Banner 'bug' sucks data through the Web

Advertising banners produced by US software firm Conducent gather computer and network information by using a stealth application buried within the freeware program according to security newsletter, The Risk Digest.

Bill Royds, contributor to the Digest, discovered that the advertising application provided by Conducent for freeWare Windows applications such as PKZIP collects details about a user's computer and sends it back to Conducent's headquarters when a computer is connected to the Internet.

Royds says the information includes data on the applications running on a machine, as well as its IP address and information about the network it is connected to.

As an example, Royds says PKZIP gathers network IP addresses as well as information on NetBIOS. He claims it can also gather user names. Royds points out that that this could potentially compromise security by revealing IP network status information. "This is very similar to the Trojan horses that worry people so much. If someone was able to intercept these transmissions they could determine internal network and personal information about a user. Many users would not install these programs if they realised the nature of how the advertising works."

Royds did intercept that IP information and forwarded it to ZDNet UK News.

Conducent says there is nothing to worry about. A spokeswoman for Conducent says computer users are always made aware of the personal information they are providing before installation and claims Conducent does little more than gather IP addresses. "All the Conducent freeware is duly noted as such when installation occurs. It is up to the user to take the time to read the installation notes wherein the advertising-supported version of the software is explained comprehensively."

The speokeswoman criticises Royd's concerns as excessive. "Calling Conducent technology a Trojan, or a virus, assumes we're sending files -- or extracting information -- without the user's permission. We are not forcing free, ad-supported software on users. They are choosing to download it of their own volition, and as they so, information about their selection is contained in the installation notes."

According to Robin Bynoe of Charles Russell solicitors, gathering IP addresses as well as user names may well contravene European data protection regulations as Royd notes. However Conducent distributes software via the Internet and has no offices in the UK meaning that if a British customer had a complaint there would be little chance recourse. Says Bynoe, "If they are located in the US and are holding information in the US this comes outside the scope of UK law. If they are simply collecting a bank of IP adresses, this may not be a breach of the data protection act."

Is it acceptable for a company to gather such information?

Would you carry on using that software if you were aware of its activities?

Tell the new Mailroom

They can see you... Read about how and why in Surveillance , a ZDNet News Special