Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

When is spyware not spyware – considering the scandal around movieworld.com and related sites

August 15th 2006 in Uncategorized

It has been reported at atg.wa.gov.au that Attorney General McKenna has sued Movieland.com and Associates for what it calls “spyware”:
http://www.atg.wa.gov/releases/2006/rel_Movieland_Spyware_Lawsuit_081406.html


The full complaint, complete with screenshots, can be read here:
http://www.atg.wa.gov/releases/2006/Documents/MovielandComplaint8-14-06.pdf


Now, I must say at the outset, that the behavior exhibited by the software being distributed by Digital Enterprises (trading as Movieland.com; Alchemy Communications, of Los Angeles; AccessMedia Networks, of Los Angeles; and Innovative Networks, of Woodland Hills) is right up there with the worst that I have ever seen.  At best it can be called “nagware”, it is most certainly “malware” and it is teetering on the edge of being labellable as a “Trojan”, but I don’t think we can label it “spyware”.


Just like the term “zero day exploit” is often misused, the label “spyware” is used at times when it should not be.


Let’s look at what the lawsuit is about, and what the software in question does:


1.       Three days “free” access to members-only content on sites including movieland.com, moviepass.tv and popcorn.net is offered to Web surfers via pop-up advertisements.


2.       If the offer is accepted, the Web surfer must download software to take advantage of the three days of “free” access with the software variously being known as “MediaPipe”, “FileGrabber” or “Media Assistant”.


3.       After the three free days expire, new “billing” software is apparently downloaded that generates pop-up windows (and videos) that warn the user that their three day access has expired and that they must now purchase membership because they had not stopped using the access software.  The pop-ups display the user’s IP address and customer ID, as well as the time and date of installation of the trial software (this, let me say now, does not make the “billing” software “spyware”).


4.       Although users are warned when they install the original access software that they will receive “payment reminders”, they are not told what these reminders are, or how disruptive they will be.


5.       The pop-ups appear every hour, starting when the user accesses the internet.


6.       The initial pop up is large, obscuring much of the available screen real estate, and is not easy to close – the only action a user can easily take is to click on a “Continue” button which launches a 40 second long video alleging that because the user has not cancelled their “free” access, they are now legally obligated to purchase membership.  Again, the video is not easily closed.


7.       There is no opportunity to decline membership and remove the access software after the three day free access period expires.


8.       Although an entry appears in Add/Remove Programs, the entry does no more than redirect the user to a payment page.  It seems from my reading of the original complaint that the entry in Add/Remove Programs only exhibits this behavior *after* the three days of free access has expired.  I assume that before the three days expire the access software can be removed successfully.  This could be a very important point in the legal fight to come.


The actions of Digital Enterprises, Alchemy Communications, AccessMedia Networks and Innovative Networks are unethical, unconscionable and possibly illegal, but is their software “spyware”?


The complaint lodged by the State of Washington alleges on page 19 that the software in question is “spyware” because it “places files on the user’s computer which send repeated, harassing notices that interfer with use of the computer; prevent the user from uninstalling the offending files; and if, in fact, if the files are uninstalled (sic), leaves parts of Defendants’ software on the user’s computer”.


Unfortunately for the State of Washington, Rob McKenna and Paula Selis, the behavior listed does not make the software “spyware”.  The behavior is unfair, deceptive, antisocial, hostile, unethical and possibly in contravention of various laws, but it does not make the software spyware.


The purest, traditional, interpretation of “spyware” is software that watches what users do with their computer and then sends that information over the internet.  Let me emphasise, though, that if your software phones home to report that your user licence has expired, and you are thereafter denied access to updates, that is not “spying”.  That is a developer or company ensuring that users are only receiving benefits to which they are entitled.


I’ve been fighting spyware/malware/adware/foistware/betrayware/stealware (pick your name) since Year 2000 and I admit to being a bit of a traditionalist when it comes to the terminology applied to various types of malware.  Over time the meaning of spyware has, unfortunately, been expanded to encompass software that is designed to intercept or take partial control of a computer’s operation without the informed consent of that machine’s owner or legitimate user, or subvert the computer’s operation for the benefit of a third party (cite: Wikipedia.org; http://en.wikipedia.org/wiki/Spyware).  Although commonplace, such an interpretation is not correct.  Such software is rightly labeled “malware” (software that is designed to infiltrate or damage a computer system, without the owner’s informed consent; cite: http://en.wikipedia.org/wiki/Malware).


Now, it could be said that the Digital Enterprises software is “watching” users, but then we start getting into difficulty regarding the interpretation of “watching”.  A programmatic time-bomb that is written to download and install payment software after a certain period of time has elapsed is not “watching” in the sense meant by those who originally coined the term “spyware” as it pertains to malevolent software.


