(WIRED NEWS) Not all web surfers think spyware is a problem. Some say the snoopy software is a fair trade-off for free applications, even with the intrusion into their computers and lives.
“Typically the assumption has been that spyware sneaks onto computers, or users are unaware of what they have agreed to install,” said Gregg Mastoras, a senior security analyst at antivirus vendor Sophos. “But some people actually do knowingly install adware because they want to use a particular application that comes bundled with it. Some just aren’t particularly concerned by adware’s presence on their computers.”
IMesh, maker of a popular file-sharing application, recently began bundling an application called Marketscore. Some would view Marketscore as a privacy nightmare: The program routes all of a user’s web traffic through Marketscore’s own servers, where it is then analyzed to “create research reports on internet trends and e-commerce activities,” according to Marketscore.
Even data entered on secure websites — such as passwords, credit card numbers and bank account numbers, information that is supposed to be viewable only by the sender and the intended recipient — is accessible to Marketscore, since the company has developed a method that allows it to view encrypted information.
But some users of iMesh didn’t seem to be troubled by the actions of Marketscore. Users at iMesh forums chided those who complained, posting messages stating that “without spyware there’s no such thing as free software.”
“I had a good idea what the Marketscore software does, though I didn’t read the entire user agreement,” said 19-year-old New York University student Keith Caron. “In general when any application asks to install another application, I assume the other application is spyware. But you have to support spyware if you’re going to have free file-sharing applications. Fair’s fair.”
Caron said many of his friends also assume that free software will contain spyware, and they accept that. This attitude may have led to the recent widespread presence of Marketscore on college networks across the nation.
On Thursday Columbia University issued a warning to students whose machines harbor Marketscore, which Columbia’s IT department said is in wide use on students’ computers.
“To protect campus systems against further spread of this threat, we have blocked connections from our networks to the spyware’s home servers. If your ability to view web pages on the internet has stopped, it may be because you were infected with this spyware,” Columbia’s announcement read in part.
Cornell and half a dozen other universities posted similar warnings and have also blocked Marketscore servers.
“This sucks,” said a Pennsylvania State University student in an e-mail interview. “I can’t surf the web and I can’t trade files if I uninstall the spyware. Why can’t the college let me do what I want to do with my computer? The school computer security guys are being way more annoying than the spyware was.”
Marketscore, for its part, insists that its application is neither spyware nor even adware. Security experts generally classify spyware as software that installs itself without a user’s permission and doesn’t clearly or honestly tell users what personal information it is gathering and how it is using it. Adware performs many — if not all — of the same functions as spyware, but alerts users to its presence and intentions.
In a statement Marketscore said, “Our processes and procedures are not done in secret — instead, we strive to fully inform potential panel members of the work we do and the way in which we do it. We are committed to describing what information we collect about our panelists and their internet usage, how we collect this information, the steps that we take to protect the information provided to us and the use we make of this information.”
Marketscore offers a free “Internet Accelerator” that the company says speeds up downloads by up to 100 percent, along with a free e-mail virus-protection service that uses Symantec’s CarrierScan Server antivirus technology. (Marketscore prominently displays a “Powered by Symantec” logo on its website.)
When users sign up for the antivirus service, they agree to have all their e-mails routed through Marketscore servers so that the messages can be scanned for viruses.
“I thought the virus scanner was a pretty cool feature,” said Marilyn Jackson, an unemployed Chicago-based graphic designer whose college-student son Mark installed Marketscore on her computer. “I can’t afford a subscription to keep my antivirus software updated. Marketscore doesn’t charge any fees.”
Neither of the Jacksons was concerned that all of their e-mails were being routed through Marketscore’s servers.
“I doubt they have the time to sit there and read all our messages,” said Marilyn Jackson. “Besides, my life is pretty boring anyway, it’s not like there’s anything interesting or criminal in my e-mail.”
The company boasts a Webtrust Cyber Certification issued by Ernst & Young, an accounting and auditing firm. Marketscore notes that the certification validates that the company “only observes the information we declare we collect and we only use that information as we have disclosed and agreed with you, our Marketscore member.”
“Moreover, the addition of an extra server connection, and the necessary log of user traffic created by Marketscore in order to prepare and sell their aggregated data reports, increases the potential for user data piracy by third parties.”
But does anyone apart from security experts really care? Steve Mullaney, vice president of marketing for Blue Coat, a security vendor, said that during a recent security audit of a Fortune 500 firm, he found the network was infested with the Gator.
“The users knew they had the application on their computers, and they knew exactly what it did,” said Mullaney. “They said they’d opted to install it on their computers because they wanted the eWallet application that stores passwords and credit card numbers, entering them into web forms with one click. The users said you have to get the adware if you want the eWallet.”
But Mullaney also noted that the users said they wouldn’t install Gator’s eWallet on their home machines, because the software slowed the performance of their computers.
While no one knows the percentage of computers that run spyware installed with the user’s permission, research firm IDC recently reported that 67 percent of all computers are infected with some form of spyware.
“I wonder if people have simply given up any notion of privacy,” said Budapest-based security consultant Yanos Kovas. “In Hungary, many people who grew up under communist rule came to accept government interference in every aspect of their lives as inescapable. They were too tired to fight anymore, so they convinced themselves that communism was OK and even a benefit.
“I think some internet users are exhausted by security threats and privacy leaks and are beginning to decide to believe that spyware is necessary for the greater good. If your personal information isn’t private anyway, if businesses and governments are trading it at will, then why not give a little more away and get some free software too?”