Slashdot Mirror
Spyware or Researchware?
prostoalex writes "When the story of Firefox Web site visitors being predominantly male was published, many questioned the methodology used to acquire such research data. This MSNBC article talks about another research company, ComScore Networks, using a free antivirus utility to lure the Web users into downloading a small utility to their hard drives. The catch? The software watches not only sites visited, but even locations of the mouse clicks. ComScore swears the final data does not contain any personal information, but, as the article states, anti-spyware utility manufacturers are still thinking whether to include it on their list."
To find out the gender of a visitor, just create a site which requires visitors to hold one key while moving the mouse.
Rock that crushes, Paper & Scissors that don't matter.
The difference between Spyware and Usage Statistics pretty simple: is it clearly stated to the End User and is optionable. Essentially, its not spyware if you know about it up front and have the ability to (actually,) turn it off.
The beef I have with spyware is that it's never given me a choice; it installs without me knowing and lurks like a drooling Rutterkin in the corner -- waiting for me to spill my drink or drop The One Ring. But this research program is optional, right?
I have no problem with optional programs that record data to be used in a study. My wife also participates in allgery studies. So?
The dangers of knowledge trigger emotional distress in human beings.
Well, that story had all the right buzzwords to get the pitchforks wavin!
"Derp de derp."
Isn't that sort of app supposed to be CHECKING for trojans? Sheesh.
Paleotechnologist and connoisseur of pretty shiny things.
The software watches not only sites visited, but even locations of the mouse clicks.
add the use of the word "lure" and it makes me think that this is, indeed, spyware.
Mongrel News all the news that fits and froths
why? forty-two.
Unfortunately, if they give the users a choice to turn it off, you can't qualify the statistics obtained from users who allow information to be logged as good - e.g. who's to say whether guys may be more inclined to turn it off than girls - or conversely, women feel more threatened about privacy... in either case your stats will be skewed.
In any case most users (myself, certainly) would turn it off - I am supremely uncomfortable with some random company knowing anything about what I do on my computer.
I don't want to read
Marketscore is part of an online market research community with over 2 million members worldwide. Marketscore relies on its members to gain valuable insight into Internet trends and behavior. In exchange for having their Internet browsing and purchasing activity observed, members have access to free email virus scanning and other benefits.
You have to draw the line of reasonableness somewhere. If that site isn't clear enough for you to understand what they do, you probably shouldn't be on the Internet (or at least not from a computer configuration you could hurt yourself with).
This tool then is cutting out the Mac and Linux users from their tracked demographic; together those users represent about 5-10% of the market. And they represent many early adopters of tech, too.
I would think that the use of a tool of this kind would be enough to skew their information, causing any results to be not credible. I certainly wouldn't use them to research products that I would sell, as I would want to be able to target Mac and Linux users as well.
--
$tar -xvf
It takes information without my knowing or permission and steals my bandwidth to send it somewhere.
I know it's not hip to RTFA, but it doesn't install without your knowing or permission. It clearly states that you will allow the program to monitor your internet usage in exchange for the free antivirus software. It's easy to uninstall and doesn't leave its hooks all over the OS.
Stealing your bandwidth? If you consent to installing it, that hardly constitutes theft.
https://www.eff.org/https-everywhere
What shall it be?
Mcaffee.. no
Norton.. no
AVG..no
Oh, wait! Here's one! Marketscore! That sounds reputable! I've never heard of them before, so they must be good, because they stay out of the "eviil media".
--end scathing sarcasm--
The people "lured" into downloading this utility should probably also have their right to vote restricted for lack of ability to critically process information.
And, by the way, if you've feel vicitmized by this software, I have news for you.. they've recently changed the definition of gullible in the dictionary.Interpret that however you please.
quacks like a duck, and smells like a duck, then it must be...spyware seriously, people how cn you record where the mouse is clicked on my screen, and what sites I am visiting without being spyware. Saying that there is no personal information logged sounds like splitting hairs to me. This program should definitely be on the spyware list.
anti-spyware utility manufacturers are still thinking whether to include it on their list
If you use the blackhole dns list of spyware domains from bleedingsnort.com its already included based on this submission from doxdesk. Squid ACLs are a great way to stop these parasites and you don't have to wait for anti-spyware manufacturers to decide whether its spyware or not. Also ClamAV lets you create your own signatures so you can setup rules to detect anything you consider to be spyware.
