Spyware and closely related phenomena
Date: 2005-04-08
Report number: PTS-ER-2005:15
ISSN: 1650-9862
Post- och telestyrelsen

Table of contents

Summary ..... 3
1 Background – PTS’s work within the privacy field ..... 5
1.1 The aim of the report and the role of PTS ..... 5
2 Codes that violate privacy – concepts in this report ..... 7
3 Spyware and closely related phenomena ..... 9
3.1 What is spyware? ..... 9
3.2 Programs with an advertising and marketing function ..... 10
3.3 Programs with an information compilation function ..... 11
3.4 Programs with remote access and monitoring functions ..... 13
3.5 The purpose of various forms of spyware in general ..... 14
4 Installation methods, how is the user infected? ..... 17
4.1 Accompanying programs ..... 17
4.2 Plug-in programs in the web browser ..... 17
4.3 Trojans ..... 17
4.4 ActiveX ..... 18
5 How does spyware affect the user? ..... 19
5.1 Spyware – links to viruses and other malicious codes ..... 19
6 How can users protect themselves? ..... 21
6.1 Antivirus programs ..... 21
6.2 Firewalls ..... 21
6.3 Anti-spyware ..... 21
6.4 General caution on the Internet ..... 21
7 What is the legal position? ..... 23
7.1 Introduction ..... 23
7.2 The provisions of EkomL on cookies, etc. ..... 23
7.3 Further details on the provision on cookies, etc. and its applicability to spyware ..... 26
7.4 Prohibition against wiretapping ..... 30
7.5 Criminal law provisions ..... 31
7.6 Other integrity-related legislation ..... 33
7.7 Some problems (providing information, etc.) ..... 34
Appendix
Appendix 1 – Case studies ..... 35

Summary

In pace with society continuing to develop into an information society, where large sections of both business and government are to varying degrees dependent upon computers and communications networks, an increasing dependence arises on these computers and networks operating and being secure. For many years viruses and other harmful codes have constituted a much noted threat to such functions. However, there are also programs and technical systems that in ways other than by pure destruction may constitute a threat to both the functionality of the communications networks and the trust and confidence which users have in their use. This report is concerned with a group of such programs that in various ways may constitute a threat in the form of functions that violate privacy, everything from the more harmless storage of menu choices in cookie files to the actual kidnapping of entire networks of computers.
The programs and their functions can in individual cases entail serious violations of privacy for the individual user, but may also in a broader perspective constitute a threat to public confidence in, and preparedness to utilise, electronic communications services. A further problem is that some of these programs enable malicious parties, via remotely controlled computers, to create platforms for further attacks of which the user is entirely unaware.

The aim of this report is primarily to describe the occurrence and functions of the programs that under a collective name can be called ‘spyware’. The report contains, first, simple descriptions of the various kinds of spyware programs that occur and, second, a review of the ways in which users may be adversely affected by them. There is also a section of an analytic nature regarding the particular problem of distinguishing programs that really are spyware and violate the privacy of the user from programs that can actually have beneficial aims and areas of use. Besides these descriptions, there is also a legal analysis of the legislation that PTS is obliged to apply and its application to spyware, and also a more general description of other legislation that may be of relevance to the field. The aim of the legal review is to express PTS’s opinion regarding the provisions of the Electronic Communications Act (EkomL) that can be used to counteract the potential threats to privacy that exist, and also to conduct a reasoned discussion concerning problems with real powers to exercise supervision.

The section regarding spyware is generally addressed to everyone who has an interest in knowing about these phenomena and who, on a less technically orientated level, wishes to obtain an overall awareness of their occurrence, potential threats and the possibilities of protecting oneself. The section regarding legal issues is mainly directed at lawyers or others who are interested in the legal issues that, primarily on the basis of EkomL, arise in conjunction with the occurrence of spyware. Finally, an Appendix has been compiled with some examples of spyware programs and how they are installed in authentic test situations on computers connected to networks and influence their functions.

1 Background – PTS’s work within the privacy field

PTS exercises supervision in accordance with the Electronic Communications Act (EkomL). The legislator has chosen to emphasise privacy issues in EkomL by introducing a special privacy chapter (Chapter 6) into the Act. Chapter 6, Section 18 of EkomL provides that:

“Electronic communications networks may be used to store or gain access to information that is stored in a subscriber’s or user’s terminal equipment only if the subscriber or user receives information from the personal data controller about the purpose of the processing and is given an opportunity to prevent such processing. This does not prevent such storage or access that is necessary to perform or facilitate the transmission of an electronic message via an electronic communications network or which is necessary to provide a service that the user or subscriber has expressly requested.”

When the Act was introduced in July 2003, this provision attracted great attention as it relates, among other things, to the use of so-called cookies that are deployed by many websites. PTS had received many complaints about websites that used cookies inappropriately or did not provide information about their use. Today there are few complaints and the general interest in the so-called ‘cookie provision’ has declined slightly.
However, this Section does not only regulate the use of cookies but also other kinds of software that are used to “store or gain access to information that is stored on a subscriber’s or user’s terminal equipment”, for example spyware. Spyware can gather more information about the user and can therefore violate privacy significantly more than the use of cookies. Today we have limited knowledge about how extensive the use of spyware is. PTS therefore considers that there is a great need to shed some light upon the use of spyware and closely related phenomena, and also upon the consequences that these can have for the privacy of users of electronic communications networks.

1.1 The aim of the report and the role of PTS

The aim of this report is to provide an overall description of technical and legal aspects of spyware and closely related phenomena. It is important to emphasise that the focus of the report lies exclusively within what one in general terms can describe as various forms of functions that can be deemed to be of a nature that violates privacy. Other forms of malicious or destructive software with spreading mechanisms, such as viruses and the like, are therefore not dealt with. For the sake of simplicity, those functions having a nature that potentially violates privacy have, as an overall concept, been termed ‘spyware’. However, it is appropriate here to point out that the aim is not to try to (re)define what is generally meant by this term, nor should the report be viewed as an exhaustive list of what may be deemed to constitute functions of a nature that violate privacy. As stated in the report, the purpose of these spyware programs is not always malicious; most forms of program are based on functions that can be used to assist the user and enhance functionality.

The report does not only include phenomena that lie within the operational area of PTS. The use of spyware and closely related phenomena constitutes a threat to confidence in electronic communications and is regulated in some cases by Chapter 6, Section 18 of the Electronic Communications Act (see the chapter “What is the legal position?”). In this part, the problem lies within the operational area of PTS. However, there are other aspects of the phenomena, for example improper or unethical marketing, combating crime and the processing of personal data, which lie within the operational fields of other authorities. Examples of other authorities who, besides PTS, have a role in the work with spyware and closely related phenomena include the Swedish Consumer Agency, the Police and the Data Inspection Board. PTS views this report as an introductory description of the current situation and considers it important that all authorities that have a responsibility within the field should collaborate in future work.

2 Codes that violate privacy – concepts in this report

The personal privacy of computer users can be violated in a number of ways. Personal privacy refers here to personal and private information (data) not being processed or disclosed to others without the knowledge and consent of the individual [1]. Programs and the like that can violate personal privacy may be described from several perspectives. One point of departure for describing programs that violate privacy is the way in which they have an impact on the person affected; another is the manner in which the program enters the system.

In this report the term function refers to what the programs do from a user perspective, that is, what effect the programs have. Certain programs can gather information about what websites have been visited and thereby present advertising that may be deemed to be of interest to the user.
Other programs can use the user’s resources for their own purposes; for example, a web browser can be controlled to show certain information. Another function may be that a program installs further programs without the knowledge of the user.

The term installation method refers in this report to the way in which a program is installed on a computer. There are a number of installation methods for programs that violate privacy; for example, they can be disseminated with viruses, worms or Trojans. The terms virus, worm and Trojan describe dissemination mechanisms for malicious code. Viruses are malicious codes that copy themselves onto existing program files or boot sectors on diskettes and hard discs. Worms are malicious codes that spread themselves between computers in networks. Trojans, for example Trojan horses, are malicious codes that, besides apparent or actual desired operations, also perform undesired operations. The delimitation between these categories of malicious code is not clear. For instance, it is conceivable that a Trojan carries a worm as payload, and it is conceivable that a worm can carry a virus. A further installation method is that the user actively installs the program in the same way as with other ordinary programs.

The term technical platform refers in this report to possible technical systems that are used specially by a program to achieve certain functions.

[1] SIS Handbook 550, Terminologi för informationssäkerhet [Terminology for information security], SIS Förlag AB, 2003.

3 Spyware and closely related phenomena

3.1 What is spyware?

Normally the term spyware is used when programs that violate privacy are mentioned, though the term does not have any clear definition. In this report the term ‘spyware’ refers to programs that covertly monitor a computer or network user’s activities, or alternatively affect the system in a manner that is undesirable for the user, for example web browser hijacking. However, not all such phenomena are programs; cookies can also be used in ways that violate the user’s personal privacy. Spyware should probably be regarded as malicious code, i.e. code that when executed causes intentional disruption or damage. However, not all programs that violate privacy are malicious programs (malware). Programs that have legitimate areas of use, for example remote access programs, can also be used improperly and violate personal privacy. Spyware in this report thereby refers to programs that, without the knowledge of the user, are installed or executed on the user’s computer and which in various ways gather or disseminate personal information about the user. Where the limit lies for the user being aware that the program is installed, and what constitutes personal information, is discussed in the chapter “What is the legal position?”.

Programs that violate the user’s privacy can be categorised on the basis of how they are used and disseminated and how they utilise the IT system or computer they attack. In this report spyware is divided into three categories based on the program’s area of use: first, programs that are used for advertising and marketing (advertising spyware); second, programs that are used for information compilation; and third, programs that are used to remotely control and monitor the computer of the user affected (surveillance spyware). The first and second kinds of spyware are often combined, gathering information about a group of individuals for marketing purposes and forwarding selected marketing to them, while the third kind of program rather monitors specific selected persons, for example members of a family or employees of a business.
In this report the various programs and phenomena are divided up on the basis of the function that the programs primarily have. It is appropriate to point out that individual programs often have several functions and that such a division is consequently not always completely correct. However, in the main, the separate programs may be said to have one function that predominantly describes them. This division should primarily be viewed as a way of giving the reader a logical and comprehensible description, and not as a definitive or exhaustive determination of what individual phenomena entail. A description is given below of various kinds of spyware for marketing, remote control and surveillance, and of closely related phenomena.

3.2 Programs with an advertising and marketing function

The purpose of programs that are used for advertising and marketing can be, first, to disseminate advertising and, second, to change advertising that has already been disseminated. In order to direct such advertising, various forms of information collation are often used (see Section 3.3 below on programs whose function is information compilation) to direct advertising that is considered to suit a certain profile of user. In this Section programs are presented that, with or without the knowledge of the user, are used for marketing purposes.

Software manufacturers form one of the driving forces behind the dissemination of spyware. They often offer several versions of their application: free versions (freeware [2] and shareware [3]) and complete versions that are not free. In order to earn money on the free versions, software manufacturers offer to provide advertising for other businesses in conjunction with the freeware. However, initially this advertising often proved too ineffective, and in order to enhance the effect more efficient methods were required to monitor user behaviour and in this way create targeted advertising. The information that is gathered by spyware with an information compilation function (see Section 3.3 below) is often used to enable the creation of targeted advertising, for example via spyware with a marketing function.

3.2.1 Advertising programs

Advertising programs (known as adware) are software programs that show pop-up advertising as soon as the program is run. The installation of advertising software is often conducted by its being included with other software that is free of charge. For example, freeware that is downloaded via the Internet may contain adware to finance the manufacture and dissemination of the program. Many of these programs are also available in versions that cost money but which then do not contain any advertising software. The function of the adware is to expose the user to marketing in various ways, for example by pop-up windows or because a certain part of the interface in a program contains marketing. Adware can, of course, also be independent of other programs and, for example, automatically generate pop-up windows with certain specific advertising every time the user opens their web browser.

3.2.2 Web browser hijacking

Another example of programs that are used for marketing purposes are programs that in various ways change the local web browser’s settings in order to redirect traffic to other websites. The program may for example exchange the start and search pages that the user has chosen, or add links to the list of favourites, without any request by the user. This phenomenon is sometimes called web browser/page hijacking. The phenomenon of web browser hijacking can itself virtually be regarded as a technology, i.e. the software that the web browser contains constitutes the basis for the program. The function of the phenomenon is to manipulate the web browser in various ways so as to direct the traffic conducted via the web browser, i.e. to influence what websites the user visits or what websites it appears that the user has visited. The aim of this kind of program is often to direct more visitors to the websites to which the traffic is redirected and in this way disseminate advertising. The aim may also be to make it appear as if the traffic comes from another website. For instance, if a website has an agreement for certain remuneration for all visitors that go from that website to another, it then has an interest in making it appear as if all visitors that reach the outside website actually come from its own site. This function can be achieved by some kind of web browser hijacking. Web browser hijacking programs can also redirect the user’s searches via another website, invisible to the user, that gathers information about the user’s activities (a feature that rather makes this web browser hijacking’s function that of information compilation, see Section 3.3 below). For the user the redirection is unnoticed, except that surfing can be slower.

[2] Freeware: programs that may be disseminated freely and used without cost.
[3] Shareware: programs that may be disseminated freely but for which the user is expected to pay a charge upon repeated use or after a certain limited time (trial period).

3.2.3 Browser Helper Object

A Browser Helper Object (BHO) is a program that is activated each time the web browser is started. A BHO can virtually be described as a technology, i.e. software that in different ways can affect how a web browser shows the websites that the user visits. One function that a BHO can have is to search through the sites that the user opens in the web browser and substitute banners so that all banners contain, for example, certain predetermined advertising.

3.3 Programs with an information compilation function

In this Section, programs are presented that compile information about the user without the user’s knowledge. The aim of programs that are used for information compilation is often to gather data about the Internet user’s behaviour. This may be their behaviour on a certain website or their general behaviour on the Internet. The programs may, for instance, compile information about what websites the user has visited on the Internet, log-on details that have been given to download programs (for example name, e-mail address, sex, age and country), the user’s IP address, and what operating system and web browser is used. A further purpose of the information is often marketing (see above regarding programs whose function is marketing), in order to target advertising that is deemed to suit the profile that has been created of the user. In many cases the purpose of information compilation is therefore not directly malicious but to enhance the user’s benefit from the service. For example, a customer in an Internet bookshop may get book tips based on which books the customer has previously ordered. The problem from a privacy perspective is that the user may very well be unaware of the information compilation and of what the information is used for.

As mentioned in the previous section, one of the driving forces behind the dissemination of spyware was the software manufacturers who tried alternative routes for financing, for example through targeted advertising. The information that spyware gathers for information compilation is often used in particular to be able to create targeted advertising.
It is worth pointing out that spyware often performs several different functions. Marketing programs, BHOs and web browser hijackers as described above can thereby contain functions that compile information.

3.3.1 Key loggers

Software to log keystrokes has been available for a long time, but modern versions of key loggers can log a lot more than just keystrokes. They can save screen dumps triggered by selected key words that are typed on the keyboard or shown on the screen, or be specially designed to find and save passwords. This kind of software can simply be downloaded from websites and is sold commercially for monitoring employees and to parents for checking their children’s surfing.

3.3.2 Web bugs

Web bugs are a further phenomenon that can virtually be described as a technology, i.e. a method to compile information about the user and their Internet activities. However, web bugs cannot be categorised as programs, as they do not comprise any code that is executed. Web bugs instead consist of small graphic images that are placed on websites or in e-mail messages and which, when these are opened, are downloaded from a server other than the website that is visited. A typical web bug has a size of 1x1 pixel, which means that it is invisible to the naked eye. When a user looks at a website or e-mail message that contains a web bug, this image is requested from a server belonging to the web bug’s owner, and in this way the owner can trace the individual user and see whether they have seen an advertisement or opened an e-mail that contains a web bug.

3.3.3 Cookies

Another phenomenon that is sometimes regarded as spyware is cookies. Cookies are text files that are stored on the user’s computer and which websites can use to compile information about the user and their behaviour. It may be as simple as a marking of what the user has already looked at on the website, normally by changing the colour of a link on which the user has clicked, or remembering the user’s settings or user name. These cookies are only intended for the user and do not forward information to any external web server. However, there are businesses that exploit cookies to monitor what websites the user has visited and what the user has done there. Cookies were originally not designed to be used in this way; it was intended that the information should only be available to the website that placed the cookie. It should not be possible for an outsider to use and read cookies that are intended for another website. However, cookies can be utilised in ways other than as originally intended. A business may, for example, include cookies in advertising that is shown on someone else’s website. This kind of cookie is sometimes known as a third-party cookie, as the information is sent to a third party and not to the party who provides the website that the user has chosen to visit. By showing advertising and placing cookies on a large number of different websites, the business can monitor which of these websites the user has visited and what the user has done there, and thereby gain a detailed profile of the user’s movement pattern on the Internet.

3.4 Programs with remote access and monitoring functions

The category of programs for remote access and monitoring includes various kinds of violation tools and monitoring products that are often targeted at a specific computer or user. Many of these products were originally produced as security tools for private persons and businesses and are intended, for instance, to be used to monitor their children’s or employees’ surfing habits.
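The two web-page trackers described in Section 3.3 above, web bugs (3.3.2) and third-party cookies (3.3.3), can both be checked for in a fetched page by the same test: is the resource served by a site other than the one the user chose to visit? The following audit is an added example and not part of the PTS report; the page URL, HTML and Set-Cookie headers are constructed sample data, and the "registrable domain" rule (last two DNS labels, no public-suffix list) is a simplifying assumption.

```python
"""Audit a fetched page for two of the trackers described in Section 3.3:
web bugs (tiny images requested from a host other than the visited site)
and third-party cookies (Set-Cookie from a host other than the visited site).
Added example; all sample data below is constructed."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Simplified site identity: the last two DNS labels of a host name.
    Assumption: no public-suffix list, so names like example.co.uk are not
    handled; enough to separate shop.example from ads.tracker-example.net."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_third_party(page_url: str, resource_url: str) -> bool:
    """True when the resource is served by a site other than the visited one."""
    page_host = urlparse(page_url).hostname or ""
    res_host = urlparse(resource_url).hostname or ""
    if not res_host:  # relative URL: same site as the page itself
        return False
    return registrable_domain(page_host) != registrable_domain(res_host)


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.images: list[dict] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _pixels(value: str | None) -> int | None:
    """Parse a width/height attribute such as '1' or '1px'; None if absent or non-numeric."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


def find_web_bugs(page_url: str, html: str) -> list[str]:
    """Return the src of every image that is at most 1x1 pixel and is fetched
    from a third-party host: the web bug pattern of Section 3.3.2.
    A 1x1 image served by the visited site itself is deliberately not reported,
    matching the report's definition (downloaded from another server)."""
    parser = _ImgCollector()
    parser.feed(html)
    bugs = []
    for img in parser.images:
        src = img.get("src")
        if not src:
            continue
        w, h = _pixels(img.get("width")), _pixels(img.get("height"))
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        if tiny and is_third_party(page_url, src):
            bugs.append(src)
    return bugs


def classify_cookies(page_url: str, responses: list[tuple[str, str]]):
    """Split Set-Cookie headers into first-party and third-party cookies.
    responses: (response URL, Set-Cookie header value) pairs observed while
    loading page_url. Returns two lists of (host, cookie name)."""
    first_party, third_party = [], []
    for url, header in responses:
        name = header.split("=", 1)[0].strip()
        entry = (urlparse(url).hostname, name)
        (third_party if is_third_party(page_url, url) else first_party).append(entry)
    return first_party, third_party


# Constructed sample: a bookshop page that embeds an advertising network's beacon.
PAGE_URL = "https://shop.example/books"
SAMPLE_HTML = """<html><body>
<img src="/img/logo.png" width="120" height="40">
<img src="https://ads.tracker-example.net/beacon.gif?uid=4711" width="1" height="1">
<img src="https://shop.example/pixel.gif" width="1px" height="1px">
<img src="https://cdn.tracker-example.net/banner.jpg" width="468" height="60">
</body></html>"""
SAMPLE_RESPONSES = [
    ("https://shop.example/books", "session=abc123; Path=/; HttpOnly"),
    ("https://ads.tracker-example.net/beacon.gif?uid=4711",
     "uid=4711; Domain=.tracker-example.net; Path=/"),
]

if __name__ == "__main__":
    print("web bugs:", find_web_bugs(PAGE_URL, SAMPLE_HTML))
    print("cookies (first, third):", classify_cookies(PAGE_URL, SAMPLE_RESPONSES))
```

The same host comparison is what a browser's "block third-party cookies" setting applies; the beacon here is flagged both as a web bug and as the source of a third-party cookie, which is the combination the report describes for tracking a user across many sites.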
Programs for remote control have areas of use such as, for example, when a support business assists a customer without being physically present with the customer. Under these preconditions it may be very efficient to completely assume control of the customer’s computer at a distance. In the wrong hands, these applications may however be utilised for completely different purposes and used for violation and malicious use of the computers of unaware users. As the protection within a network is often aimed at outside attacks, it is particularly sensitive for network security if one of the computers in the network can be controlled from outside and thereby implement measures within the network as if it were a user at the terminal who implemented them.

3.4.1 Monitoring programs

Monitoring programs can capture basically everything a user does on their computer, including all keystrokes, e-mail, chat conversations, websites visited and what programs are used. In principle, all activities that are conducted with the computer can be logged. The program is often run in the background and the user is not aware that they are being monitored. The information that is gathered by the program is either sent continuously to a third party or stored on the computer in a log file that is later communicated to a third party. In some cases the log file is encrypted, which makes it very difficult for the user to know what the log file contains. Certain programs also send such log files by e-mail to a predetermined destination. The major difference between monitoring programs and the category of key loggers described above is that general monitoring programs have a significantly broader monitoring area and are not refined to monitor any particular function.

3.4.2 Remote access tools

Remote access tools, also known as Remote Administration Tools (RATs), are used to remotely access, monitor and record information from the computer where the program is installed. Certain RATs can also control the computer’s web camera and microphone and in this way capture both image and sound. Many RATs imitate the functionality of permitted remote access programs but are specifically designed to be installed and used without being detected. The user does not notice that the program has been installed until the intruder, via the program, takes over the machine and for example moves the cursor or opens files. A great danger with RATs is that they completely control the accessed computer. This means that all the rights that the remotely controlled computer has, for example access to internal networks, etc., also pass to the party who is remotely controlling the computer. It can also be very difficult to subsequently trace whether it was the user themselves who implemented the measures via the computer or whether these measures were implemented at a distance via a RAT.

RATs can also be used for so-called system hijacking. System hijacking means that a program utilises the infected terminal’s resources and capacity. Various kinds of program use the capacity in different ways. For example, the accumulated processor capacity of a large number of infected computers may be utilised for demanding calculations; there are also cases where a large number of infected computers have in a coordinated way used their Internet connections to perform overload attacks against specified targets. Such large groups of infected computers that can be utilised in a coordinated manner are often called botnets. Spam is often sent from hijacked computers that, without the user’s knowledge, utilise the Internet connection to send large quantities of e-mail.
3.4.3 Modem hijacking Modem hijacking means that the user downloads a program to their computer, often without being aware of it, which discontinues the original modem connection to the Internet and links the user up to another connection via another telephone number. This telephone number is often a number to which a significantly greater call cost than normal is linked. The user is then invoiced for the calls made. A modem hijacking is a function that in practice changes the number specified in the computer’s remote connection and thereby changes the number the user normally calls to connect to their Internet provider. The effect of the function is thereby that the user connects to another Internet provider. Modem hijacking thereby does not as such involve any remote administration or other control of the user’s computer; however, it may mean that the user unconsciously generates very high telephone bills as the new number that is entered usually has a very high time tariff. 3.5 The purpose of various forms of spyware in general Something that complicates the description of spyware in their capacity of malicious codes is that most of the functions also exist and in many cases are also based on completely legitimate program functions that also have an important area or use. For example, most of the monitoring programs and methods for system hijacking and RATs are originally based on various tools to control a network or for system administrators to, remotely, assist individual users when they have problems with their systems. Programs for advertising and marketing have in many cases a fully legitimate purpose of obtaining financing for software or other products through targeted marketing being integrated in the product. It is thus very difficult in a general way to clearly delineate between what is directly malicious and what is acceptable. 
This situation may be compared with, for example, viruses and similar programs that exclusively have functions of a destructive or replicating nature and which can generally be said to constitute programs whose only purpose is destruction and for which there is therefore no legitimate area of use. As regards spyware, these functions are used in many cases by software companies as usable and efficient methods to, for example, automatically analyse and update software (for example, Microsoft Update). Many programs transfer information to analyse and add functions to the programs that are run on the computer (for example, the majority of music players that send out information about what music is being played to another server and in this way can reproduce information about what music group it is, song texts, album covers, etc.). Many of the functions are also utilised commercially to be able to generate income for software that is distributed ‘free’ over the Internet (for example, freeware that automatically downloads advertising and marketing, which at the same time shows that the program is being run). It is thereby not possible to say that a particular type of program or function, generally viewed, can be said to be malicious or to pursue unpermitted aims. This fact has also contributed to antivirus programs and similar security functions having certain legal difficulties in relation to attacks by spyware.
If an antivirus program automatically impedes functions from legitimate spyware, it is very possible that a creator of legitimate spyware may successfully be able to bring an action for damages against the creator of the antivirus program that prevents its opportunities to generate revenue, for example antivirus programs that prevent marketing as a source of revenue.4 From the privacy aspect it is probably most important that the user is aware of the way in which the information about the user is stored or disseminated. That spyware programs will be installed and what type of information they gather is often described in the licence conditions5, which the user should read through before downloading the program. However, in many cases these licence conditions are very extensive and sometimes directly misleading. This makes it difficult for the user to make use of the information. It is not unusual for contracts also to contain extensive powers for software manufacturers to automatically install new software, which makes it in principle impossible for the user to understand the scope of the consent given. Legal aspects of such consents are referred to below in Section 8.7.1. The spyware programs and their functions as described in this report refer to those that do not have a legitimate purpose, that is to say those that in the individual case are used by malicious persons or organisations to in different ways infiltrate or violate the privacy of the user. However, it is important to be aware that the assessment in the individual case is not black or white; there is a large grey zone concerning what can be regarded as legitimate or not. It is also worth noting that many of the spyware programs whose aim is in a rather grey zone often contain contractual clauses that are more or less concealed or cryptically formulated in order to ensure that the creator shall in any event subsequently be considered not to have done anything that was unpermitted and that the user may be deemed to have accepted or consented to the function implemented. This makes it even more problematic from a legal respect to regulate what can be deemed to be a permitted or directly unlawful activity.

4 The company Gator (now under the name Claria) has, for example, instituted legal proceedings against anti-spyware programs that have cited Gator’s software as constituting spyware. See http://news.com.com/2100-1032_3-5095051.html There are also other examples of spyware with marketing functions whose creators have sued regarding other similar programs, as these programs in various ways counteract the functions in the former program. See http://arstechnica.com/news.ars/post/20041208-4447.html
5 Also known as EULA (End User Licence Agreement).

4 Installation methods, how is the user infected?

4.1 Accompanying programs

Today, many freeware and shareware programs that can be downloaded from the Internet contain spyware. When the user installs the downloaded program, for example file-sharing programs, games, chat programs, media players and download managers, spyware is installed at the same time. In certain cases the user more or less unknowingly approves the installation of the spyware by accepting the conditions accompanying the freeware or shareware (see more regarding this in Section 7.7.1). File-sharing programs are often pointed out as a major source of dissemination.
The method of installing spyware in conjunction with another program is sometimes called ‘piggybacking’ and can be difficult for an ordinary user to detect. As the user himself allows the program to be installed, this form of installation is not particularly easy for an antivirus program to detect either.

4.2 Plug-in programs in the web browser

Spyware can also be hidden in html links in e-mail messages or on websites. When the user clicks on a link, a download of the spyware, which is a plug-in or supplementary program to the web browser, is started automatically. Usually the user is actually asked whether he really wishes to install this plug-in or supplementary program, but this information can in most cases be formulated in a tricky or unclear way, which makes it difficult for the user to know what really will be installed.

4.3 Trojans

Trojans are programs that are run on the user’s computer but which, without the user’s knowledge, are designed to install or run other programs on the user’s computer. A Trojan is really a program that pretends to be a certain kind of program but in reality hides something else. In contrast to viruses and worms, Trojans are not self-replicating, i.e. they do not make copies of themselves. Trojans are usually disseminated as attachments to e-mail messages or together with other software. There are several different kinds of Trojans, of which some of the most usual are described below. In principle, a Trojan may contain any kind of additional software. Nor does the Trojan need to directly contain the further software; the Trojan’s function may instead be to open a way into the infected computer in order to remotely install further programs or in another way take control. These kinds of Trojans are often called ‘backdoor Trojans’, as they open a backdoor into the computer. With the assistance of a Trojan, an intruder can for example search through the computer for passwords and other secret information.
The intruder can also place files in the computer, for example to spread viruses or place different forms of spyware such as remote access programs (RATs), etc.

4.4 ActiveX

ActiveX is a part of the Windows operating system and can be used to gain full access to a user’s operating system. In this way ActiveX, through so-called ActiveX controls, may be used to remove or add files on the user’s computer. Windows Update is one example of an ActiveX control that searches for relevant files on a computer and updates them with new ones. The purpose of the ActiveX technology is of course not to install spyware and the like, nor that the ActiveX technology should actually be used in a manner resembling spyware, but as the technology gives such rather extensive control of the user’s computer, it can also be exploited for such purposes. A website can gather information from a user’s computer via ActiveX controls. JavaScript and VBScript are also technical platforms that can be used to gather information from a user’s web browser in a similar way to ActiveX, but the latter is significantly more powerful. In order to prevent ActiveX from being misused, ActiveX controls can be signed by the creator. If the ActiveX control is signed, the developer can be traced, subject to the precondition that the certificate issuer is reliable.

5 How does spyware affect the user?

It is difficult to generally describe how spyware affects the user, as various kinds of programs have different functions. In those cases where spyware comprises information gathering, the information gathered is often sent either directly or after a while to the creator’s server where the information can be stored and processed.
In those cases where spyware comprises remote access or monitoring, the program is either activated from the beginning, which means that a substantial quantity of traffic is sent over the user’s communications service, or it remains passive at first. In the second case, the spyware quite simply notifies the creator that it is installed and waits for his command to initiate the remote access. Regardless of the function, the spyware programs use the user’s computer capacity (processor and memory) when they are activated and the user’s Internet connection in order to communicate the information that is gathered or to provide the capacity that is required to remotely control the computer, i.e. it is the user that has to bear the costs of the operation of the program. A user who is affected by a number of spyware programs may notice that the capacity of his computer and the Internet connection are significantly impaired. The problem becomes particularly clear if the spyware program does not succeed in contacting its server and makes several repeated attempts one after another. In networks, the deterioration of transmission capacity becomes even clearer, as the problem is multiplied by the number of computers that are infected by the software. Spyware can also more or less intentionally create security loopholes in the computer and/or the network in which the program is installed. Many spyware programs contain functions to be able to update themselves automatically and can thereby create security loopholes that can be exploited by other malicious programs to install themselves on the computer. Besides the above-mentioned general effects, spyware programs may entail a number of negative effects for the user in each individual case, depending on what the program in practice has as a function.
For instance, mention may be made of personal and sensitive information being disseminated to others without the user’s knowledge, of bank certificates, passwords and the like being stolen, and of the user’s terminal and Internet connection being used as a platform for criminal activities.

5.1 Spyware – links to viruses and other malicious codes

Spyware programs cannot and should not be viewed as isolated phenomena. Spyware is spread via other forms of malicious code such as, for instance, worms, and can be installed maliciously through other programs, for example Trojans, or in conjunction with other programs that are legitimate in the user’s eyes (so-called ‘piggybacking’). The kinds of spyware that gather information can be used to gather information about users such as, for example, their own and their contacts’ e-mail addresses. E-mail addresses can in their turn be used to send undesired mass-mailings via e-mail, so-called ‘spam’. Moreover, spyware that can remotely control computers is used in order to use the computers and connections of unaware users as platforms for further attacks, such as for example targeted overload attacks against a certain target or as a base for sending out spam. It is consequently difficult to say where one kind of program or phenomenon ends and where the other begins, and which depends upon which. These phenomena often thrive in an intricate context.

6 How can users protect themselves?

The basis of the user’s Internet security is safe habits in combination with an updated antivirus program and an updated firewall. In order to protect against spyware in particular, the user should also use an anti-spyware program.

6.1 Antivirus programs

An antivirus program searches for viruses in the files that come to the user’s computer.
The program should also be set so that it automatically and at regular intervals checks the entire hard disk. Common antivirus programs often do not trace spyware, and those that do so do not catch all forms of spyware. In some cases, protection against spyware is included, but this protection must be activated upon installation to also include so-called ‘extended threats’. One explanation for this is provided in the reasons reported above in Section 4.5, The purpose of various forms of spyware in general: it quite simply is not so simple to generally determine which spyware programs have a legitimate purpose and which do not. This fact makes it complicated to develop general protective methods against certain forms of functions. In certain cases the only thing that differentiates a legitimate spyware from a malicious one is the manner in which the user is informed about and consents to the program’s functions. Another reason that manufacturers of antivirus programs are not targeting spyware is that spyware as such does not have any independent dissemination function such as, for example, a virus. However, it may be noted that antivirus programs to an increasing extent also include various kinds of security management regarding both spyware and firewall functions.

6.2 Firewalls

A firewall examines all electronic traffic to and from the user’s computer and informs the user if something appears suspicious. A firewall can provide certain protection against spyware, but as the programs are often bundled together with files that it is permitted to download, it may be difficult to avoid the programs passing through the firewall without being stopped. However, firewalls can warn the user about unexpected outgoing traffic, which may be a sign that spyware is sending information to an external server.

6.3 Anti-spyware

Spyware programs are often specially designed to be kept secret, which makes it difficult to detect them.
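Section 6.2 notes that a firewall can warn about unexpected outgoing traffic, and Chapter 5 that spyware which cannot reach its server makes repeated attempts one after another. The following is an added example, not part of the PTS report, that applies those two observations to a constructed outbound-connection log in an assumed, simplified format (timestamp, direction, process, destination, outcome); every process name and address in it is constructed for illustration.

```python
"""Two detections over firewall-style connection logs: retry loops to a
blocked destination, and successful connections recurring at a fixed
interval (a program reporting in to its operator's server).

Added example, not part of the PTS report. The log format is assumed for
this example and does not correspond to any particular firewall product.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not the output of any real firewall).
# Format: <ISO timestamp> <direction> <process> <remote host:port> <outcome>
SAMPLE_LOG = """\
2005-04-08T10:00:00 OUT firefox.exe 192.0.2.10:80 ALLOWED
2005-04-08T10:00:05 OUT updater.exe 198.51.100.7:8080 BLOCKED
2005-04-08T10:00:10 OUT mediahelper.exe 203.0.113.5:443 ALLOWED
2005-04-08T10:00:35 OUT updater.exe 198.51.100.7:8080 BLOCKED
2005-04-08T10:01:05 OUT updater.exe 198.51.100.7:8080 BLOCKED
2005-04-08T10:01:35 OUT updater.exe 198.51.100.7:8080 BLOCKED
2005-04-08T10:02:05 OUT updater.exe 198.51.100.7:8080 BLOCKED
2005-04-08T10:03:00 IN firefox.exe 192.0.2.10:80 ALLOWED
2005-04-08T10:04:00 OUT firefox.exe 192.0.2.11:80 ALLOWED
2005-04-08T10:10:10 OUT mediahelper.exe 203.0.113.5:443 ALLOWED
2005-04-08T10:20:10 OUT mediahelper.exe 203.0.113.5:443 ALLOWED
2005-04-08T10:30:10 OUT mediahelper.exe 203.0.113.5:443 ALLOWED
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, direction, process, dest, outcome = parts
        events.append({
            "time": datetime.fromisoformat(ts),
            "direction": direction,
            "process": process,
            "dest": dest,
            "outcome": outcome,
        })
    return events


def _group_outbound(events, outcome):
    """Group outbound events with the given outcome by (process, destination)."""
    groups = defaultdict(list)
    for ev in events:
        if ev["direction"] == "OUT" and ev["outcome"] == outcome:
            groups[(ev["process"], ev["dest"])].append(ev["time"])
    return groups


def find_retry_loops(events, min_attempts=4, window_seconds=600):
    """Flag (process, dest, count) where a process keeps trying to reach a
    destination the firewall blocks: min_attempts or more failures inside
    the window, the "repeated attempts" pattern described in Chapter 5."""
    findings = []
    for (process, dest), times in _group_outbound(events, "BLOCKED").items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        if len(times) >= min_attempts and span <= window_seconds:
            findings.append((process, dest, len(times)))
    return findings


def find_periodic_beacons(events, min_events=4, max_jitter=0.1):
    """Flag (process, dest, interval_seconds) where successful outbound
    connections recur at an almost constant interval (coefficient of
    variation of the gaps <= max_jitter), i.e. unexpected regular traffic
    to one external server that a user would want the firewall to report."""
    findings = []
    for (process, dest), times in _group_outbound(events, "ALLOWED").items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((process, dest, avg))
    return findings


def analyse(text):
    """Run both detections over a log text and return the findings."""
    events = parse_log(text)
    return {
        "retry_loops": find_retry_loops(events),
        "beacons": find_periodic_beacons(events),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, *hit)
```

The thresholds (four attempts in ten minutes, ten per cent jitter) are starting points; legitimate update clients also poll on a schedule, so a hit identifies a process and destination to look into rather than proving spyware.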
However, there are several products that are orientated towards preventing installation or towards finding and removing spyware, for example the free versions of Ad-Aware and Spybot Search and Destroy. The user should run the anti-spyware regularly and update it continuously.

6.4 General caution on the Internet

Besides updated antivirus programs, firewalls and anti-spyware, there are other things that the user should consider in order to be more secure on the Internet. The programs on the user’s computer that make use of and communicate with the Internet, for example the web browser, should also be updated regularly. These programs sometimes have weaknesses, so-called ‘security loopholes’, that can be used for intrusion or installation of undesired programs. When these weaknesses are identified, they are rectified by the program manufacturer. In order to close security loopholes on the user’s computer, it is therefore very important that the programs are regularly updated. The same also applies to the computer’s operating system, as this can also contain security loopholes that new updates will close. The user should also be cautious when downloading files from the Internet, as the files can contain harmful code or spyware. It is important that the user thinks about whether the source is credible or if the file appears safe before any download is conducted. The user should also be careful about unknown attached files that arrive with e-mail. Never click on such a file if the content is unknown or if the sender is not known. When a user is connected to the Internet, files on the computer should not be unnecessarily shared with just anyone. This also applies if a file-sharing program is installed on the computer. To avoid undesired intrusion the user should set the folder or folders that shall be available for other users on the Internet and not distribute more than is necessary.
It is also possible to set the computer so that the user only downloads and does not distribute files. Moreover, as a user one should be careful about what ActiveX components one accepts. A more secure method may be to set the web browser so that the user is informed when an ActiveX component is activated, or alternatively to turn ActiveX off completely. However, it should be mentioned that many websites make use of various kinds of ActiveX components to work, for which reason the user may have problems in utilising these websites if ActiveX is turned off. Users should also be very careful when they use public computers, for example at Internet cafés. One ought to assume that these have key loggers or other spyware installed and therefore not conduct sensitive transactions from there, such as for example bank transactions. More information about how users can protect themselves on the Internet is available on http://www.pts.se/internetsakerhet.

7 What is the legal position?

7.1 Introduction

There are a number of different points of departure when conducting a legal assessment of the extent to which various forms of spyware may be deemed to comply with the current legislation or not. There are private law rules governing criteria for conclusion of valid contracts, the provisions in the law of torts about damage that may be compensated, the provisions of the Swedish Penal Code on various kinds of intrusion and fraud offences and also special legislation within the field. This chapter does not aim to provide a comprehensive analysis of the entire legal situation, but primarily a report on the legislation that PTS must apply, that is to say special legislation found in the field. In order to achieve any kind of more comprehensive description, a short description will also be provided of the criminal law legislation that may apply.
However, the report should be read with the knowledge that other legal opinions, such as the extent to which actions for damages might successfully be brought regarding damage caused, are intentionally not dealt with.

7.2 The provisions of EkomL on cookies, etc.

A provision was introduced through EkomL (Chapter 6, Section 18) which imposes conditions on the storage and use of stored information on a user’s computer. This provision had no equivalent in previous legislation. The provision means that an electronic communications network may be used to store information, or to gain access to information that is stored in a subscriber’s or a user’s terminal equipment, only if the subscriber or the user is provided by the personal data controller with information about the purpose of the processing and is given an opportunity of preventing such processing. When this provision was introduced it attracted great attention as, according to its wording, it covered the management of cookies, and this kind of technology, which is very usual when developing websites, thereby suddenly became subject to a statutory information requirement. However, one aspect that did not attract attention on a broad front was that the provision is applicable to all forms of management whereby information is saved or stored in a user’s terminal equipment and thereby covers certain types of technology such as, for example, spyware. A brief explanation is given below of the provision in general terms; a number of potentially particularly problematic aspects will be examined and, finally, the types of spyware referred to above will be described and commented on in the light of this provision.6

7.2.1 What does the provision mean?

This provision means that electronic communications networks may only be used to load or store information on a user’s terminal equipment if the user is informed of what the purpose is and is given an opportunity to prevent the use.
This provision thus does not constitute a prohibition against performing download or storage of information, or any requirement that there must be consent; however, it does constitute a requirement to inform the user about the activity. This information need not necessarily be given before the activity, but may in certain cases be given in conjunction with it. This provision is subject to penal sanctions according to Chapter 7, Section 15, second paragraph, where it is stated that a breach of the provision, intentionally or negligently, may entail fines, subject to the precondition that the offence cannot be deemed to be of a minor level. A schematic profile of the various requisites of the provision is given below.

Chpt. 6, Sect. 18 EkomL: Electronic communications networks may be used to store or gain access to information that is stored in a subscriber’s or user’s terminal equipment only if the subscriber or user receives information from the personal data controller about the purpose of the processing and is given an opportunity to prevent such processing. This does not prevent such storage or access that is necessary to perform or facilitate the transmission of an electronic message via an electronic communications network or which is necessary to provide such a service that the user or subscriber has expressly requested.

What does the provision cover? When information is stored or gathered, i.e. transmissions of information to or from the terminal equipment.

Which transmissions are covered? Everything that occurs over electronic communications networks. The definitions of subscriber and user mean that the technology must be used on public networks; intranets and other private networks are consequently not covered.

What liability does the provision entail? An information requirement, not a consent requirement. The information must be given to a subscriber or user.

What does the information requirement entail? Information that the technology is used, information about what the purpose of the use is, and an opportunity for users to prevent the processing.

Exceptions. Technology exception: storage or access that is necessary to perform or facilitate the transmission of an electronic message via an electronic communications network, for example caching. Requested service: the user must actively request the service (in any event, the mere arrival at a certain website is probably not sufficient), and the technology must be necessary to provide the service.

Who is responsible? The personal data controller.

7.2.2 Personal data controller

The person who alone or together with others decides on the purpose and means of processing. The travaux préparatoires state that who is responsible should be assessed from case to case.

How should the information be provided?

How the information about storage or access should be given to the user is not governed in detail. It is said in the travaux préparatoires that the information does not necessarily need to be given before a session has been started, but that it is sufficient that the information and the opportunity to refuse the use are given during the session.7 This is subject to the precondition that ‘normal routines’ are used so that the user can set his web browser to prevent such use. It is probably a reasonable conclusion that the legislator only meant by this that where the ordinary technology that is called a cookie is used, which a web browser can recognise and, if it is correctly set, give a warning about, it is not required that the user should first approve the measure. It is instead sufficient that information about cookies and the opportunities to prevent these being used is given at some time during the visit to the website.

6 For a more thorough review of the provision and exemptions from the provision, see the report “The Internet and the Electronic Communications Act”, 1 October 2003, PTS-ER-2003:36.
This could in such a case result in the conclusion that if it does not involve such a technology that the web browser can be set to automatically avoid or warn about, then it is not sufficient to provide the information at some time during the session, but it must be given before the storage or access is performed. This conclusion does not appear to be particularly far-fetched; it is probably natural that regular and integrated technical solutions should not have information requirements that are quite as extensive as other forms of potentially privacy-violating programs or technologies. However, it does appear to be directly inappropriate that this difference is only indicated by the legislator’s commentary on the provision in the travaux préparatoires and is not prescribed directly by the provision. It is reasonable that the information provided must be clearly apparent and plain and not be hidden in such a way that the user is in practice not provided with this information. It is not sufficient that a particular terminal has just once been given the prescribed information (for example by a pop-up box which gives the information once and then never turns up again, regardless of information being stored or downloaded). Information about the use of, for example, cookies or other technologies such as spyware which downloads information, their purpose and also how a user can proceed in order to refuse the use should actually always be available on the website. The reason for this is that it is the individual user who is the object to be protected and not the terminal. Terminal equipment can in most cases have several different users and it is thereby not sufficient that only one of them has been informed.

7 Government Bill 2002/03:110, p. 396.
This probably means that software programs that are installed on a terminal should not only once (when being installed) provide information about data being downloaded or stored on the user’s computer. The provision does not provide any direct guidance on how detailed the information that is to be provided to the user needs to be. In any event, it must be reasonably apparent what data is intended to be stored or downloaded from the user’s terminal and for what purpose this access/storing is conducted. Regarding the possibility of the user to prevent use, a fundamental description of what measures a user can implement to prevent the storage or access should be required. It may, when applying the law, be necessary to determine this in greater detail, a circumstance that may be deemed unfortunate considering that the provision is subject to penalties.

7.2.3 Supervision and penalties

PTS exercises supervision of EkomL, including this provision. Breaches of the provision can result in compliance measures on the part of the authority, which may include the imposition of an order, subject to a default fine, requiring the operation to cease. Such a default fine can only become payable if the party responsible does not comply with an order by the authority. Besides this supervisory measure, the provision is also penalised according to Chapter 7, Section 15, EkomL, where it is provided that offences by intent or negligence that are not minor can lead to fines. It is also stated here that responsibility for such an offence can only be imposed if liability for the offence is not prescribed by the Swedish Penal Code. A breach of the provision concerning cookies, etc. is thus subsidiary to offences contained in the Swedish Penal Code, which means that an act that constitutes an offence according to the Swedish Penal Code absorbs the offence according to EkomL.
It is the police and public prosecutor who are responsible for administration of justice operations, for which reason PTS does not have any responsibility regarding this penal provision. A great difference between a prosecution on a penal act and a supervisory measure regarding an offence under EkomL is that the supervision by PTS never entails any punishment for acts committed but only includes various means of inducing compliance to ensure that the party responsible does not continue breaching the provision. However, the authority responsible for the administration of justice prosecutes the party responsible for the offence committed. It is in these contexts basically of no interest whether or not the party responsible has ceased with the operation. This also means in its turn that one thing does not exclude the other; supervisory measures by a supervisory authority can be run in parallel with a crime investigation by the police and public prosecutor.

7.3 Further details on the provision on cookies, etc. and its applicability to spyware

In the Privacy and Electronic Communications Directive8, which forms the basis of the provision on cookies, etc., it is stated in the Preamble that all information that is stored in a user’s terminal is part of the user’s personal sphere and that they as such require protection according to the European Convention for the Protection of Human Rights and Fundamental Freedoms. Such devices that are used to gain access to the users’ terminals, or information stored therein, can seriously violate the users’ liberty and should therefore only be allowed for legitimate purposes with the knowledge of the users affected. “Spyware” and “web bugs” are referred to as examples of such devices. Article 5, item 3 of the Directive has more or less been incorporated into Swedish law word for word, for which reason the purpose of the Preamble and background should also be applicable to the Swedish provision.
It is thereby manifest that in any event one of the purposes of the provision, which in practice has mostly come to relate to the technology of cookies, was to address more complicated programs and technologies than cookies. However, the issue is the extent to which the provision really is applicable to these programs and systems. As described above, it is required that a number of criteria are satisfied for it to be possible to apply the provision. The most important aspect of these is that it involves a download or storage of information from a user’s or subscriber’s terminal equipment. However, it cannot only involve information that is being sent from one user to another being snapped up during the transport. This would indeed possibly constitute some form of wiretapping (which may also not be allowed or quite simply criminal, see the Section on breach of data secrecy, etc. below), but as no download or storage occurs from terminal equipment but signals are picked up on the way, the provision on cookies, etc. is in any event not applicable. Moreover, it appears reasonable that storage of information is covered. When a user surfs to a website, a substantial quantity of information is stored on his terminal equipment. First, information of a technical nature (the actual html code or corresponding), second the information that the user sees, i.e. text, images and other media content that is found on the website. Is all this information covered by the provision and must the controller then inform the user of the purpose of this storage? It does not appear reasonable that this would be the case; however, it cannot be said that it is clearly indicated that such storage is not covered by the provision.

8 Item 24 of the Preamble to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002.
To the extent that the storage is of a technical nature, it is actually exempted; storage in cache spaces and storage of html codes or the corresponding is thereby probably exempted. As regards the media that the user actually sees and assimilates, this storage is actually rather obvious for the user. However, there ought to be a difference between such obvious information storage and information storage that is not visible to the user, such as for example cookies or spyware. However, it cannot be said that it is clearly indicated by the formulation of the provision that this distinction is made; the provision rather gives the impression of being extremely broad and covering all downloads and storage except pure caching. It could possibly be argued that the controller hardly needs to provide information about obvious facts; what then really remains to provide information about? An advertising banner that pops up on a website or in a box in a program? When interpreting the provision it may be appropriate to reflect on its overall purpose; the user’s terminal equipment and the information that is available there is the user’s personal property and should not be surreptitiously violated. A description is given below of the extent to which spyware or closely related phenomena could possibly be deemed to be embraced by the provision on cookies, etc., contained in Chapter 6, Section 18, EkomL. It should be pointed out that this explanation is only based on the current provision on cookies, etc. In several cases, the use of the program may be subject to other legislation such as the Personal Data Act or different kinds of provisions regarding offences contained in the Swedish Penal Code.

7.3.1 Adware

To the extent that adware only provides banners or other advertisement to the user, it may be questioned whether the program is subject to the provision.
Indeed, a banner that is downloaded to the user’s computer is within the ambit of the term ‘information that is stored on the user’s terminal’. But so is all content on, for example, a website that the user surfs to (including banners found there); what is the difference between a banner on a website (which certain adware effects, i.e. integrates “its” banners into the websites the user visits) and a banner that turns up in a box in a program? As argued above, a distinction should be made between obvious information storage, such as banners found on a website or in a box in a program, and information storage that is not visible to the user, such as cookies or spyware. However, it cannot be said that the formulation of the provision clearly shows that this distinction is made. It may possibly be argued that the controller hardly needs to provide information about obvious facts; as previously mentioned, what then remains? For example, to provide information about an advertising banner that turns up on a website or in a box in a program?

However, to the extent that adware in a first phase sends information from the user’s computer to a third party in order, for example, to be analysed there so that marketing can be tailored to the user, such transmission is probably subject to the information obligation. To the extent that adware logs keystrokes or otherwise forwards information from the terminal equipment, this program function is then not covered by the provision and the user must thereby be informed of these transmissions.

7.3.2 Web browser hijacking

To the extent that programs for web browser hijacking overwrite the user’s links or in another way manipulate information on the user’s terminal equipment, they are subject to the provision.
To the extent that the program manipulates the transfer, ensuring that a call is made not to point A directly but to point A via point B (in order, for example, to log the information sent to point A), it is more doubtful whether the provision becomes applicable. It is not obvious that this kind of manipulation can be deemed to constitute downloading or storage of information, as the user has himself sent the information away. This rather resembles wiretapping of information in the course of its transport.

7.3.3 Browser Helper Object (BHO)

To the extent that a BHO program logs use of the terminal equipment and then sends on this log, it is covered by the provision. To the extent that the program sends marketing, such as banners that are exchanged on websites, the same issue as under Adware above must be considered.

7.3.4 Web bugs

A web bug means that an image, albeit one that is hardly visible to the user, is requested from the web bug’s server, where the image is stored, and downloaded to the user’s computer. The provider of the image can then conclude that the user has visited a certain website, opened a particular e-mail message, etc., depending on where the web bug is placed. This technology means that information is downloaded and stored on the user’s terminal equipment; the provision on cookies can thereby be applicable. However, similar reasoning as above under Adware ought to be applied. The information obligation, for instance, hardly applies to a website as regards those images that are available and shown on the website. The only difference between these and a web bug is that the web bug is so small that it cannot be seen. However, there is no reference in the provision that directly deals with whether the storage/downloading is visible to the user or not.

7.3.5 Programs for remote access and monitoring

Key loggers that are installed on terminal equipment, log keystrokes, etc. and also send these on via an electronic communications network are subject to the provision, and information must thereby be provided about what the program does and the purpose of the information. Other systems that in various ways secretly take over parts of the terminal or allow it to be remotely controlled by an outsider are all probably covered by the provision, as in all cases a program is installed on the infected computer and thereby constitutes information stored on the terminal equipment. However, as in the Section on Adware above, it is questionable whether storage that is obvious to the user, such as a program installed following the user’s active choice, really requires further information to any great extent about what is being installed. However, where the information is stored in secret, for example in the form of hidden programs that are installed in secret, this installation (i.e. storage of information) is probably not in accordance with the provision unless more detailed information about its purpose is provided. However, the criterion is also that the storage of the information should take place via an electronic communications network, for which reason it should be required that the program is installed via the Internet or some other communications network. It should be observed particularly here that other provisions, primarily offences under the Swedish Penal Code such as breach of data secrecy, may also be applicable.

7.3.6 Cookies

Use of the technology known as cookies is subject to the provision, as it constitutes storage of information on the user’s terminal equipment.
For a more extensive discussion concerning cookies, see PTS’s report on the Internet and the Electronic Communications Act.[9]

[9] “Internet och lagen om elektronisk kommunikation”, PTS ER-2003:36. Available in English and Swedish.

7.3.7 Modem hijacking

To the extent that modem hijacking involves a program being downloaded and installed on a terminal, it could probably be covered by the provision. If modem hijacking comprises the telephone number of a certain modem pool found on the terminal being changed to another, the conclusion is not as obvious. The issue here is whether a change of information found on the terminal, such as a saved number to a modem pool, constitutes a storage of information in the sense provided for by the provision. Considering the broad formulation of the provision, and that nothing is said in the travaux préparatoires about any restrictions being imposed on the scope of the provision, it is probably possible to view this as a storage of information. However, in the event that the user has himself requested the change, for example because he wishes to utilise a particular service, the storage is probably covered by the exemption contained in the provision, provided the storage is necessary for the service.

7.3.8 ActiveX

ActiveX is a technology platform that forms part of certain operating systems. It may contain security loopholes that can be utilised. The program itself, or the tool ActiveX, cannot be deemed to be subject to the provision. However, the management of information, i.e. gaining access to information stored on terminal equipment via the Internet or another electronic communications network by utilising a security loophole in ActiveX, may be deemed to be covered by the provision.

7.4 Prohibition against wiretapping

Chapter 6, Section 17 of the Electronic Communications Act (EkomL) contains provisions on a prohibition against wiretapping.
This provision basically entails a total prohibition against gaining access to, or in any other way processing, data in an electronic message that is transmitted in a public communications network or with a public electronic communications service, or traffic data associated with the message, unless at least one of the users affected has consented to the processing. The term ‘consent’ means that if one of the participants in the electronic exchange records or in another way saves the electronic message, this does not constitute a breach of the provision regardless of whether the other participant has consented or not.[10] The prohibition only covers general services and networks; private networks, for example a limited intranet, are thereby not covered. There are a number of explicit exceptions from the main rule regarding certain kinds of documents that are dealt with below. Other exceptions from the provision include provisions on the processing of traffic data (Sections 5 to 7) and such information as is subject to a duty of confidentiality according to Section 20.

7.4.1 Exemptions

It is indicated by the travaux préparatoires that this provision is not intended to impede automatic, intermediate and temporary storage of information, subject to the precondition that the information is not stored longer than is necessary for the transmission and that confidentiality remains guaranteed during the storage period.[11] Against this background, the first two exemptions cover different forms of information being saved in order to improve the efficiency of the communication, so-called ‘caching’. The third exempted item relates to wiretapping, through a radio receiver, a radio-transmitted electronic message that is not intended for the wiretapping party or the public. This exemption is justified by it being the right of every individual to possess a radio receiver and that it would not be advisable to sanction the wiretapping itself.
It has been considered in the travaux préparatoires to earlier legislation that the ether should be deemed to be free and that every individual can thereby wiretap what is transported by radio transmission. However, it should be added that the forwarding of wiretapped messages is prohibited according to the provisions of Chapter 6, Section 23. This means that even if it is allowed to wiretap a radio-transmitted message, it is prohibited to unlawfully forward such a message. This exemption means that a user of a wireless network, so-called W-LAN, cannot be deemed to be allowed to wiretap another wireless network to which he has been automatically given access. However, it should in this connection be noted that the user, if the wiretapper actively obtains access to someone else’s network, may commit an offence against other provisions, for example in the Swedish Penal Code. In the event that the network is completely open, there will probably, from the criminal law perspective, be problems in proving that an intrusion into the network is unlawful.

[10] Government Bill 2002/2003, p. 255
[11] Government Bill 2002/2003:110, p. 253

7.4.2 The prohibition against wiretapping’s application to spyware

The prohibition against wiretapping means that the use of spyware which in various ways wiretaps an ongoing communication is prohibited. However, spyware where the party making use of the spyware personally participates in the communication can hardly be deemed to be covered by the prohibition. If, for instance, a key logger passes on information about what keystrokes the user makes on their computer, this does not constitute a breach of the wiretapping prohibition, as the information forwarded is not information captured during communication; rather, the creator of the key logger participates in the communication.
However, the use of a monitoring program that copies and forwards all e-mail letters that the user sends does constitute a breach of the provision, as in this case it involves information that is captured during an ongoing communication.

7.5 Criminal law provisions

Besides the special legal provisions contained in the Electronic Communications Act, other legislation may also apply to the management of spyware and closely related phenomena. A short description is given in this Section of the legal provisions that may come into question.

7.5.1 Breach of postal or telecommunication secrecy according to Chapter 4, Section 8, Swedish Penal Code (BrB) and breach of data secrecy, Chapter 4, Section 9c BrB

As regards protection against another party unlawfully obtaining access to information in digital form that is stored or in transit, it is primarily the provisions contained in Chapter 4, Section 8, BrB on the prohibition against breach of postal and telecommunication secrecy and the provision on breach of data secrecy in Chapter 4, Section 9c, BrB that are of interest. Breach of postal or telecommunication secrecy applies to telecommunications messages that are delivered or transmitted by a telecommunications firm. In this context, telecommunications firm means an undertaking that on a commercial basis primarily delivers or transmits various forms of telecommunications messages that others deliver to them for distribution.[12] This protection only applies during the delivery or transmission itself and thereby no longer when the message has arrived at its final destination. The criminal act comprises the actual breach, that is to say that the perpetrator obtains access to the message. There is no requirement that the perpetrator also actually becomes cognisant of the content of the message. Further protection against unauthorised access to information stored as data is provided by the provision on breach of data secrecy contained in Chapter 4, Section 9c, BrB.
This provision means that a person who unlawfully obtains access to a recording for automatic data processing, or unlawfully alters, erases or inserts such a recording in a register, may be sentenced for breach of data secrecy to a fine or imprisonment for at most two years. The protected object of the provision is the recording for ADP, by which is meant the actual information content.[13] Anyone who unlawfully obtains access to information stored on a computer thereby commits the offence. According to this provision, ‘recording’ also means data that is being conveyed via electronic or other similar aids to be used for automatic data processing. This means that such procedures whereby someone, through various methods, wiretaps what is being communicated in a data network, so-called ‘wiretapping’, are also punishable.[14] As an offence consequently exists both if the attack is made against information that is stored and against information that is being conveyed, the provision thus covers in many cases the dissemination of computer viruses. This provision is secondary to the prohibition against breach of postal or telecommunication secrecy, which means that an act that only constitutes such a breach does not also entail breach of data secrecy. Besides the prohibition against unlawfully obtaining access, the provision also contains a prohibition against unlawfully altering, erasing or inserting something in a register for automatic data processing. This means that not only obtaining access to information in a computer but also an unlawful change (whether it comprises eradication, alteration or addition) of the content is prohibited. ‘Information’ refers only to structured data in contrast to running text. ‘Altering’ refers to both a temporary and a more permanent change.

[12] See Government Bill 1992/93:200, p. 161 f
When content is eradicated or in another way changed so that it is destroyed, the act can also be regarded as malicious damage (see Section 7.5.2 below). As a short summary it can be concluded that a person who without permission obtains access to both data that is communicated and data that is saved commits a punishable act. The dissemination of malicious viruses is thereby normally criminal according to BrB, Chapter 4, Section 9 c (the dissemination itself is not unpermitted, but the unpermitted change or erasure of data that occurs when the virus is executed is). However, as these are penal provisions, the act itself must also be embraced by intent. This means that the perpetrator must have a wish and a plan to commit the criminal act. It may in practice be very difficult to find the person who originally created a malicious virus, and also to prove that the person who released the virus also intended to commit a criminal act. A further problem is determining how far the perpetrator’s liability extends. The creator of a virus personally infects only a few computers, and the dissemination then takes place outside the creator’s control. It is unclear how far the perpetrator’s liability can be deemed to extend regarding this course of events, which occurs in a later phase and is uncontrolled by him (although actually conscious).

[13] Government Bill 1973:33 with proposal for amendments to the Freedom of the Press Act, etc., p. 74 f
[14] See Government Bill 1985/86:65 p. 39 ff.; it should be pointed out that this only covers wiretapping of fixed or dial-up connections.

7.5.2 Damages according to BrB, Chapter 12, Section 1

Protection against the infliction of damage involves an offence against property. This limitation means that the object of the measure must be a material object.
However, it is rare that physical damage is caused to the data carrier in the case of a virus attack, that is to say that the computer’s hardware is rarely destroyed upon a virus attack. However, the destruction of information can in practice also result in real damage arising, such as a system or network no longer functioning. If it can be shown that the dissemination of a computer virus results in such extensive erasure that large and permanent damage arises to the computer or the network for those affected, it is therefore possible, but not obvious, that the act is regarded as a form of malicious infliction of damage. However, if the change is only temporary or transient, such as when the data attacked can be restored to its original condition with the assistance of a backup copy, it is considered that damage or destruction has not arisen. Intent to disseminate a virus is a prerequisite for liability, but not intent that the offence be committed with a malicious aim to cause damage or a direct aim to cause damage.[15] Negligence is not punishable. The scale of penalties comprises fines or imprisonment of at most six months.

7.6 Other integrity-related legislation

Of course, the Personal Data Act, as regards privacy, is a central piece of legislation aimed at protecting persons against violations and providing them with an opportunity to know about and influence the records in which they are found. This section briefly describes the Personal Data Act and how this legislation can be applied to spyware and closely related phenomena.

7.6.1 The Personal Data Act

The Personal Data Act (PuL) contains restrictions on how parties may process personal data. In very simple terms, it can be said that if personal data is to be processed, the consent of the person to whom the data refers is required. Personal data means all information that can be traced to a physical person.
This information does not need to be directly traceable to the person; it is sufficient that the information in combination with other data (for example a civil registration (ID) number in combination with population records, or a telephone number in combination with telephone directories) can be traced to the person. The term processing of personal data is very broad and basically comprises all conceivable ADP-related measures. The main rule for processing of personal data is that the consent of the person registered is required. However, there are situations that are exempted and where consent is not required. For instance, consent is not required if the processing is necessary in order to be able to perform a contract with the person registered. There is also a more general exemption stating that consent is not required, among other things, if the processing is necessary for a purpose relating to a justifiable interest, if this interest weighs more heavily than the interest of the person registered in protection against the violation of personal integrity. Here, the various interests must be balanced. There is no formal requirement that consent should be in writing. But it must be active. Passive consent is consequently not sufficient, i.e. that the person has been informed about the processing and has not opposed it. However, consent can be deemed to have been given by conduct. If someone is informed that the information will be registered and then attaches the information, this would probably be regarded as conduct implying consent.[16] However, silent consent is not sufficient, i.e. when the person registered is informed that the information will be registered and is given a fixed time within which to protest against it.

[15] Holmberg and others, Kommentar till Brottsbalken [Commentary on the Swedish Penal Code], 6th Edition, p. 633
7.6.2 Delineation between EkomL and PuL

For the uninitiated it may be complicated to grasp when PuL is applicable and when EkomL is applicable instead, as the two statutes in certain cases apply to the same circumstances. In very simple terms, it can be stated that EkomL regulates various forms of communication but not what is communicated. As long as the message is in the process of transport, EkomL may be applicable as regards the prohibition against wiretapping, the regulation of cookies, etc., while PuL applies when the content of the communication is processed in various ways, for example storage of the messages. Moreover, it can be said that EkomL is special legislation while PuL is general legislation. This means that in the event that a procedure is regulated specifically in EkomL, that legislation applies. However, if the procedure cannot be deemed to be covered by EkomL, PuL applies.

7.7 Some problems (providing information, etc.)

7.7.1 How the information is formulated; circumvention of the provision on cookies, etc. through hidden information

As mentioned earlier, the provision on cookies, etc. does not involve any prohibition against the use of a technology that gathers or stores information, but only a requirement that information be provided about the gathering or storing that occurs and that the user be given the opportunity to prevent this. Such information should be clear and plain, but there is no detailed description of how the information should be formulated or how it should be notified to the user. The malicious programs whose actual purpose is to perform things in concealment probably do not constitute a problem, as these programs or technologies never display or inform about their real purpose. What is more complicated, however, are the programs that to some extent store or gather information from the user’s terminal.
This may involve anything from rather benign functions, such as the program checking whether a newer version exists for downloading, to the more refined marketing programs that exist to log and analyse potential customers’ Internet habits. Most of these programs doubtless report the means by which they download or store information; the problem is only that the information may sometimes be found in a contract text together with hundreds of other exemptions or items of information. There is some difference compared with the system of consent found in the Personal Data Act (PuL) and other legislation. Consent according to PuL must always be informed and clear. It is not sufficient in such a case merely to provide information hidden among a mass of other information and then consider that the user, by using the product, can be deemed to have consented to the processing. It is the personal data controller who is also responsible for being able to show that each individual user has actively consented. As regards an information requirement such as that found in the provision on cookies, etc., the requirement that the information has truly been received by the user can hardly be set as high as with consent under PuL. The provision does impose a requirement that the controller should inform, in contrast to merely providing information, and there is naturally a limit somewhere to how difficult the information may be to access for the controller to be deemed to have informed the user.

[16] Kommentaren till personuppgiftslagen [Commentary on the Personal Data Act], Öhman/Lindblom, p. 37
However, it cannot be said to be particularly clear where this limit lies, and there is an immediate risk that the information about potentially privacy-violating procedures that a program implements becomes merely a further item in a 15-page information letter/contract that pops up in passing when the program is installed on the terminal. On the other hand, a system of consent, or a far too stringently interpreted information requirement, would entail a significantly greater administrative burden for the businesses that produce and use these programs/technologies. The purpose of the provision is not to prohibit these technologies, which can naturally also be used to make matters easier for the user,[17] but only to make the user aware of the threats to privacy that potentially exist.

7.7.2 Supervision of the provision on cookies, etc.; international aspects

One practical problem is that the provision per definition relates to phenomena that occur over communications networks. In most of the phenomena described in this report, the actual storage or downloading of information occurs over the Internet, and the party responsible is in the majority of cases in some entirely different country. This of course makes it very difficult to conduct supervision of compliance with the provision in any effective way. EkomL applies within Sweden; such processing of information as occurs on a Swedish user’s terminal equipment is probably subject to the provision even if the party responsible is not located in Sweden.
The fact that the Act as such is applicable and that it is practically applicable are, however, two quite different things; it is extremely difficult for a national supervisory authority to successfully direct any demands against foreign parties if the foreign parties have no desire to comply with the legislation (which they would probably have if they conducted serious operations orientated towards Sweden, but hardly if they conduct a shady operation and have no interest in being an active stakeholder in the Swedish market). It can also once again be pointed out that it is not the development of programs that are used as spyware that is subject to the provision, but the actual processing of information. In certain cases, this processing accompanies the use of the program (for example when spyware is installed on the user’s terminal without their knowledge); in various other cases, the processing first occurs when information leaves the user’s terminal (for example when a security loophole in existing software is used to download information, or when software that is installed with the user’s approval gathers information from the terminal in a way about which information has not been provided). It is conceivable that in many cases it is difficult to identify who actually uses the software, even if one knows who has manufactured it. However, it would be possible to apply the provision when the gathering or storage is conducted on a large scale by a reputable, or in any event not completely disreputable, party.

[17] For example, functions that keep track of what types of searches or products a user was interested in previously and, based on this, can recommend similar products or services.
One example of a reputable use may be that of a marketing operation which utilises various software to survey the surfing habits of individuals in order then to use this information for marketing purposes.

Appendix 1 – Case studies

PTS has arranged a survey of how a number of privacy-violating programs affect users’ computers. A selection of these programs is presented in this Appendix.

Summary

The case studies suggest that malicious programs (malware) are installed in phases. This means that the first program that is installed also facilitates the automatic installation of other programs; these programs in their turn facilitate further programs being installed automatically, and so on. The programs that are installed tend to have increasingly suspicious aims and behaviour the further down the chain they lie. In the first phase, a program is often actively installed by the user which, in many cases without the user’s knowledge, operates as a carrier for further programs. A contributing factor to programs tending to be more suspicious at later phases may be that the level of control over the total installation is reduced with the number of installation phases, which makes it possible for really dangerous programs to be included in secondary or even later phases. The actual behaviour of the tested programs has in the majority of cases been considerably more restrained than what is technically possible. As a guess, this is the result of the underlying purpose in the majority of cases being advertising and marketing rather than theft or vandalism. One phenomenon observed in many of the case studies is that the data streams in communication between malicious programs and their servers are often difficult to discern.
Much suggests that the increasing attention given in recent times to the businesses behind these programs has made them increasingly cautious, and that the encryption of data is a phase in this development.

Delimitation and testing environment

The survey aimed at showing how individual users - persons who use a computer at home or at work - are affected. Therefore, a rather typical computer configuration was created. The system in which the tests were implemented was equipped with the operating system Microsoft Windows XP Professional with Service Pack 2 together with all other security updates recommended by Microsoft. However, in the case study of IFrame, Service Pack 2 was not used, as the IFrame weakness only affects Windows XP without it. The antivirus program Norton Antivirus 2004 was used in all tests. This antivirus program has been specially developed to identify and remove viruses, worms and Trojans. The firewall Kerio Personal Firewall was used in all tests. Kerio gives clear notification and information each time a process tries to start another process or communicate via a network. Cookies intended for tracing Internet activity have been detected with the tools Ad-Aware and SpyBot. Monitoring of processes has been conducted through the operating system command tasklist.exe. This command generates a list of all processes running on the computer at that moment. These lists have been saved for each case study and then compared with a list representing the processes that run in the clean basic configuration. The tools Ad-Aware and SpyBot have also been used with the aim of identifying and analysing processes; these are specially developed to recognise a large number of processes belonging to known malicious programs. All network traffic from the test system has been monitored and logged.
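The process comparison described above (saving the tasklist.exe output for each case study and comparing it with the list from the clean basic configuration) can be scripted. The following is an added example written for this transcription; it is not a tool used by PTS and not part of the original survey. It assumes the lists were saved with `tasklist /fo csv` (the CSV output format of tasklist.exe) and works on constructed sample output embedded below; the process names prefixed PLACEHOLDER_ are invented and do not refer to any program in the case studies.

```python
"""Compare two saved `tasklist /fo csv` snapshots: clean baseline vs. after an install.

Added example (not from the PTS survey): parses the CSV output of tasklist.exe
and reports image names absent from the baseline, images that gained extra
instances, and baseline images that disappeared. All sample data is constructed;
the PLACEHOLDER_ process names are invented.
"""
import csv
import io
from collections import Counter
from typing import Dict, List

# Constructed `tasklist /fo csv` output from the clean basic configuration.
BASELINE_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","236 K"
"smss.exe","544","Console","0","388 K"
"csrss.exe","608","Console","0","3,412 K"
"winlogon.exe","632","Console","0","4,108 K"
"explorer.exe","1324","Console","0","15,220 K"
"""

# Constructed snapshot after installing a bundled program (placeholder names).
AFTER_INSTALL_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","236 K"
"smss.exe","544","Console","0","388 K"
"csrss.exe","608","Console","0","3,412 K"
"winlogon.exe","632","Console","0","4,108 K"
"explorer.exe","1324","Console","0","15,220 K"
"explorer.exe","2210","Console","0","9,004 K"
"PLACEHOLDER_setup.exe","1980","Console","0","6,552 K"
"PLACEHOLDER_helper.exe","2044","Console","0","2,216 K"
"PLACEHOLDER_helper.exe","2096","Console","0","2,300 K"
"""


def parse_tasklist_csv(text: str) -> Counter:
    """Return a Counter of image name (case-folded) -> number of running instances.

    tasklist quotes every field, so the csv module copes with the thousands
    separator inside "Mem Usage" values such as "3,412 K".
    """
    reader = csv.DictReader(io.StringIO(text))
    names: Counter = Counter()
    for row in reader:
        image = row.get("Image Name")
        if not image:            # skip blank or garbled lines
            continue
        names[image.strip().lower()] += 1
    return names


def compare_snapshots(baseline_csv: str, after_csv: str) -> Dict[str, object]:
    """Diff a post-install snapshot against the baseline.

    new_images:      image names that did not run in the baseline (sorted)
    extra_instances: images present in both, but with more instances afterwards
    missing_images:  baseline images no longer running (e.g. a stopped security tool)
    """
    before = parse_tasklist_csv(baseline_csv)
    after = parse_tasklist_csv(after_csv)
    new_images = sorted(name for name in after if name not in before)
    extra_instances = {
        name: (before[name], after[name])
        for name in after
        if name in before and after[name] > before[name]
    }
    missing_images = sorted(name for name in before if name not in after)
    return {
        "new_images": new_images,
        "extra_instances": extra_instances,
        "missing_images": missing_images,
    }


def format_report(diff: Dict[str, object]) -> List[str]:
    """Render the diff as lines suitable for the case-study notes."""
    lines = []
    for name in diff["new_images"]:
        lines.append(f"NEW      {name}")
    for name, (b, a) in sorted(diff["extra_instances"].items()):
        lines.append(f"MORE     {name}: {b} -> {a} instances")
    for name in diff["missing_images"]:
        lines.append(f"MISSING  {name}")
    return lines or ["no process differences against baseline"]


if __name__ == "__main__":
    for line in format_report(compare_snapshots(BASELINE_CSV, AFTER_INSTALL_CSV)):
        print(line)
```

The script only reports what changed between the two lists; establishing which of the new image names belong to the installed program (and which are bundled third-party components) remains a manual step, or one for tools such as Ad-Aware and SpyBot as in the survey. A second instance of a system process, such as the extra explorer.exe above, is worth noting as well, since a new process reusing a familiar name is a common way of hiding in a process list. Files produced by redirecting tasklist output are written in the console's code page, so decode them accordingly before passing the text in.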
However, it has not been possible to check exactly what information was communicated during installation and use of the programs tested. The analysis of network traffic has been performed with the tool Ethereal. The main selection criteria for which phenomena should be studied were that they are among the most widespread malicious programs today and that together they demonstrate the breadth of the phenomenon.

Case study 1 – Grokster

Grokster is a file-sharing program that, upon installation, allows the user to choose whether he wishes to pay for the program and thereby avoid advertising and adware, or to use the free version. This test relates to the free version. In the test, Grokster 2.6 was downloaded from www.download.com. The file grokstersetup.exe was saved and executed. The first installation window told the user that there is a version available to buy that does not contain advertising or adware, see Figure 1.

Figure 1 – Installation window number 1 from Grokster

A window was thereafter shown offering the user a version without advertisements or adware free of charge if he bought something via one of several offers presented on a website. Here again it was chosen to install the free version, i.e. to ignore these offers. The next window shows a licence agreement for GAIN Publishing, see Figure 2.

Figure 2 – Information about GAIN when installing Grokster

The agreement from GAIN was 6652 words, which would probably cover approximately 10 A4 pages of text. The agreement must be accepted for the installation to proceed, and this was done. Thereafter the user must accept the licence agreement for Grokster, see Figure 3. This agreement was marked 2.6.2.0 License Agreement.
Figure 3 – License Agreement for Grokster

It can be pointed out here that this window was implemented in such a way that the text could not be copied. The print alternative must be chosen if a user wishes to read the entire licence agreement separately. However, the Print button was probably not correctly implemented, as it was not possible to print the licence agreement; nothing happened when this button was chosen. Nor was it possible to make the window larger in order, for example, to take screen dumps of large text segments. On the website there was a version of the licence agreement to read. However, this version differed from that in the installation window.

The agreement was very long. It is estimated that it comprised approximately 10 000 words. Some interesting extracts from this agreement are presented below. To begin with it was declared that the user approves three explicitly named programs being installed, and also other programs from a third party if these are included in the licence agreement.

Legal Notice and Terms of Service for Grokster
By Clicking “I Agree” below and installing Grokster, you are agreeing to also install the following applications a) Cydoor b) MySearch c) Qtech and d) other third party software subject to the terms and conditions contained in the End User License Agreements appended below.

Once again the agreement declared that the user approves the downloading of software from a third party if this is included in the licence agreement.

12. Third Party Software
During the process of installing Grokster, i) you are agreeing to install third party software as per the various End User License Agreements contained herein and ii) you may also be offered the possibility to download or install software from third party software vendors pursuant to license agreements or other arrangements between such vendors and yourself (“Third Party Software”). Grokster may provide the information that it receives from you to vendors whose THIRD PARTY SOFTWARE you have accepted. Use of this information would be restricted to that which is described in the applicable THIRD PARTY SOFTWARE End User License Agreement. In the event that you do not want this THIRD PARTY SOFTWARE, please do not accept this Agreement. Please note that the THIRD PARTY SOFTWARE is subject to different license agreements or other arrangements, which you should read carefully, compared to the Terms of Service of Grokster. By downloading and using this THIRD PARTY SOFTWARE you accept these THIRD PARTY SOFTWARE license agreements or other arrangements and acknowledge that you have read them and understand them. Grokster does not sell, resell, or license any of this THIRD PARTY SOFTWARE, and Grokster disclaims to the maximum extent permitted by applicable law, any responsibility for or liability related to the THIRD PARTY SOFTWARE. Any questions, complaints or claims related to the THIRD PARTY SOFTWARE should be directed to the appropriate vendor.
----

In the agreement, separate agreements follow for Altnet, QTech, My Search Bar, BroadcastPC, Delfin, Cydoor (The Coupons Bar Software) and Total Velocity (TV Media).

The agreement from Grokster must be accepted for the installation to proceed, and this was done. A number of programs were installed in conjunction with the installation of Grokster.
Some of these programs constitute test instances of their own, which will be described later in this case study. The installed programs were:

• Gator/GAIN/Claria
• VX2 Transponder
• MyWay Speedbar and 411 Ferret/Active Search
• FlashenhancerBHO / FlashTrack
• BroadcastPC and DelFin
• Brilliant Digital
• TopMoxie / Web_CPR
• TVMedia Display, see chapter
• Webrebates / Toprebates
• Altnet/BDE

The constellation of malicious programs (malware) that were installed on the computer during these tests had a great impact on the system. The new programs occupied internal memory and processor power, which meant that the system felt slow. Several browser helper objects (BHOs), i.e. programs that add functionality to a web browser, also meant that Internet Explorer felt very slow; sometimes the web browser crashed completely and could only be closed by killing the process in the Task Manager. Furthermore, the operating system crashed a number of times, particularly when the anti-spyware Ad-Aware was run, see below.

When the program Ad-Aware was started in order to identify which malicious programs had been installed during the test, it was observed that the process webcpr1 started the process webcpr0. These belong to the program TopMoxie [18]. Upon running Ad-Aware, the operating system (Windows XP, SP2) stopped the process Windows Explorer from continuing to run, see Figure 4.

[18] http://www.spynet.com/spyware/spyware-TopMoxie.aspx, 9 December 2004

Figure 4 – Examples of messages concerning data execution protection in Windows XP SP2

This was done by the built-in mechanism for data execution protection (Data Execution Prevention, DEP), which is a security function incorporated into Windows XP SP2. Data execution protection is a processor function that prevents code from running in memory areas that are marked as data storage areas. The function is also called ‘runtime protection’.
Upon an attempt to run code from a page marked as data, an exception is immediately raised to prevent the code from running. In this way an attacker is prevented from overflowing a data buffer with code and then running that code. The operating system thus prevented a malicious code from executing when Ad-Aware was being run. It is worth noting here that the program operated faultlessly before the installation of Grokster. After this message had been closed, the operating system crashed and the computer was restarted. However, it was possible to complete the Ad-Aware run by not closing this window. The program SpyBot, which has a similar function to Ad-Aware, could not carry out a complete search as it was affected by a fault; the origin of the fault was difficult to identify on the basis of the information provided by the program. These events suggest that one or more of the programs installed by Grokster actively tried to prevent the anti-spyware programs Ad-Aware and SpyBot from searching for malicious programs.

Claria/Gator/GAIN

Gator Advertising Information Network (GAIN) is a network of companies that release advertising through Gator’s adware. Gator changed its name to Claria a year ago. GAIN states that its adware is permission-based [19], which means that in conjunction with the downloading of free programs the user has given permission to receive periodic advertising. The name Gator is often used as a collective name for a number of programs that come from the company; the interesting aspect from this report’s perspective is the advertising program. Gator offers a number of useful software programs on its website, for example Precision Time and Weatherscope.
The advertising program Gator is installed together with these programs, but it is more usual for the program to be installed through ActiveX components on websites or through piggybacking on a file-sharing program such as Grokster, which was also the case in the tests conducted. The advertising program gathers and sends off information about the user’s habits on the Internet. This information is compiled into a profile, which is then used to send targeted advertising.

[19] http://www.claria.com/advertise/audience/, 17 March 2005

During the tests, Gator was installed in two ways: together with the program Precision Time Tool, which was downloaded from the website www.gainpublishing.com, and with the file-sharing program Grokster. In the first case, the main component was installed through an ActiveX component. This installation provided a possibility of seeing a licence agreement; an extract of this agreement is shown below. GAIN declares which type of information is gathered about the user.

Here's what we do know... While we don't know the identity of Subscribers, the GAIN AdServer and GP collect the following kinds of anonymous information:
- Some of the Web pages viewed
- The amount of time spent at some Websites
- Some click history, including responses to some online ads
- Standard web log information and system settings (except that IP addresses are not stored)
- What software is on the personal computer (but no information from those programs)
- First name, country, city, and five digit ZIP code/postal code
- Non-personally identifiable information on Web pages and forms
- Software usage characteristics and preferences
- For Gator(r) eWallet users, your master password, if you choose to create one

It is worth noting that GAIN prohibits the user from listening to network traffic containing communication between software from the company and the company’s servers.
You acknowledge and agree that any and all communications between GP and the Licensed Materials and the content stored on GP's computer servers and in its software includes confidential information of GP and you may not access, publish, transmit, display, create derivative works of, store, or otherwise exploit any such confidential information except as such functions are performed by the Licensed Materials in the ordinary course of operation. Any use of a packet sniffer or other device to intercept or access communications between GP and the Licensed Materials is strictly prohibited.

Gator continuously shows advertising in the form of pop-up ads when the user surfs the Internet. These advertisements are based on the user’s habits, such as which websites have been visited, which search words have been entered in search engines, etc. During these tests, advertisements turned up approximately 5 times in a period of 30 minutes. Figure 5 shows how these pop-up ads look.

Figure 5 – Example of pop-up ads from GAIN

Gator monitors words that are filled in by the user in standard forms on websites. If a user makes a search with a search engine, for example Altavista, the program opens a new result page with hits. Figure 6 below shows an example of a page from Search Scout; this page was opened in conjunction with a search for “designer clothes” in the search engine Altavista.

Figure 6 – Example of Gator Search Scout

Gator communicates continuously with its servers. Earlier versions of the program were implemented in such a way that the information sent between the client and its server could be discerned easily. The extract below shows how an HTTP POST call might look [20].
POST /bannerserver/bannerserver.dll?GetBannerList
MachineID=RTJCNzI4QjktRkU4MS00RjIzLUE2REQtNzZEM0M2MThGOTA4
&MachineInt=103900267&Banner-Version=3%2e0&ProductVersion=4%2e1%2e2%2e6
&OEMID=0&Locale=0409&ZipCode=2
&UserID=OTNBMEFDNDMxOUE5NDJDM0E0REFBQTA3M0JFQUY1RDk%3d%3d%3d
&UserInt=146699728&LocalTime=04%2f19%2f2003+01%3a26%3a18+%2d0500
&GMTTime=04%2f19%2f2003+05%3a26%3a18+%2b0000&BnrTypes=7df
&AIC-0=gator%5faic&Site=yale%2eedu&DefBrowser=1
&InstDate=04%2f18%2f2003+09%3a00%3a18+%2d0500&RGF=0%2c0&PA=0&

[20] http://www.benedelman.org/spyware/ftc-031904.pdf, 8 December 2004

The extract below shows a TCP stream captured with Ethereal. It can be seen here how Gator sends information in Field1 to the server gi.gator.com/emachine.asp. However, the information is difficult to discern directly.

POST /emachine.asp HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
X-UA: WinInet 6.0.2900.2518, 1.1, 1.0
User-Agent: Gator/5.0 RequestMachineInt
Host: gi.gator.com
Content-Length: 86
Connection: Keep-Alive
Cache-Control: no-cache

Field1=Q0RvJ3TaJAAAAP2lUv2cqGa80C4P6eL5fq56oaiTL4%2bzVYSNv1vcrx8vu7D0VkesBn8%3d%3d%3d&

HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Tue, 30 Nov 2004 15:10:39 GMT

VX2 Transponder

VX2 Transponder is a browser helper object and adware. The program monitors and logs user habits such as websites visited and information entered in search forms on web pages. This information is then sent on to a server, probably with the aim of showing pop-up ads when the user surfs. The program’s algorithm for the selection of ads is structured so that advertisements are selected depending on what kind of website the user is visiting at the moment [21]. The algorithm adapts the intensity of the advertisements shown to the user’s activity; if no new websites are visited, no new ads are shown.
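As an added example (not from the report), the two Gator captures quoted above decoded in Python: the base64 fields of the GetBannerList query turn out to be plain GUID-style identifiers, while Field1 from the later emachine.asp request decodes to binary that is not readable, matching the report's remark. Which fields are base64 and the lenient padding handling are assumptions drawn from the captured values.

```python
"""Decode the Gator/GAIN request bodies quoted in the report (added example)."""
import base64
import string
from typing import Optional
from urllib.parse import parse_qsl

# Bodies as quoted in the report; the line breaks that the printout introduced
# inside field names (Product Version, Us erID, Def Browser) have been removed.
BANNER_QUERY = (
    "MachineID=RTJCNzI4QjktRkU4MS00RjIzLUE2REQtNzZEM0M2MThGOTA4"
    "&MachineInt=103900267&Banner-Version=3%2e0&ProductVersion=4%2e1%2e2%2e6"
    "&OEMID=0&Locale=0409&ZipCode=2"
    "&UserID=OTNBMEFDNDMxOUE5NDJDM0E0REFBQTA3M0JFQUY1RDk%3d%3d%3d"
    "&UserInt=146699728&LocalTime=04%2f19%2f2003+01%3a26%3a18+%2d0500"
    "&GMTTime=04%2f19%2f2003+05%3a26%3a18+%2b0000&BnrTypes=7df"
    "&AIC-0=gator%5faic&Site=yale%2eedu&DefBrowser=1"
    "&InstDate=04%2f18%2f2003+09%3a00%3a18+%2d0500&RGF=0%2c0&PA=0&"
)
EMACHINE_BODY = (
    "Field1=Q0RvJ3TaJAAAAP2lUv2cqGa80C4P6eL5fq56oaiTL4%2bzVYSNv1vcrx8vu7D0VkesBn8"
    "%3d%3d%3d&"
)

# Fields that look base64-encoded in the captures (assumption for this example).
B64_FIELDS = {"MachineID", "UserID", "Field1"}
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def b64_lenient(value: str) -> bytes:
    """Decode base64 that Gator pads with three '=' regardless of length."""
    stripped = value.rstrip("=")
    return base64.b64decode(stripped + "=" * (-len(stripped) % 4))


def as_text(raw: bytes) -> Optional[str]:
    """Return the bytes as text if every byte is printable ASCII, else None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if all(ch in PRINTABLE for ch in text) else None


def decode_beacon(body: str) -> dict:
    """Parse a form-encoded Gator body; base64 fields become text or raw bytes."""
    result = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key in B64_FIELDS:
            raw = b64_lenient(value)
            result[key] = as_text(raw) or raw  # readable identifier, else opaque bytes
        else:
            result[key] = value
    return result


if __name__ == "__main__":
    for name, body in ("GetBannerList", BANNER_QUERY), ("emachine.asp", EMACHINE_BODY):
        print(f"== {name}")
        for key, value in decode_beacon(body).items():
            print(f"  {key} = {value!r}")
```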
In Figure 7 below an example is shown of a pop-up ad that offers the user free smileys.

Figure 7 – Pop-up ads from VX2 Transponder

The first time the program is executed it looks for the file oeminfo.ini on the user’s computer. If this file exists, it contains information about the computer such as from whom it was bought, serial number, processor and configuration, and perhaps also the user’s name. This information can be seen in Windows XP by selecting Start → Inställningar → Kontrollpanelen → System [Start → Settings → Control Panel → System], first tab.

The program gathers information about websites visited and information entered into forms; this is then communicated to a third party. Long-lived third-party cookies are also stored on the computer with the aim of identifying the user over several sessions. The VX2 Transponder also searches the user’s computer for files used by the e-mail program Microsoft Outlook, in order to find a full name and e-mail address. This kind of activity was however not observed during the tests; the reason may be that the test system did not have the e-mail program installed.

The program also has an update function which it can use to update itself or download new malicious programs from a third party. The program then contacts a server that can indicate new software from a third party that should be downloaded and installed.

[21] http://www.spynet.com/spyware/spyware-VX2.Transponder.aspx, 8 December 2004

BroadcastPC and DelFin Media Viewer

BroadcastPC is adware that shows multimedia advertising on the user’s computer. The program monitors the user’s habits on the Internet and delivers advertisements on the basis of this. The advertisements comprise large video clips that are downloaded to the user’s computer in the background. BroadcastPC makes use of DelFin Media Viewer, also known as PromulGate, which is a media player and adware.
According to the creator’s website, the product provides the marketer with the possibility of sending targeted ads to millions of users daily through the Internet. DelFin Media Viewer uses unique identification numbers for each user [22]. The program registers information about the user and communicates this together with the unique ID number and postcode to its marketing customers.

In the tested case, a large video clip was downloaded by BroadcastPC. After a while Windows Media Player started automatically and showed a full-screen trailer for Buffy the Vampire Slayer. After the video clip had finished playing, DelFin Media Viewer started, see Figure 8. This contained advertising and linked to a website where purchases could be made.

Figure 8 – DelFin Media Viewer with advertising for Buffy the Vampire Slayer

[22] http://www.spynet.com/spyware/spyware-DelFin-Media-Viewer.aspx, 8 December 2004

Case study 2 – Kazaa and PerfectNav

The main program in this case study is Kazaa. This program also installed a number of malicious programs (malware), and of these the program PerfectNav constitutes a test instance in this case study. Kazaa is probably one of the world’s most widespread file-sharing programs. Like the file-sharing program Grokster, see Case study 1 – Grokster, Kazaa is adware and also known for including malicious programs. The constellation here has also changed over time; it usually involves adware and browser helper objects [23]. The user often accepts installation of these programs onto his computer by accepting long and complicated licence agreements in which this is declared. In the test case, a number of programs were installed together with Kazaa; these are presented below. One of these programs, PerfectNav, constitutes its own test instance, which is described below.
In the test case, Kazaa was installed by downloading and executing an installation file taken from the website www.kazaa.com. The installation process for Kazaa was similar to that for Grokster. However, Kazaa was somewhat clearer about the fact that several programs from a third party were being installed at the same time, as early in the installation a number of programs that accompany the product are presented: BullGuard Virus Protection, Altnet Topsearch, PerfectNav, Cydoor, GAIN, Altnet Peer Points Components, My Search Toolbar, and Joltid P2P Networking. Thereafter, the user must approve a number of licence agreements for the installation to continue. These agreements contained information about the programs from a third party.

[23] http://www.cs.washington.edu/homes/gribble/papers/spyware.pdf, 17 March 2005

PerfectNav

PerfectNav was created by the company eUniverse and is a browser helper object which manipulates the page for search errors in the web browser. The program redirects incorrectly entered addresses to its own start page. This behaviour is also found in the program NaviSearch, which among others was installed together with the adware BargainBuddy. Figure 9 below shows an example of how PerfectNav affects the web browser when the incorrect address www.aftonnbladet.se was entered for Aftonbladet’s website.

Figure 9 – Start page for PerfectNav, which is shown in the event of incorrectly entered addresses

Case study 3 – IFrame

IFrame is not spyware but a function in HTML, a page description language (PDL). During October 2004 a weakness was discovered in the web browser Internet Explorer 6.0. All versions of the operating system Windows except Windows XP with Service Pack 2 run the risk of being affected if this weakness is exploited.
Through a buffer overflow, arbitrary code can be executed with the same privileges on the computer as Internet Explorer. The weakness concerns how Internet Explorer handles SRC and NAME attributes belonging to HTML elements such as <FRAME> and <IFRAME>. Many well-known security companies have found code circulating on the Internet which uses JavaScript to allocate a memory area (buffer) in which the attacker places, among other things, machine code. By entering very long SRC and NAME attributes in an IFRAME element on an HTML page, Internet Explorer can be made to point to the new memory area, and in this way be redirected to execute the new code. There are also other techniques that can be used to allocate the memory area in which the dangerous code is placed.

By clicking on ads on regularly visited websites, users have in recent times been redirected to websites that exploit the weakness and install arbitrary code on the user’s computer. The most common way of being harmed, from a user perspective, is that the user clicks on an ad on a website (large, well-known and regularly visited websites have been affected) [24] or that the user clicks on a link in an e-mail message received from a person they know (as the worms often send e-mails to all entries in the address book of the infected computer).

As Windows XP with Service Pack 2 is protected from this weakness, Windows XP with Service Pack 1 was used in this test case. In the test case, a code was tested that was written to exploit this weakness. This was found on the page http://singe/rucus.net/exploit/11337. The same page also includes the actual code, see the second extract below. This code, which is commented on by its creator, opens a command window (cmd shell) on port 28876 when a link is clicked. By opening the command window a perpetrator can obtain total control of the computer.
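A defensive check for the pattern described above, added here in Python and not part of the report: it scans an HTML document for FRAME and IFRAME elements whose SRC or NAME attribute is abnormally long, the shape of page the report says triggers the weakness. The length threshold and the two sample pages are assumptions constructed for the example.

```python
"""Flag FRAME/IFRAME elements carrying abnormally long SRC or NAME attributes.

Added example, not from the PTS report. Static check only: it looks at the
page source as delivered, not at markup that scripts build at runtime.
"""
from html.parser import HTMLParser

MAX_ATTR_LEN = 1024                 # assumed threshold; ordinary pages stay far below it
WATCHED_TAGS = {"frame", "iframe"}  # the elements the report names
WATCHED_ATTRS = {"src", "name"}     # the attributes the report names


class FrameAttrScanner(HTMLParser):
    """Collect a finding for every watched attribute longer than the limit."""

    def __init__(self, limit=MAX_ATTR_LEN):
        super().__init__(convert_charrefs=True)
        self.limit = limit
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in WATCHED_TAGS:      # html.parser lower-cases tag and attribute names
            return
        for name, value in attrs:
            if name in WATCHED_ATTRS and value is not None and len(value) > self.limit:
                line, _col = self.getpos()   # 1-based line of the start tag
                self.findings.append(
                    {"line": line, "tag": tag, "attr": name, "length": len(value)}
                )

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <iframe ... /> is checked the same way


def scan_html(document, limit=MAX_ATTR_LEN):
    """Return the list of findings for one HTML document."""
    scanner = FrameAttrScanner(limit)
    scanner.feed(document)
    scanner.close()
    return scanner.findings


# Constructed samples: an ordinary banner iframe, and a page shaped like the
# pattern described (a harmless run of 'A' characters stands in for the long NAME).
BENIGN_PAGE = """<html><body>
<h1>Ads</h1>
<iframe src="http://ads.example.invalid/banner" name="banner" width="468" height="60"></iframe>
</body></html>"""

SUSPICIOUS_PAGE = (
    "<html><body>\n<p>Loading...</p>\n"
    '<IFRAME SRC="http://example.invalid/" NAME="' + "A" * 4000 + '"></IFRAME>\n'
    "</body></html>"
)

if __name__ == "__main__":
    for label, page in ("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE):
        print(label, scan_html(page))
```

Because such attributes are often assembled by JavaScript at runtime, as the report notes, a scan of the delivered source only catches the simple static form; a long SRC, not just NAME, is flagged in the same way.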
In the first case, the link was tested with the firewall and antivirus program turned off, and after this with both turned on. In the latter case, Norton Antivirus real-time protection discovered that the weakness in IFRAME was being exploited and warned the user. Norton calls the threat a virus with the name Bloodhound.Exploit.18.

By exploiting this weakness, the perpetrator can install arbitrary code on the user’s computer, and thus there are many different behaviours that the user can encounter. Those that have been most common in recent months include the installation of worms that spread themselves via mass-mailing, installation of programs for remote control and monitoring, together with the installation of advertisement-showing programs.

[24] http://news.netcraft.com/archives/2004/11/21/iframe_exploit_spreading_through_banner_ads.html, 13 December 2004

Case study 4 – TrueActive

TrueActive is a monitoring program. The program is a further development of the program WinWhatWhere and can be said to represent the new generation of monitoring tools. In contrast to simpler variants, for example Keylogger Pro, which only registers keystrokes, TrueActive can also monitor, for example, Internet traffic in the form of web addresses visited; file management in terms of moving, modification, renaming and removal; information entered in forms on websites; entire conversations in many well-known programs for e-mail and chat; what is shown on the screen and recorded with the web camera; passwords of various kinds; and content in the operating system’s clipboard [25]. In the test case a trial version was downloaded from the company’s web page. This was activated by a licence key that was sent from the company after information had been provided about the downloader.
The logs of the monitoring can be sent via e-mail. The program can be set so that it operates completely in the background; the icon in the taskbar can be removed and the reports can be sent via so-called ‘stealth e-mail’, which means that the program uses its own e-mail server. Figure 10 and Figure 11 below show examples of how a report may look. In this case the monitoring was running while the web browser was used to search for “alfa romeo 147” on www.google.com and then open the top hit. The report shows in the left column the screen dumps captured of the websites visited; under the column “Formatted” it can be seen what was entered using the keyboard.

Figure 10 – Report on monitoring in TrueActive

[25] http://www.trueactive.com/features/features.asp, 13 December 2004

Figure 11 – Report on monitoring in TrueActive