A law to protect spyware

Sen. Fritz Hollings is pushing a bill that supposedly safeguards online privacy -- but actually gives intrusive marketers a green light.

Published April 26, 2002 7:30PM (EDT)

Outrage surged through users of the KaZaA file-sharing utility when they learned, early in April, that a new breed of spyware had been installed on their computers. KaZaA, probably the most popular heir to Napster's throne, was already well known for coming bundled with a wide variety of parasite programs that serve up advertisements, track Web-surfing activity, and otherwise cause mischief. But the newest arrival topped anything seen before in scope or ambition.

A company called Brilliant Digital had surreptitiously installed software in computers running KaZaA. Once activated, the software would set up a distributed computing network, allowing Brilliant to hijack the resources of thousands of personal computers to serve the needs of its own customers. Brilliant's plan is to use the computer processing power generated by the network to serve technologically advanced advertisements and track how users react to those ads.

As the newest assault on Internet privacy, Brilliant's plan pressed hard on an online hot button. Indeed, the tracking of personal data riles enough people that a new bill that purports to protect online privacy was introduced in Congress just last week. As the bill -- sponsored by Sen. Ernest "Fritz" Hollings, D-S.C., and titled the Online Personal Privacy Act (S. 2201) -- notes, consumers fear there's too little privacy online and too much sharing of sensitive personal information among the business elite. Up to a third of them have been submitting bogus data about themselves in an attempt to protect their privacy, and "tens of billions of dollars in e-commerce" have been lost due to privacy fears, the bill warns.

But Hollings' bill should outrage Internet users just as much as Brilliant Digital's spyware. For while it talks a good game about protecting "sensitive" information, the truth is that it would place a congressional stamp of approval on precisely the kinds of practices that purveyors of spyware are eager to engage in.

The fact that Hollings is behind this bill should be the first clue about the real agenda it serves. Hollings is also a sponsor of the Consumer Broadband and Digital Television Promotion Act (CBDTPA, formerly known as the SSSCA), a bill that requires all new computers and other digital information devices to come with copy protection software and/or hardware installed on them. It would also outlaw any effort to reverse-engineer or disable any copy-protection format -- a measure that some observers believe will cripple software development, particularly in the open-source and free-software communities. CBDTPA is ostensibly based on the premise that consumers won't sign up for broadband ISP access until Hollywood puts its content online, and Hollywood won't do that until it's sure its intellectual property will be safe. But the bill isn't really about the "promotion" of broadband at all. Hollings is one of the Senate's largest recipients of entertainment industry campaign contributions, and the bill is squarely aimed at protecting that industry's interests.

Likewise with the Online Personal Privacy Act. It is masquerading as pro-consumer when in fact it is pro-business. The new legislation is similar to laws passed in Europe that divide your personal information into two types. The first is "sensitive" information, such as your financial and medical history, race, lifestyle, religion, political affiliation, and sex life. The second is "nonsensitive" information, a category that includes your name, address, and records of anything you buy or browse on the Internet. Under the act, business can't collect or divulge the sensitive bits without your express consent, but anything classified as nonsensitive can be freely collected and sold at will.

But the nonsensitive clause is a huge gaping loophole through which business will ride roughshod. Never mind that part about "sensitive" information being forbidden. Most things that businesses want to know about us can be inferred just by examining the things we buy, read and click on. If they can put that information together with our names, which the bill allows, then any concept of "privacy" protection is rendered meaningless. The Online Personal Privacy Act legitimizes the kind of intrusive spyware program activity that is currently proliferating.

It's no secret, of course, that your lifestyle can be inferred just by examining the things you buy, read and click on. Humans are noisy beasts; we leave a staggering number of clues to our vices, ills and perversions in everything we touch. In a database geek's lexicon, our habits are not normalized -- they contain excessively redundant information, so if you hide one fact it can still be deduced by the imprint it makes on the rest.

No part of a lifestyle can be completely hidden if one wants to participate in modern society. The dietary laws of many religions will show up on supermarket receipts. Religious migratory habits will be obvious, too -- from the haj of a Muslim to the conspicuous 18- to 24-month absence of a Mormon on a mission. Your money problems could be discovered by an analysis of your austerity, your age group by the perfume you buy, or your sexual orientation by the brands you're loyal to.

And yet, despite this abundance of accidental data, businesses have always had difficulty collecting enough to make it useful. Bar code scanners in supermarkets aren't sufficient because they capture only a fragment of a consumer's activity. Marketers have also encountered obstacles assembling the resources necessary to process all that information. And up until recently, they've been limited mostly to targeting statistical clumps of people, rather than actual individuals.

