By Lisa Lerer
ComScore Networks is the Big Brother of the Internet. The widely-used
online research company takes virtual photos of every Web page viewed by
its 1 million participants, even transactions completed in secure
sessions, like shopping or online checking. Then comScore aggregates the
information into market analysis for its over 500 clients, including
such large companies as Ford Motor, Microsoft and The New York Times Co.
ComScore says that its participants are willing exhibitionists, happily
selling their online privacy for gift certificates and free
screensavers. But two computer scientists are raising new questions
about comScore, claiming that company tracking software is being
installed without consent on an unknown number of computers.
"[The] software is sneaking onto users' computers without the user
agreeing to receive it," says Harvard University researcher Ben Edelman,
who documented at least ten unauthorized comScore downloads. Eric Howes,
director of malware research at antivirus company Sunbelt Software, and
his researchers separately observed hundreds of unauthorized comScore
downloads in a three-month period this fall. (Edelman and Howes spend
their days patrolling the Internet for new threats.)
ComScore (revenues: $50 million) denies the allegations, saying the
company would never install software without permission. "There is
spyware out there, but that's not what we do," says comScore chairman
and co-founder Gian Fulgoni. "We get explicit permission before our
software is put on someone's machine." But privacy officer Chris Lin
acknowledges seeing some unauthorized downloads several months ago. She
says the company didnt distribute the nonconsensual software and
immediately cut it off from comScore servers.
This isn't the company's first dalliance into apparent voyeurism: Two
years ago, university IT managers busted comScore for tricking students
into installing tracking software packaged with a free Web-accelerator
program. Students were often unaware that they were being watched.
comScore has since discontinued the program, called MarketScore.
But comScore remains the only major online research company that
partners with third-parties. Outside distributors bundle its
surveillance software with desirable free programs like games or videos.
Therein might lie the problem. In September, Edelman typed in the URL of
a site that lists special codes for video gamers. Instead, a pop-up
window loaded, asking him to approve a download.
When Edelman clicked yes, comScore's RelevantKnowledge software, which
records every Web page visited, was installed on his machine along with
scores of other advertising and spyware programs. Computer sleuthing
unearthed the source of the bundled software: DollarRevenue, a program
that bundles together many different adware programs. SunBelt considers
DollarRevenue one of the top ten Internet threats for computers.
Edelman and Howes also observed similar downloads, based off porn and
wrestling fan sites, by PacerD and MediaMotor, other adware bundlers
known for their controversial practices. MediaMotor is the subject of a
Federal Trade Commission complaint alleging improper disclosure of
downloads; the U.S. Attorney's Office in Washington is engaged in a
parallel criminal investigation. MediaMotor did not respond to requests
ComScore admits that the company engaged in partnership negotiations
with DollarRevenue, even going as far as giving the company test
software, says privacy officer Chris Lin. But the discussions stopped
there, and the companies never signed a contract. Then, several months
ago, comScore software installed by DollarRevenue started reporting back
to company servers, says Lin.
Lin insists that the unauthorized software did not violate anyone's
privacy. The company quickly cut the cord between the software and the
servers. "This is the only issue that we have had with a potential
distributor in the six years that our company has been in operation,"
says Lin. DollarRevenue said it "never really worked" with comScore but
did not answer further questions about the unauthorized downloads.
ComScore said it never observed any illicit downloads from PacerD or
MediaMotor and has no relationship with either company.
Edelman and Howes blame the unauthorized software on the layers of
middlemen that deliver free programs, ads and spyware to consumers. One
of comScore's software distributors, they speculate, may have cut a deal
with a less-reputable firm, which ended up bundling the software with
spyware and adware. But Edelman says this type of foul up is inevitable
given comScore's network of distributors.
Competitors say they refrain from using third-party distributors. "When
you allow other people to start distributing your software, you lose
control," says T.J. Mahoney, a managing director of market research
start-up Compete. Another market researcher, Hitwise, licenses online
behavioral information from Internet service providers, rather then
contacting users directly. Nielsen/NetRatings first vets participants on
the phone. If they agree to join the panel, the company sends a CD or
directs them to a page where they can download tracking software.
In 2000, comScore hired independent accounting company Ernest & Young to
annually certify the company's privacy policies, but that's not enough
for Howes and Edelman. "A truly independent outside audit of its data
practices--that's really what it's going to take," says Howes.
Subscribe to InfoSec News