Report from WhenU v Utah updated June 13, 2004

In April I mentioned WhenU’s suit against the state of Utah, challenging Utah’s recent Spyware Control Act. Oral argument took place yesterday and today as to WhenU’s motion for preliminary injunction.

Consistent with case filings, WhenU claimed that the company cannot reliably determine which users are in Utah and which are elsewhere. However, documents presented in the hearing showed that WhenU offers its advertisers the service of showing their ads only in particular locations, including in particular states.

Counsel for the state of Utah also asked WhenU’s CEO about WhenU’s display of advertising for online gambling and for online liquor sales. My testing demonstrated that WhenU shows such ads in Utah, but longstanding Utah law is thought to prohibit these ads. So WhenU will have to develop — arguably, already should have developed! — systems to avoid showing these ads in Utah. WhenU has criticized the Spyware Control Act, claiming that compliance would be difficult and costly. But WhenU must satisfy Utah’s gambling and liquor laws independent of the Spyware Control Act. So much for the purportedly high burden of Utah’s spyware regulation.

In my own oral testimony, I explained the methods of installation and operation of spyware. In one notable section, I showed videos of WhenU software installed via drive-by downloads with defective license agreements, such that even when a user requested to view WhenU’s license agreement, the license was not available.

Details in WhenU.com, Inc., v. The State of Utah – Case Documents. The hearing will conclude on June 22, 2004, and the Court’s decision is expected thereafter.

Dell’s Spyware Puzzle updated June 9, 2004


Dell Ad Displayed using ClariaDell Ad Displayed using Claria

Lots of companies have a puzzling relationship with spyware. For example, a recent eWeek article pointed out the complexities in Yahoo!’s relationship with Claria: My research of last year found that yahoo.com is the the single most targeted domain of the many thousands Claria targets with its context-triggered popups. More recently, Yahoo! released a toolbar that uninstalls Claria software. These facts suggest that Yahoo! would dislike Claria and would actively oppose Claria’s activities. Nonetheless, Yahoo! remains a major supplier to Claria (via Yahoo!’s Overture sponsored link service, which reportedly provides 30% of Claria’s revenue, per Claria’s S-1 filing).

Even more puzzling, Dell both suffers from spyware and receives web traffic from Claria’s advertising services. In recent comments to the FTC (PDF page 70), Dell’s Maureen Cushman reported that spyware is Dell’s “number one call driver” as of late 2003, and that spyware is responsible for as much as 12% of calls to Dell tech support.

Nonetheless, my testing shows that Dell UK ads run on the Claria ad network. See the ad shown at right (among several other ads also from Dell UK), which I received while viewing the IBM.COM site. My further testing indicates that Claria shows several Dell UK ads when users visit the sites listed below (perhaps among others). (Note that users might have to visit particular parts of the sites listed here — i.e. the computers section of amazon.co.uk, not just other parts of the Amazon site.)

ebay.co.uk
hp.com
msn.co.uk
apple.com
amazon.co.uk
ibm.com
kelkoo.co.uk
bt.com
pricerunner.com
dabs.com
dealtime.co.uk
johnlewis.com
dooyoo.co.uk
comet.co.uk
ebuyer.com
pcworld.co.uk
dixons.co.uk
acer.co.uk
abrexa.co.uk
sony.co.uk
simply.co.uk
priceguideuk.com
toxiclemon.co.uk
packardbell.co.uk
microwarehouse.co.uk
evesham.com
toshiba.co.uk
cclcomputers.co.uk
morgancomputers.co.uk
timecomputers.com
sony-cp.com
europc.co.uk
empiredirect.co.uk

Dell staff tell me that the ads were unauthorized, placed by an affiliate without Dell’s permission. My inspection of the ads (and their link destinations) is consistent with this claim. But my inspection of Claria configuration files further suggests that the ads ran on the Claria network since at least February 6, 2004 — some four months ago. Why didn’t Dell notice this problem until I brought it to their attention?

If this is just a glitch, what procedures could Dell (and other companies) implement to make sure their ads are placed through only authorized channels? I’d be honored to work with interested advertisers to think through the possibilities for automatic or scheduled monitoring, testing, etc.

A note on my research methods: In May-June 2003, I offered a Gator real-time testing service that reported, on request, which ads (if any) targeted a given web site. I have subsequently disabled this site, so it provides only archived data. But I can still provide current Gator targeting data upon request. Interested readers, please get in touch by email.

WhenU Security Flaw

Every program installed on users’ PCs exposes users to potential security risks — for any program can contain design flaws that let attackers take control of a user’s computer. But experience shows some kinds of programs to be far more risky than others. Frequent readers of my site won’t be surprised to learn that software from WhenU, distributed on WhenU’s own web site until mere weeks ago, is among the programs with security vulnerabilities that let attackers take over users’ PCs.

