Forgot your password?
typodupeerror
Privacy Security Businesses

Market Research Company Secretly Installs Spyware 206

Posted by Zonk
from the you-wanted-to-participate-anyway dept.
An anonymous reader writes "Forbes reports that two security experts are raising new questions about comScore, claiming that company's tracking software is being installed without consent on an unknown number of computers. The widely-used online research company takes screenshots of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. ComScore then aggregates the information into market analysis for its clients, which include such large companies as Ford Motor, Microsoft and The New York Times Co." From the article: "'[The] software is sneaking onto users' computers without the user agreeing to receive it,' says Harvard University researcher Ben Edelman, who documented at least ten unauthorized comScore downloads. Eric Howes, director of malware research at antivirus company Sunbelt Software, and his researchers separately observed hundreds of unauthorized comScore downloads in a three-month period this fall."
This discussion has been archived. No new comments can be posted.

Market Research Company Secretly Installs Spyware

Comments Filter:
  • Well? (Score:4, Insightful)

    by flyneye (84093) on Sunday December 10, 2006 @03:25PM (#17186330) Homepage
    Is anyone going to do something about this?
    Some justice,revenge,butt chewing,anything?
    Do we write our congressman,DOS them or what?
    all problems and no solutions.
    It must be illegal on some level.
    do we file a massive suit and each collect $5 or what?

    • Isn't it sad that poor Windows users have to put up with this nonsense to get a "free" program? It's so much nicer just to click add/remove software and search for the program I want to use. It must be awful not to be able to trust the people who make your software when any one bad program eventually will give away your banking information and you would never know until UPS contacts you to get directions to your Lithuanian address.

      Windows users: when you use linux, a program that does just what you need

      • Re: (Score:2, Interesting)

        by flyneye (84093)
        Is it necessarily a winblows problem or a browser plug-in/extention problem?

        • Re: (Score:3, Insightful)

          by theCoder (23772)
          It's not really a Windows technical problem (what comScore did could probably be done on Linux), but more of a Windows culture problem. I don't know about you, but I get nervous when I download source code for a program and run it without looking over the code. I get doubly nervous if I download a binary and run it. Back when I ran Windows (many years ago), I had no problems downloading and running programs from the Internet. If I happen to use Windows today, I still do that (though I'm pretty selective
    • Re: (Score:3, Funny)

      by gardyloo (512791)
      Personally,
      I think we should all write in this style.
      A real Story-of-Mel [wizzy.com] style.

      Hawt.

      Seriously. The world
      might not be made better for it.
      But *I* might be made better for it.

      When Congress writes anti-spam/anti-spyware laws
      in this style, and the FBI enforces them,
      with judges reading sentences in
      i-am-bic pentameter,
      humanity will be restored
      (whatever THAT means).

      [Now, watch slashdot's formatter totally f this up]
  • Yawn... (Score:2, Funny)

    by Colin Smith (2679)
    I'm sorry but monocultures and all that. I've given up warning people. It's their own responsibility to look after their computers? What they can't? Dearie me, that'll be hmmm, $$$ then.

     
  • by zappepcs (820751) on Sunday December 10, 2006 @03:32PM (#17186374) Journal
    the previous story mentioned social justice in the headline... social justice here would be to have CD copies of their malicious software being rammed up their backsides "without their consent" so to speak...

    Why is the DOJ worried more about aunt Eunice downloading MP3s than they are about people who are maliciously causing harm?

    sigh, I'll write but I wonder if my representatives will actually notice...
    • by jb.hl.com (782137)
      Because downloading MP3s is explicitly against federal law, whereas (IIRC) spyware is only legislated against by state law?
    • Re: (Score:3, Insightful)

      by StikyPad (445176)
      Because Joe Websurfer doesn't have a lobbiest bending the ear of Congress.
  • by straponego (521991) on Sunday December 10, 2006 @03:36PM (#17186410)
    I think everyone who isn't a total scumbag agrees that spammers and spyware makers are evil and a drain on society. Furthermore, in terms of lifetimes wasted, they time they cost us surely adds up to many times the lives we've lost due to terrorism. I have the answer, one which will heal the political rift in the US as a side effect.

