"Spies" in Your Software?

                 A PRIVACY Forum Special Report -- 11/1/99

                    Lauren Weinstein (lauren@vortex.com)
                          PRIVACY Forum Moderator

Greetings. As the percentage of computer users with either on-demand or
permanent connections to the Internet continues to creep ever closer to
100%, some techniques are beginning to appear in software which can only be
described as underhanded--apparently implemented by software firms who
consider it their right to pry into your behavior.

It's becoming increasingly popular for various software packages, which
would not otherwise seem to have any need for a network connection, to
establish "secret" links back to servers to pass along a variety of
information or to establish hidden control channels.

One rising star in this area of abuse is remote software control. Various
firms now promote packages and libraries, which can be "invisibly" added to
*other* software, to provide detailed "command and control" over the
software's use, often without any clue to the user as to what's actually
going on. These firms promote that they can monitor usage, remotely disable
the software, gather statistics--anything you can imagine. The oft-cited
major benign justification for such systems is piracy control, leading to
gathering of information such as site IP numbers, for example. If the
software seems to be running on the "wrong" machine, it can be remotely
disabled. But information gathering and control most certainly doesn't
necessarily stop there!

Another example is the use of such systems in "demo" software. I recently
received promotional material from a firm touting their package's ability
to prevent demo software from running without it first "signing in" to a
remote server on each run, which would then report all usage of the
demo--so the demo producer could figure out who to target for more contacts
("buy now!") or to disable the demo whenever they wished--or whatever might
be desired.

It is frequently the case that software using such techniques will
establish network connections without even asking the user (though I did
succeed in getting one such firm to promise to change this policy after a
long phone conversation with their president). But as a general rule, you
cannot assume that you'll ever know that software is establishing a
"hidden" channel, except in cases with dialup modems where you might
actually hear the process. With permanent net connections, there'd
typically be no clue.

If you think that your firewalls will protect you against such systems,
think again. The protocol of choice for such activities is HTTP--the
standard web protocol--meaning that these control and monitoring activities
will typically flow freely through most firewalls and proxies that permit
web browsing.

Other examples of such "backchannels" have also been appearing, such as
e-mail messages containing "hidden" HTTP keys which will indicate to the
sender when the e-mail was viewed by the recipient (assuming the e-mail was
read in an HTTP-compliant mail package). Is this any of the firms'
business? No, of course not. They just think they're being cute, and do it
since they can. If you care about this sort of thing, read your e-mail in
text-based packages--they're safer from a wide variety of e-mail
"surprises" (including viruses) in any case. In the Unix/Linux world, "mh"
is a good choice.

Whether one cares to view any particular application of these sorts of
"network spy" technologies as trivial or critical will vary of course. Some
people probably couldn't care less. Others (especially in business and
government, where hidden flows of information can have serious consequences
indeed) will be much more concerned.

Unfortunately, until such a time as it is clearly illegal for such packages
to siphon information from, or remotely control, users' computers without
their knowledge or permissions, such abuses are likely only to continue
growing in scope and risks. We haven't seen anything yet.

--Lauren--
Lauren Weinstein
lauren@vortex.com
Moderator, PRIVACY Forum --- http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Host, "Vortex Reality Report & Unreality Trivia Quiz"
--- http://www.vortex.com/reality