For details, see my new WhenU Security Hole Allows Execution of Arbitrary Software. I explain the specific WhenU software found to be vulnerable, and I show what an attacker would have to do to take advantage of the vulnerability.

Among advertisement-display programs, WhenU is not alone in its security vulnerabilities. Earlier this year, researchers from the University of Washington found similar vulnerabilities in software from Claria and eZula. (See their Measurement and Analysis of Spyware in a University Environment (PDF).)

Before releasing this research to the public, I alerted WhenU staff to the flaw in their software. WhenU staff acknowledged the security risks of the software I identified — saying the program was “obsolete” and claiming it was taken out of public distribution in September 2002, even as it remained on WhenU’s ordinary public web site until I brought it to their attention. In any event, my testing indicates that the vulnerable code has now been removed from WhenU’s site, and that vulnerable software installed on users’ PCs has been patched via WhenU’s auto-update system.

I’m releasing this research in preparation for tomorrow’s hearing entitled “Who Might Be Lurking at Your Cyber Front Door? Is Your System Really Secure?,” convened by the House Committee on Government Reform‘s Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census. Spyware poses serious security risks of which users and policy-makers should be aware.

WhenU Breaks Its Privacy Promise

In July 2003, I noticed — and shortly notified WhenU — that WhenU’s software transmits to its servers the URLs that users visit, and that it does so every time it shows a user an ad. What’s the big deal? WhenU’s privacy policy said it wouldn’t do this: “URLs visited … are not transmitted to whenu.com or any third party server.” Many of WhenU’s software installers carry an even more explicit, but equally false, statement: “… does not track, collect or send your browsing activity anywhere.” What did WhenU do in response to my notification? Nothing, so far as I know.

Fast-forward eight months. I mentioned WhenU’s privacy violation in my FTC comments (PDF), and an FTC workshop speaker mentioned it (citing me) in his oral comments, with WhenU’s CEO and counsel present in the room. What did WhenU do? Again, nothing, so far as I know.

But this past Friday, I released to the public my new WhenU Violates Own Privacy Policy. I’ve revised my research of last summer and this spring — explaining things a bit more clearly, better tracking the duration and scope of the violation, and adding formatting to make the work easier to read. What did WhenU do? This time, finally, WhenU changed its privacy policy, to better describe its actual practice. But WhenU only made the change in some places — namely only on its web site, but not in the installer screens users look at as they decide whether or not to install WhenU software. So even today, as users install WhenU software, they are told — falsely — that WhenU doesn’t track, collect, or send their browsing activity. (screen-shots)

This is a troubling situation: For one, there’s the ten month lag between the violation first being brought to WhenU’s attention, and WhenU doing anything to even begin to address it. Then there are the thirty million users who reportedly run WhenU software. As users installed WhenU’s programs, WhenU promised not to send or track which URLs they visited. Instead, WhenU sent this information all along, and even continues sending it this very minute. Can WhenU correct the violation merely by changing its privacy policy web page?

Details, including HTTP logs and screen-shots, are in my WhenU Violates Own Privacy Policy.

Research on WhenU Search Engine Spamming, and Its Consequences updated May 22, 2004

Today I released an article documenting at least thirteen web sites operated with WhenU’s knowledge and approval (if not at WhenU’s specific request) that use prohibited methods to attempt to manipulate search engine results as to searches for WhenU and its products.

Some of these cloaking sites do offer information about WhenU, but their genuine information is interspersed with a mix of gibberish as well as with articles copied, without attribution of any kind, from the New York Times, c|net, and others. Meanwhile, most or all of the sites were registered with invalid whois data — most registered on the same day through the same registrar, but to five different names with five different gibberish email addresses in four states. The details:

WhenU Spams Google, Breaks Google ‘No Cloaking’ Rules

Sound too weird to be true? It turns out these behaviors are part of a practice called “search engine cloaking” — designed to make search engines think a site is about one subject, when in fact the site redirects most visitors to totally different content. The situation is complicated, and the easiest way to understand it is to read my article, complete with HTTP transmission logs and annotated HTML code.

Meanwhile, Google’s response was swift: I notified Google of the cloaking infractions on Sunday, and WhenU’s sites were removed from Google by Wednesday. Try a Google search for “whenu” and see for yourself: You’ll get critics’ sites and news coverage, but not www.whenu.com itself.

In subsequent research, I also found that WhenU has been copying news stories from around the web, without any statement of license from the respective publishers. See WhenU Copies 26+ Articles from 20+ News Sites. After I released this article, WhenU deleted the article copies from the dozen WhenU sites on which they had been posted. Fortunately, I kept plenty of screenshots. Meanwhile, at least one affected publisher has confirmed that the copies were unauthorized.

