Secret agents invade your PC

Phone-home applets in softwares routinely verify with vendors about patches and updates. But they are a backdoor of sort, presenting a security and privacy threat to the user.

When software companies update your computer, are they also stealing information without your permission?

You might not know it, but they're in your PC and on your network, and they're altering your applications. Hell-bent hackers? Viruses? Nope. The digital critters to which we're referring are the increasingly ubiquitous phone-home applets embedded in many applications by some of the biggest and best-known commercial software companies in the world.

Used by Microsoft, Symantec, Intuit, and many other software vendors, phone-home applets verify that users have the latest patches and fixes released by a software vendor. Convenient and simple, these specialised applets, often called update agents (or, more menacingly, spyware), allow unrestricted access to a user's PC. These automated updates can be a great convenience, sparing software users from having to manually seek software fixes and updates.

But at what cost to the consumer? While these vendors are doing their updates, they may be stealing data from your PC.

Customers may not have any sure way of knowing what information update agents retrieve and transmit, so they may be left to rely on vendors' assurances that only necessary update information is collected. If you're a trusting consumer, you may be at risk when sneaky vendors use the back door to surreptitiously extract and analyze information in your computer--your Internet browsing habits or PC configuration.

Though application vendors in every category use auto-updates, game vendors seem to stand out for their stealthy data-collection practices. For example, Verant Interactive, a division of Sony Online Entertainment, was collecting information about additional applications running on users' computers while they were playing its online game EverQuest: The Scars of Velious. Confronted with evidence collected by technically savvy players using network sniffers--and anticipating a flood of angry responses from its customers--Verant changed its policy. "It really woke us up," says Verant's COO, John Smedley. "We have now opted to walk a straighter path."

Similarly, the online game site Battle.net, operated by Blizzard Entertainment, was snooping into players' PCs to retrieve key configuration information, such as players' names, browsers, and e-mail addresses, as well as files from competing gaming Web sites. Like Verant, Blizzard said that it was all a misunderstanding and that the purpose was to improve customer service.

Even if they are not used for secretive data collection, update agents can irritate users. For example, Microsoft Windows Me prompts users to launch the update agent so often that it becomes a distraction. In addition, when the agents misbehave, as did the one in Intuit's QuickBooks, they can really drag down performance: Intuit's agent was designed to run at predefined intervals ranging from once a day to once a week when the computer was connected to the Web. However, a bug in the code caused it to run as often as once an hour.

"This is new stuff," admits Intuit's vice president of technology, Paul English. "We're learning about the problems with it, and we're learning how users perceive it." Intuit's research revealed, not surprisingly, that users want to know what's going on. QuickBooks 2001 includes enhanced disclosure of Intuit's update policies and practices.

"One of the most important aspects of privacy protection is transparency of information collection," says Andrew Shen, a policy analyst with the Electronic Privacy Information Centre (EPIC). "That is, a data collector must tell the customer what information will be collected and how it will be used. Auto-update features and cookies, while convenient, allow companies to collect more info than consumers expect to provide or is necessary to update software."

But what can you do if you don't trust your vendor?

You may not want companies crawling around your system. In that case, security experts advise enterprise administrators to disable auto-updaters. By doing so, users can limit the amount of bandwidth the data exchange consumes, usually without visible notification. More importantly, disabling auto-updaters closes a potential security hole, because most updaters circumvent the system's security.

"Some auto-update applications run natively on Windows 95/98/Me machines, meaning that they run with all the permissions of the user that's currently logged in," says Neal Goldman, director of Internet Computing Strategies at the Yankee Group. "This gives them access to everything on the drive, [because] ActiveX Controls downloaded from Web sites can access forbidden resources like local hard drives."

"Vendors are understandably tempted by the opportunity to look around in a user's computer," says Bob Geiger, president of the computer security firm Info-defense.com. "In the hands of a skilled marketer, the information gathered by auto-update applets is a virtual treasure trove, a marketer's ecstasy."

