PC invaders camp out in hard drives

People who regularly click through terms-of-service agreements without reading them later discover they've let advertisers and others access their computers.



By John Borland and Rachel Konrad
Staff Writers, CNET News.com
April 18, 2002, 4:00 a.m. PT

Virginia Watson unwittingly authorized a company she'd never heard of to install software that would help turn her computer into part of a brand-new network.

The software, from Brilliant Digital Entertainment, came with the popular Kazaa file-swapping program. But the 65-year-old Massachusetts resident--who has a law degree--didn't read Kazaa's 2,644-word "terms of service" contract, which stated that Brilliant might tap the "unused computing power and storage space" of Watson's computer.

"I have in the past read 'terms of agreement' and not retained a word," said Watson, who uninstalled Brilliant's software after learning about it recently. "I find them way too long. After scrolling down a few times, I just tend to give up."

Every month, millions of people agree to terms-of-service and privacy contracts they haven't read--and probably wouldn't understand if they tried--to download software without paying for it. Many are later disturbed to find their computers coopted by little-known companies to distribute advertisements, monitor online behavior, or help solve complicated computing problems.

Terms of service have long been a source of controversy, especially when they involve consumer privacy. But the issue was raised to alarming levels this month when consumers using the Kazaa program learned that they had unwittingly agreed to install software that could help turn their computers into nodes for a peer-to-peer network controlled by another company.

PC invasion has become the hidden cost of free software such as Kazaa and Audiogalaxy, programs that allow people to share digital music and other files online. Instead of charging consumers, or giving away software like music-swapping service Napster did before it was shut down, software developers are giving advertisers direct access to people's computers.

The stakes are high: Six of the top file-swapping software programs have collectively been downloaded more than 144 million times, according to the companies' sites and statistics kept by popular software-aggregation sites. Most of those downloads have been accompanied by "adware," software that often monitors Web browsing habits to generate ads based on the person's interests, or by other tracking software.

Terms of service accompany virtually all adware, and consumers must generally click the "I agree" button to install the software. In some cases, the software will ask them to agree again months or weeks later.

Negative publicity in the wake of the Brilliant-Kazaa controversy has some industry veterans worried that consumers will switch from mindlessly clicking "I agree" to staunchly refusing to accept terms of service. In that scenario, innovative software might not receive advertisers' support or distribution.

Brilliant, whose Altnet peer-to-peer software piqued consumer fears, says it is committed to telling people exactly how their computers will be used via new agreements and pop-up boxes as it loads more software and starts using consumers' computer resources. But others say the case underscores the vulnerability of millions of PCs to all manner of invasion, disclosed or otherwise.

"Spyware," or "sneakware," monitors online behavior or mines an individual's data without asking for consent before invading that person's PC. The programs haven't yet caused major damage, but experts say the applications could steal users' passwords or credit card numbers and become a security and privacy nightmare.

The voyeuristic, potentially criminal, nature of spyware has united an unlikely lot: privacy advocates and adware proponents. They're both speaking out about privacy policies and terms-of-use contracts, while adware executives are taking pains to define adware and spyware.

"I'm not an extremist," said Robert Regular, vice president of sales and marketing at New York-based digital advertising firm Cydoor. "But all this talk of spyware is the equivalent of elevating one bad seed, and it's having negative consequences on the good software. The public doesn't have time to investigate if it's negative software; they'll just stop downloading...I would hate to think we could reach a point that, whenever a dialog box comes up and says, 'Do you want to do this,' bells go off and people become worried."

Mindful or mindless consent?
Privacy and security experts say advertisers and other bundled software distributors are exploiting people's mindless habit of clicking "I agree," and they worry that consumers are abandoning their rights with the click of a mouse. Much as the avalanche of spam in the 1990s prompted action from legislators and regulators, growing annoyance with this quietly bundled software has triggered a backlash that could help set ground rules for using consumers' computers.

