http://www.forbes.com/security/2006/12/07/internet-security-research-tech_cx_ll_1208comscore.html

By Lisa Lerer
Forbes.com
12.08.06

ComScore Networks is the Big Brother of the Internet. The widely-used online research company takes virtual photos of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. Then comScore aggregates the information into market analysis for its over 500 clients, including such large companies as Ford Motor, Microsoft and The New York Times Co.

ComScore says that its participants are willing exhibitionists, happily selling their online privacy for gift certificates and free screensavers. But two computer scientists are raising new questions about comScore, claiming that company tracking software is being installed without consent on an unknown number of computers.

"[The] software is sneaking onto users' computers without the user agreeing to receive it," says Harvard University researcher Ben Edelman, who documented at least ten unauthorized comScore downloads.

Eric Howes, director of malware research at antivirus company Sunbelt Software, and his researchers separately observed hundreds of unauthorized comScore downloads in a three-month period this fall. (Edelman and Howes spend their days patrolling the Internet for new threats.)

ComScore (revenues: $50 million) denies the allegations, saying the company would never install software without permission. "There is spyware out there, but that's not what we do," says comScore chairman and co-founder Gian Fulgoni. "We get explicit permission before our software is put on someone's machine."

But privacy officer Chris Lin acknowledges seeing some unauthorized downloads several months ago. She says the company didn't distribute the nonconsensual software and immediately cut it off from comScore servers.

This isn't the company's first dalliance into apparent voyeurism: Two years ago, university IT managers busted comScore for tricking students into installing tracking software packaged with a free Web-accelerator program. Students were often unaware that they were being watched. comScore has since discontinued the program, called MarketScore.

But comScore remains the only major online research company that partners with third parties. Outside distributors bundle its surveillance software with desirable free programs like games or videos. Therein might lie the problem.

In September, Edelman typed in the URL of a site that lists special codes for video gamers. Instead, a pop-up window loaded, asking him to approve a download. When Edelman clicked yes, comScore's RelevantKnowledge software, which records every Web page visited, was installed on his machine along with scores of other advertising and spyware programs.

Computer sleuthing unearthed the source of the bundled software: DollarRevenue, a program that bundles together many different adware programs. Sunbelt considers DollarRevenue one of the top ten Internet threats for computers.

Edelman and Howes also observed similar downloads, based off porn and wrestling fan sites, by PacerD and MediaMotor, other adware bundlers known for their controversial practices. MediaMotor is the subject of a Federal Trade Commission complaint alleging improper disclosure of downloads; the U.S. Attorney's Office in Washington is engaged in a parallel criminal investigation. MediaMotor did not respond to requests for comment.

ComScore admits that the company engaged in partnership negotiations with DollarRevenue, even going as far as giving the company test software, says privacy officer Chris Lin. But the discussions stopped there, and the companies never signed a contract. Then, several months ago, comScore software installed by DollarRevenue started reporting back to company servers, says Lin.

Lin insists that the unauthorized software did not violate anyone's privacy. The company quickly cut the cord between the software and the servers. "This is the only issue that we have had with a potential distributor in the six years that our company has been in operation," says Lin.

DollarRevenue said it "never really worked" with comScore but did not answer further questions about the unauthorized downloads. ComScore said it never observed any illicit downloads from PacerD or MediaMotor and has no relationship with either company.

Edelman and Howes blame the unauthorized software on the layers of middlemen that deliver free programs, ads and spyware to consumers. One of comScore's software distributors, they speculate, may have cut a deal with a less-reputable firm, which ended up bundling the software with spyware and adware. But Edelman says this type of foul-up is inevitable given comScore's network of distributors.

Competitors say they refrain from using third-party distributors. "When you allow other people to start distributing your software, you lose control," says T.J. Mahoney, a managing director of market research start-up Compete.

Another market researcher, Hitwise, licenses online behavioral information from Internet service providers, rather than contacting users directly. Nielsen/NetRatings first vets participants on the phone. If they agree to join the panel, the company sends a CD or directs them to a page where they can download tracking software.

In 2000, comScore hired independent accounting company Ernst & Young to annually certify the company's privacy policies, but that's not enough for Howes and Edelman. "A truly independent outside audit of its data practices--that's really what it's going to take," says Howes.