Banking

Secret agents invade your PC

Many software companies use phone-home applets to verify that you have all their latest patches and fixes. But these update agents could be snooping around where they don?t belong. Help to secure your network by understanding the software spy game.


By Howard Millman

You might not know it, but they're in your PC and on your network, and they're altering your applications. Hell-bent hackers? Viruses? Nope. The digital critters to which we're referring are the increasingly ubiquitous phone-home applets embedded in many applications by some of the biggest and best-known commercial software companies in the world.

Used by Microsoft, Symantec, Intuit, and many other software vendors, phone-home applets verify that users have the latest patches and fixes released by a software vendor. Convenient and simple, these specialized applets, often called update agents (or, more menacingly, spyware), allow unrestricted access to a user's PC. These automated updates can be a great convenience, sparing software users from having to manually seek software fixes and updates.

But at what cost to the consumer? While these vendors are doing their updates, they may be stealing data from your PC.

Annoying agents
Customers may not have any sure way of knowing what information that update agents retrieve and transmit, so they may be left to rely on vendors' assurances that only necessary update information is collected. If you're a trusting consumer, you may be at risk when sneaky vendors use the back door to surreptitiously extract and analyze information in your computer—your Internet browsing habits or PC configuration.

CNET and TechRepublic
This article first appeared on CNET's Enterprise Business site. TechRepublic is part of the CNET family of Web sites dedicated to educating and empowering people and businesses in the IT field.

Though application vendors in every category use auto-updates, game vendors seem to stand out for their stealthy data-collection practices. For example, Verant Interactive, a division of Sony Online Entertainment, was collecting information about additional applications running on users' computers while they were playing its online game EverQuest: The Scars of Velious. Confronted with evidence collected by technically savvy players using network sniffers—and anticipating a flood of angry responses from its customers—Verant changed its policy. "It really woke us up," says Verant's COO, John Smedley. "We have now opted to walk a straighter path."

Similarly, the online game site Battle.net, operated by Blizzard Entertainment, was snooping into players' PCs to retrieve key configuration information, such as players' names, browsers, and e-mail addresses, as well as files from competing gaming Web sites. Like Verant, Blizzard said that it was all a misunderstanding and that the purpose was to improve customer service.

Even if they are not used for secretive data collection, update agents can irritate users. For example, Microsoft's Windows Me prompts users to launch the update agent so often that it becomes a distraction. In addition, when the agents misbehave, as did the one in Intuit's QuickBooks, they can really drag down performance; Intuit's agent was designed to run at predefined intervals ranging from once a day to once a week when the computer was connected to the Web. However, a bug in the code caused it to run as often as once an hour.

"This is new stuff," admits Intuit's vice president of technology, Paul English. "We're learning about the problems with it, and we're learning how users perceive it." Intuit's research revealed, not surprisingly, that users want to know what's going on. QuickBooks 2001 includes enhanced disclosure of Intuit's update policies and practices.

"One of the most important aspects of privacy protection is transparency of information collection," says Andrew Shen, a policy analyst with the Washington, DC-based Electronic Privacy Information Center (EPIC). "That is, a data collector must tell the customer what information will be collected and how it will be used. Auto-update features and cookies, while convenient, allow companies to collect more info than consumers expect to provide or is necessary to update software."

But what can you do if you don't trust your vendor?

Protecting your data
You may not want companies crawling around your system. In that case, security experts advise enterprise administrators to disable auto-updates. By doing so, users can limit the amount of bandwidth that the data exchange consumes usually without visible notification. More importantly, disabling auto-updates closes a potential security hole, because most updates circumvent the system's security.

"Some auto-update applications run natively on Windows 95/98/Me machines, meaning that they run with all the permissions of the user that's currently logged in," says Neal Goldman, director of Internet Computing Strategies at the Yankee Group. "This gives them access to everything on the drive, [because] ActiveX Controls downloaded from Web sites can access forbidden resources like local hard drives."

"Vendors are understandably tempted by the opportunity to look around in a user's computer," says Bob Geiger, president of the Ardsley, NY-based computer security firm info-defense.com. "In the hands of a skilled marketer, the information gathered by auto-update applets is a virtual treasure trove, a marketer's ecstasy."

