They appear so innocent. All those friendly little programs that let you swap media files, or organize your desktop, transform your cursor into animated characters or even keep track of those dozens of online user names and passwords. They’re fun, they’re useful and best of all, they’re free! But the price you could be paying for these applications is far higher than you realize. With adware and spyware, you’re compensating the developers with your privacy, which is being stolen away bit by byte.

Adware and Spyware Defined

First, it’s important to bring a little clarity to some of the definitions that are being tossed around. You’ll hear adware, spyware and even malware. Some terms encompass others, some don’t. The line between them is becoming increasingly blurred. Here’s a spyware primer.

Whatis.com defines adware as:

“Any software application in which advertising banners are displayed while the program is running. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen. The justification for adware is that it helps recover programming development cost and helps to hold down the cost for the user.”

So, what is spyware? Again, we turn to Whatis:

“In general, spyware is any technology that aids in gathering information about a person or organization without their knowledge. On the Internet, spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Spyware can get in a computer as a software virus or as the result of installing a new program. Data collecting programs that are installed with the user's knowledge are not, properly speaking, spyware, if the user fully understands what data is being collected and with whom it is being shared.”

The difference between the two comes in two areas. First, is information about the user’s surfing habits being relayed back to a third party? And secondly, was this fact made clear to the user during the installation of the program? If not, you’ve just open your computer to a mole, my friend.

And it’s here where the line can get a little blurred. Many adware purveyors claim they're staying on the right side of the ethical divide by hiding behind a convoluted terms-of-service agreements that a lawyer would have a tough time plowing through. Hidden somewhere in those thousands of words is hidden the fact that you’re opening a back door from your computer to the world. Do you read these terms and conditions carefully before clicking the agree button? Probably not, but don’t feel bad. According to an article on cnet, neither do 86% of computer users.

Finally, there are downloads that do more than just serve ads. Some downloads that have come bundled with peer to peer management programs like Kazaa have actually hijacked user computer’s unused processing power and siphoned it off to be used in a virtual networked mega-processor. And, in the worst case, downloaded software can actually act like a virus or Trojan horse and install malicious software, or “malware”, onto your computer.

The Usual Suspects

In the past few  years, the prevalence of adware and spyware has boomed on the internet. Programmers have found a way to subsidize their development costs by serving ads in windows built into their interface. Peer to peer file sharing programs like Kazaa are the most common examples of this. These programs can be annoying to some, but most adware developers ensure that the user is aware of the commercial nature of the software they’re installing.

Spyware developers have crossed over on the dark side and ensure their programs are installed surreptitiously in the background. Here’s a quick round up of examples of both:

Kazaa

 

Kazaa and its accompanying hitchhiker programs are the classic examples of Adware. Kazaa itself a good little program for peer to peer file sharing that picked up where Napster left off when the file sharing pioneer went bankrupt.

 

When Kazaa is installed, the default option also installs three other adware applications, from Cydoor, DoubleClick and WhenU. These advertising networks will serve ads based on your country (given when you register Kazaa), browsing habits, search engine keyword searches and other criteria. How do these networks track your user history? A little application sits on your computer, tracks your internet usage and feeds this information back to the ad server. Technically, you agree to this when you install Kazaa (you can read the privacy policy of each company by clicking on the links at the beginning of this paragraph), but it would take a little digging to glean this fact out of the verbose user agreement.

 

Kazaa adamantly denies these applications are spyware, based on the fact that you have the option of not installing the Adware and, even if installed, these applications don’t send personal information such as names and email addresses. Anti spyware vigilantes maintain that Kazaa is splitting hairs.

 

Kazaa was embroiled in a Spyware controversy last year when it was found that a bundled adware application by Brilliant Digital Entertainment also siphoned off the unused computing power of users computers to be used in involved network processing tasks.

 

Bonzi Buddy

 

You’ve probably been introduced to this little purple gorilla through Bonzi’s ever present pop up ad campaign. I have probably turned down installation of the helpful little ape at least 20 times in the past year.

 

First, the good news. Bonzi Buddy brings personality to your desktop, helping you browse, manage downloads, alerting you when you have email, finding better prices while shopping, telling jokes, singing songs, remembering special dates and more. Sounds good, right? Well, Joe the purple ape is the online version of a friendly life insurance sales man. Make no mistake, this primate is bought and paid for by sponsors, and he’ll do his best to come between you and your money at every possible opportunity. What was initially cute and charming quickly becomes annoying, even when he’s not trying to sell you things. To top things off, Joe has a sneaky habit of sending information from your computer out to the Bonzi ad server.

