Spyware Everywhere

Free Software is the Lure, Online Surveillance is the Reality

by Robertson Barrett, October 21, 2002

Eliot Pierce, a product manager for a large online media company, scours the World Wide Web each day for music files, games and flashy new freeware utilities. Years of heavy Internet use have taught him to read the fine print most consumers ignore when they install free programs on their PCs.

So after carefully downloading KaZaA — the most popular file-sharing program on the Web with 90 million copies requested so far this year — Pierce was not amused when his new BonziBUDDY showed up, too.

“I did a custom download and only elected to get KaZaA,” he said. “But instead I also got this other program, and very soon I had a talking monkey running around my screen. I had no idea how to get rid of it.”

“Bonzi” had an ambitious agenda. As BONZI.COM Software put it, “He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail and download like no other friend you’ve ever had!” He was also a double agent: From then on, whenever Pierce surfed the Web, his cartoon companion and a handful of other programs bundled with KaZaA would quietly transmit records of his behavior back to third-party servers. In return, Pierce received a steady stream of targeted, but unwanted, pop-up ads on his PC.

This sort of spyware, as many Web aficionados call it, rides onto tens of millions of home and office computers each week inside popular applications such as KaZaA. In most cases, it’s there to send ads that foot the bill so software companies can give their programs away for free. The companies disclose that fact somewhere in the download process. Even so, privacy experts say millions of eager teens and otherwise-wary adult Internet users download the programs just to locate a game or MP3 music file, miss the terse disclosures and, like Pierce, are surprised when they receive a stream of advertisements.

More troubling, the critics say, many users who choose to receive ads rather than pay for software don’t fully understand what they’re getting themselves into.

While nearly all the software companies claim users can stop the ads by uninstalling their programs, many leave active spyware components behind. As a result, users and family members who use the same PC wind up broadcasting their online behavior or personal information to unfamiliar third parties and thus become long-term targets of constant, focused promotions. And because most spyware operates the entire time a user is online, privacy experts worry that hackers who focus on popular programs have a back door to attack millions of Windows users at a time. (Note: None of the prevalent spyware programs are written for Macintosh operating systems.)

“What I call ‘spyware’ is any piece of software that is installed on your computer that sends back information about what you’re doing on the Internet,” said Richard M. Smith, a leading Internet security consultant based in Cambridge, Mass. “Sometimes you may know you’re installing it, and other times you may not. Companies want to see where you surf on the Internet, so that’s the main thing sent off — the list of all the Web pages where you go to. Also, the more software you have running in the background all the time, the more danger there is for hackers to break in.”

Spyware is nothing new, but it has diversified into an ever-greater number of forms since it debuted inside screensavers, games and other freeware in the mid-1990s. Its first widespread commercial incarnations were stealth software that scanned browser “cookies,” dropped invisible “Web bugs” that gathered Internet provider addresses, or reset home pages to small startups’ Web sites. Two years ago, big guns such as Real Networks and AOL’s Netscape added eavesdropping routines to programs that were required to download their applications. Both companies toned down those programs when users and privacy advocates complained.

Since then, spyware has proliferated in vast new advertising networks, such as WhenU.com’s SaveNow and Gator Corp.’s GAIN, that pay to have their software bundled inside red-hot Napster successors like KaZaA, Grokster, Bearshare and iMesh that carry them to tens of millions of desktops each week. A close second are stand-alone programs like Hotbar and BonziBUDDY that offer users Web-crawling services but downplay their roles as advertising vehicles. With three such programs installed and running in the background on one PC, a typical surfing experience can include two to four pop-up ads and promotions on the desktop at any given time. (Read about the major categories of spyware.)

A Consumer Reports WebWatch examination of leading free-software sites found that programs containing spyware were consistently among the most downloaded in July and August. (Installations of those programs showed that most included marginally clearer disclosures in 2002 than in previous versions, in many cases after grassroots criticism.) On August 15, for example, nine of the top 20 programs available on CNET’s massively popular Download.com contained some form of spyware, as did 10 of ZDNet.com’s top 50 programs. Understandably, another top draw was Lavasoft’s Ad-aware, which helps afflicted users remove or disable some of the stealth programs. (See sidebar.)

The ad networks and the makers of popular applications that host them strenuously object to the spyware label, insisting the term should apply only to programs that sneak onto PC hard drives and transmit personal information with no user notice whatsoever. Instead, the companies prefer the term adware and say their installation-screen disclosures clearly communicate the quid pro quo. Kelly Larabee, a spokesperson for KaZaA maker Sharman Networks, said KaZaA wouldn’t have consistently topped Download.com’s list this year if its millions of users hated the ads more than they wanted the goodies.

“We believe there is a benefit for the user,” Larabee said. “We’re not going to do anything to allow advertisers to invade the privacy of our users — we wouldn’t be the software of choice otherwise.”

But privacy advocates charge that most companies that create or carry spyware purposely rely on fine-print disclosure tactics and user passivity to maintain and expand their reach.

“Most of us click right through those installation agreements,” said Chris Hoofnagle of the Electronic Privacy Information Center. “One of the difficulties is the culture of ‘free.’ Americans need a better skepticism of marketing.”

Users Can’t Resist

It’s not as though users have no warning. Download.com will only carry programs that contain adware if the makers admit to the fact up front, and site editors also notify users through reviews on the relevant Download.com page. (The information is not always consistent: While Download.com informs users about KaZaA’s bundled programs, a longer review of KaZaA on sister site CNET.com — not directly linked — actually recommends against downloading the program. Instead, CNET.com recommended a new version of peer-to-peer file-sharing program Limewire, which a different reviewer on CNET’s News.com pans for ad-serving.)

Download.com also publishes public comments. “Our users are very vocal on this,” said Kelly Green, the site’s director. “If our users feel that a program is including an unacceptably invasive program, they will definitely speak their mind.”

But the hit parades on Download.com and similar sites suggest the complainers are either outnumbered or download their favorite programs anyway.

“It’s kind of sad — people give up their privacy very cheaply,” said Seth Schoen, a technologist with the Electronic Frontier Foundation, an online policy think-tank. “People may be permanently subjecting themselves to a great deal of advertising just to get a single computer game which they might play for two weeks.”

No Sheriff

Spyware programs currently face no strong regulatory roadblocks. The major initiative now before Congress, the Online Personal Privacy Act (Senate Bill 2201), would require software companies to notify users of features that collect or share personal information — something all the top makers of adware and their host programs already do in minimal form.

“Companies would have to seek ‘opt-in’ for sensitive information like financial or medical data, but otherwise it requires a short notice that matter of factly says, ‘We are collecting your personal information and we’re using it for marketing,’” said Hoofnagle of the Electronic Privacy Information Center. “You don’t have to say specifically what you’re doing. As long as it stays this way, spyware will continue.”

Even so, criticism of past practices has prompted adware firms and host software companies to mount aggressive public-relations campaigns. “We realized a year ago that people were lumping us together with true spyware companies, that we had to step up and do something about it,” said Scott Eagle, senior vice president of marketing at Gator, the largest adware network. “Now, every single distribution method we have has a minimum of a consumer must-click, ‘I accept’ button — it’s not buried in fine print — and at minimum two or more screens talking about Gator. Every one requires an active acceptance of our privacy policy and user license agreement.”

KaZaA’s Sharman Networks, which is registered in the Pacific island nation of Vanuatu, has taken most of the heat and often failed to respond to press inquiries. Now, Sharman is talking. In August, it announced a partnership with Bullguard, whose popular software addresses backdoor security risks, if not spyware practices. But that move came under yet another cloud. In April, CNET discovered that KaZaA had quietly worked in new software from Brilliant Digital Entertainment “to enable richer, more entertaining forms of advertising.” Actually, in coming months, Brilliant plans to tap the millions of KaZaA users’ PCs as its own peer-to-peer network. Security experts went ballistic, worrying that hackers could use it to bring down a vast swath of the Internet audience.

“That is the most frightening thing I have read, since I am a KaZaA user myself,” Eric Santiago, a Brooklyn, N.Y. resident, told CNET’s News.com. “I guess I should uninstall and start reading user agreements in the future.”

Spyware Removal Options

The hangover from record downloads of programs that include adware and other spyware in 2002 has created a matching demand for utilities designed to block unwanted pop-up ads or remove spyware altogether.

Security experts contacted by Consumer Reports WebWatch recommended several popular programs instead of manual software-removal methods. The Add/Remove Programs function in Windows’ Control Panel, for example, requires users to know the names of the stealth spyware files or to find special uninstallers, and even then, some spyware programs can leave functional elements behind on the hard drive.

While even leading anti-spyware makers can’t guarantee a clean sweep, they include services that update their programs to account for newly discovered offenders. (Note: No recommended programs offer versions for Apple operating systems, as no prevalent spyware targets Macintosh computers.)

(Click on links for details and downloads. Consumer Reports WebWatch does not endorse any of these software programs, but provides this information as a reference.)

All-Purpose Spyware Killers

Two programs have drawn the most praise from experts and users, and one effective free alternative is gaining in popularity:

Ad-aware 5.83

Lavasoft’s free utility, by far the most popular with users and experts, scans the PC hard disk and removable drives and displays a list of all programs that match its latest spyware list. Before attempting to remove any suspicious program, Ad-aware allows users to confirm the choice in a list box, make a backup kept in a harmless, separate directory and keep certain components of programs if they wish. For prevention going forward, a $15 upgrade, Ad-aware Plus, includes additional security features, lifetime customer support and Ad-watch, a real-time spyware monitor that alerts users if any spyware program uses system RAM or tries to install itself in the system registry.
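The scan-match-backup-remove sequence described above, as an added illustration (not Lavasoft’s code or database): a small signature scanner that hashes every file under a directory, compares each hash against a signature list, and moves matches into a separate backup directory instead of deleting them. The signature list, the sample files and their contents are all constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed signature list: SHA-256 of a known component's bytes -> label.
# A real tool ships a maintained database; these are made-up sample contents,
# hashed below, not hashes of any real spyware.
KNOWN_BAD = {
    b"CONSTRUCTED-SAMPLE-ADWARE-COMPONENT-1": "Sample.Adware.A",
    b"CONSTRUCTED-SAMPLE-TRACKER-COMPONENT-2": "Sample.Tracker.B",
}
SIGNATURES = {hashlib.sha256(b).hexdigest(): name for b, name in KNOWN_BAD.items()}


def scan(root, signatures=SIGNATURES):
    """Walk root and return [(path, label)] for every file whose hash is on the list."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            if digest in signatures:
                hits.append((path, signatures[digest]))
    return hits


def quarantine(hits, backup_dir):
    """Move each hit into backup_dir rather than deleting it, so the user can restore."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for path, label in hits:
        dest = backup_dir / f"{label}__{path.name}"
        shutil.move(str(path), str(dest))
        moved.append(dest)
    return moved


def demo():
    """Build a constructed 'hard disk' in a temp dir, scan it and quarantine the matches."""
    root = Path(tempfile.mkdtemp(prefix="scan-demo-"))
    (root / "Program Files" / "Buddy").mkdir(parents=True)
    (root / "Program Files" / "Buddy" / "helper.dll").write_bytes(b"CONSTRUCTED-SAMPLE-ADWARE-COMPONENT-1")
    (root / "Windows" / "System").mkdir(parents=True)
    (root / "Windows" / "System" / "track.dll").write_bytes(b"CONSTRUCTED-SAMPLE-TRACKER-COMPONENT-2")
    (root / "notes.txt").write_bytes(b"benign user file that must be left alone")
    hits = scan(root)
    backups = quarantine(hits, root / "quarantine")
    left = sorted(p.name for p in root.rglob("*") if p.is_file() and "quarantine" not in p.parts)
    return [label for _, label in hits], [b.name for b in backups], left
```

Hash matching only catches components whose exact bytes are already in the list, which is why the article stresses the update services that keep such lists current.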

BPC Spyware and Adware Remover 2.3

Like Lavasoft’s program, Bullet Proof Soft’s free Spyware Remover tool removes known spyware and has a real-time feature, SpyWatch, that scans the PC memory and registry for known spyware components. Taking advantage of that ongoing service costs $29 after a five-day free trial. The program is 7 megabytes (seven times the size of Lavasoft’s) and includes an additional tool, Pop-Up Watch, which attempts to block pop-up ads even when “adware” is running.

SpyBot Search & Destroy 1.0

German developer Patrick Kolla has received positive reviews from users for offering a free “donationware” alternative (Windows only). While Kolla’s tool is a first release and its database of current spyware is smaller than those maintained by the staffs at Lavasoft and other firms, Spybot performs similarly and removes the most well-known spyware programs — an option for users who want a reasonable ongoing spyware detection service but don’t want to pay for it.

Ad Blockers

A second line of defense, in case “adware” removers miss some spyware, is utilities aimed at blocking some or all ads during Web surfing. (These aren’t a solution for users concerned about tracking as well as ads.)

Well-received leaders among them include InterMute, Inc.’s AdSubtract Pro 2.5 ($29.95 after a 30-day free trial), Guardwall’s Guard-IE ($29.95, Internet Explorer only) and Panicware, Inc.’s free Pop-Up Stopper (which requires users to hold down the “control” key to access some links; paid versions for $19.95 and $39.95 remove this distraction and offer advanced features).

Security and Privacy Aids

If all else fails, average PC users can minimize the security threat from back-door spyware with stronger software suites that monitor and squelch background Internet activity.

The leading packages — ZoneLabs’ Zone Alarm Pro 3.0 ($49.95) and Symantec’s Norton Internet Security 2002 ($69.95) — both include a personal firewall, up-to-date virus scanners and settings to block many Internet ads. A popular alternative, Anonymizer Privacy Toolbar, hides Web-surfing activity from advertisers and most spyware programs ($29.95 per year after a 30-day trial).