
December 20, 2004 4:00 AM PST

ComScore: Spyware or 'researchware'?


(continued from previous page)

recently warned students of potential spyware dangers in Marketscore. "Most people don't really understand all the information that's collected about them on the Internet, and to me it's playing on that."

Spyware is commonly thought of as software that's downloaded onto a PC without clearly disclosing all of its functions or obtaining permission from the computer's owner. It typically slips onto a person's machine unnoticed as a scantily disclosed add-on with other popular applications, such as file-sharing software, or via browser security vulnerabilities.

Spyware denies people reasonable control over the application, for example, the ability to easily uninstall it. And, as its name implies, it typically spies on people while they're surfing the Web. It can collect passwords, bank statements and any manner of personal data, down to the keystroke. In a more benign form, known as adware, such programs can be used to send ads based on people's interests.

"Most people don't really understand all the information that's collected about them on the Internet, and to me it's playing on that."
--Steven Jay Schuster, security director, Cornell University

"Researchware," by contrast, can collect all the same personal information, but it gives people notice, choice, anonymity and control to uninstall the program, according to ComScore's working definition.

Marketscore is a downloadable application that purports to speed up Internet surfing and, in partnership with Symantec, protect e-mail from viruses. In exchange for these services and with the subject's permission, it will track people's Web surfing habits and compile "clickstream" data for research purposes, for example, to extrapolate the most popular Web sites among a sample population.

To compile data, Marketscore redirects Internet traffic through its own servers and decrypts secure data transfers between a PC user and a Web site using Secure Sockets Layer (SSL), the de facto security standard for e-commerce transactions. Doing so, it can collect highly personal information, including bank passwords, health data and credit card numbers.

Because ComScore acts as a proxy server, panelists do not have direct access to the Internet. If Marketscore were to break, for example, users might lose their online connection, or more troubling, be exposed to a potentially damaging security breach. ComScore said it has never had a security breach in its five years of operation.
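What a decrypting proxy of the kind described above looks like from the PC's side, as an added example (not from the article or from ComScore): the proxy has to present its own certificate for every secure site, so one issuer suddenly replaces the certificates of many unrelated hosts. The host names, issuer names, shortened fingerprints and the `min_hosts` threshold are all constructed for illustration.

```python
"""Flag SSL/TLS interception from certificate observations (constructed data)."""
from collections import defaultdict
from typing import NamedTuple


class Observation(NamedTuple):
    host: str         # server name the client asked for
    issuer: str       # issuer name on the leaf certificate it received
    fingerprint: str  # digest of that leaf certificate (shortened here)


# Constructed baseline: leaf fingerprints recorded over a connection
# known not to pass through any proxy.
REFERENCE = {
    "bank.example": "aa11",
    "shop.example": "bb22",
    "mail.example": "cc33",
    "news.example": "dd44",
    "forum.example": "ee55",
}

# Constructed observations taken on the machine being checked.
OBSERVED = [
    Observation("bank.example", "Constructed Proxy CA", "f001"),
    Observation("shop.example", "Constructed Proxy CA", "f002"),
    Observation("mail.example", "Constructed Proxy CA", "f003"),
    Observation("news.example", "Public CA One (constructed)", "dd44"),
    Observation("forum.example", "Public CA Two (constructed)", "9e9e"),
    Observation("wiki.example", "Public CA One (constructed)", "7777"),
]


def classify(observed, reference, min_hosts=3):
    """Return (intercepting, unexplained).

    intercepting: issuer -> hosts, for issuers whose certificates replaced
        the baseline certificate on at least min_hosts different hosts.
        A single issuer replacing the certificates of many unrelated sites
        at once is how a decrypting proxy appears to the client.
    unexplained: hosts whose certificate changed but below the threshold;
        these may be ordinary renewals and need a manual check.
    """
    changed = defaultdict(set)
    for obs in observed:
        expected = reference.get(obs.host)
        if expected is None:
            continue  # no baseline for this host, nothing to compare
        if obs.fingerprint != expected:
            changed[obs.issuer].add(obs.host)

    intercepting, unexplained = {}, []
    for issuer, hosts in changed.items():
        if len(hosts) >= min_hosts:
            intercepting[issuer] = sorted(hosts)
        else:
            unexplained.extend(hosts)
    return intercepting, sorted(unexplained)


def untouched_hosts(observed, reference):
    """Hosts whose certificate still matches the baseline."""
    return sorted(o.host for o in observed
                  if reference.get(o.host) == o.fingerprint)


if __name__ == "__main__":
    intercepting, unexplained = classify(OBSERVED, REFERENCE)
    for issuer, hosts in intercepting.items():
        print(f"likely interception by '{issuer}': {', '.join(hosts)}")
    print("changed, needs manual check:", unexplained)
    print("matches baseline:", untouched_hosts(OBSERVED, REFERENCE))
```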

In fact, ComScore's track record has won the trust of some Internet industry heavyweights that have studied its practices, including America Online.

"The main ComScore panel doesn't constitute spyware," said AOL spokesman Andrew Weinstein. "All the disclosures meet our standards. We're working with ComScore to differentiate their research panels with software, which involves surveys. That might be in a grayer area. But all of their products are fine with us."

Not everyone is comfortable with ComScore's setup, however. Consent aside, security experts said third-party proxies should carry red

It's MY computer
by December 20, 2004 6:27 AM PST
No one has any right whatsoever to install any software for any purpose on my computer without my full and open consent. This does not include hiding the disclosure in some lengthy privacy policy statement. If you don't say in plain and simple terms such as: "We would like to install some software on your system that will ..." you are trespassing and totally unwelcome, plain and simple.
I couldn't agree more...
by December 20, 2004 11:06 AM PST
You are absolutely correct. I hate companies that think because they are offering free access to some service or another that a consumer might find useful that that gives them the right to install any crap they want on my property.

Another one that really bugs me is software companies that do the same thing. No they are always installing what I would consider spyware, but they install button bars and all kinds of other crap when you install their programs and give you no way to either not install it or remove it. Two pet peeves right now are Adobe Acrobat who installs button bars in Microsoft Word with no way of turning them off. The other one is Macromedia FlashPaper 2 which installs a button bar into Microsoft Word as well.

Other companies like Corel install little TSR programs that keep nagging you to register so that they can spam you with crap for the rest of your e-mail address's life.

There needs to be a consumer law that allows us to take back control of our property. Until companies start giving us high end computers and stuff in exchange for this type of crap they need to keep their paws off my property.

Robert
Sometime called spyware??
by December 20, 2004 7:16 AM PST
Well, just to let these companies know... every day I receive calls to FIX computers infected with spyware and adware... Usually computers are in such bad shape they are not usable for Internet at all so people call for help... This "research" costs people a lot of money, most of this crappy software doesn't even function properly... Forget about hackers and crackers, these companies should be prosecuted, fined and jailed as first class criminals... If I was sneaking up on my neighbors window that is what would happen..... Why are these companies allowed to do this?
Is there any law and order or money can buy anything??
Get out of my computer
by sderf December 20, 2004 7:20 AM PST
Will someone please tell me why do these people think they have the right to spy on me. It is none of their business what I do and where I go on my computer. Where did these people grow up, in Russia, China where? If I want people to know things about me, mail me a survey and I will answer their questions if I want them to about me. I am sick and tired of the computer industry thinking they have the right to do anything they want. This needs to stop now.
My Bandwidth, not yours.
by December 20, 2004 7:35 AM PST
I pay money for my bandwidth, I pay money for my computer. If these companies want to reimburse me for all of the bandwidth that they STEAL without my authorization, I'd be fine with it. IF (and that's a big if) they ASKED FOR MY PERMISSION. Anyone who doesn't is stealing from me.
Oh WTF?!?!
by Jonathan December 20, 2004 9:40 AM PST
Give me a ******* break. There really isn't anything overly complicated here. Anything that tricks a user into installing the program or isn't fully spelled out that there is software that is going to be installed and what it does and doesn't have an easy to use uninstall process (e.g. You HAVE to use an anti-adware program to get rid of it.) is ad/spyware. The only people balking at this are the ***holes who make this software. If this was a virus writer and he claimed the right to use a system for a DoS attack because the user clicked on a damn ad on a website he would be laughed at by the entire industry but no this is some special software. I sit here cleaning a person's system of adware and let me tell you that this **** is not benevolent. This isn't just some tool. It's ******* malware plain and simple. In fact I'm going to have to redo his system because it's in such a sorry state that even spybot and adaware can't clean it up. So these companies can cry me a freaking river. I want a law passed that will legally let me assault the maker of whatever adware product I find on my system. Nothing says thank you for your "gift" than a Louisville Slugger to the gut.
A better approach.
by gdmellott December 20, 2004 11:38 AM PST
If research really needs to be done, enough information could be obtained for all to benefit, by having the user's computer hold a Universal ID cookie that does not identify the person using the machine, and having the web sites provide any legitimate information to the researchers.

As far as security goes, I would like to see a BIOS on computers that uses a 'natural flow' file to determine if the process desired to be executed is valid for the program. It would require the system administering user to assent to any new installation and should note, in their native tongue, what the files or directories are used for, that the new program wants to access.


Sincerely,

Gregory D. MELLOTT
It's simple
by December 20, 2004 1:07 PM PST
If your research requires you running a process on MY PC, it's intrusive, period.

Such intrusions should be treated exactly the same as trespassing.
I call it spyware
by MythicalMe December 20, 2004 1:17 PM PST
If it installs without my knowledge and it is gathering information then it is spyware. If you want to stop being spyware, when the program installs, throw up a splash screen with the stated purpose, operation and ability to cancel installation.

Any software which installs in any less of a forthright manner, such as behind a long "terms of use" disclaimer, is using tactics which steal from me. It is my computer time, my internet connection and my resources which are being used without my consent. That's theft.

Spam, spyware, adware is all theft as far as I am concerned. Perhaps if these companies that use these tactics were prosecuted for theft there would be less of it happening.
You missed the point.
by December 20, 2004 1:31 PM PST
The point here is that ComScore is a completely legitimate company and their software is 100% invited on to users' computers, why should it be called "spyware"? Comscore is a top notch company used by CNet and AOL. It serves a very important role in our use of the internet. It is a travesty that their company has to even be mentioned in the same sentence as the term "spyware". Let's face it folks, "spyware" is a term used to create hype and fear on the internet so lots of anti-spyware software can be sold. Let's not take the sins of a few bad companies that were not invited onto our computers and start bringing down the good ones. It is clear to me that the term "spyware" needs to be replaced with some other more objective way of communicating the privacy concerns related to software. It is very important for consumers to know what Comscore software does, but that does not mean we need to defame the good company's name. I think people sometimes get so caught up in the spyware hype that they forget that there is another side to this coin and that anti-spyware companies have the power to decide for us what will and will not be allowed on our computers. As consumers we need to make sure we understand the criteria they apply when they make these decisions and we need to make sure this is fair, too.
Have to read any EULA's lately?
by Tex Murphy PI December 20, 2004 4:34 PM PST
Spyware has a broader meaning than you realize - it refers to software that monitors your actions, and is difficult to detect, let alone remove.

Most spyware programs are willingly installed on a target PC because most users just aren't willing to sit down and spend thirty minutes reading the End User Licensing Agreements (usually done in fine print, with any references to data collections deeply buried under a mountain of legalese mumbo-jumbo).

These spyware programs are no more "RESEARCH" programs than government sanctioned wire-taps, or Echelon data collections.

Nice try, but your logic just doesn't make sense - whichever way you would like to spin it.
I think YOU missed the point
by fredmenace December 20, 2004 6:28 PM PST
Plenty of spammers, adware and spyware companies (not to mention annoying pop-up advertisements, etc.) have been employed by otherwise well-known companies. That doesn't make what they're doing right, it just means their customers are either ignorant of how they operate, or don't care because it's technically legal, and millions of people haven't raised an uproar. Once the activity is illegal and/or many people have become aware of it and started complaining, they'll stop using these "services".

You say that it's being done with the users' consent, but I'll bet you just about anything that at least 1.4 million out of the 1.5 million users of these infected PCs have NO IDEA that their internet activity is being spied on.

This program perfectly fits the description of the worst kinds of spyware in every detail. There is no point in trying to claim it is somehow legitimate.
No, you miss the point
by December 22, 2004 11:31 PM PST
Any time you "consent" to use a proxy server that collects private information at all, it's spyware. I wonder how many people who have given their consent realize that their credit card and banking information is gathered (whether it's scrubbed or not). When I go to my bank's website, I need to know that NO ONE is gathering my information other than my bank. I would never consent to use of a proxy server to track that information or any other transaction involving my personal information.

Gathering information on trends wrt to surfing habits is one thing. Collecting private information is something quite different.

The problem is that most computer users don't realize what they are agreeing to and have no clue what a proxy server is or how it can be used. That's where clear disclosure is necessary. I don't care how "top notch" a company is if they are redirecting users through their own server. That's as bad as or worse than MSFT's Passport.
TRUSTWARE
by hadaso December 20, 2004 2:49 PM PST
TRUSTWARE - that's what ComScore wants to be!

What they claim is that people downloaded the program knowing what it does - mining data and sending it somewhere, and those people trusted them when agreeing to the installation. This is not the same as something a user got infected with while trying to install something else for a different purpose.

I think it was about 4 years ago that I installed my first adware-supported "freeware". I liked the idea back then: the ads were not intrusive (they were only shown when I was using an app that didn't need even 10% of the screen, and disappeared with the app as soon as it lost focus). Then later I found that I have three or four different ad-serving programs on my system, that came with things like pkzip and other shareware. One of them was shared by more than one ad-supported app, and what annoyed me was not that they are trying to use my data, but that I have way too many of them installed and using resources. Why can't they use just one ad-serving engine? Then started all the public ranting about spyware spying on you, and it all added up:

I think the model of paying for a software license by being served targeted ads is a good idea. It is just not implemented correctly. It should be TRUSTWARE and not SPYWARE! There should be one ad-serving program on a user's system, and it should be the user's choice which ad-serving program it is. The user would choose an ad-serving service the user trusts for doing the ad-serving. Ad-supported software downloads would not have bundled spyware. Instead it would look in the system to see what ad-serving software exists, and would negotiate with this ad-server. If there is no compatible ad-server on the user's system, the ad-supported app would inform the user that a compatible ad-serving program should be installed and running before the app can be used.

For this to work there should be a standard open protocol for ad-servers to negotiate with ad-clients (ad-supported apps) and for them to serve ads to the client, and also to pay the vendor of the ad-client for displaying the ads in their app.

The point is that this way the user doesn't get unwanted software sneaked into her system. Instead she gets ads from a source she trusts, and this way perhaps she is willing to share much more info with this trusted source, which can result in much better targeted ads, which serve her better and earns more money for the advertisers.

Of course there are lots of security issues to be solved for this to work. On the other hand there is potential in this model beyond just serving ads. It's really about different software components in a single computer negotiating and transferring real value between them, so it's a sort of micro-payments system working inside a single PC, and when aggregated over many users on many PCs resulting in real money being transferred between the user's chosen ad-server vendors and the ad-client vendors.
It is spyware
by December 20, 2004 3:17 PM PST
Euphemisms to delude the victims or the purveyors? Either way it is an unwanted intrusion and most users would refuse if given a choice in the matter. Otherwise, why do the data miners need to do this in a stealthy manner? Do not even try to defend their actions in any manner.

- If the end user does not want to participate then any spying is just that.
- If the tracking must be done by imbedding code into the user's computer, it is a blatant intrusion, a trespass.
- It does slow down PC's and I have seen it interfere visibly with browser operations and ultimately corrupt drive data on a PC virus checked daily.
- It is also a violation of trust by those who do so without permission or clear ability to opt out.

Just call it for what it is. Rape Derived Data.
Story author has been hoodwinked
by fredmenace December 20, 2004 7:02 PM PST
This article read as trying to be very "balanced" to the point of being apologetic of an unsavory activity, when in reality it appears the author was taken in by a disreputable spyware company just because it has lots of large clients, and the author was maneuvered into telling this company's side of the story. (I've seen the legitimacy claims of spammers covered in other stories, but usually with skepticism, rather than with such blind acceptance.)

Until the big uproar occurred over the last couple of years, many major corporations used the services of the worst spammers, and the same corporations continue to push annoying pop-up ads that people complain about and try to block.

Until the activity in question is clearly illegal, or until a sufficient number of customers become aware of it and start complaining (to the point it would be bad PR for a company to be associated with it), companies will continue to use these services. Spam and pop-up ads are cheap and effective. So is spyware-derived research. Until there were sufficient complaints and laws targeting it, customers of spam services claimed there was nothing wrong with it. This doesn't make it desirable or something we should just accept as OK.

Awareness of spyware and adware is just lagging behind that of more in-your-face intrusions like spam and pop-up ads, mainly because it IS so invisible (which makes it all the more troubling).

In fact, this kind of spyware is far more potentially damaging than standard pop-up ads and spam, if less immediately annoying. We should not just "trust" some company to know all of our passwords, bank account logins, personal activities, everything we buy, everything we read, every site we visit, every personal email and chat message we send, etc. Any such software would need an extraordinary level of awareness and acceptance on the part of the user, not just clicking past some fine print in an EULA, and any personally-identifying information should be stripped fully before the data ever leaves the computer. The user should also be able to see the data that will be transmitted before it is sent, and have the ability to prevent its transmission if it tells more than they want to.

Going through a proxy is a REALLY REALLY bad idea. At the least, there should be suitable warnings each time someone logs into the computer or goes onto the internet that this is occurring (if a proxy IS used, all web pages should be in a frame which clearly explains what is happening, what data is being collected and by whom, and giving the easy option to bypass it at any time, and similar warnings should display any time email, news, ftp, or other internet activity occurs).

Of the 1.5 million claimed users of this software, I bet at least 1.4 million would be surprised (and probably angered) to discover that their online activities were being monitored in any way.

There is nothing distinguishing this company from any other disreputable spyware company. No new category is needed here, except for "illegal".
Another point
by fredmenace December 20, 2004 7:05 PM PST
In addition to getting the consent of the owner of the computer, it would seem each and every user who accesses the internet from that computer needs to be made aware of this data collection and give explicit consent to it. I am positive that this isn't happening.
Research Project For The Federal Trade Commission
by December 20, 2004 9:07 PM PST
As a marketing research professional this article raises some interesting ethical questions and what boundaries a reputable research firm should adhere to and where some type of government regulation may be required. It also raises some interesting questions on the ethics of the firms who buy and utilize this type of research.

First class research firms such as Nielsen adhere to strict ethical standards. I can't imagine Nielsen conducting a focus group or other type of research where they write down the social security number and credit card numbers of the participants involved. And I certainly think that Nielsen's research participants would know why, when and where they were being questioned or observed.

To say that MarketScore's type of research is ethical or OK because companies like AOL use it is a weak argument. To label their software as "Researchware" does not change the type of methods they employ.

I have an idea for a survey that the Federal Trade Commission might want to conduct with Comscore's "panelists". Since they know who the users are, it should be easy to pull a sample of MarketScore panelists.

Q1) Are you familiar with ComScore, MarketScore or JDCouncil.org ?

Q2) Is the MarketScore software program currently installed on your computer ?

Q3) Is the MarketScore software program currently running on your computer ?

Q4) Do you know that you agreed to have Comscore capture your personal information such as credit card numbers, bank passwords, social security numbers and other private information ?

Q5) Did you read the End User License Agreement prior to installing the MarketScore software?

Q6) Did you understand the End User License Agreement prior to installing the MarketScore software?

Q7) Do you know how to de-activate or uninstall the MarketScore software ?

Q8) Did you receive any remuneration or consideration for installing the MarketScore software ?

Q9) Do you want your personal information such as credit card numbers, bank passwords, social security numbers, and internet purchases recorded and tracked by MarketScore?

Q10) Do you want the MarketScore software installed and running on your computer?

Q11) Would you like to receive a short, easy to understand confirmation from MarketScore that would REQUIRE YOU TO CONFIRM that you would like to continue as a panelist?

Q12) If your personal information were to "leak out" as a result of your use of the MarketScore software and cause you personal harm such as identity or credit card theft do you understand what liability MarketScore has to you?

I don't think that full disclosure equates to fine print. The mortgage loan industry used to bury its disclosures in fine print. Now there are separate forms in large print and easy to understand language in loan documents. Government intervention was required to at least make an attempt to insure that people knew what they were getting into.

For now I applaud Webroot's and the universities mentioned stance on classifying this program as "Spyware". Until MarketScore can prove that its panelists truly understand and agree to having this software installed and running on their computers, the panelists should have the option of this program being flagged as Spyware.
Precisely!
by fredmenace December 21, 2004 6:16 PM PST
This is exactly correct: people may be willing to receive advertising or have their behavior monitored IF it is to a reasonable extent, they are fully aware of it, they get something in return, and THEY decide it is worthwhile. This is how most legitimate market research is done. Spyware and adware are part of the "we can do it cheaper because we can get away with things that we couldn't in the real world" philosophy of the internet. Sometimes this is true, and not a problem. But, like spam and file sharing, adware and spyware should be required to conform to the standards these practices would demand in the real world.
spyware
by December 20, 2004 10:30 PM PST
How can anyone suggest that there is any legitimate reason to put software on my personal computer? How can anyone find legitimacy in gathering information about me? Next, they will want to put microphones in my house. It is unconstitutional.
I don't care what they call it
by sderf December 21, 2004 7:25 AM PST
I don't care what they call it I still don't want anybody following me around without my permission.
If you need information ask.
Spyware by any other name is still spyware
by albrown December 21, 2004 8:44 AM PST
No matter how you spin it it's still wrong and anyone doing it should be fined, jailed or worse.

Intrusion without permission in the name of science is still intrusion. If I wanted to be part of a study group for these thieves then I'd sign up.
Place this data gathering on the server side
by jminniha December 22, 2004 6:18 AM PST
Data should be gathered at the ecommerce site's servers...these data gathering companies should be trading their data gathering software installs with free/discounted data gathered from their partners. As such spyware data miners would not need to be installed on each PC client.
Just worried about the free internet.....
by December 22, 2004 10:17 AM PST
I am not a spyware vendor..I am just a concerned consumer who has been watching this for quite a while, and now that big players are in the game I can see that control and power will be in few people's hands.

I will say it again...the anti-spyware makers have a huge amount of power. They recommend what they think is good software and bad software. They have the power to remove "bad" software. This is all well and good if anti-spyware makers were all kind and benevolent, but they obviously want to make money too. The wheels can be greased. If the anti-spyware company has a large enough distribution, they can put out a software or definition update and kill another program in no time at all.

A good example is the tie between Alluria and WhenU. One could argue there is a little bit of a conflict of interest there:) In fact most of what I have seen is companies that do not want to be viewed as spyware have a tactic of teaming with an anti-spyware maker to get them on their side. This gets to the heart of my fears about this.

On the other hand I do think Privacy Protection Software is a good idea and that it is good for everyone if there are good rules. I think the P3P is a good example of how we can better inform consumers about privacy. This Privacy Protection Software may even be able to hit a web site's P3P policy and convey that in clear English for folks. Anyhow, I would like to see criteria like the following:

1) Objectivity - There needs to be a clear list of criteria by which software privacy will be measured. (the term spyware needs to go away because it is not objective, it is just hype). Actual research needs to be done on the software and that research needs to be documented against the list of criteria. GIANT/Microsoft actually has a decent list of criteria, but maybe there needs to be an independent organization that sets the criteria?

2) Transparency - Both the consumer and the developer of the software applications need to have 100% disclosure of what the scoring criteria is for their application. This promotes having legitimate companies that are "in a gray area" to improve their practices and prevents anti-spyware makers from choosing how they want to apply their definitions to different vendors.

3) Fairness: ALL software must be treated and analyzed equally. i.e. the spyware companies cannot decide to include one piece of software and not another. All software has privacy concerns even if it is purchased by a consumer or used by an IT organization. For example, we use RAdmin here at work. By NO means is it spyware in the hyped sense of the word, but it could definitely be used to monitor what a person does on their computer and people have a right to know its capabilities.

Anyhow, just throwing out some thoughts. I think these are issues that are out there, but not too many consumers seem to be afraid of who we are giving power to. They hate spyware and any company that helps get rid of it is good in their books...Let's just not forget that the biggest reason anti-spyware companies are getting into this area is to make money and things can get out of hand if we let it.

Hopefully this will cause someone to think about this more..
Ok
by volterwd December 28, 2004 9:29 PM PST
so i will stab someone and call it 'surgery', but hey... a piece of SHI* by any other name still stinks
Big Brother by any other name....
by December 29, 2004 6:36 PM PST
It is no more acceptable by ANY company whether for marketing purposes or whatever. It is still an invasion of our privacy to install anything unknowingly on our computers. If the Government did it (who knows) we would not stand for it. It slows down our machines and causes bandwidth to be used. I believe it to be worse than spam, since spam does not invade our systems, just fills our email boxes. (Spam does suck though)