But the advances in technology symbolized by spyware from companies such as Brilliant Digital promise to solve the technical problems, while the Hollings bill ensures that such practices are legal.

Spyware programs use a variety of technologies. A "cookie" set on your hard drive identifies you, by a unique number, to the Web site that set it each time you return. A "Web bug" -- an invisible image file embedded in a Web page but served from a tracking company's own server -- extends that reach: because the image comes from the tracker's domain, your browser sends the tracker's cookie along with every page that embeds the bug, whichever site the page belongs to, and the request itself tells the tracker which page you were viewing. Together they make the problem of collecting data and associating it with a single unique entity easy. The next step is getting your name, which can be done as soon as you make an impulsive click to buy something from a site that is sharing information with the spyware loaded on your computer.

This kind of individualized tracking used to be impossible, especially for print media, where the latency, or time lag, between an ad placement and its response was too long and the results too generalized. Today, however, the individually targeted, latency-free abilities of modern spyware make it easy to automate on a massive scale. They get to work the instant you begin surfing bugged Web pages, identifying you by an anonymous number at first until you finally blunder into any of the million opportunities -- such as ordering a product online -- that tie your number and all its cataloged kinks to a name.

It's true that most companies practicing these data-gathering techniques have long since responded to consumer backlash and provided an opt-out mechanism for users. Opting out will either suspend their data collection activities on you, or withdraw your name from the lists they share with other companies. But with hundreds of such databases currently in existence, how does one hunt down the instructions for opting out of so many and still maintain a social life?

The problem of finding the sheer computer horsepower necessary to manipulate captured data may also soon be a thing of the past. This detective work is not easy for silicon to do: Neural nets, classification trees, rule inductions, genetic algorithms and other methods all take their toll on processor power, which means somebody's got to pony up the megahertz to do it. But if Brilliant Digital is any indication, that somebody will soon be you.

Brilliant Digital's new generation of spyware has been inspired by distributed computing projects such as SETI@Home, but it has the ethics of a cuckoo bird. The parasite, hidden within a harmless-looking 3-D viewer called b3d, piggybacks on KaZaA and installs itself with minimal notification. It's so subtle that most of the KaZaA network's users weren't aware they had it until recently; the only hint of what Brilliant's program would be doing was buried within a 5,000-word license of the kind that most anxious users skip past in a hurry. Yet once installed, the parasite runs constantly in the background of your computer's consciousness, soaking up any CPU cycles and disk space that you don't happen to be using yourself, and turning them over to do the work of Brilliant's customers through a private network called Altnet.

Brilliant claims on its Web site that Altnet will be used only to render video and 3-D animation for media-rich advertisements, but it doesn't really matter if they've shanghaied your computer to draw the next Cap'n Crunch commercial or calculate the probability that you're a transvestite: Altnet, and the parasites that will follow in its footsteps, still provide the opportunity for a business to annex your resources to liberate their own, so they can run more important programs: programs that may just untie your whole intimate biography.

With the logistics solved, all that's left is the legitimacy and a kick in the pants for consumer motivation. Again, it's Hollings to the rescue, giving marketers, credit analysts, insurance companies, employers and all the others everything they need, as though it were written out on a shopping list.

Hiding behind aggressive wording that makes it seem as if it'll be safe to go back online are two giveaway exceptions in the bill's text. The first is the allowance of "cookies or other tracking technology" to gather the data that Hollings considers to be "nonsensitive" -- such as your browsing and shopping habits. This would include the entire range of spyware now in the wild, constraining them only with the feeble requirement to provide "robust notice" of their activity, like the robust notice you'll find if you have the strength and the legal wit to get through KaZaA's 5,000-word license.

The second is that any inferred knowledge won't be considered "personally identifiable" and will therefore fall outside the act's protections, leaving data-mining experts with the freedom to continue mapping your psyche with their robot cartographers and sharing the results with their partners. With names and e-mail addresses conspicuously missing from the act's definition of "sensitive" information, Hollings' idea of classifying the levels of your privacy is like trying to cut hot custard pudding in half.

In one swoop, Hollings not only makes it possible for businesses to accelerate into this brave new world of automated lifestyle profiling, but also fools consumers into a false sense of security that'll have them buying more, and more often. Perhaps you don't care if the credit card company knows what ills you suffer from, or if Amazon has twigged to the kinks you practice in the bedroom. Maybe you're comfortable with being lost in a crowd of millions of Internet surfers, enjoying the same kind of anonymity an ant enjoys in his hive. But did you click on that suggestive banner ad out of random curiosity or because they gotcha?

By Chris Wenham

Chris Wenham is a Web specialist in New York; his writing is collected on his Web site, Disenchanted.