Spyware: Do You Know Who’s Watching You?

Abstract:

Radiate, like many other companies since the creation of the Internet, is relying on advertising and user information for its income. In this particular case, however, it is possible that users’ rights are being circumvented, and Radiate may be poking its nose in private places without proper authorization. This paper looks at Radiate and its software module, and attempts to determine whether it is spyware, based on the ACM Software Engineering Code of Ethics.

Introduction

Spyware, according to whatis.com, is "any technology that aids in gathering information about a person … without their knowledge. On the Internet, spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties.… Data collecting programs that are installed with the user's knowledge are not… spyware, if the user fully understands what data is being collected and with whom it is being shared." This subtle distinction between spyware and legitimate data-collection mechanisms is the issue at hand. I will attempt to determine the ethics of Radiate’s (previously known as Aureate) business practices, using the Software Engineering Code of Ethics as my baseline. I will look at whether Radiate’s module is, by definition, spyware, or a legitimate data-collection mechanism. Take note that this research was completed in November of 2000, and since then Radiate may have taken actions to remedy the situation under discussion.

Scenario: Part 1: Downloading the Program

We will follow the average user’s (let’s call him Erik) path through BinaryBliss.com, Radiate’s download site. Although there may be any number of other points of entry (www.download.com, personal homepages, etc.), this is the most easily regulated one and thus gives Radiate the benefit of the doubt. Radiate posts a tiny link to their privacy policy on the second-to-last line of their homepage (Figure 1). Although this is common among most online companies, the link is very small and can be easily missed.

 

We will assume that Erik neither saw nor clicked this link. Let’s suppose Erik decided to download the program labeled as the top download. We will download this program, called "Hey.Beer.Man". Clicking the "Hey.Beer.Man" link loads an intermediate page where Erik can read a short description of the game, as well as view a screenshot. Clicking "Download Now!" brings us to an important section: the End User License Agreement (EULA).

Near the top of the page Figure 2 is displayed. This should make some sense to Erik, even though he is not technically oriented. However, Radiate is being vague: they will use your connection to "send and receive data;" what sort of data? As far as Erik is concerned, this "data" is the program that he is about to download. As expected, they provide an "I agree" link before the actual text of the agreement. Let’s give Radiate the benefit of the doubt, and assume that Erik actually read through the EULA:

"This SOFTWARE PRODUCT is "advertiser supported software," … These advertisements are delivered via the Internet and will be downloaded from the servers of Radiate … this software will connect to the Internet UBIQUITOUSLY to download advertisements …"

[http://www.binarybliss.com/eula.asp?aid=972].

Here, Erik learns that their software will access the Internet "ubiquitously" to download the company’s lifeblood: advertisements. Additionally, the EULA provides a link to Radiate’s Privacy Policy; we shall go back and examine it later.

In the case that Erik did not read the EULA, but merely clicked the red link, he is now allowed to download the host program. Soon after he double-clicks the icon to install the program, he is presented with a box that contains a document similar to Radiate’s EULA; in fact, it is a superset of that EULA. Aureate’s EULA is presented before that of the host program.

Effectively, though, none of these warnings are of much use. We assumed that Erik, the average Internet user, would stop and read any of these user agreements. This is very likely an incorrect assumption, simply because of the average user’s attention span and interest in legal documents.

Scenario: Part 2: Installing the Program

What happens if, as is usually the case, none of the warnings are read? Let’s assume this is the case, and that Erik indeed read none of the warnings or user agreements, has downloaded and installed the program, and is now going to run it. The program does not create an icon on the desktop, so Erik must use the Start menu to access the program. If he knows anything about the state of his computer, he will notice that there are two new entries in the Start menu (Figure 3).

The new links allow Erik to read about what he is getting into. Here again, he is pointed to Radiate’s Privacy Policy. If he follows the "Advertising" menu, he is given the opportunity to edit the information he is providing to Radiate, as well as have the Radiate module removed from his system. Other than the aforementioned, there is no visible trace of the module.

This, however, is a best-case scenario. Many host programs, like the second top download, "DigiCams - The WebCam Viewer," do not present the EULA upon installation, and do create a desktop icon. Also, the Radiate Start menu section is not created. Erik has no way of knowing that the Radiate module is installed on his computer.

Scenario: Part 3: The Radiate Tools and Removal

If Erik is at all technologically savvy (although the average computer user is not, we will assume he is in order to allow this scenario), he will by now have some idea of what Radiate does, and may want to remove the module from his machine. Upon clicking the "Uninstall" link, he is presented with a warning prompt. After clicking "Yes" there, Erik is told that the Radiate module was successfully uninstalled.

The Questions

Radiate is treading the fine line between spyware and legitimate data-collection software; has this line been crossed? What does the Software Engineering Code of Ethics say about this matter?

Radiate’s Case

To argue this side of the dispute, we will examine Radiate’s Privacy Policy:

"Radiate delivers content to computer software applications that use Radiate's technology. …Radiate will sometimes query you for demographic data …All of this information is aggregated …If you have already submitted this information and would like for us to remove it from our files, please contact us at the email address privacy@Radiate.com. We will use reasonable efforts to delete your information from our existing files."

[http://www.radiate.com/privacy.html].

This is an excellent and fair business strategy. They collect information about users of their program that they use to target their ads, and thus increase their revenue. They use this money to make more programs accessible to people who would not otherwise be able to use them.

Radiate makes two good points. First, they collect non-personally-identifying information in good faith and use that information only in the aggregate. Second, they give those who do not want to give their information the opportunity to opt out. Erik must simply send his request to privacy@Radiate.com, and he will be removed in a "reasonable" amount of time. Via their EULA and Privacy Policy, Radiate complies with canon 1.06 of the Code:

1.06. Be fair and avoid deception in all statements…

If accessing software through Radiate’s website, BinaryBliss.com, the user agreement that is presented before giving the user access to the software explains clearly what the Radiate module does.

If Erik decides that, given all this information, he does not want the Radiate module on his machine after all, he is given the capability to remove it, as you saw in Figure 3. Canon 1.02 of the Code looks positively upon this:

1.02. Moderate the interests of the software engineer, the employer, the client and the users with the public.

Although Radiate and the host companies may not like it, the users (the public) are given the opportunity to get rid of the spyware module.

If Erik does this, none of the host programs installed on his machine will function, but that is the consequence he must deal with.

Radiate is, in fact, doing the public a great service by bringing them software that they would have not otherwise had free, legal access to. Meanwhile, Radiate is profiting from these transactions. This relates to canons 1.07 and 3.08 of the Code:

1.07. Consider issues of [disadvantages]…

This is exactly why Radiate is in business. They are bringing software, free of charge, to the entire community.

3.08 Ensure that specifications for software …have been well documented, satisfy the users’ requirements and have the appropriate approvals.

The "users" in this case are not the end users, but the host companies. The requirements are to be able to have a revenue source while supplying free software; they are met.

Radiate has been forthcoming in every way regarding what its program does, and has given its end users many chances to opt out of the information collection. It has thus not performed any unethical actions, and any case claiming that it has is moot.

The Public’s Case

Despite Radiate’s efforts to better their image, they are failing miserably. There are two major problems with their business practices that they seem to fail to recognize:

First, they are not telling the public everything it wants to know in a straightforward manner. I had to read two multi-page legal documents before I had an idea of what was going on. If their target audience is Erik, the average home computer user who knows how to surf the net, read email, and not much more, then they need to describe exactly what they do in terms that Erik can easily and quickly understand. Radiate needs to force each and every one of their host companies to display a short, easy-to-read, and to-the-point paragraph, detailing exactly what is about to happen. This way, the Radiate module would no longer be spyware, since Erik is fully aware of what is happening with his machine. Canons 2.07 and 3.12 address this:

2.07. Identify, document, and report significant issues of social concern… to the employer or the client.

The plain fact that anyone has any reason to call the module "spyware" is proof enough of social concern that is not being addressed (reported).

3.12. … develop software …that respect the privacy …

The end users, e.g. Erik, are victims of a breach of privacy, as their activities are being monitored. Whether the user knows what is going on or not, their privacy is still violated.

Even if the module is not spyware, it still breaches canon 1.03 of the Code:

1.03. Approve software only if they have a well-founded belief that it … does not diminish quality of life or privacy or harm the environment. …

The Radiate module diminishes its users’ privacy. A claim saying that this is not true based on warnings before installing the software is moot. Whether the user knows what is going on or not, their privacy is still violated.

Second, they claim to provide an uninstall option for their module. As far as Erik is concerned, the module is gone after the uninstallation process is completed. This, however, is not the case. I used Gibson Research Corporation’s [http://www.grc.com] OptOut program to verify that Radiate had indeed done what it claimed to do. To my dismay, but not necessarily surprise, the screens in Figure 4 appeared. Contrary to what Erik thinks, the Radiate module still contaminates his machine. It appears that Radiate simply removed the registry keys that identify it. Not only did it not remove the files performing the data transfers, but there is now no way to tell via the registry that it still exists!

Since the Radiate controversy began, Radiate released another piece of software that supposedly removes everything related to Radiate from the host machine. Radiate describes it as follows:

"…uninstalling software that uses our technology may fail to properly uninstall our ad-serving component. In this case, you can use our DLL Remover to remove any remaining files from your computer…"

[http://www.radiate.com/privacy/falserumors.html].

According to this statement, there should now be absolutely no trace of any Radiate software on Erik’s computer. I ran Radiate’s DLL Remover, and then GRC’s OptOut once more. The following is an excerpt from the generated log:

    OptOut Activity Log & Report:
    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
    OptOut Registry Analysis on: 11 / 05 / 2000 at 16:32
    The system registry is completely clean
    OptOut Deep Drive Scan on: 11 / 05 / 2000 at 16:33
    • Scanning Drive C: for known problem files
    • Found Aureate file: advert.dll. Last accessed: 11 / 05 / 2000 -- earlier today!
    • File path: C:\WINDOWS\SYSTEM\advert.dll
    • Found Aureate file: amcis.dll. Last accessed: 11 / 05 / 2000 -- earlier today!
    • File path: C:\WINDOWS\SYSTEM\amcis.dll
    2 known problem files were found on Drive C: !
    OptOut Deep Scan Finished: 11 / 05 / 2000 at 16:33
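
The check that this log illustrates, that a clean registry says nothing about what is still on disk, can be sketched as follows. This is an added example, not part of the original paper and not OptOut's code; the function names and the temporary sample directory are assumptions, and only the two file names come from the log above.

```python
import os
import tempfile
import time

# File names taken from the OptOut log above. Matching is case-insensitive
# because Windows file names are.
KNOWN_FILES = {"advert.dll", "amcis.dll"}

def scan_for_leftovers(root, known=KNOWN_FILES):
    """Walk root and return (path, last-access date) for each known file name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in known:
                path = os.path.join(dirpath, name)
                # Last-access time is only a hint: many systems disable or
                # defer access-time updates.
                atime = time.localtime(os.stat(path).st_atime)
                hits.append((path, time.strftime("%m/%d/%Y", atime)))
    return sorted(hits)

def verify_uninstall(root, registry_clean):
    """Combine the registry verdict with the disk scan; disk evidence wins."""
    leftovers = scan_for_leftovers(root)
    if leftovers and registry_clean:
        verdict = "INCOMPLETE: registry clean but files remain"
    elif leftovers:
        verdict = "INCOMPLETE: files remain"
    elif not registry_clean:
        verdict = "INCOMPLETE: registry entries remain"
    else:
        verdict = "CLEAN"
    return verdict, leftovers

def build_sample_tree():
    """Constructed sample: a stand-in WINDOWS/SYSTEM folder in a temp directory."""
    root = tempfile.mkdtemp()
    system = os.path.join(root, "WINDOWS", "SYSTEM")
    os.makedirs(system)
    for name in ("ADVERT.DLL", "amcis.dll", "kernel32.dll"):
        with open(os.path.join(system, name), "wb") as handle:
            handle.write(b"constructed placeholder")
    return root

if __name__ == "__main__":
    verdict, leftovers = verify_uninstall(build_sample_tree(), registry_clean=True)
    print(verdict)
    for path, accessed in leftovers:
        print(f"  {path} (last accessed {accessed})")
```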

This scenario is covered by canon 3.10 of the code:

3.10. Ensure adequate testing, debugging, and review of software …

As you saw with both of Radiate’s attempts at uninstalling their own software, at least this portion of the project has not been fully tested.

Even their own special purpose utility was unable to remove all traces of their module from the machine. And they are surprised that the public does not like them!

Conclusion

When I began researching for this paper, I was looking for information that would incriminate Radiate’s business practices; I found this information in vast quantities. Ironically, though, I also found much information that advocates Radiate’s business plan. If they cleaned up their business practices, quality assurance, and controlled the sources of their host programs, the public would not have a leg to stand on. The public’s argument stems from the fact that in many cases, Radiate’s module is installed without user authorization. If Radiate made absolutely sure that every program that was distributed as shareware under their name would adhere to strict standards of providing the user clear, easy-to-read information about what the Radiate module does, Radiate would be home free. Their business plan, in my opinion and according to the Code, is ethical; it is their lack of control over their market that provides the controversy.

Archived CPSR Information
Created before October 2004