"Spies" in Your Software?

A PRIVACY Forum Special Report -- 11/1/99

Lauren Weinstein (lauren@vortex.com)
PRIVACY Forum Moderator

Greetings. As the percentage of computer users with either on-demand or permanent connections to the Internet continues to creep ever closer to 100%, some techniques are beginning to appear in software which can only be described as underhanded--apparently implemented by software firms who consider it their right to pry into your behavior.

It's becoming increasingly popular for various software packages, which would not otherwise seem to have any need for a network connection, to establish "secret" links back to servers to pass along a variety of information or to establish hidden control channels.

One rising star in this area of abuse is remote software control. Various firms now promote packages and libraries, which can be "invisibly" added to *other* software, to provide detailed "command and control" over the software's use, often without any clue to the user as to what's actually going on. These firms promote that they can monitor usage, remotely disable the software, gather statistics--anything you can imagine. The oft-cited major benign justification for such systems is piracy control, leading to gathering of information such as site IP numbers, for example. If the software seems to be running on the "wrong" machine, it can be remotely disabled. But information gathering and control most certainly need not stop there!

Another example is the use of such systems in "demo" software. I recently received promotional material from a firm touting their package's ability to prevent demo software from running without it first "signing in" to a remote server on each run, which would then report all usage of the demo--so the demo producer could figure out who to target for more contacts ("buy now!") or to disable the demo whenever they wished--or whatever might be desired.

It is frequently the case that software using such techniques will establish network connections without even asking the user (though I did succeed in getting one such firm to promise to change this policy after a long phone conversation with their president). But as a general rule, you cannot assume that you'll ever know that software is establishing a "hidden" channel, except in cases with dialup modems where you might actually hear the process. With permanent net connections, there'd typically be no clue.

If you think that your firewalls will protect you against such systems, think again. The protocol of choice for such activities is HTTP--the standard web protocol--meaning that these control and monitoring activities will typically flow freely through most firewalls and proxies that permit web browsing.

Other examples of such "backchannels" have also been appearing, such as e-mail messages containing "hidden" HTTP keys which will indicate to the sender when the e-mail was viewed by the recipient (assuming the e-mail was read in an HTTP-compliant mail package). Is this any of the firms' business? No, of course not. They just think they're being cute, and do it since they can. If you care about this sort of thing, read your e-mail in text-based packages--they're safer from a wide variety of e-mail "surprises" (including viruses) in any case. In the Unix/Linux world, "mh" is a good choice.
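To make the e-mail backchannel above concrete, here is an added Python example (not part of the original report) that lists the references in a message's HTML part which a rendering mail reader would fetch on display, and shows that the text-only view carries none of them. The function names, the sample message, its hosts and its key are all constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that an HTML-rendering mail reader fetches on display.
AUTO_FETCH = {"img": "src", "iframe": "src", "link": "href", "body": "background"}

class RemoteRefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get(AUTO_FETCH.get(tag, ""))
        if url and urlsplit(url).scheme in ("http", "https"):
            self.refs.append({
                "tag": tag, "url": url,
                "keyed": bool(urlsplit(url).query),  # query string can carry a per-recipient key
                "tiny": a.get("width") in ("0", "1") and a.get("height") in ("0", "1"),
            })

def find_backchannels(raw):
    finder = RemoteRefs()
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.refs

def plain_text_view(raw):
    body = message_from_string(raw, policy=policy.default).get_body(preferencelist=("plain",))
    return body.get_content() if body else ""  # what a text-based reader displays

# Constructed sample message (addresses, hosts and the key are made up).
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Hello, see http://www.example.com/news for details.
--b1
Content-Type: text/html

<p>Hello, see <a href="http://www.example.com/news">the news</a>.</p>
<img src="http://tracker.example.com/open.gif?key=CONSTRUCTED-0001" width="1" height="1">
<img src="cid:logo">
--b1--
"""
```

The ordinary link and the `cid:` image are not reported, because neither causes a network request when the message is merely displayed.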

Whether one cares to view any particular application of these sorts of "network spy" technologies as trivial or critical will vary of course. Some people probably couldn't care less. Others (especially in business and government, where hidden flows of information can have serious consequences indeed) will be much more concerned.

Unfortunately, until such a time as it is clearly illegal for such packages to siphon information from, or remotely control, users' computers without their knowledge or permissions, such abuses are likely only to continue growing in scope and risks. We haven't seen anything yet.

--Lauren--
Lauren Weinstein
lauren@vortex.com
Moderator, PRIVACY Forum --- http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Reality Report & Unreality Trivia Quiz"
--- http://www.vortex.com/reality

Copyright © 2017 Vortex Technology. All Rights Reserved.