaughterhouse conditions of The Jungle, transposed to
the Internet, and you will have a good idea of the situation we find
ourselves in today. (Audio Galaxy did not respond to this writer's
request for comment.)
The origins of the program are incredibly murky, and fraught with
more incest and secrecy than I, Claudius. No one has ever taken
responsibility for writing the code (or funding such). As is often
the case with such spyware, the program was probably developed and
tested by a third-party tech department far removed from whoever
wields it now, and then funneled through several different
subsidiaries of a large parent company, in order to throw any curious
bloodhounds off the scent.
According to cexx.org, a Web watchdog site, VX2's first major
appearance was under the name Transponder, marketed by the Blackstone
Data Corporation. Blackstone's public Web site has disappeared from
the Internet, but since VX2 shares a PO Box in Las Vegas with them,
the two are probably one and the same. Confusing matters further is
Mindset, a 'Web solutions' company that gives away freeware of
screensavers and trivia games bundled with VX2. A sharp eye reveals
that their Privacy Policy is identical to the one on VX2's Web site.
Thanks to the venal efforts of these people, the Web remains a
lawless place huddled on the edge of civilization, full of mustache
twirling barkers who cruise for those easy marks just off the
stagecoach. And since times are tighter these days, the stakes are
higher, the con jobs meaner, the medicine show a lot less funny. In
the current political climate, anything that threatens our privacy
deserves a long hard look, and a long hard fight. Until a sheriff
finally arrives -- until everyone realizes how much we stand to lose
and how soon it will happen -- we must get used to the hustler's
hello: one hand slapping us in the back and the other one reaching
into our pockets.
Incidentally, VX2 happens to share a name with a component of a
variety of nerve agent. This brand of biological weapon is ten times
more powerful than other nerve agents, and is characterized by its
oily texture and long half-life. Whether the spyware's nomenclature
was a loving tribute or a dark coincidence remains to be seen.
Matthew Callan edits, and constantly mines his life for material for,
the online zine scratchbomb.com. He is currently hard at work on his
first novel, Breaking My Shoes, a rumination on men, war, Staten
Island and mayonnaise.
--
More information about the reader-list
mailing list