Please try again? Server is doing fine, serving thousands of requests per hour, still working fine in my testing.
I did have to upgrade my hosting plan after the tens of thousands of downloads of my spyware-installed-through-security-hole video last week (4MB file!) (see write-up, slashdot coverage). But especially compared to that, this week has been a cakewalk!
Rogabean writes: "When you installed say, Kazaa, you agreed that in exchange for running Kazaa for free that you also agree to run for instance Gator. So removing Gator should entail removing Kazaa or whatever program bundled it. I can't argue that point."
Certainly Gator claims that Gator is required in exchange for getting Kazaa for free. Whether or not users understand this and meaningfully accept it is another question, of course. If they did, there's a certain persuasive force to Gator's requirement that Gator stay as long as Kazaa stays.
But why not put an Add/Remove entry in Control Panel that lists Gator? Selecting Gator's Remove entry would trigger a popup that prompts "Warning: Removing Gator will remove Kazaa too. Do you want to continue?"
This way, users could always get rid of Gator by going to Control Panel and removing the Gator item, just like any other program.
In contrast, as it stands, users must figure out what programs came with Gator, then separately remove each of those programs. The current procedure is quite a bit longer and more complicated than what I propose, and quite a bit less intuitive and more complicated than removal of most other Windows programs.
Section headings removed (on Gator's EULA Dissected)
Not discussed in the initial write-up above, but potentially of interest:
Gator's license, as presented by Kazaa, merges section headings in with body text. No bold type separates section headings from the paragraphs that follow. For that matter, no line breaks separate the headings from the paragraphs. They're just all merged together.
Example:
Ownership; All Users of This Computer Bound You represent and warrant that you are the owner of the computer and that you have authorized the download and installation of the GAIN AdServer and GAIN-Supported Software, or that...
Seriously! See screenshots.
Is it really that typical to prohibit use of packet sniffers? Any other programs include this in their EULA? I've never seen it before, though perhaps I haven't been reading the right EULAs.
If programs can prohibit packet-sniffers, then how are users (or researchers or testers or auditors) supposed to confirm whether or not programs are complying with their own privacy policies?
Jellomizer, some spyware programs actually do exactly what you propose. I've made several videos showing a bundle of programs, installed through an exploit, wherein one program in the bundle deletes the rest. Makes for a great video: First we see new folders created in Program Files (and new files elsewhere too), then we see many of them disappear. Positively spooky!
I think the other commenters did a good job of explaining my intentions in making the video. One further point to add: It's surprising, and worth documenting, that big companies (e.g. 180solutions) continue to benefit from installations through security holes. Lest the companies deny this in the future, it's essential to document the wrongdoing clearly, convincingly, and publicly.
Howdy folks. Sorry to take so long to respond -- was in airports and planes all afternoon. Day before Thanksgiving...
Browsing to the site I showed in my video is one way to get infected. But that's not the most typical infection method. Instead, other sites can and do point to this site (and other similar sites), typically via IFRAMES. I was recently looking at a post in a web-based threaded messaging site, which used a 1x1 pixel IFRAME (basically, hidden) to reference the site shown in my video. When a user loads the infected post in the threaded messaging site, the user's PC will be infected via the exploits shown (if the user's PC is vulnerable to such exploits), and the user will receive spyware like that shown in the video.
As to video format: I apologize for the WMV format. There's a lot to be said for this format, from the reliable free creator to the wide deployment of the player software (present in all W2K and WXP systems). But clearly it's an imperfect solution, and not great for viewers on other platforms. I'm working on finding a better alternative and/or offering the same content in other formats.
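The hidden-IFRAME pattern described in the comment above, as an added detection example (not code from the original page or from any of the parties discussed): a small scanner that parses an HTML page and flags IFRAMEs that are both hidden (1x1, or hidden via CSS) and point at a host other than the page's own. The sample post, the host names (board.example, exploit.example, tracker.example) and the size threshold are constructed for the example.

```python
"""Flag hidden IFRAMEs that pull in third-party content.

Added example: the page, host names and thresholds below are constructed
for illustration and are not taken from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_CSS = ("display:none", "visibility:hidden")


def _tiny(value: str) -> bool:
    """True for a width/height of 0 or 1 (with or without a px suffix)."""
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return digits.isdigit() and int(digits) <= 1


class IframeFinder(HTMLParser):
    """Collect every IFRAME that is hidden *and* loads from another host."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # A relative src (no host) stays on the page's own host.
        host = (urlparse(src).hostname or self.page_host).lower()
        reasons = []
        width, height = a.get("width", ""), a.get("height", "")
        if _tiny(width) and _tiny(height):
            reasons.append(f"tiny frame {width}x{height}")
        style = a.get("style", "").replace(" ", "").lower()
        if any(rule in style for rule in HIDDEN_CSS):
            reasons.append("hidden via CSS")
        # The drive-by pattern is a frame the user cannot see that fetches
        # content from somewhere else; visible embeds and same-site frames pass.
        if reasons and host != self.page_host:
            reasons.append(f"third-party host {host}")
            self.findings.append((src, reasons))


def find_hidden_iframes(html: str, page_host: str):
    """Return [(src, reasons)] for each suspicious IFRAME in the page."""
    finder = IframeFinder(page_host)
    finder.feed(html)
    return finder.findings


# Constructed sample: a message-board post carrying one 1x1 IFRAME to an
# exploit host and one CSS-hidden tracker frame, plus two benign frames.
SAMPLE_POST = """<html><body>
<p>Great thread, check the links!</p>
<iframe src="http://exploit.example/index.htm" width="1" height="1" frameborder="0"></iframe>
<iframe src="/embed/poll.html" width="1" height="1"></iframe>
<iframe src="http://video.example/player" width="480" height="360"></iframe>
<iframe src="http://tracker.example/x" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_POST, "board.example"):
        print(f"SUSPECT {src}: {', '.join(why)}")
```

The same-site 1x1 poll frame and the full-size video embed are deliberately left alone: the signal is the combination of "user cannot see it" and "content comes from somewhere else", which is exactly the shape of the forum post described above. In practice the scan runs over the page as the browser received it, after any server-side templating, since that is what the victim's browser renders.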
Recall my 2003 Documentation of Gator Advertisements and Targeting. I didn't pollute their system or render it worthless, but I did devise a method of efficiently determining all advertisements that Gator targets at a given domain. Type in a domain, see which competitors or others are targeting that domain with their paid advertisements through the Gator / Claria service.
Viewing the license on screen can be quite difficult, because WhenU places it in a window so small that viewing the whole thing requires 45 distinct presses of the page-down key. See WhenU License Agreement Is Forty Five Pages Long.
As WhenU presents the situation, users' apparent consent (e.g. by pressing the "Yes" button in a drive-by download) allows WhenU to do whatever they want.
One problem with this argument is that sometimes users are asked to accept a license agreement that 1) they've never seen ("click here to view our license agreement, then press yes to continue"), or 2) they cannot view (because the "click here" link is defective). In court two weeks ago, I showed the judge a couple videos of various defective WhenU license agreements, which don't display even when users specifically request them.
See my report from the hearing, case documents.
See analysis by Eric Howes:
Unfortunately, the majority of those "software principles" address only the amount and type of information provided, not the actual practices through which that information is delivered. While Google's document does insist on "clear" and "conspicuous" notice, it largely neglects to lay out just what that would mean. Indeed, I strongly suspect that companies like Gator and WhenU would claim that they already abide by these principles and point to their EULAs, which are presented to users during the installation of Gator, SaveNow, and their other software applications. In my own analysis of the automated, online installation of C2 Media's Lop.com software (see www.staff.uiuc.edu/~ehowes/dbd-anatomy.. ), it was clear that C2 Media's collection of EULAs and privacy policies had in fact covered all of the major functionality and behavior of the software installed, just as Google's "software principles" insist.
As the guy who reported WhenU's cloaking to Google, I can tell you that Google didn't remove WhenU because Google doesn't like WhenU (whether or not they do, I do not know) or on a whim. Google removed WhenU because WhenU was breaking Google's rules. Details at WhenU Spams Google, Breaks Google "No Cloaking" Rules.
I think this is a bigger deal than folks here have recognized:
1) It's not often that Google and Yahoo and MSN take public action against those who break their rules. There's surely lots of cloaking going on in the world, but most of it seems to go undetected, or at least unpublished, by search engine staff. Conversely, I gather it's rare for a company as big as WhenU to try cloaking -- most cloakers are somewhat smaller, somewhat less established, and have somewhat less to lose (can just set up shop on some new domains if their old domains get excluded from search engine results).
2) My research indicates WhenU has been engaging in a pattern of search engine spamming. There's the cloaking, described above. Then WhenU copied some dozens of articles to more than a dozen WhenU web servers -- without statements of authorization to reproduce, and without even copyright notices. (One publisher confirmed that the article copies were unauthorized.) What to make of this? Again, I believe, the best interpretation is a desire to manipulate search results to boost availability of pro-WhenU content at the expense of critics, search engine rules and copyright law notwithstanding. Details at http://www.benedelman.org/spyware/whenu-copy.
3) WhenU has other bad practices of note. See my release of last week: WhenU Violates Own Privacy Policy: WhenU has been telling users that its software "doesn't collect or send your browsing activity anywhere" when, in fact, it does. My site has screen-shots, HTTP logs, etc.
One relevant question: Does WhenU in fact comply with its privacy policy as drafted?
My research indicates that WhenU does not comply with its privacy policy, in the following sense: It sends to its servers certain URLs that users visit, namely the URLs above which WhenU displays pop-up ads.
Details are in my recent FTC comments, Methods and Effects of Spyware. See paragraphs 12-17.
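One way to make the check described above, as an added example that is not part of the original comment: replay captured HTTP requests and flag any request to the ad vendor's servers whose query string carries a URL the user visited earlier in the same capture. The proxy log, the vendor host ads.vendor.example and the parameter names are constructed for the example and are not WhenU's actual traffic; the technique is the one the comment points at, evidence from HTTP logs rather than from the vendor's description of its own software.

```python
"""Check captured HTTP requests for visited URLs being reported to a vendor.

Added example: the proxy log, vendor host and parameter names are constructed
for illustration; they are not WhenU's actual traffic.
"""
from urllib.parse import parse_qs, unquote, urlparse

# Constructed proxy log, one outbound request per line: "<time> <method> <url>".
# Line 2 is the interesting one: the ad server is told which page the user
# is looking at, percent-encoded in the query string.
PROXY_LOG = """\
2004-11-24T10:00:01 GET http://www.example-bank.com/accounts/summary
2004-11-24T10:00:02 GET http://ads.vendor.example/show?ver=2&url=http%3A%2F%2Fwww.example-bank.com%2Faccounts%2Fsummary
2004-11-24T10:00:05 GET http://www.example-shop.com/cart
2004-11-24T10:00:06 GET http://ads.vendor.example/show?ver=2&kw=shopping
2004-11-24T10:00:09 GET http://cdn.example/style.css
"""

VENDOR_HOSTS = {"ads.vendor.example"}  # assumed name for the ad-serving host


def parse_log(text):
    """Yield (timestamp, method, url) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, method, url = line.split(" ", 2)
            yield ts, method, url


def find_leaked_urls(log_text, vendor_hosts):
    """Return (timestamp, vendor_request, leaked_url) for every request to a
    vendor host whose query string carries a URL the user visited earlier."""
    visited_hosts = set()
    leaks = []
    for ts, _method, url in parse_log(log_text):
        parts = urlparse(url)
        if parts.hostname not in vendor_hosts:
            visited_hosts.add(parts.hostname)  # ordinary browsing, remember the host
            continue
        # parse_qs already percent-decodes; unquote again in case the client
        # double-encoded the value.
        for values in parse_qs(parts.query).values():
            for value in values:
                candidate = urlparse(unquote(value))
                if candidate.scheme in ("http", "https") and candidate.hostname in visited_hosts:
                    leaks.append((ts, url, unquote(value)))
    return leaks


if __name__ == "__main__":
    for ts, req, leaked in find_leaked_urls(PROXY_LOG, VENDOR_HOSTS):
        print(f"{ts}: {req}\n    reports visited URL {leaked}")
```

The keyword-only request on line 4 is not flagged, which is the point: the test is not "does the software talk to its vendor" but "does what it sends contain the user's browsing activity". A real capture would also need to look at POST bodies and at any obfuscated or hashed encodings of the URL, which a plain query-string match will miss.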
You're right that the bill would be awfully overbroad if it did what the article says it does. But the article is wrong. Read the bill and see for yourself.
Or, better yet, read my FAQ-style analysis, A Close Reading of Utah's Spyware Control Act, and see 1) what the bill really does, and 2) what the article got wrong.
In short: Software that reports users' online activities is only prohibited under the bill if the software lacks a proper license agreement and uninstall program. So plenty of programs can still report users' activities, so long as this is properly disclosed and so long as users can change their minds later.
I agree that that's the impression you'd inevitably get after reading the article. That's clearly what the article's author wanted! The question is: What impression would you get after reading the bill? Or after listening to the sponsor of the bill defend it?!
For an alternative perspective, check out my A Close Reading of Utah's Spyware Control Act. I go through the bill's major provisions, then take a close look at the specific concerns raised by its critics. I received a copy of a letter they sent to bill sponsors, so I can examine the arguments in considerably greater detail than, for example, the MediaPost article.
It's been fascinating to see this discussion -- with some folks taking the time to pretty carefully understand the bill, and others (perfectly understandably) deferring to news coverage. As someone who's had the opportunity to talk to Utah legislators about this bill, I thought I'd put together an analysis of what the bill does. I've also received a copy of the letter that gives the AOL et al. critique of the bill, so I've tried to respond to it, point by point.
Yes. Recall Radlight removing Ad-Aware.
I have personally observed -- and recorded in screen-capture videos -- the software of both plaintiff and defendant, installed through security holes.
See e.g. Who Profits from Security Holes?.
Perhaps also of interest:
After DirectRevenue removes competitors' programs from users' disks, it also transmits extensive information about users' computers. Among the information: MAC address, Windows Product ID, all running tasks, and registry entries for certain additional competitors (Gator, 180solutions) and removal programs (Ad-Aware, PestPatrol) if installed.
I agree that there's lots of room for EULA reform.
See also my recent article about Gator's EULA (Slashdot'ed last week): Gator's EULA Gone Bad.
Yes. Recall the New York Attorney General's successful suit against Network Associates, challenging a EULA prohibiting posting benchmarks or reviews without consent.
"Judge Orders Software Developer to Remove and Stop Using Deceptive and Restrictive Clauses" - NY AG's office
I used Windows Media Encoder. Free from http://www.microsoft.com/windowsmedia .
Ben Edelman
For those still reading --
I'm told that Governor Walker signed the bill into law today.