It is important that we be clear, and consistent, when we attach labels to malevolent software.  Users are being confused.  The popular press are not doing us any favours by going for the zing that comes with accusing a big name of spreading “spyware”.  “Malware” just doesn’t have the same ring to it.


3 comments to...
“When is spyware not spyware – considering the scandal around movieworld.com and related sites”

Kristin Alexander

Hello Sandi. I read your blog entry with interest and wanted to add an additional perspective.

While “spyware” may have a meaning to some computer users based on common usage, it also has a very specific meaning under Washington’s Computer Spyware Act. In determining whether particular software constitutes “spyware” for purposes of violating Washington’s statute, a court looks not to common usage of the term, but rather to how the term is defined in the law.

Washington’s Computer Spyware Act includes a provision making it unlawful for a person to “take control of a computer by a) accessing or using the modem or internet service for such computer to cause damage to the computer; b) Opening multiple, sequential, stand-alone advertisements in the owner or operator’s internet browser without the authorization of an owner or operator and that a reasonable computer user cannot close without turning off the computer or closing the internet browser.”

Washington’s lawsuit against Movieland, et al. alleges that the defendants’ Internet-based software takes control of the user’s computer by means of pop-up videos that disable its functionality, and thus, under the provisions of the Washington law, constitutes “spyware” as that term is defined.

Washington’s Computer Spyware Act also makes it unlawful for a person to misrepresent that sofware will be uninstalled or disabled by a user’s action. RCW 19.270.020(4). The state’s lawsuit alleges that the defendants misrepresent that their software can be uninstalled using the “Add/Remove” function, when in fact, the user is redirected to their Web site when an attempt to remove the software is made.

While this practice may or may not be included as part of the commonly understood meaning of “spyware,” it is prohibited by Washington’s Computer Spyware Act, and for purposes of legal analysis by a court, constitutes a form of “spyware.”

Sincerely,

Kristin Alexander
Public Information Officer
Washington State Attorney General’s Office



Kristin Alexander

Slight edits to what I just you…KA

Hello Sandi. I read your blog entry with interest and wanted to add an additional perspective.

While “spyware” may have a meaning to some computer users based on common usage, it also has a very specific meaning under Washington’s Computer Spyware Act. In determining whether particular software constitutes “spyware” for purposes of violating Washington’s statute, a court looks not to common usage of the term, but rather to how the term is defined in the law.

Washington’s Computer Spyware Act includes a provision making it unlawful for a person to “take control of a computer by accessing or using the modem or internet service for such computer to cause damage to the computer.”

Washington’s lawsuit against Movieland, et al. alleges that the defendants’ Internet-based software takes control of the user’s computer by means of pop-up videos that disable its functionality, and thus, under the provisions of the Washington law, constitutes “spyware” as that term is defined.

Washington’s Computer Spyware Act also makes it unlawful for a person to misrepresent that sofware will be uninstalled or disabled by a user’s action. RCW 19.270.020(4). The state’s lawsuit alleges that the defendants misrepresent that their software can be uninstalled using the “Add/Remove” function, when in fact, the user is redirected to their Web site when an attempt to remove the software is made.

While this practice may or may not be included as part of the commonly understood meaning of “spyware,” it is prohibited by Washington’s Computer Spyware Act, and for purposes of legal analysis by a court, constitutes a form of “spyware.”

Sincerely,

Kristin Alexander
Public Information Officer
Washington State Attorney General’s Office



alunj

And then there is the philological discussion about what spyware means to the average user.
Put simply, it means “I didn’t intend for my machine to send that information to that recipient”.
Clearly, that’s a very broad definition, and the authors of both spyware defence programs and spyware legislation cannot work with that sort of vaguary, but must come up with strict definitions that broadly cover most of the definition desired by the user.
There are other definitions, of course. “I didn’t want to see these adverts” is a common one – but if the adware pool hadn’t been poisoned so early and so well, I think that adware would have been a great way to fund developers.
“I don’t want to tell anyone who I am” is another definition – but again, if the developer insists on it, and is up-front and honest, your recourse is only to stop using the software.


Sometimes IE7 will be stuck at the Welcome page (http://runonce.msn.com/runonce2.aspx ) that appears the first time IE7 is run.  Attempts to revert to the normal home page may fail:Some possible causes of this problem are:1)  The Welcome page does not load completely for whatever reason.2)  Scripting has been disabled (note: blocking ActiveX does not cause […]

Previous Entry

That’s right folks. Jesper will be presenting in Japan at TechEd.
http://blogs.technet.com/jesper_johansson/archive/2006/08/16/447195.aspx

Next Entry

Archives