Information Security News: How Much Privacy?

[InfoSec News <alerts () infosecnews org>]

http://www.forbes.com/security/2006/12/07/internet-security-research-tech_cx_ll_1208comscore.html

By Lisa Lerer
Forbes.com
12.08.06

ComScore Networks is the Big Brother of the Internet. The widely-used 
online research company takes virtual photos of every Web page viewed by 
its 1 million participants, even transactions completed in secure 
sessions, like shopping or online checking. Then comScore aggregates the 
information into market analysis for its over 500 clients, including 
such large companies as Ford Motor, Microsoft and The New York Times Co.

ComScore says that its participants are willing exhibitionists, happily 
selling their online privacy for gift certificates and free 
screensavers. But two computer scientists are raising new questions 
about comScore, claiming that company tracking software is being 
installed without consent on an unknown number of computers.

"[The] software is sneaking onto users' computers without the user 
agreeing to receive it," says Harvard University researcher Ben Edelman, 
who documented at least ten unauthorized comScore downloads. Eric Howes, 
director of malware research at antivirus company Sunbelt Software, and 
his researchers separately observed hundreds of unauthorized comScore 
downloads in a three-month period this fall. (Edelman and Howes spend 
their days patrolling the Internet for new threats.)

ComScore (revenues: $50 million) denies the allegations, saying the 
company would never install software without permission. "There is 
spyware out there, but that's not what we do," says comScore chairman 
and co-founder Gian Fulgoni. "We get explicit permission before our 
software is put on someone's machine." But privacy officer Chris Lin 
acknowledges seeing some unauthorized downloads several months ago. She 
says the company didnt distribute the nonconsensual software and 
immediately cut it off from comScore servers.

This isn't the company's first dalliance into apparent voyeurism: Two 
years ago, university IT managers busted comScore for tricking students 
into installing tracking software packaged with a free Web-accelerator 
program. Students were often unaware that they were being watched. 
comScore has since discontinued the program, called MarketScore.

But comScore remains the only major online research company that 
partners with third-parties. Outside distributors bundle its 
surveillance software with desirable free programs like games or videos.

Therein might lie the problem. In September, Edelman typed in the URL of 
a site that lists special codes for video gamers. Instead, a pop-up 
window loaded, asking him to approve a download.

When Edelman clicked yes, comScore's RelevantKnowledge software, which 
records every Web page visited, was installed on his machine along with 
scores of other advertising and spyware programs. Computer sleuthing 
unearthed the source of the bundled software: DollarRevenue, a program 
that bundles together many different adware programs. SunBelt considers 
DollarRevenue one of the top ten Internet threats for computers.

Edelman and Howes also observed similar downloads, based off porn and 
wrestling fan sites, by PacerD and MediaMotor, other adware bundlers 
known for their controversial practices. MediaMotor is the subject of a 
Federal Trade Commission complaint alleging improper disclosure of 
downloads; the U.S. Attorney's Office in Washington is engaged in a 
parallel criminal investigation. MediaMotor did not respond to requests 
for comment.

ComScore admits that the company engaged in partnership negotiations 
with DollarRevenue, even going as far as giving the company test 
software, says privacy officer Chris Lin. But the discussions stopped 
there, and the companies never signed a contract. Then, several months 
ago, comScore software installed by DollarRevenue started reporting back 
to company servers, says Lin.

Lin insists that the unauthorized software did not violate anyone's 
privacy. The company quickly cut the cord between the software and the 
servers. "This is the only issue that we have had with a potential 
distributor in the six years that our company has been in operation," 
says Lin. DollarRevenue said it "never really worked" with comScore but 
did not answer further questions about the unauthorized downloads. 
ComScore said it never observed any illicit downloads from PacerD or 
MediaMotor and has no relationship with either company.

Edelman and Howes blame the unauthorized software on the layers of 
middlemen that deliver free programs, ads and spyware to consumers. One 
of comScore's software distributors, they speculate, may have cut a deal 
with a less-reputable firm, which ended up bundling the software with 
spyware and adware. But Edelman says this type of foul up is inevitable 
given comScore's network of distributors.

Competitors say they refrain from using third-party distributors. "When 
you allow other people to start distributing your software, you lose 
control," says T.J. Mahoney, a managing director of market research 
start-up Compete. Another market researcher, Hitwise, licenses online 
behavioral information from Internet service providers, rather then 
contacting users directly. Nielsen/NetRatings first vets participants on 
the phone. If they agree to join the panel, the company sends a CD or 
directs them to a page where they can download tracking software.

In 2000, comScore hired independent accounting company Ernest & Young to 
annually certify the company's privacy policies, but that's not enough 
for Howes and Edelman. "A truly independent outside audit of its data 
practices--that's really what it's going to take," says Howes.


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn