These days companies are using increasingly intrusive techniques to get hold of your details and snoop on your surfing habits. We show you how to hit back.
Chris Cain, Computeract!ve, 27 May 2004
How would you feel if a group of strangers started to follow you around, taking note of what you did, where you went, who you spoke to and what you said? Aside from being more than a little freaked out, most of us would be pretty annoyed. But similar things could be happening when you use the internet, thanks to software known as spyware.
Sometimes referred to as advertising-supported software or adware, spyware snoops on your surfing habits. The information it gathers is then used by companies to target you with tailored advertising, interrupt your online experience with annoying pop-up windows and bombard you with unwanted emails promoting products and services.
While most of us wouldn't worry too much about something that tracks the websites we use, other software spies can record far more personal information, such as passwords and credit card numbers. This is far more worrying, especially for anyone who likes to shop or bank online.
What is spyware?
Spyware can roughly be defined as software that gathers information about a user, usually without their knowledge or informed consent, and then passes this data to others. As with computer viruses it comes in various forms but, in contrast, much of what is commonly referred to as spyware is currently perfectly legal.
Perhaps the most basic type of tracking device is a web page cookie (a snippet of data held in a file on your PC) designed simply to alert its employers or serve up an ad whenever you visit a particular site or click on a certain link. Most internet sites use cookies to provide a more personal service. Some can't even function properly without placing at least a small marker on your machine.
Cookies are also used to store site passwords or subscription data, saving you from having to type in your name or email address every time you visit. There's no denying that this can be convenient, but a cookie that remembers your login details can give someone else access to your PC when you are away from your desk.
Other trackers are much more devious, recording personal information, such as your email address, as well as tracking your online activities. The kind of data collected may be information you wouldn't think twice about revealing in an online survey, but the fact that this software can install itself on your PC without your permission or knowledge is very annoying.
Interestingly, PC security expert Robert Schifreen at SecuritySavvy.com says users often unwittingly agree to this type of surveillance. "Most spyware is installed with permission because it's in the small print of the licence agreement that most people just click 'Yes' to without actually reading through all the text."
The data sent back to HQ doesn't always stop at the name of sites you visit or even email addresses and passwords. Some spies are so cheeky they log everything you type. By far the most famous of these so-called keyloggers is Magic Lantern, allegedly developed by the FBI to sniff out passwords as they are typed in.
Others may note the technical specification of your computer and even take screenshots of the applications being used on the host PC. In extreme cases, there are even 'voiceloggers' that can use your sound card to record what's going on around your PC if a microphone is attached. You might think the chances of this are slim but many notebooks have microphones built in.
A particularly nasty form of spyware is known as malware. Deliberately malicious, malware attempts to alter your system by installing other software, opening security loopholes, emailing messages to any address in your Outlook contacts book or uninstalling spyware-detection utilities. Some of these can bypass or configure a firewall so the software can hook up to the internet at any time.
Secret service
Aside from cookies that automatically install themselves on your PC when you visit a particular site, most spyware arrives on your machine either as an email attachment or hidden inside freeware and shareware packages. It can also come as part of a web browser plug-in, or even a commercial application.
Not everything that can be classed as spyware is up to no good though. Some of it is genuinely useful. For example, Microsoft Word remembers a list of the documents you've recently opened, while Internet Explorer keeps a history of the websites you visit to help you get back to them easily, and the Google browser plug-in keeps a record of searches. While these are obviously tracking your movements, this software serves a useful purpose and isn't something you need worry about unless you specifically want to cover your tracks.
Among the most common cookie-based adware is DoubleClick, which serves up adverts in your browser based on information gleaned from your surfing habits. The people behind DoubleClick claim their software doesn't use your name, email address or phone number when performing any of its duties. However, its attempts to pop up with ads for products or services that may interest you can still be incredibly annoying. And while the products advertised by DoubleClick are likely to be inoffensive, it's just as easy to pick up advertising cookies from seedier sites.
Typical carriers of adware include peer-to-peer file-sharing utilities such as Kazaa Media Desktop. Kazaa features software called Cydoor and GAIN (also known as Gator), which deliver ads to you based on the type of sites you visit. To be fair, Kazaa does mention this in its privacy policy and you can buy adware-free versions of many of the popular file-sharing tools. However, we suspect more people will simply download the free version without reading any of the small print.
Other utilities known to incorporate spyware extras include versions of the download utility Go!Zilla, the cursor graphic program CometCursor and the popular MP3 tool AudioGalaxy. In fact, one version of the latter allegedly contains nine different pieces of tracking software. While AudioGalaxy's privacy policy admits to recording information such as your IP address, browser type, cookie and page information, it also states that: "Some advertisers and affiliates may collect personally identifiable information when you access their links."
On a not-unrelated note, one application causing controversy at the moment is the online address book Plaxo. The brainchild of Sean Parker, co-founder of Napster, it allows its users to share their Outlook address books online. While many have fallen in love with the system and its ability to keep your contacts up to date, there's a debate over whether this kind of information gathering can be considered spyware. There's also some concern as to whether passing on other people's details may conflict with European data privacy laws. It will be interesting to see what happens with this one.
