ITS examines spyware-related problems

This article has been corrected. You may view this article’s correction here.

University e-mail filters deleted more than 100,000 incoming copies of a computer virus Tuesday morning, but Yale Information Security Officer Morrow Long said spyware and market research programs have replaced viruses as the primary source of frustration for ITS over the course of the past year.

ITS workers contained the virus, a worm called Zafi, which was originally sent during the holiday season. But they said they have focused more of their energies on spyware-related problems. Long said the University is currently worried about Marketscore, a program marketed as an “Internet accelerator” that was also distributed with the file-swapping tool iMesh. But executives at comScore, the consumer-research corporation that publishes Marketscore, said they inform customers their activity is being recorded and do not release any personal information to clients — including Yale professors — who purchase the aggregate data for their own studies.

Spyware is an information-gathering program that may be deceptively advertised or packaged with file-sharing software, Long said.

“In the old days, we’d have a machine that didn’t work right because there were 10 or 20 viruses on it,” Long said. “Now, it’s 10 or 20 spyware programs.”

This change is the result of a “coming-of-age” among the hacker community, said Patrick Hinojosa, the chief technology officer of Panda Software, a company that offers anti-virus and “anti-intrusion” programs.

“There’s been a shift over on the virus-writing side from people just wanting to gain notoriety, to spyware or phishing scams — with a money motivation behind it,” Hinojosa said.

Long said Marketscore is particularly invasive because it tracks what sites users visit and what they do on each site. But comScore representatives said their system is not spyware because it collects data for large-scale consumer research rather than marketing tailored to specific users.

“Information security and privacy are the top priorities of this company,” comScore Senior Vice President Dan Hess said. “The information that we collect is just the building blocks of what we do — personal information is not of any use to us.”

But Yale Chief Information Officer Philip Long said the Marketscore system, which routes all user information through a comScore proxy server before sending it to its destination, is dangerous regardless of the company’s business practices.

“You’re agreeing to let them see your information before you even send it, which means they have all your passwords,” Philip Long said. “We just don’t believe that it is good hygiene for your information to go through anybody else’s proxy server. Even if these guys are honest, they could get hacked.”

Information technology officials at other universities have already taken steps to curtail Marketscore traffic on their networks because they also believe it undermines the user’s expectation of privacy, said Joel Rosenblatt, a senior security officer at Columbia University. At Cornell University, network administrators have banned all Marketscore traffic since mid-October, Cornell Senior Security Engineer Daniel Adinolfi said.

But some professors who make use of the information sold by comScore said the corporation has been careful about protecting the data its software collects.

“They always deny requests to release contact information,” said Pete Fader, a marketing professor at the University of Pennsylvania’s Wharton School of Business who uses Marketscore data to analyze cross-site browsing.

Philip Long said ITS officials will have an anti-spyware program called Spy Sweeper available to students by the end of the month, with a new version of the Symantec anti-virus software — now including spyware detection — in March. The University’s information officers are not currently planning to block Marketscore, but they want students to be aware that their online activities are being tracked, Philip Long said.

“There will be some individuals who may want to use this, and who are we to judge?” Philip Long said. “We want to provide end users with the opportunity to make an informed choice.”
