Software that can spy on you

Why did Mattel include technology that can encrypt and send data to and from your PC in its children's CD-ROMs?

Published June 15, 2000 7:14PM (EDT)

I was reading my e-mail somewhere over the Atlantic when my laptop tried to go online. I was in the middle of composing a rather lengthy e-mail, so I didn't think about it much. I just put Windows back into "work offline" mode and kept typing. But a moment later, I discovered that the laptop was back in online mode. Indeed, I soon discovered that no matter what I did, I couldn't keep the laptop in offline mode; it was determined to stay online.

Since I was running Windows, I did the normal thing you do when you encounter problems: I rebooted. But exactly the same thing happened when Windows came back up a few minutes later. So I started hunting around the laptop's operating system to see what was going on, and I discovered that a program called "DSSAgent" was silently running in the background. I killed the program with the Windows task manager and my computer started working normally.

Problem solved, I guess, but now I was curious. A little more investigation revealed that my computer's Windows registry had been modified to launch this DSSAgent program whenever the computer started up. The program itself had been hidden deep within my Windows directory, apparently designed to look like a system file. Further investigation revealed that the DSSAgent had been written by Brøderbund and had been installed when my daughter loaded an Arthur's Reading Race CD-ROM onto my laptop the previous weekend.

There were thunderstorms over my destination, so while my jet ran racetracks in the sky, I fired up some tools and started pulling apart the DSSAgent program. I discovered that the DSSAgent contained a copy of the developer's kit for the Pretty Good Privacy encryption system, that it contained the ability to send e-mail and post forms to Web pages and that its creators had gone to great lengths to hide the software's function. And there was no copyright message indicating who had written the program.

When I got home I did some more research and found that the DSSAgent program was running on every computer in my house. A quick search on the Web the next day revealed that Brøderbund is owned by Mattel Interactive, so I called up the company's public relations group and asked why its software had installed this program on my computer: Why was it there, and what did it do?

According to Debbie Galdin, a spokeswoman for Mattel Interactive, DSSAgent is part of a service that Mattel calls "Brodcast." Says Galdin: "Brodcast is designed to provide additional content for our more up-to-date products. The program does not send personal information to Mattel and does nothing to identify a particular user."

Maybe Mattel knows something about rapidly advancing phonics theories that I don't, but I can't imagine what kind of "up-to-date" content the company wants to rush out to all the 5-year-olds using "learn to read" software. Actually, the only sort of up-to-date information I'd bet Mattel is really interested in offering would come in the form of advertisements for its own just-released products.

The Brodcast technology was developed by Brøderbund (hence its name), but I never knew that it was there: Brøderbund never told me about its presence. (When I ran the installer again later, the technology was never identified.)

"If the program is enabled, it communicates with our servers to let them know that a particular product has been installed and retrieves JPEG images for that product if any exist," explains Galdin. "This allows us to provide our customers with additional content for the products they have purchased, communicate product fixes, etc. To this end, it connects to the server and sends the product SKU number, last time a connection was made and if any downloads are in progress. Based on that information the server decides whether to send a JPEG image or not."

While this indeed may accurately describe the company's intention in including the DSSAgent, it's pretty easy to see how such technology could cause problems. If it wanted, the company could scan your hard drive for competing products, then flood you with offers to purchase its own similar products, or even just use that info for competitive research. Once this kind of capability is introduced, it could also be misused by a rogue employee to retrieve your financial records or credit-card numbers or to download child pornography onto your computer.

And what about the fact that this technology is included in software for kids?

Earlier this year, the Children's Online Privacy Protection Act went into effect. One of the most significant aspects of this law is that it prohibits companies from collecting information on children under 13 without explicit parental consent. Consent is not just clicking a box -- parents need to send in a letter, a fax or an identifying e-mail message. There's no way to get legal consent through the installation process, and I certainly hadn't signed any permission forms.

Galdin insists that nothing in the Brodcast technology violates COPPA, but after the law went into effect, Mattel stopped shipping old versions of the Brøderbund CD-ROMs and gave the products new installers. "COPPA applies to Web sites directed towards children only and does not extend to this situation," Galdin argues.

"Nevertheless, once COPPA was enacted, we changed our installation software activating both Brodcast and registration so that it first asks the age of a user," she says. "The latest version asks if the user is under 13 years of age and, if so, does not offer to install the Brodcast program and does not ask any of the registration questions requiring personal information." If you are over 13, the program gives you a choice as to whether you want the Brodcast technology installed.

Galdin sent me some new CD-ROMs with the improved installer. I tried them out. But it turns out that even if you tell the installer that you don't want to use Brodcast, the installer puts the program on your computer anyway. "If the user doesn't want it, it is not enabled," Galdin says. But the program is still installed, she says, because it is part of the complete CD-ROM application.

Galdin says that DSSAgent used PGP encryption to protect the information sent from Brøderbund (and then Mattel) to the user. "We don't want anyone else to intercept our communications and send other kinds of information." Nevertheless, she says, Mattel's new products -- those shipped since April -- do not include the Brodcast technology at all.

All's well that ends well, I suppose, but to me, the inclusion of hidden programs with children's CD-ROMs, the installation of these programs even when you specifically choose not to use them, the use of encryption to scramble network communications and the failure to document any of this to the public or to users in any meaningful way represent a bad omen for the future of the consumer software industry.

A growing number of companies clearly think that it's acceptable to build covert monitoring systems into their programs. Proposed legislation specifically allows software vendors to exercise "self-help" in enforcing their copyrights -- actions that could include disabling your computer if they think you have violated the terms of your license agreement. Meanwhile, the ubiquitous Internet connectivity afforded by cable modems and DSL will make it harder and harder for us to know when these sorts of programs are active.

To be sure, the DSSAgent never should have tried to take my computer online when I was flying over the Atlantic. "That sounds like a product malfunction," Galdin said. "The agent normally detects when a user is online only to do its transactions; it is not designed to try to connect independently. We would be happy to look into it."

But were it not for the bug, I would have never discovered that Mattel's DSSAgent was running on my laptop. Were the company so inclined, it could have used this technology to do far more than retrieve a JPEG image from a server.

What concerns me most is that there are simply no rules or regulations inside the United States that set limits on how invasive consumer software can be. Under Canada's newly enacted C-6 privacy legislation, for example, there is a requirement for Canadian firms to inform their customers about what kind of personal information is collected and how it is protected, and to make sure that it is discarded when it is no longer needed. But in the United States, we've already seen several examples of programs -- such as last year's Real Audio Jukebox troubles --- that covertly spy on a person's actions and report them back to a central location.

Surveillance software represents one of the greatest threats to privacy in the coming years. A program that uses undocumented protocols for transmitting information to or from the user, even if it is just to tell a person that a new version of a program is ready for download, is a huge, terrible step in that direction. I'm glad that Mattel says it has decided to remove the DSSAgent technology from its CD-ROM offerings. The fact that the company was only motivated to take this action after a law was passed in Washington demonstrates the importance of legislation as a tool for dealing with privacy issues in the future.

By Simson Garfinkel

"Simson Garfinkel is a frequent contributor to Salon, the Chief Technology Officer of Sandstorm Enterprises, and the Chief Scientist of Broadband2Wireless, Inc."

MORE FROM Simson Garfinkel

Related Topics ------------------------------------------