Modernizing Authentication — What It Takes to Transform Secure Access
I want to tell you a cautionary tale about how not all things on the Internet are as glorious and altruistic as they seem. Take, for instance, the “Web accelerator’’ that promises to enhance your online experience with downloads that are up to ten times faster…
What does that mean exactly? Think of your Internet connection as a pipe or a hose. If you use a dialup connection, your computer connects at the blazing speed of 56 kbps (or 56,000 bits per second). If you’re using DSL, you connect at about 384 kbps (maybe 768 if you’re lucky), and if you have a T1 line (why are we talking about Web accelerators?) you connect at approximately 1.5 Mbps (or 1,500,000 bps). Dialup is like sipping the Internet through a straw. DSL is like using a garden hose, and a T1 line is like a fire hose -- you can’t stick it in your mouth and turn it on full blast. DSL speeds are so nearly instantaneous, the difference in an increase of ten times is undetectable. It’s similar to asking if the hose is turned on all the way or only almost all the way.
“But wait,” you say, “I’m on a dialup modem. Surely a Web accelerator will help me!”
Consider this: you download some software that tweaks your operating system, or maybe your Web applications or, possibly something more nefarious under the hood, in order to send Internet traffic over hardware that supports the 56K sippy straw.
Some Web accelerators utilize image compression to speed things up by squeezing graphics down, allowing more throughput. They promise increased speeds to Web sites you visit regularly by caching the compressed versions of ALL the Web sites you visit. More importantly, by installing their software and signing up for their service, you allow all of your Web traffic (and possibly ALL of your Internet traffic) to go through their network.
You effectively authorize them to examine every byte of data you send to the Internet.
In the case of MarketScore, it is most certainly buyer beware. They make an attractive offer of free email virus scanning and the opportunity to “influence the Internet market” with innocuous looking market research. Closer examination uncovers much more than just market research.
Cornell University published a paper on the MarketScore (also known as comScore) methodology. They found the MarketScore client agent recorded every keystroke typed, compressed the data, and forwarded it to MarketScore servers. The program was geared toward intercepting secure (SSL) sessions, instant message traffic and all HTTP (Web) traffic, as well as intercepting and redirecting POP mail traffic.
For the individual who has this installed, anything going out as an encrypted session via SSL, such as online banking, online purchasing, or any other online transactions using a credit card, are being recorded and cataloged by MarketScore before being encrypted. You do this to yourself by the way. The client agent doesn’t miraculously appear on your machine. You sign up for the privilege. If someone else in your household installs it without your knowledge, you still are at risk.
In an addendum to the original paper, Cornell also showed that the latest versions of the MarketScore software are invisible to anti-virus and spyware/adware removal tools. It contains a keystroke logger that isn’t activated and sets the client agent for automatic updates. More importantly, it uses a string-matching algorithm to match 10-digit phone numbers, 15- and 16-digit credit cards, and street addresses -- with and without city, state and zip. Driver’s license numbers and SSNs are also being recorded and forwarded to the MarketScore servers.
If you read the end user license agreement, (that thing you click through when you’re installing the software on your system.) you’ll find several interesting “features and benefits”. It states:
“We make commercially viable efforts to develop automatic filters that would allow us to avoid collection of sensitive personally identifiable information, such as UserID, password, and credit card numbers. Inadvertently, we may collect such sensitive information about our panelists; and when this happens, we will make commercially viable efforts to purge our database of such information.”
They are actively looking for data strings that MATCH personal information, but promise to filter it out. Funny, there appears to be no filtering done on those strings. The wording is interesting, too. They say they make efforts to develop filters that would allow them to avoid collection, but say nothing about actually avoiding it.
Under the section “How Is The Information Collected” MarketScore says:
“We may also combine the information that you provide us with additional information (such as select credit bureau and prescription information) or with information obtained from other sources (such as consumer preference reporting companies, credit reporting agencies, and prescription benefits managers) using confidential matching procedures.”
Great. Now they have credit card numbers, credit reports, and it’s likely they have potentially revealing medical data, as well. What is the purpose of having credit data or prescription data for conducting market surveys?
This is the best part. In a section about changes to the agreement, MarketScore states:
“If we change our practices in how we handle personally identifiable information, or if we materially change other aspects of our program, we will post these changes on our Website, and the changes will be effective immediately upon such posting. If you do not agree with any of the changes, you may remove our application as described above.”
In the first package Cornell evaluated, there was no keystroke logger. In the second version there was. Because the keystroke logger isn’t activated (yet) it could be said this is not a material change to their program. When it is activated, it could be said it’s not a material change because it’s been there “all along”. No notification is necessary, and since the client auto updates, all clients will be affected. Of course, nothing was said in the EULA about keystroke loggers in the first place.
This may serve a legitimate purpose. The amount of data collected without the explicit knowledge of participants is not appropriate, however. Maybe I’m paranoid, but I have no interest in allowing strangers to collect personal data to sell to the highest bidder, even if they promise to protect any “inadvertently collected” sensitive data..