Jusletter IT

Waiving our rights: In the end user license agreement

  • Author: Zahraddeen Gwarzo
  • Category: Short Articles
  • Region: Jordan
  • Field of law: IP Law
  • Collection: Conference proceedings IRIS 2012
  • Citation: Zahraddeen Gwarzo, Waiving our rights: In the end user license agreement, in: Jusletter IT 29 February 2012
This paper takes a fresh look at the contents of end user license agreements (EULAs) and at how users are induced to waive their rights by accepting them. It examines the types of spyware and possible ways of detecting, in the EULA itself, the misleading language that signals the presence of spyware. The paper discusses some common legitimate programs that secretly carry spyware and install it on the victim’s computer alongside the legitimate program. A number of programs for detecting and destroying spyware that has already been installed on end user computers are also discussed.

Contents

  • 1. Introduction
  • 2. What is Spyware?
  • 2.1. Classifications of Spyware
  • 2.2. Motives Behind Using Spyware
  • 3. Evidence of Spyware Presence in EULAs
  • 3.1. Evidence 1
  • 3.2. Evidence 2
  • 4. Spyware Detection
  • 4.1. Detecting Spyware from the EULAs
  • 4.2. Detecting Spyware during Installation
  • 5. Discussion and Future Work
  • 6. Conclusion

1. Introduction

[1]
Computer users face a new and growing threat to their security and privacy. It reaches the victim’s computer indirectly, in the form of monitoring programs that are installed secretly and easily, and whose distributors are probably not liable to prosecution. There may even be legal consequences for the victim if he or she is caught and prosecuted for removing spyware whose installation was “allowed” by the license. These monitoring applications, or spyware, are designed to record a user’s computer usage and behaviour and transmit it to third parties. Some end user license agreements (EULAs), which accompany software of every kind, carry dangerous clauses buried among thousands of words that are time consuming to read, and whose true meaning is hard for most users to grasp because of the heavy use of legal terms. Such EULAs allow the software to install spyware on the user’s computer secretly and without legal liability. This paper focuses on the contents of EULAs and on how computer users waive their rights by accepting them. It also takes a closer look at spyware, its types, their run-time behaviour and their impact on computer users, and at possible ways of detecting the misleading sentences in EULAs that disclose the presence of spyware. Measures for detecting and destroying spyware that has already been installed, or is about to be installed, on end user computers using a number of programs are reviewed. Finally, the paper discusses some common legitimate programs that secretly carry spyware and install it on the victim’s machine together with the legitimate program.

2. What is Spyware?

[2]
Spyware is the name given to the class of software that is secretly installed on a user’s computer, monitors the user’s activity, and reports back to a third party on that behaviour.1 Spyware often finds its way onto a user’s computer covertly, i.e. bundled with what appears to be a legitimate program. People are typically exposed to spyware as a result of their own behaviour, and because operating systems are designed to hide information about background system activity, spyware finds it easy to operate unnoticed.

2.1. Classifications of Spyware

[3]
Adware. Applications that are characterized as Adware perform a range of functions. They monitor user web browsing activity and send targeted advertisements to the user desktop based on that browsing activity.
[4]
Key Loggers. Key loggers are designed to capture covertly every keystroke entered on a user’s keyboard. Some key loggers are marketed as legitimate tools for tracking employees or family members2, but despite the putative legitimacy of some of them, this form of spyware remains a highly prevalent and threatening member of the genre.
[5]
Trojan Horses. Trojan horse attacks, or simply “Trojans”, involve installing, through covert channels such as e-mail spam, programs that can be contacted by outside computers and that give those computers control over the host. The characteristic label for this class of spyware is “RAT”3. Their threats range from common dialler programs designed to make user modems incur expensive “900-number” toll charges, to more nefarious remote administration tools such as Back Orifice or SubSeven, which install themselves as backdoors on Microsoft Windows and give outside users the ability to capture screen displays and keyboard input, or actually to take control of the remote computer.4 This is clearly malicious.
[6]
Cookies and Web bugs. A cookie is a small text string (often no more than an ID number) that a web server sends to a browser. The browser stores the text, typically on the user’s hard drive, and sends it back to the web server at a later time.5 Web browsers first supported cookies in 1995. They were initially developed to give users a way of revisiting sites without having to identify themselves and their preferences each time.6 Web bugs are invisible images (graphics) embedded in pages or e-mail messages and designed to monitor who is reading the page or message. More generally, a web bug is any HTML element that is intended to go unnoticed by users and is present at least partly for surveillance purposes.7
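As an added example (not code from the article or from any tool it cites), the following Python script turns the definition above into a detector: it parses an HTML page or e-mail body and flags img elements that are tiny or hidden, that point at a host other than the document’s own, or that carry identifier-like query parameters. The heuristics, the hypothetical `first_party` parameter and the sample e-mail are all constructed for this illustration.

```python
"""Heuristic web-bug (tracking pixel) detector for HTML pages and e-mail bodies.

Added illustrative example for this article; not the paper's or any
product's code. The heuristics and the sample e-mail below are constructed
for illustration, and `first_party` is a hypothetical parameter naming the
host the document itself came from.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query-string keys that usually carry a per-recipient or per-visitor identifier.
ID_HINTS = ("id", "uid", "email", "token", "ref", "cid")


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _style_declarations(style):
    """Parse 'a: b; c: d' into a dict with lower-cased keys and values."""
    decls = {}
    for part in style.lower().split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            decls[key.strip()] = value.strip()
    return decls


def is_tiny_or_hidden(attrs):
    """True if the image is at most 1x1 pixel or hidden by inline CSS."""
    width = attrs.get("width", "").strip().rstrip("px")
    height = attrs.get("height", "").strip().rstrip("px")
    if width.isdigit() and height.isdigit() and int(width) <= 1 and int(height) <= 1:
        return True
    css = _style_declarations(attrs.get("style", ""))
    if css.get("display") == "none" or css.get("visibility") == "hidden":
        return True
    return css.get("width") in ("0", "0px", "1px") and css.get("height") in ("0", "0px", "1px")


def find_web_bugs(html, first_party):
    """Return findings for <img> tags that look like web bugs.

    An image is reported when it is tiny/hidden or carries an identifier in its
    query string; a visible image without identifiers is ordinary content even
    if it is hosted elsewhere. Each finding lists the reasons it was flagged.
    """
    collector = _ImgCollector()
    collector.feed(html)
    first_party = first_party.lower()
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        url = urlparse(src)
        host = url.hostname or ""
        reasons = []
        tiny = is_tiny_or_hidden(attrs)
        if tiny:
            reasons.append("tiny or hidden image")
        if host and host != first_party and not host.endswith("." + first_party):
            reasons.append("third-party host " + host)
        identifiers = {
            key: values[0]
            for key, values in parse_qs(url.query).items()
            if any(hint in key.lower() for hint in ID_HINTS)
        }
        if identifiers:
            reasons.append("identifier in query string")
        if tiny or identifiers:
            findings.append({"src": src, "reasons": reasons, "identifiers": identifiers})
    return findings


# Constructed sample: a registration e-mail with a logo and two tracking images.
SAMPLE_EMAIL = """
<html><body>
<p>Thanks for registering!</p>
<img src="https://www.example.com/images/logo.png" width="200" height="60">
<img src="https://track.adnet.example/pixel.gif?uid=4f2a9c&campaign=spring" width="1" height="1">
<img src="https://www.example.com/open.gif?email=alice%40example.org" style="display:none; width:0; height:0">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_EMAIL, "example.com"):
        print(finding["src"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the sample, the logo passes while both the 1x1 third-party pixel and the hidden first-party open.gif (which carries the recipient’s address) are reported; the second case shows why a first-party host alone is no reassurance.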
[7]
Browser hijackers. Hijackers attempt to change a user’s web browser settings to modify their start page, search functionality, or other browser settings.
[8]
Malware. Malware, as the name implies, refers to a variety of malicious software, including viruses, worms, Trojan horses and rootkits.

2.2. Motives Behind Using Spyware

[9]
Some spyware can be used legitimately, but most of the time the use of spyware is not only illegitimate but unethical. Parents and managers can use keystroke loggers to monitor the internet behaviour of those they are responsible for.8 However, it is a short step from monitoring the internet use of a minor or an employee to impersonally hacking a user’s computer to record keystrokes that contain passwords and credit card numbers. Businesses certainly cannot be faulted for wanting the best return on their online promotional dollar, but even though there are legitimate business models that depend on remote monitoring, the majority of spy threats faced by users have little or no legal basis. As an example, the Google Toolbar™ can be installed with a reporting function that lets Google use your browsing and search behaviour to tailor its services to you. Many companies use reporting software in a similar way, though few are as forthcoming about it as Google.9
[10]
Commercial Uses. A primary legitimate business use of spyware is marketing segmentation and audience targeting.10 Businesses are increasingly making use of spyware to gather valuable customer data as part of their mission.11
[11]
Backchannel Updates and Forced Registrations. Some businesses use spyware-like applications for legitimate purposes, such as placing an active agent on customer computers to check for upgrades and to promote new software features.12 Operating system updates (Microsoft’s and others’), compulsory registrations (such as Red Hat Linux’s), and anti-virus and anti-spyware updates, among others, are not just legitimate but necessary: they deliver patches that correct security holes and, in the case of security applications, update signature databases as new threats emerge.
[12]
Malicious Uses. It is feared that hackers already employ spyware for many purposes and are likely to do so more often in the future.13 Some hackers use Trojans as a means of creating botnets14 for Distributed Denial of Service (DDoS) attacks15. Others use the same means to build a network of computers for delivering spam to unintended e-mail recipients. Hackers may also use keystroke logging software to capture personal information such as passwords and credit card numbers, which they may then use themselves for identity theft or sell or trade to others.

3. Evidence of Spyware Presence in EULAs

3.1. Evidence 1

[13]
Rock, Paper, Shotgun, a PC gaming website16, recently alerted computer users to the presence of spyware in PC games distributed through Origin17. The consent to collection and use of data in Origin’s EULA reads as follows:

“You agree that EA may collect, use, store and transmit technical and related information that identifies your computer (including the Internet Protocol Address), operating system, Application usage (including but not limited to successful installation and/or removal), software, software usage and peripheral hardware, that may be gathered periodically to facilitate the provision of software updates, dynamically served content, product support and other services to you, including online services. EA may also use this information combined with personal information for marketing purposes and to improve our products and services. We may also share that data with our third party service providers in a form that does not personally identify you. IF YOU DO NOT WANT EA TO COLLECT, USE, STORE, TRANSMIT OR DISPLAY THE DATA DESCRIBED IN THIS SECTION, PLEASE DO NOT INSTALL OR USE THE APPLICATION. This and all other data provided to EA and/or collected by EA in connection with your installation and use of this Application is collected, used, stored and transmitted in accordance with EA’s Privacy Policy located at www.ea.com. To the extent that anything in this section conflicts with the terms of EA’s Privacy Policy, the terms of the Privacy Policy shall control”.18

[14]
Although Origin has since decided to modify the EULA in question19 following outrage from its customers, the clause above is a good example of how Origin and many other legitimate software developers bundle spyware with their products.

3.2. Evidence 2

[15]
US-CERT reported that the IT department of a major university noticed many users on its network running a worrying piece of software packaged as a tool for speeding up internet downloads and protecting e-mail from viruses. Bundled with it, however, was adware20 that collected sensitive information about the users, including information from encrypted Secure Sockets Layer (SSL) sessions (a method of securing information exchanged over the internet)21. The EULA for this software included the following:

“…[this software] monitors all of your Internet behaviour, including both the normal web browsing you perform, and also the activity you may have through secure sessions, such as when filling a shopping basket or filling out an application form that may contain personal financial and health information”22

[16]
Peer-to-peer applications such as Kazaa, iMesh, Morpheus and BearShare have long been shown to bundle spyware with their applications and networks; see the paper titled “Investigating Spyware on the Internet” and the similar paper “Investigating Spyware in Peer-to-Peer Tools”.23 The authors’ work showed the effectiveness of the Ad-Aware tool in detecting many instances of spyware in the peer-to-peer applications mentioned above.

4. Spyware Detection

[17]
Removing spyware that has been successfully installed on a computer has proven to be challenging. The best way to protect computers from spyware is therefore to detect it in the EULA and/or during installation.

4.1. Detecting Spyware from the EULAs

[18]
License Analyzer24 is a web-based tool that helps users detect, or at least suspect, the presence of spyware from a EULA. License Analyzer matches the EULA against its database of keywords that typically signify spyware and flags them. It also rates the complexity of the language used in the EULA and the likelihood that spyware is present, displaying the relevant statistics. The user pastes the EULA in question into the analyzer’s web form and clicks a button to start the analysis; within seconds or minutes a breakdown of the analysis is displayed. License Analyzer is to date a beta release25, but it is a good tool for detecting the presence of spyware in EULAs.
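As an added example, and not the License Analyzer’s own code or keyword database, the following Python script reproduces the idea: a handful of regular-expression patterns, each with a weight chosen for this illustration, are matched against the EULA text, and a readability figure (an approximate Gunning fog index computed with a rough vowel-group syllable count) is reported alongside the verdict. The sample input is the opening of the EA clause quoted in Evidence 1; the patterns, weights and thresholds are assumptions.

```python
"""Keyword-and-readability screen for an EULA, in the spirit of the web-based
License Analyzer described in the article.

Added illustrative example; the patterns, weights, thresholds and the
approximate fog index are this example's own, not the tool's database.
"""
import re

# (label, pattern, weight): phrases that typically signal data collection or
# monitoring. Weights and thresholds are assumptions made for this example.
INDICATORS = [
    ("collects information", r"\b(collect|gather)\w*\b[^.]{0,80}?\b(information|data)\b", 2),
    ("monitors activity", r"\b(monitor|track|record)\w*\b[^.]{0,60}?\b(usage|behaviou?r|activity|browsing)\b", 3),
    ("transmits data off the machine", r"\btransmit\w*\b", 2),
    ("shares with third parties", r"\bthird[ -]part(y|ies)\b", 3),
    ("uses data for marketing", r"\bmarketing\b", 2),
    ("reads secure sessions", r"\bsecure sessions?\b", 4),
    ("only opt-out is not installing", r"\bdo not install\b", 1),
]
SUSPECT_THRESHOLD = 6   # score at or above which the EULA is reported as suspect
REVIEW_THRESHOLD = 3    # score at or above which a human should read it closely


def find_indicators(text):
    """Return (label, matched text, weight) for each indicator found, once per indicator."""
    found = []
    for label, pattern, weight in INDICATORS:
        match = re.search(pattern, text, re.IGNORECASE)
        if match:
            found.append((label, match.group(0), weight))
    return found


def _syllables(word):
    """Rough syllable count: vowel groups, minus a silent trailing 'e'."""
    groups = len(re.findall(r"[aeiouy]+", word.lower()))
    if word.lower().endswith("e") and groups > 1:
        groups -= 1
    return max(groups, 1)


def readability(text):
    """Sentence/word statistics and an approximate Gunning fog index."""
    sentences = [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]
    words = re.findall(r"[A-Za-z']+", text)
    complex_words = [w for w in words if _syllables(w) >= 3]
    words_per_sentence = len(words) / max(len(sentences), 1)
    complex_ratio = len(complex_words) / max(len(words), 1)
    return {
        "sentences": len(sentences),
        "words": len(words),
        "words_per_sentence": round(words_per_sentence, 1),
        "fog_index": round(0.4 * (words_per_sentence + 100 * complex_ratio), 1),
    }


def analyze(text):
    """Combine the indicator score and readability into one report."""
    indicators = find_indicators(text)
    score = sum(weight for _, _, weight in indicators)
    if score >= SUSPECT_THRESHOLD:
        verdict = "suspect: language typical of spyware EULAs"
    elif score >= REVIEW_THRESHOLD:
        verdict = "review: some data-collection language"
    else:
        verdict = "no spyware indicators matched"
    return {"score": score, "verdict": verdict,
            "indicators": indicators, "readability": readability(text)}


# Sample input: the opening sentences of the EA clause quoted in Evidence 1.
EVIDENCE_1 = (
    "You agree that EA may collect, use, store and transmit technical and related "
    "information that identifies your computer (including the Internet Protocol "
    "Address), operating system, Application usage (including but not limited to "
    "successful installation and/or removal), software, software usage and "
    "peripheral hardware, that may be gathered periodically to facilitate the "
    "provision of software updates, dynamically served content, product support "
    "and other services to you, including online services. EA may also use this "
    "information combined with personal information for marketing purposes and to "
    "improve our products and services. We may also share that data with our third "
    "party service providers in a form that does not personally identify you."
)

if __name__ == "__main__":
    report = analyze(EVIDENCE_1)
    print(report["verdict"], "(score %d)" % report["score"])
    for label, snippet, weight in report["indicators"]:
        print("  [%d] %s: %r" % (weight, label, snippet))
    print("  readability:", report["readability"])
```

Keyword matching of this kind is cheap and transparent, but it is only a screen: a clause can be reworded around any fixed pattern, and a vendor that collects data in good faith will trip the same words. The readability figure is the useful complement, since a first sentence of roughly seventy words is itself a signal that the clause was not written to be understood.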

[19]
The authors of Automated Spyware Detection Using End User License Agreements adopted a method similar to that used for classifying e-mail messages as spam or not spam. They represent each EULA as a word frequency vector, so the data instances are essentially pairs of word frequency vectors and classes.26 Their experiment tested several available learning algorithms, of which 13 out of 15 proved promising, and was able to classify a EULA as either good or bad, where a bad EULA is one that indicates spyware.27 The proposed tool is meant to be middleware28 sitting between the application being installed and the operating system of the computer. It operates in the background, automatically analyzes the content of the EULA as soon as it appears on the screen, and immediately advises the user whether or not to accept it on the basis of that analysis. This should spare the user the headache of wading through thousands of words of complex language that he or she may not even understand.
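As an added example of the representation described above (an editor’s illustration, not the authors’ tool, whose learning algorithms the article does not name), the following Python code turns each EULA into a word frequency vector and trains a multinomial naive Bayes classifier, the classic spam-filter technique, on a small set of labelled clauses constructed for this example; `should_accept` plays the role of the advice the proposed middleware would give. The training clauses, labels, stopword list and test clauses are all assumptions, and a real deployment would need a corpus of hundreds of hand-labelled EULAs.

```python
"""Word-frequency-vector representation of EULAs with a multinomial naive
Bayes classifier, the technique spam filters use and the analogy the
article draws for the Boldt et al. approach.

Added illustrative example; not the authors' tool. The training clauses,
labels, stopword list and test clauses are constructed for this example.
"""
import math
import re
from collections import Counter

STOPWORDS = {
    "the", "and", "you", "your", "our", "for", "with", "that", "this", "may",
    "are", "its", "all", "any", "not", "will", "from", "upon", "into", "use",
}


def tokenize(text):
    """Lower-case alphabetic tokens, dropping very short words and stopwords."""
    return [w for w in re.findall(r"[a-z]+", text.lower())
            if len(w) > 2 and w not in STOPWORDS]


def word_frequency_vector(text):
    """The paper's representation: a sparse vector of word counts."""
    return Counter(tokenize(text))


def train(labeled_eulas):
    """Build class priors and per-class word counts from (text, label) pairs."""
    doc_counts = Counter()
    word_counts = {}
    vocabulary = set()
    for text, label in labeled_eulas:
        vector = word_frequency_vector(text)
        doc_counts[label] += 1
        word_counts.setdefault(label, Counter()).update(vector)
        vocabulary.update(vector)
    return {"docs": doc_counts, "words": word_counts, "vocab_size": len(vocabulary)}


def log_posteriors(model, text):
    """Log P(class | text) up to a constant, with add-one (Laplace) smoothing
    so that words unseen in a class do not zero out its probability."""
    vector = word_frequency_vector(text)
    total_docs = sum(model["docs"].values())
    scores = {}
    for label, ndocs in model["docs"].items():
        counts = model["words"][label]
        denominator = sum(counts.values()) + model["vocab_size"]
        score = math.log(ndocs / total_docs)
        for word, n in vector.items():
            score += n * math.log((counts[word] + 1) / denominator)
        scores[label] = score
    return scores


def classify(model, text):
    """Label with the highest posterior: 'bad' (spyware-like) or 'good'."""
    scores = log_posteriors(model, text)
    return max(scores, key=scores.get)


def should_accept(model, text):
    """The advice the middleware would give when the EULA appears on screen."""
    return classify(model, text) == "good"


# Constructed training set: clauses of the kind found in spyware-bundling
# EULAs ("bad") and ordinary license terms ("good").
TRAINING = [
    ("The software may collect information about your computer, browsing "
     "activity and usage and transmit it to our servers and third party "
     "partners for marketing purposes.", "bad"),
    ("This application monitors your internet behaviour and web browsing and "
     "reports the data to advertisers to deliver targeted advertisements.", "bad"),
    ("We may gather technical and personal information, including your IP "
     "address and software usage, and share that data with our partners.", "bad"),
    ("By installing you consent to the installation of additional components "
     "that track your activity and display advertising.", "bad"),
    ("Licensor grants you a non-exclusive license to install and use one copy "
     "of the software on a single computer for your personal use.", "good"),
    ("The software is provided as is without warranty of any kind, and licensor "
     "disclaims all implied warranties of merchantability and fitness.", "good"),
    ("You may not reverse engineer, decompile or disassemble the software "
     "except as permitted by applicable law.", "good"),
    ("This agreement terminates automatically if you fail to comply with its "
     "terms; upon termination you must destroy all copies of the software.", "good"),
]
MODEL = train(TRAINING)

# Constructed test clauses, neither of which appears verbatim in TRAINING.
SUSPECT = ("We collect and transmit information about your browsing activity "
           "and share it with third party advertisers for marketing.")
BENIGN = ("Licensor grants you a license to use the software; the software is "
          "provided without warranty and you may not decompile it.")

if __name__ == "__main__":
    for clause in (SUSPECT, BENIGN):
        print(classify(MODEL, clause), "->",
              "accept" if should_accept(MODEL, clause) else "decline")
```

The design point is the smoothing: without the add-one term, a single word the classifier has never seen in one class would force that class’s probability to zero, and an author could defeat the tool with a misspelling. As with spam, the classifier learns the vocabulary of disclosure rather than the behaviour of the program, so a EULA that says nothing about data collection is scored as good; that gap is exactly the one the paper’s Evidence 1 and 2 show vendors exploiting in the other direction, by disclosing in language no one reads.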

4.2. Detecting Spyware during Installation

[20]
An effective anti-spyware tool is crucial for detecting spyware at the moment software bundled with it is being installed. The anti-spyware tool should also be able to search out and destroy spyware that has somehow slipped onto a victim’s computer. There are many commercial and free anti-spyware tools on the internet, but users must be cautious about what they install: some applications sold as anti-spyware or anti-malware have turned out to install spyware and malware instead of protecting against them. The Ad-Aware anti-spyware program has proven to be a good tool for detecting and destroying spyware29, as have Norton Internet Security, Spybot Search & Destroy and Spyware Doctor. However, none of these or other tools can be rated 100% effective, so a combination of countermeasures must be applied to achieve adequate protection, as discussed in the next section.

5. Discussion and Future Work

[21]
The first sentence of the quotation in Evidence 1 above means that EA may collect information such as your machine name together with your Internet Protocol address, which is enough to track you and your internet behaviour; the IP address alone is enough to determine your city and perhaps your organization’s location. It also covers your operating system version, which, if someone intends to hack the computer, narrows the search for that operating system’s known vulnerabilities and makes the attack easier, and other technical information such as the security status of the computer (whether anti-virus software, a firewall, an intrusion detection system and so on are present, and how capable they really are). This would simplify the work of the spyware’s authors if they intend to hack the computer, or of the third parties to whom they sell the data; EA has indicated that it may use the technical information together with personal information (the computer’s name, the user’s credit card details, shopping behaviour, etc.) for marketing purposes. If such a thing is allowed, the security of the computer is compromised, which means that somebody else may be controlling the computer remotely, and it is a clear waiver of one’s right to privacy and security.
[22]
The quotation in Evidence 2 says it all. The software monitors all of your internet behaviour, including both normal web browsing and your most sensitive activities that should be secure, such as money transfers, shopping with credit cards, other financial transactions and even the health information you give to your doctor or to other health organizations. This is a clear violation of privacy and breach of security. The activities you may have through secure sessions are those performed over the Secure Sockets Layer (SSL)30. SSL is a commonly used protocol for securing message transmission on the internet; messages passed through SSL are encrypted, which is why sensitive data such as passwords and credit card details are sent over it. The phrase in the quotation “and also the activity you may have through secure sessions” means that the spyware may eavesdrop on the secure session, and a program running on the user’s own computer can do so simply by reading the data before it is encrypted or after it is decrypted, since SSL protects the data only while it is in transit. This is a clear breach of security. To achieve information security, the confidentiality, integrity and availability of information must be preserved. I believe absolute security lies in the hands of the user. Users need to be at least roughly educated about the real threats (spyware) facing them and the countermeasures needed to avert them, so education and awareness are crucial here. Users must be aware of the impact of spyware on their computers: degraded performance and stability, violation of the right to privacy, reduced employee productivity because of that degradation, all of which impose extensive administrative expenses, and most critically, the opening of doors to computer hacking, with consequences ranging from monetary theft to loss of integrity.
A combination of effective tools that detect spyware in EULAs, tools that detect spyware during installation, and information security best practices should make life miserable for the authors of spyware. It is a subject that must be addressed in the near future.

6. Conclusion

[23]
It is still not clear whether the authors of Automated Spyware Detection Using End User License Agreements have released the proposed tool for commercial use. I have contacted them via e-mail to ascertain the status of the tool but to date I have not received any response from them. Nevertheless, such software is vital and should be released for commercial use as soon as possible. This paper has presented evidence that the authors of many legitimate kinds of software bundle spyware with their products and disclose its presence in the EULA in order to escape legal consequences. The paper also discusses spyware, its types and possible ways of detecting the misleading language in EULAs. A number of programs for detecting spyware during and after installation have also been discussed.
  1. Daniels, J., Scumware.biz Educates about Dangers of Adware/Scumware, Computer Security Update, (5)2 (2004).
  2. Inside Spyware: A Guide to Finding, Removing and Preventing Online Pests, Intranet Journal (2002).
  3. Short for Remote Administration Trojan.
  4. Cafarchio, P., The Challenge of Non-Viral Malware, PestPatrol White Paper (2002).
  5. Millett, L., Friedman, B., Felten, E., Cookies and Web Browser Design: Toward Realizing Informed Consent Online, Proceedings of CHI, ACM, p. 1 (2001).
  6. Millett, L., Friedman, B., Felten, E., Cookies and Web Browser Design: Toward Realizing Informed Consent Online, Proceedings of CHI, ACM, p. 1 (2001).
  7. Martin, D., Wu, H., Alsaid, A., Hidden Surveillance by Web Sites: Web Bugs in Contemporary Use, Communications of the ACM, p. 260 (2003).
  8. Ferrer, D., Mead, M., Uncovering the Spy Network, Computers in Libraries, (23)5, p. 16 (2003).
  9. Wildstrom, S., How to Stymie the Snoop in Your PC, BusinessWeek, p. 28 (2004).
  10. Radcliff, D., Spyware, Network World, (21)4, p. 51 (2004).
  11. Foster, E., The Spy Who Loves You, Infoworld, (24)20, p. 60 (2002).
  12. Anonymous, Spyware: Spycatcher, New Media Age, p. 25 (2004).
  13. Doyle, E., Not All Spyware is as Harmless as Cookies: Block it or Your Business Could Pay Dearly, Computer Weekly, November 25, p. 32 (2003).
  14. A network of compromised computers.
  15. McDowell, M., National Cyber Alert System, Cyber Security Tip ST04-015, http://www.us-cert.gov/cas/tips/ST04-015.html (2004), last viewed February 6, 2012.
  16. Walker, J., EA’s Origin EULA Proves Even More Sinister, http://www.rockpapershotgun.com/2011/08/24/eas-origin-eula-proves-even-more-sinister/ (2011), last viewed February 6, 2012.
  17. Origin is a digital distribution and digital rights management system from Electronic Arts (a major American developer, marketer and distributor of video games) that allows users to purchase games on the internet for PC and mobile platforms and download them with the Origin client.
  18. Walker, J., EA’s Origin EULA Proves Even More Sinister, http://www.rockpapershotgun.com/2011/08/24/eas-origin-eula-proves-even-more-sinister/ (2011), last viewed February 6, 2012. See section 5 for further discussion.
  19. Walker, J., EA’s Origin EULA Proves Even More Sinister, http://www.rockpapershotgun.com/2011/08/24/eas-origin-eula-proves-even-more-sinister/ (2011), last viewed February 6, 2012.
  20. A type of spyware; see section 2.1 above for the definition.
  21. Desautels, E., End User License Agreements: Security and Privacy Implications, US-CERT, p. 2 (2005).
  22. See section 5 for further discussion.
  23. Boldt, M., Wieslander, J., Investigating Spyware in Peer-to-Peer Tools, Blekinge Institute of Technology (2003).
  24. www.spywareguide.com/analyze, last viewed January 4, 2012.
  25. www.spywareguide.com/analyze, last viewed January 4, 2012.
  26. Boldt, M., Jacobsson, A., Lavesson, N., Davidsson, P., Automated Spyware Detection Using End User License Agreements, 2nd International Conference on Information Security and Assurance, Busan, Korea (2008).
  27. Boldt, M., Jacobsson, A., Lavesson, N., Davidsson, P., Automated Spyware Detection Using End User License Agreements, 2nd International Conference on Information Security and Assurance, Busan, Korea, p. 4 (4.5) (2008).
  28. Campbell, A., Coulson, G., Kounavis, M., Managing Complexity: Middleware Explained, IT Professional, IEEE Computer Society, 1:5, p. 22-28 (1999).
  29. Boldt, M., Wieslander, J., Investigating Spyware in Peer-to-Peer Tools, Blekinge Institute of Technology (2003).
  30. Chou, W., Inside SSL: The Secure Sockets Layer Protocol, IT Professional, IEEE Computer Society, p. 47-52 (2002).