Controversy over widely used data collection tool could help define the limits of legitimate software behavior.
Staff Writer, CNET News.com
A battle has broken out over the proper definition of "spyware," pitting a Net research provider against critics who see little difference between its software and illicit programs that record personal data without consent.
ComScore Networks' Marketscore application is installed on more than 1 million PCs in the United States, forming the backbone of a well-regarded research service used by Fortune 500 companies, universities and media outlets, including CNET News.com. Now the software is in the privacy spotlight, tied to warnings from some universities and computer security experts about secretive and invasive software, sometimes known as adware or spyware, that can take over a PC with little or no warning.
ComScore denies the charges and is preparing to go on the offensive with a lobby campaign aimed at legitimizing data collection products such as Marketscore. A ComScore proposal currently being shopped to security firms and Internet service providers would create a new "researchware" label for its software in order to explicitly distinguish it from badly behaved spyware products.
"There's a small group of people in universities who've taken it upon themselves to take an issue with our software," said Dan Hess, senior vice president of industry analysis at ComScore. "We're trying to make them fully aware of the nature of our (products and services). It's a completely voluntary program."
What's in a name? Quite a bit, it turns out, if you happen to make your living tracking the private lives of millions of consumers over the Web.
Labels such as spyware and adware cut a wide swath, with many gray areas that can spark disagreements among software makers, consumers and security experts over legitimate and illegitimate practices. Now these basic categories are poised for an overhaul, as federal spyware legislation moves forward and companies like ComScore push for finer definitions from the security companies that are largely responsible for classifying specific products one way or the other.
Depending on how these changes are handled, consumers could face an even more bewildering labyrinth of warnings and terminology over little-understood products such as Marketscore and dozens of other products up for grabs on the Web.
Webroot Software, an Internet security company that counts Microsoft and EarthLink among its customers, said it plans to unveil a new category of potential threats in the next version of its security software, due out in the next few months.
"We're going to have an 'other' category, where we'll be able to identify things like Marketscore, describe what it does, and give users an option to remove it," said Richard Stiennon, vice president of threat research at Webroot. "It's ironic. When we do focus groups with consumers, they say they have too much information. So they're not going to be happy, but we're going to do it."
Webroot currently identifies Marketscore as a subcategory of spyware, known as a "system monitor," that tracks user behavior for marketing purposes.
Other software programs that are designed to detect and remove spyware and adware applications have warned users off Marketscore, too. Spybot Search and Destroy, for example, labels it spyware, and Ad-Aware dubs it a "data miner" for removal.
In fact, many in the Internet industry want better classifications for spyware and other tracking software because, too often, everything gets lumped together. For example, earlier this year, Webroot and EarthLink estimated that the majority of people have spyware on their computers. But the companies' classification of spyware included "cookies," which can be useful for letting people's PCs recall passwords. Even sites like entertainment provider iFilm, which distributes an application for watching movie trailers, have been labeled as spyware.
That's why security software makers like Symantec plan to improve information they have on the threat level of software circulating the Internet. "Rather than new categories, we're focusing on new classifications for understanding risk, to help people make decisions about what it is they want to block and what it is they are OK with," said Vincent Weafer, director of security software for Symantec.
For ComScore, the data it compiles is used to create reports tracking e-commerce sales trends, Web site traffic and online advertising campaigns, to name a few. In a few years, it has risen from obscurity to challenge larger rivals such as Nielsen/NetRatings.
ComScore freely admits that it tracks the activities of its customers, also called "panelists." But it insists that it fully discloses its practices and protects the privacy of its customers by providing only aggregate data for its reports. It also promises to strip out and discard any information that could connect data back to a particular individual.
"We do capture information, including data that occurs in secure sessions, to get information like what a person buys," said Chris Lin, ComScore's chief privacy officer. "We do that with full disclosure, and we scrub the personally identifiable information."
Despite ComScore's claims that it provides clear disclosure and consent, some privacy experts said controversy over its software highlights gray zones for data collection companies. For example, even companies that fully disclose software behavior may nevertheless undermine public perceptions of notice and consent if their disclosure documentation is overly dense or poorly worded.
"They may be upfront about it, and you can put the pieces together, but it requires a full understanding of network security and of legalese," said Steven Jay Schuster, security director at Cornell University, which recently warned students of potential spyware dangers in Marketscore. "Most people don't really understand all the information that's collected about them on the Internet, and to me it's playing on that."
Spyware is commonly thought of as software that's downloaded onto a PC without clearly disclosing all of its functions or obtaining permission from the computer's owner. It typically slips onto a person's machine unnoticed as a scantily disclosed add-on bundled with other popular applications, such as file-sharing software, or via browser security vulnerabilities.