    First, we have the NSA, DHS, et al target their illegal wiretapping programs at spammers and spyware makers. They've got the infrastructure to track these people down, and this is a justification for the programs everybody can get behind.

    Second, when a spammer is caught, we ship them down to Gitmo. It doesn't matter, in this case, whether torture is an effective means of getting information. We don't need information from them, we just want them out of circulation. We can hope that it would be a deterrent, but really they'll be getting it for the simple reason that they deserve it. Republican/Christians get to torture and sodomize to their shrivelled little hearts' content, and we don't have to worry about damaging our reputation in the world community. Everybody's happy!

    Gentlemen, there is no way that we can lose on this one!

    • by davidsyes (765062)
      "We don't need information from them, we just want them out of circulation."

      LOL. That sentence alone ought to have earned you 2 to 3 mod points... Or, maybe you had them, but had them taken away by:

      "spammers and spyware makers are evil and a drain on society" supporting types....
    • by Steve B (42864) on Sunday December 10, 2006 @05:03PM (#17187022)
      One important point is that spam is about the perfect method of communicating "go-codes" to terrorist cells -- it's trivial to encode a message in the anti-filtering gibberish attached to most spam, and the indiscriminate broadcast completely negates traffic analysis.
  • by Anonymous Coward
    Keep in mind when reading that by "unauthorized download" they don't mean copyright infringement, they mean that a third party installed ComScore software without *your* authorization.
    • by Dunbal (464142)
      they mean that a third party installed ComScore software without *your* authorization.

            Oh I hope it DOES make its way onto my machines. I can't wait until they see how much I charge for CPU cycles.
  • by martyb (196687) on Sunday December 10, 2006 @03:43PM (#17186486)

    I want to proactively block any chance of getting caught by this. I just added this to my (Windows/XP HOME SP2) HOSTS file (C:\windows\system32\devices\etc\HOSTS):

    127.0.0.1 comscore.com # ComScore, nee MediaMetrix, et al

    I recognize this is but a start. I expect this has been investigated by others already. Rather than re-invent the wheel, I'm looking for some input on what else I can do to protect myself from them. (I already use ONLY firefox, and also have AVG, AdAware, Spybot, and WinPatrol)

    Questions:

    1. What other entries should I add to my hosts file? (Prevent)
    2. What program(s) have you used to locate and remove this? (Detect and Remove)

    FYI: Wikipedia's ComScore Entry [wikipedia.org]

    • by interiot (50685)
      This lists some of the IP addresses that Texas Tech University has internally blocked. The most important thing to block is their proxy servers, since that's the bit that actually does the monitoring, and because the end-user software is distributed via a number of different sites and organizations.
    • Re: (Score:3, Informative)

      by flyingfsck (986395)
  • Intercepts https:// (Score:5, Interesting)

    by interiot (50685) on Sunday December 10, 2006 @03:44PM (#17186498) Homepage
    The thing that really gets me is that their monitoring software installs a root certificate in the user's browser so that they can do a "man in the middle" attack to https:/// [https] connections at their proxy servers. In many cases, comScore gets permission from end users to do this, but I don't think many users really realize how much information they're exposing by doing this. Most obvious is bank passwords, etc, but comScore says they don't monitor those. comScore DOES however say that they verify their user's name, address, income, etc., which I'd imagine most users wouldn't actually agree to if they were fully informed.
    • by khallow (566160)

      Most obvious is bank passwords, etc, but comScore says they don't monitor those. comScore DOES however say that they verify their user's name, address, income, etc., which I'd imagine most users wouldn't actually agree to if they were fully informed.

      In other words, comScore does a credit check. People routinely agree to those. So I'm not sure that your last statement is correct.
      • by interiot (50685)

        It's sort of like credit check, I suppose, but they can (and based on the "buying power" reports they generate, I believe there's a good chance they do) track purchases made, and may track bank balances (I'm not sure how easy this is to do, but it's possible they do this for the X largest ecommerce sites and the X largest banking sites).

