Spyware Analysis of P2P Software
rhizome writes "Benjamin Edelman, a PhD candidate in Economics and a Law student at Harvard, has analyzed the hidden (or not) additions to a user's machine when they install some of the major Windows P2P clients. He analyzes the length and readability of their licenses, what is revealed or hidden in the software's installer and includes screenshots for illustration. Clear, concise and eye-opening."
The relevant parts, for people who can't or don't want to RTFA:
My testing uncovered no bundled software installed without at least some disclosure apparent in a careful and complete reading of all applicable installation license agreements. However, it is possible that programs were installed that I failed to detect, especially if bundled program installations were set to be delayed after installation of the requested P2P software.
Although each P2P installer included at least a vague reference to each program to be installed, certain P2P programs' installation procedures nonetheless present cause for concern. For one, substantive disclosures are generally detailed only in license agreements presented in scroll boxes -- often squeezing thousands of words of text into small windows requiring dozens of page-downs to view in full.
Robogun,
Preparing these detailed analyses is surprisingly time-consuming -- lots of license text to read, lots of screenshots to make, lots of measurements and other tests (registry, filesystem, etc.). So at least for this initial run, I had to limit myself to a manageable number of P2P programs. In general I tried to focus on the programs believed to have the largest market share -- the programs that would infect the most PCs with unwanted software if such programs in fact contain unwanted software.
WinMX would be a good candidate for inclusion in a follow-up piece. And there are plenty more too.
Or perhaps someone else will be so kind as to take over where I've left off!
Ben
Bubonic plague is a bacterial infection, not a viral infection.
ELOI, ELOI, LAMA SABACHTHANI!?
What exactly was your experience? LimeWire, to me, appears to do exactly as he said. Nothing more, nothing less. I don't think he sold out there.
Shareaza is missing from the list, but is very similar to LimeWire - might be a good alternative (note: shareaza, not sharaza!)
http://www.shareaza.com/
I spent about an hour talking to Ben at the Yahoo! party last week. I can assure you that he is by no means shilling for anyone. His feelings on the matter are pretty strong, and he sells himself on the integrity you mention.
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
LimeWire is open source and is safe. I did a quick check of several other open source P2P apps (BitTorrent, eMule, Phex, and Shareaza). None are bundled with malware and if they have a license agreement it is only the GPL. All of the proprietary apps checked are unsafe, and it is well known that others not checked (e.g., Grokster) are also not safe.
Not necessarily the "best", but Shareaza is very good, for a number of reasons:
- Works well (IMHO)
- Open source and Free (beer)
- Connects to Gnutella, Gnutella2 and eMule networks
- Built-in BitTorrent support.
Beauty is in the eye of the beerholder.