Behind your back – dangers of untested code.

AUTHOR

Michal Ren
Computer science student,
Research associate at the Multimedia Laboratory of Institute of Cultural Studies, Adam Mickiewicz University,
Poznan, Poland

ABSTRACT

The main objective of my paper is to present arguments supporting the following thesis: the activities of certain software developers (including large, well-known companies such as Microsoft or Logitech) closely resemble crimes known and described in literature, particularly in the computational ethics field (1). The aforementioned software developers include in their programs – without the future user’s knowledge or consent – software “gifts” that induce changes in the computer’s performance. Their presence often disrupts normal operation of the operating system or other applications, sometimes even forcing the user to reinstall the operating system with all the consequences; that needs to be defended against!

The proliferation of Internet access created an easy way for software developers to distribute their work. These days it is often unnecessary to pay for any program – lots of freeware is there for the taking! It goes without saying that this situation benefits every user. However, free software does not always work as expected. It is understandable that programs developed by individuals, without quality assurance and peer review, may contain bugs. But sometimes authors intentionally add, shall we say, hidden functionality to their software. These programs are called “trojan horses” or “trojans” for short, but only if their hidden functions are malignant in nature. Yet nobody would complain if a program played a song every Friday the 13th. Complacency can be dangerous, however. If a program does one thing which nobody knew about, maybe it also does something else – something not as easily dismissed as harmless. Among the most common activities is spying on the user, or robbing him or her of privacy by any means possible. This can be accomplished by, for example, embedding a unique identification number in every document saved by a word processor, as was the case with Microsoft Word (2). Any document could then be tracked back to the computer it was created on.

Even more insidious than identification of a computer (in MS Word’s case the ID was actually derived from the hard drive) is the identification of a person using it. The Internet allows for free flow of information and, unfortunately, also for dissemination of information about the user, usually without his or her consent. It is frightening how much information is routinely given away by web browsers (3,4) – the entered email address is the most common example. Recently advertisers went beyond simple spam (unsolicited email messages (5)). So-called “web bugs” are more and more common on web pages. They are small, almost invisible (often consisting of only one transparent pixel), and they allow the advertising company to track the user through every web site he or she visits, provided they are also “bugged” (6). The data is later compiled for “targeted advertising”. Often in the privacy statements of the companies involved users are assured that “no personally identifiable information is obtained”, but if that is the case, how can one target advertisements at a particular user? (Assuming that no information is available on any particular user.) Such claims are often simply lies. (7)
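A sketch of how a filter can recognise the web bugs described above, added here as an illustration and not taken from the paper or from any of the tools it cites: it flags images of at most one pixel that load from a host other than the page's own. The function names, the sample page and its hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inline CSS such as "width:1px" or "height: 0" (not "max-width", not "50%").
STYLE_DIM = re.compile(r"(?<![-\w])(width|height)\s*:\s*(\d+)\s*(?:px)?\s*(?:;|$)", re.I)

# Constructed sample page: a logo, two third-party pixels, a first-party spacer.
SAMPLE_PAGE = """<html><body>
<img src="/logo.gif" width="120" height="40">
<img src="http://ads.tracker.example/pixel.gif?id=12345" width="1" height="1">
<img src="http://stats.example.net/c.gif" style="width:1px; height:1px">
<img src="/spacer.gif" width="1" height="1">
</body></html>"""

def dimensions(attrs):
    """Return (width, height) in pixels from attributes or inline style; None if unknown."""
    dims = {}
    for name in ("width", "height"):
        value = (attrs.get(name) or "").strip().lower().removesuffix("px")
        if value.isdigit():
            dims[name] = int(value)
    for name, value in STYLE_DIM.findall(attrs.get("style") or ""):
        dims.setdefault(name.lower(), int(value))
    return dims.get("width"), dims.get("height")

class WebBugFinder(HTMLParser):
    """Collects <img> tags of at most 1x1 pixel that load from another host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = urljoin(self.page_url, attrs.get("src") or "")
        host = urlparse(src).hostname
        width, height = dimensions(attrs)
        tiny = None not in (width, height) and width <= 1 and height <= 1
        # Assumption: any host other than the page's own counts as third party.
        if tag == "img" and tiny and host and host != self.page_host:
            self.findings.append(src)

def find_web_bugs(html, page_url):
    """Return the URLs of suspected web bugs found in one HTML page."""
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return finder.findings
```

The first-party spacer image is left alone because tiny layout images served by the site itself were common and do not report to an outside party.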

Distributing advertisements through the Internet allowed software developers to generate revenue simply by forcing users to watch advertisements while using their program. A new term was coined – “adware”. Its authors often try to blur the distinction between it and freeware (software available for free). (8) Some costs of using adware are easily quantifiable – many people pay for connection time, and downloading advertisements can take a long time. There are often hidden costs, such as loss of privacy. Often programs advertised as adware could be better described as “spyware” (2,9), since they intentionally spy on the user, collect intimate information, and then phone home at an opportune time to transfer it. (2)

The solution seems to be simple – remove all malignant software from the system. It is very difficult in practice, at least on Microsoft Windows operating systems, which are the most common on desktop computers right now. Shareware authors graciously allow users to install their software, try it, and later uninstall it if it proves to be unsuitable for the task. It is a well-known fact that most such programs cannot be deleted completely, at least without some serious effort on the user’s part. An even simpler and more effective solution is not to install any suspect software. However, there is not always a choice. Recently I’ve had to install a Logitech digital camera, and in order to do that, I needed appropriate drivers. The provided installation program insisted on installing RealPlayer, and just would not take no for an answer. Of course, RealPlayer would not uninstall, so I ended up manually deleting it. In short, in order to use the hardware, I was forced to install software which I neither wanted nor needed.

How can one defend oneself? Only by participating in the arms race of software against software. There are utilities for removing spyware (10), deleting unwanted software without a trace (11), filtering advertisements and web bugs (12), and for preventing unauthorized connections from one’s own computer (13). This advice applies to the users of Windows operating systems. At least for now, the only complete solution is to switch to a different, open source OS such as Linux, and to compile all applications from source code. This way, no hidden functionality can sneak through. Unfortunately, a normal user would view this as an extreme measure.

  1. cf. T. Forester & P. Morrison, Computer Ethics, MIT Press, 1995 (second edition)
  2. Privacy Foundation
  3. Privacy.Net – The Consumer Information Organization
  4. Gibson Research Corporation
  5. Coalition Against Unsolicited Commercial Email
  6. Web bugs
  7. Electronic Frontier Foundation
  8. news://alt.comp.freeware
  9. The Spyware Infested Software List
  10. Ad-aware
  11. RegCleaner
  12. WebWasher
  13. ZoneAlarm