        Yes, people routinely agree to credit checks, but usually there's a direct financial benefit... eg. getting a loan or something like that. comScore rarely pays its parti

    • by Beryllium Sphere(tm) (193358) on Sunday December 10, 2006 @04:47PM (#17186908) Homepage Journal
      Inviting the question, even if you trust them with your credit card numbers, and trust all their employees, do you want to bet that there won't be a security breach on one of their servers?

      This is a serious limitation of SSL on commodity operating systems, by the way. IE's list of trusted root certificates is simply entries in the registry. Even if you're part of the infinitesimal fraction of users who knows what a CA cert is and where to look for them, how can you do a security review on all 39 of the root certificates that come with Firefox, or spot a new unwanted one? (One of those root certs is from AOL, by the way). If you trust the Mozilla foundation to audit the security and practices of each and every one, do you have the same trust in a proprietary browser's developers? Even assuming the developers make the decision instead of the marketers?
  • by ILuvRamen (1026668) on Sunday December 10, 2006 @03:48PM (#17186538)
    why the hell don't the cops show up at the company's door, break it down, and arrest everyone responsible and make sure CNN news crews are there to record it and make a story out of it. Then maybe these stupid, evil marketing people will stop thinking they can get away with it! It's called illegal for a reason. If they can arrest a guy for putting a distributed processing screensaver on school computers, they can arrest marketing execs!
    • by Jerry (6400)
      Exactly!

      How is what these scum are doing any different from a thief photographing the contents of letters in your mailbox?

      None that I can see.
    • by interiot (50685)

      I don't think Ford, Microsoft, etc. would do business with them if what they did was really obviously illegal. Also, if taken to court or whatnot, they'd probably say that most users agreed to their EULA [opinionsquare.com], which says things like:

      Once you install our application, it monitors all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, compl

    • by davidsyes (765062)
      Sure they can. But then the/that local police chief won't make mayor. See, the marketing lobby will lobby the living shit out of the local police union to NOT give their votes to that chief. Maybe even a few lawyers/pro tems and the DA might get recalled or not re-elected if they signed off on the city breaking down the door of these evil marketing execs. The word EVIL exists for a REASON, ye know?

      I feel how you feel. Maybe what we end users need is a hella intense honey net with our OWN real-time MITMA to
    • by mpe (36238)
      why the hell don't the cops show up at the company's door, break it down, and arrest everyone responsible and make sure CNN news crews are there to record it and make a story out of it. Then maybe these stupid, evil marketing people will stop thinking they can get away with it! It's called illegal for a reason.

      The police department which actually does this would arrive by helicoptor and have a nickname of "The Flying Pigs"...
  • Screenshots? (Score:5, Interesting)

    by slashkitty (21637) on Sunday December 10, 2006 @03:56PM (#17186594) Homepage
    The submitter claims the software takes screenshots of every page the users visit.

    This isn't what the actual article says. It says "virtual photos". Most likely is that it's just collecting URLs.. and maybe the contents of the page.. There would be no reason to do screenshots... It would make things much more difficult to analyze.

    • Re:Screenshots? (Score:5, Informative)

      by interiot (50685) on Sunday December 10, 2006 @04:05PM (#17186650) Homepage
      The installed software re-routes all of your internet traffic [stanford.edu] through comScore's proxy servers. In most cases, they're probably just monitoring the URL's you visit, but they also check check more specific information in some cases... they say they verify the user's demographics (name, address, it sounds like purchases are tracked as well), and depending on what they're doing research on at the time, they sometimes track P2P activity, audio streaming activity, instant messaging statistics, etc.
      • by slashkitty (21637)
        If it's just a proxy, it's not even going to be able to see your https post data (just the URLS you're going to). There is a big difference between credit card, bank account numbers and just the URLs you're going to.
        • Re:Screenshots? (Score:5, Informative)

          by interiot (50685) on Sunday December 10, 2006 @04:58PM (#17186998) Homepage

          From TFA:

          While ordinarily an HTTPS connection would simply pass through a proxy securely, in this case MarketScore also installs a new root certificate in your browser so that it can decrypt all intercepted SSL connections (a "man-in-the-middle" attack) without triggering a security warning from the browser. In normal operation, browsers would complain if a site certificate doesn't match the domain of the URL, but the new root certificate tells the browser to trust ComScore's site certificate for any URL.
          • by statusbar (314703)
            So once this software is installed, that 'little padlock' in the web browser that says to everyone that the connection is secure is lying.