These aren’t WhenU’s only controversial business practices. For one, there’s WhenU’s core business — showing context-triggered pop-up advertisements that cover other companies’ web sites, without those sites authorization, a subject which has brought on extensive litigation. In addition, I previously discovered that WhenU violates its own privacy policy. In its privacy policy (as it stood through May 22), WhenU tells (told) its users that “URLs visited … are not transmitted to whenu.com or any third party server.” WhenU’s software installers continue to say the same, sometimes even more explicitly (“does not track, collect or send your browsing activity anywhere”). But my research indicates otherwise — that WhenU transmits to its servers the specific web pages users visit, and that it makes these transmissions every time users see WhenU advertisements. Details, including HTTP logs and screen-shots, are in my WhenU Violates Own Privacy Policy.

CFP Presentation on Search Engine Omissions; Spyware Workshop Comments updated June 3, 2004

Today I presented Empirical Research on Search Engine Omissions at Computers, Freedom, and Privacy (CFP) in Berkeley, CA. My presentation focused on two prior empirical projects in which I documented sites missing from Google search results: Localized Google Search Result Exclusions (documenting 100+ controversial sites missing from google.de, .fr, and .ch) and Empirical Analysis of Google SafeSearch (documenting thousands of unobjectionable and non-sexually-explicit sites missing from google.com when users enable Google’s SafeSearch feature to attempt to omit sexually-explicit content).

On Monday I was in DC for the FTC‘s Spyware Workshop. I thought the final panel, Governmental Responses to Spyware, did a fine job of explaining the legislative options on the table, and of noting the pressure to address the problem of spyware for the large and growing number of affected users. But I was dismayed that the first panel (Defining Spyware) classified as fine and unobjectionable certain programs that, in my experience, users rarely want, yet often find installed on their computers. Key among these undesired programs are software from Claria (formerly Gator) and WhenU. The technical experts on the second and third panels agreed that these programs pose major problems and costs for users and tech support staff. Yet the first panel seemed to think them perfectly honorable.

Also puzzling was a new position paper from the Consumer Software Working Group recently convened by CDT. Examples of Unfair, Deceptive or Devious Practices Involving Software (PDF) purports to offer a listing of bad behaviors that software ought not perform. It certainly lists plenty of behaviors that so outrageous as to be beyond dispute. But what it misses — indeed, ignores — are the harder cases, i.e. the programs that make spyware a more complicated issue, and the programs that affect the most users. For example, the Examples document condemns software installed without any notice to the user. It is silent about — and thereby is taken to endorse — the far more typical practice of showing a user a license agreement and/or disclosure that describes the software in euphemisms, but admittedly does provide at least some notice of the software’s purpose.

What to make of the document’s failure to consider the methods actually used by the controversial software with highest installation rates? Perhaps one explanation is that Claria and WhenU helped draft the report! (See the signators listed on page five.) That said, the document doesn’t purport to be comprehensive. Perhaps a future version will address the problems of drive-bys and euphemistic, lengthy, or poorly-presented licenses.

For more on the workshop, and another critical reaction, see other attendees’ notes on dslreports.com forums (especially a recent post by Eric Howes). See also impressive studies from PC Pitstop showing that more than 75% of Gator users don’t even know they have Gator (PDF) (not to mention consenting to Gator’s license agreements) and more than 85% for WhenU (PDF).

See also a transcript of the workshop (PDF).

 

Spyware, Adware, and Malware: Research, Testing, Legislation, and Suits

A number of firms currently design and offer so-called “spyware” software — programs that monitor user activities, and transmit user information to remote servers and/or show targeted advertisements. As distinguished from the design model anticipated by whatis.com’s definition of adware (“any software application in which advertising banners are displayed while the program is running”), these spyware programs run continuously and show advertisements specifically responding to the web sites that users visit. Companies making programs in this latter category include Gator (recently renamed Claria), WhenU, and 180Solutions. Other spyware programs include keystroke recorders, screen capture programs, and numerous additional software systems that surreptitiously monitor and/or transmit users’ activities. As programs and practices shift and terms evolve, some practices are more naturally termed “adware” or “malware” — especially if their tracking is secondary to an advertising purpose.

These programs have prompted a number of legal challenges, as described in the pending suits section, below. They have also attracted attention from legislators, who have proposed laws to rein in the problem.

I have followed these developments generally, I have written about the programs and their effects, and I have been retained as an expert in certain of these suits. This page indexes my research and my work in selected cases.

Spyware, Adware, and Malware: Research, Testing, Legislation, and Suits