Market Research Company Secretly Installs Spyware

An anonymous reader writes "Forbes reports that two security experts are raising new questions about comScore, claiming that company's tracking software is being installed without consent on an unknown number of computers. The widely-used online research company takes screenshots of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. ComScore then aggregates the information into market analysis for its clients, which include such large companies as Ford Motor, Microsoft and The New York Times Co." From the article: "'[The] software is sneaking onto users' computers without the user agreeing to receive it,' says Harvard University researcher Ben Edelman, who documented at least ten unauthorized comScore downloads. Eric Howes, director of malware research at antivirus company Sunbelt Software, and his researchers separately observed hundreds of unauthorized comScore downloads in a three-month period this fall."

Intercepts https://

[interiot]

The thing that really gets me is that their monitoring software installs a root certificate in the user's browser so that they can do a "man in the middle" attack to https:/// [https] connections at their proxy servers. In many cases, comScore gets permission from end users to do this, but I don't think many users really realize how much information they're exposing by doing this. Most obvious is bank passwords, etc, but comScore says they don't monitor those. comScore DOES however say that they verify their user's name, address, income, etc., which I'd imagine most users wouldn't actually agree to if they were fully informed.

this is what they should do!

[ILuvRamen]

why the hell don't the cops show up at the company's door, break it down, and arrest everyone responsible and make sure CNN news crews are there to record it and make a story out of it. Then maybe these stupid, evil marketing people will stop thinking they can get away with it! It's called illegal for a reason. If they can arrest a guy for putting a distributed processing screensaver on school computers, they can arrest marketing execs!

Screenshots?

[slashkitty]

The submitter claims the software takes screenshots of every page the users visit.

This isn't what the actual article says. It says "virtual photos". Most likely is that it's just collecting URLs.. and maybe the contents of the page.. There would be no reason to do screenshots... It would make things much more difficult to analyze.

Do you have to deal with the problems?

[Colin Smith]

Yawn? Don't plug into the net? What arrogant uncaring tripe. What kind of jackass gives that sort of a response? Oh, right, an OS snob

Actually it's the sort of response that you get from someone who's constantly asked to fix computers that are repeatedly infested with viruses, spyware and other malware.

Maybe you're 12 and your time's worthless. Mine isn't and I now charge $$$ to fix computers. You don't want to pay? YeeHaw! Go away, fix it yourself then, or find some rather dim student who has nothing better to do.

People have the right to privacy and surf the net unmolested, no matter the OS they use.

Awww, how sweet. Welcome to the real world, not the idealised socialist one you have in your head.
 

Re:Win-win-win solution

[Steve B]

One important point is that spam is about the perfect method of communicating "go-codes" to terrorist cells -- it's trivial to encode a message in the anti-filtering gibberish attached to most spam, and the indiscriminate broadcast completely negates traffic analysis.

Re:I can't find the repository

[flyneye]

Is it necessarily a winblows problem or a browser plug-in/extention problem?

Availability of garbage

[The Hobo]

I find it sort of funny that whenever I want to find a place to download the garbage mentioned in stories, I can't.. I can only remember Gator letting you go on their website to directly download what it is you wanted.

(For those wondering, sometimes I feel like downloading things just so I can play with it if I wanted to, in a VM for example, where a snapshot can make everything go away)

Why doesn't it inform you?

[Christopher_Edwardz]

If comScore isn't being devious or underhanded, why don't they have a clear install/operation routine that warns you every time you fire up a web-browser session?

All it would take is a box, perhaps giving you an opt-out for that session or simply just recording URLs. This would still provide accurate and interesting data. Especially in the latter.

Then the marketing droids would see which kinds of information people didn't want them to track.

I'm guessing they chose the spyware/malware route (which I see this software as) because they realized the obvious: who, in their right minds, would allow all their web surfing habits to go to someone else?

Additionally, how long do you think it is going to take for someone to alter the URL/IP in the software to send that data to another proxy? How long would it take any non-very-technical user to figure out this had been done?

Re:More examples of software Mac users don't have

[Technician]

Yet another reason to own a Mac.

Snob.. Own a Mac.

Sensible about security.. Own a non-Windows computer.

Smile :-)

Re:Well?

[TheLink]

Well that applied to the Sony rootkit thing too. So what happened?

In contrast that silly UK guy is going to get deported to the US because he was looking for UFOs by getting into US Gov machines without permission.