Why not just download AVG Anti-virus?
Its free, and has no spyware attached.
Symantec, for example, designates the program as spyware on its Web site.
A major antivirus company saying a free anitvirus program is spyware, that should raise a few red flags right there.
To the extent that something forthrightly discloses what it does and offers the choice to opt-in (...and to opt-out later easily if one changes one's mind ...), the validity of the data is compromised.
There's nothing *wrong* with giving people the choice of providing information in exchange for an incentive (... I participate in surveys & studies all the time ...) but it is not unlikely that as a result, the sample becomes non-representative (except of itself.)
How likely is it that the genders differ in their willingnes to risk giving away personal information, such as keystrokes that may disclose physical address? I would not trust gender statistics for web usage at all, except for indicating the gender of people who don't worry much about strangers learning their meatspace location.
It may be that some data about semi-anonymous servces such as the web is impossible to get. As Johnny Cash sings, "I don't like it, but I guess things happen that way!"
--- Attorneys Assisting Citizen-Soldiers & Families -
Is the single scariest thing I've read, barring the end of the world that will result from the release of Longhorn.
And
ComScore officials said the sensitive data is never at risk.
"We establish two secure communications. One with you, and one with the bank," Lin said.
Is the third sariest. Of course the data is at risk, an information research company has your internet banking password, for crying out load! No one should ever have that.
Besides you.
And the bank has to have an ecrypted copy to check it against.
But that's all.
How secure is the network of a company that sells information going to be compared to a Bank?
Mind you most people will be using windows at home, so most banking passwords are being collected through vulnerabilities at that end anyway.
Anyone remember that common example of bad stats? Some survey was taken by calling people randomly. What's wrong with it? You're excluding everyone without a phone (which is now rare, but the poor didn't have them when this survey was done). Isn't this exactly the same? You're excluding everyone without spyware. Hey, maybe males are more likely to get spyware on their computers than females?
... whether people who voluntarily install their program understand that they are agreeing never to shop or bank online with decent security ever again?
It's one thing to warn someone "If you install our software, we'll monitor your net behavior".
It's entirely another thing to say "If you install our software, you'll be relying on us never to collect your credit card number, bank password, or the birthdate/mother's name information we'd need to empty your bank account ... and you're relying on us never to be hacked."
--- Attorneys Assisting Citizen-Soldiers & Families -
It started out being marketed as a way to "speed up" web browing, much like AOL is advertising with "Top Speed" now. According to the article, they even have access to encrypted connections. It also says that your passwords and stuff are visible to them. This isn't good, and they don't really state up front that they do this. I believe marketscore has been considered spyware for a while by some people. Also, the program they give you in exchange only scans emails, or so it appears. Definentaly not worth it.
Ah, but lots of software that clearly state in their EULA's that they collect and submit information are also considered spyware. Yes they said it on their web page, but in a PR friendly way, most people will read it and not think about the privacy implications. Remember most people will give away their identity for the chance to win a chocolate bar.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
This is going to nuke my karma to all Hell, but what the hey...
/. to stop them? If you're concerned about web privacy, don't download it, but it's not like they're trying to trick anyone here.
A lot of Slashdotters are, as usual, not RTFA/web page in question and assuming that this is the usual spyware trick of clandestinely trojanised software pretending to be a legitimate tool - allow me to explain;
The word 'lure' used in the summary is a loaded term - it implies (in the context the editors used) that they are somehow using this free AntiVirus tool as a means of covertly installing spyware - This company is simply offering a free antivirus product if you accept the *up front agreement* that their little utility can spy on your web browsing habits - they're not doing anything clandestine here, they're just offering their service to you for free, so they can sell the results on to advertisers to recoup costs;
From the company's website:
In exchange for having their Internet browsing and purchasing activity observed, members have access to free email virus scanning and other benefits.
This is just a new way of offering a product - "here, you can have this for free, but in exchange you've got to give us stuff we can sell to our avertisers" (though they promise not to sell personal info, so presumably they'll just be selling 'web trends' data) or rather, it's the same way that a lot of so-called 'adware' operates, only they're rarely this up-front.