"The question is not whether people read and understand (terms-of-service agreements)--of course they don't--but whether they can be enforced," said Cem Kaner, an attorney specializing in software legislation who teaches computer science at the Florida Institute of Technology. "I don't think that companies should have the right to spy on you without your actual permission, but I think it will be hard...to prosecute companies who do engage in this type of practice if you have actually clicked on an agreement that gives them permission."

Although people regularly click on such agreements, few scroll through the verbiage. In a survey last month of 155 adults by Richardson, Texas-based consulting firm Privacy Council, 76 percent of respondents said they were "concerned" about having their privacy violated on the Internet. Only 22 percent admitted to reading privacy policies. Among respondents ages 18 to 25--a core constituency for file-swapping software--only 8 percent read the policy.

"It preys upon a very vulnerable population--namely teenagers and other people desperate to get free software," Privacy Council Chief Executive Larry Ponemon said. "They never read any of that gobbledygook. They want to satisfy their need immediately, not make sure they have consent and protection."

Moreover, reading the policies does not automatically translate to understanding them. Like software license agreements for Microsoft Word or Windows, most privacy and terms-of-use statements that accompany bundled software are rife with impenetrable jargon and legalese.

Mark Hochhauser, a Golden Valley, Minn.-based psychologist and readability consultant, said clicking the "I agree" button at the end of consent forms reflects widespread trust on the part of consumers--not necessarily ignorance or illiteracy.

"Patients who are very sick can be given a 3,000-word consent form written by lawyers with the same level of complexity as these privacy notices," Hochhauser said. "The sick people usually just sign it without reading it because their doctor said it was OK. Same thing here: The reader thinks, 'The FTC would close them down if they were doing something really bad.' There may be a basic element of trust that people bring into this."

A "kindergarten version"
Stung by criticism in the media and on online bulletin boards, some adware companies are adopting "plain English" policies for their forms.

Redwood City, Calif.-based Gator, a popular free application that is supported by advertising revenue from its own bundled program, requires a marketing person to draft its terms of service. That person then sends the document to the legal department, which edits and returns it to the marketing department for revisions. The result is a three-paragraph statement that Chief Marketing Officer Scott Eagle calls a "kindergarten version" of the full policy.

Gator includes simple directions for how to remove its software and discontinue the targeted advertising in the first privacy policy that its users receive. It also requires the person to click "I agree" long after downloading is complete--part of a policy of "ongoing communication" with customers, Eagle said.

"Does an uninvited guest keep knocking on your door saying, 'Hi! I'm here!'?" he asked rhetorically, describing Gator's multiple disclosures and the icon of alligator eyes that appears whenever the program is running. "No. We are invited guests on the desktop and even pop up a fourth modal screen saying, 'Your Gator software is here.' And since our e-wallet software helps users every day fill out forms, we constantly come back and have an ongoing relationship with our customers."

Gator has more than 300 clients, including four of the top six automotive companies and businesses that sell everything from mortgages to diapers. It sends an average of two pop-up ads per week to more than 15 million people.

Sharman Networks' Kazaa, which many consumers sharply criticized for bundling Brilliant's Altnet software earlier this month, has set up a special Web site explaining bundled software. Audiogalaxy, which bundles Gator with its software, includes a separate screen during installation that shows Gator's logo and then forces people to go through several screens describing Gator and consenting to the service.

"Honestly, I don't know any other ways of harassing the user, other than making the screen flash," Audiogalaxy CEO Michael Merhej said.

Nevertheless, industry executives say a handful of companies--which emerge and go out of business quickly and rarely publish physical addresses on their Web sites--are tainting adware's image.

Gator executives said they recently submitted a list of "best practices" to the Interactive Advertising Bureau, including recommended guidelines for consent and disclosure, but spyware remains below the radar of the Better Business Bureau. The Federal Trade Commission has received complaints about the software, though it won't say how many or for which programs.

Internet industry groups are taking up the cause from a technological standpoint. On Tuesday, the World Wide Web Consortium endorsed standards for protecting consumers' privacy on Web sites.

