Recommended Spyware - Hypocritical Apps

Bob Leggitt | Saturday, 21 April 2012

“…We may collect information relating to the type of computer running the [brand name removed] program(s), operating system (brand and version), currently installed applications, system registry settings, system startup settings, etc… During the analysis of software on your computer, if we are missing an icon for a program, we may extract and collect the icon from your computer…”

So that’s an extract from the licence agreement small print of a piece of spyware, right?… Well yes, I think most people would agree that’s exactly what it is. The application clearly snoops your hard drive in serious depth – and perhaps the biggest concern is what sort of information, exactly, is collected under the heading of ‘etc’? Could be literally anything on your drive, really.

I ran the installation for this piece of software earlier today, and in fact, even before the licence agreement had presented itself on screen, my firewall was telling me: “this program is attempting to access the internet” – or words to that effect. The installation routine couldn’t even wait for me to read and okay the conditions before trying to report back to base. Needless to say, that was as far as the ‘installation’ got. I binned the setup, and set my firewall to permanently block the program.

But the scary thing is that this piece of spyware is not acknowledged as spyware. In fact, it’s an acknowledged aid to privacy, and it’s recommended as such by trusted, independent sites – one of which is a huge and reputable name, and another of which is dedicated to online privacy! In my case, the application was recommended as a means to fight LSO (Local Shared Objects) cookies. True, LSO cookies – which evade standard browser deletion processes – are a privacy invasion. But are they as big a problem as an application which scans and analyses your hard drive, and seemingly extracts and collects every piece of information it can practicably access?… No. I don’t think in themselves they are. The ‘solution’ is a bigger problem than the ‘problem’.

I should stress here that these 'recommended spyware' app vendors often claim they don't do anything with your data once they've mined it all. But that would defeat the point of collecting it. The data has value - everyone knows that. But it only has value if it can be passed on to someone who's prepared to pay for it. You can sit on a goldmine for as long as you like, but you ain't gonna get a penny until you start distributing the gold.

This little trick (a fake Windows dialogue) is a well-known precursor to the introduction of spyware on your PC. But at least these nasties are not championed by reputable websites as components in the fight against spyware.

Okay, so there are obviously lots of much more venomous applications around than this polite 'recommended spyware'. ‘Free scans’, for instance, which actually introduce viruses to your system so they’ve got something alarming to detect, then lock you into a situation where you have to pay the vendor a fee to return to the normality you were enjoying in the first place. Graciously, after removing its own viruses, the rogue scan routine leaves its own little piece of spyware on your drive before pretending to go away and leave you in peace.

Actually, I recently found one site which ‘detected’ five or six viruses on my computer without even running a scan! Indeed, it couldn’t access my computer to start scanning because as soon as I saw the page load I locked my Internet connection. Everything that happened after the page had loaded was faked within the code of the page itself – a timed loop pretending to perform a cloud-based scan, when such a scan was physically impossible.

But the difference with those more obvious nasties is that they’re classed as malware. Legitimised and recommended spyware is in some ways more dangerous, because it gets the support of trusted websites. If something is recommended to me by a trusted site as a means to better privacy, I expect it to give me better privacy. Not ravage my drive for every last bit of data it can get its hands on. The concept is a bit like setting up a “£5 off!” deal, where it costs £10 to buy the voucher. You’re losing more than you gain.

The reason I’ve censored the name of this particular example of 'recommended spyware', incidentally, is not to protect the brand. Far from it. Why would I want to protect a brand which snoops people’s hard drives in such great depth under the banner of ‘privacy’? No, the reason I’ve censored the name is that this is one of countless applications which do exactly the same thing. If I try to pin the problem on one product, most readers will simply avoid that product. That would achieve very little, because people will probably just select an alternative, and chances are that the alternative will invade their privacy in just the same way.

So instead, I want to promote the concept of reading licence agreements on software. Even if you don’t read the whole thing, read the privacy or data-related paragraph(s), because those are normally the most revealing. Typically, the longer the licence agreement, the more it’s trying to conceal. It really doesn’t take long to tell people something good. “We do not collect your data”, for example, can be said in six words. But it can take a hell of a long time to tell people that you’re violating their privacy.

Let's face it - vendors are not going to write “This program violates your privacy”. Instead, they carefully tread round each individual violation with a convoluted stream of weasel words, until the reader is so bored or confused that he/she simply loses the will to bother and clicks ‘Accept’. The piece of text I quoted at the beginning of this article may look fairly straightforward, but remember, it wasn’t sitting conveniently at the top of the EULA in bold print. It was buried deep beneath a mass of dishwater-dreary text about copyright and what have you. You have to hunt for those admissions. But hunt you must. If you don't, sooner or later you're almost certainly going to be installing one of these ridiculous recommended apps which profess to defend against spyware, when that's precisely what they are themselves.
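One way to do that hunting mechanically, added here as an example and not part of the original article: a short Python script that splits a licence agreement into paragraphs and surfaces the ones where a collection verb meets a data target, scoring open-ended lists such as 'etc' higher. The keyword lists, the function names and the filler paragraphs around the quoted extract are assumptions made for this example.

```python
import re

# Assumed vocabulary for this example, drawn from the extract quoted at the top
# of the article; extend it for the agreements you actually review.
COLLECT = re.compile(r"\b(collect|extract|gather|transmit|upload|share|disclose)\w*", re.I)
TARGETS = re.compile(
    r"\b(installed applications?|registry|startup|operating system|hard drive|"
    r"files?|browsing|ip address|third part(?:y|ies))\b", re.I)
OPEN_ENDED = re.compile(r"\b(etc|and so on|including but not limited to)\b", re.I)


def score_paragraph(text):
    """Score one paragraph; 0 unless a collection verb meets a data target."""
    verbs = {m.group(1).lower() for m in COLLECT.finditer(text)}
    targets = {m.group(1).lower() for m in TARGETS.finditer(text)}
    if not verbs or not targets:
        return 0, []
    reasons = sorted(verbs) + sorted(targets)
    score = len(verbs) + 2 * len(targets)
    if OPEN_ENDED.search(text):
        score += 3  # an open-ended list leaves the scope of collection undefined
        reasons.append("open-ended list")
    return score, reasons


def flag_clauses(eula_text):
    """Return (paragraph_number, score, reasons) tuples, highest score first."""
    paragraphs = re.split(r"\n\s*\n", eula_text.strip())
    hits = []
    for number, para in enumerate(paragraphs, start=1):
        score, reasons = score_paragraph(para)
        if score:
            hits.append((number, score, reasons))
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample: filler paragraphs placed around the article's quoted extract.
SAMPLE_EULA = """\
The Software is protected by copyright law. You may not copy, modify or distribute it.

We may share news about product updates with you by email.

We may collect information relating to the type of computer running the [brand name removed] program(s), operating system (brand and version), currently installed applications, system registry settings, system startup settings, etc... During the analysis of software on your computer, if we are missing an icon for a program, we may extract and collect the icon from your computer.

This agreement is governed by the laws of the vendor's jurisdiction.
"""

if __name__ == "__main__":
    for number, score, reasons in flag_clauses(SAMPLE_EULA):
        print(f"paragraph {number}: score {score}: {', '.join(reasons)}")
```

A keyword pass like this only tells you where to start reading; a clause worded to avoid the listed terms will not be flagged, so the flagged paragraphs are a minimum, not the full picture.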

So do the websites that recommend legitimised spyware actually know what they're recommending? Well, the truth is I can't be sure. What I suspect is that the biggest of the sites know the score (I doubt they promote software without reading the EULAs), but they recommend the software anyway because it's not horrendously obnoxious and it's probably worth their while to do the promos. Smaller sites, on the other hand, simply accept the word of the big sites and recommend the apps on the strength of that. That's only my hunch and I could be wrong, but ultimately it doesn't really matter who knows what. The fact is that in some cases, spyware is being recommended by trusted entities as a solution to privacy concerns. Sometimes, it might just be more private to let major websites learn your ad preferences than to install a preventative application which wants to place your entire drive on CCTV.

