Slashdot Mirror


Spyware or Researchware?

prostoalex writes "When the story of Firefox Web site visitors being predominantly male was published, many questioned the methodology used to acquire such research data. This MSNBC article talks about another research company, ComScore Networks, using a free antivirus utility to lure the Web users into downloading a small utility to their hard drives. The catch? The software watches not only sites visited, but even locations of the mouse clicks. ComScore swears the final data does not contain any personal information, but, as the article states, anti-spyware utility manufacturers are still thinking whether to include it on their list."

27 of 244 comments

  1. Gendericator by fembots · · Score: 5, Funny

    To find out the gender of a visitor, just create a site which requires visitors to hold one key while moving the mouse.

    1. Re:Gendericator by mfh · · Score: 5, Insightful

      To find out the gender of a visitor, just create a site which requires visitors to hold one key while moving the mouse.

      Or you can ask... most people are honest about their gender unless they are in a chat room. But without any social interaction nobody has a reason to lie.

      --
      The dangers of knowledge trigger emotional distress in human beings.
    2. Re:Gendericator by eric76 · · Score: 5, Funny
      most people are honest about their gender unless they are in a chat room. But without any social interaction nobody has a reason to lie.

      On the other hand, if they had a slashdot poll asking what is your sex and the possible choices were "male", "female", "none", "both", "not applicable", and "i ate a pizza for supper last night", the "male" and "female" would probably be on the low end of the answers.

    3. Re:Gendericator by Trejkaz · · Score: 5, Funny

      In Soviet Russia, the Cowboy Neal option forgets You!

      --
      Karma: It's all a bunch of tree-huggin' hippy crap!
    4. Re:Gendericator by rjelks · · Score: 4, Funny

      I lie about personal information all the time. It's my small way of messing up the statistics.

    5. Re:Gendericator by fgl · · Score: 4, Funny

      Me too, I'm a 99 year old grandmother of 30 from Albania, who also owns a multi-million dollar IT company that survived the .com bubble & employs over 1000 people.
      I still get porn spam though.

      --
      Go Away! Not for Sale
  2. Depends... by LewsTherinKinslayer · · Score: 5, Insightful

    The difference between Spyware and Usage Statistics is pretty simple: is it clearly stated to the End User and is optional. Essentially, it's not spyware if you know about it up front and have the ability to (actually) turn it off.

    1. Re:Depends... by pete6677 · · Score: 5, Insightful

      Most importantly, is it overly difficult to remove? If the software was either carelessly created or intentionally designed to resist uninstallation, it could cause problems for the user and should be avoided.

    2. Re:Depends... by rjelks · · Score: 4, Informative

      Remember, Gator (or whatevertheyswitchedtheirnameto) isn't spyware either...they said so.

    3. Re:Depends... by Dead+Kitty · · Score: 5, Interesting

      A new question is exactly which parties does the software need to be upfront with? The Marketscore software has just recently changed its tactics; it's no longer just an issue with the End User anymore. They now are actively hiding themselves from end servers. The implications?

      Banks with online banking services have long banned authentication attempts coming from customers using known Marketscore proxies for obvious security reasons. This is due to the violation of the terms & conditions presented when setting up an online banking account. The traditional Marketscore setup had client traffic sent to their proxies which was then forwarded to the intended site. This made it easy for us to track customers with "compromised" machines (Marketscore would never admit to compromising anything).

      Lately (last 1 or 2 weeks), we noticed in our server logs that connection attempts from Marketscore proxies suddenly dropped to nothing (from 100's to 0). After some investigation, we learned that the new Marketscore spyware now installs its proxy locally on the user's machine. It accumulates data in a local cache which is then sent back to Marketscore for their analysis. Because of this, we can no longer filter compromised machines running Marketscore shitware. Of course there's the other garbage like secretly installing their own root cert on the victim's machine, harder detection by anti-spyware programs, etc.

      Yes, maybe the user knows the benefits (and the world of hurt) they can expect from using this software...but what about the banks (or other businesses) who are actively trying to protect their customers? We're still trying to figure out how to deal with this on our side while individually informing the affected customers.

    4. Re:Depends... by Anonymous Coward · · Score: 4, Interesting

      Nice to see someone else notice.

      How much do I hate ComScore/MarketScore, let me count the ways...

      1/ I *think* they use OpenSSL without giving any credit as required by the license. Evidence: http://groups.google.com.au/groups?q=comscore+openssl&hl=en&lr=&c2coff=1&selm=bcqfh4%24mo9%241%40FreeBSD.csie.NCTU.edu.tw&rnum=1

      2/ They actively seek little apps to install their software with. Evidence: http://groups.google.com.au/groups?q=comscore+spyware&hl=en&lr=&c2coff=1&selm=x%25M3d.8204%24n16.5796%40newsread2.news.atl.earthlink.net&rnum=3

      3/ They go out of their way to hide their identity from their "Panellists". Try and find a reference to Comscore on http://www.marketscore.com/

      4/ They do not care about the security of the information of their panellists. Do some research on how they previously "Broke" SSL sessions and effectively proxied all "SSL Protected" information up to their proxy servers.

      5/ They actively try to disguise their immoral practices to gather information. Try to find any mention of "Marketscore" on this page which is the sales site to sell their services to Marketing companies. http://www.comscore.com/metrix/xpc.asp

      6/ They got Ernst and Young (I hate that company too) to "Certify" them. Read the report. It is laughable. https://cert.webtrust.org/ViewSeal?id=383

      7/ They ONLY stopped proxying SSL sessions about 3 days AFTER the New Zealand banks went public saying they were blocking their software. Other banks were doing it just less publicly. How much would their customer base have been eroded if everyone who does internet banking stopped using their software. That is, I believe, why they changed.

      8/ Now they just copy your data to servers. Not sure what. The SSL stuff is encrypted. No one knows what they send but them.

      9/ Their software silently updates without telling the user. That's nasty.

      10/ They have only JUST added an "Add/Remove" control panel. Previously there were no visible clues that it was installed.

      11/ They marketed themselves as an Internet Accelerator. They did this by using proxy technology. This is horribly slow from overseas.

      The conspiracy theorists I know believe they are a front for the NSA. :-) Reston Virginia known for this sort of stuff?

      I just know they are evil. :-)

  3. Choice by mfh · · Score: 5, Interesting

    The beef I have with spyware is that it's never given me a choice; it installs without me knowing and lurks like a drooling Rutterkin in the corner -- waiting for me to spill my drink or drop The One Ring. But this research program is optional, right?

    I have no problem with optional programs that record data to be used in a study. My wife also participates in allergy studies. So?

    --
    The dangers of knowledge trigger emotional distress in human beings.
  4. Antivirus software, huh? by FlyByPC · · Score: 5, Funny

    Isn't that sort of app supposed to be CHECKING for trojans? Sheesh.

    --
    Paleotechnologist and connoisseur of pretty shiny things.
  5. spyware (noun) by weighn · · Score: 5, Insightful
    any software that covertly gathers information about a user while he/she navigates the Internet and transmits the information to an individual or company that uses it for marketing or other purposes - http://dictionary.reference.com/search?q=spyware

    The software watches not only sites visited, but even locations of the mouse clicks.
    add the use of the word "lure" and it makes me think that this is, indeed, spyware.

    --
    Mongrel News all the news that fits and froths
  6. What's to think about? by GoodbyeBlueSky1 · · Score: 4, Interesting
    as the article states, anti-spyware utility manufacturers are still thinking whether to include it on their list.
    How would this not be spyware, exactly? It's not like this "research" will cure cancer.
    --
    why? forty-two.
    1. Re:What's to think about? by damiangerous · · Score: 4, Insightful
      It doesn't at all meet the commonly accepted definition of spyware. If it were bundled as part of some other software and you didn't know about it, sure, that's very spyware and scummy. But to get this program you have to explicitly go to their web site and choose to install this one program that's very explicit about what it does. If you're not tricked, lied to or treated in any way dishonestly, there's no way you can consider it spyware. Go look at the page and tell me how they "trick" you. There are seven sentences of normal size type in the body of that page (and three headers) and one of those seven sentences explicitly states:

      "In exchange for having their Internet browsing and purchasing activity observed, members have access to free email virus scanning and other benefits."

      If that page "tricked" you, turn off your computer now and back away.

  7. If you give choice, there's no research by nigham · · Score: 5, Interesting

    Unfortunately, if they give the users a choice to turn it off, you can't qualify the statistics obtained from users who allow information to be logged as good - e.g. who's to say whether guys may be more inclined to turn it off than girls - or conversely, women feel more threatened about privacy... in either case your stats will be skewed.

    In any case most users (myself, certainly) would turn it off - I am supremely uncomfortable with some random company knowing anything about what I do on my computer.

    --
    I don't want to read /. I want to go home and re-think my life.
  8. No... by damiangerous · · Score: 4, Insightful
    Unless it starts getting buried as part of other installs, it's not spyware. They're very upfront about what they do. There's very little text on the linked page, and one paragraph (of three) reads in the same size type as the other text:

    Marketscore is part of an online market research community with over 2 million members worldwide. Marketscore relies on its members to gain valuable insight into Internet trends and behavior. In exchange for having their Internet browsing and purchasing activity observed, members have access to free email virus scanning and other benefits.

    You have to draw the line of reasonableness somewhere. If that site isn't clear enough for you to understand what they do, you probably shouldn't be on the Internet (or at least not from a computer configuration you could hurt yourself with).

  9. Macs by Johnny+Mnemonic · · Score: 4, Insightful

    This tool then is cutting out the Mac and Linux users from their tracked demographic; together those users represent about 5-10% of the market. And they represent many early adopters of tech, too.

    I would think that the use of a tool of this kind would be enough to skew their information, causing any results to be not credible. I certainly wouldn't use them to research products that I would sell, as I would want to be able to target Mac and Linux users as well.

    --
    $tar -xvf .sig.tar
  10. Re:Well, doh! by StikyPad · · Score: 4, Insightful

    It takes information without my knowing or permission and steals my bandwidth to send it somewhere.

    I know it's not hip to RTFA, but it doesn't install without your knowing or permission. It clearly states that you will allow the program to monitor your internet usage in exchange for the free antivirus software. It's easy to uninstall and doesn't leave its hooks all over the OS.

    Stealing your bandwidth? If you consent to installing it, that hardly constitutes theft.

  11. Free anti-virus? by W8TVI · · Score: 4, Informative

    Why not just download AVG Anti-virus?
    It's free, and has no spyware attached.

  12. of course they say it's spyware by indy_Muad'Dib · · Score: 4, Insightful

    Symantec, for example, designates the program as spyware on its Web site.

    A major antivirus company saying a free antivirus program is spyware, that should raise a few red flags right there.

    1. Re:of course they say its spyware by vga_init · · Score: 4, Insightful
      Well, what is spyware? In my mind, it's a piece of software that harvests data from your computer and sends it to someone else for their own personal uses without your explicit knowledge or consent.

      By my definition, that makes the program in the article spyware.

      You're right in suggesting that Symantec may have an ulterior motive, but there exists (what appears to me) the unfortunate fact that the software actually is spyware. It may be a coincidence, or Symantec may have checked specifically on competing software, but they aren't misreporting anything.

      Black (because I like the color red and black seems more appropriate) flags would go up if a) Symantec lied about the software being spyware, or b) Symantec held a policy that only classified that software as spyware because it was competing with them, letting similar, non-competing programs go by unchecked.

  13. Marketscore has been around for a while by assassinator42 · · Score: 4, Interesting

    It started out being marketed as a way to "speed up" web browsing, much like AOL is advertising with "Top Speed" now. According to the article, they even have access to encrypted connections. It also says that your passwords and stuff are visible to them. This isn't good, and they don't really state up front that they do this. I believe marketscore has been considered spyware for a while by some people. Also, the program they give you in exchange only scans emails, or so it appears. Definitely not worth it.

  14. Re:Well, doh! by complete+loony · · Score: 4, Interesting

    Ah, but lots of software that clearly state in their EULAs that they collect and submit information are also considered spyware. Yes they said it on their web page, but in a PR friendly way, most people will read it and not think about the privacy implications. Remember most people will give away their identity for the chance to win a chocolate bar.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  15. Hostile code - forges SSL certs by Animats · · Score: 5, Informative
    It's more than spyware. This thing reroutes all your browser traffic through their proxy. That's how they see what you're doing. It includes rogue SSL certificates so it can capture encrypted connections. Yes, they get to see all your credit card numbers. Major universities, including UCIC, UCLA, UC Riverside, UCSD, Texas Tech, Windsor, UNC, Old Dominion, Michigan, Iowa, McGill, Carlton, Cornell, American University, Stanford, and Columbia are blocking connections to Marketscore for this reason. If you have Marketscore installed at one of those schools, you get a warning page like this.

    Some banks also block online banking sessions coming in via Marketscore's proxies.

    This is the same spyware previously known as "netsetter". There's no question about this being spyware.

    Here's Stanford's Information Security Office's statement on Marketscore.

    • Security Alert: MarketScore Spyware
      11 Jan 2005

      MarketScore (also called NetSetter) is a spyware-like application that compromises the security of all data sent or received by your web browser, even on "secure" encrypted web sites. All external browser communications are re-routed through MarketScore's proxy servers, so they have access to any "secure" traffic/passwords/accounts that otherwise would be encrypted.

      If you have MarketScore installed on your computer and have used your browser for any services that require WebLogin, your password should be considered compromised. After you have removed MarketScore from your computer, we strongly recommend that you change your SUNet password. This advice also applies to any other secure web sites you may have visited with your browser.

      The Information Security Office is directly contacting owners of machines that appear to behave as if MarketScore is present.

      Technical Detail

      MarketScore reconfigures the browser to use a "proxy server" for all non-local connections, including HTTPS connections. A proxy server is a machine that acts as a middle-man, brokering web page requests intended for other sites. So if the browser on machine A wants to visit web sites C, D, and E it makes all those requests through the proxy server B. B then contacts C, D, and E and passes the results back to A. This is usually transparent to the user on machine A after the browser has been configured to use the proxy.

      Web proxies are typically used in a corporate environment where all web traffic must be controlled or inspected centrally, although in the case of secure HTTPS traffic there is ordinarily nothing the proxy can do except forward the connection or refuse it. In this case, the proxy servers belong to a company called ComScore where they collect and analyze the intercepted data.

      While ordinarily an HTTPS connection would simply pass through a proxy securely, in this case MarketScore also installs a new root certificate in your browser so that it can decrypt all intercepted SSL connections (a "man-in-the-middle" attack) without triggering a security warning from the browser. In normal operation, browsers would complain if a site certificate doesn't match the domain of the URL, but the new root certificate tells the browser to trust ComScore's site certificate for any URL.

    This goes well beyond what Marketscore claims their program does.

    That seems to settle the issue.
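
An added example, not part of the comment above or of Stanford's statement: a small host audit for the two changes the quoted Technical Detail describes, a proxy the browser was not meant to use and a root certificate that is absent from a known-good baseline. The proxy URL, certificate bytes, baseline and function names are constructed placeholders.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_pem(der):
    """Wrap raw bytes in PEM armour (used here only to build sample input)."""
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


def pem_fingerprints(bundle):
    """Return the SHA-256 fingerprint of every certificate in a PEM bundle."""
    prints = set()
    for body in PEM_RE.findall(bundle):
        der = base64.b64decode("".join(body.split()))
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def audit(proxy_settings, trust_bundle, baseline_roots, approved_proxies):
    """List deviations from the known-good proxy and root-certificate state."""
    findings = []
    # Indicator 1: web traffic is sent through a proxy nobody approved.
    # A loopback proxy is flagged too unless it is explicitly approved.
    for scheme in ("http", "https"):
        proxy = proxy_settings.get(scheme)
        if proxy and proxy not in approved_proxies:
            findings.append(f"unapproved {scheme} proxy: {proxy}")
    # Indicator 2: the trust store holds a root the baseline does not list.
    for fp in sorted(pem_fingerprints(trust_bundle) - baseline_roots):
        findings.append(f"root not in baseline: {fp}")
    return findings


# Constructed sample data: placeholder bytes stand in for real DER certificates.
KNOWN_ROOT = b"constructed-known-root-der"
ADDED_ROOT = b"constructed-added-root-der"
BASELINE = {hashlib.sha256(KNOWN_ROOT).hexdigest()}


def demo():
    # On a live host this dict could come from urllib.request.getproxies().
    settings = {"http": "http://proxy.example.invalid:8080",
                "https": "http://proxy.example.invalid:8080"}
    bundle = to_pem(KNOWN_ROOT) + to_pem(ADDED_ROOT)
    return audit(settings, bundle, BASELINE, approved_proxies=set())


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The baseline has to be captured from a clean build of the same platform; a host that reports either finding warrants the password reset the statement recommends.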

  16. It's spyware by PhotoBoy · · Score: 4, Interesting

    If it monitors what I'm doing on my computer it should be classified as spyware. I don't care if it's for research rather than commercial uses, it's still spying.

    The fact that the spying program is included with a free anti-virus program to entice people to download it says it all.