Sure, it's spyware, but the text above is located right on their front page, is in easily-understandable English, and is not hidden, obscured of obfusicated in any way - if people want to give their permission for Marketscore to monitor their browsing in exchange for free software, who are
Dealing with lawyers would be a lot less tedious if they all looked like Casey Novak.
Just because you know it a piece of code is spying on you doesn't stop it from being spyware. James Bond was still a spy, even when Goldfinger knew who he was. The threat comes to others who may use the machine without knowing the spyware is running. Companies buy Comscore information and actually believe it represents normal people. No wonder so many Web sites suck -aggles
Some banks also block online banking sessions coming in via Marketscore's proxies.
This is the same spyware previously known as "netsetter". There's no question about this being spyware.
Here's Stanford's Information Security Office's statement on Marketscore.
11 Jan 2005
MarketScore (also called NetSetter) is a spyware-like application that compromises the security of all data sent or received by your web browser, even on "secure" encrypted web sites. All external browser communications are re-routed through MarketScore's proxy servers, so they have access to any "secure" traffic/passwords/accounts that otherwise would be encrypted.
If you have MarketScore installed on your computer and have used your browser for any services that require WebLogin, your password should be considered compromised. After you have removed MarketScore from your computer, we strongly recommend that you change your SUNet password. This advice also applies to any other secure web sites you may have visited with your browser.
The Information Security Office is directly contacting owners of machines that appear to behave as if MarketScore is present.
Technical Detail
MarketScore reconfigures the browser to use a "proxy server" for all non-local connections, including HTTPS connections. A proxy server is a machine that acts as a middle-man, brokering web page requests intended for other sites. So if the browser on machine A wants to visit web sites C, D, and E it makes all those requests through the proxy server B. B then contacts C, D, and E and passes the results back to A. This is usually transparent to the user on machine A after the browser has been configured to use the proxy.
Web proxies are typically used in a corporate environment where all web traffic must be controlled or inspected centrally, although in the case of secure HTTPS traffic there is ordinarily nothing the proxy can do except forward the connection or refuse it. In this case, the proxy servers belong to a company called ComScore where they collect and analyze the intercepted data.
While ordinarily an HTTPS connection would simply pass through a proxy securely, in this case MarketScore also installs a new root certificate in your browser so that it can decrypt all intercepted SSL connections (a "man-in-the-middle" attack) without triggering a security warning from the browser. In normal operation, browsers would complain if a site certificate doesn't match the domain of the URL, but the new root certificate tells the browser to trust ComScore's site certificate for any URL.
This goes well beyond what Marketscore claims their program does.
That seems to settle the issue.
If it monitors what I'm doing on my computer it should be classified as spyware. I don't care if it's for research rather than commercial uses, it's still spying.
The fact that the spying program is included with a free anti-virus program to entice people to download it says it all.
"I have no problem with optional programs that record data to be used in a study. My wife also participates in allgery studies. So?"
Did your wife's allergy study also reveal how many times she had sex and with who?
Did it reveal your bank account information?
Did she have to tell the allergy researchers everywhere she drove?
My guess is that there were limits to what the Allergy Research people asked, and even if they asked something untowards ("Excuse me ma'am, what is your breast size?"), she could say "I'd rather not tell you".
You aren't given that choice with this bit of spyware. Its not value for value because you don't get the ability to not reveal certain information about what you're doing.
Why people put their privacy at risk for $20 of value should be another study, but that's not what's at issue here.
I eat pork chops. I eat steak. I treat my wife with respect. I do all of these things in public. Why the hell should anyone cower before the commandments of a religion that is not their own? Don't assume that Christians are the majority on /.
Censorship is telling a man he can't have a steak just because a baby can't chew it. --Mark Twain
I know most people don't make an issue of it, but it _is_ still a commandment, and it _is_ distressing for some of us to see.
First of all, *if* god gave us free will, who gave you the right to complain about how and when we use that free will? If he wants to use god's name in vain then that's his god-given right. Get over it. If you don't want to see things that offend you, maybe you should stick to Christian Safe sites. Don't try to force us to curb our speech/actions based YOUR beliefs.
