VOX +1 614 545 HACK FAX +1 614 545 0076 WEB http://web.interhack.com/
Spying on Spyware
C. Matthew Curtin
Central Ohio Chapter of ISSA, July 21, 2004
Abstract: Millions of computer users are being watched, not just by employers and auditors, but by the software that they use—frequently without their knowledge or consent. This “spyware” has become the center of the personal privacy debate and threatens to undermine efforts to keep corporate data secured. What exactly is spyware? How does it work? What is its impact on users—and the businesses that employ them? Interhack’s Internet Privacy Project has been pioneering the dissection and documentation of spyware since 1999.
Id: spyware-wp.tex,v 1.2 2005/11/02 18:54:57 cmcurtin Exp
INTERHACK PROPRIETARY: PUBLIC/5/5
Software that observes user behavior and collects information under users’ noses is often called spyware. These systems have become central to a heated debate regarding online privacy, prompting the U.S. Congress to consider several bills.[1] In addition, the very nature of such systems—the collection of data that would not otherwise be available outside of corporate firewalls—raises questions about how companies can remain compliant with privacy-oriented regulation like the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA).
What is Spyware?
In its simplest form, spyware is software designed to collect information from computer system users without their knowledge. Typically, spyware can be classified as a type of trojan horse, which is a technology-based security incident that enables violation of information security policy. Figure 1 shows where spyware fits within the broader context of policy enforcement.
Figure 1: Where Spyware Fits
[1] As of this writing, several bills presented in the 108th Congress either directly address or mention spyware, including the “Safeguard Against Privacy Invasions Act” (H.R. 2929), the “Internet Spyware (I-SPY) Prevention Act of 2004” (H.R. 4661), and the “Piracy Deterrence and Education Act of 2004” (H.R. 4077).
How Spyware Works
In this paper, we’ll briefly outline two systems that could be classified as spyware to demonstrate different methods for collecting information from users without their knowledge.[2] In both cases, these systems perform some kind of surreptitious user tracking and then format some part of that data for reporting back to the system’s operator. It should be noted that there are significantly more egregious cases of spyware in use; we chose these two systems because they represent a Windows-based system that collects and reports information and a Web-based system that does the same. Other cases that we have analyzed include Spector Professional, TheCounter.com, Coremetrics, DoubleClick [8, 9], and Netscape.
PCFriendly is an application that shipped on numerous DVD titles between 1996 and 2000. In addition to its stated objective (providing a software-based DVD player for Windows machines), the system collected information about the user and the user’s DVD collection, occasionally reporting such things back to InterActual Technologies, the maker of PCFriendly. PCFriendly is a Windows-based application that starts when a DVD is inserted into the system’s DVD player. The first time that the application starts, the user is asked for information like name, address, email address, and age. A unique identifier is assigned to the user, and the application appears to track changes over time, for example, additional DVD titles put into the system. As of Interhack’s last look at the system (in May 2002), PCFriendly was...