Market Research Company Secretly Installs Spyware
An anonymous reader writes "Forbes reports that two security experts are raising new questions about comScore, claiming that company's tracking software is being installed without consent on an unknown number of computers. The widely-used online research company takes screenshots of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. ComScore then aggregates the information into market analysis for its clients, which include such large companies as Ford Motor, Microsoft and The New York Times Co." From the article: "'[The] software is sneaking onto users' computers without the user agreeing to receive it,' says Harvard University researcher Ben Edelman, who documented at least ten unauthorized comScore downloads. Eric Howes, director of malware research at antivirus company Sunbelt Software, and his researchers separately observed hundreds of unauthorized comScore downloads in a three-month period this fall."
Is anyone going to do something about this?
Some justice, revenge, butt chewing, anything?
Do we write our congressman, DOS them or what?
All problems and no solutions.
It must be illegal on some level.
Do we file a massive suit and each collect $5 or what?
*Repent! Quit Your Job! Slack Off! The World Ends Tomorrow and You May Die!
the previous story mentioned social justice in the headline... social justice here would be to have CD copies of their malicious software being rammed up their backsides "without their consent" so to speak...
Why is the DOJ worried more about aunt Eunice downloading MP3s than they are about people who are maliciously causing harm?
sigh, I'll write but I wonder if my representatives will actually notice...
Support NYCountryLawyer RIAA vs People
Keep in mind when reading that by "unauthorized download" they don't mean copyright infringement, they mean that a third party installed ComScore software without *your* authorization.
Yawn? Don't plug into the net? What arrogant uncaring tripe. What kind of jackass gives that sort of a response? Oh, right, an OS snob. People have the right to privacy and surf the net unmolested, no matter the OS they use. ComScore trampled on that right and deserve to burn, so don't turn this around and blame the user.
Bearded Dragon
That's about as stupid as teaching abstinence only as the only way to fight STDs.
Interestingly, the advice given is almost the same too: don't plug in...
People are doing it and kids will do it, so instead of closing your eyes and yelling "don't do it", you should at least show them how to use protection first.
-- This sig for rent.
So what good is the Computer Fraud and Abuse Title Act 18 Section 1030 if the FBI will not enforce it?
Really? Or would they all be downloading bash scripts from pr0n emails that delete their home directories and open up high numbered ports with shells running on them?
Download their software onto a 'tame' computer, and use it to browse 'interesting' sites.
Who would have thought that people who regularly view Ford's web site also like Goats?
OK, now you're just being silly.
Sure, abstinence is the only 100% effective way of preventing STDs, but teaching that and nothing else is an extraordinarily dumb thing to do, because it goes against our natural instincts. We are born with the need for sex, and when it awakens it tends to go a little nuts. Abstinence only education can lead directly to teen pregnancies and the transmission of STDs, because kids are not given an alternative method of protection, and in fact statistics show that it simply doesn't work in any way shape or form. Ignorance is not protection.
Your gun lesson analogy is a bad one. Firing guns is not a natural urge written into our genes.
ALL teens have sexual urges, but only a handful of nutcases have the urge to shoot their classmates.
Thus, your argument is a red herring.
That being said, it wouldn't hurt to have an alternative method of protection against guns, such as trigger-locks, and not rely solely on the "don't do it because I said so" method (which incidentally is the same one used in abstinence only education).
A more proper analogy would be:
You have a swimming pool in your back yard. You can tell your kids not to go in it all you want, but one day, when you're not looking, they will, and when that time comes, wouldn't it be safer if they've been taught how to swim?
-- This sig for rent.
I hope that some group or someone special takes the lead on this and not only goes after civil penalties but criminal penalties as well. I want to see someone in control of these decisions sent to prison for their decisions to make this happen. I ALSO want to see the programmers and implementers of the methods used here sent to prison for their misdeeds.