Blowing their cover
Given these threats to your privacy, how can you tell if there are spies on your system? Fortunately, there are some tell-tale signs. By far the most common complaint is a general system slowdown, especially when online, due to numerous spy programs running behind the scenes. Other indications include visiting a site and then receiving junk email or pop-ups about a seemingly related subject shortly afterwards, or your browser's home page suddenly changing.
One quick way to check for a tracking cookie, such as DoubleClick, is to look for it in your Cookies folder. If you're using Windows XP, you can locate this by double-clicking on the My Computer icon on your Desktop, double-clicking on the Local Disk (C:) icon and then double-clicking on the Documents and Folders folder. Open the folder labelled with your user name and there should be a folder called Cookies inside. If the DoubleClick cookie is there and you want to delete it, you can simply drag it into the Recycle Bin as you would any other file.
Of course, it's only possible to find and extract cookies manually if you know exactly what you're looking for. A far better way to detect spies is to use software designed to sniff them out, in much the same way as an antivirus package.
Prevention and cure
As with most ailments, prevention is better than cure. One way to stop cookie-based trackers from snooping on you is to manually opt-out of their services. Just as you might tick the box on a subscription form to say 'Don't email me about future promotions', you can choose to stop unwanted advertisements popping up in your browser. In the case of DoubleClick, this means visiting its Ad-Serving Cookie Opt-Out page and clicking on the 'Ad Cookie Opt-out' button. Doing this places an opt-out version of the cookie on your machine.
Finding the home of every ad-serving cookie would be a long and tedious task, but the good news is there is software that can help you. One such utility is Spybot Search and Destroy, which provides the web and email addresses you need to visit or send a message to in order to rid yourself of some of the major players. The list doesn't cover every service but it's somewhere to start.
Another way to minimise the risk is to familiarise yourself with the security settings in your browser, to make sure that only cookies for sites you trust are let onto your system. For example, in Internet Explorer you need to select Internet Options from the Tools menu and select the Privacy tab. From here you can set the level of privacy you want for your browser. In most cases the medium setting is fine, but those who want to block more types of cookie can select a higher level.
You can take things even further by choosing to allow or disable the cookies from individual sites. Be aware, though, that some sites won't function if you choose to block their cookies. Other software packages such as Norton Internet Security also offer privacy tools.
Perhaps the best way to stop spies infiltrating your system and track down any already installed is to use one of the previously mentioned spyware killers. There are plenty of them available and they are often free to download. Some are designed just to wipe out any intruders, while others have the ability to clear your PC and then immunise Windows against further attacks by setting what Microsoft refers to as 'kill bits' within the Registry. These bits prevent spies from latching on to your system.
For your eyes only
While good antivirus software and a firewall are essential items for regular internet users, it's clear that we should all take some further steps to protect our privacy online.
Advertising cookies that track the websites we visit aren't a concern for most of us, but anything that goes beyond this and allows personal data like Pins and passwords to be accessible is clearly a danger and must be avoided.
Even if there is a change in the law to make all these information gatherers illegal, in real terms it would be difficult to enforce, unlikely to stop their use, and potentially damaging to internet businesses and the way some popular - often free - packages work.
By following the guidelines we've outlined here and regularly sweeping your system for spies you can make sure you keep one step ahead and keep your PC private.
Spyware and the law
While many find the very idea of spyware offensive, its legal status is a grey and complex area.
Adware cookies that track your path across the web are perfectly legal, provided the companies that use them inform you of their purpose and give you the option to refuse them. That said, they don't have to do this before downloading the file to your machine.
When it comes to more personal data, such as email addresses, users must agree to it being captured. In addition, according to IT law specialist Struan Robertson of out-law.com: "It's unlawful to collect email addresses that identify a living individual for one purpose and then to use them for another, undisclosed purpose - such as selling an email list to spammers."
With IP addresses, the position is less clear. These can be used for some purposes without falling foul of the Data Protection Act. However, Robertson says: "Most spyware attempts to build a profile of an individual, and using the IP address for building that profile - whether it be shopping preferences or favoured news sites or whatever - will likely breach a key principle of the Act, where the business is established in the UK."
More devious devices, such as keyloggers and voiceloggers, are likely to fall foul of the Regulation of Investigatory Powers Act.
Spyware enjoys much more freedom in the US. However, the state of Utah has just caused controversy by voting in the Spyware Control Act. Under this, any software that reports your online actions, sends personal data to others, or serves ads without permission is prohibited. Microsoft, AOL, Google, Amazon, Yahoo and others have all complained that the definition used is too broad and could seriously restrict services and programs, including security and antivirus packages.
Spy catchers
As with viruses, spyware has caused such controversy that a number of software programmers have developed utilities to eliminate it. Such is the feeling surrounding the issue that many of these are either shareware or completely free.
Perhaps the most complete freeware tool is Spybot Search and Destroy. This not only sniffs out and removes any hidden fiends, it can also immunise your system against over 400 different spies. Regularly updated data files help keep you protected, and the package even supports over 30 languages.
Another favourite spy scanner is Ad-aware from LavaSoft, which you can download here. Now on version 6, this utility comes in both commercial and freeware versions. As with Spybot, Ad-aware can scan your system and remove a number of software sneaks including tracking cookies and spies lurking inside other programs. Other popular spy catchers to try out are X-Cleaner and SpyBlaster.
Thanks for this information. Very useful indeed.
ReplyDelete