            --jeffk++
    • by Otter (3800)
      This isn't what the actual article says.

      For that matter, the title "Market Research Company Secretly Installs Spyware" is completely wrong. Even the researchers aren't suggesting comScore* is actively involved in anything illegal, just that they're indiscriminate about what kind of scum they use as distributors.

      * I was going to ridicule the submitter/editor but they actually got the company's name right, while Forbes is wrong...

      • by slashkitty (21637)
        I think the article is suggesting that by letting 3rd party vendors distrubute their software, they are opening themselves and the users to all sorts of trouble.
  • by canuck57 (662392) on Sunday December 10, 2006 @03:59PM (#17186620)

    So what good is the Computer Fraud and Abuse Title Act 18 Section 1030 if the FBI will not enforce it?

    • by Threni (635302) on Sunday December 10, 2006 @04:28PM (#17186770)
      > So what good is the Computer Fraud and Abuse Title Act 18 Section 1030 if the FBI will not enforce
      > it?

      It would also appear to break the UK's Interception Of Communications Act 1988.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        And the UK Computer Misuse Act 1990.

        But the authorities won't do anything without a complaint. So if you find this software on your computer then make a complaint to the police. Otherwise nothing will happen.

    • by TubeSteak (669689)
      Question: So what good is [Some law passed by Congress] if the FBI will not enforce it?

      Answer: It makes Congress look good. The can go home & tell their constituents "look what wonderful law I voted for".

      In reality, it takes either some Attorney General makes a stink over it, or some high profile mishap lights a fire under their asses.
    • Oh, they enforce it alright. Just not against people who actually cause harm (the people who the law is SUPPOSED to punish)...
    • by mpe (36238)
      So what good is the Computer Fraud and Abuse Title Act 18 Section 1030 if the FBI will not enforce it?

      They probably do enforce it, just in a highly selective and political way.
  • They have to install it on the computers of people who don't agree to it, because if they only monitored people who agreed to it, it would skew their results, because they'd be using self-selected samples! Think of the marketers!
  • Skew them ! (Score:3, Insightful)

    by Anonymous Coward on Sunday December 10, 2006 @04:31PM (#17186796)
    Download their software onto a 'tame' computer, and use it to browse 'interesting' sites.

    Who would have thought that people who regularly view Ford's web site also like Goats ?

  • by erroneus (253617) on Sunday December 10, 2006 @04:41PM (#17186874) Homepage
    I hope that some group or someone special takes the lead on this and not only goes after civil penalties but criminal penalties as well. I was to see someone in control of these decision sent to prison for their decisions to make this happen. I ALSO want to see the programmers and implementers of the methods used here sent to prison for their misdeeds.

    I think there is a point that needs to be driven home into our culture that it's NOT okay to do anything for money. Because I believe that at some level we all somehow forgive these people for their tresspasses because their motivation was for profit... and we all understand the need for profit right? No, there are limits to what is acceptable behavior with a profit motive and like HP's spying (which arguably wasn't directly a profit motive but performed by a profit seeking competitive organization) we should not simply dismiss this as yet another "white collar crime" and move on. If people felt like they were risking more than a few hundred thousand of their millions of dollars, they just might think twice before ordering these things be done.
  • Client List (Score:5, Informative)

