Interesting People mailing list archives
IP: Real, Netscape/AOL, NetZip ~may~ be monitoring all browser-initiated file downloads
From: Dave Farber <farber () cis upenn edu>
Date: Sun, 16 Jul 2000 15:31:00 -0400
To: Dave Farber <farber () cis upenn edu>
From: Jeff.Hodges () stanford edu
Date: Sun, 16 Jul 2000 10:45:47 -0700

I've skimmed the stuff below and the key web page..

  http://grc.com/downloaders.htm

..and it certainly appears damning. But, Gibson isn't explicit on that page as to whether the link he clicked on to download the test file (from one of his own machines) was being materialized to him in a vanilla web page (this is what is being implied, seems to me), or somehow via the "Smart Download" functionality itself -- dunno how that might be set up, but it's a reasonable question to ask.

Anyways, if it is the former (yikes), then I'm also curious about what all other user actions are being monitored, plus his article doesn't analyze anything beyond the one (albeit significant) test case.

Personally, I'm not surprised this is occurring (sigh). I thought to myself at least a couple of years ago that it's just a matter of time before someone distributes retail not-just-business-site-focused software that surreptitiously communicates with others without end user knowledge, and I wondered when it would come to light. Well, between Richard Smith and Gibson, it's now apparently happening.

Note that in the IBM-based mainframe world, surreptitious monitoring of end-user behavior was an explicitly supported feature of the environment (OS/MVS in my personal experience), but was strictly confined to the workplace, plus there was (for most folks) no Internet connectivity over which to (surreptitiously or not) communicate this stuff to other organizations. I wonder if a portion of the rationalization for incorporating such monitoring facilities is something like "well, it's nothing new, been done for years, our license agreement doesn't preclude it (modulo the significant NetZip boo-boo that Gibson points out on the above-referenced page)"?
JeffH

------- Forwarded Message

To: JeffH <jeff.hodges () kingsmountain com>
From: "Steve Gibson's MailBot" <mailbot-elyzwrd4 () grc com>
Reply-To: "Steve Gibson's MailBot" <mailbot-elyzwrd4 () grc com>
Date: Sun, 16 Jul 2000 09:38:09 -0800
Subject: Steve Gibson's July/2000 News from GRC.COM ...

Hello JeffH,

_________________________________________________________________

The File Download Utilities from Real Networks, Netscape/AOL, and NetZip *ARE* Spying On Us!
_________________________________________________________________

Before I tell you about this latest threat to our privacy ... I MUST ASK YOU PLEASE not to reply directly to this eMail. This mailing is being sent to more than 325,000 people, so there is JUST NO WAY for us to read and answer individual questions. I have created two resources for you to use for follow up:

1. A comprehensive new page on my web site which discusses this threat at greater length and shows the detailed contents of a "spyware packet" as it was leaving a test machine of mine:

   File Downloaders: http://grc.com/downloaders.htm

2. A very active PUBLIC DISCUSSION FORUM which you are invited to use for asking questions and getting more information. Any standard Internet newsreader -- like those included in Internet Explorer and Netscape Navigator -- can be used to participate in the free discussion forums at grc.com. Just click the link below to launch your reader and begin participating ...

   The Newsletter Forum: news://grc.com/newsletter

   Or, if that doesn't work, you can access the forum through our web-based interface (though it is much less cool.)

   Web Discussion: http://grc.com/newsletter.htm

The SERIOUS New Spyware Threat ...

NetZip's "Download Demon" was purchased by Real Networks and renamed "Real Download". Then Netscape/AOL licensed it from Real and called it "Netscape Smart Download."
By watching the "packet traffic" flowing out of one of my machines while downloading a file through the Internet, I verified the rumors which you may have heard regarding these programs:

All of these programs immediately tag your computer with a unique ID, after which EVERY SINGLE FILE you download from ANYWHERE on the Internet (even places that might not be anyone else's business) is immediately reported back to the program's source, along with your machine's unique ID *and* its unique Internet IP address.

This information allows them to compile and create a detailed "profile" about who you are based upon the web sites you visit and the files you have downloaded.

Perhaps you don't mind being watched and tracked as you move around the Internet ... and having every file you download reported along with your unique ID and IP address. But the idea of this being done WITHOUT YOUR KNOWLEDGE, seems invasive to me in the extreme. And even if you carefully read the program's license, you might not be aware that this is going on or that "you agreed to it" when you accepted their terms!

More than 14 Million people are already using the original NetZip Download Demon. NetZip knows the exact number, since every copy of their program "phones home" to report on what their users are doing! And I'm sure people are downloading Real Networks' RealDownload and Netscape's SmartDownload like crazy.

A Class Action lawsuit was recently filed against Netscape/AOL because of this privacy invasion, so perhaps the PC industry will begin to receive the message that this sort of secret spying and profiling is not okay with the rest of us, even if it is buried within a lengthy license agreement. You decide.

And, of course, the next release of my own OptOut spyware detection and removal utility WILL consider these programs to be dangerous, and warn its users of their presence in their systems.
But I wanted to be sure that you knew RIGHT AWAY what was going on, and that I had independently confirmed that this invasive file download and trackability really was occurring.

Our web page has the FULL STORY, with plenty of background:

   File Downloaders: http://grc.com/downloaders.htm

And if you have questions or comments, please see ...

   The Newsletter Forum: news://grc.com/newsletter

... or ...

   Web Discussion: http://grc.com/newsletter.htm

_________________________________________________________________

Thank you for your time. I hope this has been useful to you.

Steve Gibson.

   GRC Website: http://grc.com/
________________________________________________________________

You may change your eMail address or remove yourself from this eMail system entirely, by visiting your personal page anytime:

   Update Info: http://grc.com/x/ne.dll?6elyzwrd46

------- End of Forwarded Message
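
Added example, not part of the original messages or of Gibson's page: one way to look for the reporting pattern described above in a proxy log, by flagging any host that is sent the URL of a download made from a different host and listing parameter values that repeat across those reports (a candidate unique ID). The hosts, parameter names and the assumption that the report travels as a cleartext query string are all constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of outbound request URLs in time order (not real captures);
# every host and parameter name here is hypothetical.
SAMPLE_REQUESTS = [
    "http://files.example.org/pub/tool-1.2.zip",
    "http://tracker.vendor.example/log?id=7F3A9C21"
    "&url=http%3A%2F%2Ffiles.example.org%2Fpub%2Ftool-1.2.zip",
    "http://mirror.example.net/docs/manual.pdf",
    "http://tracker.vendor.example/log?id=7F3A9C21"
    "&url=http%3A%2F%2Fmirror.example.net%2Fdocs%2Fmanual.pdf",
    "http://www.example.com/search?q=manual.pdf",
]


def find_download_reporting(requests):
    """Map each reporting host to the download URLs it was sent and to the
    parameters whose value was identical in every one of those reports."""
    seen = set()                  # URLs already requested by this client
    reports = defaultdict(list)   # host -> [(reported_url, other_params)]
    for raw in requests:
        parts = urlsplit(raw)
        params = parse_qsl(parts.query)   # percent-decodes the values
        for name, value in params:
            # A parameter that repeats an earlier request URL, sent to a
            # different host than the one that served it, is a report.
            if value in seen and urlsplit(value).hostname != parts.hostname:
                others = {(n, v) for n, v in params if n != name}
                reports[parts.hostname].append((value, others))
        seen.add(raw)

    findings = {}
    for host, items in reports.items():
        # Repetition needs at least two reports before a value counts as stable.
        stable = set.intersection(*(o for _, o in items)) if len(items) > 1 else set()
        findings[host] = {
            "reported": [url for url, _ in items],
            "stable_params": dict(stable),
        }
    return findings


if __name__ == "__main__":
    for host, info in find_download_reporting(SAMPLE_REQUESTS).items():
        print(host, info)
```

A report sent before the download request, or over an encrypted or binary channel, would not be caught by this check; it only covers the cleartext case assumed here.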