Privacy-invasive software

Privacy-invasive software is a category of software that invades a user's privacy by gathering information about the user and their device without the user's prior knowledge or consent. Such software is sometimes loosely referred to as "spyware", but the information gathering can be malicious or non-malicious. [1] The collected data is often used commercially, for example by being sold to advertisers or other third parties. [2]

Origins

In early 2000, Steve Gibson formulated the first description of spyware after realizing software that stole his personal information had been installed on his computer. [3]

Spyware is any software that employs a user's internet connection in the background or "backchannel" without their knowledge or consent. [citation needed]

Despite different interpretations of the definition of spyware, all descriptions share two central aspects: the degree of user consent involved, and the level of negative impact the software has on the user and their computer system (discussed further in Section 2.3 and Section 2.5 of (Boldt 2007a)). Because of this diffuse understanding of the spyware concept, the Anti-Spyware Coalition (ASC), made up of public interest groups, trade associations, and anti-spyware companies, concluded that the term spyware should be used at two different abstraction levels. [4] At the low level, they use the following definition, which is similar to Steve Gibson's original one:

In its narrow sense, Spyware is a term for tracking software deployed without adequate notice, consent, or control for the user.

However, since this definition does not encompass all of the different types of spyware available, they also provide a wider definition, which is more abstract in its appearance:

In its broader sense, spyware is used as a synonym for what the ASC calls "Spyware (and Other Potentially Unwanted Technologies)". Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

1) Material changes that affect their user experience, privacy, or system security;
2) Use of their system resources, including what programs are installed on their computers; and/or
3) Collection, use, and distribution of their personal or other sensitive information.

Difficulties in defining spyware forced the ASC to define what they call Spyware (and Other Potentially Unwanted Technologies) instead. This includes any software that does not have the users' explicit consent for running on their computers. Another group that has tried to define spyware is StopBadware, which consists of actors such as Harvard Law School, Oxford University, Google, Lenovo, and Sun Microsystems. [5] StopBadware does not use the term spyware at all, but instead introduced the term badware. Their definition is as follows: [6]

An application is badware in one of two cases:

1. If the application acts deceptively or irreversibly.
2. If the application engages in potentially objectionable behavior without:
- First, prominently disclosing to the user that it will engage in such behavior, in clear and non-technical language, and
- Then, obtaining the user's affirmative consent to that aspect of the application.

(Source: "Stop Badware Software Guidelines", StopBadware.org, April 7, 2006; archived from the original on April 7, 2006.)

Distinction

Disagreement among users and organizations on the definition of the term "spyware" stems from the subjectivity of the term: what some users regard as legitimate software may be regarded as spyware by others. As the term "spyware" gained traction, close synonyms such as trackware, evilware and badware were coined to distinguish particular kinds of software from spyware in general. As a result, the term privacy-invasive software was introduced to encapsulate all such software.

[Figure: a three-by-three matrix classification of privacy-invasive software showing legitimate, spyware and malicious software (Boldt 2010, p. 110)]

The work by Warkentiens et al. (described in Section 7.3.1 of (Boldt 2007a)) can be used as a starting point for a classification of privacy-invasive software, in which software is classified by the combination of user consent and direct negative consequences. User consent is rated as low, medium or high, while direct negative consequences range from tolerable through moderate to severe. This classification lets developers and users first distinguish legitimate software from spyware, and then spyware from malicious software. Any software with low user consent, or which causes severe direct negative consequences, should be regarded as malware. Conversely, any software with high user consent that causes only tolerable direct negative consequences should be regarded as legitimate software. Under this system, spyware is the remaining group: software with medium user consent, or which causes moderate direct negative consequences. The classification is described in further detail in Chapter 7 of (Boldt 2007a).

This classification system is refined further by distinguishing direct negative consequences from indirect negative consequences. The distinction is between the negative behavior a program has been designed to carry out (direct negative consequences) and the security threats introduced merely by having that software executing on the system (indirect negative consequences). One example of an indirect negative consequence is the risk that software vulnerabilities in programs running on users' systems without their knowledge will be exploited. [7]

History

As personal computers and broadband connections became more common, the use of the internet for e-commerce transactions rose. [8] Early retailers included book dealer Amazon.com and CD retailer CDNOW.com, which both were founded in 1994. [9] As competition over customers intensified, some e-commerce companies turned to questionable methods to entice customers into completing transactions with them. [10]

Targeted advertisement

In the search for more effective advertising strategies, companies soon discovered the potential of ads targeted at users' interests. Once targeted advertising began to appear online, advertisers developed software, which became known as spyware, that collected users' personal interests from their browsing habits. Spyware brought with it reduced system performance and security. The information gathered by spyware was used to construct user profiles detailing what users could be persuaded to buy. The introduction of online advertisements opened up a new way of funding software development: by having the software display advertisements to its users, developers could offer their software "free of charge", since they were paid by the advertising agency. However, there is a distinction between "free of charge" and a "free gift": a free gift is given without any expectation of future compensation, while something provided free of charge expects something in return. When downloading software described as "free of charge", users had no reason to suspect that it would report their Internet usage so that the advertisements presented could be targeted at their interests.

Problems arose because users were informed of neither the occurrence nor the extent of such monitoring, and were not given a chance to decide whether to participate. As advertisements became targeted, the border between adware and spyware started to dissolve: the same software both monitored users and delivered targeted ads.

The arms-race between spyware vendors

As the chase for faster financial gains intensified, several competing advertisers turned to more nefarious methods in an attempt to stay ahead of their competitors. As a result, this created a gray area between conventional ads that people chose to see, such as ads from subscription services, ads pushed on users through "pop-ups" and downloaded ads displayed in a program itself. [11] This practice pushed online advertising closer to the dark side of spam and other types of invasive, privacy compromising advertising. [12] During this development, users experienced infections from unsolicited software that crashed their computers by accident, changed application settings, harvested personal information, and deteriorated their computer experience. [13] Over time, these problems led to the introduction of countermeasures in the form of anti-spyware tools.

Anti-spyware became a new area of online vending with fierce competition. These tools purported to clean computers of spyware, adware, and any other type of shady software located in that same gray area. This type of software can produce false positives, as some legitimate software came to be branded as "spyware" (e.g. Spybot: Search & Destroy identifies the Scan Spyware program as a Spybot). These tools were designed similarly to anti-malware tools such as antivirus software: anti-spyware tools identify programs using signatures (semantics, program code, or other identifying attributes). This process only works on known programs, which can lead to the false positives mentioned earlier and leaves previously unknown spyware undetected. To further aggravate the situation, some shady companies distributed fake anti-spyware tools in their search for a larger piece of the online advertising market. These fake tools claimed to remove spyware, but instead installed their own share of adware and spyware on unsuspecting users' computers. Sometimes, this software would also remove adware and spyware from competing vendors.
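The two failure modes described above (a signature that is too exact misses an unknown variant, and a signature that is too broad flags legitimate software) can be shown in a few lines. The following is an added example written for this article, not code from any anti-spyware product: the "program" contents are constructed byte strings standing in for executables, and the signature names TrackerAgent.A and Generic.Spyware are hypothetical.

```python
"""Signature-based detection and its blind spots (added example, not from the article).

The sample 'program' contents below are constructed byte strings that stand in
for executables; the signature names are hypothetical.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Constructed sample contents (stand-ins for program files).
KNOWN_SPYWARE = b"MZ TrackerAgent v1.0 - reports browsing history to ads.example"
UNKNOWN_VARIANT = b"MZ TrackerAgent v1.1 - reports browsing history to ads.example"  # one byte differs
LEGIT_ANTISPYWARE = b"MZ ScanSpyware utility - removes tracking components"
PLAIN_EDITOR = b"MZ Notepad-like text editor"


@dataclass
class Signature:
    name: str
    kind: str                 # "hash": exact SHA-256 match; "pattern": byte substring match
    value: Union[str, bytes]


SIGNATURES: List[Signature] = [
    # Exact hash of one known sample: precise, but any change to the file breaks the match.
    Signature("TrackerAgent.A", "hash", hashlib.sha256(KNOWN_SPYWARE).hexdigest()),
    # Broad byte pattern: would catch unknown relatives, but also anything that merely
    # mentions "Spyware", such as a legitimate anti-spyware tool.
    Signature("Generic.Spyware", "pattern", b"Spyware"),
]


def scan(contents: bytes, signatures: List[Signature] = SIGNATURES) -> List[str]:
    """Return the names of all signatures that match `contents`."""
    digest = hashlib.sha256(contents).hexdigest()
    hits = []
    for sig in signatures:
        if sig.kind == "hash" and sig.value == digest:
            hits.append(sig.name)
        elif sig.kind == "pattern" and sig.value in contents:
            hits.append(sig.name)
    return hits


def evaluate(samples: Dict[str, Tuple[bytes, bool]]) -> Dict[str, str]:
    """Compare scan results with ground truth and label each sample TP/FP/TN/FN."""
    outcome = {}
    for name, (contents, is_unwanted) in samples.items():
        detected = bool(scan(contents))
        if detected:
            outcome[name] = "true positive" if is_unwanted else "false positive"
        else:
            outcome[name] = "false negative" if is_unwanted else "true negative"
    return outcome


# Ground truth for the constructed samples: True means the program is unwanted.
SAMPLES: Dict[str, Tuple[bytes, bool]] = {
    "known spyware": (KNOWN_SPYWARE, True),
    "unknown variant": (UNKNOWN_VARIANT, True),
    "legitimate anti-spyware": (LEGIT_ANTISPYWARE, False),
    "plain editor": (PLAIN_EDITOR, False),
}

if __name__ == "__main__":
    for name, result in evaluate(SAMPLES).items():
        print(f"{name:25s} -> {result}")
```

The known sample is caught only by its exact hash, so the variant that differs by a single byte is a false negative, while the broad pattern that would be needed to catch such variants turns the legitimate anti-spyware tool into a false positive. That tension, between precision and coverage, is the reason the article gives for signature-based anti-spyware tools both misfiring on legitimate programs and missing previously unseen spyware.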

New spyware programs are constantly being released in what seems to be a never-ending stream, although the increase has leveled out somewhat over the last few years. According to developers of anti-spyware programs, the fight against spyware is more complicated than the fight against viruses, trojan horses, and worms. [14] There is still no consensus on a definition or classification system of spyware, which negatively affects the accuracy of anti-spyware tools resulting in some spyware programs being able to remain undetected on users' computers. [15] [16]

Predicted future development

There are several trends integrating computers and software into people's daily lives. One example is traditional media-oriented products being integrated into a single device, called a media center. These media centers include the same functionality as conventional television, DVD players, and stereo equipment, combined with an internet-connected computer. In the foreseeable future, these media centers are anticipated to have a vast consumer impact. [17] [18] In this setting, spyware could monitor which television channels are being watched, when and why users change channel, or which DVDs users have purchased and watched. This information is highly attractive to any advertising or media-oriented corporation, and will most likely result in a scenario where spyware is tailored to these new platforms.

Another area of interest for spyware vendors is the increase in mobile device use. Distributors of advertisements have already turned their eyes to these devices. So far, this development has not made use of the geographic position data stored in these devices. However, companies are currently working on GPS-guided ads and coupons tailored to mobile phones and hand-held devices. [19] In other words, the development of geographical tracking spyware allows advertisers to gain access to personal geographical data for the purpose of serving geographically targeted ads and coupons to their customers. Once such geographic data has been harvested and correlated with previously collected data, another privacy barrier has been crossed.

Related Research Articles

Adware, often called advertising-supported software by its developers, is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process. The software may generate two types of revenue: one is for the display of the advertisement and another on a "pay-per-click" basis, if the user clicks on the advertisement. Some advertisements also act as spyware, collecting and reporting data about the user, to be sold or used for targeted advertising or user profiling. The software may implement advertisements in a variety of ways, including a static box display, a banner display, a full screen, a video, a pop-up ad or in some other form. All forms of advertising carry health, ethical, privacy and security risks for users.

Spyware is any software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.

Claria Corporation was a software company based in Redwood City, California that invented “Behavioral Marketing”, a new form of online advertising. It was founded in 1998 by Denis Coleman, Stanford MBA Sasha Zorovic, and engineer Mark Pennell, based on work Zorovic had done at Stanford. In March 1999 Jeff McFadden was hired as CEO and Zorovic was effectively forced out.

BonziBuddy: Former freeware desktop assistant

BonziBuddy was a freeware desktop virtual assistant created by Joe and Jay Bonzi. Upon a user's choice, it would share jokes and facts, manage downloads, sing songs, and talk, among other functions, as it used Microsoft Agent.

Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.

SpywareBlaster: Microsoft Windows software

SpywareBlaster is an antispyware and antiadware program for Microsoft Windows designed to block the installation of ActiveX malware.

CA Anti-Spyware: Spyware detection program

CA Anti-Spyware is a spyware detection program distributed by CA, Inc. Until 2007, it was known as PestPatrol.

Direct Revenue was a New York City company which distributed software that displays pop-up advertising on web browsers. It was founded in 2002 and funded by Insight Venture Partners, known for creating adware programs. Direct Revenue included Soho Digital and Soho Digital International. Its competitors included Claria, When-U, Ask.com and products created by eXact Advertising. The company's major clients included Priceline, Travelocity, American Express, and Ford Motors. Direct Revenue's largest distributors were Advertising.com and 247 Media. In October 2007, Direct Revenue closed its doors.

WinFixer: Rogue security software

WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.

Zango (company)

Zango, formerly ePIPO, 180solutions and Hotbar, was a software company that provided users access to its partners' videos, games, tools and utilities in exchange for viewing targeted advertising placed on their computers. Zango software is listed as adware by Symantec, and is also labeled as a potentially unwanted program by McAfee. Zango was co-founded by two brothers: Keith Smith, who served as the CEO, and Ken Smith, who served as the CTO.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

WhenU SaveNow

WhenU Save/SaveNow, developed by the company WhenU, is a piece of advertising software generally considered to be adware or spyware. The program delivers advertisements, compares shopping results and other offers to users' computers, and tracks their browsing habits. WhenU is typically installed with other applications, ostensibly to support the free existence of those applications. WhenU cannot be installed without a user reading a disclosure screen and clicking "I accept" or "Next" to give consent, sometimes unknowingly. This model is similar to previous software known as Gator from the company now known as Claria Corporation.

StopBadware: Anti-malware nonprofit organization

StopBadware was an anti-malware nonprofit organization focused on making the Web safer through the prevention, mitigation, and remediation of badware websites. It is the successor to StopBadware.org, a project started in 2006 at the Berkman Center for Internet and Society at Harvard University. It spun off to become a standalone organization, and dropped the ".org" in its name, in January 2010.

SpySheriff: Spyware

SpySheriff is malware that disguises itself as anti-spyware software. It attempts to mislead the user with false security alerts, threatening them into buying the program. Like other rogue antiviruses, after producing a list of false threats, it prompts the user to pay to remove them. The software is particularly difficult to remove, since it nests its components in System Restore folders, and also blocks some system management tools. However, SpySheriff can be removed by an experienced user, antivirus software, or by using a rescue disk.

Movieland: Former subscription-based movie download service

Movieland, also known as Movieland.com, Moviepass.tv and Popcorn.net, was a subscription-based movie download service that has been the subject of thousands of complaints to the Federal Trade Commission, the Washington State Attorney General's Office, the Better Business Bureau, and other agencies by consumers who said they were held hostage by its repeated pop-up windows and demands for payment, triggered after a free 3-day trial period. Many said they had never even heard of Movieland until they saw their first pop-up. Movieland advertised that the service had "no spyware", and that no personal information would need to be filled out to begin the free trial.

Phorm, formerly known as 121Media, was a digital technology company known for its contextual advertising software. Phorm was incorporated in Delaware, United States, but relocated to Singapore as Phorm Corporation (Singapore) Ltd in 2012. Founded in 2002, the company originally distributed programs that were considered spyware, from which they made millions of dollars in revenue. It stopped distributing those programs after complaints from groups in the United States and Canada, and announced it was talking with several United Kingdom Internet service providers (ISPs) to deliver targeted advertising based on the websites that users visited. Phorm partnered with ISPs Oi, Telefonica in Brazil, Romtelecom in Romania, and TTNet in Turkey. In June 2012, Phorm made an unsuccessful attempt to raise £20 million for a 20% stake in its Chinese subsidiary.

Genieo: Israeli company specializing in Mac malware

Genieo Innovation is an Israeli company, specializing in unwanted software which includes advertising and user tracking software, commonly referred to as a potentially unwanted program, adware, privacy-invasive software, grayware, or malware. They are best known for Genieo, an application of this type. They also own and operate InstallMac which distributes additional 'optional' search modifying software with other applications. In 2014, Genieo Innovation was acquired for $34 million by Somoto, another company which "bundles legitimate applications with offers for additional third party applications that may be unwanted by the user". This sector of the Israeli software industry is frequently referred to as Download Valley.

Download Valley is a cluster of software companies in Israel, producing and delivering adware to be installed alongside downloads of other software. The primary purpose is to monetize shareware and downloads. These software items are commonly browser toolbars, adware, browser hijackers, spyware, and malware. Another group of products are download managers, possibly designed to induce or trick the user to install adware, when downloading a piece of desired software or mobile app from a certain source.

A potentially unwanted program (PUP) or potentially unwanted application (PUA) is software that a user may perceive as unwanted or unnecessary. It is used as a subjective tagging criterion by security and parental control products. Such software may use an implementation that can compromise privacy or weaken the computer's security. Companies often bundle a wanted program download with a wrapper application and may offer to install an unwanted application, and in some cases without providing a clear opt-out method. Antivirus companies define the software bundled as potentially unwanted programs which can include software that displays intrusive advertising (adware), or tracks the user's Internet usage to sell information to advertisers (spyware), injects its own advertising into web pages that a user looks at, or uses premium SMS services to rack up charges for the user. A growing number of open-source software projects have expressed dismay at third-party websites wrapping their downloads with unwanted bundles, without the project's knowledge or consent. Nearly every third-party free download site bundles their downloads with potentially unwanted software. The practice is widely considered unethical because it violates the security interests of users without their informed consent. Some unwanted software bundles install a root certificate on a user's device, which allows hackers to intercept private data such as banking details, without a browser giving security warnings. The United States Department of Homeland Security has advised removing an insecure root certificate, because they make computers vulnerable to serious cyberattacks. Software developers and security experts recommend that people always download the latest version from the official project website, or a trusted package manager or app store.

References

Citations

  1. Boldt, Martin; Carlsson, Bengt (2006). "Privacy-Invasive Software and Preventive Mechanisms". 2006 International Conference on Systems and Networks Communications (ICSNC'06). p. 21. doi:10.1109/ICSNC.2006.62. ISBN 0-7695-2699-3. S2CID 15389209.
  2. Boldt, Martin (2007). "Privacy-Invasive Software Exploring Effects and Countermeasures" (PDF). Blekinge Institute of Technology Licentiate Dissertation Series. 01.
  3. Gibson, GRC OptOut -- Internet Spyware Detection and Removal, Gibson Research Corporation
  4. ASC (2006-10-05). "Anti-Spyware Coalition".
  5. StopBadware.org, StopBadware.org
  6. StopBadware.org Guidelines, "StopBadware.org Software Guidelines", StopBadware.org, archived from the original on September 28, 2007
  7. Saroiu, S.; Gribble, S.D.; Levy, H.M. (2004), "Measurement and Analysis of Spyware in a University Environment", Proceedings of the 1st Symposium on Networked Systems Design and Implementation (NSDI), San Francisco, USA
  8. Abhijit, C.; Kuilboer, J.P. (2002), E-Business & E-Commerce Infrastructure: Technologies Supporting the E-Business Initiative, Columbus, USA: McGraw Hill
  9. Rosenberg, R.S. (2004), The Social Impact of Computers (3rd ed.), San Diego, CA: Elsevier Academic Press
  10. CDT (2006), Following the Money (PDF), Center for Democracy & Technology
  11. Vincentas (11 July 2013). "Privacy Invasive Software in SpyWareLoop.com". Spyware Loop. Archived from the original on 9 April 2014. Retrieved 27 July 2013.
  12. Görling, S. (2004), An Introduction to the Parasite Economy, Luxemburg: In Proceedings of EICAR
  13. Pew, Internet (2005), "The Threat of Unwanted Software Programs is Changing the Way People use the Internet" (PDF), PIP Spyware Report July 05, Pew Internet & American Life Project, archived from the original (PDF) on July 13, 2007
  14. Webroot (2006), "Differences between Spyware and Viruses", Spysweeper.com, Webroot Software, archived from the original on 2007-10-01
  15. Good, N.; et al. (2006), "User Choices and Regret: Understanding Users' Decision Process About Consensually Acquired Spyware", I/S: A Journal of Law and Policy for the Information Society, vol. 2, no. 2
  16. MTL (2006), AntiSpyware Comparison Reports, Malware-Test Lab, archived from the original on 2007-11-02, retrieved 2007-09-29
  17. CES, International Consumer Electronics Association, archived from the original on 2010-02-08, retrieved 2007-09-28
  18. Newman, M.W. (2006), "Recipes for Digital Living", IEEE Computer, vol. 39, no. 2
  19. Business 2.0 Magazine (October 26, 2006), "20 Smart Companies to Start Now"

General sources