https

OptOut Logo
Laying Down the Law to Spyware!
by Steve Gibson, Gibson Research Corporation
The Code of Backchannel Conduct

"You may use my Internet connection, but you must first help
me to understand why you want to use it and how you will use
it, then receive my explicit consent before using it. Then, if I
ever change my mind, you must cease such use and go away."


Spyware Defined:

Silent background use of an Internet "backchannel" connection MUST BE PRECEDED by a complete and truthful disclosure of proposed backchannel usage, followed by the receipt of explicit, informed, consent for such use.

ANY SOFTWARE communicating across the Internet absent these elements is guilty of information theft and is properly and rightfully termed: Spyware.

The temptation to collect personal demographic information is apparently overwhelming. These days everyone seems to want to know who you are. The advertising software companies loudly brag to their advertising customers about how "targeted" the presentation of their advertisements will be.

But, for that to be true, they need to know — and infer — everything about you that they possibly can. If you want to tell them, that's your business. And if you think I'm making a big deal — and a bunch of needless noise — about nothing, although I disagree, I understand and respect your feelings.

As a scientist and a technologist, I worry when temptation and technology are mixed together in the absence of ethics.

We have already witnessed a number of
 abuses of this powerful new technology,
and I believe it is only the beginning.

Therefore, I think that now is the time for us to send a clear and unmistakable message to those companies who are already showing that they lack sufficient respect for our privacy rights. Expressing your displeasure by eMail, directly to these companies and their affiliates, will certainly have an effect.

It is up to us to tell them what
behavior we will not tolerate
.


Why a Code of Backchannel Conduct? (CBC)

The CBC's goals are three fold:

 To protect the consumer's interests by establishing a set of guidelines for the proper, non-exploitive use of the user's Internet backchannel.

 To help earn, encourage, and promote trust in the intentions of companies and software that properly use the Internet backchannel.

 To actively bring scrutiny and public pressure to bear upon non-compliant backchannel usage by encouraging the exposure and comparison of usage policies.

The Articles of the CBC:

Up Front, Full, Plain Language, Disclosure
When first installed and activated, the communicating software components must present a simple, tractable, accessible, bulleted explanation of the software's purpose, intent, and use of the Internet backchannel.

The number one reason for declaring software to be "spyware" is that it sneaks into the user's system and communicates secretly. This is never going to be okay. The sooner the surveillance companies learn the lesson that they must declare their intentions up front, the sooner they're going to have me and the growing community of privacy-concerned computer users off their backs.

 Since the goal is to inform the user, burying this information beneath a mountain of legal mumbo-jumbo, then claiming to have "informed the user", misses the mark. Legal mumbo-jumbo is not informative, it is disinformative. It obscures and intimidates rather than communicates. The goal is to produce a short set of clear statements that the user WILL WANT TO READ rather than dread. It is clear that users want to know how such software plans to use their Internet connection. Not telling them will create significant public-relations problems and will destroy trust.

 It is important to note that responsibility for this may not be passed on to any third party for subsequent finger-pointing. The user-interface dialog presenting this information must be generated and presented by the backchannel-using components so that they assume full responsibility for communicating their intent and receive subsequent consent to enable themselves and proceed.

 The possibility of contact with third party systems and servers, if any, must also be disclosed and explained. Since users now have access to inexpensive or free traffic logging software, they will detect and must be notified of the possibility of connections to third party servers.

 The disclosure should contain a pointer, or link, to the publisher's web site, and that site should contain a prominent link to the publisher's full privacy statement. (see article 4 below)

No Unnecessary Information Gathering
NO INFORMATION other than what is required for achieving the express purpose of the service being offered may be communicated. After collection, that information may not be "retargeted" or reused for any other purpose(s) other than those specified by the first article disclosure. (see above)

 Sneakiness does not pay and will backfire. For example, Conducent Technologies makes a lot of noise about how their software doesn't "transmit" the user's IP address. Yet the user's machine contacts Conducent's servers directly, thus Conducent does indeed know (and I would be very surprised if they didn't record) the user's IP. It wasn't "transmitted" because it didn't need to be. This sort of sneakiness will be detected, disclosed, and advertised for the benefit and protection of the consumer. It will destroy the consumer's trust which is so vital to the success of these potentially worthwhile enterprises.