Geiger views high-speed broadband adoption as a factor that increases security and privacy threats posed by auto-update applets. "I certainly do not rule out the likelihood of some update programs copying a cookie file, browsing the hard drive's directory, or reading Windows' Registry to see what other applications reside on the machine, maybe even to extract the owner's personal and business names," he says. "With cable and DSL connections, these files can be uploaded in one-tenth of a second, well below the event horizon of any user."

Good intentions, bad results

But data collection from a customer's PC by a vendor isn't always tied to some type of privacy violation conspiracy. Sometimes, such violations simply result from coding errors.

Take Macromedia, for example. The company included a feature in its Shockwave multimedia development software that would let users collect and transmit Shockwave-enhanced Web site URLs. Surprisingly, the URLs sometimes included usernames, passwords, and other private information.

Microsoft had to defend itself against similar charges that its Windows 98 operating system and Word and Excel Office programs were tracking users' actions with a stealth technology called Globally Unique Identifiers. The technology could identify the author of a document across the Internet. Microsoft says that the identifier's purpose was to facilitate the tracking of documents' authors and recipients. However, a bug in a Microsoft product registration utility combined with the identifier provided far more information about users' machines than was originally intended. Microsoft and Macromedia acted quickly to eliminate the offending processes--and avoided litigation.

Though no evidence exists that these mistakes are anything more than an irritation or inconvenience, the next incident might have more dire consequences. But according to Info-defense's Geiger, coding errors and unlimited access combined add up to shaky security. Taking this risk is up to you.

You can be sure that most privacy-violating vendors are doing what they can to keep their activities secret. After all, getting caught lifting information from customers' PCs makes for bad publicity and mistrust. Indeed, conventional social wisdom declares that the fear and consequences of getting caught--not principle--is what keeps most people honest. The same thinking applies to software vendors. "It's the kiss of death for the vendor if the public finds out the company was collecting unauthorised information," says Michael Levy, Ph.D., vice president of research and development at NewHeights Software and professor of computer science at the University of Victoria, British Columbia.

Levy lays part of the blame on the digital devices evolution, saying, "PCs were designed well before the connectivity revolution. The reality is that the architects of the hardware and operating systems never considered the fact that everybody's PC will someday be connected to everyone else's."

Though the financial incentives for collecting information may be significant, they might not outweigh the risks. Software vendors who don't fully disclose their intentions face the threat of costly litigation. For example, class-action lawsuits against media-delivery company RealNetworks charge the company with secretly collecting data about users' Internet browsing habits and music preferences.

The sweeping suits charge that the company violated the federal Computer Fraud and Abuse Act, state privacy laws, and consumer protection statutes. The company is also accused of trespassing, invasion of privacy, and unfair competition. Such charges may cost RealNetworks millions of dollars if the plaintiffs are successful. RealNetworks denies the charges, saying that it notified users in the license agreement that it was collecting the information.

Trust me, I'm here to help

Full disclosure and greater user control over the process will eventually result from a combination of economic incentives, FTC enforcement, and the efforts of privacy groups such as TrustE and EPIC. Congressional legislation, such as Senate bill S.R. 3180 (the Spyware Control and Privacy Protection Act), will further help to raise user awareness and lift the concealing veil.

Until then, network administrators have few remedies at their disposal. The most obvious option is to disable the update agents, a process that's sometimes difficult because the code is usually an integral--and concealed--component of the primary application. Another option, touching on costly paranoia, uses a network sniffer to catch data packets entering and leaving the network. One alternative, available to shops with hardware firewalls in place, is to configure rules to trap outbound traffic to specific Web sites. This tactic assumes that administrators know that update agents are running and have the target site's IP address.

Finally, Geiger advises, you have recourse to the one strategy that usually succeeds: "Do business with vendors that have earned your trust, and take them at their word."