Every software start-up wants to be the new Napster — a program downloaded by millions, with an icon on every desktop. And every month, there’s a new contender: Most recently, the buzz has coagulated around an application called KaZaA. Over the last two months old KaZaA has hit peer-to-peer critical mass: A network of 5 million people is using it to trade files of all kinds, from obscure bootlegs to raunchy porn.
KaZaA’s offices also happen to be in Holland, which might make it more difficult for the U.S. recording industry to put it out of business. For KaZaA fans, the fun could go on for a while.
But that doesn’t mean KaZaA’s pleasures come without a price. Everyone who installs the “free” software will discover that KaZaA is not the only software program in the package. KaZaA comes bundled with no fewer than five associated applications. There’s New.net, which enables browsers to “see” unofficial domain names such as .kids, .family and .shop; Webhancer, which tracks user habits and page speeds; and three others — Cydoor, OnFlow and EZula — that serve or otherwise assist advertisements varying in frequency, form and annoyance.
Some of these programs fall into a class labeled by critics as “spyware.” Because they reside on your hard drive but automatically “phone home” to outside servers on the Net (to upgrade themselves, or retrieve ads), they can threaten user privacy and security, say critics — raising the awful prospect that complete strangers will find out exactly what you’ve been downloading. Although users can usually opt out of installing them, few people choose to do so — and in KaZaA’s case, they don’t always enjoy the option: Cydoor, for example, is mandatory for KaZaA use.
“When you’re skulking around the hidden recesses of someone’s system, placing hidden software that captures activity and sends it home to the mothership, you have the capability to do anything,” says Ray Everett-Church, a well-known privacy consultant. “This includes capturing every keystroke, reading every file. It could even modify your e-mail after you hit ‘send,’ adding or deleting things without your knowledge. You name it, [these programs] can be designed to do it.”
These potential dangers are not unique to KaZaA’s plug-ins; any piece of downloaded software that uses a Net connection could be used as a monitoring device. But KaZaA is worth special attention simply because of the number of associated plug-ins, or parasite programs, as some call them. The profusion of KaZaA parasites is significant, not just because of the privacy implications, but because they are a signpost to an economic and cultural shift. KaZaA parasites pay for the privilege of piggybacking on KaZaA. Forget about venture capital, advertising revenue or consumer subscriptions as ways for software entrepreneurs to make money on the Net. In its never-ending process of evolution, the Internet has stumbled into a new business model. The age of parasite funding has begun.
The payoff might seem slim — companies like Cydoor and Ezula pay 10 or 20 cents per download. But multiplied by millions, such pennies begin to add up to a revenue stream. And the parasites themselves become the gatekeepers of viability. Like spores of mold endlessly seeking the most popular new software applications, they grace the survivors that hoist themselves out of the Net’s teeming shareware underground with cash and a certain level of endorsement. The more parasites you have, the more others regard you as an evolutionary winner. And while the relationship may be imperfect, few developers — particularly in the white-hot peer-to-peer area — expect a breakup anytime soon.
“Money has to come from somewhere,” says Niklas Zennstrom, one of KaZaA’s co-founders. “There are many people who think that everything on the Internet should be at no cost and free of advertisement — but that is, of course, not the way that companies can operate.”
Screensavers, games and other forms of so-called “freeware” have served as hosts for associated software since at least the mid-90s. At the height of the Web wars, Microsoft and Netscape alone were engaged in a constant battle of plug-in escalation, loading their Web browsers with a profusion of add-ons. But the recent prominence of plug-in parasites is especially impressive because the practice of bundling has been in the midst of a severe public backlash — the anti-spyware scare — for at least a year or two.
The problems started when Steve Gibson, a security expert, discovered a strange piece of software on his computer in January 2000.
“I was running an early version of ZoneAlarm [a firewall application that alerts users to breaches of security] and it told me that a program called TSADBOT.EXE was trying to use my Internet connection,” Gibson says. “It was made by Conducent, a company that is pretty much gone now, but that’s when I realized that I had something in my system that I hadn’t deliberately installed.”
