Spyware company goes undercover

A controversial spyware developer has disappeared from the Internet after concerns were raised about the methods it used to acquire sensitive information

A US-based spyware developer appears to have taken down its Web site after a storm of bad publicity over its practice of tracking individuals' surfing habits as well as gathering credit card information and other personal data entered online without their knowledge.

The furore over US-based software company VX2 erupted last week when several spyware-watching Web sites highlighted the issue. VX2's Sputnik program is currently incorporated into a free screensaver download for the Internet advertising company Aadcom, and has been used by file-sharing services such as AudioGalaxy.

Spyware is any software that employs a user's Internet connection in the background without their knowledge or consent. The VX2 program uses this model to profile Internet users for commercial gain. Once downloaded, it tracks the Web sites that the user visits, and serves fake pop-up ads that purport to be coming from authentic Web sites. It also admits to collecting personal information on individuals from online forms.

A policy statement on the VX2 Web site attempted to reassure individuals that their sensitive data was handled correctly. The declaration read: "We have undertaken technical measures to make sure that VX2 never collects credit card numbers, account numbers or passwords. If such data were, despite VX2's best efforts, ever inadvertently collected VX2 would immediately purge such information from its database."

But in the wake of the online publicity wave, VX2's Web site appears to have disappeared. Attempts to contact the company have been unsuccessful, so it has not been possible to verify this statement.

The UK Data Protection Act 1998 requires data controllers to be explicit in their handling of customer data, and insists that all information is held for no longer than the necessary billing period. It also provides individuals with the opportunity to opt out of their personal data being compiled.

But US-based spyware companies such as VX2 currently escape the jurisdiction of UK law, which creates huge privacy implications for Internet users here.

"The only thing that the UK government could do -- and there is dispute over whether this should be the Home Office or DTI -- is to warn the public of the dangers. There is nothing much more that can be done," said Peter Sommer, a research fellow in computer security at the London School of Economics. "It could be a complicated vote-winning situation."

The government admits that spyware is "an issue" to be addressed. "We would recommend that it is only used with the consent of the data subject," said a government source. "If this is not gained, it will be a breach of the Data Protection Act."