I think there is a point that needs to be driven home into our culture that it's NOT okay to do anything for money. Because I believe that at some level we all somehow forgive these people for their trespasses because their motivation was for profit... and we all understand the need for profit right? No, there are limits to what is acceptable behavior with a profit motive and like HP's spying (which arguably wasn't directly a profit motive but performed by a profit seeking competitive organization) we should not simply dismiss this as yet another "white collar crime" and move on. If people felt like they were risking more than a few hundred thousand of their millions of dollars, they just might think twice before ordering these things be done.
Inviting the question, even if you trust them with your credit card numbers, and trust all their employees, do you want to bet that there won't be a security breach on one of their servers?
This is a serious limitation of SSL on commodity operating systems, by the way. IE's list of trusted root certificates is simply entries in the registry. Even if you're part of the infinitesimal fraction of users who knows what a CA cert is and where to look for them, how can you do a security review on all 39 of the root certificates that come with Firefox, or spot a new unwanted one? (One of those root certs is from AOL, by the way). If you trust the Mozilla foundation to audit the security and practices of each and every one, do you have the same trust in a proprietary browser's developers? Even assuming the developers make the decision instead of the marketers?
Windows users: when you use Linux, a program that does just what you need is almost always just a few clicks away, is free, and doesn't have toxic junk like this attached to it. Usually Linux comes with your choice of industrial-strength database servers and clients, web servers and scripting languages, a complete software development kit for the whole thing in dozens of programming languages, a choice of office suites and so much more that it's just amazing. One of the nicer things about it is that you can throw out that filing cabinet with the installation CDs, packaging and license agreements that came with every piece of hardware and software because you just don't need it. You can replace it with a nice Japanese fountain and improve your Feng Shui.
Help stamp out iliturcy.
They commission third parties to do it. That's plausible deniability.
Enticing a third party to commit a crime should carry heavier penalties than doing the crime yourself. Especially when as in this case multiple third parties are enticed.
And comShare is receiving stolen property - property stolen only because they offered to buy it. But do we need new law in this area to properly jail these fuckers?
"with their freedom lost all virtue lose" - Milton
Real friends don't expect you to do work for them. If that offends them, good riddance.
Yes, but it's not my responsibility, nor is it a way I want to spend my free time. There are much more fun ways to strengthen friendships that don't involve one person doing work for free.
As far as I'm concerned, my help stops after I tell them to run Debian.
Maybe not
You have a swimming pool in your back yard. You can tell your kids not to go in it all you want, but one day, when you're not looking, they will, and when that time comes, wouldn't it be safer if they've been taught how to swim?
That's a nice analogy, but it doesn't fit. Almost every friend I've set up with Firefox, firewalls, anti-virus programs, etc. has, within days, DISABLED those programs and gone back to surfing bareback.
Why? I ask.
Every bogus reason in the book:
"It was too *slow*" (It wasn't)
"I didn't *like* it!" (Won't say why)
"It *messed up my computer*" (How, they can't say).
"The Icons look wrong" (no joke)
Now I just walk away. Why waste my time with bozos when actual work is available for which I'll not only get paid, but get a "thank you" along with the check?
May contain traces of nut.
Made from the freshest electrons.
"Real friends don't expect you to do work for them. If that offends them, good riddance."
Hear, hear old chap!
It's about time we all stopped subsidizing Microsoft's insecure shitware. If everyone who had Windows had to pay GeekSquad's rates every time a computer died, there would be much more pressure on Microsoft to release something secure. But they don't, because they don't have to.
And seriously, it takes a good whole 12 hours of watching the cleaning software chew through all the data on drives these days and when you're done, you're still not sure you got everything.
Yet some "friends" want us to do it for free or for prices that wind up being about minimum wage when the billable hours are worked out. Sometimes that's ok. Some charity cases are OK in my book, but when the charity case comes back 6 months later with the same old "my computer is slow", one feels like a chump.
So now my line is "I'll do it for free if you let me put Linux on it."
Last Friday, a colleague asked me if his computer was infected because it was slow. I told him it was probably a couple of hundred infections (true). He was wondering if he should give it to me or GeekSquad. I told him GeekSquad will just format and reinstall. I did tell him that while he could pay me to do the same thing at a cheaper rate than GS, I would put Linux on it for free. He's thinking.
--
BMO