Backdoor Santa Spyware: Several File-Download Tools
including NetZip's Download Demon, Netscape/AOL's SmartDownload, and Real Networks' RealDownload
Note: The NetZip product was used to derive the related products, SmartDownload and RealDownload. In many respects, these can be regarded as the same product.
 
This trio of programs amounts to a disturbing trend among download managers. Each of the download tools mentioned contacts its maker and "phones home" with every download. The "phone call" includes the URL of the file you are downloading as well as a file-download counter and a unique GUID (Globally Unique IDentifier) that identifies you, personally, and stays with you pretty much forever. This gives these companies the ability to keep detailed records of your entire downloading history!! To quote Steve Gibson,
 
"This allows a database of your entire, personal, file download history to be assembled and uniquely associated with your individual computer . . . for whatever purpose the program's publishers may have today, or tomorrow."
Additionally, some of these download managers transmit even more information. Netscape's SmartDownload can track your computer's IP address even across anonymizing proxies such as Anonymizer, by transferring this info in a special cookie header that most anonymizers will not modify. If you have previously purchased software from RealNetworks, your full name and email address will be transmitted back, in clear text, every time a file is downloaded.
 
In addition, the NetZip and RealNetworks products base their GUID on your network card's MAC address if you have one. This identifier, originally intended to avoid address conflicts on a network, cannot be changed by the user and so serves as a unique tool for branding a particular user for later identification. (Note: Some newer cards allow their MAC to be changed by the user. On many older cards, it is set in the card's hardware at the factory and cannot be changed without special electronic equipment, or in some cases, dissecting the card.) Even without a network adapter installed, these products still tag each user with a GUID based on Windows class identifiers. The Netscape/AOL product also transmits the computer's network name (often a user's name or username) as part of its GUID. For SmartDownload users who have joined Netscape's NetCenter, their NetCenter logon and personal email address are also transmitted with each download.
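To check outbound traffic for this pattern, the following added example (not code from this page, from GRC, or from any of the vendors) scans logged request URLs for the two elements described above sent together: a GUID and the URL of a file on some other host. The query-string layout, parameter names and hosts are constructed for illustration, and the check that the GUID's last 12 hex digits equal a local MAC address assumes the version-1 UUID layout, which the page does not confirm for these products.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# 8-4-4-4-12 GUID, optionally in braces; group 1 is the trailing 48-bit field.
GUID_RE = re.compile(r"\{?[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-([0-9a-fA-F]{12})\}?")

def norm_mac(mac):
    """Reduce 00-A0-C9-12-34-56 or 00:a0:c9:... to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-fA-F]", "", mac).lower()

def inspect_request(url, local_macs):
    """Return (finding, parameter_name) pairs for one outbound request URL."""
    macs = {norm_mac(m) for m in local_macs}
    dest = urlsplit(url)
    findings = []
    for name, value in parse_qsl(dest.query, keep_blank_values=True):
        m = GUID_RE.fullmatch(value)
        if m:
            # Assumption: MAC sits in the node field, as in a version-1 UUID.
            tied = m.group(1).lower() in macs
            findings.append(("guid_with_local_mac" if tied else "guid", name))
            continue
        try:
            inner = urlsplit(value)
        except ValueError:          # malformed value, not a URL
            continue
        if (inner.scheme in ("http", "https", "ftp") and inner.hostname
                and inner.hostname != dest.hostname):
            findings.append(("third_party_url", name))
    return findings

def phone_home_candidates(urls, local_macs):
    """Requests that carry both a GUID and another site's URL."""
    hits = []
    for url in urls:
        kinds = {kind for kind, _ in inspect_request(url, local_macs)}
        if "third_party_url" in kinds and kinds & {"guid", "guid_with_local_mac"}:
            hits.append((url, sorted(kinds)))
    return hits

# Constructed sample log entries (hypothetical hosts and parameter names).
SAMPLE_URLS = [
    "http://stats.vendor.example/dl?id=6ba7b810-9dad-11d1-80b4-00a0c9123456"
    "&n=17&url=ftp%3A%2F%2Fmirror.example.org%2Fpub%2Ftool.zip",
    "http://mirror.example.org/pub/tool.zip",
    "http://search.example.net/go?url=http%3A%2F%2Fmirror.example.org%2F",
    "http://stats.vendor.example/dl?id=%7B12345678-1234-1234-1234-0123456789ab%7D"
    "&url=http%3A%2F%2Ffiles.example.com%2Fa.exe",
]

if __name__ == "__main__":
    for url, kinds in phone_home_candidates(SAMPLE_URLS, ["00-A0-C9-12-34-56"]):
        print(kinds, url)
```

A plain redirect that carries another site's URL but no identifier (the third sample) is deliberately not reported, since only the combination gives the receiver a per-machine download history.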
 
A disturbing aspect of this whole issue is RealNetworks' heavy-handed attempts to cover up what it had done. As explained further on Gibson's page, RealNetworks immediately denied every claim, demanded a retraction, and hinted very strongly at legal action if Gibson Research Corp. continued to air this particular piece of dirty laundry. Ironically, these threats came after GRC's initial write-up, after which even more information was found to be leaking from the program. Perhaps even more ironically, this comes about a year after another RealNetworks product, RealJukebox, was found to be transmitting private information back to the server.

It should be pointed out that RealNetworks is NOT being accused of profiling users per se--only that the framework for such profiling exists in the program and could trivially be put to use. No-one has verified that profiling is or is not occurring.

In July, a class action lawsuit was filed against Netscape/AOL, the makers of SmartDownload. The lawsuit claims that SmartDownload secretly transmits similar information and violates user privacy.

Links
Steve Gibson's page on download-manager spyware - one of the original heads-ups for this unwelcome behaviour
RealNetworks' version of what's going on (note the soft, careful wording of its policies :)
RealNetworks' denial of guilt
RealNetworks' admission of guilt (Link dead)
Netscape/AOL Lawsuit
 

"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)