Geiger views high-speed broadband adoption as a factor that increases security and privacy threats posed by auto-update applets. "I certainly do not rule out the likelihood of some update programs copying a cookie file, browsing the hard drive's directory, or reading Windows' Registry to see what other applications reside on the machine, maybe even to extract the owner's personal and business names," he says. "With cable and DSL connections, these files can be uploaded in one-tenth of a second, well below the event horizon of any user."

Good intentions, bad results
But data collection from a customer's PC by a vendor isn't always tied to some type of privacy violation conspiracy. Sometimes such violations simply result from coding errors.

Take Macromedia, for example. The company included a feature in its Shockwave multimedia development software that would let users collect and transmit Shockwave-enhanced Web site URLs. Surprisingly, the URLs sometimes included usernames, passwords, and other private information.

Microsoft had to defend itself against similar charges that its Windows 98 operating system and Word and Excel Office programs were tracking users' actions with a stealth technology called Globally Unique Identifiers. The technology could identify the author of a document across the Internet. Microsoft says that the identifier's purpose was to facilitate the tracking of documents' authors and recipients. However, a bug in a Microsoft product registration utility combined with the identifier provided far more information about users' machines than was originally intended. Microsoft and Macromedia acted quickly to eliminate the offending processes and avoided litigation.

Though no evidence exists that these mistakes are anything more than an irritation or inconvenience, the next incident might have more dire consequences. But according to info-defense's Geiger, coding errors and unlimited access combined add up to shaky security. Taking this risk is up to you.

Data hijacking
You can be sure that most privacy-violating vendors are doing what they can to keep their activities secret. After all, getting caught lifting information from customers' PCs makes for bad publicity and mistrust. Indeed, conventional social wisdom declares that the fear and consequences of getting caught—not principle—is what keeps most people honest. The same thinking applies to software vendors. "It's the kiss of death for the vendor if the public finds out the company was collecting unauthorized information," says Michael Levy, Ph.D., vice president of research and development at NewHeights Software Corp. in British Columbia and professor of computer science at the University of Victoria, British Columbia.

Levy lays part of the blame on the digital devices evolution, saying, "PCs were designed well before the connectivity revolution. The reality is that the architects of the hardware and operating systems never considered the fact that everybody's PC will someday be connected to everyone else's."

Though the financial incentives for collecting information may be significant, they might not outweigh the risks. Software vendors who don't fully disclose their intentions face the threat of costly litigation. For example, class-action lawsuits against media-delivery company RealNetworks charge the company with secretly collecting data about users' Internet browsing habits and music preferences.

The sweeping suits charge that the company violated the federal Computer Fraud and Abuse Act, state privacy laws, and consumer protection statutes. The company is also accused of trespassing, invasion of privacy, and unfair competition. Such charges may cost RealNetworks millions of dollars if the plaintiffs are successful. RealNetworks denies the charges, saying that it notified users in the license agreement that it was collecting the information.

Trust me, I'm here to help
Full disclosure and greater user control over the process will eventually result from a combination of economic incentives, FTC enforcement, and the efforts of privacy groups such as TRUSTe and EPIC. Congressional legislation, such as Senate bill S.R. 3180 (the Spyware Control and Privacy Protection Act), will further help to raise user awareness and lift the concealing veil.

Until then, network administrators have few remedies at their disposal. The most obvious option is to disable the update agents, a process that's sometimes difficult because the code is usually an integral—and concealed—component of the primary application. Another option, touching on costly paranoia, uses a network sniffer to catch data packets entering and leaving the network. One alternative, available to shops with hardware firewalls in place, is to configure rules to trap outbound traffic to specific Web sites. This tactic assumes that administrators know that update agents are running and have the target site's IP address.

Finally, Geiger advises that you have recourse to the one strategy that usually succeeds, "Do business with vendors that have earned your trust and take them at their word."

Big Brother
How do you feel about vendors collecting information about you and your computer without your knowledge or explicit consent? Are you doing anything to protect yourself from electronic eavesdropping? What should we do to vendors who are gathering information unlawfully? Post a comment and let us know how you feel.

Howard Millman, a writer and computer technology consultant based in Croton, NY, contributes to CNET Enterprise and helps make computers behave.

This document was originally published by CNET on Feb. 12, 2001.

Editor's Picks