Blissful ignorance--so far
Some consumer groups want to eliminate sweeping statements in contracts--including clauses that allow companies to change an agreement without any notice. Brilliant includes such a clause in its terms of use, noting it "reserves the right to change or modify any of the terms and conditions of this agreement and any of the policies governing the services at any time in its sole discretion." Other policies make no mention of bundled software at all--an omission that attorneys are quick to point out.

"You can't say with any certainty that click-wrap agreements are always enforceable," said Doug Isenberg, an Atlanta-based attorney and publisher of the GigaLaw.com Web site. "Many judges will look for a way to find that a click-wrap agreement is unenforceable if the terms of the agreement are not conspicuous."

Congress is examining bundled software and related issues. In 1999, and again in 2001, Sen. John Edwards, D-N.C., introduced legislation to force spyware distributors to get permission and notify people with a detailed description of the information they're collecting. No committee has picked up the bill, but broader consumer notice and privacy concerns are showing up in compromise Internet privacy legislation soon to be introduced by Sen. Ernest "Fritz" Hollings, D-S.C.

The FTC is urging consumers with complaints to contact the agency. Staff members are particularly concerned that children are among the most voracious consumers of free downloads and that software companies don't prevent children from agreeing to terms that affect their parents' computers. That was partly why the FTC took action recently against a company whose software disconnected surfers' computers from the Net and rerouted them through a 1-900 number.

Congress has already enacted some consumer protection rules in other areas that could eventually apply to bundled software. For example, credit card companies must list the long-term interest rates for credit cards in a large font, and they can't hide even ordinary terms and conditions in small print.

Market forces may also provide an antidote to bundled software abuses. German software company Lavasoft has distributed at least 4.5 million copies of Ad-Aware, a free program that scans a computer's memory, registry and hard drives for known adware and spyware.

"What we need is a private police force on the Internet to make sure the software you get has sufficient protections," said Privacy Council's Ponemon. "There's probably a really good business opportunity there." 

From legitimate advertising companies with Fortune 500 clients to unethical hackers working in covert networks, organizations are eager to tap your computer. But advertisers, publishers, industry pundits and journalists rarely agree on definitions of the emerging niches of "adware" and "spyware," two forms of software that usually piggyback on another, more popular program. Here are some rough guidelines:

adware: This software installs itself after you click "I agree" or legally consent to having the program on your computer. The software might monitor your Web browsing habits or ask for your demographic data to generate "targeted ads" based on your interests. For example, an adware company could allow a pop-up ad about a Ford Explorer to appear on the screen while you were exploring the Jeep site. Adware may report data to a third party.

spyware: This software often installs itself without your consent. The software might monitor your Web browsing habits or record your passwords, credit card information or other e-commerce data. It usually relays the data to a third-party company or funnels the information for unethical purposes. It's usually difficult to find or delete from your hard drive.


Below are the top 20 downloads for the week ending April 14, 2002 from Download.com*. Downloads that include bundled software or technology that will serve banner ads are in red. Those that try to purge adware are in green.

Rank  Name                       Downloads this week
1     ICQ 2002a                  1,008,687
2     Morpheus Preview Edition   900,345
3     WinZip                     458,643
4     IncrediMail Xe             325,782
5     iMesh                      281,308
6     Edit Buddy                 267,185
7     Ad-Aware                   216,787
8     Download Accelerator       206,583
9     LimeWire                   199,715
10    ZoneAlarm                  170,399
11    BearShare                  123,236
12    Grokster                   119,324
13    DivX Video Bundle          97,425
14    Trillian                   93,777
15    LingoWare                  91,509
16    Winamp                     82,082
17    Adobe Acrobat Reader**     77,622
18    Zero Popup                 73,956
19    RealPlayer                 73,627
20    Audiogalaxy Satellite      71,560

*Download.com is operated by CNET Networks, publisher of News.com.

**Adobe's Web Buy feature, which allows you to purchase PDF files through online distributors, may transmit information about your computer to these third-party distributors.

Source: Download.com, News.com

Editors: Mike Yamamoto, Evan Hansen, Julie Laing, Desiree Everts
Design: Melissa Parker
Production: Mike Markovich