[Reader-list] Spyware : How Your Personal Data Gets Stolen Online

[Harsh Kapoor]

Alternet.org

Spyware: How Your Personal Data Gets Stolen Online
Matthew Callan, Freezerbox
February 8, 2002

Though we have been firmly entrenched in the information age for 
almost 20 years now, the Internet still retains a Wild West 
atmosphere, without a Wyatt Earp to tame it. Rules are made and 
discarded at will, virtue a dead end, pimping a virtue. You must get 
yours before the next guy grabs it, any way you can, and there are 
plenty of sharpies promising an edge, bottles of snake oil in hand 
labeled DRINK ME.

Witness the latest con, spyware, software that is able to swipe 
personal data from your computer and sell it to the highest bidder. 
All this is done under the guise of collecting general demographics 
and providing users with exciting offers, but its potential is far 
too frightening to ignore.

Spyware usually comes to your computer in the form of a simple 
data-collection program, bundled along with a piece of freeware (an 
application that the developer offers to the public gratis) that 
contains embedded banner ads. As you use the application, the spyware 
takes the personal information you provided when registering and adds 
to it other appliction-related data; what you are using the 
application for, how long you use it, etc. This information is sent 
to a server that interprets the data in order to target you with very 
specific advertising.

Rotating banner ads are like airport surveys: If you want to ignore 
them, you can. And since most freeware relies on advertising dollars 
to pay the bills, this may seem a fair price to pay for a 
programmer's labor (and the reason why these programs are often 
referred to more benignly as adware). However, there are troubling 
aspects to this practice; some potential, some already in play.

First of all, users are rarely notified of the presence of any 
spyware when they download; if so, only in the glaucoma-inducing 
lines of tiny text that make up a User Agreement. More often than 
not, spyware is not administered by the company from which users 
receive the application, but by a third party that markets the 
spyware. So while you may have agreed to the terms and conditions set 
forth by the application's developers, you did not specifically agree 
anything the spyware's administrator has in store for you. Under 
current laws, this is all perfectly kosher. Software providers are 
under no legal obligation to inform the public of their purpose in 
gathering personal information, let alone how they do it and with 
whom. Most sites do disclose some information about what software you 
receive and what it does, merely to give lip service to privacy 
concerns, knowing full well that their security policies have the 
same judicial weight as handshake agreements.

So it was only a matter of time until a program such as VX2 would hit 
the Web, and hit it hard. VX2 takes spyware to a new level by pulling 
information, not just from use of an application, but from the use of 
a computer. When freeware that includes VX2 is installed on a 
computer, the program saves itself to a directory on the hard drive. 
Once firmly in place, it keeps track of the user's Web browsing 
(current and historical), information entered into forms, and 
configuration of the user's hardware and software. Based on all this 
information, pop-up ads begin to appear incessantly in the user's Web 
browser, giving the false impression that the Web page being viewed 
is responsible for the constant annoyances.

In order to discover that VX2 is on your computer, you would have to 
determine the IP of the pop-up ads plaguing your browser, a task that 
less technically-inclined Web surfers are not able to do. Even harder 
to determine is how VX2 got on your computer, and where it is stored. 
To top it all off, VX2 is an incredibly difficult program to 
completely remove from a hard drive, and doing so often disables the 
freeware that let it in.

Even more disturbing information can be culled from the VX2's Privacy 
Policy, as featured on its Web site. Although VX2 insists that it 
does not collect any truly damaging data (i.e., credit card 
information), it does concede that "the operation of certain third 
party websites may result in some personal information being included 
in URL data...Such instances are rare and are the result of poor 
security practices by these third party websites." Thereby, the buck 
is passed when some mysterious charges suddenly appear on your Visa 
bill. VX2 also reserves the right to update its software at any time, 
saying that "upgrades may include third party applications.... They 
will be done automatically in the background while you are surfing 
the web in order to cause the least amount of inconvenience to our 
users as possible." Its stated reason for capturing data that the 
user enters into forms (which includes even secure, encrypted forms) 
goes past disingenuousness and straight into Orwell country: "This 
information is automatically sent to VX2 in order to save you the 
time and trouble of submitting such information to us yourself."