    by phantomcircuit (938963) on Sunday December 10, 2006 @05:17PM (#17187136) Homepage
    Corporations supporting comScore's actions
    • AOL
    • Best Buy
    • Borders
    • CareerBuilder.com
    • Clear Channel Communications
    • Columbia House
    • Digitas
    • Discover Financial Services
    • Eli Lilly and Company
    • Expedia
    • ESPN
    • Ford Motor Company
    • General Mills
    • Google
    • HP Home & Home Office Store
    • Hyatt Corporation
    • Interpublic Group
    • iVillage
    • Johnson and Johnson
    • Knight Ridder Digital
    • Mattel
    • Medscape (Web MD)
    • Mercado Libre
    • Microsoft
    • Monster Worldwide
    • NASDAQ
    • NAVTEQ
    • Nestlé USA
    • The Newspaper Association of America
    • New York Times Digital
    • Office Depot
    • OMD Digital
    • Orbitz
    • Pepsi
    • Procter and Gamble
    • Starcom IP
    • Terra Networks
    • Ticketmaster, LLC
    • T-Mobile
    • Tribune Interactive
    • Verizon
    • Viacom International
    • Washington Mutual
    • Yahoo!
    Retrieved from http://www.comscore.com/about/clients.asp [comscore.com]
    • That's the most useful information I've seen in all the posts under this article...time for some letters/emails informing their clients that I will be terminating my business with them if they can't tell me they won't be using this advertising firm any more. Whether it will hurt them or not I don't know, but it seems that I can't count on my government to do anything about people like this.
  • by The Hobo (783784) on Sunday December 10, 2006 @05:21PM (#17187156)
    I find it sort of funny that whenever I want to find a place to download the garbage mentioned in stories, I can't.. I can only remember Gator letting you go on their website to directly download what it is you wanted.

    (For those wondering, sometimes I feel like downloading things just so I can play with it if I wanted to, in a VM for example, where a snapshot can make everything go away)
    • by interiot (50685)
      Well, they're a market research company, so they're legitimately interested in avoiding self-selection bias. Anyway, opinionsquare.com and permissionresearch.com are two places you can download the software. In this case though, it's clear that self-selection bias isn't the only concern... they almost completely avoid mentioning their connection with comScore (though if you click on the WebTrust / Earnst&Youngthing in the bottom corner, and then click on "Audit Report and Management's Assertions", yo
  • They don't do it (Score:4, Insightful)

    by wytcld (179112) on Sunday December 10, 2006 @05:25PM (#17187180) Homepage
    They commission third parties to do it. That's plausible deniability.

    Enticing a third party to commit a crime should carry heavier penalties than doing the crime yourself. Especially when as in this case multiple third parties are enticed.

    And comShare is receiving stolen property - property stolen only because they offered to buy it. But do we need new law in this area to properly jail these fuckers?
  • by rudy_wayne (414635) on Sunday December 10, 2006 @05:31PM (#17187216)
    from the article:
    "Two years ago, university IT managers busted comScore for tricking students into installing tracking software packaged with a free Web-accelerator program."

    Why are university students downloading a "Web-accelerator program"? Because they're too stupid to know that these programs are worthless bullshit. Once again, we see that the biggest problem is not viruses or "spyware" -- it's user stupidity.

    • Not always. I've never used any of the latest generation, but way back in my dial-up days, I used to have a web accelerator that actually provided some benefit. What it did was skim a webpage for links, and load those links up in the cache, so when I clicked on one, I got an instant response from the cache rather than having to wait for my connection to do the work. It took advantage of the fact that when browsing the web, your modem was generally idle while you were reading. These days, with broadband redu
  • If comScore isn't being devious or underhanded, why don't they have a clear install/operation routine that warns you every time you fire up a web-browser session?

    All it would take is a box, perhaps giving you an opt-out for that session or simply just recording URLs. This would still provide accurate and interesting data. Especially in the latter.

    Then the marketing droids would see which kinds of information people didn't want them to track.

    I'm guessing they chose the spyware/malware route (which I se

  • by Mr Europe (657225) on Monday December 11, 2006 @03:13AM (#17191528)
    Don't be alarmed ! It affects only Windows.

    We Linux users are safe.

"If I do not want others to quote me, I do not speak." -- Phil Wayne

Working...