Secondly, where is the commandment that says not to use the word god/God? Oh I see, you mean this one: "Thou shalt not take the name of the Lord they God in vain: for the Lord will not hold him guiltless that taketh his name in vain".
I hate to have to be the one to tell you this but 'God' isn't god's name. 'God/the Lord' is the substitute that the translators of the bible used to keep people from saying god's name, which is actually 'Yaweh'. They could have just as easily used "snickerdoodle".
If you are going to follow the faith of a pointless mythology, you might as well learn it properly. Sheesh.
Ender-
PS. Thank you for instigating my first ever religious flame/troll post in 14 years of BBS/Internet useage. Too bad you're anonymous.
Nothing to see here
Anti-spyware manufacturers? Is that like steel manufacturing? Is anti-spyware drop-forged, hammer forged, or die cast? Maybe it's extruded like cheerios.
I like toast!
I consider my computer usage habits (i.e. where I click, and what I look at) PERSONAL INFORMATION! A rose is a rose, and spyware is spyware!
If it can go wrong it wnetscape: Segmentation Fault, Core dumped
Marketscore is Spyware
You have been redirected here because your computer attempted to contact a Marketscore proxy server. While it is undetermined whether or not you intended to sign up for the Marketscore service, you should be informed of the following:
* Your communications through Marketscore are not secured:
Even though your browser displays a lock or key and indicates that you are using a secure connection (the URL begins with https://), your traffic is being tunneled through a Marketscore proxy which has direct, unencrypted access to your "secure" connections. Secure connections should always be made directly to the intended target. The Marketscore site certificate could be used to masquerade as any domain, even after being uninstalled.
* Proxying could threaten University security:
Your confidentiality, and that of other OSU services, students, staff and faculty could potentially be compromised since usernames and passwords could be recovered from data collected by Marketscore (previously Netsetter) or its future owners or management. As a student or staff member of The Ohio State University, you are granted access through your login name and password, which could be accessed by unauthorized third-parties through your use of a proxy such as Marketscore.
* Proxying does not improve internet connection speeds: While Marketscore or any similar service may claim to improve connection rates, this is not shown in research.
* It can be construed as a violation of Resnet and the University's Acceptable Use Policy: "Users will not attempt to circumvent the ResNet firewall or any other established network services" [AUP, ResNet]. Proxying through a third party such as Marketscore does just that.
* Marketscore can update itself: Marketscore software can quietly (without user notificatation/intervention) update itself. This means arbitrary code can be executed on your machine at any time.
In order to resume normal web browser activity, you must remove Marketscore from your computer. Below is a guide for removing this Spyware. To be certain that Marketscore is fully cleaned from your system, these instructions must be completed in their entirety.
Remove Marketscore:
Uninstall Marketscore
Open the Control Panel
Click Start->Control Panel (or if Control Panel does not appear, Start->Settings->Control Panel), click Add or Remove Programs
Find the Marketscore (OR Netsetter) item in the list, and click to Remove it.
Note: If Marketscore/Netsetter do not appear in the Control Panel, then you are infected with a self-installing variant of the spyware which you will have to remove using a "hidden" uninstall feature:
ResNet marketscore removal batch tool
Download and run MSremove.bat
If, after following these instructions, your machine has not been cleaned of Marketscore, please contact the ResNet Support Center at 2-HELP (2-4357).
Equip your computer with software to protect against other Spyware and remove possible lingering elements (registry entries, etc.) of Marketscore:
In order to assure that your computer is free of other elements that can compromise your privacy and security, ResNet highly recommends that you install software that will detect and remove Spyware.
The two leading applications are:
Ad Aware - The personal edition is available for free download at http://www.lavasoft.com
Spybot Search & Destroy - This software is freely available at http://security.kolla.de
Install one of these (installing both can cause conflicts), be sure that the spyware definitions are up to date, and scan your system periodically. Doing this, in addition to protecting your privacy and security, will help keep your computer clean and running efficiently.
This lameness filter really sucks.... I'm not sure how i feel about OSU blocking it. I guess they do it because it hurts their network, but what if they block something else?