Gibson never did find out which piece of software brought him the program, but about a month later, another security expert named Dale Haag discovered a similar piece of software on his computer. The program had been attached to CuteFTP, a free file-transfer application. Haag’s initial analysis found that the software — as he wrote in an e-mail to a mailing list devoted to Internet legal issues — “use[d] a hidden scheme to send information from your computer to a company called Aureate.”
The e-mail soon spread across the Net. Gibson then publicized his own experience. The derisive term “spyware” was born to describe software that supposedly surreptitiously installs itself on your drive, collects information, and then sends that information back home. Media outlets jumped all over the story. Users all over the world started setting up Web pages and deluging CuteFTP and other suspicious parties with complaints. Some even sued. Netscape and RealNetworks became targets of class-action lawsuits aimed at stopping the alleged monitoring and collecting damages.
Many of the concerns turned out to be unprovable. There is no hard evidence that either Aureate (now called Radiate) or Conducent, for example, actually sold personal information or indexed hard drives. The main responsibility for the bad press appeared to lie not with the parasites, but with the hosts, some of who failed to let users know what they were downloading.
Still, the potential privacy issues remained problematic, so Gibson came up with his own solution. He wrote “opt-out,” a program that uninstalled TSDADBOT. Then, a company called Lavasoft started distributing Ad-Aware, which traces what “spyware” programs are on a given hard drive, then removes them. It’s the law of Internet software — for every parasite, there’s a cure. And then the parasites mutate, and so on.
“They [Ad-Aware] promised that it would stay free, so I pretty much gave up,” Gibson says.
With the industry apparently cleaning itself up, many of the loudest critics moved on and the press lost interest. But the parasites propagated as never before, boosted by both the economic downturn and Napster’s travails. Software companies hungry for revenue looked to parasites as a desperately needed financial lifeline. Meanwhile, Napster’s troubles created an explosion of file trading software alternatives — which themselves constituted a fertile environment for bundling.
Innovative ad-related companies started to sprout and expand particularly quickly. With interest in banner ads declining, the old and new entrants became vessels of hope — fresh revenue streams that could attract both advertisers and users who tended to ignore banners.
WhenU.com is one company that has benefited from such downturn bundling. The New York company had been offering contextual ads — mostly coupons that appear as pop-ups on e-commerce sites — since 1999. But the idea didn’t take off until January, when executives decided to start bundling the ad-serving software with BearShare, a popular Gnutella client, and other free downloads. These hosts carried WhenU.com to critical mass. “We couldn’t have generated the numbers we’re generating now without co-bundled deals,” says CEO Avi Naider. With download partners inducing installs, and because of the demand for new, more aggressive forms of advertising, “we’ve been able to multiply our user base and revenue by tenfold,” he says. More than 3 million people now have the company’s SaveNow software on their computer, says Naider.
“Compared to the rest of the market, we’re the only company we know of that, in a dying ad market, is showing considerable growth,” he says.
Actually, WhenU.com is far from alone.
EZula has also ridden the wave of the post-Napster downturn. EZula’s TopText program inserts its own text advertisements as pop-ups linked to highlighted words in a Web page. EZula began partnering with KaZaA and other file-sharing companies a few months ago. Now, 20 to 40 percent of the company’s new installations come via file-sharing applications, says Assaf Henkin, one of the San Francisco start-up’s co-founders. “And within that range KaZaA is responsible for the majority of the users,” he adds.
OnFlow, which offers a “rich media” plug-in similar to Macromedia’s Flash, reports that it has also benefited from the popularity of KaZaA and other file-sharing companies. Ditto for Webhancer and New.net.
But the ultimate benefactor may be the two Dutch developers behind KaZaA. They launched the program in September 2000. They started with no venture capital and for eight months supported the company with their own funds. Then, in May, they released a new version of KaZaA. Word of its improvements started to spread, the software moved up the charts at Download.com and KaZaA’s founders finally got what they wanted — “enough volume to be interesting,” Zennstrom says. In other words, they became popular enough to attract the plug-in parasite posse.
