IP: Real, Netscape/AOL, NetZip ~may~ be monitoring all browser-initiated file downloads

[Dave Farber <farber () cis upenn edu>]

> To: Dave Farber <farber () cis upenn edu>
> From: Jeff.Hodges () stanford edu
> Date: Sun, 16 Jul 2000 10:45:47 -0700
>
> I've skimmed the stuff below and the key web page..
>
>   http://grc.com/downloaders.htm
>
> ..and it certainly appears damning. But, Gibson isn't explicit on that 
> page as
> to whether the link he clicked on to download the test file (from one of his
> own machines) was being materialized to him in a vanilla web page (this is
> what is being implied, seems to me), or somehow via the "Smart Download"
> functionality itself -- dunno how that might be set up, but it's a reasonable
> question to ask. Anyways, if it is the former (yikes), then I'm also curious
> about what all other user actions are being monitored, plus his article
> doesn't analyze anything beyond the one (albeit significant) test case.
>
> Personally, I'm not surprised this is occurring (sigh). I thought to 
> myself at
> least a couple of years ago that it's just a matter of time before someone
> distributes retail not-just-business-site-focused software that
> surreptitiously communicates with others without end user knowledge, and I
> wondered when it would come to light. Well, between Richard Smith and Gibson,
> it's now apparently happening. Note that in the IBM-based mainframe world,
> surreptitious monitoring of end-user behavior was an explicitly supported
> feature of the environment (OS/MVS in my personal experience), but was
> strictly confined to the workplace, plus there was (for most folks) no
> Internet connectivity over which to (surreptitiously or not) communicate this
> stuff to other organizations. I wonder if a portion of the rationalization 
> for
> incorporating such monitoring facilities is something like "well, it's 
> nothing
> new, been done for years, our license agreement doesn't preclude it (modulo
> the significant NetZip boo-boo that Gibson points out on the above-referenced
> page)?
>
>
> JeffH
>
> ------- Forwarded Message
>
> To: JeffH <jeff.hodges () kingsmountain com>
> From: "Steve Gibson's MailBot" <mailbot-elyzwrd4 () grc com>
> Reply-To: "Steve Gibson's MailBot" <mailbot-elyzwrd4 () grc com>
> Date: Sun, 16 Jul 2000 09:38:09 -0800
> Subject: Steve Gibson's July/2000 News from GRC.COM ...
>
> Hello JeffH,
>
> _________________________________________________________________
>
>           The File Download Utilities from Real Networks,
>            Netscape/AOL, and NetZip *ARE* Spying On Us!
> _________________________________________________________________
>
>
> Before I tell you about this latest threat to our privacy ...
>
>   I MUST ASK YOU PLEASE not to reply directly to this eMail. This
>   mailing is being sent to more than 325,000 people, so there is
>   JUST NO WAY for us to read and answer individual questions.
>
>   I have created two resources for you to use for follow up:
>
>   1. A comprehensive new page on my web site which discusses this
>      threat at greater length and shows the detailed contents of
>      a "spyware packet" as it was leaving a test machine of mine:
>
>   http://grc.com/downloaders.htm"; >File Downloaders
>
>   2. A very active PUBLIC DISCUSSION FORUM which you are invited
>      to use for asking questions and getting more information.
>      Any standard Internet newsreader -- like those included in
>      Internet Explorer and Netscape Navigator -- can be used to
>      participate in the free discussion forums at grc.com. Just
>      click the link below to launch your reader and begin
>      participating ...
>
>   news://grc.com/newsletter"; >The Newsletter Forum
>
>      Or, if that doesn't work, you can access the forum through
>      our web-based interface (though it is much less cool.)
>
>   http://grc.com/newsletter.htm"; >Web Discussion
>
>
> The SERIOUS New Spyware Threat ...
>
>   NetZip's "Download Demon" was purchased by Real Networks and
>   renamed "Real Download". then Netscape/AOL licensed it from
>   Real and called it "Netscape Smart Download."
>
>   By watching the "packet traffic" flowing out of one of my
>   machines while downloading a file through the Internet, I
>   verified the rumors which you may have heard regarding these
>   programs: All of these programs immediately tag your computer
>   with a unique ID, after which EVERY SINGLE FILE you download
>   from ANYWHERE on the Internet (even places that might not be
>   anyone else's business) is immediately reported back to the
>   program's source, along with your machine's unique ID *and*
>   its unique Internet IP address.
>
>      This information allows them to compile and create
>      a detailed "profile" about who you are based upon the
>      web sites you visit and the files you have downloaded.
>
>   Perhaps you don't mind being watched and tracked as you move
>   around the Internet ... and having every file you download
>   reported along with your unique ID and IP address.  But the
>   idea of this being done WIHTOUT YOUR KNOWLEDGE, seems invasive
>   to me in the extreme. And even if you carefully read the
>   program's license, you might not be aware that this is going
>   on or that "you agreed to it" when you accepted their terms!
>
>   More than 14 Million people are already using the original
>   NetZip Download Demon. NetZip knows the exact number, since
>   every copy of their program "phones home" to report on what
>   their users are doing! And I'm sure people are downloading Real
>   Network's ReadDownload and Netscape's SmartDownload like crazy.
>
>   A Class Action lawsuit was recently filed against Netscape/AOL
>   because of this privacy invasion, so perhaps the PC industry
>   will begin to receive the message that this sort of secret
>   spying and profiling is not okay with the rest of us, even if
>   it is buried within a lengthy license agreement. You decide.
>
>   And, of course, the next release of my own OptOut spyware
>   detection and removal utility WILL consider these programs to
>   be dangerous, and warn its users of their presence in their
>   systems. But I wanted to be sure that you knew RIGHT AWAY what
>   was going on, and that I had independently confirmed that this
>   invasive file download and trackability really was occurring.
>
>   Our web page has the FULL STORY, with plenty of background:
>
>   http://grc.com/downloaders.htm"; >File Downloaders
>
>   And if you have questions or comments, please see ...
>
>   news://grc.com/newsletter"; >The Newsletter Forum
>
>   ... or ...
>
>   http://grc.com/newsletter.htm"; >Web Discussion
>
> _________________________________________________________________
>
> Thank you for your time. I hope this has been useful to you.
>
> Steve Gibson.         http://grc.com/"; >GRC Website
>
> ________________________________________________________________
> You may change your eMail address or remove yourself from this
> eMail system entirely, by visiting your personal page anytime:
> http://grc.com/x/ne.dll?6elyzwrd46"; >Update Info
>
> ------- End of Forwarded Message