Spyware denies people reasonable control over the application, for example, the ability to easily uninstall it. And, as its name implies, it typically spies on people while they're surfing the Web. It can collect passwords, bank statements and any manner of personal data, down to the keystroke. In a more benign form, known as adware, such programs can be used to send ads based on people's interests.
"Researchware," by contrast, can collect all the same personal information, but it gives people notice, choice, anonymity and control to uninstall the program, according to ComScore's working definition.
Marketscore is a downloadable application that purports to speed up Internet surfing and, in partnership with Symantec, protect e-mail from viruses. In exchange for these services, and with the subject's permission, it tracks people's Web surfing habits and compiles "clickstream" data for research purposes, for example, to extrapolate the most popular Web sites among a sample population.
To compile data, Marketscore redirects Internet traffic through its own servers and decrypts secure data transfers between a PC user and a Web site using Secure Sockets Layer (SSL), the de facto security standard for e-commerce transactions. Doing so, it can collect highly personal information, including bank passwords, health data and credit card numbers.
Because ComScore acts as a proxy server, panelists do not have direct access to the Internet. If Marketscore were to break, for example, users might lose their online connection, or more troubling, be exposed to a potentially damaging security breach. ComScore said it has never had a security breach in its five years of operation.
In fact, ComScore's track record has won the trust of some Internet industry heavyweights that have studied its practices, including America Online.
"The main ComScore panel doesn't constitute spyware," said AOL spokesman Andrew Weinstein. "All the disclosures meet our standards. We're working with ComScore to differentiate their research panels with software, which involves surveys. That might be in a grayer area. But all of their products are fine with us."
Not everyone is comfortable with ComScore's setup, however. Consent aside, security experts said third-party proxies should carry red flags for anyone concerned about the privacy of their personal data and the sanctity of their computer.
"From an overall security perspective, I would never recommend that to happen," said Webroot's Stiennon. "That's the one case where all of your activity can be sniffed and tracked. Even if it was the most reputable company in the world, I would not recommend that practice."
ComScore has a panel of 1.5 million people in the United States who use its software, and by doing so, report their behaviors. With the software, ComScore has built a reputable research business in recent years with less investment than traditional, random digit-dial research panels. Its star has risen since the dot-com bust thanks to the credibility of its large panel size and data. The company sells data to major Internet companies, universities and the media.
But as high-speed Internet service has proliferated in recent years—making its Internet accelerator software less enticing to consumers—ComScore has had to find new incentives and avenues for distribution. For example, it runs JD Academic Research Council, or JDCouncil.org, which offers students $5 or $10 for using Marketscore.
The company has reportedly bundled its software with peer-to-peer applications like iMesh, which are popular with students.
But recently, the company's distribution efforts have hit a snag in academia.
Columbia University and Cornell have begun blocking Marketscore from their networks and students' PCs, and issued spyware warnings on the software. Other schools, including Pennsylvania State University, Indiana State University, California State University and North Dakota University, also are looking into the software.
"It wasn't causing adverse performance effects to our network, but you might imagine if you're a student and logging on to what you think is a secure site, and it's not, and it records your credit card information. That's why we decided to be a little more active on this," Cornell's Schuster said.
Because Marketscore's Web page contains only a buried reference to ComScore, some people say it appears secretive and raises suspicion. JDCouncil.org does not openly refer to ComScore either, except within a company information page.
The controversy comes as spyware is of mounting concern to consumers, information technology managers and corporations. As more Net companies begin to offer tools for consumers to fight it, spyware makers are getting trickier, exploiting Web browser flaws to get onto people's PCs and making it nearly impossible to uninstall their software.
As a result, several states, including California, have anti-spyware bills to ban the unauthorized installation of spyware on the computers of unsuspecting users. Congress is also drafting a federal law to protect consumers from spyware. In October, the U.S. House of Representatives approved the proposed Spy Act, which prohibits companies and individuals from "taking control" of a computer, surreptitiously modifying the URL of a Web browser's home page or disabling antivirus software without the proper authorization.
Ari Schwartz, policy analyst for the Center for Democracy and Technology, said that generally speaking, as long as two parties consent to certain practices related to software, then those practices are legal, even if they involve peering into secure transactions.
Still, when it comes to conventions on the Internet like obtaining consumer consent, certain practices have been exploited, Schwartz said, referring to a recent case against spam king Sanford Wallace. Using ActiveX controls to dupe people into installing software they don't need, or miswording questionnaires next to a check box, are common tricks, Schwartz said.
On the flip side, companies like eBay have established high levels of consent among buyers and sellers. But there is a whole gray area in between, he said.
"Some companies fall into the middle, and there's a push back and forth as to whether they're the good guys or bad guys," Schwartz said.
CNET News.com's Evan Hansen contributed to this report.