Backdoor Santa Spyware: Several File-Download Tools, including NetZip's Download Demon, Netscape/AOL's SmartDownload, and RealNetworks' RealDownload
Note: The NetZip product was used to derive the related products, SmartDownload and RealDownload. In many respects, these can be regarded as the same product.
This trio of programs amounts to a disturbing trend among download managers. Each of the download tools mentioned contacts its maker and "phones home" with every download. The "phone call" includes the URL of the file you are downloading as well as a file-download counter and a unique GUID (Globally Unique IDentifier) that identifies you, personally, and stays with you pretty much forever. This gives these companies the ability to keep detailed records of your entire downloading history! To quote Steve Gibson, "This allows a database of your entire, personal, file download history to be assembled and uniquely associated with your individual computer . . . for whatever purpose the program's publishers may have today, or tomorrow."
Additionally, some of these download managers transmit even more information. Netscape's SmartDownload can track your computer's IP address even across anonymizing proxies such as Anonymizer, by transferring this information in a special cookie header that most anonymizers will not modify. If you have previously purchased software from RealNetworks, your full name and email address will be transmitted back, in clear text, every time a file is downloaded.
In addition, the NetZip and RealNetworks products base their GUID on your network card's MAC address if you have one. This identifier, originally intended to avoid address conflicts on a network, cannot be changed by the user and so serves as a unique tool for branding a particular user for later identification. (Note: Some newer cards allow their MAC to be changed by the user. On many older cards, it is set in the card's hardware at the factory and cannot be changed without special electronic equipment, or in some cases, dissecting the card.) Even without a network adapter installed, these products still tag each user with a GUID based on Windows class identifiers. The Netscape/AOL product also transmits the computer's network name (often a user's name or username) as part of its GUID. For SmartDownload users who have joined Netscape's NetCenter, their NetCenter logon and personal email address are also transmitted with each download.
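As an added illustration that is not part of this page, of Gibson's write-up, or of any of the products described, the following Python scans a few constructed outbound HTTP requests, written the way a logging proxy would record them, for the kinds of identifying data the two paragraphs above describe: the download URL and counter, a persistent GUID, an email address, and a client IP carried inside a cookie header. The hosts, paths, parameter names (url, count, guid, email, name) and the cookie name are invented for the example. The check for a hardware address inside a GUID assumes the GUID is an RFC 4122 version-1 UUID, whose node field is the generating machine's 48-bit hardware address; that is one common way an identifier ends up "based on the MAC address", but the page does not state which format these products used.

```python
"""Flag outbound HTTP requests that carry download-manager tracking data.

Constructed example: nothing here is captured traffic from any real product.
"""
import re
import uuid
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests, written the way a logging proxy might record
# them. Hosts, paths, parameter names and cookie names are made up. The GUID
# in the first request is a hand-built RFC 4122 version-1 UUID whose node
# field holds the constructed hardware address 00:16:d3:cc:a4:27.
SAMPLE_REQUESTS = [
    # 1. the "phone home" pattern: download URL + counter + persistent GUID
    "GET /track?url=http%3A%2F%2Fdownloads.example.com%2Fsetup.exe&count=17"
    "&guid=1b4e28ba-2fa1-11d2-883f-0016d3cca427 HTTP/1.0\r\n"
    "Host: stats.vendor.example\r\n\r\n",
    # 2. registration details in clear text plus the client IP in a cookie
    "GET /report?guid=9f1c3e2a-7b44-4a3e-9f2b-0c2d4e6f8a10"
    "&email=jane.doe%40example.net&name=Jane+Doe HTTP/1.0\r\n"
    "Host: stats.vendor.example\r\n"
    "Cookie: SD_ADDR=203.0.113.45\r\n\r\n",
    # 3. the download itself, carrying nothing identifying
    "GET /setup.exe HTTP/1.0\r\nHost: downloads.example.com\r\n\r\n",
]

GUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_request(raw):
    """Split a raw HTTP/1.0 request into method, host, path, query and headers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"method": method, "host": headers.get("host", ""),
            "path": parts.path, "params": params, "headers": headers, "body": body}


def mac_from_guid(text):
    """Return the hardware address embedded in a version-1 UUID, or None.

    RFC 4122 version-1 UUIDs put the generating host's 48-bit node id in the
    last field; a real MAC has the multicast bit of its first octet clear,
    whereas a randomly chosen node id is required to set it.
    """
    try:
        u = uuid.UUID(text)
    except ValueError:
        return None
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return None
    node = u.node
    if (node >> 40) & 0x01:  # multicast bit set: not a burned-in address
        return None
    return ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def find_identifiers(req):
    """List the identifying elements one request hands to the remote server."""
    found = []
    params = req["params"]
    if params.get("url", "").startswith(("http://", "https://", "ftp://")):
        found.append("download-url")
    if params.get("count", "").isdigit():
        found.append("download-counter")
    # Search query values, header values and body for GUIDs and email addresses
    blob = " ".join([*params.values(), *req["headers"].values(), req["body"]])
    for guid in GUID_RE.findall(blob):
        found.append("guid")
        mac = mac_from_guid(guid)
        if mac:
            found.append("guid-embeds-mac:" + mac)
    if EMAIL_RE.search(blob):
        found.append("email-address")
    # An IP literal inside a Cookie header survives proxies that only rewrite
    # the connection's source address
    if IPV4_RE.search(req["headers"].get("cookie", "")):
        found.append("client-ip-in-cookie")
    return found


def scan(raw_requests):
    """Return (host, findings) for each raw request."""
    results = []
    for raw in raw_requests:
        req = parse_request(raw)
        results.append((req["host"], find_identifiers(req)))
    return results


if __name__ == "__main__":
    for host, findings in scan(SAMPLE_REQUESTS):
        print(host, findings or "no identifying data")
```

Run directly, the block prints the findings per host: the first request is flagged for the download URL, the counter, a GUID and the hardware address recoverable from it, the second for the email address and the IP literal in the cookie, and the plain download for nothing. On real proxy logs the same checks are the starting point for a rule that alerts when outbound requests pair a stable identifier with the URL of every download.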
A disturbing aspect of this whole issue is RealNetworks' heavy-handed attempts to cover up what it had done. As explained further on Gibson's page, RealNetworks immediately denied every claim, demanded a retraction, and hinted very strongly at legal action if Gibson Research Corp. continued to air this particular piece of dirty laundry. Ironically, these threats came after GRC's initial write-up, after which even more information was found to be leaking from the program. Perhaps even more ironically, this comes about a year after another RealNetworks product, RealJukebox, was found to be transmitting private information back to the server.
It should be pointed out that RealNetworks is NOT being accused of profiling users per se, only that the framework for such profiling exists in the program and could trivially be put to use. No one has verified that profiling is or is not occurring.
In July, a class action lawsuit was filed against Netscape/AOL, the makers of SmartDownload. The lawsuit claims that SmartDownload secretly transmits similar information and violates user privacy.
Links
Steve Gibson's page on download-manager spyware - one of the original heads-ups for this unwelcome behaviour
RealNetworks' version of what's going on (note the soft, careful wording of its policies :)
RealNetworks' denial of guilt
RealNetworks' admission of guilt (link dead)
Netscape/AOL lawsuit
"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)