Spies Among Us

O.K., maybe it does sound a little paranoid. But last year over the Christmas holidays, Richard Smith, a Brookline, Mass., software entrepreneur and freelance computer investigator, became convinced his computer was spying on him. It began after Smith had downloaded onto his laptop a nifty program he found called zBubbles, which is supposed to help people shop online. A product of Amazon subsidiary Alexa, zBubbles does some helpful things. When you're surfing e-commerce websites, it pops up and offers recommendations about products. And just like a good shopping pal, it even gives you comparative shopping advice about where you may be able to get a specific item cheaper.

There's a dark side to the program, though, that isn't nearly so friendly. While browsing an Internet-privacy newsgroup, Smith came across a posting from a zBubbles user who suspected it was snooping on him. The program supposedly monitored what users were doing online and discreetly reported back to Alexa.

Intrigued by the report, Smith, who played a major role in tracking down the creator of last year's Melissa virus, decided to investigate. Working out of his third-floor home office, he ran a little experiment. He fired up zBubbles and began surfing the Net; at the same time, he launched a program called a "packet sniffer," which examined the transmissions that were leaving his computer and going back over the Internet. He found they contained all kinds of information about him that zBubbles had culled as it trailed him online. What was in there? His home address, for one thing. It also sent back the titles of the DVDs he was considering buying on Buy.com. His computer was even relaying information about an airline flight he had booked for his 14-year-old daughter. "It was creepy," says Smith.
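The experiment above can be reproduced on a small scale: take the outbound records a packet sniffer reconstructs and check each payload for your own sensitive values. The following is an added example, not code from the article or from any company it names; the hosts, payloads and personal values are constructed, and it goes beyond the plain-text case in the story by also checking URL-encoded and base64-encoded forms of the data.

```python
import base64
import re
from urllib.parse import unquote_plus

# Constructed values the user would not want leaving the machine.
SENSITIVE = {
    "home address": "12 Example Lane, Brookline MA",  # constructed
    "flight number": "XY1234",                         # constructed
    "dvd title": "The Matrix",                         # constructed
}

# Constructed outbound records as a sniffer might reconstruct them:
# (destination host, payload). Plain, URL-encoded and base64 forms are mixed in.
CAPTURED = [
    ("shopping-helper.example",
     b"GET /rec?title=The+Matrix&addr=12%20Example%20Lane%2C%20Brookline%20MA HTTP/1.0"),
    ("shopping-helper.example",
     b"POST /report HTTP/1.0\r\n\r\n" + base64.b64encode(b"flight=XY1234")),
    ("airline.example", b"GET /itinerary?flight=XY1234 HTTP/1.0"),  # user-initiated lookup
    ("news.example", b"GET /headlines HTTP/1.0"),
]

def _views(payload: bytes):
    """Yield plausible readings of a payload: raw, URL-decoded, base64-decoded chunks."""
    text = payload.decode("latin-1")
    yield text
    yield unquote_plus(text)
    for chunk in re.findall(r"[A-Za-z0-9+/]{8,}={0,2}", text):
        try:
            yield base64.b64decode(chunk, validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64; ignore the chunk

def find_leaks(captured, sensitive, trusted_hosts=()):
    """Return a set of (host, label) for every sensitive value seen leaving
    the machine toward a host that is not on the trusted list."""
    leaks = set()
    for host, payload in captured:
        if host in trusted_hosts:
            continue
        for view in _views(payload):
            for label, value in sensitive.items():
                if value.lower() in view.lower():
                    leaks.add((host, label))
    return leaks

if __name__ == "__main__":
    for host, label in sorted(find_leaks(CAPTURED, SENSITIVE, ("airline.example",))):
        print(f"{label} sent to {host}")
```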

zBubbles has good reason for sending some of that information back to Alexa. To help with e-shopping, it has to know the sites a user visits and the products he sees there. But zBubbles apparently spies even when users aren't shopping: Smith was just double-checking his daughter's plane reservation when zBubbles grabbed the flight number and sent it home. "They're getting too much information," concludes Smith. "They design the product always to be installed on the screen, even though most of us aren't shopping all the time."

Officials from zBubbles declined to comment, since a complaint was filed by Smith with the Federal Trade Commission. A company privacy statement online, however, insists zBubbles doesn't correlate any information it collects with individual users. While that might appear to lessen privacy concerns, Smith and others are concerned the information could be matched up with individuals if the company is sold or if it changes its mind. In fact, the zBubbles usage agreement cautions that its privacy policy "may be changed by us in the future." Users, it adds, should "check the zBubbles privacy policy frequently for changes."

It's hardly a shock these days to learn that surfing the Internet isn't a private experience. Internet service providers have the ability to keep track of the sites you visit and the software you download. Websites use cookies, bits of data that can be stored on your PC, to keep a record of visitors. And the DoubleClick dustup, which erupted earlier this year when it emerged that the company was cross-matching information from its cookie-created user profiles with data it had acquired through its $1.7 billion purchase of the direct marketing company Abacus Direct, was a reminder of just how easy it is for companies to link the cookies you got by visiting different websites with off-line information about you to assemble a chillingly complete dossier, including everything from where you work to what kind of books and movies you like to buy.

But zBubbles is part of a new wave of privacy incursions that take Internet snooping to a new level: software that commandeers your computer to spy on you. This software plants itself in the depths of your hard drive and, from that convenient vantage point, starts digging up information. Often it's watching what you do on the Internet. Sometimes it's keeping track of whether you click on ads in software, even when you're not hooked up to the Internet. In Netspeak these programs are known as E.T. applications because after they have lodged in your computer and learned what they want to know, they do what Steven Spielberg's extraterrestrial did: phone home.

That may be the most paranoia-inducing part. E.T. applications use your Internet connection to deliver espionage briefings on you, often without your realizing it's happening. "If you're connected to the Net, it's easy for these applications to send a packet back," says William Cheswick, chief scientist at Lucent Technologies' new Internet-security venture. "It's one additional flash of the modem light. Who would even notice?" In fact, some E.T. applications have been uncovered precisely this way. People glance over at their computer and have a Sixth Sense moment: their modem light is flashing, indicating that information is being sent over their Internet connection, even when no one is seated at the computer.

Makers of E.T. applications say the privacy concerns are overblown. Most say that even if they are able to collect data about computer users, they don't connect them to individuals. Yes, they may have the capability to learn, even without your knowledge, that you are visiting porno sites or HIV Web pages. But, they say, they'll never connect any of that to you by name. Those promises don't assuage many privacy advocates, who say the data have the potential to be misused and, given the commercial value of individualized data, companies that collect them could change their policies at any time.

The stakes are ratcheting up quickly as we enter the coming wireless, portable-computer age. Before long our computers will probably be high-performance, handheld devices that know our physical location at all times and serve as our primary means of making purchases. If these pocket-size PCs have spies inside them, the capacity to monitor our lives will be virtually unlimited.

E.T. applications take advantage of a simple fact of Internet life: when we download software, most of us have no way of knowing what we're getting. We have to rely on the word of the company providing it and of the software writer that it does what it says it does and nothing else. "Any piece of software you download from the Internet is potentially a Trojan horse," warns David Kristol, a member of the technical staff at Lucent Technologies' Bell Labs. "You have no way of knowing what it's going to do."

That's what makes it so easy to spread computer viruses like Melissa, which traveled across the Internet in e-mail, embedded in innocuous-looking Word documents. It's what makes fraud so easy on the Net. A few years ago, the so-called Moldova scam lured users to free porno sites with such names as www.waysexygirls.com. When anyone downloaded a program that was necessary to see the way-sexy girls, it included Trojan-horse software, which, unbeknownst to the user, hijacked the computer modem so that it dialed a phone number in the small East European nation of Moldova, charging the victim's phone bill at the rate of $3 a minute.


E.T. applications aren't quite that sinister. But they often spirit away personal information users would be appalled to know was being shared. "People may get a box to check, but they have no idea they're downloading tiny little spies that will report back on them," says Robert Ellis Smith, publisher of the Privacy Journal. "Most people don't even know that can be done."

Take the case of SurfMonkey, which is supposed to protect kids surfing the Web. The program blocks questionable language and prevents children from accessing inappropriate Web pages. But, according to Richard Smith, it also sends home information, including a user's personal ID, phone number and e-mail address. That's hardly privacy-friendly, says Smith.

SurfMonkey says it doesn't use the IDs to collect data on individuals; they're used to evaluate the appropriateness of websites for children. Any personal information that is gathered, the company says, is otherwise "ignored." In any case, the company plans to change its software in the next month to stop sending ID data to its server.

The roots of E.T. applications go back to a surprising place: Microsoft. When Windows 95 came out, it included a program called Registration Wizard, which let purchasers dispense with snail mail and register their Windows 95 software over the Internet. But it did something else too: it poked around on the purchaser's hard drive, making a list of other installed software, and sent the information back to Microsoft. Although Microsoft asked users for permission, it still caused an uproar. Critics contended that Bill Gates & Co. were snooping for commercial advantage: they charged that Microsoft wanted the data so that it could e-mail WordPerfect users to try to get them to switch to Microsoft's Word. Eventually the uproar died down, and Microsoft kept Registration Wizard just as it was.

In the five years since the Windows 95 rollout, E.T. applications have proliferated. More than 22 million people are believed to have downloaded them. The real driving force is that in the mad race for eyeballs and click-throughs on the Internet, information about who you are, where you live and what your surfing and buying patterns are is becoming increasingly valuable. "These days grabbing personal data is often seen as a surrogate for value by venture capitalists and Wall Street," says Jason Catlett, president of Junkbusters Corp., a privacy website.

There are hundreds of E.T. applications out there. Among the most popular: PKZip, shareware for compressing, storing and archiving files, and CuteFTP, widely used by the MP3 crowd to fetch music files. (Conducent, the company that embeds ads in PKZip and the current version of CuteFTP, says it sorts ad-view data only demographically and collects no personally identifiable information.) But even computer experts have trouble spotting E.T. programs. In some cases, they've come to light only when tech-savvy Internet-privacy advocates have picked apart the data streams moving in and out of their computers. That's how Smith blew the whistle on RealNetworks last fall.

RealNetworks makes the popular RealJukebox software, which lets users transfer music from the Net and their CDs to their hard drive so it can play on their computer. Smith noticed that when he put a CD in his computer, his music choice and his machine's unique identifier were sent back to RealNetworks. Since Smith had given RealNetworks his name and other identifying information when he registered his RealJukebox software, RealNetworks would be able to compile a database on what kind of music he was listening to. Under a firestorm of criticism, RealNetworks, which maintained it had no plans to correlate users' names with their musical tastes, nevertheless disabled its E.T. applications.

The most recent company to feel the heat over E.T. applications is Radiate, formerly known as Aureate. Radiate is an advertising company that works with the makers of shareware software that can be downloaded free from the Internet. Shareware writers have long tried to support themselves by asking people who download their product to make voluntary payments. The problem was, few users paid up. Radiate's solution: placing ads on shareware. But these days the real money is in targeted ads that change to something else after they have been viewed once or that are matched to the interests and demographics of particular viewers. Radiate's ads placed on such popular shareware as Go!zilla and older versions of Free Solitaire came with E.T. software that embedded itself in 18 million people's computers and used their Internet connection to report back on what ads people were clicking on.

Internet-privacy advocates were furious. They argued that tracking the ads someone clicks on is inherently invasive. Computer users may not want it known that they're clicking on ads for, say, cancer drugs or pornography. A worst-case scenario: this kind of sensitive information, gleaned from a computer user's home Internet surfing, could make its way to the person's employer.

Worst of all, the original version of Radiate's software, which still resides in countless computers, was written to keep phoning home even after the shareware that put it there was deleted. In other words, even after you uninstall its shareware version of solitaire, your computer could keep reporting back on you. Users needed a special tool to delete the file, which the company provided on its website only later, after an outcry from privacy advocates.

Radiate insists it did nothing wrong. It says it never identified individual users who went to particular sites. "The information is anonymous," says spokesman Peter Fuller. "All we would know is that user XYZ123 clicked on an ad." And, Fuller says, no specific information about users was passed on to advertisers. Still, Radiate had the capacity to learn and share this information had it so wished.

One of the most insidious things about E.T. applications is that most computer users have no idea these invaders are in their computers. Steve Gibson, a computer consultant from Irvine, Calif., learned he had an E.T. application on his computer only when he was running ZoneAlarm, an Internet firewall application. It listed applications on his computer that he knew were in contact with the Internet, such as his Internet Explorer browser and his Eudora e-mail. Then it asked him about one he'd never heard of: tsadbot.exe, which turned out to be an E.T. application he had unwittingly let into his computer a month earlier while downloading some shareware.

What can the average computer user do to guard against intrusions? Nothing. But Gibson wasn't an average user. Outraged, he developed a program called OptOut, which removes Radiate. He is working to extend it to other E.T. applications, including Conducent's adbot, the mysterious tsadbot.exe that he found lurking in his own computer.

One big question is, What will the law have to say about E.T. applications? Privacy advocates claim existing statutes ban many of them. In the United States, the Computer Fraud and Abuse Act, which was enacted to prohibit hacking of government computers, contains some broad language about unauthorized access to computer data. There's also a good chance the U.S. Congress may step in and pass new legislation that bans computer spying more directly. In any case, the first lawsuits have already been filed: a class action against RealNetworks seeks $500 million in damages on behalf of 1 million RealJukebox users in California.

Even before E.T. applications have their day in court, though, public resentment may be leading companies to be more cautious about using them. In an attempt to catch hackers who were crashing servers, EverQuest, a popular online role-playing game, devised an E.T. program that searched users' hard drives for hacker programs. As soon as it was announced, Verant Interactive, the company that makes EverQuest, was flooded with angry e-mail. "I got one from a veteran saying, 'I fought in Vietnam for the rights of this country, and one of those rights is the right to privacy,'" says Verant Interactive CEO John Smedley. In the face of the criticism, Smedley decided to dump the E.T. application and replace it with technology that looks for hackers on the company's servers. "It's probably not going to be as effective," he says. "But, hey, that's life."

Even Microsoft, which evoked the ire of privacy advocates with Registration Wizard, has joined the privacy crusade. It introduced a spot on Microsoft.com called Profile Center, which it says allows users to examine every piece of data Microsoft has collected about them and delete data they don't want Microsoft to have. Yusef Mehdi, vice president of marketing for MSN, says Profile Center "has grown from the lessons we learned from Windows 95." One of the lessons, he notes, is that a well-advertised privacy policy can make business sense. "If you do that, you will inspire much more consumer confidence," he says, "and they will give you more data."

The new sensitivity many companies are exhibiting is good news for computer users concerned about privacy. Yet for every Radiate or Verant that gets caught and cleans up its act, there are probably more that haven't been caught and are still spying. In the long run, Cheswick says, the answer may be to segment computer hard drives physically into public and private areas so downloads don't have access to information people want to keep confidential. For now, he has a simple solution: he just doesn't download applications from the Internet or from e-mail. That may seem drastic. But if you go the other route, don't be surprised at what your computer tells the world about you.

For more on Internet privacy, go to www.timeeurope.com