What VX2 boils down to is this: A program you never wanted squats in 
your computer's hard drive, sending personal information to a company 
with whom you never had any direct contact and never agreed to give 
such access; a program that, furthermore, can upgrade itself and add 
any other program to your computer that it sees fit. It is the kind 
of application that would make the CIA drool, but once again, private 
industry has beaten the public sector to the punch.

It is difficult to determine which applications are or have been 
bundled with VX2, due to the frequency of freeware updates and the 
program's inherently insidious nature. Companies that use VX2 are 
obviously tight lipped about it; companies who no longer use it, but 
once did, are in no rush to inform users that they were being spied 
on. Because of the nature of VX2's operation, however, these 
once-guilty firms still have a responsibility to inform their users. 
This spyware embeds itself into a user's hard drive; therefore, the 
application once bundled with VX2 does not even have to be running 
for it to gather information and send it to an ad server. Even if a 
company no longer maintains a relationship with VX2, unless it alerts 
its users to VX2's existence, and how to effectively delete it from 
their hard drive, the program will continue to do its dirty work. By 
keeping quiet, under the guise of not alarming their users, these 
firms remain co-conspirators in VX2's quest to snoop on the 
Web-browsing public.

The most popular application known to have used VX2 is the Audio 
Galaxy Satellite, a music-downloading application similar to Napster. 
Portal of Evil, a Web site that collects pages "from the margins of 
society," and one of the first sites to break the whole sordid VX2 
story, has attempted to make Audio Galaxy accountable for bundling 
VX2 along with their Satellite freeware. In responses to both Portal 
of Evil and Wired.com, Audio Galaxy merely stated that VX2 was no 
longer included with their freeware, refusing to state when it was 
and for how long. The company said it had little knowledge of the 
program's use and blamed its presence in their software on Onflow, a 
software company that supplied Audio Galaxy with advertising graphics 
enhancers. Onflow maintains that it had never heard of VX2 until it 
was alerted by Portal of Evil.

Ignorance is a poor excuse for what companies such as Audio Galaxy 
have unleashed on the Web. What is now crystal clear is this: many 
companies offering freeware attach add-ons to their software 
willy-nilly, presumably under the spell of sleazy marketers, not 
knowing or not caring what this software will do to its users. 
Imagine the slaughterhouse conditions of The Jungle, transposed to 
the Internet, and you will have a good idea of the situation we find 
ourselves in today. (Audio Galaxy did not respond to this writer's 
request for comment.)

The origins of the program are incredibly murky, and fraught with 
more incest and secrecy than I, Claudius. No one has ever taken 
responsibility for writing the code (or funding such). As is often 
the case with such spyware, the program was probably developed and 
tested by a third-party tech department far removed from whoever 
wields it now, and then funneled through several different 
subsidiaries of a large parent company, in order to throw any curious 
bloodhounds off the scent.

According to cexx.org, a Web watchdog site, VX2's first major 
appearance was under the name Transponder, marketed by the Blackstone 
Data Corporation. Blackstone's public Web site has disappeared from 
the Internet, but since VX2 shares a PO Box in Las Vegas with them, 
the two are probably one and the same. Confusing matters further is 
Mindset, a 'Web solutions' company that gives away freeware of 
screensavers and trivia games bundled with VX2. A sharp eye reveals 
that their Privacy Policy is identical to the one on VX2's Web site.

Thanks to the venal efforts of these people, the Web remains a 
lawless place huddled on the edge of civilization, full of mustache 
twirling barkers who cruise for those easy marks just off the 
stagecoach. And since times are tighter these days, the stakes are 
higher, the con jobs meaner, the medicine show a lot less funny. In 
the current political climate, anything that threatens our privacy 
deserves a long hard look, and a long hard fight. Until a sheriff 
finally arrives -- until everyone realizes how much we stand to lose 
and how soon it will happen -- we must get used to the hustler's 
hello: one hand slapping us in the back and the other one reaching 
into our pockets.

Incidentally, VX2 happens to share a name with a component of a 
variety of nerve agent. This brand of biological weapon is ten times 
more powerful than other nerve agents, and is characterized by its 
oily texture and long half-life. Whether the spyware's nomenclature 
was a loving tribute or a dark coincidence remains to be seen.

Matthew Callan edits, and constantly mines his life for material for, 
the online zine scratchbomb.com. He is currently hard at work on his 
first novel, Breaking My Shoes, a rumination on men, war, Staten 
Island and mayonnaise. 


--