Once KaZaA became “a pretty hot app,” says Linton at Webhancer, they became an obvious choice for bundling. “We partnered with them in June,” he says.
Others came on board around the same time. And the results have proven lucrative. Zennstrom claims that KaZaA isn’t just surviving, it’s also profiting.
“Bundles are vital,” he explains. “KaZaA is free software so money has to come from somewhere.”
Sometime soon, every file-sharing application will have some sort of payment mechanism, predicts Ian Clarke, creator of Freenet. Some, like Freenet, will ask for donations of actual cash, but “for those that focus on MP3 distribution, the model of plug-ins and advertising is a positive initial option to look into.”
New file-sharing companies go even further, arguing that the mix of plug-ins and advertising should be accepted as the norm. “All file-sharing clients must add these types of revenue generators at some point,” says Henry Wilson, founder of Grokster.com, a swapping client that taps into KaZaA’s network, and which just launched a beta version with EZula attached. “We think this is a small price to pay for the ability to have free access to the files that are shared on Grokster.”
Privacy advocates and a vocal but small minority of file-sharing users disagree. They see these programs as Trojan horses, gifts that enter a hard drive, work in the background and threaten to topple people’s computers. Sure, these companies claim that the software never sends back personal information; and yes, their privacy policies have approval from TRUSTe and other privacy watchdogs.
For some software executives, violating people’s privacy would be the kiss of death to their business plans.
“The business and technology reasons for not developing such a system should be pretty obvious,” says Radiate’s Jeff Ready. “First, we make money when people use our software. The amount of money we make is dictated by the number of people that use our software. Clearly, if our software really did all this spying, very few people would use it, and we would make no money. It’s pretty straightforward.”
“But just because they aren’t currently releasing personally identifiable information doesn’t mean it doesn’t have that capability, or is readily adaptable to do so,” says Michael Allen, a security manager and a regional ISP.
KaZaA, by forcing people to download Cydoor’s software along with its own, ups the ante of risk, others argue.
“If the only way that file-sharing companies can survive is through inducing consent, then maybe they don’t deserve to survive,” says Lauren Weinstein, creator of the Privacy Forum, a digest of privacy issues. “Their actions are completely inappropriate.” Weinstein also noted that the only ultimate solution to the privacy problem will be legal restrictions on what kind of information software programs can transmit back and forth from your computer to the Web.
A few file-sharing software companies seem to agree. MusicCity’s Morpheus software, which is built on the same software engine that powers KaZaA, comes without plug-ins and is the most popular audio option at Download.com. LimeWire, a Gnutella client, and a few other Napster replacements have also avoided using plug-ins.
But KaZaA argues that Cydoor is harmless: “The ONLY thing the Cydoor component does is to fetch banners from an ad server, and display them on the KaZaA program, very much the same as a normal Web page,” Zennstrom says. But most of the company’s competitors — BearShare and AudioGalaxy, for example — still include only one or two plug-ins.
“A lot of these companies struggle to find the balance,” says Naider at WhenU.com. “They don’t want to scare off their users.”
Overwhelming users with plug-ins does appear to be a potential problem. More than 20 people who reviewed KaZaA on Download.com slammed the company for including so many plug-ins, and several recommended boycotting the company because of its bundled software.
But are the plug-in protesters part of the problem? If the parasites don’t pay, who will?
Naider figures that the move toward plug-ins shows that the Net is finally growing up. “The Internet is the only place in history where great stuff was given away for free,” he says. “What’s happening now is that the Net is returning to a model where good products — content or software — have a price. If the price isn’t in money, then the price comes in the form of bundled software.”
Perhaps critics who have a problem with extra plug-ins, particularly ad-serving plug-ins, ought to take up their complaints with consumers, he adds. “We’re not like that. We’re the ones who let great free software continue to be free.”