 As an example of unnecessary information gathering, Conducent Technologies admits to collecting and recording the user's Internet "subnet mask". This has two privacy consequences: It allows Conducent to silently "size" the user's local subnet, roughly determining how many machines are operating there. I submit that this is none of their business and that it is sneaky for them to do this without explaining that they are. Sneaky is bad. When applied in conjunction with the user's IP address, which is secretly gathered upon contact with their server, their collection of the subnet mask allows all Conducent carrying machines to be aggregated by subnet, determining which machines belong within the same network entity. This behavior is sneaky, seems unnecessary for their stated purpose, and causes them to fail this "no unnecessary information gathering" article.

No Insecure Capabilities
Internet connections are subject to, and the active target of, significant abuse. Malicious hackers use our connection to attack us, viruses use it to infect us, and unscrupulous corporations and individuals use it for espionage. Thus, the capabilities of any software that shares our Internet connection must be limited to what is absolutely necessary for the performance of its task. Its presence in our system must not open us to new avenues of attack and invasion.

 An example of substantial insecurity introduced by otherwise well-meaning 3rd party software, is the Aureate/Radiate system's documented ability to secretly download and execute any arbitrary program in the user's machine. This capability is massively dangerous and constitutes a "Trojan Gateway" into the user's system because it can be commandeered and subverted by malicious hackers. There are secure means for accomplishing the same thing, but allowing the secret downloading and execution of arbitrary programs certainly fails this "no insecure capabilities" article.

Formal Online Privacy Statement
The publisher's web site must maintain a formal "Privacy Statement" completely and clearly specifying any and all of the uses to which any collected information will ever be put. It must also explain any secondary inferential applications of the information, if any, and specifically detail the limitations of those applications. In other words, it must, as broadly as possible, state what will never be done with any information collected.

Preemptive Request for Consent
Immediately following the presentation of the systems's intentions (see article 1 above) and before ever employing the user's Internet connection, the software components must obtain explicit permission from the user to enable their future activities. Absent such explicit permission, the system must terminate its installation, remove itself from the system, and inform its hosting program, if any, of the user's refusal.

 As also required by the first CBC article, this responsibility must be accepted autonomously and can not be deferred to the invoking host software, if any.

Removable with Windows Add/Remove Programs
Whether receiving the user's explicit consent to operation within the system or not, the backchannel software must register itself with the Window's Add/Remove Programs facility so that it may be removed at the user's request at any time.

 It is important to note that as with the article 1 presentation of intent, this responsibility may not be delegated to whatever system loaded and installed the backchannel software. It is the explicit responsibility of the backchannel communicating system to provide for its own independent removal.

No Fine Print "Funny Business"
Due to the huge potential for Internet connection abuse, backchannel software and their "fine print licenses" will be actively scrutinized by technically competent, interested, and concerned users. With the general public now informed and empowered to detect and remove any suspicious backchannel software, and with earned trust being the currency required for long term success in any backchannel business model, there is simply no room for any "funny business".

 Playing games — like stating that the user's IP is not being "transmitted" when it is instantly known upon contact — does not engender the trust which will be required for the long term success of backchannel using systems.

 Burying onerous intent deep within a fine print license won't win any friends on this web site. For example, one OptOut user reported that he started paying closer attention to license agreements after receiving OptOut's "wake up call". And it's a good thing he did. Take a look at the license agreement he discovered from Transcom Software Inc. for their "Beeline" automated meta-search program.

I have reproduced the License Agreement in its entirety. I have also added text coloration to help you find significant portions while gaining a sense for the difficulty most users would have in finding or comprehending what this means: Transcom's Fine Print Funny Business

The days of Spyware playing fast and loose
with users' Internet connections are over.
Informed users will now dictate the terms
of continued access to their systems.

The "Known Spyware" page (coming up after the next page) contains a cross reference chart detailing the compliance of all spyware systems known to us within the context of the seven articles of the CBC as presented above.

To continue, please see: Internet Spyware Analyzer

You are invited to browse these pages for additional information:

1  OptOut Homepage 
5  Suspected Spyware 
9  Privacy On The Net 
2  Code Of Conduct 
6  The OptOut Program 
10  GRC Privacy Forums 
3  Spyware Analyzer 
7  OptOut User's Guide 
11  Keeping Informed 
4  Known Spyware 
8  OptOut User's FAQ 
12  GRC Privacy FAQ 

Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: Oct 06, 2003 at 14:29 (3,851.74 days ago)Viewed 9 times per day