 

Potentially the most troubling aspect of Bonzi Buddy is the lack of a privacy statement or end user license agreement on the Bonzi site. When it comes to spyware culprits, Bonzi Buddy is definitely under suspicion.

 

Gator

 

Like the name implies, behind its helpful exterior, Gator has a lethal bite, both for users and online advertisers.  In its benign form, Gator is a helpful little app that helps you remember all those user names and passwords and stores them in a secure desktop “wallet”.

 

Gator’s dark side is embodied by the bundled adware, Offer Companion. Offer Companion sits on your desktop and monitors your browsing habits to identify your interests. When you hit a site on a topic area that matches the target of one of the advertisers in its database, you’ll be served a related ad, either in a pop up or slide up window. The downside for the user? Again, do you really want a third party monitoring your online activities and firing this information off the advertisers? And for online advertisers, do you really want visitors to your site being bombarded by ads from your competition?

 

At least Gator publishes its privacy policy and license agreements on its site. You can find out more about how Gator works in a previous NetProfit.

 

Comet Cursor

 

You may have found Comet Cursor magically appearing on your computer without your knowledge. Comet Cursor is the little program that turns your cursor into a dog, cat or Homer Simpson when you visit a website. Often, the program is downloaded with the ActiveX controls that are indicated as required when you visit the site. Comet Cursor was being bundled with RealPlayer downloads as well.

 

Again, Comet Cursor monitors online activity and will present advertising offers based on your browsing habits. Comet Cursor is apparently trying to make amends for past trangressions by published a simplified privacy policy on its site.

Is It All Bad?

Is Adware bad? For that matter, is Spyware bad? It seems that there are two fundamental points of contention here that have to be addressed both legally and ethically. The first is the notion of consent, and the second is user privacy.

With the consent question, those railing against spyware and adware maintain that even when consent is obtained, it is often done through the use of verbose, almost incomprehensible user agreements that requires an unreasonable amount of due diligence on the part of the use to understand. While the user’s acceptance of the terms and conditions may put the software producer on high ground legally, is it ethical?

The whole area of online privacy is a black hole that legislative bodies and judicial systems are just beginning to venture into. The fact is, the technical nature of internet browsing allows for the gathering of an astounding amount of information, even without cookies or on board monitoring software. When you add a client side adware program into the equation, the amount of personal information that can be gathered about you and sent out to third parties would make the IRS blush. The one caveat that adware producers usually toss out is that the information isn’t tied to your personal identity. It goes out as generic information. However, this isn’t always the case, and the ability to tie browsing behavior with an IP address or email address is certainly an easy next step.

Orwell may have missed the timing of his forecast by 20 years or so, but 1984’s Big Brother is here. The eerie scene in Minority Report where retinal scanning allows advertisers to tailor ads specifically to each recipient is now a reality online.

Worst Case Scenario

When you take the whole adware concept to the extreme, it opens up a frightening scenario that has already been played out. A firm named Intellitech launched a pop up campaign that directed traffic to their site, KoolKatalog.com, where they were invited to enter their email address into a slot machine type game created in Shockwave. What they didn’t know was that by playing the game, malicious code was actually being downloaded to their computer through a security flaw in an older version of Internet Explorer.

Once downloaded, these files opened a back door to the computer that allowed for private information to be sent back to Intellitech. Technically, this code could have also provided Intellitech access to the infected computers, much as a Trojan Horse virus does.

The whole Intellitech story can be read at Salon.com

Find, Identify and Eliminate

After reading this column, you may be in a cold sweat, wondering if you have a secret security hole on your computer. Sweat not, there’s a quick way to find out. Ad Aware from Lavasoft is a freeware program that will scan your computer and help you uninstall any known adware or spyware programs. I just ran a check on my computer and while I’m very careful about not downloading anything that hints of being spyware, the program did find over 30 tracking cookies placed there by ad serving networks like DoubleClick. While these little identifiers are not spyware, they do make it clear that while you’re online, you’re not nearly as anonymous as you thought.

Note: The whole DoubleClick privacy story from 2000 is another matter, and while it’s not really pertinent to this topic, it does make an interesting read.

Not sure if a program qualifies as adware or spyware? You can check it out at Spychecker.com

Protecting Against Future Invasions

And finally, next time you feel the urge to download a seemingly innocent, helpful little app or new toolbar for your browser, check out the user terms and license carefully. Chances are that this app will come bundled with an electronic snitch that will ferret out all your little secrets and won’t be able to keep its big mouth shut.