Spyware or Researchware? 244

Posted by CowboyNeal
from the big-brother-is-logging dept.
prostoalex writes "When the story of Firefox Web site visitors being predominantly male was published, many questioned the methodology used to acquire such research data. This MSNBC article talks about another research company, ComScore Networks, using a free antivirus utility to lure the Web users into downloading a small utility to their hard drives. The catch? The software watches not only sites visited, but even locations of the mouse clicks. ComScore swears the final data does not contain any personal information, but, as the article states, anti-spyware utility manufacturers are still thinking whether to include it on their list."
  • by fembots (753724) on Thursday April 21, 2005 @11:25PM (#12310004) Homepage
    To find out the gender of a visitor, just create a site which requires visitors to hold one key while moving the mouse.
    • Re:Gendericator (Score:5, Insightful)

      by mfh (56) on Thursday April 21, 2005 @11:29PM (#12310043) Journal
      To find out the gender of a visitor, just create a site which requires visitors to hold one key while moving the mouse.

      Or you can ask... most people are honest about their gender unless they are in a chat room. But without any social interaction nobody has a reason to lie.
      • by Anonymous Coward
        But without any social interaction nobody has a reason to lie.

        i'm a hermaphrodite, i have to lie, i'm never an option to them!
      • by eric76 (679787) on Thursday April 21, 2005 @11:39PM (#12310113)
        most people are honest about their gender unless they are in a chat room. But without any social interaction nobody has a reason to lie.

        On the other hand, if they had a slashdot poll asking what is your sex and the possible choices were "male", "female", "none", "both", "not applicable", and "i ate a pizza for supper last night", the "male" and "female" would probably be on the low end of the answers.

      • http://www.bash.org/?100796 [bash.org]

        where the men are men
        the women are men
        and everyone under 18, has a .gov ident!
      • by rjelks (635588) on Friday April 22, 2005 @12:45AM (#12310441) Homepage
        I lie about personal information all the time. It's my small way of messing up the statistics.
        • by fgl (792403) <daniel@notforsale.co.nz> on Friday April 22, 2005 @06:20AM (#12311487) Homepage Journal
          Me too, I'm a 99 year old grandmother of 30 from Albania, who also owns a multi-million dollar IT company that survived the .com bubble & employs over 1000 people.
          I still get porn spam though.
          • I'm much the same. Except that I try to be a 6 year old girl, because there are laws to protect the privacy of children that do not apply to adults. As soon as websites solve the Y2k issue I will be a newborn, but everyone assumes that I must have been born in the 1900's.

            Mental note, write a book about how to survive this in 12 years, just in time for those first children to start turning 18.

          • I bet you still say you're a 14 year old bum living in your mother's basement with only $3.42 pocket money a week, you tax evasionist you!
      • Or you can ask... most people are honest about their gender

        Or give them at least the option NOT to answer that question. What does it matter if I read a page like this one [www.unb.ca] if I am a man or a woman? Even more when I have to enter an apply for hotmail.

        I am so much emancipated that these things should NOT matter. Do they ask you for your skin colour? No, because that is racism, yet asking what your sex is is allowed and normal.
      • And you are just as likely to get a correct response as the pseudo-spyware company got when they asked their users what their sex was.
      • So you're saying that in chat rooms less than half are honest about their gender? Where have you been chatting?
      • >most people are honest about their gender unless they are in a chat room

        Really? If asked for information, I lie about *everything*. And in the case of exit polls, I agree with the late Mike Royko that there is a moral obligation to lie.

        hawk
  • Depends... (Score:5, Insightful)

    by LewsTherinKinslayer (817418) <lewstherinkinslayer@gmail.com> on Thursday April 21, 2005 @11:27PM (#12310020) Homepage
    The difference between Spyware and Usage Statistics is pretty simple: is it clearly stated to the End User and is optionable. Essentially, it's not spyware if you know about it up front and have the ability to (actually) turn it off.
    • Re:Depends... (Score:4, Insightful)

      by B'Trey (111263) on Thursday April 21, 2005 @11:37PM (#12310102)
      Absolutely. This is sheer paranoia. If you go to the AV utility linked above, it clearly states:

      Marketscore is part of an online market research community with over 2 million members worldwide. Marketscore relies on its members to gain valuable insight into Internet trends and behavior. In exchange for having their Internet browsing and purchasing activity observed, members have access to free email virus scanning and other benefits. Marketscore DOES NOT sell personal information; nor do members receive any advertisements as a result of their participation.

      Unless there is evidence that they're lying and ARE actually collecting personal data or the program tries to hide itself and prevent you from uninstalling it, this is a non-issue. Absent some sort of incriminating evidence that isn't immediately apparent, the company is doing nothing wrong.
      • Re:Depends... (Score:5, Informative)

        by rjelks (635588) on Friday April 22, 2005 @12:47AM (#12310462) Homepage
        Remember, Gator(or whatevertheyswitchedtheirnameto) isn't spyware either...they said so.
      • Re:Depends... (Score:3, Informative)

        by muzzmac (554127)
        They USED to (2 weeks ago) collect ALL data. Even SSL traffic (Internet banking passwords and all). Now they don't do that any more. They state they throw away personal information but do state they look at Credit Card numbers. Do a five minute Marketscore Google search. They've stopped doing that recently. I'm guessing because banks have started blocking their proxy servers. Now they let the users go straight there and send the info back. (Who knows what SSL info they send. They do use some SSL)
      • They aren't lying. They're just not explaining that their observations include all of your encrypted transactions, because they install their own root certificate. Suddenly, all your SSL transactions go to MarketScore. They are decrypted and read, then reencrypted and sent on to their destination. This means that they have access to credit card numbers, CVV2, passwords, PINs, social security numbers -- anything you type into a website, whether or not that website is "secure."

        They claim they don't keep that
    • Re:Depends... (Score:5, Insightful)

      by pete6677 (681676) on Thursday April 21, 2005 @11:41PM (#12310124)
      Most importantly, is it overly difficult to remove? If the software was either carelessly created or intentionally designed to resist uninstallation, it could cause problems for the user and should be avoided.
      • Re:Depends... (Score:3, Informative)

        by Tim C (15259)
        But that's true of *any* software, no matter what its intended purpose is. Hell, I know people who avoid using Firefox, because the update mechanism (used to) leaves multiple entries in the Add/Remove Programs control on Windows.
        • I know that wasn't perfect and looks bad, but is that really a deciding factor in using one browser versus another? I would think there are more important things to consider than a few extra entries in Add/Remove Programs.
    • Re:Depends... (Score:5, Interesting)

      by Dead Kitty (840757) on Friday April 22, 2005 @01:07AM (#12310537)
      A new question is exactly which parties does the software need to be upfront with? The Marketscore software has just recently changed its tactics, it's no longer just an issue with the End User anymore. They now are actively hiding themselves from end servers. The implications?

      Banks with online banking services have long banned authentication attempts coming from customers using known Marketscore proxies for obvious security reasons. This is due to the violation of the terms & conditions presented when setting up an online banking account. The traditional Marketscore setup had client traffic sent to their proxies which was then forwarded to the intended site. This made it easy for us to track customers with "compromised" machines (Marketscore would never admit to compromising anything).

      Lately (last 1 or 2 weeks), we noticed in our server logs that connection attempts from Marketscore proxies suddenly dropped to nothing (from 100's to 0). After some investigation, we learned that the new Marketscore spyware now installs its proxy locally on the user's machine. It accumulates data in a local cache which is then sent back to Marketscore for their analysis. Because of this, we can no longer filter compromised machines running Marketscore shitware. Of course there's the other garbage like secretly installing their own root cert on the victim's machine, harder detection by anti-spyware programs, etc.

      Yes, maybe the user knows the benefits (and the world of hurt) they can expect from using this software...but what about the banks (or other businesses) who are actively trying to protect its customers? We're still trying to figure out how to deal with this on our side while individually informing the affected customers.
      • Re:Depends... (Score:4, Interesting)

        by Anonymous Coward on Friday April 22, 2005 @05:29AM (#12311348)
        Nice to see someone else notice.

        How much do I hate ComScore/MarketScore, let me count the ways...

        1/ I *think* they use OpenSSL without giving any credit as required by the license. Evidence: http://groups.google.com.au/groups?q=comscore+openssl&hl=en&lr=&c2coff=1&selm=bcqfh4%24mo9%241%40FreeBSD.csie.NCTU.edu.tw&rnum=1 [google.com.au]

        2/ They actively seek little apps to install their software with. Evidence: http://groups.google.com.au/groups?q=comscore+spyware&hl=en&lr=&c2coff=1&selm=x%25M3d.8204%24n16.5796%40newsread2.news.atl.earthlink.net&rnum=3 [google.com.au]

        3/ They go out of their way to hide their identity from their "Panellists". Try and find a reference to Comscore on http://www.marketscore.com/ [marketscore.com]

        4/ They do not care about the security of the information of their panellists. Do some research on how they previously "Broke" SSL sessions and effectively proxied all "SSL Protected" information up to their proxy servers.

        5/ They actively try to disguise their immoral practices to gather information. Try to find any mention of "Marketscore" on this page which is the sales site to sell their services to Marketing companies. http://www.comscore.com/metrix/xpc.asp [comscore.com]

        6/ They got Ernst and Young (I hate that company too) to "Certify" them. Read the report. It is laughable. https://cert.webtrust.org/ViewSeal?id=383 [webtrust.org]

        7/ They ONLY stopped proxying SSL sessions about 3 days AFTER the New Zealand banks went public saying they were blocking their software. Other banks were doing it just less publicly. How much would their customer base have been eroded if everyone who does internet banking stopped using their software. That is, I believe, why they changed.

        8/ Now they just copy your data to servers. Not sure what. The SSL stuff is encrypted. No one knows what they send but them.

        9/ Their software silently updates without telling the user. That's nasty.

        10/ They have only JUST added an "Add/Remove" control panel. Previously there were no visible clues that it was installed.

        11/ They marketed themselves as an Internet Accelerator. They did this by using proxy technology. This is horribly slow from overseas.

        The conspiracy theorists I know believe they are a front for the NSA. :-) Reston Virginia known for this sort of stuff?

        I just know they are evil. :-)
      • My bank doesn't. Which banks do ban Marketscore?
  • Choice (Score:5, Interesting)

    by mfh (56) on Thursday April 21, 2005 @11:27PM (#12310021) Journal
    The beef I have with spyware is that it's never given me a choice; it installs without me knowing and lurks like a drooling Rutterkin in the corner -- waiting for me to spill my drink or drop The One Ring. But this research program is optional, right?

    I have no problem with optional programs that record data to be used in a study. My wife also participates in allergy studies. So?
    • "The beef I have with spyware is that it's never given me a choice..."

      "Mr. Bond, we didn't invite you here!"
    • Well, 'research' may really just be the same type of marketing 'research' that regular spyware companies do, and sell. The above-boards approach sits a lot better on my stomach though than gator software silently installing itself in the background. I don't think that the anti-spyware groups should flag it as spyware--you presumably know what this one's doing when you download and install it. Maybe just flag it as a warning?
    • To the extent that something forthrightly discloses what it does and offers the choice to opt-in (...and to opt-out later easily if one changes one's mind ...), the validity of the data is compromised.

      There's nothing *wrong* with giving people the choice of providing information in exchange for an incentive (... I participate in surveys & studies all the time ...) but it is not unlikely that as a result, the sample becomes non-representative (except of itself.)

      How likely is it that the genders differ

      • oh well, then they should try to make the best of their invalid data. their right to valid data can't trump their subjects' right to privacy, period.
      • Excellent point. People who would install and use this software are (I hope) a non-representative subset of all computer users. I'd like to believe that more people have a clue than not, and the fact that these guys only have about 1 million members is kinda encouraging - when you think about how many Internet users there are.
        I hope.
    • The difference (Score:2, Insightful)

      by Anonymous Coward
      "I have no problem with optional programs that record data to be used in a study. My wife also participates in allergy studies. So?"

      Did your wife's allergy study also reveal how many times she had sex and with who?

      Did it reveal your bank account information?

      Did she have to tell the allergy researchers everywhere she drove?

      My guess is that there were limits to what the Allergy Research people asked, and even if they asked something untoward ("Excuse me ma'am, what is your breast size?"), she could say "
      • My guess is that this study is examined by a medical ethics board and run by legitimate researchers. IF they ask the guy's wife what her breast size is, it is because they have a reasonable reason to believe that breast size affects something related to allergies. Since this is unlikely, ethics boards will require proof that there is a reason to ask.

  • Oh boy (Score:4, Funny)

    by NanoGator (522640) on Thursday April 21, 2005 @11:27PM (#12310023) Homepage Journal
    Well, that story had all the right buzzwords to get the pitchforks wavin!
  • by FlyByPC (841016) on Thursday April 21, 2005 @11:28PM (#12310037) Homepage
    Isn't that sort of app supposed to be CHECKING for trojans? Sheesh.
  • spyware (noun) (Score:5, Insightful)

    by weighn (578357) <weighn@gm[ ].com ['ail' in gap]> on Thursday April 21, 2005 @11:30PM (#12310050) Homepage
    any software that covertly gathers information about a user while he/she navigates the Internet and transmits the information to an individual or company that uses it for marketing or other purposes - http://dictionary.reference.com/search?q=spyware

    The software watches not only sites visited, but even locations of the mouse clicks.
    add the use of the word "lure" and it makes me think that this is, indeed, spyware.

    • But no-one is being lured or tricked - the page linked to very clearly states what the software does:

      "In exchange for having their Internet browsing and purchasing activity observed, members have access to free email virus scanning and other benefits."

      (Sentence 6 of 7, all of which are in the same font and the same size)

      If someone installs it without realising that it's going to collect marketing data, well, frankly I think they have bigger problems, like a serious need to improve their reading comprehen
      • Marketing data !== Online banking logins and CC numbers.

        Marketing data !== Location of mouse clicks

        Free email virus scanning, does it REMOVE anything? Somehow I think the stuff probably sucks rotten donkey balls at virus prevention...

        Walks like spyware, talks like spyware, smells like spyware... this thing is one step above OpenOrriface as far as its trojan qualities.

        I hate asshats like you that blame the user for something, same logic the spammers use. Jerk.
  • by GoodbyeBlueSky1 (176887) <joeXbanks@NosPAm.hotmail.com> on Thursday April 21, 2005 @11:30PM (#12310051)
    as the article states, anti-spyware utility manufacturers are still thinking whether to include it on their list.
    How would this not be spyware, exactly? It's not like this "research" will cure cancer.
    • How would this not be spyware, exactly? It's not like this "research" will cure cancer.

      If it's not curing cancer it's not research? I'm not sure about that...might want to check your sources.
    • by damiangerous (218679) <1ndt7174ekq80001@sneakemail.com> on Thursday April 21, 2005 @11:47PM (#12310161)
      It doesn't at all meet the commonly accepted definition of spyware [wikipedia.org]. If it were bundled as part of some other software and you didn't know about it, sure, that's very spyware and scummy. But to get this program you have to explicitly go to their web site and choose to install this one program that's very explicit about what it does. If you're not tricked, lied to or treated in any way dishonestly, there's no way you can consider it spyware. Go look at the page and tell me how they "trick" you. There are seven sentences of normal size type in the body of that page (and three headers) and one of those seven sentences explicitly states:

      "In exchange for having their Internet browsing and purchasing activity observed, members have access to free email virus scanning and other benefits."

      If that page "tricked" you, turn off your computer now and back away.

  • Here's the damn solution: include it.

    They all pop up a list of software reporting your usage, this list is hand culled by the user.

    By not including it they lose some moral authority.
  • by nigham (792777) on Thursday April 21, 2005 @11:32PM (#12310064) Homepage
    Unfortunately, if they give the users a choice to turn it off, you can't qualify the statistics obtained from users who allow information to be logged as good - e.g. who's to say whether guys may be more inclined to turn it off than girls - or conversely, women feel more threatened about privacy... in either case your stats will be skewed.

    In any case most users (myself, certainly) would turn it off - I am supremely uncomfortable with some random company knowing anything about what I do on my computer.
    • This is horseshit.

      There is no 100% representative sample. You just do some research to determine who doesn't participate.

      For example, I recently presented a paper at a psychology conference. When I presented my research, I offered up my sample - mostly female, all culled from undergraduate psych courses, a majority not psych majors, between ages 19 and 42.

      There is no reason my data is only relevant to this sample, though there is always the possibility that, in fact, there is a subtle selection bias. So,
    • in either case your stats will be skewed.

      There are strict disclosure rules that psychologists have to follow before they can do a test with human subjects. It doesn't matter if your results will be skewed by warning them that they will be dumped in a vat of maggots, you still have to tell them. The rights of people to choose is more important than your right to gather information about them.
      • Knowing the type of people that won't participate in such an experiment is just as important as the final reactions of the people who will participate.

        That's what makes the difference between a good psych project and "just a bunch of weirdos dunking people in nasty gunk"
  • No... (Score:5, Insightful)

    by damiangerous (218679) <1ndt7174ekq80001@sneakemail.com> on Thursday April 21, 2005 @11:37PM (#12310098)
    Unless it starts getting buried as part of other installs, it's not spyware. They're very upfront about what they do. There's very little text on the linked page, and one paragraph (of three) reads in the same size type as the other text:

    Marketscore is part of an online market research community with over 2 million members worldwide. Marketscore relies on its members to gain valuable insight into Internet trends and behavior. In exchange for having their Internet browsing and purchasing activity observed, members have access to free email virus scanning and other benefits.

    You have to draw the line of reasonableness somewhere. If that site isn't clear enough for you to understand what they do, you probably shouldn't be on the Internet (or at least not from a computer configuration you could hurt yourself with).

    • As I recall, Marketscore also sends SSL traffic through its servers, decrypting it, sending it, then re-encrypting it to gain speed.

      http://www.spywareinfo.com/newsletter/archives/1 20 4/1.php

      When Lavasoft rates it as a ten out of ten threat rating, I'll start to get worried - oh, wait, they DID.
  • Macs (Score:5, Insightful)

    by Johnny Mnemonic (176043) <[mdinsmore] [at] [gmail.com]> on Thursday April 21, 2005 @11:44PM (#12310141) Homepage Journal

    This tool then is cutting out the Mac and Linux users from their tracked demographic; together those users represent about 5-10% of the market. And they represent many early adopters of tech, too.

    I would think that the use of a tool of this kind would be enough to skew their information, causing any results to be not credible. I certainly wouldn't use them to research products that I would sell, as I would want to be able to target Mac and Linux users as well.

  • Oh, come on.. (Score:3, Insightful)

    by proteonic (688830) on Thursday April 21, 2005 @11:48PM (#12310163)
    Let's see.. I need an antivirus utility.
    What shall it be?
    McAfee.. no
    Norton.. no
    AVG..no
    Oh, wait! Here's one! Marketscore! That sounds reputable! I've never heard of them before, so they must be good, because they stay out of the "eviil media".
    --end scathing sarcasm--

    The people "lured" into downloading this utility should probably also have their right to vote restricted for lack of ability to critically process information.

    And, by the way, if you feel victimized by this software, I have news for you.. they've recently changed the definition of gullible in the dictionary.

    Interpret that however you please.

  • quacks like a duck, and smells like a duck, then it must be...spyware. Seriously, people, how can you record where the mouse is clicked on my screen, and what sites I am visiting without being spyware? Saying that there is no personal information logged sounds like splitting hairs to me. This program should definitely be on the spyware list.
  • by csk_1975 (721546) on Thursday April 21, 2005 @11:52PM (#12310186)
    anti-spyware utility manufacturers are still thinking whether to include it on their list

    If you use the blackhole dns list [bleedingsnort.com] of spyware domains from bleedingsnort.com it's already included based on this submission [doxdesk.com] from doxdesk. Squid ACLs are a great way to stop these parasites and you don't have to wait for anti-spyware manufacturers to decide whether it's spyware or not. Also ClamAV [clamav.net] lets you create your own signatures so you can set up rules to detect anything you consider to be spyware.
  • Free anti-virus? (Score:4, Informative)

    by W8TVI (547517) on Thursday April 21, 2005 @11:54PM (#12310201) Homepage
    Why not just download AVG Anti-virus [grisoft.com]?
    It's free, and has no spyware attached.
  • by indy_Muad'Dib (869913) on Thursday April 21, 2005 @11:58PM (#12310216) Homepage
    Symantec, for example, designates the program as spyware on its Web site.

    A major antivirus company saying a free antivirus program is spyware, that should raise a few red flags right there.
    • by vga_init (589198) on Friday April 22, 2005 @12:22AM (#12310338) Journal
      Well, what is spyware? In my mind, it's a piece of software that harvests data from your computer and sends it to someone else for their own personal uses without your explicit knowledge or consent.

      By my definition, that makes the program in the article spyware.

      You're right in suggesting that Symantec may have an ulterior motive, but there exists (what appears to me) the unfortunate fact that the software actually is spyware. It may be a coincidence, or Symantec may have checked specifically on competing software, but they aren't misreporting anything.

      Black (because I like the color red and black seems more appropriate) flags would go up if a) Symantec lied about the software being spyware, or b) Symantec held a policy that only classified that software as spyware because it was competing with them, letting similar, non-competing programs go by unchecked.

    • Normally I'm more than happy to lay the smackdown on Symantec, especially after their FUD campaigns to sell antivirus software for systems that have no viruses in the wild, but I think I trust a spyware-supported antivirus distributor even less.

      What surprises me is that Symantec says anything is spyware. They normally don't seem to check for spyware at all.
  • by Anonymous Coward
    "Security professionals say ComScore dangerously slurps up all manner of personal information, including passwords for online banking services."

    Is the single scariest thing I've read, barring the end of the world that will result from the release of Longhorn.

    And
    ComScore officials said the sensitive data is never at risk.

    "We establish two secure communications. One with you, and one with the bank," Lin said.

    Is the third scariest. Of course the data is at risk, an information research company has yo

  • Bad Statistics (Score:2, Insightful)

    by Morrog (706170)
    Anyone remember that common example of bad stats? Some survey was taken by calling people randomly. What's wrong with it? You're excluding everyone without a phone (which is now rare, but the poor didn't have them when this survey was done). Isn't this exactly the same? You're excluding everyone without spyware. Hey, maybe males are more likely to get spyware on their computers than females?
  • by rewinn (647614) on Friday April 22, 2005 @12:36AM (#12310404) Homepage

    ... whether people who voluntarily install their program understand that they are agreeing never to shop or bank online with decent security ever again?

    It's one thing to warn someone "If you install our software, we'll monitor your net behavior".

    It's entirely another thing to say "If you install our software, you'll be relying on us never to collect your credit card number, bank password, or the birthdate/mother's name information we'd need to empty your bank account ... and you're relying on us never to be hacked."

  • by assassinator42 (844848) on Friday April 22, 2005 @12:48AM (#12310464)
    It started out being marketed as a way to "speed up" web browsing, much like AOL is advertising with "Top Speed" now. According to the article, they even have access to encrypted connections. It also says that your passwords and stuff are visible to them. This isn't good, and they don't really state up front that they do this. I believe marketscore has been considered spyware for a while by some people. Also, the program they give you in exchange only scans emails, or so it appears. Definitely not worth it.
  • by One Childish N00b (780549) on Friday April 22, 2005 @01:17AM (#12310585) Homepage
    This is going to nuke my karma to all Hell, but what the hey...

    A lot of Slashdotters are, as usual, not RTFA/web page in question and assuming that this is the usual spyware trick of clandestinely trojanised software pretending to be a legitimate tool - allow me to explain;

    The word 'lure' used in the summary is a loaded term - it implies (in the context the editors used) that they are somehow using this free AntiVirus tool as a means of covertly installing spyware - This company is simply offering a free antivirus product if you accept the *up front agreement* that their little utility can spy on your web browsing habits - they're not doing anything clandestine here, they're just offering their service to you for free, so they can sell the results on to advertisers to recoup costs;

    From the company's website:
    In exchange for having their Internet browsing and purchasing activity observed, members have access to free email virus scanning and other benefits.

    This is just a new way of offering a product - "here, you can have this for free, but in exchange you've got to give us stuff we can sell to our advertisers" (though they promise not to sell personal info, so presumably they'll just be selling 'web trends' data) or rather, it's the same way that a lot of so-called 'adware' operates, only they're rarely this up-front.

    Sure, it's spyware, but the text above is located right on their front page, is in easily-understandable English, and is not hidden, obscured or obfuscated in any way - if people want to give their permission for Marketscore to monitor their browsing in exchange for free software, who are /. to stop them? If you're concerned about web privacy, don't download it, but it's not like they're trying to trick anyone here.
    • While I generally agree with you, I do have two comments.

      Firstly, the editors didn't use the word "lure" at all, other than in so far as CowboyNeal chose to post this. All of the words in italics are those of prostoalex (unless he speaks up to claim that CowboyNeal changed them, of course).

      Secondly, if I had mod points, you'd be going down for that opening sentence :-)
      (No danger of that though, I've not had mod points for years)
      • Editors, original posters... someone's dropped a loaded term in there, and it's the editor's job to pick up on these biases and change them so that hundreds of Slashdotters go off half-cocked at 'teh eval spyware companie' 'luring' innocent webfolk into their den of spying evilness...

        As for the first sentence, it wasn't the usual 'go-on-mod-me-down', 'karma-to-burn' piece, I genuinely thought I'd get a Troll mod there for daring to question the evil of violating web privacy, even with the user's permissio
  • ... they made the software open source and available for scrutiny on a source like Sourceforge. More than that, the install should be clean and easy-in and easy-out.

    It would make the thing have a better chance of being used for legitimate research and a better chance of being trusted.

    The whole problem with traditional spyware is that it is often installed in deceptive or undetected ways, that it is difficult to remove and even goes so far as to damage things such as AV software to prevent its removal.
  • Hmmm. I wonder... so does the study then indicate that primarily men use Firefox, or does the study actually indicate that primarily men install antivirus protection? Or both, for a double whammy of a skewed number?

  • It is still spyware (Score:2, Informative)

    by aggles (775392) *
    Just because you know a piece of code is spying on you doesn't stop it from being spyware. James Bond was still a spy, even when Goldfinger knew who he was. The threat comes to others who may use the machine without knowing the spyware is running. Companies buy Comscore information and actually believe it represents normal people. No wonder so many Web sites suck -aggles
  • by Animats (122034) on Friday April 22, 2005 @02:11AM (#12310786) Homepage
    It's more than spyware. This thing reroutes all your browser traffic through their proxy. That's how they see what you're doing. It includes rogue SSL certificates [uiuc.edu] so it can capture encrypted connections. Yes, they get to see all your credit card numbers. Major universities, including UCIC, UCLA, UC Riverside, UCSD, Texas Tech, Windsor, UNC, Old Dominion, Michigan, Iowa, McGill, Carlton, Cornell, American University, Stanford, and Columbia are blocking connections to Marketscore for this reason. If you have Marketscore installed at one of those schools, you get a warning page like this. [csuchico.edu]

    Some banks also block online banking sessions coming in via Marketscore's proxies.

    This is the same spyware previously known as "netsetter". There's no question about this being spyware.

    Here's Stanford's Information Security Office's statement on Marketscore [stanford.edu].

    • Security Alert: MarketScore Spyware
      11 Jan 2005

      MarketScore (also called NetSetter) is a spyware-like application that compromises the security of all data sent or received by your web browser, even on "secure" encrypted web sites. All external browser communications are re-routed through MarketScore's proxy servers, so they have access to any "secure" traffic/passwords/accounts that otherwise would be encrypted.

      If you have MarketScore installed on your computer and have used your browser for any services that require WebLogin, your password should be considered compromised. After you have removed MarketScore from your computer, we strongly recommend that you change your SUNet password. This advice also applies to any other secure web sites you may have visited with your browser.

      The Information Security Office is directly contacting owners of machines that appear to behave as if MarketScore is present.

      Technical Detail

      MarketScore reconfigures the browser to use a "proxy server" for all non-local connections, including HTTPS connections. A proxy server is a machine that acts as a middle-man, brokering web page requests intended for other sites. So if the browser on machine A wants to visit web sites C, D, and E it makes all those requests through the proxy server B. B then contacts C, D, and E and passes the results back to A. This is usually transparent to the user on machine A after the browser has been configured to use the proxy.

      Web proxies are typically used in a corporate environment where all web traffic must be controlled or inspected centrally, although in the case of secure HTTPS traffic there is ordinarily nothing the proxy can do except forward the connection or refuse it. In this case, the proxy servers belong to a company called ComScore where they collect and analyze the intercepted data.

      While ordinarily an HTTPS connection would simply pass through a proxy securely, in this case MarketScore also installs a new root certificate in your browser so that it can decrypt all intercepted SSL connections (a "man-in-the-middle" attack) without triggering a security warning from the browser. In normal operation, browsers would complain if a site certificate doesn't match the domain of the URL, but the new root certificate tells the browser to trust ComScore's site certificate for any URL.

    This goes well beyond what Marketscore claims their program does.

    That seems to settle the issue.

  • It's spyware (Score:5, Interesting)

    by PhotoBoy (684898) on Friday April 22, 2005 @04:31AM (#12311215)
    If it monitors what I'm doing on my computer it should be classified as spyware. I don't care if it's for research rather than commercial uses, it's still spying.

    The fact that the spying program is included with a free anti-virus program to entice people to download it says it all.
    • But the program says "We will monitor you" up front. It's not being dishonest about what it does.

      It's more like "MonitorWare" if it came bundled with McAfee or Norton, and they didn't tell you it was there, that would be spyware.
      • What a freaking perversion of the English language. Where I come from "we will monitor you" does not imply "gather your credit card number" in any sense.

        That's like saying "I will visit your mom for a chat" means "I will sniff your mom in the cooch."

        It just isn't the same thing.

        The stuff is Evil. Face it. (Yea, lot of credibility from a guy using the email address "joe.hacker@gmail.com" about what is good and right on internet. Go crawl back under your futon in the basement, kid.)
  • I wish they'd make this useful software available for OpenBSD users like myself.

    I miss out on such good stuff.
  • The difference between the two is quite clear I think. Research is being conducted openly, with full consent of the subjects who freely and with full understanding agree for given data to be collected (or answer certain questions asked by the researchers). Spying is done in secret, without the subjects knowing data about them is being collected, without being able to review it and agree to it consciously.

    And, obviously, tucking some small print into a lengthy "agreement" written in lawyer-lingo that no on

  • Anti-spyware manufacturers? Is that like steel manufacturing? Is anti-spyware drop-forged, hammer forged, or die cast? Maybe it's extruded like cheerios.
  • by ZeroVerteX (196791)
    I consider my computer usage habits (i.e. where I click, and what I look at) PERSONAL INFORMATION! A rose is a rose, and spyware is spyware!
  • Spyware.

    Was that hard?
  • by Mattwolf7 (633112) on Friday April 22, 2005 @10:02AM (#12312712)
    Marketscore is Spyware
    You have been redirected here because your computer attempted to contact a Marketscore proxy server. While it is undetermined whether or not you intended to sign up for the Marketscore service, you should be informed of the following:

    * Your communications through Marketscore are not secured:

    Even though your browser displays a lock or key and indicates that you are using a secure connection (the URL begins with https://), your traffic is being tunneled through a Marketscore proxy which has direct, unencrypted access to your "secure" connections. Secure connections should always be made directly to the intended target. The Marketscore site certificate could be used to masquerade as any domain, even after being uninstalled.

    * Proxying could threaten University security:
    Your confidentiality, and that of other OSU services, students, staff and faculty could potentially be compromised since usernames and passwords could be recovered from data collected by Marketscore (previously Netsetter) or its future owners or management. As a student or staff member of The Ohio State University, you are granted access through your login name and password, which could be accessed by unauthorized third-parties through your use of a proxy such as Marketscore.

    * Proxying does not improve internet connection speeds: While Marketscore or any similar service may claim to improve connection rates, this is not shown in research.

    * It can be construed as a violation of Resnet and the University's Acceptable Use Policy: "Users will not attempt to circumvent the ResNet firewall or any other established network services" [AUP, ResNet]. Proxying through a third party such as Marketscore does just that.

    * Marketscore can update itself: Marketscore software can quietly (without user notification/intervention) update itself. This means arbitrary code can be executed on your machine at any time.

    In order to resume normal web browser activity, you must remove Marketscore from your computer. Below is a guide for removing this Spyware. To be certain that Marketscore is fully cleaned from your system, these instructions must be completed in their entirety.

    Remove Marketscore:

    Uninstall Marketscore
    Open the Control Panel
    Click Start->Control Panel (or if Control Panel does not appear, Start->Settings->Control Panel), click Add or Remove Programs
    Find the Marketscore (OR Netsetter) item in the list, and click to Remove it.
    Note: If Marketscore/Netsetter do not appear in the Control Panel, then you are infected with a self-installing variant of the spyware which you will have to remove using a "hidden" uninstall feature:
    ResNet marketscore removal batch tool
    Download and run MSremove.bat [ohio-state.edu]

    If, after following these instructions, your machine has not been cleaned of Marketscore, please contact the ResNet Support Center at 2-HELP (2-4357).

    Equip your computer with software to protect against other Spyware and remove possible lingering elements (registry entries, etc.) of Marketscore:

    In order to assure that your computer is free of other elements that can compromise your privacy and security, ResNet highly recommends that you install software that will detect and remove Spyware.

    The two leading applications are:
    Ad Aware - The personal edition is available for free download at http://www.lavasoft.com
    Spybot Search & Destroy - This software is freely available at http://security.kolla.de
    Install one of these (installing both can cause conflicts), be sure that the spyware definitions are up to date, and scan your system periodically. Doing this, in addition to protecting your privacy and security, will help keep your computer clean and running efficiently.

    This lameness filter really sucks.... I'm not sure how I feel about OSU blocking it. I guess they do it because it hurts their network, but what if they block something else?
    • It can be construed as a violation of Resnet and the University's Acceptable Use Policy: "Users will not attempt to circumvent the ResNet firewall or any other established network services" [AUP, ResNet]. Proxying through a third party such as Marketscore does just that.

      Uh, what? How exactly does using a proxy outside the university network circumvent the firewall? Do they teach some sort of alternative computer networking at OSU?
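
Added illustration, not part of the thread and not Stanford's or OSU's tooling: the two host-side conditions in the Stanford technical detail quoted above (HTTPS sent through an outside proxy, plus an extra trusted root), and the leftover-certificate case from the OSU notice, expressed as an audit over exported settings. `ProxyEnable` and `ProxyServer` follow the WinINET "Internet Settings" value names; the host names, thumbprints, allow list and function names are constructed for the example.

```python
# Constructed sample data; host names and thumbprints are placeholders.
BASELINE_ROOTS = {"AA11" * 10, "BB22" * 10}    # SHA-1 thumbprints of expected roots
ALLOWED_PROXIES = {"wwwproxy.campus.example"}  # hypothetical site-approved proxy
ROOTS = [("CN=Expected Root A", "AA11" * 10),
         ("CN=Expected Root B", "BB22" * 10),
         ("CN=Unrecognised Root (constructed)", "cc33" * 10)]
INSTALLED = {"ProxyEnable": 1, "roots": ROOTS,
             "ProxyServer": "http=proxy.example.net:8080;https=proxy.example.net:8443"}
UNINSTALLED = {"ProxyEnable": 0, "ProxyServer": "", "roots": ROOTS}  # root left behind
CLEAN = {"ProxyEnable": 0, "ProxyServer": "", "roots": ROOTS[:2]}


def parse_proxy_server(value):
    """Parse 'host:port' (all schemes, stored under '*') or
    'http=host:port;https=host:port' into {scheme: (host, port)}."""
    proxies = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, sep, target = part.partition("=")
        if not sep:
            scheme, target = "*", part
        target = target.split("://", 1)[-1]    # tolerate 'http://host:port'
        host, _, port = target.rpartition(":")
        if not host:                           # entry has no explicit port
            host, port = target, "0"
        proxies[scheme.lower()] = (host.lower(), int(port))
    return proxies


def audit_host(cfg, baseline=BASELINE_ROOTS, allowed=ALLOWED_PROXIES):
    """Return (kind, detail) findings for one host's exported settings."""
    findings = []
    proxies = parse_proxy_server(cfg["ProxyServer"]) if cfg["ProxyEnable"] else {}
    for scheme, (host, port) in sorted(proxies.items()):
        if scheme in ("https", "*") and host not in allowed:
            findings.append(("tls-proxy", f"{host}:{port}"))
    for subject, thumbprint in cfg["roots"]:
        if thumbprint.upper() not in baseline:
            findings.append(("extra-root", subject))
    return findings


def can_intercept_tls(findings):
    """True when HTTPS is proxied off-site and an unexpected root is trusted."""
    return {"tls-proxy", "extra-root"} <= {kind for kind, _ in findings}


if __name__ == "__main__":
    for name, cfg in (("installed", INSTALLED), ("uninstalled", UNINSTALLED)):
        print(name, audit_host(cfg), can_intercept_tls(audit_host(cfg)))
```

The `UNINSTALLED` sample still reports `extra-root` with the proxy setting gone, which is the condition to clear before treating a machine as clean.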
