A SERIOUS New Spyware Threat ... from the July 2000 Actrix Newsletter

by Rob Zorn

Gibson Research Corporation The following was sent in to me by Milton Cain,  a regular commenter, character, and recipient of newsletters from the Gibson Research Corporation, an Internet team led by Steve Gibson who freely advises net-users on security concerns. People concerned about net-security should regularly stop by his page or consider subscribing to his newsletters
I have reproduced the following from the GRC newsletter in full. If you would like to read about Steve Gibson's disturbing interaction with the people at Real Networks, click here: http://grc.com/downloaders.htm

Next month I hope to run a small article on the GRC's OptOut program, that finds and eliminates advertising spyware on your machine. Think you don't have any? I think you would be surprised. Just wait and see... -Ed

-------------------------------------------------------

The NetZip, Netscape/AOL, and Real Networks Download Utilities *ARE* Spying On Us!

NetZip's "Download Demon" was purchased by Real Networks and renamed "Real Download". Then Netscape/AOL licensed it from Real and called it "Netscape Smart Download."

By watching the "packet traffic" flowing in and out of one of my machines while downloading a file through the Internet, I verified the rumors which you may have heard regarding these programs: All of these programs immediately tag your computer with a unique ID, after which EVERY SINGLE FILE you download from ANYWHERE on the Internet (even places that might not be anyone else's business) is immediately reported back to the program's source where it is logged and recorded along with your machine's unique ID. They also have the opportunity to capture and record your machine's unique Internet IP address.

This information is then compiled and used to create a detailed "profile" about who you are based upon the web sites you visit and the files you have downloaded.

Perhaps you don't mind being watched and tracked as you move around the Internet ... and then having every file you download logged and cataloged and used to assemble "your profile". But the idea of this seems extremely invasive to me, and unless you have carefully read the program's license you might not be aware that this is going on or that "you agreed to it" when you accepted the terms of the license!

More than 14 Million people are already using the original NetZip Download Demon. NetZip knows the exact number, since every copy of their program "phones home" to report on what their users are doing! And I'm sure people are downloading Real Network's RealDownload and Netscape's SmartDownload like crazy.

A Class Action lawsuit was recently filed against Netscape/AOL because of this privacy invasion, so perhaps the PC industry will begin to receive the message that this sort of secret spying and profiling is not okay with the rest of us, even if it is buried within a lengthy license agreement. You decide.

And, of course, the next release of my own OptOut spyware detection and removal utility WILL consider these programs to be dangerous, and warn its users of their presence in their systems. But I wanted to be sure that you knew RIGHT AWAY what was going on, and that I had independently confirmed that this invasive file download tracking really was occurring.

If you have questions or comments, please see The Newsletter Forum.